Ruby Advisory Database

The Ruby Advisory Database aims to compile all advisories that are relevant to Ruby libraries.

Goals

  1. Provide advisory metadata in a simple yet structured YAML schema for automated tools to consume.
  2. Avoid reinventing CVEs.
  3. Avoid duplicating the efforts of the OSVDB.

Directory Structure

The database is a list of directories whose names match the names of Ruby libraries on rubygems.org. Within each directory are one or more advisory files for that Ruby library. These advisory files are typically named after the advisory's OSVDB identifier number.

gems/:
  actionpack/:
    OSVDB-79727.yml  OSVDB-84513.yml  OSVDB-89026.yml  OSVDB-91454.yml
    OSVDB-84243.yml  OSVDB-84515.yml  OSVDB-91452.yml

Format

Each advisory file contains the advisory information in YAML format:

---
gem: actionpack
framework: rails
cve: 2013-0156
osvdb: 89026
url: http://osvdb.org/show/osvdb/89026
title: |
  Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
  Remote Code Execution 

description: |
  Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
  The issue is triggered when a type casting error occurs during the parsing
  of parameters. This may allow a remote attacker to potentially execute
  arbitrary code.

cvss_v2: 10.0

patched_versions:
  - ~> 2.3.15
  - ~> 3.0.19
  - ~> 3.1.10
  - ">= 3.2.11"

Schema

  • gem [String]: Name of the affected gem.
  • framework [String] (optional): Name of the framework the gem belongs to.
  • platform [String] (optional): If this vulnerability is platform-specific, the name of the platform it affects (e.g. JRuby).
  • cve [String]: CVE id.
  • osvdb [Fixnum]: OSVDB id.
  • url [String]: The URL to the full advisory.
  • title [String]: The title of the advisory.
  • date [Date]: Disclosure date of the advisory.
  • description [String]: Multi-paragraph description of the vulnerability.
  • cvss_v2 [Float]: The CVSSv2 score for the vulnerability.
  • unaffected_versions [Array<String>] (optional): The version requirements for the unaffected versions of the Ruby library.
  • patched_versions [Array<String>]: The version requirements for the patched versions of the Ruby library.
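The Format and Schema sections above describe what an automated tool consumes: a YAML file per advisory, with patched_versions and unaffected_versions expressed as RubyGems version requirements. The following is an added example (not code from ruby-advisory-db or bundler-audit) of such a consumer in Ruby: it loads advisory files from the gems/<name>/ layout, checks the required keys, and decides whether a given gem version is affected using Gem::Requirement. The sample advisory embedded below is constructed from the actionpack example above (truncated description); the function names load_advisories, parse_advisory, vulnerable? and scan_specs are the example's own.

```ruby
require 'yaml'
require 'date'

# Constructed sample, modelled on the actionpack OSVDB-89026 advisory shown above.
SAMPLE_ADVISORY = <<~YAML
  ---
  gem: actionpack
  framework: rails
  cve: 2013-0156
  osvdb: 89026
  url: http://osvdb.org/show/osvdb/89026
  title: |
    Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
    Remote Code Execution
  description: |
    Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
  cvss_v2: 10.0
  patched_versions:
    - ~> 2.3.15
    - ~> 3.0.19
    - ~> 3.1.10
    - ">= 3.2.11"
YAML

Advisory = Struct.new(:gem_name, :cve, :osvdb, :url, :title, :cvss_v2, :patched, :unaffected)

# Keys the schema marks as required. `date` is listed in the schema but absent
# from the page's example, so it is accepted when present and not enforced here.
REQUIRED_KEYS = %w[gem cve osvdb url title description cvss_v2 patched_versions].freeze

# Parse one advisory file body. safe_load refuses arbitrary object tags, so a
# malicious or corrupted advisory file cannot instantiate Ruby objects.
def parse_advisory(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [Date])
  raise ArgumentError, 'advisory is not a mapping' unless data.is_a?(Hash)
  missing = REQUIRED_KEYS - data.keys
  raise ArgumentError, "advisory missing keys: #{missing.join(', ')}" unless missing.empty?

  to_reqs = ->(list) { Array(list).map { |r| Gem::Requirement.new(r) } }
  Advisory.new(
    data['gem'], data['cve'].to_s, Integer(data['osvdb']), data['url'],
    data['title'].strip, Float(data['cvss_v2']),
    to_reqs.call(data['patched_versions']),
    to_reqs.call(data['unaffected_versions'])
  )
end

# Walk the gems/<gem>/<advisory>.yml layout described in Directory Structure.
def load_advisories(root)
  Dir.glob(File.join(root, 'gems', '*', '*.yml')).sort.map { |path| parse_advisory(File.read(path)) }
end

# A version is affected unless it is explicitly unaffected or satisfies one of
# the patched requirements. Gem::Requirement understands "~>" and ">=".
def vulnerable?(advisory, version_string)
  version = Gem::Version.new(version_string)
  return false if advisory.unaffected.any? { |req| req.satisfied_by?(version) }
  advisory.patched.none? { |req| req.satisfied_by?(version) }
end

# specs: { gem name => installed version }, e.g. as read from a Gemfile.lock.
# Returns one finding per (gem, advisory) pair that applies.
def scan_specs(specs, advisories)
  advisories.each_with_object([]) do |adv, findings|
    version = specs[adv.gem_name]
    next unless version && vulnerable?(adv, version)
    findings << { gem: adv.gem_name, version: version, cve: adv.cve, osvdb: adv.osvdb, cvss_v2: adv.cvss_v2 }
  end
end

if __FILE__ == $PROGRAM_NAME
  adv = parse_advisory(SAMPLE_ADVISORY)
  scan_specs({ 'actionpack' => '3.2.10', 'rake' => '10.0.0' }, [adv]).each do |f|
    puts "#{f[:gem]} #{f[:version]}: CVE-#{f[:cve]} (OSVDB-#{f[:osvdb]}, CVSSv2 #{f[:cvss_v2]})"
  end
end
```

Note that "~> 2.3.15" is satisfied by 2.3.15 up to but excluding 2.4, so an installed 2.3.14 is reported while 2.3.16 is not; a version on a branch the advisory does not list (for example 3.2.10, which satisfies none of the four requirements) is reported as affected, which is the conservative reading of patched_versions.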

Credits

Please see CONTRIBUTORS.md.

This database also includes data from the Open Source Vulnerability Database developed by the Open Security Foundation (OSF) and its contributors.
