rubysec/bundler-audit

Criticality information on json output

Closed this issue · 2 comments

I noticed the criticality information is missing from the JSON output, but when I generate the text output the criticality info is present.

Am I missing some options or configuration?

{
     "type":"unpatched_gem",
     "gem":{
        "name":"actionpack",
        "version":"5.1.7"
     },
     "advisory":{
        "path":"/Users/sleekr/.local/share/ruby-advisory-db/gems/actionpack/CVE-2021-22885.yml",
        "id":"CVE-2021-22885",
        "url":"https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI",
        "title":"Possible Information Disclosure / Unintended Method Execution in Action Pack",
        "date":"2021-05-05",
        "description":"There is a possible information disclosure / unintended method execution\nvulnerability in Action Pack which has been assigned the CVE identifier\nCVE-2021-22885.\n\nVersions Affected:  >= 2.0.0.\nNot affected:       < 2.0.0.\nFixed Versions:     6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6\n\nImpact\n------\nThere is a possible information disclosure / unintended method execution\nvulnerability in Action Pack when using the `redirect_to` or `polymorphic_url`\nhelper with untrusted user input.\n\nVulnerable code will look like this:\n\n```\nredirect_to(params[:some_param])\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nWorkarounds\n-----------\nTo work around this problem, it is recommended to use an allow list for valid\nparameters passed from the user.  For example:\n\n```\nprivate def check(param)\n  case param\n  when \"valid\"\n    param\n  else\n    \"/\"\n  end\nend\n\ndef index\n  redirect_to(check(params[:some_param]))\nend\n```\n\nOr force the user input to be cast to a string like this:\n\n```\ndef index\n  redirect_to(params[:some_param].to_s)\nend\n```\n",
        "cvss_v2":null,
        "cvss_v3":null,
        "cve":"2021-22885",
        "osvdb":null,
        "ghsa":null,
        "unaffected_versions":[
           "< 2.0.0"
        ],
        "patched_versions":[
           "~> 5.2.4.6",
           "~> 5.2.6",
           "~> 6.0.3.7",
           ">= 6.1.3.2"
        ]
     }
}

That is because the JSON output is derived from Advisory#to_h which is inherited from Struct and only outputs Struct fields by default. We'd need to override Advisory#to_h and include Advisory#criticality in the output.

@postmodern I will try to submit a PR for that.
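To illustrate the explanation in the comment above (why `Struct#to_h` drops a derived method, and what an override looks like), here is an added, self-contained Ruby example. It is not bundler-audit's code: `Advisory` below is a hypothetical stand-in trimmed to four fields, the CVSS score-to-label mapping in `criticality` is an assumption modelled on CVSS v3 qualitative ratings, and the advisory id is a placeholder.

```ruby
require 'json'

# Hypothetical stand-in for bundler-audit's Advisory (real one has many more
# members). Only the fields needed to derive a criticality are kept.
Advisory = Struct.new(:id, :title, :cvss_v2, :cvss_v3) do
  # Derived value, not a Struct member: Struct#to_h never includes it, which is
  # exactly why it vanished from the JSON report in the issue above.
  # Mapping is an assumption (CVSS v3 qualitative severity bands); exclusive
  # upper bounds avoid gaps between bands (e.g. 3.95 still maps to :low).
  def criticality
    if cvss_v3
      case cvss_v3
      when 0.0          then :none
      when 0.0...4.0    then :low
      when 4.0...7.0    then :medium
      when 7.0...9.0    then :high
      when 9.0..10.0    then :critical
      end
    elsif cvss_v2
      case cvss_v2
      when 0.0...4.0    then :low
      when 4.0...7.0    then :medium
      when 7.0..10.0    then :high
      end
    end
  end
end

# Same struct with #to_h overridden so the derived field reaches JSON consumers.
# `super` returns the plain member hash; merging keeps every existing key.
class AdvisoryWithCriticality < Advisory
  def to_h
    super.merge(criticality: criticality)
  end
end

# Serialise an advisory the way a JSON reporter would (hash -> JSON string).
def advisory_json(advisory)
  JSON.generate(advisory.to_h)
end

# Parse the JSON back and return the key list, to show which fields survive.
def json_keys(advisory)
  JSON.parse(advisory_json(advisory)).keys
end

if __FILE__ == $0
  # Constructed sample; "CVE-0000-00000" is a placeholder, not a real id.
  before = Advisory.new('CVE-0000-00000', 'Example advisory', nil, 8.1)
  after  = AdvisoryWithCriticality.new('CVE-0000-00000', 'Example advisory', nil, 8.1)
  puts "text report would show: #{before.criticality}"   # :high
  puts "default to_h JSON:      #{advisory_json(before)}" # no criticality key
  puts "overridden to_h JSON:   #{advisory_json(after)}"  # "criticality":"high"
end
```

The point to verify when applying this pattern to the real class is that `to_h` is the only path the JSON formatter uses; if the formatter reads members directly, the override alone will not change the report.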