rubysec / ruby-advisory-db

A database of vulnerable Ruby Gems
https://rubysec.com

ruby-doc.org does not link to ruby-advisory-db #33

Open tarcieri opened 11 years ago

tarcieri commented 11 years ago

If you visit:

http://www.ruby-doc.org/

You will see:

"There was 1 Ruby vulnerability reports in the last 14 days. 1 undetermined. Most recent: CVE-2013-1656. See details."

You are presented with a friendly reminder of recent Ruby security vulnerabilities! Seems good!

PROBLEM: this goes to http://web.nvd.nist.gov/

Shouldn't this go to ruby-advisory-db in some form or another?

phillmv commented 11 years ago

They're not using our data https://github.com/rubysec/rubysec.github.com/issues/1 :)

postmodern commented 11 years ago

I will send an email asking whether they've looked at ruby-advisory-db or if they need additional data (maybe a date field?).

postmodern commented 11 years ago

Got this feedback:

After hearing about some Ruby security issues I got to wondering how people are supposed to find out about these things. I read something on Hacker News that mentioned the ruby-advisory-db and bookmarked it.

It occurred to me that ruby-doc gets some decent traffic so it would make a good place to show security alerts.

I went back and looked at ruby-advisory-db, but it wasn't clear to me how I would best use it.

From what I can tell this is a set of static files that, somehow, gets updated when vulnerabilities are announced. I looked at the files and was put off (for my purposes) by how it was a set of files broken up by gems. What I was looking for was something stupid easy, few moving parts, as static as possible.

I didn't know what CVE meant so I searched around on that and found web.nvd.nist.gov.

The HTML there is pretty clean and not too hard to parse as XML. I figure it is going to be at least as current as ruby-advisory-db.

In fact, the NVD has a Ruby item, CVE-2013-1656, that isn't in ruby-advisory-db.

The code I run is pretty trivial (though it may yet break on some undiscovered edge case). I use Net::HTTP to fetch the search page, write it to a file, then parse the results to create some sortable Ruby objects. A static file is written out with a summary of what's been found in the last two weeks.

It gets called by cron so there's no server process to watch. The file is dynamically loaded in the ruby-doc pages using jQuery so I don't need to regenerate anything else.

I don't know the use-cases you considered for ruby-advisory-db. If someone is specifically interested in particular gems then the file breakdown is helpful. If someone just wants a date-ordered list of recent reports then all the files have to be parsed because (it appears) the file mtimes do not reflect the date of the vulnerability.

Perhaps the file names could be used to order them, but you then still have to traverse every directory. But even there I don't know how you would use that to find the reports for the last N days.

It may be that ruby-advisory-db has more details from people more directly involved with various vulnerabilities, but my particular goal was not to convey everything but to give people a heads-up on stuff they should investigate further.

Something you may want to consider for ruby-advisory-db would be having a set of concatenated "recent alerts" files. For example, a file that contained all alerts for the past week, another for the past two weeks, past month, past six months. Or something. (I realize this is horribly denormalized, but it would make using the data more convenient.)

Sorry if I misunderstood anything about ruby-advisory-db; I took a look, made a quick judgment about suitability for what I had in mind, and started writing code. There's a downside to relying on parsing possibly flaky HTML, but as best I can tell fetching directly from the NVD gives me more timely data.

Hope this is helpful, and thanks for the work on ruby-advisory-db.

James Britt
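The "recent alerts" view the feedback above asks for, as an added example that is not part of this thread or of ruby-advisory-db's own tooling: it walks the gems/<gem>/<id>.yml layout, orders advisories by their `date` field rather than file mtime, and keeps those from the last N days. It assumes each advisory carries a `date` field in YYYY-MM-DD form; the gem names, ids and dates below are constructed placeholders.

```ruby
require "yaml"
require "date"
require "tmpdir"
require "fileutils"

# Constructed sample advisories in the database's gems/<gem>/<id>.yml layout.
# Gem names and ids are placeholders; "gamma" has no date to show the edge case.
SAMPLE_DB = {
  "gems/alpha/EXAMPLE-0001.yml" => "---\ngem: alpha\ncve: EXAMPLE-0001\ndate: 2024-03-01\ntitle: Older alpha issue\n",
  "gems/alpha/EXAMPLE-0002.yml" => "---\ngem: alpha\ncve: EXAMPLE-0002\ndate: 2024-03-10\ntitle: Newer alpha issue\n",
  "gems/beta/EXAMPLE-0003.yml"  => "---\ngem: beta\ncve: EXAMPLE-0003\ndate: 2024-03-18\ntitle: Beta issue\n",
  "gems/gamma/EXAMPLE-0004.yml" => "---\ngem: gamma\ncve: EXAMPLE-0004\ntitle: Undated gamma issue\n",
}

# Write the sample tree under root and return root.
def write_sample_db(root)
  SAMPLE_DB.each do |rel, body|
    path = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, body)
  end
  root
end

# Load every advisory under root/gems/*/. safe_load stops the YAML from
# instantiating arbitrary objects; Date is the only extra class permitted.
def load_advisories(root)
  Dir.glob(File.join(root, "gems", "*", "*.yml")).sort.map do |path|
    YAML.safe_load(File.read(path), permitted_classes: [Date]).merge("path" => path)
  end
end

# The advisory's date field as a Date, or nil when missing or unparsable.
# File mtime is deliberately not used: it does not reflect the report date.
def advisory_date(adv)
  value = adv["date"]
  return value if value.is_a?(Date)
  value && Date.iso8601(value.to_s)
rescue ArgumentError
  nil
end

# Advisories dated within the last `days` days of `today`, newest first.
def recent_advisories(advisories, days:, today: Date.today)
  cutoff = today - days
  dated = advisories.select { |a| (d = advisory_date(a)) && d >= cutoff }
  dated.sort_by { |a| advisory_date(a) }.reverse
end

# One-line summary in the style of the ruby-doc.org banner.
def summary(recent, days)
  return "No Ruby advisories in the last #{days} days." if recent.empty?
  latest = recent.first
  "#{recent.size} Ruby advisories in the last #{days} days. " \
    "Most recent: #{latest['gem']} #{latest['cve']} (#{advisory_date(latest)})."
end
```

Run against a real checkout by replacing the sample tree with the repository root; the undated advisory is dropped from the listing rather than guessed from mtime.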

tarcieri commented 11 years ago

How about a simple static site generator that parses the YAML versions and spits out an HTML version, which could be hosted on Github Pages?

tarcieri commented 11 years ago

Here's a crazy idea:

Parse YAML -> Produce Markdown -> Run through Octopress -> Static site complete with RSS feed

postmodern commented 11 years ago

I also thought about setting up a simple blog to announce advisories with an atom feed.

postmodern commented 11 years ago

Thanks to @tarcieri there is now an Atom feed of the database. Perhaps we could make another Atom feed containing YAML or JSON data, and see if James Britt prefers that over scraping NVDB?

reedloden commented 9 years ago

Once the site is updating via CI (coming soon!), should poke the ruby-doc.org folk again, as MITRE has been super slow to assign CVEs, which means NVD doesn't get those updates. However, we need to be diligent about getting stuff added to ruby-security-db as quickly as possible when stuff is announced.

reedloden commented 9 years ago

Though, I suspect we'll need to handle vulns in ruby engines and rubygems as well first.