
Omit patched_versions: if the GHSA has no patched version identifiers. #664

Merged
merged 3 commits into from
Jul 1, 2023

Conversation

postmodern
Member

Implements a fix for #656.

@postmodern
Member Author

@jasnow could you review this branch? I think this implements the fix you want.

@postmodern postmodern self-assigned this Jun 29, 2023
@jasnow
Contributor

jasnow commented Jun 29, 2023

Note for gems/arabic-prawn/CVE-2014-2322.yml, the output of patched_versions_for(package) is not empty?, it is:

patched_versions:
  - ">= "

I get this when I run "rake":

  2) gems /home/t530-dev/Projects/ruby-advisory-db/gems/arabic-prawn/CVE-2014-2322.yml patched_versions each patched version >=  should contain valid RubyGem version requirements
     Failure/Error:
       expect {
       Gem::Requirement.new(*subject)
       }.not_to raise_error
     
       expected no Exception, got #<Gem::Requirement::BadRequirementError: Illformed requirement [">= "]> with backtrace:
         # ./spec/advisory_example.rb:203:in `new'
         # ./spec/advisory_example.rb:203:in `block (8 levels) in <top (required)>'
         # ./spec/advisory_example.rb:202:in `block (7 levels) in <top (required)>'
     Shared Example Group: "Advisory" called from ./spec/gem_advisory_example.rb:5
     Shared Example Group: "Gem Advisory" called from ./spec/advisories_spec.rb:7
     # ./spec/advisory_example.rb:202:in `block (7 levels) in <top (required)>'

  3) gems /home/t530-dev/Projects/ruby-advisory-db/gems/arabic-prawn/CVE-2014-2322.yml versions assumes that future versions will be patched
     Failure/Error: Gem::Version.new(v.match(/[0-9.]+\.\d+/)[0])
     
     NoMethodError:
       undefined method `[]' for nil:NilClass
     
                 Gem::Version.new(v.match(/[0-9.]+\.\d+/)[0])
                                                         ^^^
     Shared Example Group: "Gem Advisory" called from ./spec/advisories_spec.rb:7
     # ./spec/gem_advisory_example.rb:44:in `block (5 levels) in <top (required)>'
     # ./spec/gem_advisory_example.rb:43:in `each'
     # ./spec/gem_advisory_example.rb:43:in `sort_by'
     # ./spec/gem_advisory_example.rb:43:in `block (4 levels) in <top (required)>'

@postmodern
Member Author

@jasnow added logic to filter out when firstPatchedVersion is set, but identifier isn't. I think that's why you're getting ">= " in the patched_versions.

@jasnow
Contributor

jasnow commented Jun 30, 2023

Adding this made it work:

-      patched_versions << ">= #{first_patched_versions.last}"
+      if first_patched_versions.length > 0 
+        patched_versions << ">= #{first_patched_versions.last}"
+      end
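Review bot: the `if first_patched_versions.length > 0` guard only covers the empty-array case; the data pasted further down in this thread shows `"firstPatchedVersion"=>nil`, so unless the code that builds `first_patched_versions` drops nil and blank identifiers, `.last` can still be nil and the interpolation still yields `">= "`. Filtering at collection time (for example with `compact`) would be the sturdier place for the check. Style: `unless first_patched_versions.empty?` is the usual Ruby idiom, and the `if` line carries trailing whitespace.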

@postmodern
Member Author

@jasnow that implies the identifier field is an empty String, which seems wrong. Could you paste the full vulnerabilities: data you're seeing, so I can see what data GitHub Advisories is returning?

@jasnow
Contributor

jasnow commented Jun 30, 2023

puts vulnerabilities.inspect on line 343

[{"package"=>{"name"=>"redcloth", "ecosystem"=>"RUBYGEMS"}, "vulnerableVersionRange"=>"< 4.3.0", "firstPatchedVersion"=>{"identifier"=>"4.3.0"}}]
Wrote: gems/redcloth/CVE-2012-6684.yml
[{"package"=>{"name"=>"arabic-prawn", "ecosystem"=>"RUBYGEMS"}, "vulnerableVersionRange"=>"<= 0.0.1", "firstPatchedVersion"=>nil}]
Wrote: gems/arabic-prawn/CVE-2014-2322.yml

@postmodern
Member Author

@jasnow OK, added your code. It should work now.
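The conversion this thread converges on, written out as an added Ruby example (not the project's own code): the `vulnerabilities` array from GitHub Advisories is reduced to `patched_versions`, and the key is omitted (nil) when no entry carries a usable `firstPatchedVersion` identifier. The function names are hypothetical and the sample data is constructed to match the shapes pasted above, including a blank-identifier case.

```ruby
# Added example (not the project's own code): how the GitHub Advisory
# "vulnerabilities" array maps to ruby-advisory-db's patched_versions.
require 'rubygems'

# Constructed sample, shaped like the data pasted in this thread.
VULNERABILITIES = {
  "redcloth"     => [{ "package" => { "name" => "redcloth", "ecosystem" => "RUBYGEMS" },
                       "vulnerableVersionRange" => "< 4.3.0",
                       "firstPatchedVersion" => { "identifier" => "4.3.0" } }],
  "arabic-prawn" => [{ "package" => { "name" => "arabic-prawn", "ecosystem" => "RUBYGEMS" },
                       "vulnerableVersionRange" => "<= 0.0.1",
                       "firstPatchedVersion" => nil }],
  # firstPatchedVersion present but identifier blank: must also be dropped.
  "blank-id"     => [{ "package" => { "name" => "blank-id", "ecosystem" => "RUBYGEMS" },
                       "vulnerableVersionRange" => "< 1.0",
                       "firstPatchedVersion" => { "identifier" => "" } }],
}

# Collect first-patched identifiers for one package. nil firstPatchedVersion
# entries and blank identifiers are skipped here, so the caller never sees a
# nil or "" that would render as ">= ".
def first_patched_versions_for(vulns, package)
  vulns.filter_map do |v|
    next unless v.dig("package", "name") == package
    id = v.dig("firstPatchedVersion", "identifier")
    id unless id.nil? || id.strip.empty?
  end.sort_by { |id| Gem::Version.new(id) }
end

# Highest first-patched version as a requirement string (as the thread's
# `.last` does), or nil when patched_versions should be omitted entirely.
def patched_versions_for(vulns, package)
  ids = first_patched_versions_for(vulns, package)
  return nil if ids.empty?
  [">= #{ids.last}"]
end

# Mirror of the spec check that failed in this thread: every entry must parse
# as a Gem::Requirement (">= " raises BadRequirementError).
def valid_requirements?(patched)
  return true if patched.nil?
  patched.all? do |req|
    Gem::Requirement.new(req)
    true
  rescue Gem::Requirement::BadRequirementError
    false
  end
end
```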

@jasnow
Contributor

jasnow commented Jul 1, 2023

Here is the complete advisory when "Never patched" is true:

---
gem: arabic-prawn
cve: 2014-2322
ghsa: hgmw-x865-hf9x
url: http://www.openwall.com/lists/oss-security/2014/03/10/8
title: Arabic Prawn allows remote attackers to execute arbitrary commands via shell
  metacharacters
date: 2017-10-24
description: |
  "`lib/string_utf_support.rb` in the Arabic Prawn 0.0.1 gem for Ruby allows
  remote attackers to execute arbitrary commands via shell metacharacters in the (1)
  downloaded_file or (2) url variable."
unaffected_versions:
notes: Never patched
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2014-2322
    - http://www.openwall.com/lists/oss-security/2014/03/10/8
    - http://www.openwall.com/lists/oss-security/2014/03/12/6
    - https://web.archive.org/web/20160306235714/http://www.vapid.dhs.org/advisories/arabic-ruby-gem.html
    - https://github.com/advisories/GHSA-hgmw-x865-hf9x

@postmodern
Member Author

@jasnow I'm guessing you'd prefer notes: go after related:?

@jasnow
Contributor

jasnow commented Jul 1, 2023

> @jasnow I'm guessing you'd prefer notes: go after related:?

No, when I do it manually, I put it exactly where patched_versions would be.
The only difference I noticed would be that I put the text in double quotes.
