Add GitHub Advisory Database identifiers to external reports (#138)

See also (github/advisory-database#3536)

Author: briandfoy

external_reports/angular.yml

@@ -1,57 +1,56 @@
 ---
+advisories:
+- affected_versions: <=1.7.9
+  cve: CVE-2019-10768
+  description: |
+    In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.
+  fixed_versions: ~
+  github_security_advisory:
+  - GHSA-89mq-4x47-5v83
+  references:
+  - https://snyk.io/vuln/SNYK-JS-ANGULAR-534884
+  - https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
+  reported: 2019-11-19
+  severity: high
+- affected_versions: <1.5.1
+  cve: CVE-2019-14863
+  description: |
+    There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
+  fixed_versions: ~
+  github_security_advisory:
+  - GHSA-r5fx-8r73-v86c
+  references:
+  - https://snyk.io/vuln/npm:angular:20150807
+  - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863
+  reported: 2020-01-02
+  severity: medium
+- affected_versions: <1.8.0
+  cve: CVE-2020-7676
+  description: |
+    angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "<option>" elements in "<select>" ones changes parsing behavior, leading to possibly unsanitizing code.
+  fixed_versions: '>1.8.0'
+  github_security_advisory:
+  - GHSA-mhp6-pxh8-r675
+  references:
+  - https://github.com/angular/angular.js/pull/17028
+  - https://snyk.io/vuln/SNYK-JS-ANGULAR-570058
+  - https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E
+  - https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20@%3Cozone-issues.hadoop.apache.org%3E
+  - https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b@%3Cozone-issues.hadoop.apache.org%3E
+  - https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b@%3Cozone-issues.hadoop.apache.org%3E
+  - https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7@%3Cozone-issues.hadoop.apache.org%3E
+  - https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b@%3Cozone-issues.hadoop.apache.org%3E
+  - https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02@%3Cozone-issues.hadoop.apache.org%3E
+  - https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1@%3Cozone-issues.hadoop.apache.org%3E
+  - https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1@%3Cozone-commits.hadoop.apache.org%3E
+  - https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a@%3Cozone-issues.hadoop.apache.org%3E
+  reported: 2020-06-08
+  severity: medium
+cpansa_version: 2
 name: angular
-url: https://github.com/angular/angular
 perl_distributions:
-  - name: Zonemaster-GUI
-    affected:
-      - perl_module_versions: '>=1.0.7,<=1.0.11'
-        distributed_library_version: '1.2.22'
-advisories:
-  - cve: CVE-2019-10768
-    description: >
-      In AngularJS before 1.7.9 the function `merge()` could be tricked
-      into adding or modifying properties of `Object.prototype` using a
-      `__proto__` payload.
-    affected_versions: '<=1.7.9'
-    fixed_versions: ~
-    references:
-      - https://snyk.io/vuln/SNYK-JS-ANGULAR-534884
-      - https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
-    reported: 2019-11-19
-    severity: high
-  - cve: CVE-2019-14863
-    description: >
-      There is a vulnerability in all angular versions before
-      1.5.0-beta.0, where after escaping the context of the web application,
-      the web application delivers data to its users along with other
-      trusted dynamic content, without validating it.
-    affected_versions: '<1.5.1'
-    fixed_versions: ~
-    references:
-      - https://snyk.io/vuln/npm:angular:20150807
-      - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14863
-    reported: 2020-01-02
-    severity: medium
-  - cve: CVE-2020-7676
-    description: >
-      angular.js prior to 1.8.0 allows cross site scripting. The
-      regex-based input HTML replacement may turn sanitized code into
-      unsanitized one. Wrapping "<option>" elements in "<select>" ones
-      changes parsing behavior, leading to possibly unsanitizing code.
-    affected_versions: '<1.8.0'
-    fixed_versions: '>1.8.0'
-    references:
-      - https://github.com/angular/angular.js/pull/17028
-      - https://snyk.io/vuln/SNYK-JS-ANGULAR-570058
-      - https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E
-      - https://lists.apache.org/thread.html/r3f05cfd587c774ea83c18e59eda9fa37fa9bbf3421484d4ee1017a20@%3Cozone-issues.hadoop.apache.org%3E
-      - https://lists.apache.org/thread.html/r57383582dcad2305430321589dfaca6793f5174c55da6ce8d06fbf9b@%3Cozone-issues.hadoop.apache.org%3E
-      - https://lists.apache.org/thread.html/r198985c02829ba8285ed4f9b1de54a33b5f31b08bb38ac51fc86961b@%3Cozone-issues.hadoop.apache.org%3E
-      - https://lists.apache.org/thread.html/r79e3feaaf87b81e80da0e17a579015f6dcb94c95551ced398d50c8d7@%3Cozone-issues.hadoop.apache.org%3E
-      - https://lists.apache.org/thread.html/r455ebd83a1c69ae8fd897560534a079c70a483dbe1e75504f1ca499b@%3Cozone-issues.hadoop.apache.org%3E
-      - https://lists.apache.org/thread.html/rb6423268b25db0f800359986867648e11dbd38e133b9383e85067f02@%3Cozone-issues.hadoop.apache.org%3E
-      - https://lists.apache.org/thread.html/r446c297cd6cda2bd7e345c9b0741d7f611df89902e5d515848c6f4b1@%3Cozone-issues.hadoop.apache.org%3E
-      - https://lists.apache.org/thread.html/r80f210a5f4833d59c5d3de17dd7312f9daba0765ec7d4052469f13f1@%3Cozone-commits.hadoop.apache.org%3E
-      - https://lists.apache.org/thread.html/rfa2b19d01d10a8637dc319a7d5994c3dbdb88c0a8f9a21533403577a@%3Cozone-issues.hadoop.apache.org%3E
-    reported: 2020-06-08
-    severity: medium
+- affected:
+  - distributed_library_version: 1.2.22
+    perl_module_versions: '>=1.0.7,<=1.0.11'
+  name: Zonemaster-GUI
+url: https://github.com/angular/angular

external_reports/boost.yml

@@ -1,74 +1,73 @@
 ---
+advisories:
+- affected_versions: '>=1.33,<=1.34'
+  cve: CVE-2008-0171
+  description: |
+    regex/v4/perl_matcher_non_recursive.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (failed assertion and crash) via an invalid regular expression.
+  fixed_versions: '>1.34'
+  github_security_advisory:
+  - GHSA-mc8j-3vrc-57vf
+  references:
+  - http://bugs.gentoo.org/show_bug.cgi?id=205955
+  - http://svn.boost.org/trac/boost/changeset/42674
+  - http://svn.boost.org/trac/boost/changeset/42745
+  - https://issues.rpath.com/browse/RPL-2143
+  - http://www.ubuntu.com/usn/usn-570-1
+  - http://www.securityfocus.com/bid/27325
+  - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00760.html
+  - http://secunia.com/advisories/28545
+  - http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:032
+  - http://secunia.com/advisories/28705
+  - http://secunia.com/advisories/28511
+  - http://secunia.com/advisories/28527
+  - http://wiki.rpath.com/Advisories:rPSA-2008-0063
+  - http://www.gentoo.org/security/en/glsa/glsa-200802-08.xml
+  - http://secunia.com/advisories/28943
+  - http://secunia.com/advisories/28860
+  - http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html
+  - http://secunia.com/advisories/29323
+  - http://www.vupen.com/english/advisories/2008/0249
+  - http://secunia.com/advisories/48099
+  - http://www.securityfocus.com/archive/1/488102/100/0/threaded
+  reported: 2008-01-17
+  severity: ~
+- affected_versions: '>=1.33,<=1.34'
+  cve: CVE-2008-0172
+  description: |
+    The get_repeat_type function in basic_regex_creator.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (NULL dereference and crash) via an invalid regular expression.
+  fixed_versions: '>1.34'
+  github_security_advisory:
+  - GHSA-6rjv-3558-988c
+  references:
+  - http://bugs.gentoo.org/show_bug.cgi?id=205955
+  - http://svn.boost.org/trac/boost/changeset/42674
+  - http://svn.boost.org/trac/boost/changeset/42745
+  - https://issues.rpath.com/browse/RPL-2143
+  - http://www.ubuntu.com/usn/usn-570-1
+  - http://www.securityfocus.com/bid/27325
+  - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00760.html
+  - http://secunia.com/advisories/28545
+  - http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:032
+  - http://secunia.com/advisories/28705
+  - http://secunia.com/advisories/28511
+  - http://secunia.com/advisories/28527
+  - http://wiki.rpath.com/Advisories:rPSA-2008-0063
+  - http://www.gentoo.org/security/en/glsa/glsa-200802-08.xml
+  - http://secunia.com/advisories/28943
+  - http://secunia.com/advisories/28860
+  - http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html
+  - http://secunia.com/advisories/29323
+  - http://www.vupen.com/english/advisories/2008/0249
+  - http://secunia.com/advisories/48099
+  - http://www.securityfocus.com/archive/1/488102/100/0/threaded
+  reported: 2008-01-17
+  severity: ~
+cpansa_version: 2
 name: boost
-url: https://www.boost.org/doc/libs/1_78_0/libs/graph/doc/index.html
 perl_distributions:
-  - name: Boost-Graph
-    last_version_checked: '1.4'
-    affected:
-      - perl_module_versions: '>=1,1,<=1.4'
-        distributed_library_version: '1.33'
-advisories:
-  - cve: CVE-2008-0171
-    description: >
-      regex/v4/perl_matcher_non_recursive.hpp in the Boost regex library
-      (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent
-      attackers to cause a denial of service (failed assertion and crash)
-      via an invalid regular expression.
-    affected_versions: '>=1.33,<=1.34'
-    fixed_versions: '>1.34'
-    references:
-      - http://bugs.gentoo.org/show_bug.cgi?id=205955
-      - http://svn.boost.org/trac/boost/changeset/42674
-      - http://svn.boost.org/trac/boost/changeset/42745
-      - https://issues.rpath.com/browse/RPL-2143
-      - http://www.ubuntu.com/usn/usn-570-1
-      - http://www.securityfocus.com/bid/27325
-      - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00760.html
-      - http://secunia.com/advisories/28545
-      - http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:032
-      - http://secunia.com/advisories/28705
-      - http://secunia.com/advisories/28511
-      - http://secunia.com/advisories/28527
-      - http://wiki.rpath.com/Advisories:rPSA-2008-0063
-      - http://www.gentoo.org/security/en/glsa/glsa-200802-08.xml
-      - http://secunia.com/advisories/28943
-      - http://secunia.com/advisories/28860
-      - http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html
-      - http://secunia.com/advisories/29323
-      - http://www.vupen.com/english/advisories/2008/0249
-      - http://secunia.com/advisories/48099
-      - http://www.securityfocus.com/archive/1/488102/100/0/threaded
-    reported: 2008-01-17
-    severity: ~
-  - cve: CVE-2008-0172
-    description: >
-      The get_repeat_type function in basic_regex_creator.hpp in the
-      Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows
-      context-dependent attackers to cause a denial of service (NULL
-      dereference and crash) via an invalid regular expression.
-    affected_versions: '>=1.33,<=1.34'
-    fixed_versions: '>1.34'
-    references:
-      - http://bugs.gentoo.org/show_bug.cgi?id=205955
-      - http://svn.boost.org/trac/boost/changeset/42674
-      - http://svn.boost.org/trac/boost/changeset/42745
-      - https://issues.rpath.com/browse/RPL-2143
-      - http://www.ubuntu.com/usn/usn-570-1
-      - http://www.securityfocus.com/bid/27325
-      - https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00760.html
-      - http://secunia.com/advisories/28545
-      - http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:032
-      - http://secunia.com/advisories/28705
-      - http://secunia.com/advisories/28511
-      - http://secunia.com/advisories/28527
-      - http://wiki.rpath.com/Advisories:rPSA-2008-0063
-      - http://www.gentoo.org/security/en/glsa/glsa-200802-08.xml
-      - http://secunia.com/advisories/28943
-      - http://secunia.com/advisories/28860
-      - http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html
-      - http://secunia.com/advisories/29323
-      - http://www.vupen.com/english/advisories/2008/0249
-      - http://secunia.com/advisories/48099
-      - http://www.securityfocus.com/archive/1/488102/100/0/threaded
-    reported: 2008-01-17
-    severity: ~
+- affected:
+  - distributed_library_version: '1.33'
+    perl_module_versions: '>=1,1,<=1.4'
+  last_version_checked: '1.4'
+  name: Boost-Graph
+url: https://www.boost.org/doc/libs/1_78_0/libs/graph/doc/index.html

external_reports/bootstrap-markdown.yml

@@ -1,21 +1,23 @@
 ---
+advisories:
+- affected_versions: '>=0'
+  cve: X-CVE-2014-0001
+  description: |
+    Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via the editor box.
+  fixed_versions: ~
+  github_security_advisory:
+  - ~
+  references:
+  - https://security.snyk.io/vuln/npm:bootstrap-markdown:20140826
+  - https://cwe.mitre.org/data/definitions/79.html
+  reported: 2014-08-25
+  severity: ~
+cpansa_version: 2
 name: bootstrap-markdown-editor
-url: https://github.com/inacho/bootstrap-markdown-editor
 perl_distributions:
-  - name: MySQL-Admin
-    last_version_checked: '1.18'
-    affected:
-      - perl_module_versions: '>=1.14,<=1.18'
-        distributed_library_version: '2.0.2'
-advisories:
-  - cve: X-CVE-2014-0001
-    description: >
-      Affected versions of the package are vulnerable to Cross-site
-      Scripting (XSS) via the editor box.
-    affected_versions: '>=0'
-    fixed_versions: ~
-    references:
-      - https://security.snyk.io/vuln/npm:bootstrap-markdown:20140826
-      - https://cwe.mitre.org/data/definitions/79.html
-    reported: 2014-08-25
-    severity: ~
+- affected:
+  - distributed_library_version: 2.0.2
+    perl_module_versions: '>=1.14,<=1.18'
+  last_version_checked: '1.18'
+  name: MySQL-Admin
+url: https://github.com/inacho/bootstrap-markdown-editor

external_reports/bootstrap-select.yml

@@ -1,23 +1,24 @@
 ---
+advisories:
+- affected_versions: <1.13.6
+  cve: CVE-2019-20921
+  description: |
+    bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser.
+  fixed_versions: '>=1.13.6'
+  github_security_advisory:
+  - GHSA-7c82-mp33-r854
+  references:
+  - https://github.com/advisories/GHSA-9r7h-6639-v5mw
+  - https://github.com/snapappointments/bootstrap-select/issues/2199
+  - https://www.npmjs.com/advisories/1522
+  - https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457
+  reported: 2020-09-30
+  severity: medium
+cpansa_version: 2
 name: bootstrap-select
-url:
 perl_distributions:
-  - name: MySQL-Admin
-    affected:
-      - perl_module_versions: '>=1.16,<=1.18'
-        distributed_library_version: '1.12.4'
-advisories:
-  - cve: CVE-2019-20921
-    description: >
-      bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS).
-      It does not escape title values in OPTION elements. This may allow
-      attackers to execute arbitrary JavaScript in a victim's browser.
-    affected_versions: '<1.13.6'
-    fixed_versions: '>=1.13.6'
-    references:
-      - https://github.com/advisories/GHSA-9r7h-6639-v5mw
-      - https://github.com/snapappointments/bootstrap-select/issues/2199
-      - https://www.npmjs.com/advisories/1522
-      - https://snyk.io/vuln/SNYK-JS-BOOTSTRAPSELECT-570457
-    reported: 2020-09-30
-    severity: medium
+- affected:
+  - distributed_library_version: 1.12.4
+    perl_module_versions: '>=1.16,<=1.18'
+  name: MySQL-Admin
+url: ~