{
  "repository": "https://github.com/apache/apisix",
  "commit_source": "image_build_metadata",
  "tested_via": "official_docker_images",
  "vulnerable_target": {
    "target_kind": "container_image",
    "image_ref": "apache/apisix:3.16.0-debian",
    "image_digest": "sha256:b921bdef3cfb2ca72e483d643f40e7843683ff8e188984489c2020f17654ee88",
    "version": "3.16.0",
    "release_tag": "3.16.0",
    "release_tag_commit_sha": "f9c4ee37170bdfe075c846973c1be65a582a0c4f",
    "fix_commit_present": false,
    "apisix_version_reported": "3.16.0",
    "display": "apache/apisix:3.16.0-debian (vulnerable; release tag 3.16.0 -> f9c4ee37; fix e4de423f NOT present)"
  },
  "fixed_target": {
    "target_kind": "container_image",
    "image_ref": "apache/apisix:3.17.0-debian",
    "image_digest": "sha256:6cbf65f3085d1386bfd636b7e88400c163c3641841909e674af7896a5766b092",
    "version": "3.17.0",
    "release_tag": "3.17.0",
    "release_tag_commit_sha": "9ef2ecab67f652d38365049613610ef649bb4ad0",
    "fix_commit_sha": "e4de423fc583fdf82f47a1dda6c666aa2f2b3dca",
    "fix_commit_present": true,
    "fix_ancestor_of_release": true,
    "apisix_version_reported": "3.17.0",
    "display": "apache/apisix:3.17.0-debian (fixed; release tag 3.17.0 -> 9ef2ecab; fix e4de423f present)"
  },
  "submitted_target": {
    "target_kind": "container_image",
    "version": "3.16.0",
    "ref": "apache/apisix:3.16.0-debian",
    "display": "apache/apisix:3.16.0-debian (APISIX 3.16.0, vulnerable)"
  },
  "variant_target": {
    "target_kind": "container_image",
    "commit_sha": "9ef2ecab67f652d38365049613610ef649bb4ad0",
    "version": "3.17.0",
    "ref": "apache/apisix:3.17.0-debian",
    "display": "apache/apisix:3.17.0-debian (APISIX 3.17.0, fixed)"
  },
  "version_resolution_method": "docker run --rm <image> apisix version -> 3.16.0 / 3.17.0; release tag commit sha resolved via git rev-list -n1 <tag> in the cached apache/apisix repo mirror; fix ancestry confirmed via git merge-base --is-ancestor e4de423f 3.17.0 (true) and e4de423f 3.16.0 (false).",
  "notes": "Both versions were tested side-by-side in the same script run (vulnerable first, then fixed with fresh etcd). The vulnerable image does NOT contain fix e4de423f; the fixed image DOES. Verdict: no bypass on the fixed target."
}
