-
Notifications
You must be signed in to change notification settings - Fork 177
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Data quality issue with 2016/2017 Ruby CVEs #2333
Comments
✨ Thank you for your interest in OSV.dev's data quality! ✨ Please review our FAQ entry on how to most efficiently have this addressed. |
Preliminary investigation of CVE-2016-2336:
The commits definitely exist for the version tags:
Yet analysis doesn't find the commits any branch, and ruby/ruby@a9721a2 and ruby/ruby@d40ea2a are not reported as being in the repo (which aligns with the behaviour from analysis) The commits are definitely there:
My Git internals fu isn't particularly strong, but relying on https://stackoverflow.com/questions/2706797/finding-what-branch-a-git-commit-came-from, for these two commits I get:
I need to understand how to interpret what |
Ah yeah, the case of detached tags. It is unfortunately legal to tag outside of any branch. In Ruby's case, it was simply because of the way it's imported from svn and in svn tags were completely separate to branches. For those you can probably assume that empty commits won't have an impact on the vulnerability as they contain no code changes and so can take the first non-empty parent commit when searching for paths between commits, which for Ruby will lie on a branch. In other cases however, detached tags can contain code changes as an intentional part of the release process, such as swiftlang/swift@2194dc2 from CVE-2020-9861. So it's somewhat awkward to generalise. |
The CVE ID
CVE-2016-2336
CVE-2016-2337
CVE-2016-2338
CVE-2016-2339
CVE-2017-6181
CVE-2017-11465
CVE-2017-17790
Describe the data quality issue observed
osv.dev marks these as "no fix available" and does not list any git tags
Suggested changes to record
Git tags are listed and osv.dev is able to detect the CVE as fixed.
The exact cause of the problem is unfortunately unclear to me, otherwise I would suggest something more precise.
Given the "fixed" commits just point to the release tag commit, whatever produced the commit range did originally have the correct list of affected versions.
Additional context
NIST CPEs list the versions affected correctly.
The text was updated successfully, but these errors were encountered: