{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:f94a9834-31f8-5999-95ab-7e792e723d33",
  "version": 1,
  "metadata": {
    "timestamp": "2026-08-16T14:03:32.000Z",
    "tools": [
      {
        "vendor": "Apex Platform",
        "name": "football-crm-vex-generator",
        "version": "1.0.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "pkg:npm/football-crm@1.0.0",
      "name": "football-crm",
      "version": "1.0.0"
    },
    "properties": [
      {
        "name": "security:sbomRef",
        "value": "public/sbom.cyclonedx.json"
      },
      {
        "name": "security:statementCount",
        "value": "8"
      },
      {
        "name": "security:lastReviewed",
        "value": "2026-05-13"
      }
    ]
  },
  "vulnerabilities": [
    {
      "bom-ref": "vex/CVE-2016-5195",
      "id": "CVE-2016-5195",
      "source": {
        "name": "OSV / kernel.org",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5195"
      },
      "ratings": [
        {
          "severity": "low",
          "method": "CVSSv3"
        }
      ],
      "description": "Dirty COW (historical reference)",
      "advisories": [
        {
          "url": "https://dirtycow.ninja/"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "protected_by_mitigating_control",
        "detail": "Dirty COW (historical reference) affects the host kernel of any system running our containers, CI runners, or self-hosted infra. We do not deploy our own kernel — Netlify Functions run on AWS-managed Lambda kernel (AWS patch cadence); GitHub Actions on GitHub-managed runner kernels; install-sandbox containers run on the host's kernel via Docker. Defence-in-depth: control #1 (ignore-scripts=true), control #13 (install-sandbox cap_drop ALL + default-deny egress proxy), control #21 (scan-host-kernel-cve.ts ratchets where our build surface intersects affected kernels). Application-layer defences: Reject any container base image whose implied kernel version is pre-4.8 — that is an EOL signal."
      },
      "affects": [
        {
          "ref": "pkg:npm/football-crm@1.0.0"
        }
      ]
    },
    {
      "bom-ref": "vex/CVE-2022-0847",
      "id": "CVE-2022-0847",
      "source": {
        "name": "OSV / kernel.org",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0847"
      },
      "ratings": [
        {
          "severity": "high",
          "method": "CVSSv3"
        }
      ],
      "description": "Dirty Pipe",
      "advisories": [
        {
          "url": "https://dirtypipe.cm4all.com/"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "protected_by_mitigating_control",
        "detail": "Dirty Pipe affects the host kernel of any system running our containers, CI runners, or self-hosted infra. We do not deploy our own kernel — Netlify Functions run on AWS-managed Lambda kernel (AWS patch cadence); GitHub Actions on GitHub-managed runner kernels; install-sandbox containers run on the host's kernel via Docker. Defence-in-depth: control #1 (ignore-scripts=true), control #13 (install-sandbox cap_drop ALL + default-deny egress proxy), control #21 (scan-host-kernel-cve.ts ratchets where our build surface intersects affected kernels). Application-layer defences: Container read-only rootfs (already enforced in our install-sandbox); Drop CAP_SYS_PTRACE + minimize setuid binaries in container images."
      },
      "affects": [
        {
          "ref": "pkg:npm/football-crm@1.0.0"
        }
      ]
    },
    {
      "bom-ref": "vex/CVE-2023-32233",
      "id": "CVE-2023-32233",
      "source": {
        "name": "OSV / kernel.org",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32233"
      },
      "ratings": [
        {
          "severity": "high",
          "method": "CVSSv3"
        }
      ],
      "description": "Netfilter nf_tables LPE",
      "advisories": [
        {
          "url": "https://github.com/Liuk3r/CVE-2023-32233"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "protected_by_mitigating_control",
        "detail": "Netfilter nf_tables LPE affects the host kernel of any system running our containers, CI runners, or self-hosted infra. We do not deploy our own kernel — Netlify Functions run on AWS-managed Lambda kernel (AWS patch cadence); GitHub Actions on GitHub-managed runner kernels; install-sandbox containers run on the host's kernel via Docker. Defence-in-depth: control #1 (ignore-scripts=true), control #13 (install-sandbox cap_drop ALL + default-deny egress proxy), control #21 (scan-host-kernel-cve.ts ratchets where our build surface intersects affected kernels). Application-layer defences: Drop CAP_NET_ADMIN in container security contexts; the exploit requires it."
      },
      "affects": [
        {
          "ref": "pkg:npm/football-crm@1.0.0"
        }
      ]
    },
    {
      "bom-ref": "vex/CVE-2024-1086",
      "id": "CVE-2024-1086",
      "source": {
        "name": "OSV / kernel.org",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1086"
      },
      "ratings": [
        {
          "severity": "high",
          "method": "CVSSv3"
        }
      ],
      "description": "nf_tables double-free / UAF",
      "advisories": [
        {
          "url": "https://pwning.tech/nftables/"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "protected_by_mitigating_control",
        "detail": "nf_tables double-free / UAF affects the host kernel of any system running our containers, CI runners, or self-hosted infra. We do not deploy our own kernel — Netlify Functions run on AWS-managed Lambda kernel (AWS patch cadence); GitHub Actions on GitHub-managed runner kernels; install-sandbox containers run on the host's kernel via Docker. Defence-in-depth: control #1 (ignore-scripts=true), control #13 (install-sandbox cap_drop ALL + default-deny egress proxy), control #21 (scan-host-kernel-cve.ts ratchets where our build surface intersects affected kernels). Application-layer defences: Container hardening — drop CAP_NET_ADMIN; that capability is required for nftables manipulation. PodSecurityStandards 'restricted' profile drops it by default."
      },
      "affects": [
        {
          "ref": "pkg:npm/football-crm@1.0.0"
        }
      ]
    },
    {
      "bom-ref": "vex/CVE-2024-21626",
      "id": "CVE-2024-21626",
      "source": {
        "name": "OSV / kernel.org",
        "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv"
      },
      "ratings": [
        {
          "severity": "critical",
          "method": "CVSSv3"
        }
      ],
      "description": "Leaky Vessels (runc container escape)",
      "advisories": [
        {
          "url": "https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "protected_by_mitigating_control",
        "detail": "Leaky Vessels (runc container escape) affects the host kernel of any system running our containers, CI runners, or self-hosted infra. We do not deploy our own kernel — Netlify Functions run on AWS-managed Lambda kernel (AWS patch cadence); GitHub Actions on GitHub-managed runner kernels; install-sandbox containers run on the host's kernel via Docker. Defence-in-depth: control #1 (ignore-scripts=true), control #13 (install-sandbox cap_drop ALL + default-deny egress proxy), control #21 (scan-host-kernel-cve.ts ratchets where our build surface intersects affected kernels). Application-layer defences: Limit which images can be run (signed-image-only policy); User namespaces remapping so even container-root is unprivileged on the host; AppArmor / SELinux confinement profile on every container."
      },
      "affects": [
        {
          "ref": "pkg:npm/football-crm@1.0.0"
        }
      ]
    },
    {
      "bom-ref": "vex/CVE-2026-31431",
      "id": "CVE-2026-31431",
      "source": {
        "name": "OSV / kernel.org",
        "url": "https://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/"
      },
      "ratings": [
        {
          "severity": "high",
          "method": "CVSSv3"
        }
      ],
      "description": "Copy Fail (algif_aead in-place AEAD)",
      "advisories": [
        {
          "url": "https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/"
        }
      ],
      "analysis": {
        "state": "not_affected",
        "justification": "protected_by_mitigating_control",
        "detail": "Copy Fail (algif_aead in-place AEAD) affects the host kernel of any system running our containers, CI runners, or self-hosted infra. We do not deploy our own kernel — Netlify Functions run on AWS-managed Lambda kernel (AWS patch cadence); GitHub Actions on GitHub-managed runner kernels; install-sandbox containers run on the host's kernel via Docker. Defence-in-depth: control #1 (ignore-scripts=true), control #13 (install-sandbox cap_drop ALL + default-deny egress proxy), control #21 (scan-host-kernel-cve.ts ratchets where our build surface intersects affected kernels). Application-layer defences: Prevent any application-layer RCE / command injection / deserialization / SSRF that could give an attacker local-shell foothold (every SecNav CWE agent contributes here); Container hardening — drop CAP_SYS_ADMIN, run as non-root, read-only rootfs, seccomp profile that blocks AF_ALG socket creation; If running in Kubernetes: PodSecurityStandards 'restricted' profile blocks AF_ALG socket creation by default."
      },
      "affects": [
        {
          "ref": "pkg:npm/football-crm@1.0.0"
        }
      ]
    },
    {
      "bom-ref": "vex/GHSA-p7fg-763f-g4gf",
      "id": "GHSA-p7fg-763f-g4gf",
      "source": {
        "name": "curated"
      },
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "detail": "Insecure default file permissions in Claude SDK's Local Filesystem Memory Tool. We do not enable the Local Filesystem Memory tool — our Anthropic SDK integration uses the API directly via the request/response pattern, not the agent-with-tools harness that owns the vulnerable filesystem-write path. The vulnerable function is therefore unreachable."
      },
      "advisories": [
        {
          "url": "https://osv.dev/GHSA-p7fg-763f-g4gf"
        },
        {
          "url": "https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-p7fg-763f-g4gf"
        }
      ],
      "affects": [
        {
          "ref": "pkg:npm/football-crm@1.0.0"
        }
      ]
    },
    {
      "bom-ref": "vex/GHSA-qx2v-qp2m-jg93",
      "id": "GHSA-qx2v-qp2m-jg93",
      "source": {
        "name": "curated"
      },
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "detail": "PostCSS XSS via unescaped </style> in stringified output. We use PostCSS only as a build-time transform (Tailwind + Autoprefixer pipeline in Vite); PostCSS's output is consumed by the Vite build chain, not rendered into user-facing HTML. The XSS sink requires PostCSS output to be inserted into a live DOM via innerHTML or similar — we never do this. PostCSS is a build dependency, not a runtime dependency in our deployed bundle."
      },
      "advisories": [
        {
          "url": "https://osv.dev/GHSA-qx2v-qp2m-jg93"
        }
      ],
      "affects": [
        {
          "ref": "pkg:npm/football-crm@1.0.0"
        }
      ]
    }
  ]
}
