
A database of vulnerable Ruby Gems

Results 42 ruby-advisory-db issues

I want to add gems/*.yml more easily. As a trial, I added rake tasks to fetch information from RSS and create a YAML file in ruby/rails. `$ rake db:update #...`

I was looking at ruby-advisory-db/gems/actionview/CVE-2016-2097.yml. The unaffected_versions and patched_versions ranges are as follows:

```
unaffected_versions:
  - ">= 4.2.0" # "~> 3.2.22.2" is found in gems/actionpack/CVE-2016-2097.yml
patched_versions:
  - "~> 4.1.14, >=...
```

End-of-life Ruby versions and gems could be something `ruby-advisory-db` tracks. Tools like `bundler-audit` could then use this information to alert users or fail builds. Any thoughts?

Aside from the primary reference URL, should add any additional references under the `related` section.

Sometimes we have multiple IDs combined together into one advisory. One example of this is `gems/bootstrap/CVE-2018-14040.yml`. The GHSA sync script doesn't understand that CVE-2018-14042 is part of this same advisory.

enhancement

Re: https://github.com/rubysec/ruby-advisory-db/pull/266

As per Openwall's [tweet](https://twitter.com/Openwall/status/706162681045262336): > CVE IDs difficult and slow to obtain? Enter OVE: http://www.openwall.com/ove Problem solved? Perhaps we should consider supporting the OVE because whatever, who knows, maybe it'll...

Apparently there was a security issue fixed here: https://github.com/mislav/will_paginate/commit/ec9b9851901f8b74adc945302c0520320aaa7ead and here: https://github.com/mislav/will_paginate/commit/ab55687acae11af4274bdf1664481314524d91f6 It looks like versions before 3.1.2, 3.0.9, and are vulnerable, but this has no CVE and I'm not...

need CVE
need clarification

Just a todo list I figured I should put somewhere more public... Need to add advisories for all these:

- ruby_rncryptor / ruby_rncryptor_secured -- https://srcclr.com/security/timing-attacks/ruby/s-1938
- spina -- https://srcclr.com/security/cross-site-request-forgery-csrf/ruby/s-1686
- logstash-core -- https://srcclr.com/security/factoring-attack-rsa-export-keys-freak/ruby/s-1745
- ...

need CVE

Should we add advisory templates in the Wiki, in another repository, or in this repository? That way we'll have the same advisory format, and other people can help add advisories.