Created July 7, 2023 15:58
Seven Feedback items
=====================================================================
(1)
Note that the debug stuff at the end of the sync script talks about
the two versions fields. You might want to review that too.
# The unaffected_versions field is similarly not directly available
# This optional field must be inferred from the vulnerableVersionRange
======================================================================
(2)
FYI: Saved for later: "beta/rc/pre" examples.
======================================================================
(3) Check out:
gems/webrick/CVE-2009-4492.yml (ONE LINE, ONE VALUE)
INPUT
# vulnerableVersionRange: "<= 1.3.1"
# firstPatchedVersion:
#   identifier: 1.4.0
......................................................................
7/7 EXPECTED:
unaffected_versions:
- "> 1.3.1, < 1.4.0" # Is this right?
patched_versions:
- ">= 1.4.0"
......................................................................
7/7 ACTUAL:
unaffected_versions:
(no field or value) # Is this right?
patched_versions:
- ">= 1.4.0"
======================================================================
(4) Check out:
CVE-2019-1335
INPUT
# vulnerableVersionRange: "= 0.0.7"
# firstPatchedVersion:
#   identifier: 0.0.8
......................................................................
7/7 EXPECTED:
unaffected_versions:
- "!= 0.0.7"
patched_versions:
- ">= 0.0.8"
......................................................................
7/7 ACTUAL:
unaffected_versions:
- " < 0.0.7" # Is this right?
patched_versions:
- ">= 0.0.8"
======================================================================
(5) Check out:
ghsa: 333g-rpr4-7hxq (MULTI LINES but ONE LINE OF INTEREST, TWO VALUES)
INPUT
# vulnerableVersionRange: ">= 1.6.10, <= 1.6.13"
# firstPatchedVersion:
#   identifier: 1.7.0
......................................................................
7/7 EXPECTED
unaffected_versions:
- "< 1.6.10, > 1.6.13" # Is this right?
patched_versions:
- ">= 1.7.0"
......................................................................
7/7 ACTUAL
unaffected_versions:
- "< 1.6.10"
patched_versions:
- ">= 1.7.0"
======================================================================
(6) Check out:
GHSA-7627-mp87-jf6q (MULTI-LINE, MULTI-RANGE on a line)
- gems/cocoapods-downloader/CVE-2022-24440.yml
INPUT:
vulnerabilities:
  - package:
      name: cocoapods-downloader
      ecosystem: RUBYGEMS
    vulnerableVersionRange: ">= 1.6.2, < 1.6.3"
    firstPatchedVersion:
      identifier: 1.6.3
  - package:
      name: cocoapods-downloader
      ecosystem: RUBYGEMS
    vulnerableVersionRange: "< 1.6.0"
    firstPatchedVersion:
      identifier: 1.6.0
......................................................................
7/7 EXPECTED
unaffected_versions:
- "> 1.6.0, < 1.6.2"
patched_versions:
- "~> 1.6.0"
- ">= 1.6.3"
......................................................................
7/7 ACTUAL
unaffected_versions:
- "< 1.6.2" (ASSUME OK)
patched_versions:
- "~> 1.6.0"
- ">= 1.6.3"
======================================================================
(7) Check out:
gems/activerecord/CVE-2015-7577.yml
INPUT
vulnerabilities:
  - package:
      name: activerecord
      ecosystem: RUBYGEMS
    vulnerableVersionRange: ">= 4.0.0, <= 4.1.14.0"
    firstPatchedVersion:
      identifier: 4.1.14.1
  - package:
      name: activerecord
      ecosystem: RUBYGEMS
    vulnerableVersionRange: ">= 3.1.0, <= 3.2.22.0"
    firstPatchedVersion:
      identifier: 3.2.22.1
......................................................................
7/7 EXPECTED
unaffected_versions:
- "< 3.1.0"
patched_versions:
- "~> 3.2.22.1"
- ">= 4.1.14.1"
......................................................................
7/7 ACTUAL
unaffected_versions:
- "< 4.0.0" # Is this right?
patched_versions:
- "~> 3.2.22.1"
- ">= 4.1.14.1"
======================================================================
EOF
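A consistency check for the candidate strings in items (4) and (5), added here; it is not part of the gist or of the sync script. It loads each entry with Gem::Requirement the way bundler-audit evaluates ruby-advisory-db entries (constraints within one entry are ANDed, so they must be split on the comma), then reports which constructed sample versions are claimed by no bucket or by more than one.

```ruby
require "rubygems" # Gem::Requirement and Gem::Version

# One ruby-advisory-db list entry, or one GHSA vulnerableVersionRange.
# Comma-separated constraints are ANDed; Gem::Requirement.new does not
# parse the comma itself, so split first (bundler-audit does likewise).
def requirement(entry)
  Gem::Requirement.new(*entry.split(/,\s*/))
end

# A list (unaffected_versions, patched_versions, or several GHSA ranges)
# claims a version if ANY of its entries is satisfied.
def matches_any?(entries, version)
  entries.any? { |e| requirement(e).satisfied_by?(version) }
end

# For each sample version, list which buckets claim it. A consistent
# advisory puts every released version in exactly one bucket.
def buckets(vulnerable:, unaffected:, patched:, versions:)
  versions.each_with_object({}) do |v, out|
    gv = Gem::Version.new(v)
    tags = []
    tags << :vulnerable if matches_any?(vulnerable, gv)
    tags << :unaffected if matches_any?(unaffected, gv)
    tags << :patched    if matches_any?(patched, gv)
    out[v] = tags
  end
end

# Versions claimed by no bucket (a gap) or by more than one (an overlap).
def inconsistencies(report)
  report.reject { |_, tags| tags.size == 1 }
end

# Item (4), EXPECTED column, with constructed sample versions around the range.
ITEM4_EXPECTED = buckets(
  vulnerable: ["= 0.0.7"], unaffected: ["!= 0.0.7"], patched: [">= 0.0.8"],
  versions: %w[0.0.6 0.0.7 0.0.8]
)
# Item (5), EXPECTED column: both bounds written into one entry.
ITEM5_EXPECTED = buckets(
  vulnerable: [">= 1.6.10, <= 1.6.13"], unaffected: ["< 1.6.10, > 1.6.13"],
  patched: [">= 1.7.0"], versions: %w[1.6.9 1.6.10 1.6.13 1.7.0]
)
# Item (5), ACTUAL column: only the lower bound.
ITEM5_ACTUAL = buckets(
  vulnerable: [">= 1.6.10, <= 1.6.13"], unaffected: ["< 1.6.10"],
  patched: [">= 1.7.0"], versions: %w[1.6.9 1.6.10 1.6.13 1.7.0]
)
puts inconsistencies(ITEM4_EXPECTED) # 0.0.8 is both unaffected and patched
puts inconsistencies(ITEM5_EXPECTED) # 1.6.9 lands in no bucket
```

Because the two constraints in "< 1.6.10, > 1.6.13" are ANDed, no version can satisfy that entry; the two sides of the range need to be separate list items if both are wanted.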