• This repository has been archived on 07/Sep/2022
• Stars: 145
• Rank: 245,288 (Top 5 %)
• Language: Ruby
• License: Other
• Created about 6 years ago
• Updated over 1 year ago


Repository Details

Old database of Elixir security advisories before the GitHub Security Advisory DB supported Hex / Elixir.

Deprecation Notice

This repo was created before the GitHub Security Advisory DB supported Hex / Elixir. Now that support has been added, we've deprecated / archived this repo. The Security Advisory DB is a much more flexible solution that includes an actual API, GraphQL support, auto-ingesting from various data sources, professional curation, etc.

elixir-security-advisories

Elixir Advisory Database

The Elixir Advisory Database is a repository of security advisories filed against published Elixir packages.

Advisory metadata is stored in YAML format for Sobelow, Dependabot, MixAudit and other automated tools to consume.

There is also an experimental web API for the database.


Directory Structure

The database is a list of directories that match the names of Elixir libraries on hex.pm. Within each directory are one or more advisory files for the Elixir library.

packages/:
  plug/:
    2017-02-28.yml
    2017-02-28_2.yml

Format

Each advisory file contains the advisory information in YAML format:

---
id: 8268e120-60b4-4efb-b9ca-4e3faca0cca6
package: plug
disclosure_date: 2017-02-28
cve: 2017-1000052
link: https://elixirforum.com/t/static-and-session-security-fixes-for-plug/3913
title: |
  Null Byte Injection in Plug.Static

description: |
  Plug.Static is used for serving static assets, and is vulnerable to null
  byte injection. If file upload functionality is provided, this can allow
  users to bypass filetype restrictions.

  We recommend all applications that provide file upload functionality and
  serve those uploaded files locally with Plug.Static to upgrade immediately
  or include the fix below. If uploaded files are rather stored and served
  from S3 or any other cloud storage, you are not affected.

patched_versions:
  - ~> 1.3.2
  - ~> 1.2.3
  - ~> 1.1.7
  - ~> 1.0.4

unaffected_versions:
  - "< 1.0.0"

Schema

There is linting in place to enforce the following schema for each advisory:

| Attribute | Type | Description |
| --- | --- | --- |
| id | String | A version 4 UUID (use https://www.uuidgenerator.net/version4). |
| package | String | Name of the affected package. |
| disclosure_date | Date | Date the vulnerability was publicly disclosed (here or elsewhere). |
| cve | String/Null | (Optional) CVE assigned to the vulnerability. |
| link | String | Link to the original disclosure / more details. |
| title | String | Title of the vulnerability. This should be a (very) short description. |
| description | String | Description of the vulnerability. |
| patched_versions | Array | Array of Elixir requirement strings specifying patched versions. |
| unaffected_versions | Array | Array of Elixir requirement strings specifying unaffected versions. |
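As an added example (not code from this repository, nor from Sobelow, Dependabot or MixAudit), the Ruby below loads the plug advisory shown in the Format section, checks it against the schema above, and decides whether a given package version is affected. The rule "affected unless a patched or unaffected requirement matches" is an assumption about how a consumer would use the two version arrays, and Ruby's Gem::Requirement stands in for Elixir's Version.match?/2 because its "~>" carries the same bounds.

```ruby
require "yaml"
require "date"

# Constructed sample: the plug advisory from the Format section, shortened.
ADVISORY_YAML = <<~YAML
  ---
  id: 8268e120-60b4-4efb-b9ca-4e3faca0cca6
  package: plug
  disclosure_date: 2017-02-28
  cve: 2017-1000052
  link: https://elixirforum.com/t/static-and-session-security-fixes-for-plug/3913
  title: Null Byte Injection in Plug.Static
  description: Plug.Static is vulnerable to null byte injection.
  patched_versions:
    - ~> 1.3.2
    - ~> 1.2.3
  unaffected_versions:
    - "< 1.0.0"
YAML

UUID_V4 = /\A[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\z/i

# Psych's safe loader rejects Date unless permitted; an unquoted
# disclosure_date parses as a Date, so allow that class and nothing else.
def load_advisory(yaml)
  YAML.safe_load(yaml, permitted_classes: [Date])
end

# Returns the schema violations for one advisory hash (empty when valid).
def schema_errors(adv)
  errors = []
  errors << "id must be a version 4 UUID" unless adv["id"].to_s.match?(UUID_V4)
  errors << "disclosure_date must be a date" unless adv["disclosure_date"].is_a?(Date)
  errors << "cve must be a string or null" unless adv["cve"].nil? || adv["cve"].is_a?(String)
  %w[package link title description].each do |key|
    errors << "#{key} must be a string" unless adv[key].is_a?(String)
  end
  %w[patched_versions unaffected_versions].each do |key|
    list = adv[key]
    next if list.is_a?(Array) && list.all? { |r| r.is_a?(String) && r.match?(Gem::Requirement::PATTERN) }
    errors << "#{key} must be an array of version requirement strings"
  end
  errors
end

# Affected unless a patched or unaffected requirement matches. "~> 1.3.2" means
# >= 1.3.2 and < 1.4.0 here, as in Elixir, so a 1.4.x release is not covered.
def affected?(adv, version)
  v = Gem::Version.new(version)
  (adv["patched_versions"] + adv["unaffected_versions"])
    .none? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end
```

Because "~> 1.3.2" stops at 1.4.0, a consumer that wants later minor releases treated as fixed needs an open-ended entry such as ">= 1.3.2" rather than relying on the pessimistic operator alone.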

Contributing

Do you know about a vulnerability that isn't listed in this database? Open an issue or submit a PR.

License

All content in this repository is placed in the public domain.

