Add support for editing of Ruby language (non-RubyGem) advisories in GHSA database #123
Comments
jasnow
changed the title
|
Another reason to do this addition is to support the "Security advisories • Enabled |
jasnow
changed the title
|
Hey @jasnow, thanks for reaching out! Adding a "Rubies" ecosystem certainly is an option, but there's a complexity there in that we have to define the set of valid versions for these. However one of the key motivations for the OSV schema here is ensuring consistency in formatting, while avoiding building a custom registry where we can (instead deferring to existing open source ecosystems). I also proposed a more generic approach in #94 (comment): thoughts on this as a more general approach that will generalise to all programs? |
|
Another alternative is just leveraging the existing GIT metadata fields for identifying these, since it can be hard to define consistent rules for version numbers and naming. e.g. GSD already does this for the Linux kernel: Would that work for the ruby cases here? |
|
More examples here from OSS-Fuzz: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mruby/OSV-2020-744.yaml (Note the "package" field is completely optional, despite these examples having them). id: OSV-2020-744
summary: Heap-double-free in mrb_default_allocf
details: ...
modified: '2022-04-13T03:04:39.780694Z'
published: '2020-07-04T00:00:01.948828Z'
references:
- type: REPORT
url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23801
affected:
ranges:
- type: GIT
repo: https://github.com/mruby/mruby
events:
- introduced: 9cdf439db52b66447b4e37c61179d54fad6c8f33
- fixed: 97319697c8f9f6ff27b32589947e1918e3015503
versions:
- 2.1.2
- 2.1.2-rc
- 2.1.2-rc2
ecosystem_specific:
severity: HIGH |
|
I wonder if @reedloden or @postmodern would have any thoughts on the best way to identify Ruby binaries? |
|
The focus of this specific issue is no one can currently edit the "unreviewed" non-RubyGems advisories Here is my first try to ask for GHSA to help me help them. |
Is there any linkage to a CVE number for these records? |
My guess at an answer would be: More details at: https://github.com/rubysec/ruby-advisory-db/blob/master/lib/github_advisory_sync.rb |
|
@joshbuker From reading the original issue, I feel like "Ecosystem" is being used to describe things such as npmjs.com and rubygems.org. Software such as ruby, mruby, jruby, rbenv, etc, should be considered standalone pieces of software that can be installed directly or via
|
|
This also relates to what is our upstream policy? CloudSecurityAlliance/gsd-tools#178 E.g. should we extend the list of ecosystems to provide better coverage, ideally getting it into OSV, but forking it if needed? |
This is a good point; Ecosystem is more for avoiding namespace issues than anything else. Is there a way we could represent what ruby-advisory-database does with its custom schema in OSV? Ideally, in a way that scales for other ecosystem equivalents as well. Perhaps an Ecosystem of Mostly thinking aloud. |
|
So my understanding of Ecosystem is that it is used to separate namespaces (e.g. npm and Wordpress and perl all have packages called "Security" and so on). So "Binary" doesn't adequately represent something, e.g. it's just a name, or? Some things that are unique, AND meta (including many different things): DNS - put primary domain for that thing, e.g. "ruby-lang.org" |
|
Indeed -- we are defining namespaces here, ideally delegating to existing well defined namespaces where possible. We've picked canonical ecosystems for these where possible to avoid overlap and inconsistencies. We have shied away from catchalls like "generic", "standalone", "binary", because they're impossible to guarantee consistency for. e.g. is it "node", or "Node", or "node.js", or "Node.js" or some other variation? For this issue specifically, I think there are two main things to unpack:
|
|
Using a URI to identify these seems reasonably sane and avoids the consistency issue. Should this live exclusively in the ranges, or should it be replicated to the package as an alternative to the name/ecosystem combo? I could see it being worth doing that just so it's explicit and easier to parse if you're looking for the package to identify whether you care about an ID without needing to enumerate the ranges as well. It also solves the problem of "did you forget?" - either you have name/ecosystem, OR you have uri. Also avoids the issue where you know what's affected but might not know any version ranges yet. Using the above example: id: OSV-2020-744
summary: Heap-double-free in mrb_default_allocf
details: ...
modified: '2022-04-13T03:04:39.780694Z'
published: '2020-07-04T00:00:01.948828Z'
references:
- type: REPORT
url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23801
affected:
package:
uri: https://github.com/mruby/mruby
ranges:
- type: GIT
repo: https://github.com/mruby/mruby
events:
- introduced: 9cdf439db52b66447b4e37c61179d54fad6c8f33
- fixed: 97319697c8f9f6ff27b32589947e1918e3015503
versions:
- 2.1.2
- 2.1.2-rc
- 2.1.2-rc2
ecosystem_specific:
severity: HIGH |
jasnow
changed the title
Also CVSS_V# field is missing. |
To be clear that is not our data. You'll want to talk to upstream, this data is originally from https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mruby/OSV-2020-744.yaml and you can file issues there. As per our discussion CloudSecurityAlliance/gsd-tools#178 the GSD is basically going with "upstream first" so please try to work with them, if it fails then we can talk about modifying/updating the data on our end as needed. |
The issue is identifying an appropriate ecosystem I think. Doing a source rather than package based ecosystem could certainly be an interesting thing to explore (git/vcs/whatever), but a complication I'd like to bring up is that build systems can affect any given vulnerability in a deployed binary. ex. CVE-2021-3177 for the python runtime which leads to a crash on redhat releases and to remote code execution on debian. @jasnow and I discussed some of this over here github/advisory-database#1796 and tl;dr we do not have the capacity to handle this sort of request. |
Actually this is wrong, it should be: URL - a URL that identifies this project, e.g. ruby-lang.org, https://ruby-lang.org, https://github.com/ruby/ruby this is not ideal as it requires mapping and normalization in the long term, but at least it lets us map things and provide the data which is better than no entry at all. |
|
Just received this: |
|
Here's the release of the new Ruby parser: https://github.com/Shopify/ruby-lsp |
jasnow
changed the title
|
This issue is not progressing so I am going to close it. |
Add support for editing of Ruby language (non-RubyGem) advisories in GHSA database.
I tried to add missing information to some of them lately and was blocked
by not having an "ECOSYSTEM" value for them.
I propose something similar to "Ruby Languages" or "Rubies" be added
as a possible "ECOSYSTEM" value.
The "PACKAGE" value could be ["ruby-lang", "jruby", "mruby", "rbx/rubinius", "truffleruby", etc].
A good reference for other possible "PACKAGE" values at https://github.com/codicoscepticos/ruby-implementations
Thanks.
The text was updated successfully, but these errors were encountered: