
Omit patched_versions: if the GHSA has no patched version identifiers.#664

Merged: postmodern merged 3 commits into master from github_sync_no_patched_versions, Jul 1, 2023

Conversation

@postmodern (Member)

Implements a fix for #656.

@postmodern (Member, Author)

@jasnow could you review this branch? I think this implements the fix you want.

postmodern self-assigned this Jun 29, 2023

@jasnow (Contributor) commented Jun 29, 2023

Note for gems/arabic-prawn/CVE-2014-2322.yml, the output of patched_versions_for(package) is not empty?, it is:

patched_versions:
  - ">= "

I get this when I run "rake":

  2) gems /home/t530-dev/Projects/ruby-advisory-db/gems/arabic-prawn/CVE-2014-2322.yml patched_versions each patched version >=  should contain valid RubyGem version requirements
     Failure/Error:
       expect {
       Gem::Requirement.new(*subject)
       }.not_to raise_error
     
       expected no Exception, got #<Gem::Requirement::BadRequirementError: Illformed requirement [">= "]> with backtrace:
         # ./spec/advisory_example.rb:203:in `new'
         # ./spec/advisory_example.rb:203:in `block (8 levels) in <top (required)>'
         # ./spec/advisory_example.rb:202:in `block (7 levels) in <top (required)>'
     Shared Example Group: "Advisory" called from ./spec/gem_advisory_example.rb:5
     Shared Example Group: "Gem Advisory" called from ./spec/advisories_spec.rb:7
     # ./spec/advisory_example.rb:202:in `block (7 levels) in <top (required)>'

  3) gems /home/t530-dev/Projects/ruby-advisory-db/gems/arabic-prawn/CVE-2014-2322.yml versions assumes that future versions will be patched
     Failure/Error: Gem::Version.new(v.match(/[0-9.]+\.\d+/)[0])
     
     NoMethodError:
       undefined method `[]' for nil:NilClass
     
                 Gem::Version.new(v.match(/[0-9.]+\.\d+/)[0])
                                                         ^^^
     Shared Example Group: "Gem Advisory" called from ./spec/advisories_spec.rb:7
     # ./spec/gem_advisory_example.rb:44:in `block (5 levels) in <top (required)>'
     # ./spec/gem_advisory_example.rb:43:in `each'
     # ./spec/gem_advisory_example.rb:43:in `sort_by'
     # ./spec/gem_advisory_example.rb:43:in `block (4 levels) in <top (required)>'

@postmodern (Member, Author)

@jasnow added logic to filter out when firstPatchedVersion is set, but identifier isn't. I think that's why you're getting ">= " in the patched_versions.

@jasnow (Contributor) commented Jun 30, 2023

Adding this made it work:

-      patched_versions << ">= #{first_patched_versions.last}"
+      if first_patched_versions.length > 0 
+        patched_versions << ">= #{first_patched_versions.last}"
+      end
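Review bot: prefer `unless first_patched_versions.empty?` to `if first_patched_versions.length > 0` on the first `+` line, which also carries trailing whitespace after `> 0`. The guard does target the real condition: when `first_patched_versions` is empty, `.last` returns nil and the interpolation `">= #{first_patched_versions.last}"` produces the ill-formed `">= "` that the spec's `Gem::Requirement.new` check rejects, so skipping the append in that case is the correct behaviour.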

@postmodern (Member, Author)

@jasnow that implies the identifier field is an empty String, which seems wrong. Could you paste the full vulnerabilities: data you're seeing, so I can see what data GitHub Advisories is returning?

@jasnow (Contributor) commented Jun 30, 2023

puts vulnerabilities.inspect on line 343

[{"package"=>{"name"=>"redcloth", "ecosystem"=>"RUBYGEMS"}, "vulnerableVersionRange"=>"< 4.3.0", "firstPatchedVersion"=>{"identifier"=>"4.3.0"}}]
Wrote: gems/redcloth/CVE-2012-6684.yml
[{"package"=>{"name"=>"arabic-prawn", "ecosystem"=>"RUBYGEMS"}, "vulnerableVersionRange"=>"<= 0.0.1", "firstPatchedVersion"=>nil}]
Wrote: gems/arabic-prawn/CVE-2014-2322.yml
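As an added example (not code from the ruby-advisory-db sync script or from either commenter), the following Ruby shows the shape of the fix being discussed: build the patched-version list from the GHSA `vulnerabilities` data while dropping records whose `firstPatchedVersion` is nil, emit `patched_versions:` only when there is something to put in it (with `notes: Never patched` taking its slot otherwise), and validate the result with the same `Gem::Requirement` check the advisory spec applies. The two sample records are constructed from the ones pasted above; the function names and the minimal advisory layout are assumptions, and the real script writes more fields.

```ruby
require 'yaml'

# Constructed sample of the GHSA "vulnerabilities" data, modelled on the two
# records pasted in the thread: one with a first patched version, one never patched.
SAMPLE_VULNERABILITIES = {
  '2012-6684' => [
    { 'package' => { 'name' => 'redcloth', 'ecosystem' => 'RUBYGEMS' },
      'vulnerableVersionRange' => '< 4.3.0',
      'firstPatchedVersion' => { 'identifier' => '4.3.0' } }
  ],
  '2014-2322' => [
    { 'package' => { 'name' => 'arabic-prawn', 'ecosystem' => 'RUBYGEMS' },
      'vulnerableVersionRange' => '<= 0.0.1',
      'firstPatchedVersion' => nil }
  ]
}.freeze

# First patched version identifiers, with nil firstPatchedVersion records and
# records lacking an identifier dropped, so no empty string reaches the caller.
def first_patched_versions_for(vulnerabilities)
  vulnerabilities.map { |v| v['firstPatchedVersion'] }
                 .compact
                 .map { |fpv| fpv['identifier'] }
                 .reject { |id| id.nil? || id.empty? }
end

# Returns the patched_versions entries, or nil when nothing was ever patched,
# so the caller omits the key instead of writing the ill-formed ">= ".
def patched_versions_for(vulnerabilities)
  first = first_patched_versions_for(vulnerabilities)
  return nil if first.empty?

  [">= #{first.last}"]
end

# Assemble a minimal advisory hash (hypothetical layout; the real sync script
# writes more fields). notes: takes the slot patched_versions: would occupy.
def advisory_for(cve, vulnerabilities)
  advisory = { 'gem' => vulnerabilities.first['package']['name'], 'cve' => cve }
  patched = patched_versions_for(vulnerabilities)
  if patched
    advisory['patched_versions'] = patched
  else
    advisory['notes'] = 'Never patched'
  end
  advisory
end

def advisory_yaml(advisory)
  advisory.to_yaml
end

# The same check the advisory spec applies: every patched_versions entry must
# parse as a RubyGems version requirement. A missing key is trivially valid.
def valid_requirements?(advisory)
  Array(advisory['patched_versions']).all? do |req|
    begin
      Gem::Requirement.new(req)
      true
    rescue Gem::Requirement::BadRequirementError
      false
    end
  end
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_VULNERABILITIES.each do |cve, vulns|
    advisory = advisory_for(cve, vulns)
    puts advisory_yaml(advisory)
    puts "valid requirements: #{valid_requirements?(advisory)}"
  end
end
```

Running the file prints one YAML document per sample; the arabic-prawn one has no `patched_versions:` key at all, and both pass the requirement check, whereas a hand-built advisory containing `">= "` fails it exactly as the spec output above shows.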

@postmodern (Member, Author)

@jasnow OK, added your code. It should work now.

@jasnow (Contributor) commented Jul 1, 2023

Here is the complete advisory when "Never patched" is true:

---
gem: arabic-prawn
cve: 2014-2322
ghsa: hgmw-x865-hf9x
url: http://www.openwall.com/lists/oss-security/2014/03/10/8
title: Arabic Prawn allows remote attackers to execute arbitrary commands via shell
  metacharacters
date: 2017-10-24
description: |
  "`lib/string_utf_support.rb` in the Arabic Prawn 0.0.1 gem for Ruby allows
  remote attackers to execute arbitrary commands via shell metacharacters in the (1)
  downloaded_file or (2) url variable."
unaffected_versions:
notes: Never patched
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2014-2322
    - http://www.openwall.com/lists/oss-security/2014/03/10/8
    - http://www.openwall.com/lists/oss-security/2014/03/12/6
    - https://web.archive.org/web/20160306235714/http://www.vapid.dhs.org/advisories/arabic-ruby-gem.html
    - https://github.com/advisories/GHSA-hgmw-x865-hf9x

@postmodern (Member, Author)

@jasnow I'm guessing you'd prefer notes: go after related:?

@jasnow (Contributor) commented Jul 1, 2023

> @jasnow I'm guessing you'd prefer notes: go after related:?

No, when I do it manually, I put it exactly where patched_versions would be.
The only difference I noticed would be that I put the text in double quotes.
