
Support for non-rubygems vulnerabilities #184

Closed · jasnow opened this issue Mar 26, 2023 · 8 comments

Comments

@jasnow commented Mar 26, 2023

Appears that you get rubygem vulnerabilities by way of GHSA database feed.
Do you have support for the rubies (ruby-lang.org, jruby.org, mruby.org) languages?
Thanks.

@G-Rath (Owner) commented Mar 26, 2023

I assume you're asking about checking the version of Ruby itself? That is not supported currently, mainly because afaik neither the osv.dev nor the GitHub advisory database contains entries for Ruby. In terms of parsing, it would be trivial to have the Gemfile.lock parser support parsing the RUBY VERSION block for the actual version.

@jasnow (Author) commented Mar 26, 2023

@G-Rath (Owner) commented Mar 26, 2023

Yeah, those exist but are not actually in the database, since they're marked as unreviewed. That's because the OSV spec doesn't have a way of representing things like "Ruby the language/SDK", so the advisory itself has no affected data, meaning there's nothing osv-detector can do (since it needs that to be able to match the advisory).

ruby-advisory-db is not using the OSV specification for its entries, so it's not directly compatible, though they do have versions, so you should write a script to create OSVs from their entries, use that as a custom database, and then pass in the Ruby version(s) as a CSV (I've been playing with something similar for doing end-of-life checks).

@jasnow (Author) commented Mar 26, 2023

Example: GHSA-w9fp-2996-hhwx

I tried to review them, but they do not have a required "ecosystem" value for non-rubygems. Go to the bottom right corner of the above advisory, click on "improve...", and then click on "Ecosystems" to see.

I have 11 GHSA "rubygems" PRs approved or merged in the last few weeks.

@G-Rath (Owner) commented Mar 26, 2023

In that case those advisories will be reported by osv-detector - the exception is advisories for Ruby itself since that isn't a gem; if you have gotten an advisory for a Ruby SDK reviewed then I think it would make sense for osv-detector to start parsing the Ruby version from Gemfile.lock and include it as a "package" in its output (at least until the OSV spec decides how to handle those kind of vulnerabilities)
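
Putting the two suggestions in this thread together (parsing the RUBY VERSION block of Gemfile.lock, and converting ruby-advisory-db entries into OSV records to use as a custom database), as an added example in Ruby. It is not part of the original issue and is not code from osv-detector or ruby-advisory-db. It assumes the ruby-advisory-db YAML keys shown in the sample (engine, cve, url, title, date, patched_versions), a hypothetical ecosystem name "Ruby" (the OSV schema defines none for the interpreter), and only the "~> x.y.z" and ">= x.y.z" requirement shapes; the advisory and the lockfile are constructed sample input, not real entries.

```ruby
# frozen_string_literal: true
#
# Added example, not osv-detector's or ruby-advisory-db's own code.
# Assumptions: ruby-advisory-db style YAML keys as in the sample below; the
# ecosystem label "Ruby" is hypothetical (OSV has no ecosystem for the
# interpreter); only "~> x.y.z" and ">= x.y.z" patched_versions are handled.
require "date"
require "json"
require "rubygems"
require "yaml"

RUBY_ECOSYSTEM = "Ruby" # hypothetical ecosystem label, see above

# Constructed advisory in ruby-advisory-db style; the id and versions are placeholders.
SAMPLE_ADVISORY_YAML = <<~YAML
  engine: ruby
  cve: "0000-00000"
  url: https://example.invalid/constructed-advisory
  title: Constructed example advisory for the Ruby interpreter
  date: 2023-01-01
  patched_versions:
    - "~> 3.0.6"
    - "~> 3.1.4"
    - ">= 3.2.2"
YAML

# Constructed Gemfile.lock fragment; Bundler writes the RUBY VERSION block like this.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.6)

  DEPENDENCIES
    rake

  RUBY VERSION
     ruby 3.1.2p20

  BUNDLED WITH
     2.3.7
LOCK

# Returns [engine, version] from the RUBY VERSION block, or nil if absent.
# Handles "   ruby 3.1.2p20" and "   ruby 2.6.8p205 (jruby 9.3.4.0)".
def ruby_version_from_lockfile(lock)
  line = lock[/^RUBY VERSION\n(.+)$/, 1] or return nil
  m = line.match(/ruby (\d+(?:\.\d+)*)(?:p-?\d+)?(?: \((\w+) (\S+)\))?/) or return nil
  m[2] ? [m[2], m[3]] : ["ruby", m[1]]
end

# One patched_versions requirement -> half-open interval [lo, hi) of patched
# versions; hi == nil means "patched from lo onwards".
def patched_interval(req)
  case req
  when /\A~>\s*(\S+)\z/ then v = Gem::Version.new($1); [v, v.bump] # ~> 3.0.6 => [3.0.6, 3.1)
  when /\A>=\s*(\S+)\z/ then [Gem::Version.new($1), nil]
  else raise ArgumentError, "unsupported requirement shape: #{req.inspect}"
  end
end

# OSV wants the *affected* versions, which ruby-advisory-db does not record:
# they are the gaps between the patched intervals. Walk the patched intervals
# in order and emit an introduced/fixed pair for every gap.
def affected_events(patched_versions)
  cursor = Gem::Version.new("0")
  events = []
  patched_versions.map { |r| patched_interval(r) }.sort_by(&:first).each do |lo, hi|
    events << { "introduced" => cursor.to_s } << { "fixed" => lo.to_s } if lo > cursor
    return events if hi.nil?               # everything above lo is patched
    cursor = hi if hi > cursor
  end
  events << { "introduced" => cursor.to_s } # nothing patched beyond the last series
end

def to_osv(advisory)
  {
    "schema_version" => "1.4.0",
    "id" => "CVE-#{advisory["cve"]}", # assumes the cve field is stored without its prefix
    "modified" => "#{advisory["date"]}T00:00:00Z",
    "summary" => advisory["title"],
    "references" => [{ "type" => "WEB", "url" => advisory["url"] }],
    "affected" => [{
      "package" => { "ecosystem" => RUBY_ECOSYSTEM, "name" => advisory.fetch("engine", "ruby") },
      "ranges" => [{ "type" => "ECOSYSTEM", "events" => affected_events(Array(advisory["patched_versions"])) }],
    }],
  }
end

# Evaluate the ECOSYSTEM events against a version the way OSV matchers do:
# in order, an "introduced" at or below the version turns affected on and a
# "fixed" at or below it turns it off again.
def affected?(osv, version)
  v = Gem::Version.new(version)
  osv["affected"].any? do |a|
    a["ranges"].any? do |range|
      affected = false
      range["events"].each do |e|
        affected = true if e["introduced"] && v >= Gem::Version.new(e["introduced"])
        affected = false if e["fixed"] && v >= Gem::Version.new(e["fixed"])
      end
      affected
    end
  end
end

if $PROGRAM_NAME == __FILE__
  osv = to_osv(YAML.safe_load(SAMPLE_ADVISORY_YAML, permitted_classes: [Date]))
  puts JSON.pretty_generate(osv)
  engine, version = ruby_version_from_lockfile(SAMPLE_GEMFILE_LOCK)
  puts "#{engine} #{version}: #{affected?(osv, version) ? 'affected' : 'not affected'}"
end
```

The part worth copying is affected_events: ruby-advisory-db lists patched versions per release series, while OSV wants affected ranges, so the script takes the complement of the patched intervals instead of mapping each requirement to a range on its own (which would let ">= 3.2.2" swallow the already-patched 3.0.x and 3.1.x releases). Written out as one JSON file per advisory, the output can serve as the custom database G-Rath describes; the exact CSV row shape osv-detector expects for the Ruby version is something to check against its README rather than assume from this example.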

@jasnow (Author) commented Mar 26, 2023

Also found a few GHSA advisories that were just Ruby application code and pointed to a specific repo to demo it.

@jasnow (Author) commented Mar 27, 2023

Duplicated issue on osv-schema repo: ossf/osv-schema#123

@jasnow (Author) commented Mar 29, 2023

Moved this issue to the osv-schema repo: ossf/osv-schema#123

@jasnow jasnow closed this as completed Mar 29, 2023