class YAVDB::Sources::RubyAdvisory::Client

Constants

PACKAGE_MANAGER
REPOSITORY_URL

Public Class Methods

advisories()
# File lib/yavdb/sources/ruby_advisory.rb, line 31
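# Fetches the upstream ruby-advisory-db checkout and turns every
# gems/**/*.yml file it contains into a YAVDB::Advisory.
#
# @return [Array<YAVDB::Advisory>] one advisory per YAML file found
#
# Security: the YAML documents come from a third-party git repository, so they
# are untrusted input. They are parsed with YAML.safe_load rather than
# YAML.load_file because the unrestricted loader (Psych < 4) instantiates
# arbitrary Ruby objects from tagged nodes, which lets a tampered checkout run
# code inside this process. The advisory schema's only non-core scalar is the
# `date:` field, which Psych decodes as Date, hence `permitted_classes: [Date]`;
# extend that list (never fall back to YAML.load) if upstream adds new types.
# On Psych 4 (Ruby 3.1+) YAML.load_file is already safe but would reject the
# Date scalar, so this explicit form is also the forward-compatible one.
def self.advisories
  YAVDB::SourceTypes::GitRepo.search('gems/**/*.yml', REPOSITORY_URL).map do |repo_path, file_paths|
    # NOTE(review): the chdir suggests file_paths are relative to repo_path --
    # confirm against GitRepo.search before changing this.
    Dir.chdir(repo_path) do
      file_paths.map do |file_path|
        advisory_hash = YAML.safe_load(File.read(file_path),
                                       permitted_classes: [Date],
                                       filename: file_path)
        create(file_path, advisory_hash)
      end
    end
  end.flatten
end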

Private Class Methods

clean_version(versions)
# File lib/yavdb/sources/ruby_advisory.rb, line 86
# Normalises a list of version constraints by replacing every comma with a
# space (e.g. ">= 1.0, < 2.0" becomes ">= 1.0  < 2.0").
#
# @param versions [Array<String>, nil] version constraints as found in the advisory YAML
# @return [Array<String>, nil] the rewritten constraints, or nil when +versions+ is nil
def clean_version(versions)
  return nil if versions.nil?

  versions.map do |constraint|
    constraint.tr(',', ' ')
  end
end
create(file_path, advisory_hash)
# File lib/yavdb/sources/ruby_advisory.rb, line 46
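# Builds a YAVDB::Advisory from one parsed ruby-advisory-db YAML document.
#
# @param file_path [String] path of the advisory file; its basename without
#   the .yml extension becomes the last component of the advisory id
# @param advisory_hash [Hash] the parsed YAML document, string-keyed
# @return [YAVDB::Advisory]
# @raise [ArgumentError] from Date.strptime when 'date' is absent or not YYYY-MM-DD
#
# Every value is copied from third-party data as-is (title, description, url,
# osvdb, CVSS scores, version lists); consumers must treat them as untrusted text.
def create(file_path, advisory_hash)
  date                = Date.strptime(advisory_hash['date'].to_s, '%Y-%m-%d')
  severity            = severity(advisory_hash['cvss_v2'], advisory_hash['cvss_v3'])
  # The YAML carries the bare CVE number; the "CVE-" prefix is added here.
  cve                 = advisory_hash['cve'] && "CVE-#{advisory_hash['cve']}"
  references          = references(advisory_hash)
  filename            = File.basename(file_path, '.yml')
  # An advisory that names neither unaffected nor patched versions is recorded
  # as affecting every version ('*'); otherwise the vulnerable range is left nil.
  vulnerable_versions = if advisory_hash['unaffected_versions'] || advisory_hash['patched_versions']
                          nil
                        else
                          ['*']
                        end

  # Per-advisory id: package manager, gem name and the advisory file's basename.
  # The rendered listing showed this interpolation garbled as "#(unknown)",
  # which would give every advisory of a gem the same id; `filename` is computed
  # above for exactly this purpose.
  vuln_id = "rubyadvisory:rubygems:#{advisory_hash['gem']}:#{filename}"

  YAVDB::Advisory.new(
    vuln_id,
    advisory_hash['title'],
    advisory_hash['description'],
    advisory_hash['gem'],
    clean_version(vulnerable_versions),
    clean_version(advisory_hash['unaffected_versions']),
    clean_version(advisory_hash['patched_versions']),
    severity,
    PACKAGE_MANAGER,
    cve && [cve],
    nil, #:cwe
    advisory_hash['osvdb'],
    nil, #:cvss_v2_vector
    advisory_hash['cvss_v2'],
    nil, #:cvss_v3_vector
    advisory_hash['cvss_v3'],
    date, # created
    date, # updated
    date, # published -- the YAML carries a single date, reused for all three
    ['Rubysec'],
    references,
    advisory_hash['url']
  )
end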
references(advisory_hash)
# File lib/yavdb/sources/ruby_advisory.rb, line 90
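# Collects reference URLs for an advisory: the advisory database itself first,
# followed by any URLs listed under the YAML's related.url key.
#
# @param advisory_hash [Hash] parsed advisory document
# @return [Array<String>] REPOSITORY_URL, then the related URLs (possibly none)
#
# `Array()` accepts a missing key, a single string or a list; the previous
# `concat` raised TypeError when related.url was a scalar string.
def references(advisory_hash)
  related = advisory_hash['related']
  related_urls = related ? Array(related['url']) : []
  [REPOSITORY_URL].concat(related_urls)
end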
severity(cvss_v2_score, cvss_v3_score)
# File lib/yavdb/sources/ruby_advisory.rb, line 100
# Picks the severity band from whichever CVSS score is present, preferring v3.
#
# @param cvss_v2_score [Numeric, nil] CVSS v2 base score
# @param cvss_v3_score [Numeric, nil] CVSS v3 base score
# @return [String, nil] result of severity_level, or nil when neither score is present
def severity(cvss_v2_score, cvss_v3_score)
  score = cvss_v3_score || cvss_v2_score
  return nil unless score

  severity_level(score)
end
severity_level(cvss_score)
# File lib/yavdb/sources/ruby_advisory.rb, line 108
# Maps a CVSS base score onto the coarse bands used by YAVDB.
#
# NOTE(review): the cut-offs (3.3 / 6.6) are this project's own thirds of the
# 0-10 scale, not the CVSS v3 qualitative ratings (low < 4.0, medium < 7.0,
# high < 9.0, critical >= 9.0); keep that in mind when comparing with NVD.
# Exactly 3.3 is 'low' (the first matching range wins); anything the two
# ranges do not cover -- above 6.6, negative, or not a number -- is 'high'.
#
# @param cvss_score [Numeric] CVSS v2 or v3 base score
# @return [String] 'low', 'medium' or 'high'
def severity_level(cvss_score)
  bands = [
    [0.0..3.3, 'low'],
    [3.3..6.6, 'medium']
  ]
  matched = bands.find { |range, _label| range === cvss_score }
  matched ? matched.last : 'high'
end