Permalink
Fetching contributors…
Cannot retrieve contributors at this time
70 lines (57 sloc) 2.23 KB

Contributing Guidelines

  • All text must be within 80 columns.
  • YAML must be indented by 2 spaces.
  • Have any questions? Feel free to open an issue.
  • Prior to submitting a pull request, run the tests:
bundle install
bundle exec rspec
  • Follow the schema. Here is an example advisory:
    ---
    gem: examplegem
    cve: 2013-0156
    url: https://github.com/rubysec/ruby-advisory-db/issues/123456
    title: |
      Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
      Remote Code Execution

    description: |
      Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
      The issue is triggered when a type casting error occurs during the parsing
      of parameters. This may allow a remote attacker to potentially execute
      arbitrary code.

    cvss_v2: 10.0

    patched_versions:
      - ~> 2.3.15
      - ~> 3.0.19
      - ~> 3.1.10
      - ">= 3.2.11"
    unaffected_versions:
      - ~> 2.4.3

    related:
      cve:
        - 2013-1234567
        - 2013-1234568
      url:
        - https://github.com/rubysec/ruby-advisory-db/issues/123457

Schema

  • gem [String]: Name of the affected gem.
  • framework [String] (optional): Name of framework gem belongs to.
  • platform [String] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
  • cve [String]: CVE id.
  • osvdb [Integer]: OSVDB id.
  • url [String]: The URL to the full advisory.
  • title [String]: The title of the advisory.
  • date [Date]: Disclosure date of the advisory.
  • description [String]: Multi-paragraph description of the vulnerability.
  • cvss_v2 [Float]: The CVSSv2 score for the vulnerability.
  • cvss_v3 [Float]: The CVSSv3 score for the vulnerability.
  • unaffected_versions [Array<String>] (optional): The version requirements for the unaffected versions of the Ruby library.
  • patched_versions [Array<String>]: The version requirements for the patched versions of the Ruby library.
  • related [Hash<Array<String>>]: Sometimes an advisory references many urls and cves. Supported keys: cve and url