initial commit for EKS Go vulnerability management tracking (#1132)

* initial commit for EKS Go automated vulnerability management * Update projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json * Update projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json * add product identifier section for hash to vex doc * Update projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json * make json valid for vex * Update projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json * simplify vex document for testing
aws · Sep 26, 2023 · 18f5e98 · 18f5e98
1 parent 6125cd1
commit 18f5e98
Showing 1 changed file with 101 additions and 0 deletions.
diff --git a/projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json b/projects/golang/go/VulnerabilityManagement/eks-distro-golang-vex.json
@@ -0,0 +1,101 @@
+{
+  "document": {
+    "category": "csaf_vex",
+    "csaf_version": "2.0",
+    "notes": [
+      {
+        "category": "summary",
+        "text": "VEX Document for AWS EKS Distribution Golang.",
+        "title": "EKS Golnag VEX"
+      }
+    ],
+    "publisher": {
+      "category": "vendor",
+      "name": "Amazon Web Services Inc",
+      "namespace": "https://aws.amazon.com/"
+    },
+    "title": "Vulnerability Tracking Document for AWS EKS Distro Golang",
+    "tracking": {
+      "current_release_date": "2023-08-28T11:00:00Z",
+      "id": "2023-08-EKS-D-GO",
+      "initial_release_date": "2023-08-28T11:00:00Z",
+      "revision_history": [
+        {
+          "date": "2023-08-28T11:00:00Z",
+          "number": "1",
+          "summary": "Initial version."
+        }
+      ],
+      "status": "draft",
+      "version": "1"
+    }
+  },
+  "product_tree": {
+    "category": "vendor",
+    "name": "Amazon Web Services Inc",
+    "branches": [
+      {
+        "category": "product_name",
+        "name": "eks-distro-golang",
+        "branches": [
+          {
+            "category": "product_version",
+            "name": "v1.18.10-eks-8",
+            "product": {
+              "product_id": "eks-distro-golang:v1-18-10-eks-8",
+              "name": "Amazon EKS Distribution Golang version v1.18.10 EKS Release 8"
+            }
+          },
+          {
+            "category": "product_version",
+            "name": "v1.19.12-eks-9",
+            "product": {
+              "product_id": "eks-distro-golang:v1-19-12-eks-9",
+              "name": "Amazon EKS Distribution Golang version v1.19.12 EKS Release 9"
+            }
+          },
+          {
+            "category": "product_version",
+            "name": "v1.20.7-eks-8",
+            "product": {
+              "product_id": "eks-distro-golang:v1-20-7-eks-8",
+              "name": "Amazon EKS Distribution Golang version v1.20.7 EKS release 8"
+            }
+          },
+          {
+            "category": "product_version",
+            "name": "v1.21.0-eks-0",
+            "product": {
+              "product_id": "eks-distro-golang:v1-21-0",
+              "name": "Amazon EKS Distribution Golang version v1.21.0 EKS release 0"
+            }
+          }
+        ]
+      }
+    ]
+  },
+  "vulnerabilities": [
+    {
+      "cve": "CVE-2022-41723",
+      "notes": [
+        {
+          "category": "description",
+          "text": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.",
+          "title": "CVE description"
+        }
+      ],
+      "product_status": {
+        "fixed": [
+          "eks-distro-golang:v1-18-10-eks-8"
+        ]
+      },
+      "references": [
+        {
+          "category": "external",
+          "summary": "NVD - CVE-2022-41723",
+          "url": "https://nvd.nist.gov/vuln/detail/cve-2022-41723"
+        }
+      ]
+    }
+  ]
+}