{ "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "metadata": { "component": { "bom-ref": "pkg:oci/devguard@main?arch=amd64&repository_url=ghcr.io%2Fl3montree-dev%2Fdevguard&tag=main-amd64", "type": "application", "name": "pkg:oci/devguard@main?arch=amd64&repository_url=ghcr.io%2Fl3montree-dev%2Fdevguard&tag=main-amd64", "purl": "pkg:oci/devguard@main?arch=amd64&repository_url=ghcr.io%2Fl3montree-dev%2Fdevguard&tag=main-amd64" } }, "components": [ { "bom-ref": "pkg:golang/github.com/cloudflare/golz4@v0.0.0-20150217214814-ef862a3cdc58", "type": "library", "name": "golz4", "version": "v0.0.0-20150217214814-ef862a3cdc58", "purl": "pkg:golang/github.com/cloudflare/golz4@v0.0.0-20150217214814-ef862a3cdc58" }, { "bom-ref": "pkg:golang/github.com/jackc/pgproto3/v2@v2.3.3", "type": "library", "name": "v2", "version": "v2.3.3", "purl": "pkg:golang/github.com/jackc/pgproto3/v2@v2.3.3" }, { "bom-ref": "pkg:oci/devguard@main?arch=amd64&repository_url=ghcr.io%2Fl3montree-dev%2Fdevguard&tag=main-amd64", "type": "application", "name": "pkg:oci/devguard@main?arch=amd64&repository_url=ghcr.io%2Fl3montree-dev%2Fdevguard&tag=main-amd64", "purl": "pkg:oci/devguard@main?arch=amd64&repository_url=ghcr.io%2Fl3montree-dev%2Fdevguard&tag=main-amd64" } ], "externalReferences": [ { "url": "https://api.main.devguard.org/api/v1/public/e1f24270-6e68-4571-9168-9c151c639c97/refs/main/artifacts/pkg%3Aoci%2Fdevguard%3Frepository_url%3Dghcr.io%2Fl3montree-dev%2Fdevguard%26arch%3Damd64%26tag%3Dmain-amd64/vex.json/", "comment": "Up to date Vulnerability exploitability information.", "type": "exploitability-statement" }, { "url": "https://api.main.devguard.org/api/v1/public/e1f24270-6e68-4571-9168-9c151c639c97/refs/main/artifacts/pkg%3Aoci%2Fdevguard%3Frepository_url%3Dghcr.io%2Fl3montree-dev%2Fdevguard%26arch%3Damd64%26tag%3Dmain-amd64/sbom.json/", "comment": "Software bill of materials.", "type": "bom" }, { "url": "https://main.devguard.org/l3montree-cybersecurity/projects/devguard/assets/devguard/refs/main?artifact=pkg%3Aoci%2Fdevguard%3Frepository_url%3Dghcr.io%2Fl3montree-dev%2Fdevguard%26arch%3Damd64%26tag%3Dmain-amd64", "comment": "Dynamic analysis report", "type": "dynamic-analysis-report" } ], "dependencies": [ { "ref": "pkg:golang/github.com/cloudflare/golz4@v0.0.0-20150217214814-ef862a3cdc58", "dependsOn": [] }, { "ref": "pkg:golang/github.com/jackc/pgproto3/v2@v2.3.3", "dependsOn": [] }, { "ref": "pkg:oci/devguard@main?arch=amd64&repository_url=ghcr.io%2Fl3montree-dev%2Fdevguard&tag=main-amd64", "dependsOn": [ "pkg:golang/github.com/jackc/pgproto3/v2@v2.3.3", "pkg:golang/github.com/cloudflare/golz4@v0.0.0-20150217214814-ef862a3cdc58" ] } ], "vulnerabilities": [ { "id": "GO-2026-4518", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/GO-2026-4518" }, "ratings": [ { "score": -1, "severity": "low", "method": "CVSSv4" }, { "score": 0, "severity": "low", "method": "DevGuard", "justification": "{\"availabilityRequirement\":\"H\",\"baseScore\":-1,\"confidentialityRequirement\":\"H\",\"epss\":0.00058,\"exploitExists\":false,\"integrityRequirement\":\"H\",\"risk\":0,\"underAttack\":false,\"vector\":\"\",\"verifiedExploitExists\":false}" } ], "analysis": { "state": "in_triage", "firstIssued": "2026-04-08T04:45:09Z", "lastUpdated": "2026-04-08T04:45:09Z" }, "affects": [ { "ref": "pkg:golang/github.com/jackc/pgproto3/v2@v2.3.3" } ] }, { "id": "GHSA-jqcq-xjh3-6g23", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/GHSA-jqcq-xjh3-6g23" }, "ratings": [ { "score": 7.5, "severity": "high", "method": "CVSSv31", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "score": 4.25, "severity": "medium", "method": "DevGuard", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RC:C/CR:H/IR:H/AR:H", "justification": "{\"availabilityRequirement\":\"H\",\"baseScore\":7.5,\"confidentialityRequirement\":\"H\",\"epss\":0.00058,\"exploitExists\":false,\"integrityRequirement\":\"H\",\"risk\":4.25,\"underAttack\":false,\"vector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RC:C/CR:H/IR:H/AR:H\",\"verifiedExploitExists\":false}" } ], "analysis": { "state": "exploitable", "response": [ "will_not_fix" ], "detail": "We are accepting this risk since we provide our PostgreSQL Server Image. Besides that if the PostgreSQL is already compromised, there is nothing to secure at all. ", "firstIssued": "2026-04-08T13:35:47Z", "lastUpdated": "2026-04-10T13:49:16Z" }, "affects": [ { "ref": "pkg:golang/github.com/jackc/pgproto3/v2@v2.3.3" } ], "properties": [ { "name": "firstResponded", "value": "2026-04-08T13:42:43Z" } ] }, { "id": "GHSA-4wp2-8rm2-jgmh", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/GHSA-4wp2-8rm2-jgmh" }, "ratings": [ { "score": 9.8, "severity": "critical", "method": "CVSSv31", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "score": 4.53, "severity": "medium", "method": "DevGuard", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:C/CR:H/IR:H/AR:H", "justification": "{\"availabilityRequirement\":\"H\",\"baseScore\":9.800000190734863,\"confidentialityRequirement\":\"H\",\"epss\":0.00874,\"exploitExists\":false,\"integrityRequirement\":\"H\",\"risk\":4.53,\"underAttack\":false,\"vector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RC:C/CR:H/IR:H/AR:H\",\"verifiedExploitExists\":false}" } ], "analysis": { "state": "false_positive", "response": [ "will_not_fix" ], "detail": "Marked as false positive via dependency graph: No Vulnerable Code", "firstIssued": "2026-04-01T15:11:50Z", "lastUpdated": "2026-04-01T15:11:50Z" }, "affects": [ { "ref": "pkg:golang/github.com/cloudflare/golz4@v0.0.0-20150217214814-ef862a3cdc58" } ], "properties": [ { "name": "devguard:pathPattern", "value": "[\"*\",\"pkg:golang/github.com/cloudflare/golz4@v0.0.0-20150217214814-ef862a3cdc58\",\"*\"]" }, { "name": "devguard:pathPattern", "value": "[\"pkg:golang/github.com/cloudflare/golz4@v0.0.0-20150217214814-ef862a3cdc58\",\"*\"]" }, { "name": "firstResponded", "value": "2026-04-01T15:11:50Z" } ] }, { "id": "GO-2020-0022", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/GO-2020-0022" }, "ratings": [ { "score": -1, "severity": "low", "method": "CVSSv4" }, { "score": 0, "severity": "low", "method": "DevGuard", "justification": "{\"availabilityRequirement\":\"H\",\"baseScore\":-1,\"confidentialityRequirement\":\"H\",\"epss\":0.00874,\"exploitExists\":false,\"integrityRequirement\":\"H\",\"risk\":0,\"underAttack\":false,\"vector\":\"\",\"verifiedExploitExists\":false}" } ], "analysis": { "state": "in_triage", "firstIssued": "2026-03-06T18:43:26Z", "lastUpdated": "2026-04-08T13:24:38Z" }, "affects": [ { "ref": "pkg:golang/github.com/cloudflare/golz4@v0.0.0-20150217214814-ef862a3cdc58" } ], "properties": [ { "name": "firstResponded", "value": "2026-03-26T05:28:36Z" } ] } ] }