brew-vulns 0.2.3 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: be255fe2f38fdc4f92a35543e5164f3d4ebca6e8fdcbd18226d2f71b9fc630de
-  data.tar.gz: e0ee3ea8b1327ebff1fef3dbfc441fafe661d26482d59e37c1574c472d58b365
+  metadata.gz: 393c81aa55ad74bc34018843abde797c2067c055fd669d8669712a32c2e6313c
+  data.tar.gz: a95b21cd1a777076b06b0a6b507f0429c7fde11476b193a712aae67784332d49
 SHA512:
-  metadata.gz: 0e19f82e0b1b075245c696ddbf8ffb09c8beab175ec157214037182005b9af6fae8c942235b43694c4d7e54a5e79ba6735709d3e684d3441b9238e9d2d09d53d
-  data.tar.gz: 705abcdef8c8bb4b7795f7f5478751d0025397e5b64def2682cccce4bf63fa88d9d6bbfa55d7dd15a34826f3375ef6b6177f48a1ef384289a5d8fb917788f15d
+  metadata.gz: 718026189245d3ed3bcc08fc1829610ab1d5752b44bead5f9ac9b4c7718aac88074c0f99acc77c6e058cc182932a3ee05593efd9c26035411d4199044686b017
+  data.tar.gz: fe75aa4ff545a67a8cfa361512393a4b9c64a9ad2edeaa7958fd4495424e28287c5363e2f99595ff751bdcb14a0cb618703773e5874ccda4271917a9289fe31c

data/.rubocop.yml

@@ -1,7 +1,7 @@
 # This file is synced from `Homebrew/brew` by the `.github` repository, do not modify it directly.
 ---
 AllCops:
-  TargetRubyVersion: 3.4
+  TargetRubyVersion: 4.0
   NewCops: enable
   Include:
   - "**/*.rbi"
@@ -31,8 +31,6 @@ Layout/EndAlignment:
 Layout/HashAlignment:
   EnforcedHashRocketStyle: table
   EnforcedColonStyle: table
-Layout/IndentationWidth:
-  Enabled: false
 Layout/LeadingCommentSpace:
   Exclude:
   - Taps/*/*/cmd/*.rb
@@ -149,6 +147,16 @@ Style/FetchEnvVar:
   - Taps/*/*/*.rb
   - "/**/Formula/**/*.rb"
   - "**/Formula/**/*.rb"
+Style/OneClassPerFile:
+  Exclude:
+  - "**/*.rbi"
+  - Taps/*/*/*.rb
+  - "/**/Abstract/**/*.rb"
+  - "**/Abstract/**/*.rb"
+  - "/**/Formula/**/*.rb"
+  - "**/Formula/**/*.rb"
+  - "/**/developer/bin/*"
+  - "**/developer/bin/*"
 Style/FrozenStringLiteralComment:
   EnforcedStyle: always
   Exclude:

data/.ruby-version

@@ -1 +1 @@
-4.0.0
+4.0.5

data/CHANGELOG.md

@@ -1,5 +1,25 @@
 ## [Unreleased]
 
+## [0.3.0] - 2026-05-29
+
+- Add `--all` flag to scan every formula in homebrew-core
+- Accept one or more formula names as arguments to scan specific formulae, including ones that are not installed
+- Exit with status 2 on errors so callers can distinguish errors from "vulnerabilities found" (exit 1)
+- Add example GitHub Actions workflows for tap PR checks and full homebrew-core scans
+- Compute severity bands from CVSS vector strings when OSV data does not provide a severity label
+- Improve CVSS severity fallback handling when multiple score sources are present
+- Handle unbounded `introduced: 0` OSV ranges and multi-interval SEMVER ranges correctly
+- Fail closed (report as affected) when a version range comparison raises instead of silently skipping
+- Sanitize ANSI/terminal escape sequences, carriage returns and backspaces from text output
+- Cap concurrent requests when fetching vulnerability details to avoid unbounded thread spawning
+- Cap OSV pagination at a fixed page limit to avoid unbounded loops on bad responses
+- Set a `User-Agent` header on OSV API requests
+
+## [0.2.3] - 2026-02-05
+
+- Move repository to the Homebrew organisation and update install instructions, formula and links accordingly
+- Internal: shared CI/lint configuration sync and dependency updates
+
 ## [0.2.2] - 2026-01-25
 
 - Add retry logic to OSV API requests (up to 3 attempts on timeout or connection errors)

data/Formula/brew-vulns.rb

@@ -1,8 +1,8 @@
 class BrewVulns < Formula
   desc "Check Homebrew packages for known vulnerabilities via osv.dev"
   homepage "https://github.com/Homebrew/homebrew-brew-vulns"
-  url "https://github.com/Homebrew/homebrew-brew-vulns/archive/refs/tags/v0.2.2.tar.gz"
-  sha256 "64abf7791eb7d04312c1fda9dc49a73f3702f5716ce18506324ed9f401fe2514"
+  url "https://github.com/Homebrew/homebrew-brew-vulns/archive/refs/tags/v0.2.3.tar.gz"
+  sha256 "1f1bdc60daeeded30d22026ba80e66854a95a299f92392c8624997b75d0f971e"
   license "MIT"
 
   depends_on "ruby"

data/README.md

@@ -21,13 +21,14 @@ Once installed, the command is available as `brew vulns`.
 ## Usage
 
 ```bash
-brew vulns [formula] [options]
+brew vulns [formula...] [options]
 ```
 
 ### Options
 
 | Flag | Long form | Description |
 |------|-----------|-------------|
+| | `--all` | Scan every formula in homebrew-core |
 | `-b PATH` | `--brewfile PATH` | Scan packages from a Brewfile (default: ./Brewfile) |
 | `-d` | `--deps` | Include dependencies when checking a specific formula or Brewfile |
 | `-j` | `--json` | Output results as JSON |
@@ -43,9 +44,15 @@ brew vulns [formula] [options]
 # Check all installed packages
 brew vulns
 
-# Check a specific formula
+# Scan every formula in homebrew-core
+brew vulns --all --json > vulns.json
+
+# Check a specific formula (does not need to be installed)
 brew vulns openssl
 
+# Check several formulae at once
+brew vulns vim curl jq
+
 # Check a formula and its dependencies
 brew vulns python --deps
 
@@ -82,7 +89,7 @@ brew vulns --help
 
 ## How it works
 
-1. Reads installed Homebrew formulae via `brew info --json=v2 --installed`
+1. Reads Homebrew formulae via `brew info --json=v2` (installed packages by default, or any named formulae passed as arguments)
 2. Extracts the repository URL and version tag from each formula's source URL
 3. Queries the OSV API using the GIT ecosystem to find known vulnerabilities
 4. Reports any vulnerabilities found with their severity and CVE identifiers
@@ -108,9 +115,10 @@ Found 15 vulnerabilities in 3 packages
 ## Exit codes
 
 - `0` - No vulnerabilities found
-- `1` - Vulnerabilities found (or error occurred)
+- `1` - Vulnerabilities found
+- `2` - An error occurred (network failure, `brew` failure, parse error)
 
-This makes it suitable for use in CI/CD pipelines.
+This makes it suitable for use in CI/CD pipelines. To let a job continue when vulnerabilities are found but still fail on scan errors, use `brew vulns ... || [ $? -eq 1 ]`.
 
 ## GitHub Actions
 
@@ -134,8 +142,7 @@ jobs:
         run: gem install brew-vulns
 
       - name: Run vulnerability scan
-        run: brew vulns --sarif > results.sarif
-        continue-on-error: true
+        run: brew vulns --sarif > results.sarif || [ $? -eq 1 ]
 
       - name: Upload SARIF results
         uses: github/codeql-action/upload-sarif@v3
@@ -167,8 +174,7 @@ jobs:
         run: gem install brew-vulns
 
       - name: Generate SBOM
-        run: brew vulns --cyclonedx > sbom.cdx.json
-        continue-on-error: true
+        run: brew vulns --cyclonedx > sbom.cdx.json || [ $? -eq 1 ]
 
       - name: Submit to dependency graph
         uses: evryfs/sbom-dependency-submission-action@v0
@@ -178,6 +184,8 @@ jobs:
 
 This adds your Homebrew packages to the repository's dependency graph, enabling Dependabot alerts.
 
+See [examples/](examples/) for workflows that check changed formulae on tap pull requests and publish a daily scan of all of homebrew-core.
+
 ## Development
 
 ```bash

data/Rakefile

@@ -5,7 +5,9 @@ require "minitest/test_task"
 require "digest"
 require "open-uri"
 
-Minitest::TestTask.create
+Minitest::TestTask.create do |t|
+  t.framework = %(require "test/test_helper.rb")
+end
 
 task default: :test
 

data/examples/README.md

@@ -0,0 +1,9 @@
+# Example workflows
+
+GitHub Actions workflows showing how `brew vulns` can be wired into a Homebrew tap.
+
+`pr-vuln-check.yml` runs on pull requests that touch `Formula/**/*.rb`. It works out which formulae changed, runs `brew vulns <names> --sarif` against them, and uploads the result to GitHub code scanning so vulnerabilities appear as annotations on the PR.
+
+`scan-all.yml` runs daily, scans every formula in homebrew-core with `brew vulns --all --json`, and publishes `vulns.json` as an asset on a rolling `vulns` release. Downstream tooling (including Homebrew itself) can fetch that file rather than querying OSV directly.
+
+Copy whichever you need into `.github/workflows/` in the target repository and adjust to taste.

data/examples/pr-vuln-check.yml

@@ -0,0 +1,55 @@
+# Check formulae changed in a pull request for known vulnerabilities.
+# Intended for use in a Homebrew tap (e.g. homebrew-core).
+name: Vulnerability check
+
+on:
+  pull_request:
+    paths:
+      - "Formula/**/*.rb"
+
+permissions: {}
+
+jobs:
+  vulns:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Set up Homebrew
+        id: set-up-homebrew
+        uses: Homebrew/actions/setup-homebrew@main
+
+      - name: Install brew-vulns
+        run: brew install homebrew/brew-vulns/brew-vulns
+
+      - name: Detect changed formulae
+        id: changed
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+        run: |
+          cd "$(brew --repository "${GITHUB_REPOSITORY}")"
+          git fetch --quiet --depth=1 origin "${BASE_SHA}"
+          names=$(git diff --name-only --diff-filter=AM "${BASE_SHA}" -- Formula/ \
+            | xargs -r -n1 basename \
+            | sed 's/\.rb$//' \
+            | tr '\n' ' ')
+          echo "names=${names}" >> "${GITHUB_OUTPUT}"
+
+      - name: Check vulnerabilities
+        id: scan
+        if: steps.changed.outputs.names != ''
+        env:
+          FORMULAE: ${{ steps.changed.outputs.names }}
+        run: |
+          brew vulns ${FORMULAE} --sarif > vulns.sarif || [ $? -eq 1 ]
+          if [ -s vulns.sarif ]; then
+            echo "sarif=true" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Upload SARIF
+        if: steps.scan.outputs.sarif == 'true'
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+        with:
+          sarif_file: vulns.sarif
+          category: brew-vulns

data/examples/scan-all.yml

@@ -0,0 +1,45 @@
+# Scan every formula in homebrew-core for known vulnerabilities and
+# publish the result as vulns.json on a rolling release.
+name: Scan all formulae
+
+on:
+  schedule:
+    - cron: "0 6 * * *"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Set up Homebrew
+        uses: Homebrew/actions/setup-homebrew@main
+
+      - name: Install brew-vulns
+        run: brew install homebrew/brew-vulns/brew-vulns
+
+      - name: Scan
+        run: brew vulns --all --json > vulns.json
+        continue-on-error: true
+
+      - name: Validate output
+        run: ruby -rjson -e 'abort "vulns.json is not a JSON array" unless JSON.load_file("vulns.json").is_a?(Array)'
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: vulns
+          path: vulns.json
+
+      - name: Publish to release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+        run: |
+          if ! gh release view vulns >/dev/null 2>&1; then
+            gh release create vulns --title "Vulnerability data" --notes "Rolling vulnerability scan of homebrew-core"
+          fi
+          gh release upload vulns vulns.json --clobber

data/lib/brew/vulns/cli.rb

@@ -9,10 +9,13 @@ module Brew
 
       DEFAULT_MAX_SUMMARY = 60
       SEVERITY_LEVELS = { "low" => 1, "medium" => 2, "high" => 3, "critical" => 4 }.freeze
+      MAX_VULN_FETCH_THREADS = 15
+      FLAGS_WITH_VALUE = %w[-b --brewfile -m --max-summary -s --severity].freeze
 
       def initialize(args)
         @args = args
-        @formula_filter = args.first unless args.first&.start_with?("-")
+        @formula_names = parse_formula_names(args)
+        @all = args.include?("--all")
         @include_deps = args.include?("--deps") || args.include?("-d")
         @json_output = args.include?("--json") || args.include?("-j")
         @sarif_output = args.include?("--sarif")
@@ -23,6 +26,25 @@ module Brew
         @brewfile = parse_brewfile_path(args)
       end
 
+      def parse_formula_names(args)
+        names = []
+        skip_next = false
+        args.each do |arg|
+          if skip_next
+            skip_next = false
+            next
+          end
+          if FLAGS_WITH_VALUE.include?(arg)
+            skip_next = true
+            next
+          end
+          next if arg.start_with?("-")
+
+          names << arg
+        end
+        names
+      end
+
       def parse_max_summary(args)
         args.each_with_index do |arg, idx|
           if arg == "--max-summary" || arg == "-m"
@@ -69,7 +91,7 @@ module Brew
 
         formulae = load_formulae
         if formulae.empty?
-          puts "No installed formulae found."
+          puts "No formulae found."
           return 0
         end
 
@@ -86,24 +108,26 @@ module Brew
         output_results(results, formulae)
       rescue OsvClient::Error => e
         $stderr.puts "Error querying OSV: #{e.message}"
-        1
+        2
       rescue Error => e
         $stderr.puts "Error: #{e.message}"
-        1
+        2
       rescue JSON::ParserError => e
         $stderr.puts "Error parsing brew output: #{e.message}"
-        1
+        2
       end
 
       private
 
       def load_formulae
-        if @brewfile
+        if @all
+          Formula.load_all
+        elsif @brewfile
           Formula.load_from_brewfile(@brewfile, include_deps: @include_deps)
-        elsif @include_deps && @formula_filter
-          Formula.load_with_dependencies(@formula_filter)
+        elsif @formula_names.any?
+          Formula.load_named(@formula_names, include_deps: @include_deps)
         else
-          Formula.load_installed(@formula_filter)
+          Formula.load_installed
         end
       end
 
@@ -118,10 +142,13 @@ module Brew
           batch_vulns = vuln_results[idx] || []
           next if batch_vulns.empty?
 
-          threads = batch_vulns.map do |v|
-            Thread.new { client.get_vulnerability(v["id"]) }
+          full_vulns = batch_vulns.each_slice(MAX_VULN_FETCH_THREADS).flat_map do |slice|
+            threads = slice.map do |v|
+              Thread.new { client.get_vulnerability(v["id"]) }
+            end
+            threads.map(&:value)
           end
-          full_vulns = threads.map(&:value)
+
           vulns = Vulnerability.from_osv_list(full_vulns)
 
           version = formula.tag || formula.version
@@ -283,24 +310,26 @@ module Brew
         sorted = results.sort_by { |_, vulns| -vulns.map(&:severity_level).max }
 
         sorted.each do |formula, vulns|
-          puts "#{formula.name} (#{formula.version})"
+          puts "#{sanitize_terminal_escapes(formula.name)} (#{sanitize_terminal_escapes(formula.version)})"
           vulns.sort_by { |v| -v.severity_level }.each do |vuln|
             total_vulns += 1
             severity = colorize_severity(vuln.severity_display)
 
-            line = "  #{vuln.id} (#{severity})"
+            line = "  #{sanitize_terminal_escapes(vuln.id)} (#{severity})"
             if vuln.summary
-              summary = if @max_summary > 0 && vuln.summary.length > @max_summary
-                "#{vuln.summary.slice(0, @max_summary)}..."
+              sanitized_summary = sanitize_terminal_escapes(vuln.summary)
+              summary = if @max_summary > 0 && sanitized_summary.length > @max_summary
+                "#{sanitized_summary.slice(0, @max_summary)}..."
               else
-                vuln.summary
+                sanitized_summary
               end
               line = "#{line} - #{summary}"
             end
             puts line
 
             if vuln.fixed_versions.any?
-              puts "    Fixed in: #{vuln.fixed_versions.join(", ")}"
+              fixed_versions = vuln.fixed_versions.map { |version| sanitize_terminal_escapes(version) }
+              puts "    Fixed in: #{fixed_versions.join(", ")}"
             end
           end
           puts
@@ -310,6 +339,15 @@ module Brew
         1
       end
 
+      def sanitize_terminal_escapes(text)
+        text.to_s
+          .gsub(/\e\][^\a\e]*(?:\a|\e\\)/, "")
+          .gsub(/\u009d[^\a\u009c]*(?:\a|\u009c)/, "")
+          .gsub(/\u009b[0-?]*[ -\/]*[@-~]/, "")
+          .gsub(/\e\[[0-?]*[ -\/]*[@-~]/, "")
+          .delete("\e\b\r\u0007\u0080-\u009f")
+      end
+
       def colorize_severity(severity)
         return severity unless $stdout.tty?
 
@@ -324,14 +362,15 @@ module Brew
 
       def print_help
         puts <<~HELP
-          Usage: brew vulns [formula] [options]
+          Usage: brew vulns [formula...] [options]
 
-          Check installed Homebrew packages for known vulnerabilities via osv.dev.
+          Check Homebrew packages for known vulnerabilities via osv.dev.
 
           Arguments:
-            formula              Check only this formula (optional)
+            formula              Check only the named formulae (optional, does not need to be installed)
 
           Options:
+            --all                Scan every formula in homebrew-core
             -b, --brewfile PATH  Scan packages from a Brewfile (default: ./Brewfile)
             -d, --deps           Include dependencies when checking a specific formula or Brewfile
             -j, --json           Output results as JSON
@@ -343,7 +382,9 @@ module Brew
 
           Examples:
             brew vulns                    Check all installed packages
+            brew vulns --all --json       Scan every homebrew-core formula, output JSON
             brew vulns openssl            Check only openssl
+            brew vulns vim curl jq        Check several formulae at once
             brew vulns vim --deps         Check vim and its dependencies
             brew vulns --brewfile         Scan packages listed in ./Brewfile
             brew vulns -b ~/project/Brewfile  Scan a specific Brewfile

data/lib/brew/vulns/formula.rb

@@ -50,51 +50,23 @@ module Brew
         { repo_url: repo_url, version: tag, name: name }
       end
 
-      def self.load_installed(formula_filter = nil)
-        json, status = Open3.capture2("brew", "info", "--json=v2", "--installed")
+      def self.load_all
+        json, status = Open3.capture2("brew", "info", "--json=v2", "--eval-all")
         raise Error, "brew info failed with status #{status.exitstatus}" unless status.success?
 
         data = JSON.parse(json)
-        formulae = data["formulae"].map { |f| new(f) }
-
-        if formula_filter
-          formulae.select! { |f| f.name == formula_filter || f.name.split("@").first == formula_filter }
-        end
-
-        formulae
+        data["formulae"].map { |f| new(f) }
       end
 
-      def self.load_with_dependencies(formula_filter = nil)
+      def self.load_installed
         json, status = Open3.capture2("brew", "info", "--json=v2", "--installed")
         raise Error, "brew info failed with status #{status.exitstatus}" unless status.success?
 
         data = JSON.parse(json)
-        all_formulae = data["formulae"].map { |f| new(f) }
-        formulae_by_name = all_formulae.each_with_object({}) { |f, h| h[f.name] = f }
-
-        if formula_filter
-          filtered = all_formulae.select { |f| f.name == formula_filter || f.name.split("@").first == formula_filter }
-          return [] if filtered.empty?
-
-          deps_output, = Open3.capture2("brew", "deps", "--installed", formula_filter)
-          dep_names = deps_output.split("\n").map(&:strip)
-
-          result = filtered.each_with_object({}) { |f, h| h[f.name] = f }
-          dep_names.each do |dep_name|
-            dep = formulae_by_name[dep_name]
-            result[dep_name] = dep if dep && !result[dep_name]
-          end
-
-          result.values
-        else
-          all_formulae
-        end
+        data["formulae"].map { |f| new(f) }
       end
 
-      def self.load_from_brewfile(brewfile_path, include_deps: false)
-        raise Error, "Brewfile not found: #{brewfile_path}" unless File.exist?(brewfile_path)
-
-        formula_names = parse_brewfile(brewfile_path)
+      def self.load_named(formula_names, include_deps: false)
         return [] if formula_names.empty?
 
         json, status = Open3.capture2("brew", "info", "--json=v2", *formula_names)
@@ -124,6 +96,13 @@ module Brew
         formulae.uniq { |f| f.name }
       end
 
+      def self.load_from_brewfile(brewfile_path, include_deps: false)
+        raise Error, "Brewfile not found: #{brewfile_path}" unless File.exist?(brewfile_path)
+
+        formula_names = parse_brewfile(brewfile_path)
+        load_named(formula_names, include_deps: include_deps)
+      end
+
       def self.parse_brewfile(brewfile_path)
         output, status = Open3.capture2("brew", "bundle", "list", "--file=#{brewfile_path}", "--formula")
         raise Error, "brew bundle list failed with status #{status.exitstatus}" unless status.success?

data/lib/brew/vulns/osv_client.rb

@@ -3,6 +3,7 @@
 require "net/http"
 require "json"
 require "uri"
+require "brew/vulns/version"
 
 module Brew
   module Vulns
@@ -17,6 +18,8 @@ module Brew
       class Error < StandardError; end
       class ApiError < Error; end
 
+      USER_AGENT = "brew-vulns/#{Brew::Vulns::VERSION} (+https://github.com/Homebrew/homebrew-brew-vulns)"
+
       def query(repo_url:, version:)
         payload = {
           package: {
@@ -66,6 +69,7 @@ module Brew
         uri = URI("#{API_BASE}#{path}")
         request = Net::HTTP::Post.new(uri)
         request["Content-Type"] = "application/json"
+        request["User-Agent"] = USER_AGENT
         request.body = JSON.generate(payload)
 
         execute_request(uri, request)
@@ -75,6 +79,7 @@ module Brew
         uri = URI("#{API_BASE}#{path}")
         request = Net::HTTP::Get.new(uri)
         request["Content-Type"] = "application/json"
+        request["User-Agent"] = USER_AGENT
 
         execute_request(uri, request)
       end
@@ -117,15 +122,24 @@ module Brew
         end
       end
 
+      MAX_PAGES = 100
+
       def fetch_all_pages(response, original_payload)
         vulns = response["vulns"] || []
         page_token = response["next_page_token"]
+        page_count = 1
 
         while page_token
+          if page_count >= MAX_PAGES
+            raise ApiError,
+                  "OSV API returned more than #{MAX_PAGES} pages of results; aborting to avoid an unbounded loop"
+          end
+
           payload = original_payload.merge(page_token: page_token)
           response = post("/query", payload)
           vulns.concat(response["vulns"] || [])
           page_token = response["next_page_token"]
+          page_count += 1
         end
 
         vulns

data/lib/brew/vulns/version.rb

@@ -2,6 +2,6 @@
 
 module Brew
   module Vulns
-    VERSION = "0.2.3"
+    VERSION = "0.3.0"
   end
 end

data/lib/brew/vulns/vulnerability.rb

@@ -2,10 +2,17 @@
 
 require "purl"
 require "vers"
+require "cvss_suite"
 
 module Brew
   module Vulns
     class Vulnerability
+      CVSS_TYPE_PRIORITY = {
+        "CVSS_V4" => 4,
+        "CVSS_V3" => 3,
+        "CVSS_V2" => 2
+      }.freeze
+
       attr_reader :id, :summary, :details, :severity, :aliases, :references, :affected
 
       def initialize(data)
@@ -76,9 +83,9 @@ module Brew
 
       def extract_severity(data)
         if data["severity"]&.any?
-          sev = data["severity"].first
-          if sev["score"]&.include?("CVSS")
-            return severity_from_cvss(sev["score"])
+          cvss_severities(data["severity"]).each do |sev|
+            cvss_severity = severity_from_cvss(sev["score"])
+            return cvss_severity if cvss_severity
           end
         end
 
@@ -97,6 +104,12 @@ module Brew
         nil
       end
 
+      def cvss_severities(severities)
+        severities
+          .select { |sev| CVSS_TYPE_PRIORITY.key?(sev["type"]) }
+          .sort_by { |sev| -CVSS_TYPE_PRIORITY.fetch(sev["type"], 0) }
+      end
+
       def normalize_severity(severity)
         return nil unless severity
 
@@ -109,34 +122,15 @@ module Brew
       end
 
       def severity_from_cvss(vector)
-        return nil unless vector
-        return nil unless vector.include?("CVSS:3")
-
-        metrics = parse_cvss_metrics(vector)
-        return nil if metrics.empty?
-
-        impact_high = %w[C I A].count { |m| metrics[m] == "H" }
-        network_attack = metrics["AV"] == "N"
-        no_privs = metrics["PR"] == "N"
-        no_interaction = metrics["UI"] == "N"
-
-        if impact_high >= 2 && network_attack && no_privs
-          "critical"
-        elsif impact_high >= 1 && network_attack
-          "high"
-        elsif impact_high >= 1 || (network_attack && no_privs && no_interaction)
-          "medium"
-        else
-          "low"
-        end
-      end
+        return nil if vector.to_s.empty?
 
-      def parse_cvss_metrics(vector)
-        metrics = {}
-        vector.scan(%r{([A-Z]+):([A-Z])}).each do |key, value|
-          metrics[key] = value
-        end
-        metrics
+        cvss = CvssSuite.new(vector)
+
+        normalize_severity(cvss.severity)
+      rescue StandardError
+        warn "Warning: Failed to determine severity from CVSS vector " \
+             "'#{vector}' for '#{id}'"
+        nil
       end
 
       def normalize_version(version)
@@ -171,30 +165,51 @@ module Brew
       def version_in_range?(version, events, ecosystem)
         return false if events.nil? || events.empty?
 
-        constraints = build_constraints(events)
-        return false if constraints.empty?
-
-        Vers.satisfies?(version, constraints.join(","), ecosystem)
+        build_constraint_sets(events).any? do |constraints|
+          constraints.empty? || Vers.satisfies?(version, constraints.join(","), ecosystem)
+        end
       rescue StandardError => e
         warn "Warning: Failed to check version '#{version}' against constraints: #{e.message}"
-        false
+        true
       end
 
-      def build_constraints(events)
-        constraints = []
+      def build_constraint_sets(events)
+        constraint_sets = []
+        constraints = nil
+
         events.each do |event|
           if event["introduced"]
+            constraints = []
             intro = normalize_version(event["introduced"])
             constraints << ">=#{intro}" unless intro == "0"
-          end
-          if event["fixed"]
+          elsif event["fixed"]
+            constraints ||= []
             constraints << "<#{normalize_version(event["fixed"])}"
-          end
-          if event["last_affected"]
+            constraint_sets << constraints
+            constraints = nil
+          elsif event["last_affected"]
+            constraints ||= []
             constraints << "<=#{normalize_version(event["last_affected"])}"
+            constraint_sets << constraints
+            constraints = nil
+          elsif event["limit"]
+            constraints ||= []
+            limit_constraint = build_limit_constraint(event["limit"])
+            constraints << limit_constraint if limit_constraint
+            constraint_sets << constraints
+            constraints = nil
           end
         end
-        constraints
+
+        constraint_sets << constraints if constraints
+        constraint_sets
+      end
+
+      def build_limit_constraint(limit)
+        limit = limit.to_s
+        return if limit == "*"
+
+        "<#{normalize_version(limit)}"
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brew-vulns
 version: !ruby/object:Gem::Version
-  version: 0.2.3
+  version: 0.3.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -9,6 +9,20 @@ bindir: exe
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: cvss-suite
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.1'
 - !ruby/object:Gem::Dependency
   name: purl
   requirement: !ruby/object:Gem::Requirement
@@ -82,6 +96,9 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- examples/README.md
+- examples/pr-vuln-check.yml
+- examples/scan-all.yml
 - exe/brew-vulns
 - lib/brew/vulns.rb
 - lib/brew/vulns/cli.rb
@@ -111,7 +128,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 4.0.10
 specification_version: 4
 summary: Check Homebrew packages for known vulnerabilities
 test_files: []