WIP: Local ruby-advisory-db conventions

[jasnow]

Local advisory conventions that @postmodern and I (@jasnow) have used in the past and are not checked by "yamllint" or "rake" run.

5/12/2026

• The first step before submitting PRs is to run "yamllint" on the YAML files then run "rake". Both commands should find no issues. More info regarding yamllint HERE.
• See PR Changed 'indent-sequences:' from "consistent" to "true" in .ymllint.yml file. Fixed affected advisories. #1022 regarding checking for correct YAML field indentation.
• Field related:/url: is 4 blanks from left margin.
• Field patched_versions and unaffected_versions are 2 blanks from left margin.
• Postmodern likes:
  • Change "|-" to "|" on description: line.
  • Line wrap descriptions: and title: field at 80. (See CONTRIBUTING.md). @jasnow usually uses 75 because of the 2-char field indent.

5/13/2025

• Postmodern likes:
  • Not use "\n" in description: field.
  • No "POC" in description: field. They will be flagged during rake run and removed during harvesting.
• ruby YAML does not like embedded ":" characters.
• Check all URLs for dead links. Sometimes find the URL https://web.archive.org .
• Suggest adding project-related evidence as references to prove the patch, such as
  • CHANGELOGs, Release Notes, project blog posts.

5/15/2026

• Postmodern wanted the advisory filename prefix to be named: 1st choice: CVE, then GHSA, then OSVDB.

5/23/2026

• Regarding the PR reviews yesterday:
  • I (@jasnow) usually collects all of the necessary URLs and put them in the related: / url field
    then pick one the above URL that is an advisory to use in the url: field. Never thought of it as
    duplicates and @postmodern never asked for the duplicate to be removed.
  • I found dependabot being used in 2023 but it stopped at some point. Also .gitignore file
    contains Gemfile.lock file so @postmodern did not work gem upgrade PRs.

MORE TO COME