基础信息
项目名称:XiaoMi/soar
项目徽章:
仓库地址:https://github.com/pterodactyl/panel
检测报告地址:https://www.murphysec.com/console/report/1719953582588739584/1719953584438427648
此报告由Murphysec提供
漏洞列表
| 漏洞名称 | 漏洞类型 | MPS编号 | CVE编号 | 漏洞等级 |
|---|---|---|---|---|
| vitess.io/vitess 存在跨站脚本漏洞 | XSS | MPS-2022-13515 | 中危 | |
| PingCAP TiDB 格式化字符串错误漏洞 | 使用外部控制的格式字符串 | MPS-2022-56135 | CVE-2022-3023 | 严重 |
| Google Go 权限许可和访问控制问题漏洞 | 权限管理不当 | MPS-2022-9049 | CVE-2022-29526 | 中危 |
| Vitess 安全漏洞 | MPS-2023-9400 | CVE-2023-29194 | 低危 | |
| Vitess 安全漏洞 | MPS-2023-9401 | CVE-2023-29195 | 中危 |
缺陷组件
| 组件名称 | 版本 | 最小修复版本 | 依赖关系 | 修复建议 |
|---|---|---|---|---|
| github.com/pingcap/tidb | v1.1.0-beta.0.20210601085537-5d7c852770eb | 直接依赖 | 建议修复 | |
| golang.org/x/sys | v0.0.0-20210601080250-7ecdf8ef093b | 0.1.0 | 间接依赖 | 可选修复 |
| vitess.io/vitess | v0.0.0-20200325000816-eda961851d63 | 10.0.0-rc1 | 直接依赖 | 可选修复 |
许可证风险
| 许可证类型 | 相关组件 | 许可证风险 |
|---|---|---|
| MIT | 26 | 低 |
| BSD-2-Clause | 6 | 低 |
| BSD-3-Clause | 11 | 低 |
| Apache-2.0 | 13 | 低 |
| ICU | 1 | 低 |
| CC0-1.0 | 1 | 低 |
| MPL-2.0 | 6 | 低 |
| BSD-2-Clause-Views | 1 | 低 |
| ISC | 1 | 低 |
SBOM清单
| 组件名称 | 组件版本 | 是否直接依赖 | 仓库 |
|---|---|---|---|
| github.com/tidwall/gjson | v1.12.1 | 直接依赖 | go |
| gopkg.in/warnings.v0 | v0.1.2 | 间接依赖 | go |
| github.com/percona/go-mysql | v0.0.0-20210427141028-73d29c6da78c | 直接依赖 | go |
| golang.org/x/text | v0.3.6 | 间接依赖 | go |
| github.com/gedex/inflector | v0.0.0-20170307190818-16278e9db813 | 直接依赖 | go |
| github.com/astaxie/beego | v1.12.3 | 直接依赖 | go |
| github.com/go-martini/martini | v0.0.0-20170121215854-22fa46961aab | 间接依赖 | go |
| github.com/pingcap/tidb | v1.1.0-beta.0.20210601085537-5d7c852770eb | 直接依赖 | go |
| github.com/martini-contrib/render | v0.0.0-20150707142108-ec18f8345a11 | 间接依赖 | go |
| github.com/mitchellh/go-ps | v1.0.0 | 间接依赖 | go |
| github.com/saintfish/chardet | v0.0.0-20120816061221-3af4cd4741ca | 直接依赖 | go |
| github.com/kr/pretty | v0.2.1 | 直接依赖 | go |
| github.com/dchest/uniuri | v0.0.0-20200228104902-7aecb25e1fe5 | 直接依赖 | go |
| golang.org/x/lint | v0.0.0-20200302205851-738671d3881b | 间接依赖 | go |
| vitess.io/vitess | v0.0.0-20200325000816-eda961851d63 | 直接依赖 | go |
| github.com/shirou/gopsutil | v3.21.2+incompatible | 间接依赖 | go |
| go.uber.org/multierr | v1.7.0 | 间接依赖 | go |
| github.com/google/shlex | v0.0.0-20191202100458-e7afc7fbc510 | 间接依赖 | go |
| github.com/mitchellh/go-testing-interface | v1.14.0 | 间接依赖 | go |
| github.com/Azure/go-autorest/autorest | v0.10.0 | 间接依赖 | go |
| github.com/martini-contrib/gzip | v0.0.0-20151124214156-6c035326b43f | 间接依赖 | go |
| github.com/konsorten/go-windows-terminal-sequences | v1.0.3 | 间接依赖 | go |
| github.com/aquarapid/vaultlib | v0.5.1 | 间接依赖 | go |
| github.com/looplab/fsm | v0.2.0 | 间接依赖 | go |
| github.com/codegangsta/inject | v0.0.0-20150114235600-33e0aa1cb7c0 | 间接依赖 | go |
| github.com/mitchellh/mapstructure | v1.2.3 | 间接依赖 | go |
| github.com/samuel/go-zookeeper | v0.0.0-20200724154423-2164a8ac840e | 间接依赖 | go |
| github.com/go-sql-driver/mysql | v1.6.0 | 直接依赖 | go |
| github.com/klauspost/pgzip | v1.2.4 | 间接依赖 | go |
| github.com/rcrowley/go-metrics | v0.0.0-20200313005456-10cdbea86bc0 | 间接依赖 | go |
| github.com/pingcap/tipb | v0.0.0-20210601083426-79a378b6d1c4 | 间接依赖 | go |
| github.com/spyzhov/ajson | v0.4.2 | 间接依赖 | go |
| github.com/spf13/cobra | v1.1.1 | 间接依赖 | go |
| gopkg.in/gcfg.v1 | v1.2.3 | 间接依赖 | go |
| github.com/buger/jsonparser | v1.1.1 | 间接依赖 | go |
| github.com/pingcap/parser | v0.0.0-20210525032559-c37778aff307 | 直接依赖 | go |
| github.com/sjmudd/stopwatch | v0.0.0-20170613150411-f380bf8a9be1 | 间接依赖 | go |
| github.com/Azure/azure-storage-blob-go | v0.10.0 | 间接依赖 | go |
| golang.org/x/sys | v0.0.0-20210601080250-7ecdf8ef093b | 间接依赖 | go |
| github.com/gorilla/handlers | v1.5.1 | 间接依赖 | go |
| github.com/hashicorp/consul/api | v1.5.0 | 间接依赖 | go |
| github.com/martini-contrib/auth | v0.0.0-20150219114609-fa62c19b7ae8 | 间接依赖 | go |
| gopkg.in/yaml.v2 | v2.4.0 | 直接依赖 | go |
| github.com/montanaflynn/stats | v0.6.3 | 间接依赖 | go |
| github.com/hashicorp/go-uuid | v1.0.2 | 间接依赖 | go |
| github.com/hashicorp/go-immutable-radix | v1.1.0 | 间接依赖 | go |
| github.com/planetscale/pargzip | v0.0.0-20201116224723-90c7fc03ea8a | 间接依赖 | go |
| github.com/howeyc/gopass | v0.0.0-20190910152052-7cb4b85ec19c | 间接依赖 | go |
| github.com/gorilla/mux | v1.8.0 | 间接依赖 | go |
| github.com/hashicorp/go-sockaddr | v1.0.2 | 间接依赖 | go |
| github.com/hashicorp/serf | v0.9.2 | 间接依赖 | go |
| go.uber.org/zap | v1.17.0 | 间接依赖 | go |
| github.com/pingcap/pd/v4 | v4.0.0-beta.1.0.20200305072537-61d9f9cc35d3 | 间接依赖 | go |
| github.com/oxtoacart/bpool | v0.0.0-20190530202638-03653db5a59c | 间接依赖 | go |
| github.com/patrickmn/go-cache | v2.1.0+incompatible | 间接依赖 | go |
| github.com/cyberdelia/go-metrics-graphite | v0.0.0-20161219230853-39f87cc3b432 | 间接依赖 | go |
| github.com/pingcap/log | v0.0.0-20210317133921-96f4fcab92a4 | 间接依赖 | go |
| github.com/russross/blackfriday | v1.6.0 | 直接依赖 | go |
| github.com/olekukonko/tablewriter | v0.0.5-0.20200416053754-163badb3bac6 | 间接依赖 | go |
| github.com/CorgiMan/json2 | v0.0.0-20150213135156-e72957aba209 | 直接依赖 | go |
| github.com/golang/protobuf | v1.5.2 | 间接依赖 | go |
| github.com/sirupsen/logrus | v1.8.1 | 间接依赖 | go |
| github.com/jeremywohl/flatten | v0.0.0-20190921043622-d936035e55cf | 间接依赖 | go |