@jasnow
Created July 7, 2023 15:58
Seven Feedback items
=====================================================================
(1)
Note that the debug stuff at the end of the sync script talks about
the two versions fields. You might want to review that too.
# The unaffected_versions field is similarly not directly available
# This optional field must be inferred from the vulnerableVersionRange
======================================================================
(2)
FYI: Saved for later: "beta/rc/pre" examples.
======================================================================
(3) Check out:
gems/webrick/CVE-2009-4492.yml (ONE LINE, ONE VALUE)
INPUT
# vulnerableVersionRange: "<= 1.3.1"
# firstPatchedVersion:
#   identifier: 1.4.0
......................................................................
7/7 EXPECTED:
unaffected_versions:
- "> 1.3.1, < 1.4.0" # Is this right?
patched_versions:
- ">= 1.4.0"
......................................................................
7/7 ACTUAL:
unaffected_versions:
(no field or value) # Is this right?
patched_versions:
- ">= 1.4.0"
======================================================================
(4) Check out:
CVE-2019-1335
INPUT
# vulnerableVersionRange: "= 0.0.7"
# firstPatchedVersion:
#   identifier: 0.0.8
......................................................................
7/7 EXPECTED:
unaffected_versions:
- "!= 0.0.7"
patched_versions:
- ">= 0.0.8"
......................................................................
7/7 ACTUAL:
unaffected_versions:
- " < 0.0.7" # Is this right?
patched_versions:
- ">= 0.0.8"
======================================================================
(5) Check out:
ghsa: 333g-rpr4-7hxq (MULTI LINES but ONE LINE OF INTEREST, TWO VALUES)
INPUT
# vulnerableVersionRange: ">= 1.6.10, <= 1.6.13"
# firstPatchedVersion:
#   identifier: 1.7.0
......................................................................
7/7 EXPECTED
unaffected_versions:
- "< 1.6.10, > 1.6.13" # Is this right?
patched_versions:
- ">= 1.7.0"
......................................................................
7/7 ACTUAL
unaffected_versions:
- "< 1.6.10"
patched_versions:
- ">= 1.7.0"
======================================================================
(6) Check out:
GHSA-7627-mp87-jf6q (MULTI-LINE, MULTI-RANGE on a line)
- gems/cocoapods-downloader/CVE-2022-24440.yml
INPUT:
vulnerabilities:
  - package:
      name: cocoapods-downloader
      ecosystem: RUBYGEMS
    vulnerableVersionRange: ">= 1.6.2, < 1.6.3"
    firstPatchedVersion:
      identifier: 1.6.3
  - package:
      name: cocoapods-downloader
      ecosystem: RUBYGEMS
    vulnerableVersionRange: "< 1.6.0"
    firstPatchedVersion:
      identifier: 1.6.0
......................................................................
7/7 EXPECTED
unaffected_versions:
- "> 1.6.0, < 1.6.2"
patched_versions:
- "~> 1.6.0"
- ">= 1.6.3"
......................................................................
7/7 ACTUAL
unaffected_versions:
- "< 1.6.2" (ASSUME OK)
patched_versions:
- "~> 1.6.0"
- ">= 1.6.3"
======================================================================
(7) Check out:
gems/activerecord/CVE-2015-7577.yml
INPUT
vulnerabilities:
  - package:
      name: activerecord
      ecosystem: RUBYGEMS
    vulnerableVersionRange: ">= 4.0.0, <= 4.1.14.0"
    firstPatchedVersion:
      identifier: 4.1.14.1
  - package:
      name: activerecord
      ecosystem: RUBYGEMS
    vulnerableVersionRange: ">= 3.1.0, <= 3.2.22.0"
    firstPatchedVersion:
      identifier: 3.2.22.1
......................................................................
7/7 EXPECTED
unaffected_versions:
- "< 3.1.0"
patched_versions:
- "~> 3.2.22.1"
- ">= 4.1.14.1"
......................................................................
7/7 ACTUAL
unaffected_versions:
- "< 4.0.0" # Is this right?
patched_versions:
- "~> 3.2.22.1"
- ">= 4.1.14.1"
======================================================================
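Several of the "Is this right?" questions above can be settled mechanically. The checker below is an added example, not part of this gist or of the sync script it reviews: it classifies a handful of candidate versions by the GHSA vulnerableVersionRange input and checks that each one is either vulnerable or covered by the proposed unaffected_versions/patched_versions, never both and never neither. Because Gem::Requirement ANDs the comma-separated clauses of one string, it also flags an entry like "< 1.6.10, > 1.6.13" from item (5) as unsatisfiable. The candidate lists are constructed from the boundary versions in the items above.

```ruby
# Added example (not from the gist or the sync script): cross-check a proposed
# ruby-advisory-db unaffected_versions/patched_versions answer against the
# GHSA vulnerableVersionRange/firstPatchedVersion input it was derived from.
require "rubygems"

# One ruby-advisory-db string, e.g. "> 1.6.13, < 1.7.0"; clauses are ANDed.
def req(str)
  Gem::Requirement.new(str.split(",").map(&:strip))
end

# ghsa_ranges: the vulnerableVersionRange strings of one advisory
# unaffected / patched: the proposed ruby-advisory-db lists
# candidates: version strings to classify; include the boundary versions
#   and at least one version inside each gap you expect to be unaffected
# Returns a list of problem descriptions; an empty list means consistent.
def check(ghsa_ranges, unaffected, patched, candidates)
  vuln = ghsa_ranges.map { |s| req(s) }
  safe = (unaffected + patched).map { |s| req(s) }
  vers = candidates.map { |s| Gem::Version.new(s) }
  problems = []
  # An entry no candidate satisfies is almost always two ranges mis-joined
  # into one ANDed string instead of two separate list items.
  unaffected.each do |s|
    r = req(s)
    problems << "unsatisfiable: \"#{s}\"" if vers.none? { |v| r.satisfied_by?(v) }
  end
  vers.each do |v|
    is_vuln = vuln.any? { |r| r.satisfied_by?(v) }
    covered = safe.any? { |r| r.satisfied_by?(v) }
    problems << "#{v}: vulnerable but listed as safe" if is_vuln && covered
    problems << "#{v}: not vulnerable and not listed" if !is_vuln && !covered
  end
  problems
end

if __FILE__ == $0
  # Item (5): the single ANDed string versus two separate entries.
  cands = %w[1.6.9 1.6.10 1.6.13 1.6.14 1.7.0]
  p check([">= 1.6.10, <= 1.6.13"], ["< 1.6.10, > 1.6.13"], [">= 1.7.0"], cands)
  p check([">= 1.6.10, <= 1.6.13"], ["< 1.6.10", "> 1.6.13, < 1.7.0"], [">= 1.7.0"], cands)
  # Item (7) ACTUAL: "< 4.0.0" swallows the vulnerable 3.x series.
  p check([">= 4.0.0, <= 4.1.14.0", ">= 3.1.0, <= 3.2.22.0"], ["< 4.0.0"],
          ["~> 3.2.22.1", ">= 4.1.14.1"], %w[3.0.0 3.2.0 3.2.22.1 4.0.0 4.1.14.1])
end
```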
EOF