ruby-advisory-db
Merge the two sup vulnerabilities
While https://github.com/rubysec/ruby-advisory-db/tree/master/gems/sup have different CVEs, it's the same vuln with the same fixed versions
Maybe we should merge them?
If you check the CVE descriptions - one is for RCE via the filename, the second is for RCE via the content_type, so they are slightly different
Yeah, rather keep CVEs separate. Just ran into this with #168. Saves a lot of historical work later by tracking them separately.
Thinking about this more, I disagree.
We should have a schema to track other CVEs that a vulnerability refers to, but no reason to have 2 separate rubysec vulns for this. It only leads to confusion, since in our database they look like duplicates, and no one gains any new information by seeing the two entries.
The schema should look like:
other_cves:
- 2013-4478
other_cves seems weird (which is the primary and which goes in other?)... any reason why not to permit cve to have multiple ones? In that case, what do you name the file?
Agreed, it should be cve.
For now, for this particular file we can stick with the osvdb number.
It is high time we pick something else for file naming.
@jasnow has added the related: CVE and GHSA IDs to the two vulnerabilities (PR #646). We should avoid merging CVEs as they are supposed to be individually enumerated vulnerabilities.
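The cross-referencing approach settled on above can be checked mechanically. The following is an added example, not code from ruby-advisory-db or any of the commenters: it loads advisory documents, flags pairs for the same gem with identical fixed-version ranges as suspected duplicates, and treats a pair as legitimate once each entry lists the other under related: cve:. The YAML is constructed for this example (the second CVE id is a placeholder), and the field names gem, cve, patched_versions and related are assumed.

```ruby
require 'yaml'

# Constructed sample: two advisories for the same gem and the same fixed
# version, as in the sup case. The second CVE id is a placeholder.
SAMPLE_ADVISORIES = YAML.load_stream(<<~YAML)
  ---
  gem: sup
  cve: "2013-4478"
  title: sup remote code execution via attachment filename
  patched_versions:
    - ">= 0.13.2.1"
  ---
  gem: sup
  cve: "0000-0002"   # placeholder id for the second advisory
  title: sup remote code execution via attachment content_type
  patched_versions:
    - ">= 0.13.2.1"
YAML

# Two advisories "look like duplicates" when the gem and the version ranges
# that fix or exempt it are identical.
def fingerprint(adv)
  [adv['gem'],
   Array(adv['patched_versions']).sort,
   Array(adv['unaffected_versions']).sort]
end

# A pair is acceptable if either entry points at the other via related: cve:
# (assumed key layout: related: { cve: [...], ghsa: [...] }).
def cross_referenced?(a, b)
  Array(a.dig('related', 'cve')).include?(b['cve']) ||
    Array(b.dig('related', 'cve')).include?(a['cve'])
end

# Returns sorted CVE-id pairs that share a fingerprint but are not linked.
def suspected_duplicates(advisories)
  advisories.group_by { |adv| fingerprint(adv) }.values.flat_map do |group|
    group.combination(2)
         .reject { |a, b| cross_referenced?(a, b) }
         .map { |a, b| [a['cve'], b['cve']].sort }
  end
end

# The remedy discussed in the thread: keep separate entries, add the sibling
# CVE ids under related: cve: instead of merging the advisories.
def link_related(advisories)
  ids = advisories.map { |adv| adv['cve'] }
  advisories.map do |adv|
    adv.merge('related' => { 'cve' => ids - [adv['cve']] })
  end
end
```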