bundler-audit 0.7.0.1 → 0.8.0.rc1

data/data/ruby-advisory-db/gems/spree_auth_devise/OSVDB-90865.yml

@@ -1,20 +0,0 @@
----
-gem: spree_auth_devise
-cve: 2013-2506
-osvdb: 90865
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege
-  Escalation
-date: 2013-02-21
-description: |
-  Spree contains a flaw that leads to unauthorized privileges being gained. The
-  issue is triggered as certain input related to mass role assignment in
-  app/models/spree/user.rb is not properly verified before being used to update
-  a user. This may allow a remote attacker to assign arbitrary roles and gain
-  elevated administrative privileges.
-cvss_v2: 4.0
-patched_versions:
-  - ~> 1.1.6
-  - ~> 1.2.0
-  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/sprockets/CVE-2014-7819.yml

@@ -1,27 +0,0 @@
----
-gem: sprockets
-cve: 2014-7819
-osvdb: 113965
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
-title: Arbitrary file existence disclosure in Sprockets
-date: 2014-10-30
-description: |
-  Specially crafted requests can be used to determine whether a file exists on
-  the filesystem that is outside an application's root directory.  The files
-  will not be served, but attackers can determine whether or not the file
-  exists.
-cvss_v2: 5.0
-patched_versions:
-  - ~> 2.0.5
-  - ~> 2.1.4
-  - ~> 2.2.3
-  - ~> 2.3.3
-  - ~> 2.4.6
-  - ~> 2.5.1
-  - ~> 2.7.1
-  - ~> 2.8.3
-  - ~> 2.9.4
-  - ~> 2.10.2
-  - ~> 2.11.3
-  - ~> 2.12.3
-  - ">= 3.0.0.beta.3"

data/data/ruby-advisory-db/gems/sprockets/CVE-2018-3760.yml

@@ -1,23 +0,0 @@
----
-gem: sprockets
-cve: 2018-3760
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
-title: Path Traversal in Sprockets
-date: 2018-06-19
-description: |
-  Specially crafted requests can be used to access files that exist on
-  the filesystem that is outside an application's root directory, when the
-  Sprockets server is used in production.
-  
-  All users running an affected release should either upgrade or use one of the work arounds immediately.
-  
-  Workaround:
-  In Rails applications, work around this issue, set `config.assets.compile = false` and
-  `config.public_file_server.enabled = true` in an initializer and precompile the assets.
-
-   This work around will not be possible in all hosting environments and upgrading is advised.
-
-patched_versions:
-  - ">= 2.12.5, < 3.0.0"
-  - ">= 3.7.2, < 4.0.0"
-  - ">= 4.0.0.beta8"

data/data/ruby-advisory-db/gems/sprout/CVE-2013-6421.yml

@@ -1,16 +0,0 @@
----
-gem: sprout
-cve: 2013-6421
-osvdb: 100598
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-6421
-title: sprout Gem for Ruby archive_unpacker.rb unpack_zip() Function Multiple Parameter Arbitrary Code Execution
-date: 2013-12-02
-description: |
-  sprout Gem for Ruby contains a flaw in the unpack_zip() function in
-  archive_unpacker.rb. The issue is due to the program failing to properly
-  sanitize input passed via the 'zip_file', 'dir', 'zip_name', and 'output'
-  parameters. This may allow a context-dependent attacker to execute arbitrary
-  code.
-cvss_v2: 7.5
-unaffected_versions:
-  - '< 0.7.246'

data/data/ruby-advisory-db/gems/strong_password/CVE-2019-13354.yml

@@ -1,19 +0,0 @@
----
-gem: strong_password
-cve: 2019-13354
-url: https://withatwist.dev/strong-password-rubygem-hijacked.html
-title: strong_password Ruby gem malicious version causing Remote Code Execution vulnerability
-date: 2019-07-05
-
-description: |
-  The `strong_password` gem on RubyGems.org was hijacked by a malicious actor. The
-  malicious actor published v0.0.7 containing malicious code that enables an attacker
-  to execute remote code in production.
-
-  Upgrade `strong_password` to v0.0.8 to ensure no malicious code execution is possible.
-
-patched_versions:
-  - ">= 0.0.8"
-
-unaffected_versions:
-  - "!= 0.0.7"

data/data/ruby-advisory-db/gems/sup/CVE-2013-4478.yml

@@ -1,14 +0,0 @@
----
-gem: sup
-cve: 2013-4478
-osvdb: 99074
-url: http://www.phenoelit.org/stuff/whatsup.txt
-title:  Sup MUA Email Attachment Content Type Handling Arbitrary Command Execution
-date: 2013-10-29
-description: Sup MUA contains a flaw that is triggered when handling email
-  attachment content. This may allow a context-dependent attacker to execute
-  arbitrary commands.
-cvss_v2: 6.8
-patched_versions:
-  - "~> 0.13.2.1"
-  - ">= 0.14.1.1"

data/data/ruby-advisory-db/gems/sup/CVE-2013-4479.yml

@@ -1,14 +0,0 @@
----
-gem: sup
-cve: 2013-4479
-osvdb: 99074
-url: http://www.phenoelit.org/stuff/whatsup.txt
-title:  Sup MUA Email Attachment Content Type Handling Arbitrary Command Execution
-date: 2013-10-29
-description: Sup MUA contains a flaw that is triggered when handling email
-  attachment content. This may allow a context-dependent attacker to execute
-  arbitrary commands.
-cvss_v2: 6.8
-patched_versions:
-  - "~> 0.13.2.1"
-  - ">= 0.14.1.1"

data/data/ruby-advisory-db/gems/thumbshooter/CVE-2013-1898.yml

@@ -1,9 +0,0 @@
---- 
-gem: thumbshooter
-cve: 2013-1898
-osvdb: 91839
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-1898
-title: Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-03-26
-description: Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.
-cvss_v2: 7.5

data/data/ruby-advisory-db/gems/twitter-bootstrap-rails/OSVDB-109206.yml

@@ -1,22 +0,0 @@
----
-gem: twitter-bootstrap-rails
-framework: rails
-cve: 2014-4920
-osvdb: 109206
-url: https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter
-title: Reflective XSS Vulnerability in twitter-bootstrap-rails
-date: 2014-03-25
-
-description: |
-  The twitter-bootstrap-rails Gem for Rails contains a flaw that enables a 
-  reflected cross-site scripting (XSS) attack. This flaw exists because the
-  bootstrap_flash helper method does not validate input when handling flash 
-  messages before returning it to users. This may allow a context-dependent
-  attacker to create a specially crafted request that would execute arbitrary
-  script code in a user's browser session within the trust relationship between
-  their browser and the server.
-
-cvss_v2: 
-
-patched_versions:
-  - ">= 3.2.0"

data/data/ruby-advisory-db/gems/uglifier/OSVDB-126747.yml

@@ -1,19 +0,0 @@
----
-gem: uglifier
-osvdb: 126747
-url: https://github.com/mishoo/UglifyJS2/issues/751
-title: uglifier incorrectly handles non-boolean comparisons during minification
-date: 2015-07-21
-description: |
-
-  The upstream library for the Ruby uglifier gem, UglifyJS, is
-  affected by a vulnerability that allows a specially crafted 
-  Javascript file to have altered functionality after minification.
-
-  This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated
-  to allow potentially malicious code to be hidden within secure code, 
-  and activated by the minification process.
-
-  For more information, consult: https://zyan.scripts.mit.edu/blog/backdooring-js/
-patched_versions:
-  - ">= 2.7.2"

data/data/ruby-advisory-db/gems/user_agent_parser/CVE-2020-5243.yml

@@ -1,28 +0,0 @@
----
-gem: user_agent_parser
-cve: 2020-5243
-ghsa: pcqq-5962-hvcw
-url: https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw
-date: 2020-03-10
-title: Denial of Service in uap-core when processing crafted User-Agent strings
-description: |-
-  ### Impact
-  Some regexes are vulnerable to regular expression denial of service (REDoS) due to
-  overlapping capture groups. This allows remote attackers to overload a server by
-  setting the User-Agent header in an HTTP(S) request to maliciously crafted long
-  strings.
-
-  ### Patches
-  Please update `uap-ruby` to >= v2.6.0
-
-  ### For more information
-  https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p
-
-cvss_v3: 5.7
-
-patched_versions:
-  - ">= 2.6.0"
-
-related:
-  ghsa:
-    - cmcx-xhr8-3w9p

data/data/ruby-advisory-db/gems/web-console/CVE-2015-3224.yml

@@ -1,22 +0,0 @@
----
-gem: web-console
-cve: 2015-3224
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw
-title: |
-  IP whitelist bypass in Web Console 
-date: 2015-06-16
-
-description: |
-  Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default). 
-
-  Users whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved. 
-
-  All affected users should either upgrade or use one of the work arounds immediately. 
-
-  To work around this issue, turn off web-console in all environments, by removing/commenting it from the application's Gemfile. 
-
-patched_versions:
-  - ">= 2.1.3"
-
-
-

data/data/ruby-advisory-db/gems/web-console/OSVDB-112346.yml

@@ -1,12 +0,0 @@
----
-gem: web-console
-osvdb: 112346
-url: http://www.osvdb.org/show/osvdb/112346
-title: Web Console Gem for Ruby contains an unspecified flaw
-date: 2014-09-29
-description: The Web Console Gem for Ruby on Rails contains an unspecified flaw that
-  may allow an attacker to have an unspecified impact. No further details have been
-  provided by the vendor.
-cvss_v2:
-patched_versions:
-  - ">= 2.0.0.beta4"

data/data/ruby-advisory-db/gems/webbynode/CVE-2013-7086.yml

@@ -1,12 +0,0 @@
----
-gem: webbynode
-cve: 2013-7086
-osvdb: 100920
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-7086
-title: Webbynode Gem for Ruby notify.rb growlnotify Message Handling Arbitrary Command Execution
-date: 2013-12-12
-description: |
-  Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
-  when handling a specially crafted growlnotify message. This may allow a
-  context-dependent attacker to execute arbitrary commands.
-cvss_v2: 7.5

data/data/ruby-advisory-db/gems/websocket-extensions/CVE-2020-7663.yml

@@ -1,35 +0,0 @@
----
-gem: websocket-extensions
-cve: 2020-7663
-ghsa: g6wq-qcwm-j5g2
-url: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
-date: 2020-06-05
-title: Regular Expression Denial of Service in websocket-extensions (RubyGem)
-description: |-
-  ### Impact
-
-  The ReDoS flaw allows an attacker to exhaust the server's capacity to process
-  incoming requests by sending a WebSocket handshake request containing a header
-  of the following form:
-
-      Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...
-
-  That is, a header containing an unclosed string parameter value whose content is
-  a repeating two-byte sequence of a backslash and some other character. The
-  parser takes exponential time to reject this header as invalid, and this will
-  block the processing of any other work on the same thread. Thus if you are
-  running a single-threaded server, such a request can render your service
-  completely unavailable.
-
-  ### Workarounds
-
-  There are no known work-arounds other than disabling any public-facing WebSocket functionality you are operating.
-
-cvss_v3: 7.5
-
-patched_versions:
-  - ">= 0.1.5"
-
-related:
-  url:
-    - https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/

data/data/ruby-advisory-db/gems/wicked/CVE-2013-4413.yml

@@ -1,14 +0,0 @@
----
-gem: wicked
-cve: 2013-4413
-osvdb: 98270
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-4413
-title: Wicked Gem for Ruby contains a flaw
-date: 2013-10-08
-description: Wicked Gem for Ruby contains a flaw that is due to the program
-  failing to properly sanitize input passed via the 'the_step' parameter
-  upon submission to the render_redirect.rb script.
-  This may allow a remote attacker to gain access to arbitrary files.
-cvss_v2: 5.0
-patched_versions:
-  - '>= 1.0.1'

data/data/ruby-advisory-db/gems/will_paginate/CVE-2013-6459.yml

@@ -1,15 +0,0 @@
----
-gem: will_paginate
-osvdb: 101138
-cve: 2013-6459
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-6459
-title: will_paginate Gem for Ruby Generated Pagination Link Unspecified XSS
-date: 2013-09-19
-description: will_paginate Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack.
-  This flaw exists because the application does not validate certain unspecified input related to
-  generated pagination links before returning it to the user. This may allow an attacker to create
-  a specially crafted request that would execute arbitrary script code in a users browser within the
-  trust relationship between their browser and the server.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 3.0.5"

data/data/ruby-advisory-db/gems/xaviershay-dm-rails/CVE-2015-2179.yml

@@ -1,13 +0,0 @@
----
-gem: xaviershay-dm-rails
-cve: 2015-2179
-osvdb: 118579
-url: https://nvd.nist.gov/vuln/detail/CVE-2015-2179
-title: |
-  xaviershay-dm-rails Gem for Ruby exposes sensitive information via the process table
-date: 2015-02-17
-description: |
-  xaviershay-dm-rails Gem for Ruby contains a flaw in the execute() function
-  in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is
-  due to the function exposing sensitive information via the process table.
-  This may allow a local attack to gain access to MySQL credential information.

data/data/ruby-advisory-db/gems/yajl-ruby/CVE-2017-16516.yml

@@ -1,19 +0,0 @@
----
-gem: yajl-ruby
-cve: 2017-16516
-url: https://nvd.nist.gov/vuln/detail/CVE-2017-16516
-title: Flaw in yajl-ruby gem may cause a DoS
-date: 2017-11-03
-
-description: |
-  In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to
-  Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the 
-  yajl_string_decode function in yajl_encode.c. This results in the whole ruby 
-  process terminating and potentially a denial of service.
-
-patched_versions:
-  - ">= 1.3.1"
-
-related:
-  url:
-    - https://github.com/brianmario/yajl-ruby/issues/176

data/data/ruby-advisory-db/gems/yard/CVE-2017-17042.yml

@@ -1,16 +0,0 @@
----
-gem: yard
-cve: 2017-17042
-url: https://nvd.nist.gov/vuln/detail/CVE-2017-17042
-date: 2017-11-28
-title: Potential arbitrary file read vulnerability in yard server
-description: |
-  lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block
-  relative paths with an initial ../ sequence, which allows attackers to conduct
-  directory traversal attacks and read arbitrary files.
-
-cvss_v2: 5.0
-cvss_v3: 7.5
-
-patched_versions:
-  - ">= 0.9.11"

data/data/ruby-advisory-db/gems/yard/CVE-2019-1020001.yml

@@ -1,17 +0,0 @@
----
-gem: yard
-cve: 2019-1020001
-ghsa: xfhh-rx56-rxcr
-url: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
-date: 2019-07-02
-title: Arbitrary path traversal and file access via `yard server`
-description: |
-  A path traversal vulnerability was discovered in YARD <= 0.9.19 when using 
-  `yard server` to serve documentation. This bug would allow unsanitized HTTP
-  requests to access arbitrary files on the machine of a yard server host under
-  certain conditions.
-
-  The issue is resolved in v0.9.20 and later.
-patched_versions:
-  - ">= 0.9.20"
-cvss_v3: 7.3

data/data/ruby-advisory-db/gems/yard/GHSA-xfhh-rx56-rxcr.yml

@@ -1,12 +0,0 @@
----
-gem: yard
-ghsa: xfhh-rx56-rxcr
-date: 2019-07-02
-url: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
-title: Possible arbitrary path traversal and file access via `yard server`
-description: A path traversal vulnerability was discovered in YARD <= 0.9.19 when
-  using `yard server` to serve documentation. This bug would allow unsanitized HTTP
-  requests to access arbitrary files on the machine of a yard server host under certain
-  conditions.
-patched_versions:
-- ">= 0.9.20"

data/data/ruby-advisory-db/lib/cf_scrape.py

@@ -1,5 +0,0 @@
-import cfscrape
-import sys
-
-scraper = cfscrape.create_scraper() # returns a requests.Session object
-print scraper.get(sys.argv[1]).content

data/data/ruby-advisory-db/lib/github_advisory_sync.rb

@@ -1,296 +0,0 @@
-require "faraday"
-require "json"
-require "yaml"
-require "open-uri"
-
-module GitHub
-  class GitHubAdvisorySync
-
-    # Sync makes sure there are rubysec advisories for all GitHub advisories
-    # It writes a set of yaml files, one for each GitHub Advisory that
-    # is not already present in this repo
-    #
-    # The min_year argument specifies the earliest year CVE to sync.
-    # It is more important to sync the newer ones, so this allows the user to
-    # control how old of CVEs the sync should pull over
-    def self.sync(min_year: 2015)
-      gh_advisories = GraphQLAPIClient.new.retrieve_all_rubygem_publishable_advisories
-
-      # Filter out advisories with a CVE year that is before the min_year
-      gh_advisories.select! do |advisory|
-        if advisory.cve_id
-          _, cve_year = advisory.cve_id.match(/^CVE-(\d+)-\d+$/).to_a
-          cve_year.to_i >= min_year
-        else
-          true # all advisories without a CVE are included too
-        end
-      end
-
-      files_written = []
-      gh_advisories.each do |advisory|
-        files_written += advisory.write_files
-      end
-
-      puts "\nSync completed"
-      if files_written.empty?
-        puts "Nothing to sync today! All CVEs starting from #{min_year} are already present"
-      else
-        puts "Wrote these files:\n#{files_written.to_yaml}"
-      end
-
-      files_written
-    end
-  end
-
-  class GraphQLAPIClient
-    GITHUB_API_URL = "https://api.github.com/graphql"
-
-    GitHubApiTokenMissingError = Class.new(StandardError)
-
-    # return a lazy initialized connection to github api
-    def github_api(adapter = :net_http)
-      @faraday_connection ||= begin
-        puts "Initializing GitHub API connection to URL: #{GITHUB_API_URL}"
-        Faraday.new do |conn_builder|
-          conn_builder.adapter adapter
-          conn_builder.headers = {
-            "User-Agent" => "rubysec/ruby-advisory-db rubysec sync script",
-            "Content-Type" => "application/json",
-            "Authorization" => "token #{github_api_token}"
-          }
-        end
-      end
-      @faraday_connection
-    end
-
-    # An error class which gets raised when a GraphQL request fails
-    GitHubGraphQLAPIError = Class.new(StandardError)
-
-    # all interactions with the API go through this method to standardize
-    # error checking and how queries and requests are formed
-    def github_graphql_query(graphql_query_name, graphql_variables = {})
-      graphql_query_str = GraphQLQueries.const_get graphql_query_name
-      graphql_body = JSON.generate query: graphql_query_str,
-                                   variables: graphql_variables
-      puts "Executing GraphQL request: #{graphql_query_name}. Request variables:\n#{graphql_variables.to_yaml}\n"
-      faraday_response = github_api.post do |req|
-        req.url GITHUB_API_URL
-        req.body = graphql_body
-      end
-      puts "Got response code: #{faraday_response.status}"
-      if faraday_response.status != 200
-        raise(GitHubGraphQLAPIError, "GitHub GraphQL request to #{faraday_response.env.url} failed: #{faraday_response.body}")
-      end
-      body_obj = JSON.parse faraday_response.body
-      if body_obj["errors"]
-        raise(GitHubGraphQLAPIError, body_obj["errors"].map { |e| e["message"] }.join(", "))
-      end
-      body_obj
-    end
-
-    def retrieve_all_github_advisories(max_pages = 1000, page_size = 100)
-      all_advisories = []
-      variables = { "first" => page_size }
-      max_pages.times do |page_num|
-        puts "Getting page #{page_num + 1} of GitHub Advisories"
-        page = github_graphql_query(:GITHUB_ADVISORIES_WITH_RUBYGEM_VULNERABILITY, variables)
-        advisories_this_page = page["data"]["securityAdvisories"]["nodes"]
-        all_advisories += advisories_this_page
-        break unless page["data"]["securityAdvisories"]["pageInfo"]["hasNextPage"] == true
-        variables["after"] = page["data"]["securityAdvisories"]["pageInfo"]["endCursor"]
-      end
-      puts "Retrieved #{all_advisories.length} Advisories from GitHub API"
-
-      all_advisories.map do |advisory_graphql_obj|
-        GitHubAdvisory.new github_advisory_graphql_object: advisory_graphql_obj
-      end
-    end
-
-    def retrieve_all_rubygem_publishable_advisories
-      all_advisories = retrieve_all_github_advisories
-      # remove withdrawn advisories,
-      # and remove those where there are no vulnerabilities for ruby
-      all_advisories.reject { |advisory| advisory.withdrawn? }
-                    .select { |advisory| advisory.has_ruby_vulnerabilities? }
-    end
-
-    module GraphQLQueries
-      GITHUB_ADVISORIES_WITH_RUBYGEM_VULNERABILITY = <<-GRAPHQL.freeze
-        query($first: Int, $after: String) {
-          securityAdvisories(first: $first, after: $after) {
-            pageInfo {
-              endCursor
-              hasNextPage
-              hasPreviousPage
-              startCursor
-            }
-            nodes {
-              identifiers {
-                type
-                value
-              }
-              summary
-              description
-              severity
-              references {
-                url
-              }
-              publishedAt
-              withdrawnAt
-              vulnerabilities(ecosystem:RUBYGEMS, first: 10) {
-                nodes {
-                  package {
-                    name
-                    ecosystem
-                  }
-                  vulnerableVersionRange
-                  firstPatchedVersion {
-                    identifier
-                  }
-                }
-              }
-            }
-          }
-        }
-      GRAPHQL
-    end
-
-    private
-
-    def github_api_token
-      unless ENV["GH_API_TOKEN"]
-        raise GitHubApiTokenMissingError, "Unable to make API requests.  Must define 'GH_API_TOKEN' environment variable."
-      end
-      ENV["GH_API_TOKEN"]
-    end
-  end
-
-  class GitHubAdvisory
-
-    attr_reader :github_advisory_graphql_object
-
-    def initialize(github_advisory_graphql_object:)
-      @github_advisory_graphql_object = github_advisory_graphql_object
-    end
-
-    def identifier_list
-      github_advisory_graphql_object["identifiers"]
-    end
-
-    # extract the CVE identifier from the GitHub Advisory identifier list
-    def cve_id
-      cve_id_obj = identifier_list.find { |id| id["type"] == "CVE" }
-      return nil unless cve_id_obj
-
-      cve_id_obj["value"]
-    end
-
-    def ghsa_id
-      id_obj = identifier_list.find { |id| id["type"] == "GHSA" }
-      id_obj["value"]
-    end
-
-    # advisories should be identified by CVE ID if there is one
-    # but for maintainer submitted advisories there may not be one,
-    # so a GitHub Security Advisory ID (ghsa_id) is used instead
-    def primary_id
-      return cve_id if cve_id
-      ghsa_id
-    end
-
-    # return a date as a string like 2019-03-21.
-    def published_day
-      return nil unless github_advisory_graphql_object["publishedAt"]
-
-      pub_date = Date.parse(github_advisory_graphql_object["publishedAt"])
-      # pub_date.strftime("%Y-%m-%d")
-      pub_date
-    end
-
-    def package_names
-      github_advisory_graphql_object["vulnerabilities"]["nodes"].map{|v| v["package"]["name"]}.uniq
-    end
-
-    def rubysec_filenames
-      package_names.map do |package_name|
-        File.join("gems", package_name, "#{cve_id}.yml")
-      end
-    end
-
-    def withdrawn?
-      !github_advisory_graphql_object["withdrawnAt"].nil?
-    end
-
-    def external_reference
-      github_advisory_graphql_object["references"].first["url"]
-    end
-
-    def vulnerabilities
-      github_advisory_graphql_object["vulnerabilities"]["nodes"]
-    end
-
-    def has_ruby_vulnerabilities?
-      vulnerabilities.any? do |vuln|
-        vuln["package"]["ecosystem"] == "RUBYGEMS"
-      end
-    end
-
-    def some_rubysec_files_do_not_exist?
-      rubysec_filenames.any?{|filename| !File.exist?(filename) }
-    end
-
-    def write_files
-      return [] unless some_rubysec_files_do_not_exist?
-
-      files_written = []
-      vulnerabilities.each do |vulnerability|
-        filename_to_write = File.join("gems", vulnerability["package"]["name"], "#{primary_id}.yml")
-        next if File.exist?(filename_to_write)
-
-        data = {
-          "gem" => vulnerability["package"]["name"],
-          "ghsa" => ghsa_id[5..],
-          "url" => external_reference,
-          "date" => published_day,
-          "title" => github_advisory_graphql_object["summary"],
-          "description" => github_advisory_graphql_object["description"],
-          "cvss_v3" => "<FILL IN IF AVAILABLE>",
-          "patched_versions" => [ "<FILL IN SEE BELOW>" ],
-          "unaffected_versions" => [ "<OPTIONAL: FILL IN SEE BELOW>" ]
-        }
-        data["cve"] = cve_id[4..20] if cve_id
-
-        dir_to_write = File.dirname(filename_to_write)
-        Dir.mkdir dir_to_write unless Dir.exist?(dir_to_write)
-        File.open(filename_to_write, "w") do |file|
-          # create an automatically generated advisory yaml file
-          file.write data.to_yaml
-
-          # The data we just wrote is incomplete,
-          # and therefore should not be committed as is
-          # We can not directly translate from GitHub to rubysec advisory format
-          #
-          # The patched_versions field is not exactly available.
-          # - GitHub has a first_patched_version field,
-          #   but rubysec advisory needs a ruby version spec
-          #
-          # The unnaffected_versions field is similarly not directly available
-          # This optional field must be inferred from the vulnerableVersionRange
-          #
-          # To help write those fields, we put all the github data below.
-          #
-          # The second block of yaml in a .yaml file is ignored (after the second "---" line)
-          # This effectively makes this data a large comment
-          # Still it should be removed before the data goes into rubysec
-          file.write "\n\n# GitHub advisory data below - **Remove this data before committing**\n"
-          file.write "# Use this data to write patched_versions (and potentially unaffected_versions) above\n"
-          file.write github_advisory_graphql_object.to_yaml
-        end
-        puts "Wrote: #{filename_to_write}"
-        files_written << filename_to_write
-      end
-
-      files_written
-    end
-  end
-end