aboutcode-org
diff --git a/‎vulnerabilities/pipelines/v2_importers/ruby_importer.py‎
Lines changed: 75 additions & 61 deletions b/‎vulnerabilities/pipelines/v2_importers/ruby_importer.py‎
Lines changed: 75 additions & 61 deletions
diff --git a/‎vulnerabilities/tests/pipelines/v2_importers/test_ruby_importer_v2.py‎
Lines changed: 39 additions & 0 deletions b/‎vulnerabilities/tests/pipelines/v2_importers/test_ruby_importer_v2.py‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎vulnerabilities/tests/test_data/ruby-v2/gems/CVE-2020-5257-expected.json‎
Lines changed: 38 additions & 0 deletions b/‎vulnerabilities/tests/test_data/ruby-v2/gems/CVE-2020-5257-expected.json‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎vulnerabilities/tests/test_data/ruby-v2/gems/CVE-2020-5257.yml‎
Lines changed: 24 additions & 0 deletions b/‎vulnerabilities/tests/test_data/ruby-v2/gems/CVE-2020-5257.yml‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎vulnerabilities/tests/test_data/ruby-v2/gems/CVE-2024-6531-expected.json‎
Lines changed: 52 additions & 0 deletions b/‎vulnerabilities/tests/test_data/ruby-v2/gems/CVE-2024-6531-expected.json‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎vulnerabilities/tests/test_data/ruby-v2/gems/CVE-2024-6531.yml‎
Lines changed: 24 additions & 0 deletions b/‎vulnerabilities/tests/test_data/ruby-v2/gems/CVE-2024-6531.yml‎
Lines changed: 24 additions & 0 deletions
@@ -16,8 +16,10 @@
 from packageurl import PackageURL
 from pytz import UTC
 from univers.version_range import GemVersionRange
+from univers.version_range import InvalidVersionRange
 
-from vulnerabilities.importer import AdvisoryData, AffectedPackageV2
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import AffectedPackageV2
 from vulnerabilities.importer import ReferenceV2
 from vulnerabilities.importer import VulnerabilitySeverity
 from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
@@ -68,24 +70,30 @@ def clone(self):
         self.vcs_response = fetch_via_vcs(self.repo_url)
 
     def advisories_count(self):
-        return 10
+        base_path = Path(self.vcs_response.dest_dir)
+        return sum(1 for _ in base_path.rglob("*.yml"))
 
     def collect_advisories(self) -> Iterable[AdvisoryData]:
         base_path = Path(self.vcs_response.dest_dir)
-        supported_subdir = ["rubies", "gems"]
-        for subdir in supported_subdir:
-            for file_path in base_path.glob(f"{subdir}/**/*.yml"):
-                if file_path.name.startswith("OSVDB-"):
-                    continue
-
-                raw_data = load_yaml(file_path)
-                advisory_id = file_path.stem
-                advisory_url = get_advisory_url(
-                    file=file_path,
-                    base_path=base_path,
-                    url="https://github.com/rubysec/ruby-advisory-db/blob/master/",
-                )
-                yield parse_ruby_advisory(advisory_id, raw_data, subdir, advisory_url)
+        for file_path in base_path.rglob("*.yml"):
+            if file_path.name.startswith("OSVDB-"):
+                continue
+
+            if "gems" in file_path.parts:
+                subdir = "gems"
+            elif "rubies" in file_path.parts:
+                subdir = "rubies"
+            else:
+                continue
+
+            raw_data = load_yaml(file_path)
+            advisory_id = file_path.stem
+            advisory_url = get_advisory_url(
+                file=file_path,
+                base_path=base_path,
+                url="https://github.com/rubysec/ruby-advisory-db/blob/master/",
+            )
+            yield parse_ruby_advisory(advisory_id, raw_data, subdir, advisory_url)
 
     def clean_downloads(self):
         if self.vcs_response:
@@ -107,36 +115,37 @@ def parse_ruby_advisory(advisory_id, record, schema_type, advisory_url):
 
         if not package_name:
             logger.error("Invalid package name")
-        else:
-            purl = PackageURL(type="gem", name=package_name)
-
-            return AdvisoryData(
-                advisory_id=advisory_id,
-                aliases=get_aliases(record),
-                summary=get_summary(record),
-                affected_packages=get_affected_packages(record, purl),
-                references=get_references(record),
-                severities=get_severities(record),
-                date_published=get_publish_time(record),
-                url=advisory_url,
-            )
+            return
+
+        purl = PackageURL(type="gem", name=package_name)
+        return AdvisoryData(
+            advisory_id=advisory_id,
+            aliases=get_aliases(record),
+            summary=get_summary(record),
+            affected_packages=get_affected_packages(record, purl),
+            references=get_references(record),
+            severities=get_severities(record),
+            date_published=get_publish_time(record),
+            url=advisory_url,
+        )
 
     elif schema_type == "rubies":
         engine = record.get("engine")  # engine enum: [jruby, rbx, ruby]
         if not engine:
             logger.error("Invalid engine name")
-        else:
-            purl = PackageURL(type="ruby", name=engine)
-            return AdvisoryData(
-                advisory_id=advisory_id,
-                aliases=get_aliases(record),
-                summary=get_summary(record),
-                affected_packages=get_affected_packages(record, purl),
-                severities=get_severities(record),
-                references=get_references(record),
-                date_published=get_publish_time(record),
-                url=advisory_url,
-            )
+            return
+
+        purl = PackageURL(type="ruby", name=engine)
+        return AdvisoryData(
+            advisory_id=advisory_id,
+            aliases=get_aliases(record),
+            summary=get_summary(record),
+            affected_packages=get_affected_packages(record, purl),
+            severities=get_severities(record),
+            references=get_references(record),
+            date_published=get_publish_time(record),
+            url=advisory_url,
+        )
 
 
 def get_affected_packages(record, purl):
@@ -145,27 +154,32 @@ def get_affected_packages(record, purl):
     ( patched_versions , unaffected_versions ) then passing the purl and the inverted safe_version_range
     to the AffectedPackage object
     """
-    safe_version_ranges = record.get("patched_versions", [])
-    # this case happens when the advisory contain only 'patched_versions' field
-    # and it has value None(i.e it is empty :( ).
-    if not safe_version_ranges:
-        safe_version_ranges = []
-    safe_version_ranges += record.get("unaffected_versions", [])
-    safe_version_ranges = [i for i in safe_version_ranges if i]
-
     affected_packages = []
-    affected_version_ranges = [
-        GemVersionRange.from_native(elem).invert() for elem in safe_version_ranges
-    ]
-
-    for affected_version_range in affected_version_ranges:
-        affected_packages.append(
-            AffectedPackageV2(
-                package=purl,
-                affected_version_range=affected_version_range,
-                fixed_version_range=None
+    for unaffected_version in record.get("unaffected_versions", []):
+        try:
+            affected_version_range = GemVersionRange.from_native(unaffected_version).invert()
+            affected_packages.append(
+                AffectedPackageV2(
+                    package=purl,
+                    affected_version_range=affected_version_range,
+                    fixed_version_range=None,
+                )
             )
-        )
+        except InvalidVersionRange as e:
+            logger.error(f"InvalidVersionRange {e}")
+
+    for patched_version in record.get("patched_versions", []):
+        try:
+            fixed_version_range = GemVersionRange.from_native(patched_version)
+            affected_packages.append(
+                AffectedPackageV2(
+                    package=purl,
+                    affected_version_range=None,
+                    fixed_version_range=fixed_version_range,
+                )
+            )
+        except InvalidVersionRange as e:
+            logger.error(f"InvalidVersionRange {e}")
     return affected_packages
 
 
@@ -205,7 +219,7 @@ def get_severities(record):
 
     cvss_v3 = record.get("cvss_v3")
     if cvss_v3:
-        severities.append(VulnerabilitySeverity(system=CVSSV3, value=cvss_v4))
+        severities.append(VulnerabilitySeverity(system=CVSSV3, value=cvss_v3))
 
     cvss_v2 = record.get("cvss_v2")
     if cvss_v2:
 
@@ -0,0 +1,39 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+from pathlib import Path
+from unittest.mock import Mock
+from unittest.mock import patch
+
+import pytest
+
+from vulnerabilities.pipelines.v2_importers.ruby_importer import RubyImporterPipeline
+from vulnerabilities.tests import util_tests
+
+TEST_DATA = Path(__file__).parent.parent.parent / "test_data" / "ruby-v2"
+
+TEST_CVE_FILES = [
+    TEST_DATA / "gems/CVE-2020-5257.yml",
+    TEST_DATA / "gems/CVE-2024-6531.yml",
+    TEST_DATA / "rubies/CVE-2011-2686.yml",
+    TEST_DATA / "rubies/CVE-2022-25857.yml",
+]
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize("yml_file", TEST_CVE_FILES)
+def test_ruby_advisories_per_file(yml_file):
+    pipeline = RubyImporterPipeline()
+    pipeline.vcs_response = Mock(dest_dir=TEST_DATA)
+
+    with patch.object(Path, "rglob", return_value=[yml_file]):
+        result = [adv.to_dict() for adv in pipeline.collect_advisories()]
+
+    expected_file = yml_file.with_name(yml_file.stem + "-expected.json")
+    util_tests.check_results_against_json(result, expected_file)
@@ -0,0 +1,38 @@
+[
+  {
+    "advisory_id": "CVE-2020-5257",
+    "aliases": [
+      "CVE-2020-5257",
+      "GHSA-2p5p-m353-833w"
+    ],
+    "summary": "Sort order SQL injection via `direction` parameter in administrate\nIn Administrate (rubygem) before version 0.13.0, when sorting by attributes\non a dashboard, the direction parameter was not validated before being\ninterpolated into the SQL query.\n\nThis could present a SQL injection if the attacker were able to modify the\ndirection parameter and bypass ActiveRecord SQL protections.\n\nWhilst this does have a high-impact, to exploit this you need access to the\nAdministrate dashboards, which should generally be behind authentication.",
+    "affected_packages": [
+      {
+        "package": {
+          "type": "gem",
+          "namespace": "",
+          "name": "administrate",
+          "version": "",
+          "qualifiers": "",
+          "subpath": ""
+        },
+        "affected_version_range": null,
+        "fixed_version_range": "vers:gem/>=0.13.0",
+        "introduced_by_commit_patches": [],
+        "fixed_by_commit_patches": []
+      }
+    ],
+    "references_v2": [],
+    "patches": [],
+    "severities": [
+      {
+        "system": "cvssv3",
+        "value": "7.7",
+        "scoring_elements": ""
+      }
+    ],
+    "date_published": "2020-03-14T00:00:00+00:00",
+    "weaknesses": [],
+    "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/CVE-2020-5257.yml"
+  }
+]
@@ -0,0 +1,24 @@
+---
+gem: administrate
+cve: 2020-5257
+ghsa: 2p5p-m353-833w
+title: Sort order SQL injection via `direction` parameter in administrate
+date: 2020-03-14
+url: https://github.com/advisories/GHSA-2p5p-m353-833w
+description: |
+  In Administrate (rubygem) before version 0.13.0, when sorting by attributes
+  on a dashboard, the direction parameter was not validated before being
+  interpolated into the SQL query.
+
+  This could present a SQL injection if the attacker were able to modify the
+  direction parameter and bypass ActiveRecord SQL protections.
+
+  Whilst this does have a high-impact, to exploit this you need access to the
+  Administrate dashboards, which should generally be behind authentication.
+cvss_v3: 7.7
+patched_versions:
+  - ">= 0.13.0"
+
+related:
+  url:
+    - https://github.com/thoughtbot/administrate/commit/3ab838b83c5f565fba50e0c6f66fe4517f98eed3
@@ -0,0 +1,52 @@
+[
+  {
+    "advisory_id": "CVE-2024-6531",
+    "aliases": [
+      "CVE-2024-6531",
+      "GHSA-vc8w-jr9v-vj7f"
+    ],
+    "summary": "Bootstrap Cross-Site Scripting (XSS) vulnerability\nA vulnerability has been identified in Bootstrap that exposes users\nto Cross-Site Scripting (XSS) attacks. The issue is present in the\ncarousel component, where the data-slide and data-slide-to attributes\ncan be exploited through the href attribute of an <a> tag due to\ninadequate sanitization. This vulnerability could potentially enable\nattackers to execute arbitrary JavaScript within the victim's browser.",
+    "affected_packages": [
+      {
+        "package": {
+          "type": "gem",
+          "namespace": "",
+          "name": "bootstrap",
+          "version": "",
+          "qualifiers": "",
+          "subpath": ""
+        },
+        "affected_version_range": "vers:gem/>=4.0.0",
+        "fixed_version_range": null,
+        "introduced_by_commit_patches": [],
+        "fixed_by_commit_patches": []
+      },
+      {
+        "package": {
+          "type": "gem",
+          "namespace": "",
+          "name": "bootstrap",
+          "version": "",
+          "qualifiers": "",
+          "subpath": ""
+        },
+        "affected_version_range": null,
+        "fixed_version_range": "vers:gem/>4.6.2",
+        "introduced_by_commit_patches": [],
+        "fixed_by_commit_patches": []
+      }
+    ],
+    "references_v2": [],
+    "patches": [],
+    "severities": [
+      {
+        "system": "cvssv3",
+        "value": "6.4",
+        "scoring_elements": ""
+      }
+    ],
+    "date_published": "2024-07-11T00:00:00+00:00",
+    "weaknesses": [],
+    "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/CVE-2024-6531.yml"
+  }
+]
@@ -0,0 +1,24 @@
+---
+gem: bootstrap
+cve: 2024-6531
+ghsa: vc8w-jr9v-vj7f
+url: https://github.com/advisories/GHSA-vc8w-jr9v-vj7f
+title: Bootstrap Cross-Site Scripting (XSS) vulnerability
+date: 2024-07-11
+description: |
+  A vulnerability has been identified in Bootstrap that exposes users
+  to Cross-Site Scripting (XSS) attacks. The issue is present in the
+  carousel component, where the data-slide and data-slide-to attributes
+  can be exploited through the href attribute of an <a> tag due to
+  inadequate sanitization. This vulnerability could potentially enable
+  attackers to execute arbitrary JavaScript within the victim's browser.
+cvss_v3: 6.4
+unaffected_versions:
+  - "< 4.0.0"
+patched_versions:
+  - "> 4.6.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-6531
+    - https://www.herodevs.com/vulnerability-directory/cve-2024-6531
+    - https://github.com/advisories/GHSA-vc8w-jr9v-vj7f