cosign.advisories.yaml

schema-version: 2.0.2

package:
  name: cosign

advisories:
  - id: CVE-2007-2233
    aliases:
      - GHSA-j44r-c574-p2hv
    events:
      - timestamp: 2023-06-05T17:08:31Z
        type: false-positive-determination
        data:
          type: component-vulnerability-mismatch
          note: The vulnerability is in an ancient CGI script of the same name

  - id: CVE-2023-39325
    aliases:
      - GHSA-4374-p667-p6c8
    events:
      - timestamp: 2023-10-13T16:46:16Z
        type: fixed
        data:
          fixed-version: 2.2.0-r5

  - id: CVE-2023-3978
    aliases:
      - GHSA-2wrh-6pvc-2jm9
    events:
      - timestamp: 2023-10-13T16:47:39Z
        type: fixed
        data:
          fixed-version: 2.2.0-r5

  - id: CVE-2023-44487
    aliases:
      - GHSA-m425-mq94-257g
      - GHSA-qppj-fm5r-hxr3
    events:
      - timestamp: 2023-11-03T14:45:34Z
        type: fixed
        data:
          fixed-version: 2.2.0-r6

  - id: CVE-2023-45283
    aliases:
      - GHSA-vvjp-q62m-2vph
    events:
      - timestamp: 2023-11-07T19:25:11Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-included-in-package
          note: Only affects Windows

  - id: CVE-2023-45284
    aliases:
      - GHSA-rq3x-83w4-p28c
    events:
      - timestamp: 2023-11-07T19:25:14Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-included-in-package
          note: Only affects Windows

  - id: CVE-2023-46737
    aliases:
      - GHSA-vfp6-jrw2-99g9
    events:
      - timestamp: 2023-11-07T13:58:13Z
        type: fixed
        data:
          fixed-version: 2.2.1-r0

  - id: CVE-2023-48795
    aliases:
      - GHSA-45x7-px36-x8w8
    events:
      - timestamp: 2023-12-20T05:09:06Z
        type: fixed
        data:
          fixed-version: 2.2.2-r1

  - id: GHSA-2c7c-3mj9-8fqh
    events:
      - timestamp: 2023-11-23T08:31:39Z
        type: fixed
        data:
          fixed-version: 2.2.1-r1

  - id: GHSA-9763-4f94-gfch
    events:
      - timestamp: 2024-01-12T07:28:15Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: cosign
            componentID: 492e699bde6e5f1b
            componentName: github.com/cloudflare/circl
            componentVersion: v1.3.5
            componentType: go-module
            componentLocation: /usr/bin/cosign
            scanner: grype
      - timestamp: 2024-01-25T07:04:37Z
        type: fixed
        data:
          fixed-version: 2.2.2-r2

  - id: GHSA-jq35-85cj-fj4p
    events:
      - timestamp: 2023-10-31T20:03:42Z
        type: false-positive-determination
        data:
          type: vulnerable-code-not-included-in-package
          note: This vulnerability is in the container runtime itself, not clients of the container runtime.