ruby-advisory-db
A database of vulnerable Ruby Gems
Hi! I work on the Google [Open Source Vulnerabilities](https://github.com/google/osv) project, and we've been working with the Go security team and other vulnerability database maintainers to try to arrive at a...
Would it be possible to enforce a yaml field for the methods affected by each vulnerability? Almost all CVEs appear to only affect a very small subset of methods, and...
In the license the usage of OSVDB is mentioned and references their license. OSVDB and OSF both shut down years ago. Is it still relevant to keep them in the...
Can we pull the CVSS score(s) from NVD via https://github.com/olbat/nvdcve when writing advisories?
guard/guard-livereload#159 CVE seems to be invalid: https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/158c10cf11bc7d6ad728c1a8dd213f523ecfca52/DWF/2016/1000305/CVE-2016-1000305.json
> fix potential xss vulnerability if a user has dangerous values in their data https://github.com/intercom/intercom-rails/commit/83baa40d21b217caf52db57a2a0616a030ec8f38
I'm not sure this vulnerability ever received a CVE. It's described in the project's README: https://github.com/attr-encrypted/encryptor#upgrading-from-v200-to-v300 This gem was encrypting all messages using the same key/nonce. This not only exposes...
As suggested by @postmodern in comment https://github.com/rubysec/ruby-advisory-db/issues/251#issuecomment-606172546 it would be nice to update the titles/descriptions for each advisory on using NVD as a url. However, one thing I noticed is...
#416 I have included only 2 examples of how it can be implemented. `gems/eol.yml` file format: ```yaml : url: date: description: ``` I see `title` attribute here as always useless,...