Conversation

@jasnow jasnow commented May 31, 2023

Updating advisories with osvdb.org in "url:" field

  • Updated "url:" field with non-osvdb reference since osvdb.org is no longer available.
  • Added "ghsa:" field value for advisories with "cve:" values.
  • Added "related:" references as evidence for further work (for advisories with "cve:" values, usually only 4 refs; check NVD reference for full list).
  • Changed quotes to, or added, double-quotes as needed.
  • Added "notes:" as needed to be more explicit.
  • Line-wrapped text fields as needed.
  • Merged one duplicate OSVDB-78119 advisory into CVE-2012-5372 advisory.

Special Notes

  • No new files/advisories in this PR.
  • Will delete rubies/rbx/OSVDB-78119.yml file in separate PR.

Checks

  • internal "morechks" script (all clean)
  • yamlint (green)
  • rake (green)
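One way to automate the kind of cleanup checks this PR performed by hand, as an added example that is not the project's own "morechks" script: it flags a primary "url:" that still points at osvdb.org or at a raw GitHub commit/diff, and a "cve:" entry without a matching "ghsa:". The field names (gem, cve, ghsa, url, related with a url list) follow the advisory YAML layout; the sample advisories and the GHSA placeholder are constructed, not real entries.

```ruby
# Added example (not code from ruby-advisory-db): lint checks that mirror
# the cleanup described in this PR. Assumes the advisory fields
# gem/cve/ghsa/url/related, with related: holding a url: list.
require 'yaml'

# Returns an array of issue strings for one advisory document (YAML text).
def check_advisory(yaml_text)
  adv = YAML.safe_load(yaml_text)
  issues = []
  url = adv['url'].to_s
  if url.empty?
    issues << 'missing url'
  elsif url.include?('osvdb.org')
    issues << 'url points to osvdb.org, which is no longer available'
  elsif url =~ %r{github\.com/[^/]+/[^/]+/(commit|blob|compare)/}
    # Raw code or diff links are not reader-friendly advisory pages.
    issues << 'url is a raw GitHub commit/diff; prefer an advisory page'
  end
  issues << 'has cve: but no ghsa:' if adv['cve'] && adv['ghsa'].to_s.empty?
  related = adv['related']
  if related.is_a?(Hash) && related['url'].is_a?(Array)
    stale = related['url'].select { |u| u.to_s.include?('osvdb.org') }
    issues << "related url still references osvdb.org (#{stale.size})" unless stale.empty?
  end
  issues
end

# Constructed sample advisories (not real entries).
OLD_ADVISORY = <<~YAML
  gem: example-gem
  cve: "2012-0000"
  osvdb: 78119
  url: http://osvdb.org/78119
  title: Example vulnerability
YAML

FIXED_ADVISORY = <<~YAML
  gem: example-gem
  cve: "2012-0000"
  ghsa: "xxxx-xxxx-xxxx"   # placeholder GHSA id
  url: https://example.org/advisory
  title: Example vulnerability
  related:
    url:
      - https://nvd.nist.gov/vuln/detail/CVE-2012-0000
YAML

puts check_advisory(OLD_ADVISORY) if __FILE__ == $0
```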

@postmodern postmodern self-requested a review May 31, 2023 23:24
@postmodern postmodern left a comment

The primary url: should ideally point to a web page with the advisory information, that explains the impact. how to upgrade, etc. It's probably not very user-friendly to link to raw GitHub code or commit diffs. If no other suitable URL exists for the advisory, perhaps we could link to the https://rubysec.com page for the advisory?

jasnow commented Jun 2, 2023

> The primary url: should ideally point to a web page with the advisory information, that explains the impact. how to upgrade, etc. It's probably not very user-friendly to link to raw GitHub code or commit diffs. If no other suitable URL exists for the advisory, perhaps we could link to the https://rubysec.com page for the advisory?

I agree that sometimes it was hard to find the right one for the main "url:" field. My approach was to pick the public announcement of the vulnerability by the project if possible, or proof that the vulnerability was real. I will review your feedback and try to improve my selection.

jasnow commented Jun 2, 2023

Found 2 more files needing similar changes.

@postmodern postmodern self-requested a review June 3, 2023 02:51
@postmodern postmodern left a comment

LGTM

@postmodern postmodern merged commit 77ae7ba into rubysec:master Jun 3, 2023
jasnow commented Jun 3, 2023

Thanks
