Skip to content

Commit bf35695

Browse files
authored
New rake check - compare root url: to filename (without suffix) (#1069)
* new check: url: == basename(filename) * Removed both strings form line 124 expect stmt * Update URL matching expectation in advisory example * Changed prinary URL to fix PR#1069 CI failures * Reworded expect error string * deleted 2 comments + expect failed string as requested
1 parent f6f8da4 commit bf35695

4 files changed

Lines changed: 17 additions & 5 deletions

File tree

CONTRIBUTING.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,8 @@
99
* Please see the [README](README.md#schema) for more documentation on the
1010
YAML Schema.
1111
* Prior to submitting a pull request, run the tests:
12-
12+
* Advisory filename and the root of the `url:` field must
13+
be equal `(as of 5/10/2026).`
1314
```
1415
bundle install
1516
bundle exec rspec

gems/faraday/CVE-2026-33637.yml

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
gem: faraday
33
cve: 2026-33637
44
ghsa: 5rv5-xj5j-3484
5-
url: https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
5+
url: https://nvd.nist.gov/vuln/detail/CVE-2026-33637
66
title: Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2 -
77
protocol-relative URI objects still bypass host scoping
88
date: 2026-05-18
@@ -31,7 +31,7 @@ description: |
3131
that believe they are constrained to a fixed base URL. If the
3232
connection carries default headers or query parameters, those
3333
values are forwarded to the attacker-selected host.
34-
cvss_v3: 0.0
34+
cvss_v3: 6.5
3535
unaffected_versions:
3636
- "< 2.0.0"
3737
patched_versions:
@@ -43,5 +43,3 @@ related:
4343
- https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
4444
- https://github.com/advisories/GHSA-33mh-2634-fwr2
4545
- https://github.com/advisories/GHSA-5rv5-xj5j-3484
46-
notes: |
47-
- ZERO CVSS value in GHSA and NVD

gems/jwt/CVE-2026-45363.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,7 @@ patched_versions:
5151
- ">= 3.2.0"
5252
related:
5353
url:
54+
- https://www.cve.org/CVERecord?id=CVE-2026-45363
5455
- https://github.com/jwt/ruby-jwt/security/advisories/GHSA-c32j-vqhx-rx3x
5556
- https://github.com/jwt/ruby-jwt/commit/db560b769a07bd9724e77ff505011ac01872106f
5657
- https://github.com/jwt/ruby-jwt/releases/tag/v3.2.0

spec/advisory_example.rb

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -106,6 +106,18 @@
106106
it { expect(subject).to be_kind_of(String) }
107107
it { expect(subject).to_not match(%r{\Ahttp(s)?://osvdb\.org}) }
108108
it { expect(subject).not_to be_empty }
109+
110+
it "has a filename that matches the root of the url field" do
111+
url = advisory["url"]
112+
113+
filename_root = File.basename(path, ".yml")
114+
115+
# 5/24/2026: May 9, 2026 is earliest start date with no failed checks.
116+
start_date = Date.new(2026, 5, 9)
117+
if advisory["date"] >= start_date and !filename_root.start_with?("OSVDB")
118+
expect(url).to include(filename_root)
119+
end
120+
end
109121
end
110122

111123
describe "title" do

0 commit comments

Comments
 (0)