This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ===================================================================== | |
| (1) | |
| Note that the debug stuff at the end of the sync script talks about | |
| the two versions fields. You might want to review that too. | |
| # The unaffected_versions field is similarly not directly available | |
| # This optional field must be inferred from the vulnerableVersionRange | |
| ====================================================================== | |
| (2) |
jasnow
/ gist:375db909079e0938d8af7d14cc121044
Last active
July 6, 2023 15:06
vulnerableVersionRange for "gems" directory after running sync script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| vulnerableVersionRange ("%" is a digit [0-9]) | |
| ====================================================================== | |
| LESS | |
| 90 "< %.%.%" | |
| 15 "< %.%.%.%" | |
| 2 "< %.%.%.rc%" | |
| 3 "<= %.%" | |
| 17 "<= %.%.%" | |
| 1 "<= %.%.%.%" |
jasnow
/ gist:58b566c37d157fdd9d682947039ca469
Created
July 3, 2023 00:43
unaffected_versions automation results for 11 "dups" advisories
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ========== gems/arabic-prawn/CVE-2014-2322.yml ============================ | |
| unaffected_versions: | |
| - "[<=]: [> 0.0.1, < EMPTY ]" | |
| notes: Never patched | |
| related: | |
| url: | |
| # vulnerabilities: | |
| # - package: | |
| # vulnerableVersionRange: "<= 0.0.1" | |
| # firstPatchedVersion: |
jasnow
/ gist:5a57099ee6c80f168dae89319fed2c01
Last active
July 1, 2023 15:59
Mocking up Postmodern's better example messages with my-585-06-30 branch data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ====================================================================== | |
| MULTIPLE DOUBLE REPORTED EXAMPLE | |
| 4) gems /home/t530-dev/Projects/585-652-ruby-advisory-db/spec/../gems/nokogiri | |
| must not contain duplicate GHSA IDs | |
| Failure/Error: expect(ghsa_ids).to match_array(ghsa_ids.uniq) | |
| expected collection contained: ["2qc6-mcvw-92cw", "2rr5-8q37-2w7h", | |
| "4hm9-844j-jmxp", "62qp-3fxm-9wxf", "6qvp-r6r3-9p7h", "6wj9-77wq...5c7-m54m", | |
| "x2fm-93ww-ggvx", "x7rv-cr6v-4vm4", "xh29-r2w5-wx8m", "xjqg-9jvg-fgx2", "xxx9-3xcr-gjj3"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Some questions about PR#585 and issue#580,: | |
| 1. Does it include "rubies" too? | |
| 2. Does it include "related:/cve:" and "related:/ghsa:" too? | |
| OUPTUT OF dups-in-dir.sh script: | |
| Check for duplicate cve values in same dir | |
| ---------------------------------------- | |
| gems/json/CVE-2013-0269.yml:cve: 2013-0269 | |
| gems/json/CVE-2020-10663.yml: - 2013-0269 |
jasnow
/ gist:c075a3ecbabed38640b93a171b5700bf
Created
June 27, 2023 13:58
Automate unaffected_versions field using github_advisory_sync.rb script/task
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| UNAFFECTED_VERSIONS (3 "single range" use cases + 2 others) | |
| -A- (vulnerableVersionRange number == identifier and is: "< number") | |
| -- gems/nokogiri/GHSA-fq42-c5rg-92c2.yml: vulnerableVersionRange: "< 1.13.2" | |
| -- gems/nokogiri/GHSA-fq42-c5rg-92c2.yml: identifier: 1.13.2 | |
| RAW: | |
| vulnerabilities: | |
| - package: | |
| name: nokogiri | |
| ecosystem: RUBYGEMS |
jasnow
/ gist:c05238fab1b2dcb34535e85c6c77de2e
Last active
July 10, 2023 16:46
Summary of additional Pre-537 work needed after running github_advisory_sync.rb script (related to GitHub Action; issue #537)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Here are the additional Pre-537 work needed after running | |
| github_advisory_sync.rb script (related to GitHub Action; issue #537): | |
| I. ISS#647: "Add an explicit ignore list to the github_advisory_sync.rb script" | |
| * OR: "Summary the categories of advisories that must | |
| be deleted after a sync script run (script). | |
| * Will cover: | |
| * (GHSA/BUG/#52) D1. (A) Delete duplicated advisories based | |
| on filename/"gems:" character case: | |
| * GHSA: arabic-prawn and redcloth |
jasnow
/ gist:78c6518ed8862b4ff3c7f6c2e467df83
Last active
June 23, 2023 14:12
Different _versions fields patterns (pareto analysis: frequency is column 1)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1 - - "= ~" | |
| 1 - - ">= ~, <= ~" | |
| 1 - - "< ~beta" | |
| 1 - - ">= ~-beta~" | |
| 1 - - "~> ~beta~" | |
| 1 - - ">= ~p~" | |
| 1 - - "> ~preview~" | |
| 1 - - "~> ~-preview" | |
| 1 - - "< ~rc~" | |
| 1 - - ">= ~rc" |
jasnow
/ gist:77ae70f7f1f2c577a5dfd8fb4186d332
Created
June 21, 2023 13:50
(pre-post-processed) diff --git a/gems/actionpack/CVE-2014-7818.yml b/gems/actionpack/CVE-2014-7818.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/gems/actionpack/CVE-2014-7818.yml b/gems/actionpack/CVE-2014-7818.yml | |
| index 7b801ab..42df6ed 100644 | |
| --- a/gems/actionpack/CVE-2014-7818.yml | |
| +++ b/gems/actionpack/CVE-2014-7818.yml | |
| @@ -1,21 +1,73 @@ | |
| --- | |
| gem: actionpack | |
| -framework: rails | |
| cve: 2014-7818 | |
| ghsa: 29gr-w57f-rpfw |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ====================================================================== | |
| ====================================================================== | |
| ONLY PATCHED_VERSIONS | |
| ====================================================================== | |
| FOUR | |
| gems/actionpack/CVE-2014-7818.yml:patched_versions: | |
| gems/actionpack/CVE-2014-7818.yml- - "~> 3.2.20" | |
| gems/actionpack/CVE-2014-7818.yml- - "~> 4.0.11" | |
| gems/actionpack/CVE-2014-7818.yml- - "~> 4.1.7" | |
| gems/actionpack/CVE-2014-7818.yml- - ">= 4.2.0.beta3" |
NewerOlder