Description
According to About the GitHub Advisory database:
We add advisories to the GitHub Advisory Database from the following sources:
[...]
The FriendsOfPHP database
But of the seven currently listed CakePHP framework security advisories in FriendsOfPHP/security-advisories, only one can be found in the GHSA database.
Namely the only one with a CVE:
https://github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/CVE-2019-11458.yaml
GHSA-qhrx-hcm6-pmrw
The other four do not have a CVE:
https://github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2014-04-29.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2015-05-07.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2015-05-28.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2015-08-06.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2015-11-05.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2018-05-20.yaml
Listed security advisories on Packagist (lists FriendsOfPHP/security-advisories & GHSA).
- Is a linked CVE available in the raw data of FriendsOfPHP/security-advisories a requirement for being imported into the GHSA database?
- If so, could this be documented?
- If not, how can these missing CakePHP security advisories be imported into the GHSA database?
Could be related to #115