add sqlite cves

Signed-off-by: Weston Steimel <[email protected]>

Author: westonsteimel

Diff for: data/anchore/2025/CVE-2025-29088.json

@@ -0,0 +1,45 @@
+{
+  "additionalMetadata": {
+    "cna": "mitre",
+    "cveId": "CVE-2025-29088",
+    "description": "In SQLite 3.49.0 before 3.49.1, certain argument values to sqlite3_db_config (in the C-language API) can cause a denial of service (application crash). An sz*nBig multiplication is not cast to a 64-bit integer, and consequently some memory allocations may be incorrect.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://gist.github.com/ylwango613/d3883fb9f6ba8a78086356779ce88248",
+      "https://github.com/sqlite/sqlite/commit/56d2fd008b108109f489339f5fd55212bb50afd4",
+      "https://sqlite.org/forum/forumpost/48f365daec",
+      "https://sqlite.org/releaselog/3_49_1.html",
+      "https://www.sqlite.org/cves.html"
+    ],
+    "upstream": {
+      "datePublished": "2025-04-10T00:00:00.000Z",
+      "dateReserved": "2025-03-11T00:00:00.000Z",
+      "dateUpdated": "2025-04-14T13:56:32.775Z",
+      "digest": "a37214b85b201b2b9825db727a976e3c199215737b11f72e6ef7ed9b37002c99"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "cpes": [
+          "cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*"
+        ],
+        "product": "SQLite",
+        "repo": "https://sqlite.org/src",
+        "vendor": "SQLite",
+        "versions": [
+          {
+            "lessThan": "3.49.1",
+            "status": "affected",
+            "version": "3.49.0",
+            "versionType": "semver"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}

Diff for: data/anchore/2025/CVE-2025-3277.json

@@ -0,0 +1,46 @@
+{
+  "additionalMetadata": {
+    "cna": "google",
+    "cveId": "CVE-2025-3277",
+    "description": "An integer overflow can be triggered in SQLite’s `concat_ws()` function. The resulting, truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size and thus a wild Heap Buffer overflow of size ~4GB can be triggered. This can result in arbitrary code execution.",
+    "reason": "Added CPE configurations because not yet analyzed by NVD.",
+    "references": [
+      "https://sqlite.org/src/info/498e3f1cf57f164f"
+    ],
+    "upstream": {
+      "datePublished": "2025-04-14T16:50:48.902Z",
+      "dateReserved": "2025-04-04T14:24:39.857Z",
+      "dateUpdated": "2025-04-14T18:07:24.569Z",
+      "digest": "c6301342a581e109b3859701000aca03c75d5ae07cbb71da44f8ca23557863c0"
+    }
+  },
+  "adp": {
+    "affected": [
+      {
+        "cpes": [
+          "cpe:2.3:a:sqlite:sqlite:*:*:*:*:*:*:*:*"
+        ],
+        "product": "SQLite",
+        "programRoutines": [
+          {
+            "name": "concat_ws"
+          }
+        ],
+        "repo": "https://sqlite.org/src",
+        "vendor": "SQLite",
+        "versions": [
+          {
+            "lessThan": "3.49.1",
+            "status": "affected",
+            "version": "0",
+            "versionType": "custom"
+          }
+        ]
+      }
+    ],
+    "providerMetadata": {
+      "orgId": "00000000-0000-4000-8000-000000000000",
+      "shortName": "anchoreadp"
+    }
+  }
+}