@conikeec
Created June 5, 2019 21:43
# import the SCA package within the scope of the Ocular session
ocular> import $file.scripts.sca
# get CVEs associated with the project's bill of materials (JSON format)
ocular> sca.getCve(cpg)
.....
.....
}, {
"groupId" : "com.fasterxml.jackson.core",
"artifactId" : "jackson-databind",
"version" : "2.8.7",
"isImported" : true,
"details" : [ {
"coordinates" : "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.7",
"description" : "General data-binding functionality for Jackson: works on core streaming API",
"reference" : "https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.7",
"vulnerabilities" : [ {
"id" : "1205a1ec-0837-406f-b081-623b9fb02992",
"title" : "[CVE-2017-15095] Deserialization of Untrusted Data",
"description" : "A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.",
"cvssScore" : 9.8,
"cvssVector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cve" : "CVE-2017-15095",
"reference" : "https://ossindex.sonatype.org/vuln/1205a1ec-0837-406f-b081-623b9fb02992"
}, {
"id" : "b85a00e3-7d9b-49cf-9b19-b73f8ee60275",
"title" : "[CVE-2017-17485] Improper Control of Generation of Code (\"Code Injection\")",
"description" : "FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.",
......