I noticed that there are GHSA reports which don't always have CVEs
assigned. We have the OWASP scanner scanning for CVEs as part of our
Jenkins infra, but not for GHSAs. Should we add this?

There's a tool "osv-scanner" which I ran locally on my machine (not sure if
this is running right but ...), it reported the following for trunk....

Regards,

Patrick

..... <clip general logs> ....
End status: 536 dirs visited, 2308 inodes visited, 21 Extract calls,
3.877381125s elapsed, 3.877341s wall time
Filtered 3 local/unscannable package/s from the scan.
Total 5 packages affected by 10 known vulnerabilities (0 Critical, 3 High,
4 Medium, 3 Low, 0 Unknown) from 1 ecosystem.
10 vulnerabilities can be fixed.


╭─────────────────────────────────────┬──────┬───────────┬───────────────────────────────────────┬─────────┬───────────────┬──────────────────────────────────────────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE                               │ VERSION │ FIXED VERSION │ SOURCE                                               │
├─────────────────────────────────────┼──────┼───────────┼───────────────────────────────────────┼─────────┼───────────────┼──────────────────────────────────────────────────────┤
│ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.3.16        │ zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml   │
│ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.5.25        │ zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml   │
│ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.3.16        │ zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml │
│ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.5.25        │ zookeeper-contrib/zookeeper-contrib-loggraph/pom.xml │
│ https://osv.dev/GHSA-25qh-j22f-pwp8 │ 5.9  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.3.16        │ zookeeper-contrib/zookeeper-contrib-rest/pom.xml     │
│ https://osv.dev/GHSA-qqpg-mvqg-649v │ 1.8  │ Maven     │ ch.qos.logback:logback-core           │ 1.3.15  │ 1.5.25        │ zookeeper-contrib/zookeeper-contrib-rest/pom.xml     │
│ https://osv.dev/GHSA-cfxw-4h78-h7fw │ 8.9  │ Maven     │ dnsjava:dnsjava                       │ 3.5.1   │ 3.6.0         │ zookeeper-server/pom.xml                             │
│ https://osv.dev/GHSA-crjg-w57m-rqqf │ 7.7  │ Maven     │ dnsjava:dnsjava                       │ 3.5.1   │ 3.6.0         │ zookeeper-server/pom.xml                             │
│ https://osv.dev/GHSA-mmwx-rj87-vfgr │ 7.1  │ Maven     │ dnsjava:dnsjava                       │ 3.5.1   │ 3.6.0         │ zookeeper-server/pom.xml                             │
│ https://osv.dev/GHSA-4cx2-fc23-5wg6 │ 6.3  │ Maven     │ org.bouncycastle:bcpkix-jdk18on (dev) │ 1.78    │ 1.79          │ zookeeper-server/pom.xml                             │
╰─────────────────────────────────────┴──────┴───────────┴───────────────────────────────────────┴─────────┴───────────────┴──────────────────────────────────────────────────────╯
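The question in the mail is really about a gap in CVE-keyed scanning: an advisory that only has a GHSA identifier has nothing for an NVD-backed scanner to match on. Below is an added example (not code from the ZooKeeper project or from the mail) of the kind of gate a Jenkins job could run over osv-scanner's JSON output: it lists advisories with no CVE alias and fails the build above a CVSS threshold. The input shape (results[].source.path, results[].packages[] with package{name,version,ecosystem}, vulnerabilities[] as OSV records, groups[].max_severity) is assumed from memory of `osv-scanner --format json` and must be checked against the installed version; the embedded sample document is constructed from two rows of the table above, and its alias lists are placeholders, not the advisories' real aliases.

```python
"""Turn osv-scanner JSON into a CI gate that also covers GHSA-only advisories.

Added example, not ZooKeeper project code. The input field names below are an
assumption about `osv-scanner --format json`; verify them against your version.
"""
import json
import sys

# Constructed sample mirroring two rows of the scan table in the mail. The
# alias lists are demo placeholders, not the advisories' real aliases.
SAMPLE_JSON = json.dumps({"results": [
    {"source": {"path": "zookeeper-server/pom.xml", "type": "lockfile"},
     "packages": [{
         "package": {"name": "dnsjava:dnsjava", "version": "3.5.1", "ecosystem": "Maven"},
         "vulnerabilities": [{
             "id": "GHSA-cfxw-4h78-h7fw",
             "aliases": ["CVE-0000-PLACEHOLDER"],  # constructed alias
             "affected": [{"ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "3.6.0"}]}]}]}],
         "groups": [{"ids": ["GHSA-cfxw-4h78-h7fw"], "max_severity": "8.9"}]}]},
    {"source": {"path": "zookeeper-contrib/zookeeper-contrib-fatjar/pom.xml", "type": "lockfile"},
     "packages": [{
         "package": {"name": "ch.qos.logback:logback-core", "version": "1.3.15", "ecosystem": "Maven"},
         "vulnerabilities": [{
             "id": "GHSA-25qh-j22f-pwp8",
             "aliases": [],  # constructed: a GHSA with no CVE alias, invisible to CVE-only scanning
             "affected": [{"ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "1.3.16"}]}]}]}],
         "groups": [{"ids": ["GHSA-25qh-j22f-pwp8"], "max_severity": "5.9"}]}]},
]})


def first_fixed_version(vuln):
    """Return the first 'fixed' event in the OSV affected ranges, or None."""
    for affected in vuln.get("affected", []):
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    return event["fixed"]
    return None


def parse_findings(text):
    """Flatten the scanner document into one record per (advisory, source file)."""
    doc = json.loads(text)
    findings = []
    for result in doc.get("results", []):
        source = result.get("source", {}).get("path", "?")
        for pkg in result.get("packages", []):
            meta = pkg.get("package", {})
            # Map advisory id -> numeric score from the package's groups (assumed field).
            severity = {}
            for group in pkg.get("groups", []):
                for vid in group.get("ids", []):
                    severity[vid] = float(group.get("max_severity") or 0.0)
            for vuln in pkg.get("vulnerabilities", []):
                findings.append({
                    "id": vuln["id"],
                    "aliases": list(vuln.get("aliases", [])),
                    "package": meta.get("name"),
                    "version": meta.get("version"),
                    "ecosystem": meta.get("ecosystem"),
                    "fixed": first_fixed_version(vuln),
                    "severity": severity.get(vuln["id"], 0.0),
                    "source": source,
                })
    return findings


def has_cve(finding):
    """True if the advisory itself or any alias is a CVE identifier."""
    return any(a.upper().startswith("CVE-") for a in [finding["id"], *finding["aliases"]])


def ghsa_only(findings):
    """Advisories a CVE-keyed scanner (e.g. NVD-backed Dependency-Check) cannot match."""
    return [f for f in findings if not has_cve(f)]


def gate(findings, threshold=7.0):
    """Findings that should fail the build, highest score first."""
    return sorted((f for f in findings if f["severity"] >= threshold),
                  key=lambda f: -f["severity"])


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_JSON
    findings = parse_findings(text)
    for f in ghsa_only(findings):
        print(f"no CVE alias: {f['id']} in {f['package']} {f['version']} ({f['source']})")
    blocked = gate(findings)
    for f in blocked:
        print(f"BLOCK {f['id']} CVSS {f['severity']} {f['package']} {f['version']} "
              f"-> {f['fixed'] or 'no fix'} ({f['source']})")
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this would be run as `osv-scanner --format json -r . > osv.json` followed by `python osv_gate.py osv.json` (file name assumed), with the non-zero exit code failing the stage. The threshold is deliberately applied to the score rather than to "has a fix", so an unfixed high-severity finding still surfaces instead of silently passing.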