```shell
# Run the spdx-to-osv tool, which takes SPDX SBOM information and maps it to OSV vulnerabilities
$ java -jar ./target/spdx-to-osv-0.0.4-SNAPSHOT-jar-with-dependencies.jar -I k8s-1.21.3-source.spdx -O out-k8s.1.21.3.json

# Show the OSV vulnerabilities output by the spdx-to-osv tool
$ cat out-k8s.1.21.3.json
…
{
  "id": "GHSA-w73w-5m7g-f7qc",
  "published": "2021-05-18T21:08:21Z",
  "modified": "2021-06-28T21:32:34Z",
  "aliases": [
    "CVE-2020-26160"
  ],
  "summary": "Authorization bypass in github.com/dgrijalva/jwt-go",
  "details": "jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to [golang-jwt](https://github.com/golang-jwt/jwt) at version 3.2.1",
  "affected": [
    {
      "package": {
        "name": "github.com/dgrijalva/jwt-go",
        "ecosystem": "Go",
        "purl": "pkg:golang/github.com/dgrijalva/jwt-go"
      },
…
```
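The raw OSV output above is one record per finding, which is awkward to act on when an SBOM lists hundreds of packages. The following script is an added example (not code from the spdx-to-osv project) that indexes OSV records by the affected package's purl and reports, for each SBOM package, every vulnerability ID and alias that names it. It assumes the tool's output file is a JSON array of OSV records; the single record below is constructed from the fields shown in the output above, and the SBOM purl list is a constructed sample.

```python
"""Summarise OSV records per affected SBOM package.

Added example, not part of spdx-to-osv. Assumes the tool's output file is a
JSON array of OSV records; a single object is tolerated as well.
"""
import json
from collections import defaultdict

# Constructed sample: one OSV record shaped like the tool's output above,
# trimmed to the fields this script reads.
OSV_OUTPUT = json.dumps([
    {
        "id": "GHSA-w73w-5m7g-f7qc",
        "published": "2021-05-18T21:08:21Z",
        "modified": "2021-06-28T21:32:34Z",
        "aliases": ["CVE-2020-26160"],
        "summary": "Authorization bypass in github.com/dgrijalva/jwt-go",
        "affected": [
            {
                "package": {
                    "name": "github.com/dgrijalva/jwt-go",
                    "ecosystem": "Go",
                    "purl": "pkg:golang/github.com/dgrijalva/jwt-go",
                }
            }
        ],
    }
])

# Constructed sample: purls of packages listed in the SBOM (hypothetical).
SBOM_PURLS = [
    "pkg:golang/github.com/dgrijalva/jwt-go",
    "pkg:golang/github.com/golang-jwt/jwt",
]


def index_by_purl(osv_json: str) -> dict:
    """Map each affected package purl to the OSV records that name it."""
    records = json.loads(osv_json)
    if isinstance(records, dict):  # tolerate a file holding a single record
        records = [records]
    index = defaultdict(list)
    for rec in records:
        for aff in rec.get("affected", []):
            purl = aff.get("package", {}).get("purl")
            if purl:
                index[purl].append(rec)
    return index


def report(osv_json: str, sbom_purls) -> dict:
    """Return {purl: sorted vulnerability ids (incl. aliases)} for SBOM
    packages that have at least one OSV finding."""
    index = index_by_purl(osv_json)
    out = {}
    for purl in sbom_purls:
        ids = []
        for rec in index.get(purl, []):
            ids.append(rec["id"])
            ids.extend(rec.get("aliases", []))
        if ids:
            out[purl] = sorted(set(ids))
    return out


if __name__ == "__main__":
    for purl, ids in report(OSV_OUTPUT, SBOM_PURLS).items():
        print(purl, "->", ", ".join(ids))
```

Aliases are folded into the per-package list on purpose: a triage ticket keyed on the CVE and a tool keyed on the GHSA ID should resolve to the same finding rather than being counted twice.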