From a51e086f4971d85f82511b103f50e30abb381a4e Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Sun, 24 May 2026 16:37:28 -0400 Subject: [PATCH 1/5] Moved CONTRIBUTING.md into README.md file --- CONTRIBUTING.md | 16 ---------------- README.md | 14 ++++++++++++++ 2 files changed, 14 insertions(+), 16 deletions(-) delete mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index 72681b560e..0000000000 --- a/CONTRIBUTING.md +++ /dev/null @@ -1,16 +0,0 @@ -# Contributing Guidelines - -* Try to keep all text within 80 columns. -* YAML must be indented by 2 spaces. -* `title:` must be a single sentence/line. -* `description: |` must contain more than one sentence/line. -* `patched_versions`/`unaffected_versions` version ranges must be quoted - (ex: `">= 1.2.3"`). -* Please see the [README](README.md#schema) for more documentation on the - YAML Schema. -* Prior to submitting a pull request, run the tests: - -``` -bundle install -bundle exec rspec -``` diff --git a/README.md b/README.md index 686cde3e10..bc8f873bec 100644 --- a/README.md +++ b/README.md @@ -130,6 +130,7 @@ patched_versions: * `title` \[String\] (required): The title of the advisory or individual vulnerability. It must be a single line sentence. * `date` \[Date\] (required): The public disclosure date of the advisory. * `description` \[String\] (required): One or more paragraphs describing the vulnerability. It may contain multiple paragraphs. + * Used `description: |` if it is more than one sentence/line. * `cvss_v2` \[Float\] (optional): The [CVSSv2] score for the vulnerability. * `cvss_v3` \[Float\] (optional): The [CVSSv3] score for the vulnerability. * `cvss_v4` \[Float\] (optional): The [CVSSv4] score for the vulnerability. 
@@ -137,6 +138,7 @@ patched_versions: unaffected versions of the Ruby library. * `patched_versions` \[Array\\] (optional): The version requirements for the patched versions of the Ruby library. + * `patched_versions`/`unaffected_versions` version ranges must be quoted (ex: `">= 1.2.3"`). * `related` \[Hash\\>\] (optional): Sometimes an advisory references many urls and other identifiers. Supported keys: `cve`, `ghsa`, `osvdb`, and `url` * `notes` \[String\] (optional): Internal notes regarding the vulnerability's inclusion in this database. @@ -151,6 +153,7 @@ patched_versions: * `title` \[String\] (required): The title of the advisory or individual vulnerability. It must be a single line sentence. * `date` \[Date\] (required): The public disclosure date of the advisory. * `description` \[String\] (required): One or more paragraphs describing the vulnerability. It may contain multiple paragraphs. + * Used `description: |` if it is more than one sentence/line. * `cvss_v2` \[Float\] (optional): The [CVSSv2] score for the vulnerability. * `cvss_v3` \[Float\] (optional): The [CVSSv3] score for the vulnerability. * `cvss_v4` \[Float\] (optional): The [CVSSv4] score for the vulnerability. 
@@ -158,9 +161,20 @@ patched_versions: unaffected versions of the Ruby implementation. * `patched_versions` \[Array\\] (optional): The version requirements for the patched versions of the Ruby implementation. + * `patched_versions`/`unaffected_versions` version ranges must be quoted (ex: `">= 1.2.3"`). * `related` \[Hash\\>\] (optional): Sometimes an advisory references many urls and other identifiers. Supported keys: `cve`, `ghsa`, `osvdb`, and `url` * `notes` \[String\] (optional): Internal notes regarding the vulnerability's inclusion in this database. +# General Contributing Guidelines + + * Try to keep all text within 80 columns. + + * Run yamlint [`yamllint` tool](https://yamllint.readthedocs.io/en/stable/quickstart.html] to check yaml format. + * YAML must be indented by 2 spaces. + * For more info: https://pypi.org/project/yamllint + + * Please see the [README](README.md#schema) for more documentation on the YAML Schema. + ## Tests Prior to submitting a pull request, run the tests: From a4fedb408e1639c2eaba579abf82df8670b4d4b4 Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Sun, 24 May 2026 18:46:23 -0400 Subject: [PATCH 2/5] Add issue #1045 conventions --- README.md | 96 +++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 68 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index bc8f873bec..5497f24b40 100644 --- a/README.md +++ b/README.md 
@@ -103,9 +103,15 @@ url: https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-fl title: Buffer overrun in String-to-Float conversion date: 2022-04-12 description: | - A buffer-overrun vulnerability is discovered in a conversion algorithm from a String to a Float. This vulnerability has been assigned the CVE identifier CVE-2022-28739. We strongly recommend upgrading Ruby. + A buffer-overrun vulnerability is discovered in a conversion algorithm from a + String to a Float. This vulnerability has been assigned the CVE identifier + CVE-2022-28739. We strongly recommend upgrading Ruby. - Due to a bug in an internal function that converts a String to a Float, some convertion methods like Kernel#Float and String#to_f could cause buffer over-read. A typical consequence is a process termination due to segmentation fault, but in a limited circumstances, it may be exploitable for illegal memory read. + Due to a bug in an internal function that converts a String to a Float, some + convertion methods like Kernel#Float and String#to_f could cause buffer + over-read. A typical consequence is a process termination due to segmentation + fault, but in a limited circumstances, it may be exploitable for illegal + memory read. Please update Ruby to 2.6.10, 2.7.6, 3.0.4, or 3.1.2. patched_versions: 
@@ -120,59 +126,93 @@ patched_versions: ### `gems` * `gem` \[String\] (required): Name of the affected gem. -* `library` \[String\] (optional): Name of the ruby library which the affected gem belongs to. -* `framework` \[String\] (optional): Name of the framework which the affected gem belongs to. (e.g. rails) -* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. jruby) +* `library` \[String\] (optional): Name of the ruby library which the + affected gem belongs to. +* `framework` \[String\] (optional): Name of the framework which the + affected gem belongs to. (e.g. rails) +* `platform` \[String\] (optional): If this vulnerability is platform-specific, + name of platform this vulnerability affects (e.g. jruby) * `cve` \[String\] (optional): Common Vulnerabilities and Exposures (CVE) ID. * `osvdb` \[Integer\] (optional): Open Sourced Vulnerability Database (OSVDB) ID. * `ghsa` \[String\] (optional): GitHub Security Advisory (GHSA) ID. * `url` \[String\] (required): The URL to the full advisory. -* `title` \[String\] (required): The title of the advisory or individual vulnerability. It must be a single line sentence. +* `title` \[String\] (required): The title of the advisory or individual + vulnerability. It must be a single line sentence. + * Line wrap `title:` field at 80. * `date` \[Date\] (required): The public disclosure date of the advisory. -* `description` \[String\] (required): One or more paragraphs describing the vulnerability. It may contain multiple paragraphs. +* `description` \[String\] (required): One or more paragraphs describing the + vulnerability. It may contain multiple paragraphs. * Used `description: |` if it is more than one sentence/line. + * Line wrap `descriptions:` field at 80. + * Do no include "POC" or "PoC" in `description:` field. + * Not use "\n" in `description:` field. * `cvss_v2` \[Float\] (optional): The [CVSSv2] score for the vulnerability. 
* `cvss_v3` \[Float\] (optional): The [CVSSv3] score for the vulnerability. * `cvss_v4` \[Float\] (optional): The [CVSSv4] score for the vulnerability. * `unaffected_versions` \[Array\\] (optional): The version requirements for the unaffected versions of the Ruby library. -* `patched_versions` \[Array\\] (optional): The version requirements for the - patched versions of the Ruby library. +* `patched_versions` \[Array\\] (optional): The version requirements + for the patched versions of the Ruby library. * `patched_versions`/`unaffected_versions` version ranges must be quoted (ex: `">= 1.2.3"`). -* `related` \[Hash\\>\] (optional): Sometimes an advisory references many urls and other identifiers. Supported keys: `cve`, `ghsa`, `osvdb`, and `url` -* `notes` \[String\] (optional): Internal notes regarding the vulnerability's inclusion in this database. + * Omit patched_versions: if you has no patched version identifiers. +* `related` \[Hash\\>\] (optional): Sometimes an advisory + references many urls and other identifiers. Supported keys: + `cve`, `ghsa`, `osvdb`, and `url` + * Field `related:/url:` is 4 blanks from left margin. +* `notes` \[String\] (optional): Internal notes regarding the vulnerability's + inclusion in this database. ### `rubies` -* `engine` \[`ruby` | `mruby` | `jruby` | `truffleruby`\] (required): Name of the affected Ruby implementation. -* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. jruby) +* `engine` \[`ruby` | `mruby` | `jruby` | `truffleruby`\] (required): Name + of the affected Ruby implementation. +* `platform` \[String\] (optional): If this vulnerability is platform-specific, + name of platform this vulnerability affects (e.g. jruby) * `cve` \[String\] (optional): Common Vulnerabilities and Exposures (CVE) ID. * `osvdb` \[Integer\] (optional): Open Sourced Vulnerability Database (OSVDB) ID. 
* `ghsa` \[String\] (optional): GitHub Security Advisory (GHSA) ID. * `url` \[String\] (required): The URL to the full advisory. -* `title` \[String\] (required): The title of the advisory or individual vulnerability. It must be a single line sentence. +* `title` \[String\] (required): The title of the advisory or individual + vulnerability. It must be a single line sentence. + * Line wrap `title:` field at 80. * `date` \[Date\] (required): The public disclosure date of the advisory. -* `description` \[String\] (required): One or more paragraphs describing the vulnerability. It may contain multiple paragraphs. - * Used `description: |` if it is more than one sentence/line. +* `description` \[String\] (required): One or more paragraphs describing the + vulnerability. It may contain multiple paragraphs. + * Used `description: |` (not `|-`) if it is more than one sentence/line. + * Line wrap `descriptions:` field at 80. + * Not use "\n" in `description:` field. + * Do no include "POC" or "PoC" in `description:` field. * `cvss_v2` \[Float\] (optional): The [CVSSv2] score for the vulnerability. * `cvss_v3` \[Float\] (optional): The [CVSSv3] score for the vulnerability. * `cvss_v4` \[Float\] (optional): The [CVSSv4] score for the vulnerability. -* `unaffected_versions` \[Array\\] (optional): The version requirements for the - unaffected versions of the Ruby implementation. -* `patched_versions` \[Array\\] (optional): The version requirements for the - patched versions of the Ruby implementation. - * `patched_versions`/`unaffected_versions` version ranges must be quoted (ex: `">= 1.2.3"`). -* `related` \[Hash\\>\] (optional): Sometimes an advisory references many urls and other identifiers. Supported keys: `cve`, `ghsa`, `osvdb`, and `url` -* `notes` \[String\] (optional): Internal notes regarding the vulnerability's inclusion in this database. 
+* `unaffected_versions` \[Array\\] (optional): The version requirements + for the unaffected versions of the Ruby implementation. + * Field `unaffected_versions` are 2 blanks from left margin. +* `patched_versions` \[Array\\] (optional): The version requirements + for the patched versions of the Ruby implementation. + * `patched_versions`/`unaffected_versions` version ranges must be quoted + (ex: `">= 1.2.3"`). + * Field `patched_versions`are 2 blanks from left margin. + * Omit patched_versions: if you has no patched version identifiers. +* `related` \[Hash\\>\] (optional): Sometimes an advisory + references many urls and other identifiers. Supported keys: + `cve`, `ghsa`, `osvdb`, and `url` + * Field `related:/url:` is 4 blanks from left margin. + * `notes` \[String\] (optional): Internal notes regarding the vulnerability's + inclusion in this database. # General Contributing Guidelines - + * Advisory filename prefix naming preferance is: + * 1st choice: CVE, then GHSA, then OSVDB. + * Advisory filename (without suffix) should be equal to root `url:` field value. * Try to keep all text within 80 columns. - - * Run yamlint [`yamllint` tool](https://yamllint.readthedocs.io/en/stable/quickstart.html] to check yaml format. + * Run yamlint [`yamllint` tool](https://yamllint.readthedocs.io/en/stable/quickstart.html] to check yaml format. It find no issues. * YAML must be indented by 2 spaces. - * For more info: https://pypi.org/project/yamllint - + * Ruby YAML does not like embedded ":" characters. + * For more info: + * https://pypi.org/project/yamllint + * [HERE](https://github.com/rubysec/ruby-advisory-db/blob/master/.github/workflows/ruby.yml) + * Check all URLs for dead links. Sometimes find the URL https://web.archive.org . * Please see the [README](README.md#schema) for more documentation on the YAML Schema. ## Tests From d6274a1e0b656724a1f59ba82e25c9ea11e7ec22 Mon Sep 17 00:00:00 2001 
From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Mon, 25 May 2026 08:40:04 -0400 Subject: [PATCH 3/5] Fix formatting issues in README.md --- README.md | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 5497f24b40..12afda0b4b 100644 --- a/README.md +++ b/README.md 
@@ -142,23 +142,24 @@ patched_versions: * `date` \[Date\] (required): The public disclosure date of the advisory. * `description` \[String\] (required): One or more paragraphs describing the vulnerability. It may contain multiple paragraphs. - * Used `description: |` if it is more than one sentence/line. - * Line wrap `descriptions:` field at 80. - * Do no include "POC" or "PoC" in `description:` field. - * Not use "\n" in `description:` field. + * Used `description: |` if it is more than one sentence/line. + * Line wrap `descriptions:` field at 80. + * Do no include "POC" or "PoC" in `description:` field. + * Not use "\n" in `description:` field. * `cvss_v2` \[Float\] (optional): The [CVSSv2] score for the vulnerability. * `cvss_v3` \[Float\] (optional): The [CVSSv3] score for the vulnerability. * `cvss_v4` \[Float\] (optional): The [CVSSv4] score for the vulnerability. * `unaffected_versions` \[Array\\] (optional): The version requirements for the unaffected versions of the Ruby library. + * `unaffected_versions` version ranges must be quoted (ex: `">= 1.2.3"`). * `patched_versions` \[Array\\] (optional): The version requirements for the patched versions of the Ruby library. - * `patched_versions`/`unaffected_versions` version ranges must be quoted (ex: `">= 1.2.3"`). - * Omit patched_versions: if you has no patched version identifiers. + * `patched_versions version ranges must be quoted (ex: `">= 1.2.3"`). + * Omit `patched_versions:` if you has no patched version identifiers. * `related` \[Hash\\>\] (optional): Sometimes an advisory references many urls and other identifiers. Supported keys: `cve`, `ghsa`, `osvdb`, and `url` - * Field `related:/url:` is 4 blanks from left margin. + * All supported keys are 4 blanks from left margin. * `notes` \[String\] (optional): Internal notes regarding the vulnerability's inclusion in this database. 
@@ -178,10 +179,10 @@ patched_versions: * `date` \[Date\] (required): The public disclosure date of the advisory. * `description` \[String\] (required): One or more paragraphs describing the vulnerability. It may contain multiple paragraphs. - * Used `description: |` (not `|-`) if it is more than one sentence/line. - * Line wrap `descriptions:` field at 80. - * Not use "\n" in `description:` field. - * Do no include "POC" or "PoC" in `description:` field. + * Used `description: |` (not `|-`) if it is more than one sentence/line. + * Line wrap `descriptions:` field at 80. + * Not use "\n" in `description:` field. + * Do no include "POC" or "PoC" in `description:` field. * `cvss_v2` \[Float\] (optional): The [CVSSv2] score for the vulnerability. * `cvss_v3` \[Float\] (optional): The [CVSSv3] score for the vulnerability. * `cvss_v4` \[Float\] (optional): The [CVSSv4] score for the vulnerability. 
@@ -197,21 +198,22 @@ patched_versions: * `related` \[Hash\\>\] (optional): Sometimes an advisory references many urls and other identifiers. Supported keys: `cve`, `ghsa`, `osvdb`, and `url` - * Field `related:/url:` is 4 blanks from left margin. + * All supported keys are 4 blanks from left margin. * `notes` \[String\] (optional): Internal notes regarding the vulnerability's inclusion in this database. # General Contributing Guidelines * Advisory filename prefix naming preferance is: * 1st choice: CVE, then GHSA, then OSVDB. - * Advisory filename (without suffix) should be equal to root `url:` field value. + * Advisory filename (without suffix) should be equal to root `url:` field value. * Try to keep all text within 80 columns. * Run yamlint [`yamllint` tool](https://yamllint.readthedocs.io/en/stable/quickstart.html] to check yaml format. It find no issues. - * YAML must be indented by 2 spaces. - * Ruby YAML does not like embedded ":" characters. - * For more info: - * https://pypi.org/project/yamllint - * [HERE](https://github.com/rubysec/ruby-advisory-db/blob/master/.github/workflows/ruby.yml) + * YAML must be indented by 2 spaces. + * Ruby YAML does not like embedded ":" characters. + * For more info: + * https://pypi.org/project/yamllint + * [HERE](https://github.com/rubysec/ruby-advisory-db/blob/master/.github/workflows/ruby.yml) + * Run `rspec spec/schema_validation_spec.rb` for aditional lint checks. * Check all URLs for dead links. Sometimes find the URL https://web.archive.org . * Please see the [README](README.md#schema) for more documentation on the YAML Schema. From 0753f816c744ec686da13b4a3d4c2f6ba20ad76b Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Mon, 25 May 2026 08:49:37 -0400 Subject: [PATCH 4/5] Update README to clarify "%" usage in description field --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 12afda0b4b..5c04db6a36 100644 
--- a/README.md +++ b/README.md @@ -145,7 +145,7 @@ patched_versions: * Used `description: |` if it is more than one sentence/line. * Line wrap `descriptions:` field at 80. * Do no include "POC" or "PoC" in `description:` field. - * Not use "\n" in `description:` field. + * Not use "\n" or "%" in `description:` field. * `cvss_v2` \[Float\] (optional): The [CVSSv2] score for the vulnerability. * `cvss_v3` \[Float\] (optional): The [CVSSv3] score for the vulnerability. * `cvss_v4` \[Float\] (optional): The [CVSSv4] score for the vulnerability. @@ -181,7 +181,7 @@ patched_versions: vulnerability. It may contain multiple paragraphs. * Used `description: |` (not `|-`) if it is more than one sentence/line. * Line wrap `descriptions:` field at 80. - * Not use "\n" in `description:` field. + * Not use "\n" or "%" in `description:` field. * Do no include "POC" or "PoC" in `description:` field. * `cvss_v2` \[Float\] (optional): The [CVSSv2] score for the vulnerability. * `cvss_v3` \[Float\] (optional): The [CVSSv3] score for the vulnerability. From e20d885ab1ce6e78a2579fb3aea51fc95c13eb35 Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Mon, 25 May 2026 08:59:53 -0400 Subject: [PATCH 5/5] Fix formatting issues in README.md PR#1054 lint check for "related:" (cvs, ghsa, osvdb). --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5c04db6a36..df766149c9 100644 --- a/README.md +++ b/README.md @@ -160,6 +160,7 @@ patched_versions: references many urls and other identifiers. Supported keys: `cve`, `ghsa`, `osvdb`, and `url` * All supported keys are 4 blanks from left margin. + * `cve`, `ghsa`, and `osvdb` related fields are not URLs. * `notes` \[String\] (optional): Internal notes regarding the vulnerability's inclusion in this database. 
@@ -188,7 +189,7 @@ patched_versions: * `cvss_v4` \[Float\] (optional): The [CVSSv4] score for the vulnerability. * `unaffected_versions` \[Array\\] (optional): The version requirements for the unaffected versions of the Ruby implementation. - * Field `unaffected_versions` are 2 blanks from left margin. + * Field `unaffected_versions` are 2 blanks from left margin.* `cve`, `ghsa`, and `osvdb` related fields are not URLs. * `patched_versions` \[Array\\] (optional): The version requirements for the patched versions of the Ruby implementation. * `patched_versions`/`unaffected_versions` version ranges must be quoted @@ -199,6 +200,7 @@ patched_versions: references many urls and other identifiers. Supported keys: `cve`, `ghsa`, `osvdb`, and `url` * All supported keys are 4 blanks from left margin. + * `cve`, `ghsa`, and `osvdb` related fields are not URLs. * `notes` \[String\] (optional): Internal notes regarding the vulnerability's inclusion in this database.
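Review bot: The CONTRIBUTING.md deletion hunk in patch 1/5 removes the file GitHub links from the new-issue and new-pull-request pages, so contributors lose that pointer even though the guidelines still exist in README.md; keeping a one-line CONTRIBUTING.md that links to the new "General Contributing Guidelines" section in README.md preserves that discoverability at no maintenance cost.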
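Review bot: "Used `description: |` if it is more than one sentence/line." in the `@@ -130` hunk of patch 1/5 should read "Use `description: |` ...", and the identical bullet is added again in the `@@ -151` hunk for the `rubies` section; since the `gems` and `rubies` field lists already duplicate most of their text, consider a single shared "Field conventions" list referenced from both sections so the two copies cannot drift (they already do by the end of this series).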
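Review bot: The `yamllint` link in the `@@ -158` hunk of patch 1/5 closes with `]` instead of `)` (`...quickstart.html]`), so it will not render as a link, and "Run yamlint" misspells the tool name; the same hunk also moves "Please see the [README](README.md#schema)" into README.md itself, where it now points at its own file, so it should become a section link such as "see the [Schema](#schema) section above".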
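Review bot: Re-wrapping the example `description: |` block at 80 columns in the `@@ -103` hunk of patch 2/5 changes the stored value, because the `|` literal style keeps every line break in the scalar; if that is the intended representation it should be stated explicitly in the `description` bullet (wrap at 80, line breaks are preserved), and if plain paragraphs are wanted the `>` folded style would fold the wrapped lines back into one paragraph. Either way, say which one the database expects so contributors do not choose differently per file.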
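Review bot: "Line wrap `title:` field at 80." in the `@@ -120` hunk of patch 2/5 contradicts the sentence right above it, "It must be a single line sentence." (and the same rule that patch 1/5 just carried over from CONTRIBUTING.md); either drop the wrap bullet for `title` or explain how a wrapped value is still a single line. Further issues in the same hunk: `descriptions:` should be `description:`; "Do no include", "Not use" and "if you has no" need to be "Do not include", "Do not use" and "if there are no"; "Field `patched_versions`are" is missing a space; "preferance" should be "preference"; in the `rubies` section the `notes` bullet is re-indented as a sub-item of `related` (`+  * `notes` \[String\] (optional): ...`) while it stays top-level under `gems`; "Advisory filename (without suffix) should be equal to root `url:` field value." cannot be literally right, since a URL is not a filename, and presumably means the identifier field (`cve:`, `ghsa:` or `osvdb:`) chosen by the prefix preference in the bullet above it; "It find no issues." should be "It should report no issues."; "Ruby YAML does not like embedded ":" characters." is vague, the actual constraint being that a plain (unquoted) scalar cannot contain a colon followed by a space, which is avoided by quoting the value or using a block scalar; "[HERE]" as link text should name what it points to (the CI workflow); and "Sometimes find the URL https://web.archive.org ." is unclear, presumably "If a URL is dead, look for an archived copy on https://web.archive.org and link that instead."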
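Review bot: The line "* `patched_versions version ranges must be quoted (ex: `">= 1.2.3"`)." in the `@@ -142` hunk of patch 3/5 has an unbalanced backtick after `patched_versions`, so the rest of the bullet renders as inline code; the closing backtick needs to be restored. This hunk also splits the quoting rule into one bullet per field for the `gems` section, while the `rubies` section keeps the combined `patched_versions`/`unaffected_versions` bullet (visible as context in patch 5/5's `@@ -188` hunk), so the two sections now state the same rule in different shapes; and "if you has no patched version identifiers" is still ungrammatical.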
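Review bot: "Run `rspec spec/schema_validation_spec.rb` for aditional lint checks." in the `@@ -197` hunk of patch 3/5 should use `bundle exec rspec spec/schema_validation_spec.rb` to match the `bundle exec rspec` invocation in the Tests section, and "aditional" should be "additional"; the `yamllint` link's `]`-for-`)` delimiter and the "yamlint" misspelling survive this "Fix formatting issues" commit unchanged.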
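Review bot: The `@@ -145` and `@@ -181` hunks of patch 4/5 add "%" to the forbidden characters for `description:` without saying why; "%" has no special meaning inside a YAML block scalar, so a contributor cannot tell whether to rephrase, quote or escape it. State which step rejects it and what to write instead (the commit subject promises to "clarify" the usage, but the bullet only forbids it), and fix "Not use" to "Do not use" while touching the line.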
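Review bot: The `@@ -160` hunk of patch 5/5 is correct in substance, but "`cve`, `ghsa`, and `osvdb` related fields are not URLs." would be clearer if it said what they are, i.e. bare identifiers, with one example value in the expected form next to a `url` entry, so that the lint check referenced in the commit subject has a documented rule to point at.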
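Review bot: The `@@ -188` hunk of patch 5/5 is a paste error and should be reverted: the new sentence is appended onto the end of the existing `unaffected_versions` bullet without a line break (`...are 2 blanks from left margin.* `cve`, `ghsa`, and `osvdb` related fields are not URLs.`), and it concerns `related`, not `unaffected_versions`; the `@@ -199` hunk in the same commit already adds the bullet in the right place under `related` for the `rubies` section. The commit subject's "(cvs, ghsa, osvdb)" should also read "cve".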