Conversation

@jasnow
Contributor

@jasnow jasnow commented Jan 14, 2026

Add gsm: advisory field in support of issue #305

  • Modified the schemas, specs, and README to add "gsm:" advisory field (similar to "ghsa:" field).
  • Add GSM-2016-16 advisory

Member

@postmodern postmodern left a comment

What happens when this GSM advisory eventually gets assigned a CVE or added to GitHub Security Advisories DB? Will we end up with a GHSA- and CVE- file? Could the github_advisory_sync.rb automatically rename GSM-* to CVE-*/GHSA-*?

@jasnow
Contributor Author

jasnow commented Jan 14, 2026

Good questions

What happens when this GSM advisory eventually gets assigned a CVE or added
to GitHub Security Advisories DB? Will we end up with a GHSA- and CVE- file?

I think that the PR#585 lint check's purpose is to flag duplicate advisories.

Could the github_advisory_sync.rb automatically rename GSM-* to CVE-*/GHSA-*?

We could watch for it and add a feature when it happens.

@postmodern
Member

I'm hesitant about adding GSM advisory IDs to the database because of one advisory that never got assigned a CVE. bundler-audit would also need to be updated, as it expects either a cve:, ghsa:, or osvdb: ID to be present; otherwise encryptor < 3.0.0 would break bundler-audit.

I reviewed encryptor's GitHub issues and noted two things:

  1. Appears that the maintainer said they would try to request a CVE, but never reported back.
  2. Another person did further research and believes the vulnerability is actually in Ruby's openssl library, not the encryptor gem. This might explain why a CVE was never assigned.

Either someone else needs to request the CVE on behalf of encryptor, or maybe a CVE is not needed and GSM-2016-16 might be invalid.

Long-term, I might be open to trying to consume GitLab's Advisory database along with GitHub's Advisory DB and NVD.
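As an added example (not bundler-audit's or ruby-advisory-db's own code), a small Ruby lint that resolves an advisory's identifier from the cve/ghsa/osvdb fields plus the proposed gsm field, fails the way the comment above describes when none is present, and flags duplicate identifiers the way the PR#585 lint check is described as doing. The advisory hashes and the GSM- prefix handling are constructed assumptions.

```ruby
require 'yaml'

# Identifier fields an advisory may carry, in display-preference order.
# bundler-audit is described as requiring one of cve/ghsa/osvdb; gsm is
# added here as the PR proposes. Prefixes are assumptions for display.
ID_FIELDS = {
  'cve'   => 'CVE-',
  'ghsa'  => 'GHSA-',
  'osvdb' => 'OSVDB-',
  'gsm'   => 'GSM-',   # GitLab advisory identifier, as in GSM-2016-16
}.freeze

# Return the advisory's display identifier, e.g. "GSM-2016-16".
# Raises when none of the accepted fields is present, which is the failure
# mode described for an advisory that carries only an unknown field.
def advisory_id(advisory)
  ID_FIELDS.each do |field, prefix|
    value = advisory[field]
    return "#{prefix}#{value}" if value
  end
  raise ArgumentError, "advisory for #{advisory['gem']} has no cve/ghsa/osvdb/gsm field"
end

# Lint a list of advisory hashes: every advisory needs an accepted identifier,
# and the same identifier must not appear in two advisories.
def lint(advisories)
  seen   = {}
  errors = []
  advisories.each do |adv|
    begin
      id = advisory_id(adv)
    rescue ArgumentError => e
      errors << e.message
      next
    end
    if seen[id]
      errors << "duplicate #{id} in #{seen[id]} and #{adv['gem']}"
    else
      seen[id] = adv['gem']
    end
  end
  errors
end

# Constructed sample advisories (not real database entries).
SAMPLE_ADVISORIES = YAML.safe_load(<<~YAML).freeze
  - { gem: encryptor, gsm: "2016-16" }
  - { gem: gem_a, cve: "2016-0001" }
  - { gem: gem_b, cve: "2016-0001" }
  - { gem: gem_c, url: "https://example.invalid/gem_c" }
YAML
```

Running `lint(SAMPLE_ADVISORIES)` reports the duplicate CVE and the advisory with no identifier, while the GSM-only entry resolves to GSM-2016-16.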

@postmodern postmodern closed this Jan 15, 2026
@jasnow jasnow deleted the Add-gsm-field branch January 15, 2026 20:23
@jasnow
Contributor Author

jasnow commented Jan 15, 2026

OK
