chore: update security scan results

    - Updated scan data from workflow run 7
    - Scan mode: git-only
    - Total scanned: 42
    - Total vulnerabilities: 260

Author: actions-user

data/release_v5.0-d9f9b7d8ed.json

@@ -1,15 +1,46 @@
 {
   "release_version": "release/v5.0-d9f9b7d8ed",
-  "scan_date": "2025-07-17T00:29:07.646483Z",
+  "scan_date": "2025-07-18T00:28:47.611912Z",
   "tool_version": "0.20.1",
   "total_components": 0,
-  "vulnerabilities": [],
+  "vulnerabilities": [
+    {
+      "cve_id": "CVE-2025-49600",
+      "component": "mbed_tls",
+      "component_version": "3.6.3",
+      "severity": "MEDIUM",
+      "score": "4.9",
+      "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
+      "description": "In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of the internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value are not checked. These functions return an integer that indicates whether the call succeeded or not. If a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized, and the result of the signature verification is unpredictable. When the software implementation of SHA-256 is used, these functions will not fail. However, with hardware-accelerated hashing, an attacker could use fault injection against the accelerator to bypass verification.",
+      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-49600"
+    },
+    {
+      "cve_id": "CVE-2025-49601",
+      "component": "mbed_tls",
+      "component_version": "3.6.3",
+      "severity": "MEDIUM",
+      "score": "4.8",
+      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
+      "description": "In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtls_lms_import_public_key allows context-dependent attackers to trigger a crash or limited adjacent-memory disclosure by supplying a truncated LMS (Leighton-Micali Signature) public-key buffer under four bytes. An LMS public key starts with a 4-byte type indicator. The function mbedtls_lms_import_public_key reads this type indicator before validating the size of its input.",
+      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-49601"
+    },
+    {
+      "cve_id": "CVE-2025-52497",
+      "component": "mbed_tls",
+      "component_version": "3.6.3",
+      "severity": "MEDIUM",
+      "score": "4.8",
+      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
+      "description": "Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.",
+      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-52497"
+    }
+  ],
   "summary": {
-    "total_vulnerabilities": 0,
+    "total_vulnerabilities": 3,
     "by_severity": {
       "CRITICAL": 0,
       "HIGH": 0,
-      "MEDIUM": 0,
+      "MEDIUM": 3,
       "LOW": 0
     }
   },

data/release_v5.1-700330da07.json

@@ -1,6 +1,6 @@
 {
   "release_version": "release/v5.1-700330da07",
-  "scan_date": "2025-07-17T00:29:17.546214Z",
+  "scan_date": "2025-07-18T00:29:17.434900Z",
   "tool_version": "0.20.1",
   "total_components": 0,
   "vulnerabilities": [],

data/release_v5.2-1a4fd9b80b.json

@@ -1,6 +1,6 @@
 {
   "release_version": "release/v5.2-1a4fd9b80b",
-  "scan_date": "2025-07-17T00:29:48.200845Z",
+  "scan_date": "2025-07-18T00:29:08.797068Z",
   "tool_version": "0.20.1",
   "total_components": 0,
   "vulnerabilities": [],

data/release_v5.3-bf79937908.json

@@ -1,15 +1,46 @@
 {
   "release_version": "release/v5.3-bf79937908",
-  "scan_date": "2025-07-17T00:29:38.741084Z",
+  "scan_date": "2025-07-18T00:28:27.675307Z",
   "tool_version": "0.20.1",
   "total_components": 0,
-  "vulnerabilities": [],
+  "vulnerabilities": [
+    {
+      "cve_id": "CVE-2025-49600",
+      "component": "mbed_tls",
+      "component_version": "3.6.3",
+      "severity": "MEDIUM",
+      "score": "4.9",
+      "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
+      "description": "In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of the internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value are not checked. These functions return an integer that indicates whether the call succeeded or not. If a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized, and the result of the signature verification is unpredictable. When the software implementation of SHA-256 is used, these functions will not fail. However, with hardware-accelerated hashing, an attacker could use fault injection against the accelerator to bypass verification.",
+      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-49600"
+    },
+    {
+      "cve_id": "CVE-2025-49601",
+      "component": "mbed_tls",
+      "component_version": "3.6.3",
+      "severity": "MEDIUM",
+      "score": "4.8",
+      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
+      "description": "In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtls_lms_import_public_key allows context-dependent attackers to trigger a crash or limited adjacent-memory disclosure by supplying a truncated LMS (Leighton-Micali Signature) public-key buffer under four bytes. An LMS public key starts with a 4-byte type indicator. The function mbedtls_lms_import_public_key reads this type indicator before validating the size of its input.",
+      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-49601"
+    },
+    {
+      "cve_id": "CVE-2025-52497",
+      "component": "mbed_tls",
+      "component_version": "3.6.3",
+      "severity": "MEDIUM",
+      "score": "4.8",
+      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
+      "description": "Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.",
+      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-52497"
+    }
+  ],
   "summary": {
-    "total_vulnerabilities": 0,
+    "total_vulnerabilities": 3,
     "by_severity": {
       "CRITICAL": 0,
       "HIGH": 0,
-      "MEDIUM": 0,
+      "MEDIUM": 3,
       "LOW": 0
     }
   },

data/release_v5.4-f10ac3eec2.json

@@ -1,15 +1,46 @@
 {
   "release_version": "release/v5.4-f10ac3eec2",
-  "scan_date": "2025-07-17T00:28:57.260804Z",
+  "scan_date": "2025-07-18T00:28:37.827074Z",
   "tool_version": "0.20.1",
   "total_components": 0,
-  "vulnerabilities": [],
+  "vulnerabilities": [
+    {
+      "cve_id": "CVE-2025-49600",
+      "component": "mbed_tls",
+      "component_version": "3.6.3",
+      "severity": "MEDIUM",
+      "score": "4.9",
+      "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
+      "description": "In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of the internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value are not checked. These functions return an integer that indicates whether the call succeeded or not. If a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized, and the result of the signature verification is unpredictable. When the software implementation of SHA-256 is used, these functions will not fail. However, with hardware-accelerated hashing, an attacker could use fault injection against the accelerator to bypass verification.",
+      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-49600"
+    },
+    {
+      "cve_id": "CVE-2025-49601",
+      "component": "mbed_tls",
+      "component_version": "3.6.3",
+      "severity": "MEDIUM",
+      "score": "4.8",
+      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
+      "description": "In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtls_lms_import_public_key allows context-dependent attackers to trigger a crash or limited adjacent-memory disclosure by supplying a truncated LMS (Leighton-Micali Signature) public-key buffer under four bytes. An LMS public key starts with a 4-byte type indicator. The function mbedtls_lms_import_public_key reads this type indicator before validating the size of its input.",
+      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-49601"
+    },
+    {
+      "cve_id": "CVE-2025-52497",
+      "component": "mbed_tls",
+      "component_version": "3.6.3",
+      "severity": "MEDIUM",
+      "score": "4.8",
+      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
+      "description": "Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.",
+      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-52497"
+    }
+  ],
   "summary": {
-    "total_vulnerabilities": 0,
+    "total_vulnerabilities": 3,
     "by_severity": {
       "CRITICAL": 0,
       "HIGH": 0,
-      "MEDIUM": 0,
+      "MEDIUM": 3,
       "LOW": 0
     }
   },

data/release_v5.5-cf8dad0746.json

@@ -1,15 +1,46 @@
 {
   "release_version": "release/v5.5-cf8dad0746",
-  "scan_date": "2025-07-17T00:29:28.718540Z",
+  "scan_date": "2025-07-18T00:28:58.785403Z",
   "tool_version": "0.20.1",
   "total_components": 0,
-  "vulnerabilities": [],
+  "vulnerabilities": [
+    {
+      "cve_id": "CVE-2025-49600",
+      "component": "mbed_tls",
+      "component_version": "3.6.3",
+      "severity": "MEDIUM",
+      "score": "4.9",
+      "vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
+      "description": "In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of the internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value are not checked. These functions return an integer that indicates whether the call succeeded or not. If a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized, and the result of the signature verification is unpredictable. When the software implementation of SHA-256 is used, these functions will not fail. However, with hardware-accelerated hashing, an attacker could use fault injection against the accelerator to bypass verification.",
+      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-49600"
+    },
+    {
+      "cve_id": "CVE-2025-49601",
+      "component": "mbed_tls",
+      "component_version": "3.6.3",
+      "severity": "MEDIUM",
+      "score": "4.8",
+      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
+      "description": "In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtls_lms_import_public_key allows context-dependent attackers to trigger a crash or limited adjacent-memory disclosure by supplying a truncated LMS (Leighton-Micali Signature) public-key buffer under four bytes. An LMS public key starts with a 4-byte type indicator. The function mbedtls_lms_import_public_key reads this type indicator before validating the size of its input.",
+      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-49601"
+    },
+    {
+      "cve_id": "CVE-2025-52497",
+      "component": "mbed_tls",
+      "component_version": "3.6.3",
+      "severity": "MEDIUM",
+      "score": "4.8",
+      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
+      "description": "Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.",
+      "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-52497"
+    }
+  ],
   "summary": {
-    "total_vulnerabilities": 0,
+    "total_vulnerabilities": 3,
     "by_severity": {
       "CRITICAL": 0,
       "HIGH": 0,
-      "MEDIUM": 0,
+      "MEDIUM": 3,
       "LOW": 0
     }
   },

data/scan_summary.json

@@ -1,54 +1,54 @@
 {
-  "last_updated": "2025-07-17T00:29:48.201261Z",
+  "last_updated": "2025-07-18T00:29:17.435362Z",
   "scanned_versions": [
+    "v5.4.2",
+    "v5.1.2",
+    "v5.4.1",
+    "v5.2.2",
+    "v5.0.8",
+    "v5.2",
+    "v5.2.3",
+    "v5.1.6",
+    "v5.0.3",
     "v5.2.4",
-    "v5.0.4",
+    "v5.0.1",
     "v5.1.1",
-    "v5.1",
+    "v5.1.4",
     "v5.2.1",
-    "v5.0.5",
     "v5.3",
-    "v5.2.3",
-    "v5.2",
-    "v5.1.3",
-    "v5.0.7",
-    "v5.3.2",
+    "v5.0.5",
     "v5.0.2",
-    "v5.4.1",
-    "v5.1.5",
-    "v5.1.6",
+    "v5.3.2",
+    "v5.1.3",
+    "v5.4",
     "v5.2.5",
     "v5.3.3",
-    "v5.0.6",
-    "v5.1.4",
-    "v5.1.2",
     "v5.3.1",
-    "v5.2.2",
-    "v5.4",
     "v5.0.9",
-    "v5.0.3",
-    "v5.0.8",
-    "v5.4.2",
-    "v5.0.1",
+    "v5.0.4",
+    "v5.1",
+    "v5.0.7",
+    "v5.0.6",
+    "v5.1.5",
     "v5.0",
+    "release/v5.3-bf79937908",
     "release/v5.4-f10ac3eec2",
     "release/v5.0-d9f9b7d8ed",
-    "release/v5.1-700330da07",
     "release/v5.5-cf8dad0746",
-    "release/v5.3-bf79937908",
-    "release/v5.2-1a4fd9b80b"
+    "release/v5.2-1a4fd9b80b",
+    "release/v5.1-700330da07"
   ],
   "failed_versions": [
+    "release/v5.3",
     "release/v5.4",
     "release/v5.0",
-    "release/v5.1",
     "release/v5.5",
-    "release/v5.3",
-    "release/v5.2"
+    "release/v5.2",
+    "release/v5.1"
   ],
   "total_scanned": 36,
   "scan_method": "git-batch",
-  "workflow_run": "6",
+  "workflow_run": "7",
   "scanner_info": {
     "tool": "esp-idf-security-dashboard",
     "esp_idf_sbom_version": "0.20.1",

data/v5.0.1.json

@@ -1,6 +1,6 @@
 {
   "release_version": "v5.0.1",
-  "scan_date": "2025-07-17T00:28:43.982600Z",
+  "scan_date": "2025-07-18T00:25:36.485902Z",
   "tool_version": "0.20.1",
   "total_components": 0,
   "vulnerabilities": [],

data/v5.0.2.json

@@ -1,6 +1,6 @@
 {
   "release_version": "v5.0.2",
-  "scan_date": "2025-07-17T00:26:18.832201Z",
+  "scan_date": "2025-07-18T00:26:24.441821Z",
   "tool_version": "0.20.1",
   "total_components": 0,
   "vulnerabilities": [],

data/v5.0.3.json

@@ -1,6 +1,6 @@
 {
   "release_version": "v5.0.3",
-  "scan_date": "2025-07-17T00:28:20.382414Z",
+  "scan_date": "2025-07-18T00:25:22.739583Z",
   "tool_version": "0.20.1",
   "total_components": 0,
   "vulnerabilities": [],