{"id":13722934,"url":"https://github.com/dependabot/elixir-security-advisories","last_synced_at":"2025-05-07T16:31:25.397Z","repository":{"id":31458820,"uuid":"127943253","full_name":"dependabot/elixir-security-advisories","owner":"dependabot","description":"Old database of Elixir security advisories before the GitHub Security Advisory DB supported Hex / Elixir.","archived":true,"fork":false,"pushed_at":"2022-07-22T21:33:46.000Z","size":442,"stargazers_count":151,"open_issues_count":1,"forks_count":9,"subscribers_count":38,"default_branch":"master","last_synced_at":"2024-11-14T12:50:38.552Z","etag":null,"topics":["elixir","security"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dependabot.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-04-03T17:21:37.000Z","updated_at":"2024-11-06T01:32:56.000Z","dependencies_parsed_at":"2022-08-23T23:41:21.602Z","dependency_job_id":null,"html_url":"https://github.com/dependabot/elixir-security-advisories","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dependabot%2Felixir-security-advisories","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dependabot%2Felixir-security-advisories/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dependabot%2Felixir-security-advisories/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dependabot%2Felixir-security-advisories/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dependabot","download_url":"https://codeload.github.com/dependabot/elixir-security-advisories/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252915305,"owners_count":21824542,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["elixir","security"],"created_at":"2024-08-03T01:01:34.730Z","updated_at":"2025-05-07T16:31:23.685Z","avatar_url":"https://github.com/dependabot.png","language":"Ruby","funding_links":[],"categories":["Tooling"],"sub_categories":[],"readme":"# Deprecation Notice\n\nThis repo was created before the GitHub Security Advisory DB supported Hex / Elixir. Now that [support has been added](https://github.blog/2022-06-27-github-advisory-database-now-supports-erlang-and-elixir-packages/), we've deprecated / archived this repo. The Security Advisory DB is a much more flexible solution that includes an actual API, GraphQL support, auto-ingesting from various data sources, professional curation, etc.\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"logo/horizontalversion.png\" alt=\"elixir-security-advisories\" height=\"200px\"\u003e\u003c/p\u003e\n\n# Elixir Advisory Database\n\nThe Elixir Advisory Database is a repository of security advisories filed\nagainst published Elixir packages.\n\nAdvisory metadata is stored in [YAML] format for [Sobelow], [Dependabot],\n[MixAudit] and other automated tools to consume.\n\nThere is also an [experimental web API] for the database.\n\n[![Build Status](https://travis-ci.org/dependabot/elixir-security-advisories.svg?branch=master)](https://travis-ci.org/dependabot/elixir-security-advisories)\n\n## Directory Structure\n\nThe database is a list of directories that match the names of Elixir libraries\non [hex.pm]. Within each directory are one or more advisory files for the Elixir\nlibrary.\n\n    packages/:\n      plug/:\n        2017-02-28.yml\n        2017-02-28_2.yml\n\n## Format\n\nEach advisory file contains the advisory information in [YAML] format:\n\n    ---\n    id: 8268e120-60b4-4efb-b9ca-4e3faca0cca6\n    package: plug\n    disclosure_date: 2017-02-28\n    cve: 2017-1000052\n    link: https://elixirforum.com/t/static-and-session-security-fixes-for-plug/3913\n    title: |\n      Null Byte Injection in Plug.Static\n\n    description: |\n      Plug.Static is used for serving static assets, and is vulnerable to null\n      byte injection. If file upload functionality is provided, this can allow\n      users to bypass filetype restrictions.\n\n      We recommend all applications that provide file upload functionality and\n      serve those uploaded files locally with Plug.Static to upgrade immediately\n      or include the fix below. If uploaded files are rather stored and served\n      from S3 or any other cloud storage, you are not affected.\n\n    patched_versions:\n      - ~\u003e 1.3.2\n      - ~\u003e 1.2.3\n      - ~\u003e 1.1.7\n      - ~\u003e 1.0.4\n\n    unaffected_versions:\n      - \"\u003c 1.0.0\"\n\n## Schema\n\nThere is linting in place to enforce the following schema for each advisory:\n\n| Attribute             | Type        | Description                                                            |\n|-----------------------|-------------|------------------------------------------------------------------------|\n| `id`                  | String      | A version 4 UUID (use https://www.uuidgenerator.net/version4).         |\n| `package`             | String      | Name of the affected package.                                          |\n| `disclosure_date`     | Date        | Date the vulnerability was publicly disclosed (here or elsewhere).     |\n| `cve`                 | String/Null | (Optional) CVE assigned to the vulnerability.                          |\n| `link`                | String      | Link to the original disclosure / more details.                        |\n| `title`               | String      | Title of the vulnerability. This should be a (very) short description. |\n| `description`         | String      | Description of the vulnerability.                                      |\n| `patched_versions`    | Array       | Array of Elixir requirement strings specifying patched versions.       |\n| `unaffected_versions` | Array       | Array of Elixir requirement strings specifying unaffected versions.    |\n\n## Contributing\n\nDo you know about a vulnerability that isn't listed in this database? Open an\nissue or submit a PR.\n\n## License\n\nAll content in this repository is placed in the public domain.\n\n[![Public Domain](http://i.creativecommons.org/p/zero/1.0/88x31.png)](https://github.com/dependabot/elixir-security-advisories/blob/master/LICENSE.txt)\n\n[YAML]: http://yaml.org/\n[Sobelow]: https://github.com/nccgroup/sobelow\n[Dependabot]: https://dependabot.com\n[MixAudit]: https://github.com/mirego/mix_audit\n[experimental web API]: https://github.com/ex-security-advisory/api\n[hex.pm]: https://hex.pm\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdependabot%2Felixir-security-advisories","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdependabot%2Felixir-security-advisories","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdependabot%2Felixir-security-advisories/lists"}