Skip to content

dwradcliffe/ruby-advisory-db

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

161 Commits
gems
gems
 
 
lib
lib
 
 
spec
spec
 
 
.gitignore
.gitignore
 
 
.rspec
.rspec
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
CONTRIBUTORS.md
CONTRIBUTORS.md
 
 
Gemfile
Gemfile
 
 
LICENSE.txt
LICENSE.txt
 
 
README.md
README.md
 
 
Rakefile
Rakefile
 
 

Repository files navigation

Ruby Advisory Database

The Ruby Advisory Database aims to compile all advisories that are relevant to Ruby libraries.

Goals

  1. Provide advisory metadata in a simple yet structured YAML schema for automated tools to consume.
  2. Avoid reinventing CVEs.
  3. Avoid duplicating the efforts of the OSVDB.

Directory Structure

The database is a list of directories that match the names of Ruby libraries on rubygems.org. Within each directory are one or more advisory files for the Ruby library. These advisory files are typically named using the advisories OSVDB identifier number.

gems/: actionpack/: OSVDB-79727.yml OSVDB-84513.yml OSVDB-89026.yml OSVDB-91454.yml OSVDB-84243.yml OSVDB-84515.yml OSVDB-91452.yml

Format

Each advisory file contains the advisory information in YAML format:

--- gem: actionpack framework: rails cve: 2013-0156 osvdb: 89026 url: http://osvdb.org/show/osvdb/89026 title: | Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution description: | Ruby on Rails contains a flaw in params_parser.rb of the Action Pack. The issue is triggered when a type casting error occurs during the parsing of parameters. This may allow a remote attacker to potentially execute arbitrary code. cvss_v2: 10.0 patched_versions: - ~> 2.3.15 - ~> 3.0.19 - ~> 3.1.10 - ">= 3.2.11"

Schema

  • gem [String]: Name of the affected gem.
  • framework [String] (optional): Name of framework gem belongs to.
  • platform [String] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
  • cve [String]: CVE id.
  • osvdb [Fixnum]: OSVDB id.
  • url [String]: The URL to the full advisory.
  • title [String]: The title of the advisory.
  • date [Date]: Disclosure date of the advisory.
  • description [String]: Multi-paragraph description of the vulnerability.
  • cvss_v2 [Float]: The CVSSv2 score for the vulnerability.
  • unaffected_versions [Array<String>] (optional): The version requirements for the unaffected versions of the Ruby library.
  • patched_versions [Array<String>]: The version requirements for the patched versions of the Ruby library.

Credits

Please see CONTRIBUTORS.md.

This database also includes data from the Open Source Vulnerability Database developed by the Open Security Foundation (OSF) and its contributors.

About

A "database" of vulnerable Ruby Gems

Resources

Readme

License

View license

Contributing

Contributing
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Ruby 100.0%