ruby-advisory-db
A database of vulnerable Ruby Gems
Add an API for interacting with the database.
- Searching for advisories by CVE or gem.
- Testing if a `Gem::Version` is vulnerable.
- Downloading and updating a copy of...
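An added example of the first two items (search by gem or CVE, and deciding whether a `Gem::Version` is vulnerable), written for this page and not code from ruby-advisory-db or bundler-audit. It assumes advisories shaped like the README schema (`gem:`, `cve:`, `ghsa:`, `unaffected_versions:`, `patched_versions:`, with `cve:` carrying the number without the `CVE-` prefix); the gem names, IDs and version ranges are constructed.

```ruby
# Added example (not ruby-advisory-db's own code): a minimal in-memory API over
# advisories shaped like the README schema. Names, IDs and ranges are constructed.
require 'rubygems'
require 'yaml'

# Constructed advisory documents in the database's YAML layout.
SAMPLE_ADVISORIES = YAML.safe_load(<<~YAML)
  - gem: example-gem
    cve: "2024-12345"
    ghsa: "aaaa-bbbb-cccc"
    unaffected_versions:
      - "< 1.0.0"
    patched_versions:
      - "~> 1.3.2"
      - ">= 2.0.0.rc1"
  - gem: other-gem
    cve: "2023-00042"
    patched_versions:
      - ">= 3.1.0"
YAML

# Find advisories by gem name and/or CVE (accepts "CVE-2024-12345" or "2024-12345").
def search_advisories(db, gem: nil, cve: nil)
  cve = cve.sub(/\ACVE-/i, '') if cve
  db.select do |adv|
    (gem.nil? || adv['gem'] == gem) && (cve.nil? || adv['cve'] == cve)
  end
end

# true if +version+ satisfies any requirement in +reqs+. Each entry may hold
# one or several comma-separated comparators, e.g. ">= 1.2, < 2.0".
def matches_any?(version, reqs)
  Array(reqs).any? do |r|
    Gem::Requirement.new(r.split(/,\s*/)).satisfied_by?(version)
  end
end

# A version is vulnerable unless it is listed as unaffected or as patched.
# Prerelease versions such as 2.0.0.rc1 are compared like any other Gem::Version.
def vulnerable?(advisory, version)
  version = Gem::Version.new(version) unless version.is_a?(Gem::Version)
  return false if matches_any?(version, advisory['unaffected_versions'])
  !matches_any?(version, advisory['patched_versions'])
end

# Every advisory that applies to the given gem at the given version.
def advisories_for(db, name, version)
  search_advisories(db, gem: name).select { |adv| vulnerable?(adv, version) }
end

if __FILE__ == $PROGRAM_NAME
  %w[0.9.5 1.2.0 1.3.4 1.5.0 2.0.0.rc1 2.1.0].each do |v|
    ids = advisories_for(SAMPLE_ADVISORIES, 'example-gem', v).map { |a| "CVE-#{a['cve']}" }
    puts "example-gem #{v}: #{ids.empty? ? 'ok' : ids.join(', ')}"
  end
end
```

Note that `1.5.0` comes out vulnerable: it is above the `~> 1.3.2` patched series but below `2.0.0.rc1`, which is exactly the gap between two patched lines that a naive `>= first_patched` comparison would miss.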
Hi, it looks like [CVE-2022-25765](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25765) was fixed in [0.8.7v](https://github.com/pdfkit/pdfkit/releases). Can I create a PR with a patched [CVE-2022-25765.yml](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pdfkit/CVE-2022-25765.yml)?
Based on the following [commit](https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7), which was found [here](http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed), the patched version is `2.0.0.rc1`. Also, versions after `1.3.2` and before `2.0.0.rc1` (aka `1.3.3`, `1.3.4` and `1.3.5`) do not contain updates...
Looking at the [Schema](https://github.com/rubysec/ruby-advisory-db#schema) section of the README, we can see that both gems and rubies have an associated `description` attribute that says > [String] (required): One or more paragraphs...
Write a lint check for: multiple-cve-1-ghsa-in-1-dir in support of issue #580.

```sh
git grep "^ghsa:" | sed -e "s,CVE-.*ghsa:,," | sort | uniq -d
```

This script found the advisories fixed in #660.
Write a Lint rule check for "2 different files: same ghsa: value, only 1 cve: value; Same advisory"
Write a Lint rule check for "2 different files: same ghsa: value, only 1 cve: value" (currently not flagged) 1 file is named "CVE-*" (has cve: and ghsa: values) and...
Change github_advisory_sync.rb script to conform to project style guidelines. Such as: a. Fix indentation for related:/url:, patched_versions: and unaffected_versions fields. * "patched_version:" field needs to be moved over 4 spaces...
[Pre537] Add success status response code check to lib/github_advisory_sync.rb for all URLs. Currently the best mitigation idea is to flag non-successful status response codes and manually replace them with data from https://archive.org/web...
All advisory files must contain a unique CVE ID and GHSA ID *per* directory. This addresses issue #580.
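An added example of the per-directory uniqueness lint that the issues above ask for (the `git grep | sort | uniq -d` one-liner, the "same ghsa: value in two files" rules, and the rule stated here). It is written for this page, not the project's own Rakefile lint, and assumes the README layout of `gems/<name>/<ID>.yml` files with `cve:` and `ghsa:` keys; the advisories it writes into a temporary tree are constructed. Unlike the one-liner it also catches a duplicated `cve:` value and a GHSA-named file paired with a CVE-named file, while still allowing the same GHSA to appear under two different gem directories.

```ruby
# Added example (not the project's own lint): flag advisory files that share a
# cve: or ghsa: value within one gem directory. Layout and field names follow
# the README schema; the files written below are constructed sample data.
require 'yaml'
require 'tmpdir'
require 'fileutils'

# Returns [[gem_dir, field, value, [file, ...]], ...] for every cve:/ghsa:
# value that appears in more than one file of the same directory.
def find_duplicate_ids(root)
  seen = Hash.new { |h, k| h[k] = [] }   # [dir, field, value] => file names
  Dir.glob(File.join(root, '**', '*.yml')).sort.each do |path|
    advisory = YAML.safe_load(File.read(path)) || {}
    %w[cve ghsa].each do |field|
      value = advisory[field].to_s.strip
      next if value.empty?
      seen[[File.dirname(path), field, value]] << File.basename(path)
    end
  end
  seen.select { |_, files| files.size > 1 }
      .map { |(dir, field, value), files| [File.basename(dir), field, value, files] }
      .sort
end

# Constructed tree: gems/foo records one GHSA twice (once in a CVE-named file,
# once in a GHSA-named file); gems/bar and gems/baz are clean.
SAMPLE_TREE = {
  'gems/foo/CVE-2020-0001.yml'       => { 'gem' => 'foo', 'cve' => '2020-0001', 'ghsa' => 'aaaa-bbbb-cccc' },
  'gems/foo/GHSA-aaaa-bbbb-cccc.yml' => { 'gem' => 'foo', 'ghsa' => 'aaaa-bbbb-cccc' },
  'gems/bar/CVE-2021-0002.yml'       => { 'gem' => 'bar', 'cve' => '2021-0002', 'ghsa' => 'dddd-eeee-ffff' },
  'gems/bar/CVE-2021-0003.yml'       => { 'gem' => 'bar', 'cve' => '2021-0003', 'ghsa' => 'gggg-hhhh-iiii' },
  # same GHSA as foo, but in another gem's directory: allowed by the rule
  'gems/baz/GHSA-aaaa-bbbb-cccc.yml' => { 'gem' => 'baz', 'ghsa' => 'aaaa-bbbb-cccc' },
}.freeze

def write_sample_tree(root)
  SAMPLE_TREE.each do |rel, doc|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, doc.to_yaml)
  end
end

# Builds the constructed tree in a temp dir and lints it.
def lint_sample_tree
  Dir.mktmpdir do |root|
    write_sample_tree(root)
    find_duplicate_ids(File.join(root, 'gems'))
  end
end

if __FILE__ == $PROGRAM_NAME
  lint_sample_tree.each do |gem_dir, field, value, files|
    puts "#{gem_dir}: #{field}: #{value} appears in #{files.join(' and ')}"
  end
end
```

Run against a real checkout with `find_duplicate_ids('gems')` (and again with `'rubies'`); a non-empty result is the lint failure.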
Add cvss (cvss_v2, cvss_v3, cvss_v4) values back in as needed using external data in github_advisory_sync.rb. * ~Rest API Example: https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2019-1010218~
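An added example of the extraction step described in this issue: reading `cvss_v2` / `cvss_v3` / `cvss_v4` base scores for one CVE out of an NVD CVE API 2.0 response and filling them into an advisory only where it has none. This is written for this page and is not the project's `github_advisory_sync.rb`. The response body is constructed (fake CVE ID and scores); the key layout (`vulnerabilities[].cve.metrics.cvssMetricV2 / cvssMetricV31 / cvssMetricV40[].cvssData.baseScore`) follows the API 2.0 JSON as this example's author knows it, and the preference for the `Primary` (NVD) entry over vendor `Secondary` entries is a design choice of the example.

```ruby
# Added example (not the project's github_advisory_sync.rb): map an NVD CVE API
# 2.0 response to the advisory's cvss_v2/cvss_v3/cvss_v4 fields.
# SAMPLE_NVD_RESPONSE is constructed data, not a real NVD record.
require 'json'

SAMPLE_NVD_RESPONSE = <<~JSON
  {
    "resultsPerPage": 1, "startIndex": 0, "totalResults": 1,
    "format": "NVD_CVE", "version": "2.0",
    "vulnerabilities": [
      { "cve": {
          "id": "CVE-2024-12345",
          "metrics": {
            "cvssMetricV31": [
              { "source": "example@vendor.test", "type": "Secondary",
                "cvssData": { "version": "3.1", "baseScore": 8.8 } },
              { "source": "nvd@nist.gov", "type": "Primary",
                "cvssData": { "version": "3.1", "baseScore": 7.5 } }
            ],
            "cvssMetricV2": [
              { "source": "nvd@nist.gov", "type": "Primary",
                "cvssData": { "version": "2.0", "baseScore": 5.0 } }
            ]
          }
      } }
    ]
  }
JSON

# Advisory field => NVD metric arrays to consult, in order of preference.
NVD_METRIC_KEYS = {
  'cvss_v2' => %w[cvssMetricV2],
  'cvss_v3' => %w[cvssMetricV31 cvssMetricV30],
  'cvss_v4' => %w[cvssMetricV40],
}.freeze

# Base score of the "Primary" entry (falling back to the first one), or nil.
def primary_base_score(entries)
  return nil if entries.nil? || entries.empty?
  entry = entries.find { |e| e['type'] == 'Primary' } || entries.first
  entry.dig('cvssData', 'baseScore')
end

# { 'cvss_v2' => 5.0, ... } for +cve_id+; a key is omitted when NVD has no score.
def cvss_from_nvd(response_json, cve_id)
  doc = JSON.parse(response_json)
  vuln = (doc['vulnerabilities'] || []).find { |v| v.dig('cve', 'id') == cve_id }
  return {} unless vuln
  metrics = vuln.dig('cve', 'metrics') || {}
  NVD_METRIC_KEYS.each_with_object({}) do |(field, keys), out|
    score = nil
    keys.each do |k|
      score = primary_base_score(metrics[k])
      break if score
    end
    out[field] = score.to_f if score
  end
end

# Add scores the advisory is missing; never overwrite a value already present.
def fill_missing_cvss(advisory, nvd_scores)
  merged = advisory.dup
  nvd_scores.each { |field, score| merged[field] = score unless merged.key?(field) }
  merged
end

# Constructed advisory that already carries a cvss_v3 value (kept as-is).
SAMPLE_ADVISORY = { 'gem' => 'example-gem', 'cve' => '2024-12345', 'cvss_v3' => 9.8 }.freeze

if __FILE__ == $PROGRAM_NAME
  scores = cvss_from_nvd(SAMPLE_NVD_RESPONSE, "CVE-#{SAMPLE_ADVISORY['cve']}")
  puts fill_missing_cvss(SAMPLE_ADVISORY, scores).inspect
end
```

Fetching the JSON is left out on purpose: the live endpoint needs an HTTP client, rate-limit handling and the status-code check the neighbouring issue asks for, and the parsing above is the part worth testing offline.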