Data quality issue with 2016/2017 Ruby CVEs

[Bo98]

The CVE ID
CVE-2016-2336
CVE-2016-2337
CVE-2016-2338
CVE-2016-2339
CVE-2017-6181
CVE-2017-11465
CVE-2017-17790

Describe the data quality issue observed
osv.dev marks these as "no fix available" and does not list any git tags

Suggested changes to record
Git tags are listed and osv.dev is able to detect the CVE as fixed.

The exact cause of the problem is unfortunately unclear to me, otherwise I would suggest something more precise.

Given the "fixed" commits just point to the release tag commit, whatever produced the commit range did originally have the correct list of affected versions.

Additional context
NIST CPEs list the versions affected correctly.

[github-actions]

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

[andrewpollock]

Preliminary investigation of CVE-2016-2336:

[CVE-2016-2336]: Pre-references, derived ["https://github.com/ruby/ruby"] for "ruby-lang" "ruby" using cache
[CVE-2016-2336]: Pre-references, derived ["https://github.com/ruby/ruby"] for "ruby-lang" "ruby" using cache
[CVE-2016-2336]: Summary: [CPEs=2 AppCPEs=2 DerivedRepos=1]
[CVE-2016-2336]: Repos: []string{"https://github.com/ruby/ruby"}
[CVE-2016-2336]: Trying to convert version tags {AffectedCommits:[] AffectedVersions:[{Introduced: Fixed: LastAffected:2.2.2} {Introduced: Fixed: LastAffected:2.3.0}]} to commits using [https://github.com/ruby/ruby]
[CVE-2016-2336]: Attempting version resolution for {Introduced: Fixed: LastAffected:2.2.2} using "https://github.com/ruby/ruby"
[CVE-2016-2336]: Successfully derived {Repo:https://github.com/ruby/ruby Introduced: Fixed: Limit: LastAffected:a9721a259665149b1b9ff0beabcf5f8dc0136120} for last_affected version "2.2.2"
[CVE-2016-2336]: Attempting version resolution for {Introduced: Fixed: LastAffected:2.3.0} using "https://github.com/ruby/ruby"
[CVE-2016-2336]: Successfully derived {Repo:https://github.com/ruby/ruby Introduced: Fixed: Limit: LastAffected:d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20} for last_affected version "2.3.0"

The commits definitely exist for the version tags:

$ git ls-remote -t https://github.com/ruby/ruby | grep -E "(d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20|a9721a259665149b1b9ff0beabcf5f8dc0136120)"
a9721a259665149b1b9ff0beabcf5f8dc0136120        refs/tags/v2_2_2
d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20        refs/tags/v2_3_0

Yet analysis doesn't find the commits any branch, and ruby/ruby@a9721a2 and ruby/ruby@d40ea2a are not reported as being in the repo (which aligns with the behaviour from analysis)

The commits are definitely there:

$ git clone -q https://github.com/ruby/ruby
$ cd ruby
$ git show a9721a259665149b1b9ff0beabcf5f8dc0136120
commit a9721a259665149b1b9ff0beabcf5f8dc0136120 (tag: v2_2_2)
Author: nagachika <[email protected]>
Date:   Mon Apr 13 13:19:16 2015 +0000

    add tag v2_2_2
    
    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/tags/v2_2_2@50295 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
$ git show d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20
commit d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20 (tag: v2_3_0)
Author: NARUSE, Yui <[email protected]>
Date:   Thu Dec 24 16:35:48 2015 +0000

    add tag v2_3_0
    
    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/tags/v2_3_0@53290 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
$ git name-rev d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20
d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20 tags/v2_3_0

My Git internals fu isn't particularly strong, but relying on https://stackoverflow.com/questions/2706797/finding-what-branch-a-git-commit-came-from, for these two commits I get:

$ git branch -a --contains d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20
$ git reflog show --all | grep d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20
$ git log --merges d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20
commit 4334bb87f918e8f39051d7c80ca1558205762d60
Merge: 77ac4a50f1 f15ac6c8d6
Author: Nobuyoshi Nakada <[email protected]>
Date:   Thu Oct 8 01:44:51 2015 +0000

    node.c: D_FIELD_HEADER
    
    * node.c (D_FIELD_HEADER): concatenate sequential strings.
    
    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52078 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

commit d0191f54f437e34600d48b9aa970bad6da506395
Merge: d42d4c1e23 59991b6ac5
Author: svn[bot] <[email protected]>
Date:   Tue Sep 8 22:47:16 2015 +0000

    * properties.
    
    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51803 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

commit e0934947d3b5403ee51b0809c4b6c139eb99500a
Merge: a8b34c375d 843019f4a0
Author: Kazuki Tanaka <[email protected]>
Date:   Sat Jun 6 20:35:35 2015 +0000

    * lib/cmath.rb: [DOC] Documentation improvements [ci skip]
    
    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50795 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

commit ff3322560e5e54863f959d3793df1f37a14f35d8
Merge: daa18e5074 fadd0160d0
Author: svn[bot] <[email protected]>
Date:   Sun May 3 18:11:41 2015 +0000

    * 2015-05-04
    
    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50426 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

# I'm pretty sure this is what our analysis code does 
$ git branch -a --contains a9721a259665149b1b9ff0beabcf5f8dc0136120
$ git reflog show --all | grep a9721a259665149b1b9ff0beabcf5f8dc0136120
$ git log --merges a9721a259665149b1b9ff0beabcf5f8dc0136120
commit fe0ab0517a6cc71b06f0fe1b074f3f2e8e213862
Merge: 364be8e7c2 7632a82d57
Author: NARUSE, Yui <[email protected]>
Date:   Thu Dec 25 08:42:33 2014 +0000

    merge revision(s) 48993:
    
            * ext/io/console/console.c (console_dev): send the given arguments
              to the opened console.  as a special case, do nothing if :close
              is given.
    
            * test/lib/leakchecker.rb (LeakChecker#check_fd_leak): close if
              console.
    
    
    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@49004 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

commit 31409cbf7f56d72df0049306a2345c6f40f08ed6
Merge: f5dbd9dbec f0806c4863
Author: NARUSE, Yui <[email protected]>
Date:   Thu Dec 25 07:11:34 2014 +0000

    Release branch of Ruby 2.2
    
    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@48992 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
$ git name-rev a9721a259665149b1b9ff0beabcf5f8dc0136120
a9721a259665149b1b9ff0beabcf5f8dc0136120 tags/v2_2_2
$ git log a9721a259665149b1b9ff0beabcf5f8dc0136120..HEAD --ancestry-path --merges

I need to understand how to interpret what git log --merges is telling me...

[Bo98]

Ah yeah, the case of detached tags. It is unfortunately legal to tag outside of any branch.

In Ruby's case, it was simply because of the way it's imported from svn and in svn tags were completely separate to branches. For those you can probably assume that empty commits won't have an impact on the vulnerability as they contain no code changes and so can take the first non-empty parent commit when searching for paths between commits, which for Ruby will lie on a branch.

In other cases however, detached tags can contain code changes as an intentional part of the release process, such as swiftlang/swift@2194dc2 from CVE-2020-9861. So it's somewhat awkward to generalise.