GHSA/RLSA - "repository‑level security advisories" list

[jasnow]

GHSA - "repository‑level security advisories" (RLSA) list

LIST

• https://github.com/puma/puma/security/advisories
  • GHSA-qpgp-93vx-g8v8
  • GHSA-2vqw-3mp8-cgmx
    • They were added with this PR Two new puma advisories #1103.
• https://github.com/ruby-oauth/oauth/security/advisories
  • GHSA-prq8-7wvh-44qh
  • GHSA-pp92-crg2-gfv9

NOTES

1. This week while doing research on two puma security advisories mentioned in Ruby Weekly, we learned about the concept of GHSA "repository‑level security advisories" (RLSA). The ruby-advisory-db project monitors GHSA database but we did not know about these advisories. Therefore they are not included in the "bundle audit" results.
2. Now that we do, we need the community's help to add to this list of security advisory sources. If anyone knows more about this topic, please add a comment to this issue, such as:
   • How to get a complete list of Ruby gems or "rubies" with RLSA's.
   • Add your project's RLSA.
3. Until we have established a more formal way to document this sources, I will continue to edit this description with more RLSA's.

[flavorjones]

I don't think this is necessary.

The process for gem maintainers today is that they create a GHSA on the repository that they own. For example, I recently created https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx.

Github has a team that reviews all repository GHSAs, does some very basic sanity checking and copyediting, and then publishes the "blessed" top-level GHSA. For example, the above GHSA ended up at https://github.com/advisories/GHSA-c4rq-3m3g-8wgx.

It's almost always identical content, as far as I can tell, and is published after a usually-very-short delay.

Edited to de-link the GHSAs to make it easier to see the URL differences.

[jasnow]

I don't think this is necessary.

Okay, I will monitor to see if the 4 examples I given show up in GHSA. If they do, I will close this issue.

Also I will not post about this issue until we have verified that they is a difference.