bundler-audit 0.7.0 → 0.7.0.1

data/data/ruby-advisory-db/gems/spree_auth_devise/OSVDB-90865.yml

@@ -0,0 +1,20 @@
+---
+gem: spree_auth_devise
+cve: 2013-2506
+osvdb: 90865
+url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
+title: |
+  Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege
+  Escalation
+date: 2013-02-21
+description: |
+  Spree contains a flaw that leads to unauthorized privileges being gained. The
+  issue is triggered as certain input related to mass role assignment in
+  app/models/spree/user.rb is not properly verified before being used to update
+  a user. This may allow a remote attacker to assign arbitrary roles and gain
+  elevated administrative privileges.
+cvss_v2: 4.0
+patched_versions:
+  - ~> 1.1.6
+  - ~> 1.2.0
+  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/sprockets/CVE-2014-7819.yml

@@ -0,0 +1,27 @@
+---
+gem: sprockets
+cve: 2014-7819
+osvdb: 113965
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
+title: Arbitrary file existence disclosure in Sprockets
+date: 2014-10-30
+description: |
+  Specially crafted requests can be used to determine whether a file exists on
+  the filesystem that is outside an application's root directory.  The files
+  will not be served, but attackers can determine whether or not the file
+  exists.
+cvss_v2: 5.0
+patched_versions:
+  - ~> 2.0.5
+  - ~> 2.1.4
+  - ~> 2.2.3
+  - ~> 2.3.3
+  - ~> 2.4.6
+  - ~> 2.5.1
+  - ~> 2.7.1
+  - ~> 2.8.3
+  - ~> 2.9.4
+  - ~> 2.10.2
+  - ~> 2.11.3
+  - ~> 2.12.3
+  - ">= 3.0.0.beta.3"

data/data/ruby-advisory-db/gems/sprockets/CVE-2018-3760.yml

@@ -0,0 +1,23 @@
+---
+gem: sprockets
+cve: 2018-3760
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
+title: Path Traversal in Sprockets
+date: 2018-06-19
+description: |
+  Specially crafted requests can be used to access files that exist on
+  the filesystem that is outside an application's root directory, when the
+  Sprockets server is used in production.
+  
+  All users running an affected release should either upgrade or use one of the work arounds immediately.
+  
+  Workaround:
+  In Rails applications, work around this issue, set `config.assets.compile = false` and
+  `config.public_file_server.enabled = true` in an initializer and precompile the assets.
+
+   This work around will not be possible in all hosting environments and upgrading is advised.
+
+patched_versions:
+  - ">= 2.12.5, < 3.0.0"
+  - ">= 3.7.2, < 4.0.0"
+  - ">= 4.0.0.beta8"

data/data/ruby-advisory-db/gems/sprout/CVE-2013-6421.yml

@@ -0,0 +1,16 @@
+---
+gem: sprout
+cve: 2013-6421
+osvdb: 100598
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-6421
+title: sprout Gem for Ruby archive_unpacker.rb unpack_zip() Function Multiple Parameter Arbitrary Code Execution
+date: 2013-12-02
+description: |
+  sprout Gem for Ruby contains a flaw in the unpack_zip() function in
+  archive_unpacker.rb. The issue is due to the program failing to properly
+  sanitize input passed via the 'zip_file', 'dir', 'zip_name', and 'output'
+  parameters. This may allow a context-dependent attacker to execute arbitrary
+  code.
+cvss_v2: 7.5
+unaffected_versions:
+  - '< 0.7.246'

data/data/ruby-advisory-db/gems/strong_password/CVE-2019-13354.yml

@@ -0,0 +1,19 @@
+---
+gem: strong_password
+cve: 2019-13354
+url: https://withatwist.dev/strong-password-rubygem-hijacked.html
+title: strong_password Ruby gem malicious version causing Remote Code Execution vulnerability
+date: 2019-07-05
+
+description: |
+  The `strong_password` gem on RubyGems.org was hijacked by a malicious actor. The
+  malicious actor published v0.0.7 containing malicious code that enables an attacker
+  to execute remote code in production.
+
+  Upgrade `strong_password` to v0.0.8 to ensure no malicious code execution is possible.
+
+patched_versions:
+  - ">= 0.0.8"
+
+unaffected_versions:
+  - "!= 0.0.7"

data/data/ruby-advisory-db/gems/sup/CVE-2013-4478.yml

@@ -0,0 +1,14 @@
+---
+gem: sup
+cve: 2013-4478
+osvdb: 99074
+url: http://www.phenoelit.org/stuff/whatsup.txt
+title:  Sup MUA Email Attachment Content Type Handling Arbitrary Command Execution
+date: 2013-10-29
+description: Sup MUA contains a flaw that is triggered when handling email
+  attachment content. This may allow a context-dependent attacker to execute
+  arbitrary commands.
+cvss_v2: 6.8
+patched_versions:
+  - "~> 0.13.2.1"
+  - ">= 0.14.1.1"

data/data/ruby-advisory-db/gems/sup/CVE-2013-4479.yml

@@ -0,0 +1,14 @@
+---
+gem: sup
+cve: 2013-4479
+osvdb: 99074
+url: http://www.phenoelit.org/stuff/whatsup.txt
+title:  Sup MUA Email Attachment Content Type Handling Arbitrary Command Execution
+date: 2013-10-29
+description: Sup MUA contains a flaw that is triggered when handling email
+  attachment content. This may allow a context-dependent attacker to execute
+  arbitrary commands.
+cvss_v2: 6.8
+patched_versions:
+  - "~> 0.13.2.1"
+  - ">= 0.14.1.1"

data/data/ruby-advisory-db/gems/thumbshooter/CVE-2013-1898.yml

@@ -0,0 +1,9 @@
+--- 
+gem: thumbshooter
+cve: 2013-1898
+osvdb: 91839
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-1898
+title: Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-03-26
+description: Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.
+cvss_v2: 7.5

data/data/ruby-advisory-db/gems/twitter-bootstrap-rails/OSVDB-109206.yml

@@ -0,0 +1,22 @@
+---
+gem: twitter-bootstrap-rails
+framework: rails
+cve: 2014-4920
+osvdb: 109206
+url: https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter
+title: Reflective XSS Vulnerability in twitter-bootstrap-rails
+date: 2014-03-25
+
+description: |
+  The twitter-bootstrap-rails Gem for Rails contains a flaw that enables a 
+  reflected cross-site scripting (XSS) attack. This flaw exists because the
+  bootstrap_flash helper method does not validate input when handling flash 
+  messages before returning it to users. This may allow a context-dependent
+  attacker to create a specially crafted request that would execute arbitrary
+  script code in a user's browser session within the trust relationship between
+  their browser and the server.
+
+cvss_v2: 
+
+patched_versions:
+  - ">= 3.2.0"

data/data/ruby-advisory-db/gems/uglifier/OSVDB-126747.yml

@@ -0,0 +1,19 @@
+---
+gem: uglifier
+osvdb: 126747
+url: https://github.com/mishoo/UglifyJS2/issues/751
+title: uglifier incorrectly handles non-boolean comparisons during minification
+date: 2015-07-21
+description: |
+
+  The upstream library for the Ruby uglifier gem, UglifyJS, is
+  affected by a vulnerability that allows a specially crafted 
+  Javascript file to have altered functionality after minification.
+
+  This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated
+  to allow potentially malicious code to be hidden within secure code, 
+  and activated by the minification process.
+
+  For more information, consult: https://zyan.scripts.mit.edu/blog/backdooring-js/
+patched_versions:
+  - ">= 2.7.2"

data/data/ruby-advisory-db/gems/user_agent_parser/CVE-2020-5243.yml

@@ -0,0 +1,28 @@
+---
+gem: user_agent_parser
+cve: 2020-5243
+ghsa: pcqq-5962-hvcw
+url: https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw
+date: 2020-03-10
+title: Denial of Service in uap-core when processing crafted User-Agent strings
+description: |-
+  ### Impact
+  Some regexes are vulnerable to regular expression denial of service (REDoS) due to
+  overlapping capture groups. This allows remote attackers to overload a server by
+  setting the User-Agent header in an HTTP(S) request to maliciously crafted long
+  strings.
+
+  ### Patches
+  Please update `uap-ruby` to >= v2.6.0
+
+  ### For more information
+  https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p
+
+cvss_v3: 5.7
+
+patched_versions:
+  - ">= 2.6.0"
+
+related:
+  ghsa:
+    - cmcx-xhr8-3w9p

data/data/ruby-advisory-db/gems/web-console/CVE-2015-3224.yml

@@ -0,0 +1,22 @@
+---
+gem: web-console
+cve: 2015-3224
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw
+title: |
+  IP whitelist bypass in Web Console 
+date: 2015-06-16
+
+description: |
+  Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default). 
+
+  Users whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved. 
+
+  All affected users should either upgrade or use one of the work arounds immediately. 
+
+  To work around this issue, turn off web-console in all environments, by removing/commenting it from the application's Gemfile. 
+
+patched_versions:
+  - ">= 2.1.3"
+
+
+

data/data/ruby-advisory-db/gems/web-console/OSVDB-112346.yml

@@ -0,0 +1,12 @@
+---
+gem: web-console
+osvdb: 112346
+url: http://www.osvdb.org/show/osvdb/112346
+title: Web Console Gem for Ruby contains an unspecified flaw
+date: 2014-09-29
+description: The Web Console Gem for Ruby on Rails contains an unspecified flaw that
+  may allow an attacker to have an unspecified impact. No further details have been
+  provided by the vendor.
+cvss_v2:
+patched_versions:
+  - ">= 2.0.0.beta4"

data/data/ruby-advisory-db/gems/webbynode/CVE-2013-7086.yml

@@ -0,0 +1,12 @@
+---
+gem: webbynode
+cve: 2013-7086
+osvdb: 100920
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-7086
+title: Webbynode Gem for Ruby notify.rb growlnotify Message Handling Arbitrary Command Execution
+date: 2013-12-12
+description: |
+  Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
+  when handling a specially crafted growlnotify message. This may allow a
+  context-dependent attacker to execute arbitrary commands.
+cvss_v2: 7.5

data/data/ruby-advisory-db/gems/websocket-extensions/CVE-2020-7663.yml

@@ -0,0 +1,35 @@
+---
+gem: websocket-extensions
+cve: 2020-7663
+ghsa: g6wq-qcwm-j5g2
+url: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
+date: 2020-06-05
+title: Regular Expression Denial of Service in websocket-extensions (RubyGem)
+description: |-
+  ### Impact
+
+  The ReDoS flaw allows an attacker to exhaust the server's capacity to process
+  incoming requests by sending a WebSocket handshake request containing a header
+  of the following form:
+
+      Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...
+
+  That is, a header containing an unclosed string parameter value whose content is
+  a repeating two-byte sequence of a backslash and some other character. The
+  parser takes exponential time to reject this header as invalid, and this will
+  block the processing of any other work on the same thread. Thus if you are
+  running a single-threaded server, such a request can render your service
+  completely unavailable.
+
+  ### Workarounds
+
+  There are no known work-arounds other than disabling any public-facing WebSocket functionality you are operating.
+
+cvss_v3: 7.5
+
+patched_versions:
+  - ">= 0.1.5"
+
+related:
+  url:
+    - https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/

data/data/ruby-advisory-db/gems/wicked/CVE-2013-4413.yml

@@ -0,0 +1,14 @@
+---
+gem: wicked
+cve: 2013-4413
+osvdb: 98270
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-4413
+title: Wicked Gem for Ruby contains a flaw
+date: 2013-10-08
+description: Wicked Gem for Ruby contains a flaw that is due to the program
+  failing to properly sanitize input passed via the 'the_step' parameter
+  upon submission to the render_redirect.rb script.
+  This may allow a remote attacker to gain access to arbitrary files.
+cvss_v2: 5.0
+patched_versions:
+  - '>= 1.0.1'

data/data/ruby-advisory-db/gems/will_paginate/CVE-2013-6459.yml

@@ -0,0 +1,15 @@
+---
+gem: will_paginate
+osvdb: 101138
+cve: 2013-6459
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-6459
+title: will_paginate Gem for Ruby Generated Pagination Link Unspecified XSS
+date: 2013-09-19
+description: will_paginate Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack.
+  This flaw exists because the application does not validate certain unspecified input related to
+  generated pagination links before returning it to the user. This may allow an attacker to create
+  a specially crafted request that would execute arbitrary script code in a users browser within the
+  trust relationship between their browser and the server.
+cvss_v2: 4.3
+patched_versions:
+  - ">= 3.0.5"

data/data/ruby-advisory-db/gems/xaviershay-dm-rails/CVE-2015-2179.yml

@@ -0,0 +1,13 @@
+---
+gem: xaviershay-dm-rails
+cve: 2015-2179
+osvdb: 118579
+url: https://nvd.nist.gov/vuln/detail/CVE-2015-2179
+title: |
+  xaviershay-dm-rails Gem for Ruby exposes sensitive information via the process table
+date: 2015-02-17
+description: |
+  xaviershay-dm-rails Gem for Ruby contains a flaw in the execute() function
+  in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is
+  due to the function exposing sensitive information via the process table.
+  This may allow a local attack to gain access to MySQL credential information.

data/data/ruby-advisory-db/gems/yajl-ruby/CVE-2017-16516.yml

@@ -0,0 +1,19 @@
+---
+gem: yajl-ruby
+cve: 2017-16516
+url: https://nvd.nist.gov/vuln/detail/CVE-2017-16516
+title: Flaw in yajl-ruby gem may cause a DoS
+date: 2017-11-03
+
+description: |
+  In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to
+  Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the 
+  yajl_string_decode function in yajl_encode.c. This results in the whole ruby 
+  process terminating and potentially a denial of service.
+
+patched_versions:
+  - ">= 1.3.1"
+
+related:
+  url:
+    - https://github.com/brianmario/yajl-ruby/issues/176

data/data/ruby-advisory-db/gems/yard/CVE-2017-17042.yml

@@ -0,0 +1,16 @@
+---
+gem: yard
+cve: 2017-17042
+url: https://nvd.nist.gov/vuln/detail/CVE-2017-17042
+date: 2017-11-28
+title: Potential arbitrary file read vulnerability in yard server
+description: |
+  lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block
+  relative paths with an initial ../ sequence, which allows attackers to conduct
+  directory traversal attacks and read arbitrary files.
+
+cvss_v2: 5.0
+cvss_v3: 7.5
+
+patched_versions:
+  - ">= 0.9.11"

data/data/ruby-advisory-db/gems/yard/CVE-2019-1020001.yml

@@ -0,0 +1,17 @@
+---
+gem: yard
+cve: 2019-1020001
+ghsa: xfhh-rx56-rxcr
+url: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
+date: 2019-07-02
+title: Arbitrary path traversal and file access via `yard server`
+description: |
+  A path traversal vulnerability was discovered in YARD <= 0.9.19 when using 
+  `yard server` to serve documentation. This bug would allow unsanitized HTTP
+  requests to access arbitrary files on the machine of a yard server host under
+  certain conditions.
+
+  The issue is resolved in v0.9.20 and later.
+patched_versions:
+  - ">= 0.9.20"
+cvss_v3: 7.3

data/data/ruby-advisory-db/gems/yard/GHSA-xfhh-rx56-rxcr.yml

@@ -0,0 +1,12 @@
+---
+gem: yard
+ghsa: xfhh-rx56-rxcr
+date: 2019-07-02
+url: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
+title: Possible arbitrary path traversal and file access via `yard server`
+description: A path traversal vulnerability was discovered in YARD <= 0.9.19 when
+  using `yard server` to serve documentation. This bug would allow unsanitized HTTP
+  requests to access arbitrary files on the machine of a yard server host under certain
+  conditions.
+patched_versions:
+- ">= 0.9.20"

data/data/ruby-advisory-db/lib/cf_scrape.py

@@ -0,0 +1,5 @@
+import cfscrape
+import sys
+
+scraper = cfscrape.create_scraper() # returns a requests.Session object
+print scraper.get(sys.argv[1]).content

data/data/ruby-advisory-db/lib/github_advisory_sync.rb

@@ -0,0 +1,296 @@
+require "faraday"
+require "json"
+require "yaml"
+require "open-uri"
+
+module GitHub
+  class GitHubAdvisorySync
+
+    # Sync makes sure there are rubysec advisories for all GitHub advisories
+    # It writes a set of yaml files, one for each GitHub Advisory that
+    # is not already present in this repo
+    #
+    # The min_year argument specifies the earliest year CVE to sync.
+    # It is more important to sync the newer ones, so this allows the user to
+    # control how old of CVEs the sync should pull over
+    def self.sync(min_year: 2015)
+      gh_advisories = GraphQLAPIClient.new.retrieve_all_rubygem_publishable_advisories
+
+      # Filter out advisories with a CVE year that is before the min_year
+      gh_advisories.select! do |advisory|
+        if advisory.cve_id
+          _, cve_year = advisory.cve_id.match(/^CVE-(\d+)-\d+$/).to_a
+          cve_year.to_i >= min_year
+        else
+          true # all advisories without a CVE are included too
+        end
+      end
+
+      files_written = []
+      gh_advisories.each do |advisory|
+        files_written += advisory.write_files
+      end
+
+      puts "\nSync completed"
+      if files_written.empty?
+        puts "Nothing to sync today! All CVEs starting from #{min_year} are already present"
+      else
+        puts "Wrote these files:\n#{files_written.to_yaml}"
+      end
+
+      files_written
+    end
+  end
+
+  class GraphQLAPIClient
+    GITHUB_API_URL = "https://api.github.com/graphql"
+
+    GitHubApiTokenMissingError = Class.new(StandardError)
+
+    # return a lazy initialized connection to github api
+    def github_api(adapter = :net_http)
+      @faraday_connection ||= begin
+        puts "Initializing GitHub API connection to URL: #{GITHUB_API_URL}"
+        Faraday.new do |conn_builder|
+          conn_builder.adapter adapter
+          conn_builder.headers = {
+            "User-Agent" => "rubysec/ruby-advisory-db rubysec sync script",
+            "Content-Type" => "application/json",
+            "Authorization" => "token #{github_api_token}"
+          }
+        end
+      end
+      @faraday_connection
+    end
+
+    # An error class which gets raised when a GraphQL request fails
+    GitHubGraphQLAPIError = Class.new(StandardError)
+
+    # all interactions with the API go through this method to standardize
+    # error checking and how queries and requests are formed
+    def github_graphql_query(graphql_query_name, graphql_variables = {})
+      graphql_query_str = GraphQLQueries.const_get graphql_query_name
+      graphql_body = JSON.generate query: graphql_query_str,
+                                   variables: graphql_variables
+      puts "Executing GraphQL request: #{graphql_query_name}. Request variables:\n#{graphql_variables.to_yaml}\n"
+      faraday_response = github_api.post do |req|
+        req.url GITHUB_API_URL
+        req.body = graphql_body
+      end
+      puts "Got response code: #{faraday_response.status}"
+      if faraday_response.status != 200
+        raise(GitHubGraphQLAPIError, "GitHub GraphQL request to #{faraday_response.env.url} failed: #{faraday_response.body}")
+      end
+      body_obj = JSON.parse faraday_response.body
+      if body_obj["errors"]
+        raise(GitHubGraphQLAPIError, body_obj["errors"].map { |e| e["message"] }.join(", "))
+      end
+      body_obj
+    end
+
+    def retrieve_all_github_advisories(max_pages = 1000, page_size = 100)
+      all_advisories = []
+      variables = { "first" => page_size }
+      max_pages.times do |page_num|
+        puts "Getting page #{page_num + 1} of GitHub Advisories"
+        page = github_graphql_query(:GITHUB_ADVISORIES_WITH_RUBYGEM_VULNERABILITY, variables)
+        advisories_this_page = page["data"]["securityAdvisories"]["nodes"]
+        all_advisories += advisories_this_page
+        break unless page["data"]["securityAdvisories"]["pageInfo"]["hasNextPage"] == true
+        variables["after"] = page["data"]["securityAdvisories"]["pageInfo"]["endCursor"]
+      end
+      puts "Retrieved #{all_advisories.length} Advisories from GitHub API"
+
+      all_advisories.map do |advisory_graphql_obj|
+        GitHubAdvisory.new github_advisory_graphql_object: advisory_graphql_obj
+      end
+    end
+
+    def retrieve_all_rubygem_publishable_advisories
+      all_advisories = retrieve_all_github_advisories
+      # remove withdrawn advisories,
+      # and remove those where there are no vulnerabilities for ruby
+      all_advisories.reject { |advisory| advisory.withdrawn? }
+                    .select { |advisory| advisory.has_ruby_vulnerabilities? }
+    end
+
+    module GraphQLQueries
+      GITHUB_ADVISORIES_WITH_RUBYGEM_VULNERABILITY = <<-GRAPHQL.freeze
+        query($first: Int, $after: String) {
+          securityAdvisories(first: $first, after: $after) {
+            pageInfo {
+              endCursor
+              hasNextPage
+              hasPreviousPage
+              startCursor
+            }
+            nodes {
+              identifiers {
+                type
+                value
+              }
+              summary
+              description
+              severity
+              references {
+                url
+              }
+              publishedAt
+              withdrawnAt
+              vulnerabilities(ecosystem:RUBYGEMS, first: 10) {
+                nodes {
+                  package {
+                    name
+                    ecosystem
+                  }
+                  vulnerableVersionRange
+                  firstPatchedVersion {
+                    identifier
+                  }
+                }
+              }
+            }
+          }
+        }
+      GRAPHQL
+    end
+
+    private
+
+    def github_api_token
+      unless ENV["GH_API_TOKEN"]
+        raise GitHubApiTokenMissingError, "Unable to make API requests.  Must define 'GH_API_TOKEN' environment variable."
+      end
+      ENV["GH_API_TOKEN"]
+    end
+  end
+
+  class GitHubAdvisory
+
+    attr_reader :github_advisory_graphql_object
+
+    def initialize(github_advisory_graphql_object:)
+      @github_advisory_graphql_object = github_advisory_graphql_object
+    end
+
+    def identifier_list
+      github_advisory_graphql_object["identifiers"]
+    end
+
+    # extract the CVE identifier from the GitHub Advisory identifier list
+    def cve_id
+      cve_id_obj = identifier_list.find { |id| id["type"] == "CVE" }
+      return nil unless cve_id_obj
+
+      cve_id_obj["value"]
+    end
+
+    def ghsa_id
+      id_obj = identifier_list.find { |id| id["type"] == "GHSA" }
+      id_obj["value"]
+    end
+
+    # advisories should be identified by CVE ID if there is one
+    # but for maintainer submitted advisories there may not be one,
+    # so a GitHub Security Advisory ID (ghsa_id) is used instead
+    def primary_id
+      return cve_id if cve_id
+      ghsa_id
+    end
+
+    # return a date as a string like 2019-03-21.
+    def published_day
+      return nil unless github_advisory_graphql_object["publishedAt"]
+
+      pub_date = Date.parse(github_advisory_graphql_object["publishedAt"])
+      # pub_date.strftime("%Y-%m-%d")
+      pub_date
+    end
+
+    def package_names
+      github_advisory_graphql_object["vulnerabilities"]["nodes"].map{|v| v["package"]["name"]}.uniq
+    end
+
+    def rubysec_filenames
+      package_names.map do |package_name|
+        File.join("gems", package_name, "#{cve_id}.yml")
+      end
+    end
+
+    def withdrawn?
+      !github_advisory_graphql_object["withdrawnAt"].nil?
+    end
+
+    def external_reference
+      github_advisory_graphql_object["references"].first["url"]
+    end
+
+    def vulnerabilities
+      github_advisory_graphql_object["vulnerabilities"]["nodes"]
+    end
+
+    def has_ruby_vulnerabilities?
+      vulnerabilities.any? do |vuln|
+        vuln["package"]["ecosystem"] == "RUBYGEMS"
+      end
+    end
+
+    def some_rubysec_files_do_not_exist?
+      rubysec_filenames.any?{|filename| !File.exist?(filename) }
+    end
+
+    def write_files
+      return [] unless some_rubysec_files_do_not_exist?
+
+      files_written = []
+      vulnerabilities.each do |vulnerability|
+        filename_to_write = File.join("gems", vulnerability["package"]["name"], "#{primary_id}.yml")
+        next if File.exist?(filename_to_write)
+
+        data = {
+          "gem" => vulnerability["package"]["name"],
+          "ghsa" => ghsa_id[5..],
+          "url" => external_reference,
+          "date" => published_day,
+          "title" => github_advisory_graphql_object["summary"],
+          "description" => github_advisory_graphql_object["description"],
+          "cvss_v3" => "<FILL IN IF AVAILABLE>",
+          "patched_versions" => [ "<FILL IN SEE BELOW>" ],
+          "unaffected_versions" => [ "<OPTIONAL: FILL IN SEE BELOW>" ]
+        }
+        data["cve"] = cve_id[4..20] if cve_id
+
+        dir_to_write = File.dirname(filename_to_write)
+        Dir.mkdir dir_to_write unless Dir.exist?(dir_to_write)
+        File.open(filename_to_write, "w") do |file|
+          # create an automatically generated advisory yaml file
+          file.write data.to_yaml
+
+          # The data we just wrote is incomplete,
+          # and therefore should not be committed as is
+          # We can not directly translate from GitHub to rubysec advisory format
+          #
+          # The patched_versions field is not exactly available.
+          # - GitHub has a first_patched_version field,
+          #   but rubysec advisory needs a ruby version spec
+          #
+          # The unnaffected_versions field is similarly not directly available
+          # This optional field must be inferred from the vulnerableVersionRange
+          #
+          # To help write those fields, we put all the github data below.
+          #
+          # The second block of yaml in a .yaml file is ignored (after the second "---" line)
+          # This effectively makes this data a large comment
+          # Still it should be removed before the data goes into rubysec
+          file.write "\n\n# GitHub advisory data below - **Remove this data before committing**\n"
+          file.write "# Use this data to write patched_versions (and potentially unaffected_versions) above\n"
+          file.write github_advisory_graphql_object.to_yaml
+        end
+        puts "Wrote: #{filename_to_write}"
+        files_written << filename_to_write
+      end
+
+      files_written
+    end
+  end
+end