{
  "repository": "kestra-io/kestra",
  "commit_source": "git_rev_parse_and_image_version",
  "commit_sha_vulnerable_tested": "3cf9c7f5cc29eea76d90d692603f811499948a9f",
  "commit_sha_fixed_tested": "9225d093663e47d8e4cb3ed3969c80f7575a8817",
  "fix_commit_sha": "28ff533d85e6c977e209f90e87e8523d0f8888eb",
  "vulnerable_version": "1.0.44",
  "fixed_version": "1.0.45",
  "latest_1_0_version_checked": "1.0.49",
  "submitted_target": {
    "target_kind": "docker_image",
    "version": "1.0.44",
    "ref": "kestra/kestra:v1.0.44",
    "display": "kestra/kestra:v1.0.44 (git tag v1.0.44 -> 3cf9c7f5cc29eea76d90d692603f811499948a9f)"
  },
  "variant_target": {
    "target_kind": "docker_image",
    "commit_sha": "9225d093663e47d8e4cb3ed3969c80f7575a8817",
    "version": "1.0.45",
    "ref": "kestra/kestra:v1.0.45",
    "display": "kestra/kestra:v1.0.45 (git tag v1.0.45 -> 9225d093663e47d8e4cb3ed3969c80f7575a8817; fix 28ff533d8 is an ancestor)"
  },
  "image_version_self_report": {
    "v1.0.44": "1.0.44",
    "v1.0.45": "1.0.45"
  },
  "image_labels": {
    "v1.0.44": {"org.opencontainers.image.version": "22.04"},
    "v1.0.45": {"org.opencontainers.image.version": "22.04"}
  },
  "fix_ancestry": {
    "is_ancestor_of_v1.0.45": true,
    "is_ancestor_of_v1.0.44": false
  },
  "source_repo_local_path": "/data/pruva/project-cache/442a8ab0-ac47-498f-b695-2ef0bd28250d/repo",
  "notes": "Both official Docker images were pulled and their self-reported --version output (1.0.44 / 1.0.45) was confirmed. Git tag -> commit resolution was performed from the local repo mirror. The fix commit 28ff533d85e6c977e209f90e87e8523d0f8888eb is confirmed to be an ancestor of v1.0.45 (fixed) and NOT of v1.0.44 (vulnerable). The isOpenUrl branch and the default open-urls (including /api/v1/executions/webhook/) are byte-identical in v1.0.49, confirming the defense-in-depth gap persists in the latest 1.0.x release."
}
