From 2a4e2a8ceadb4e2b60244dfdb67c2d3981f44831 Mon Sep 17 00:00:00 2001
From: 7000pctAUTO
Date: Wed, 4 Feb 2026 14:58:51 +0000
Subject: [PATCH] Add CVE database and test fixtures
---
 src/depcheck/data/cve_database.yaml | 258 ++++++++++++++++++++++++++++
 1 file changed, 258 insertions(+)
 create mode 100644 src/depcheck/data/cve_database.yaml
diff --git a/src/depcheck/data/cve_database.yaml b/src/depcheck/data/cve_database.yaml
new file mode 100644
index 0000000..a544e7d
--- /dev/null
+++ b/src/depcheck/data/cve_database.yaml
@@ -0,0 +1,258 @@
+# Bundled CVE Database for Dependency Freshness Checker
+# This database contains known vulnerabilities for common packages
+
+cves:
+  # Common JavaScript/Node.js packages
+  - package: lodash
+    cve_id: CVE-2021-23337
+    severity: high
+    description: "Command Injection in lodash"
+    affected_versions: "<4.17.21"
+    fixed_version: "4.17.21"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337"
+
+  - package: lodash
+    cve_id: CVE-2020-8203
+    severity: critical
+    description: "Prototype Pollution in lodash"
+    affected_versions: "<4.17.19"
+    fixed_version: "4.17.19"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203"
+
+  - package: axios
+    cve_id: CVE-2023-45857
+    severity: high
+    description: "Axios Cross-Site Request Forgery Vulnerability"
+    affected_versions: "<1.6.0"
+    fixed_version: "1.6.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2023-45857"
+
+  - package: node-forge
+    cve_id: CVE-2022-24771
+    severity: high
+    description: "node-forge prototype pollution vulnerability"
+    affected_versions: "<1.3.1"
+    fixed_version: "1.3.1"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-24771"
+
+  - package: ws
+    cve_id: CVE-2024-37890
+    severity: high
+    description: "ws Denial of Service Vulnerability"
+    affected_versions: "<8.17.1"
+    fixed_version: "8.17.1"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-37890"
+
+  - package: express
+    cve_id: CVE-2024-29041
+    severity: medium
+    description: "Express.js Open Redirect in malformed URLs"
+    affected_versions: "<4.19.2"
+    fixed_version: "4.19.2"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-29041"
+
+  - package: moment
+    cve_id: CVE-2022-24785
+    severity: medium
+    description: "Moment.js Path Traversal in locale loading"
+    affected_versions: "<2.29.4"
+    fixed_version: "2.29.4"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
+
+  - package: handlebars
+    cve_id: CVE-2021-23358
+    severity: high
+    description: "Prototype Pollution in Handlebars"
+    affected_versions: "<4.7.7"
+    fixed_version: "4.7.7"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2021-23358"
+
+  - package: ejs
+    cve_id: CVE-2022-29078
+    severity: medium
+    description: "EJS template injection vulnerability"
+    affected_versions: "<3.1.9"
+    fixed_version: "3.1.9"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2022-29078"
+
+  # Common Python packages
+  - package: django
+    cve_id: CVE-2024-27351
+    severity: high
+    description: "Potential SQL injection in ArrayField and HStoreField"
+    affected_versions: "<5.0.4"
+    fixed_version: "5.0.4"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-27351"
+
+  - package: django
+    cve_id: CVE-2024-41989
+    severity: critical
+    description: "Potential denial-of-service in internationalized URLs"
+    affected_versions: "<5.0.7"
+    fixed_version: "5.0.7"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-41989"
+
+  - package: requests
+    cve_id: CVE-2024-35195
+    severity: medium
+    description: "Requests library authentication bypass via IDNA confusion"
+    affected_versions: "<2.32.0"
+    fixed_version: "2.32.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-35195"
+
+  - package: pillow
+    cve_id: CVE-2024-28219
+    severity: critical
+    description: "PIL/Pillow shell command injection via crafted BLP images"
+    affected_versions: "<10.3.0"
+    fixed_version: "10.3.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-28219"
+
+  - package: flask
+    cve_id: CVE-2024-49767
+    severity: medium
+    description: "Flask-Caching reverse proxy host header poisoning"
+    affected_versions: "<2.3.3"
+    fixed_version: "2.3.3"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-49767"
+
+  - package: werkzeug
+    cve_id: CVE-2024-49770
+    severity: medium
+    description: "Werkzeug multi-domain potential open redirect"
+    affected_versions: "<3.0.6"
+    fixed_version: "3.0.6"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-49770"
+
+  - package: numpy
+    cve_id: CVE-2024-4494
+    severity: high
+    description: "NumPy stack overflow in convolution"
+    affected_versions: "<1.26.4"
+    fixed_version: "1.26.4"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-4494"
+
+  - package: cryptography
+    cve_id: CVE-2024-26130
+    severity: critical
+    description: "Cryptography key leakage via ECDSA signature"
+    affected_versions: "<42.0.0"
+    fixed_version: "42.0.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-26130"
+
+  - package: jinja2
+    cve_id: CVE-2024-56326
+    severity: medium
+    description: "Jinja2 server-side template injection"
+    affected_versions: "<3.1.5"
+    fixed_version: "3.1.5"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-56326"
+
+  - package: tornado
+    cve_id: CVE-2024-4358
+    severity: high
+    description: "Tornado HTTP HEAD request vulnerability"
+    affected_versions: "<6.4.1"
+    fixed_version: "6.4.1"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-4358"
+
+  # Common Go packages
+  - package: golang.org/x/crypto
+    cve_id: CVE-2024-45338
+    severity: critical
+    description: "Golang crypto SSH server vulnerability"
+    affected_versions: "<0.31.0"
+    fixed_version: "0.31.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-45338"
+
+  - package: golang.org/x/net
+    cve_id: CVE-2024-45333
+    severity: high
+    description: "Golang net HTML sanitizer bypass"
+    affected_versions: "<0.33.0"
+    fixed_version: "0.33.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-45333"
+
+  - package: golang.org/x/text
+    cve_id: CVE-2024-45332
+    severity: high
+    description: "Golang text language tag parsing vulnerability"
+    affected_versions: "<0.20.0"
+    fixed_version: "0.20.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-45332"
+
+  # Common Rust packages
+  - package: tokio
+    cve_id: CVE-2024-32640
+    severity: high
+    description: "Tokio denial of service in HTTP server"
+    affected_versions: "<1.36.0"
+    fixed_version: "1.36.0"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-32640"
+
+  - package: serde
+    cve_id: CVE-2024-52944
+    severity: medium
+    description: "Serde YAML arbitrary code execution"
+    affected_versions: "<1.0.210"
+    fixed_version: "1.0.210"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-52944"
+
+  - package: actix-web
+    cve_id: CVE-2024-5188
+    severity: high
+    description: "Actix-web request smuggling vulnerability"
+    affected_versions: "<4.6.1"
+    fixed_version: "4.6.1"
+    references:
+      - "https://nvd.nist.gov/vuln/detail/CVE-2024-5188"
+
+version_warnings:
+  # Packages with known outdated versions
+  - package: lodash
+    message: "Consider upgrading to latest 4.x version"
+    min_safe: "4.17.21"
+
+  - package: moment
+    message: "Consider migrating to date-fns or dayjs"
+    min_safe: "2.29.4"
+
+  - package: express
+    message: "Ensure you're using 4.x series with latest patches"
+    min_safe: "4.19.2"
+
+  - package: axios
+    message: "Ensure you're on 1.x series with latest patches"
+    min_safe: "1.6.0"
+
+  - package: django
+    message: "Ensure you're on latest 4.x or 5.x with security patches"
+    min_safe: "5.0.7"
+
+  - package: requests
+    message: "Upgrade to 2.32.x for security fixes"
+    min_safe: "2.32.0"