{
  "repository": "splunk/splunk",
  "commit_source": "image_build_metadata",
  "commit_sha": "sha256:e47c0e002bd7f9f0ac38dd32a121ee542ab8b98c8042999ea64437be48e24d4b",
  "submitted_target": {
    "target_kind": "docker_image",
    "commit_sha": "sha256:f3c444ec113bba9456e4ac0879d92503072f3b09721bef97a19637954328d6fd",
    "version": "10.0.6",
    "ref": "10.0.6",
    "display": "splunk/splunk:10.0.6 (vulnerable)"
  },
  "variant_target": {
    "target_kind": "docker_image",
    "commit_sha": "sha256:e47c0e002bd7f9f0ac38dd32a121ee542ab8b98c8042999ea64437be48e24d4b",
    "version": "10.0.7",
    "ref": "10.0.7",
    "display": "splunk/splunk:10.0.7 (fixed - bypass target)"
  },
  "notes": "Splunk Enterprise is closed-source; source identity is determined from the official Docker image digest. The vulnerable image is splunk/splunk:10.0.6 (sha256:f3c444ec113bba9456e4ac0879d92503072f3b09721bef97a19637954328d6fd). The fixed/bypass-target image is splunk/splunk:10.0.7 (sha256:e47c0e002bd7f9f0ac38dd32a121ee542ab8b98c8042999ea64437be48e24d4b). The postgres sidecar package version in the fixed build is 8a372c04-20260422t100430 (from manifest.json). Image digests were obtained via 'docker image inspect splunk/splunk:10.0.7 --format={{.Id}}' and confirmed via 'docker inspect --format={{.Image}} splunk-fixed-v'."
}
