Preview affected and fixed versions before publishing to Gemnasium DB
Problem to solve
Contributors to the Gemnasium Vulnerability Database need to check the affected and fixed versions before publishing a new advisory, which at the moment is tedious and time consuming. It should be possible to preview the affected and fixed versions automatically, in the MR that adds a security advisory to the vulnerability DB or updates an existing one.
Intended users
Contributors to the Gemnasium Vulnerability DB, including members of the ~"Category:Vulnerability Database" team.
Proposal
gemnasium-db-toolbox connects to the package registries (like rubygems.org), lists the package versions currently available, and evaluates the affected version range to tell which versions are affected and which are not. It's then possible to preview an advisory in an MR of the gemnasium-db project.
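An added example of the evaluation step described above, not code from gemnasium-db-toolbox or the vrange library: given the versions a registry lists and an advisory's affected range, split them into affected and not affected. It assumes a simplified semver-style range syntax and numeric-only versions; the real vrange library handles each ecosystem's own syntax.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// CompareVersions orders two dotted numeric versions, returning -1, 0 or 1. A missing
// component counts as 0 ("1.2" == "1.2.0"); pre-release tags are out of scope (assumption).
func CompareVersions(a, b string) (int, error) {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		x, y, err := 0, 0, error(nil)
		if i < len(pa) { if x, err = strconv.Atoi(pa[i]); err != nil { return 0, err } }
		if i < len(pb) { if y, err = strconv.Atoi(pb[i]); err != nil { return 0, err } }
		if x != y { if x < y { return -1, nil }; return 1, nil }
	}
	return 0, nil
}

// Satisfies evaluates a range such as ">=1.0 <1.2.3 || >=2.0 <2.0.1": "||" separates
// alternatives, whitespace separates constraints that must all hold (simplified syntax).
func Satisfies(v, expr string) (bool, error) {
	for _, alt := range strings.Split(expr, "||") {
		ok := true
		for _, c := range strings.Fields(alt) {
			op := strings.TrimRight(c, "0123456789.")
			d, err := CompareVersions(v, c[len(op):])
			if err != nil { return false, err }
			switch op {
			case "<": ok = ok && d < 0
			case "<=": ok = ok && d <= 0
			case ">": ok = ok && d > 0
			case ">=": ok = ok && d >= 0
			case "", "=": ok = ok && d == 0
			default: return false, fmt.Errorf("unsupported operator %q in %q", op, c)
			}
		}
		if ok { return true, nil }
	}
	return false, nil
}

// Preview splits the versions a registry publishes into affected and not affected,
// which is what a contributor wants to see in the MR before publishing the advisory.
func Preview(published []string, affectedRange string) (affected, notAffected []string, _ error) {
	for _, s := range published {
		hit, err := Satisfies(s, affectedRange)
		if err != nil { return nil, nil, err }
		if hit { affected = append(affected, s) } else { notAffected = append(notAffected, s) }
	}
	return affected, notAffected, nil
}
```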
Implementation plan
- Add a preview sub-command to gemnasium-db-toolbox, leveraging the vrange library as well, and built using the codebase of Gemnasium Package Syncer (no longer maintained). This covers the following package registries: rubygems.org, Maven Central, pypi.org, and npmjs.com. See gitlab-org/security-products/gemnasium-db-toolbox!11.
- Add packagist.org support to gemnasium-db-toolbox, because this was not supported by Gemnasium Package Syncer.
- Configure the pipeline of gemnasium-db to call gemnasium-db-toolbox preview for new and updated advisories. See gitlab-org/security-products/gemnasium-db!336 (closed).
- Update the contribution guide.
What does success look like, and how can we measure that?
- Contributors to gemnasium-db can preview the affected and fixed versions in the MR, and make sure the security advisory they're about to publish is correct.
- Reviewers spend less time reviewing the MRs.