In order to support a variety of vulnerability scanners, Heureka should be able to import SARIF data.
trivy image -f sarif golang:1.22.11-alpine3.20
{
"version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"fullName": "Trivy Vulnerability Scanner",
"informationUri": "https://github.com/aquasecurity/trivy",
"name": "Trivy",
"rules": [
{
"id": "CVE-2024-58251",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "In netstat in BusyBox through 1.37.0, local users can launch of networ ..."
},
"fullDescription": {
"text": "In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim."
},
"defaultConfiguration": {
"level": "warning"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2024-58251",
"help": {
"text": "Vulnerability CVE-2024-58251\nSeverity: MEDIUM\nPackage: ssl_client\nFixed Version: 1.36.1-r31\nLink: [CVE-2024-58251](https://avd.aquasec.com/nvd/cve-2024-58251)\nIn netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.",
"markdown": "**Vulnerability CVE-2024-58251**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|ssl_client|1.36.1-r31|[CVE-2024-58251](https://avd.aquasec.com/nvd/cve-2024-58251)|\n\nIn netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim."
},
"properties": {
"precision": "very-high",
"security-severity": "5.5",
"tags": [
"vulnerability",
"security",
"MEDIUM"
]
}
},
{
"id": "CVE-2025-46394",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "In tar in BusyBox through 1.37.0, a TAR archive can have filenames hid ..."
},
"fullDescription": {
"text": "In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences."
},
"defaultConfiguration": {
"level": "note"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2025-46394",
"help": {
"text": "Vulnerability CVE-2025-46394\nSeverity: LOW\nPackage: ssl_client\nFixed Version: 1.36.1-r31\nLink: [CVE-2025-46394](https://avd.aquasec.com/nvd/cve-2025-46394)\nIn tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.",
"markdown": "**Vulnerability CVE-2025-46394**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|LOW|ssl_client|1.36.1-r31|[CVE-2025-46394](https://avd.aquasec.com/nvd/cve-2025-46394)|\n\nIn tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences."
},
"properties": {
"precision": "very-high",
"security-severity": "3.3",
"tags": [
"vulnerability",
"security",
"LOW"
]
}
},
{
"id": "CVE-2025-15467",
"name": "OsPackageVulnerability",
"shortDescription": {
"text": "openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing"
},
"fullDescription": {
"text": "Issue summary: Parsing CMS AuthEnvelopedData message with maliciously\ncrafted AEAD parameters can trigger a stack buffer overflow.\n\nImpact summary: A stack buffer overflow may lead to a crash, causing Denial\nof Service, or potentially remote code execution.\n\nWhen parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as\nAES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is\ncopied into a fixed-size stack buffer without verifying that its length fits\nthe destination. An attacker can supply a crafted CMS message with an\noversized IV, causing a stack-based out-of-bounds write before any\nauthentication or tag verification occurs.\n\nApplications and services that parse untrusted CMS or PKCS#7 content using\nAEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable.\nBecause the overflow occurs prior to authentication, no valid key material\nis required to trigger it. While exploitability to remote code execution\ndepends on platform and toolchain mitigations, the stack-based write\nprimitive represents a severe risk.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the CMS implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.\n\nOpenSSL 1.1.1 and 1.0.2 are not affected by this issue."
},
"defaultConfiguration": {
"level": "error"
},
"helpUri": "https://avd.aquasec.com/nvd/cve-2025-15467",
"help": {
"text": "Vulnerability CVE-2025-15467\nSeverity: CRITICAL\nPackage: libssl3\nFixed Version: 3.3.6-r0\nLink: [CVE-2025-15467](https://avd.aquasec.com/nvd/cve-2025-15467)\nIssue summary: Parsing CMS AuthEnvelopedData message with maliciously\ncrafted AEAD parameters can trigger a stack buffer overflow.\n\nImpact summary: A stack buffer overflow may lead to a crash, causing Denial\nof Service, or potentially remote code execution.\n\nWhen parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as\nAES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is\ncopied into a fixed-size stack buffer without verifying that its length fits\nthe destination. An attacker can supply a crafted CMS message with an\noversized IV, causing a stack-based out-of-bounds write before any\nauthentication or tag verification occurs.\n\nApplications and services that parse untrusted CMS or PKCS#7 content using\nAEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable.\nBecause the overflow occurs prior to authentication, no valid key material\nis required to trigger it. While exploitability to remote code execution\ndepends on platform and toolchain mitigations, the stack-based write\nprimitive represents a severe risk.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the CMS implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.\n\nOpenSSL 1.1.1 and 1.0.2 are not affected by this issue.",
"markdown": "**Vulnerability CVE-2025-15467**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|libssl3|3.3.6-r0|[CVE-2025-15467](https://avd.aquasec.com/nvd/cve-2025-15467)|\n\nIssue summary: Parsing CMS AuthEnvelopedData message with maliciously\ncrafted AEAD parameters can trigger a stack buffer overflow.\n\nImpact summary: A stack buffer overflow may lead to a crash, causing Denial\nof Service, or potentially remote code execution.\n\nWhen parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as\nAES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is\ncopied into a fixed-size stack buffer without verifying that its length fits\nthe destination. An attacker can supply a crafted CMS message with an\noversized IV, causing a stack-based out-of-bounds write before any\nauthentication or tag verification occurs.\n\nApplications and services that parse untrusted CMS or PKCS#7 content using\nAEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable.\nBecause the overflow occurs prior to authentication, no valid key material\nis required to trigger it. While exploitability to remote code execution\ndepends on platform and toolchain mitigations, the stack-based write\nprimitive represents a severe risk.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the CMS implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.\n\nOpenSSL 1.1.1 and 1.0.2 are not affected by this issue."
},
"properties": {
"precision": "very-high",
"security-severity": "9.5",
"tags": [
"vulnerability",
"security",
"CRITICAL"
]
}
},
...
Task Description
SARIF is a format to document Vulnerability findings. It's supported by many Vulnerability Scanners such as Trivy or Github Advanced Security.
In order to support a variety of vulnerability scanners, Heureka should be able to import SARIF data.
The following questions need to be clarified:
Example
Output: