Add json schema and validate yml files

dennispaagman · dennispaagman · commit 81d252b6a2e2 · 2026-05-17T19:51:31.000+02:00
diff --git a/Gemfile b/Gemfile
@@ -1,9 +1,10 @@
 source 'https://rubygems.org'
 
 gem 'rake'
-gem 'faraday', '~> 2.0'
-gem 'kwalify', '~> 0.1'
-gem 'rspec',   '~> 3.0'
+gem 'faraday',      '~> 2.0'
+gem 'kwalify',      '~> 0.1'
+gem 'json_schemer', '~> 2.0'
+gem 'rspec',        '~> 3.0'
 
 group :development do
   gem 'pry'
diff --git a/spec/schema_validation_spec.rb b/spec/schema_validation_spec.rb
@@ -0,0 +1,66 @@
+require 'spec_helper'
+
+require 'json_schemer'
+require 'yaml'
+
+SCHEMAS_DIR = File.join(ROOT, 'spec', 'schemas')
+
+def schemer_for(schema_path)
+  JSONSchemer.schema(
+    JSON.parse(File.read(schema_path)),
+    meta_schema: 'https://json-schema.org/draft/2020-12/schema'
+  )
+end
+
+def normalize_for_json(value)
+  case value
+  when Hash
+    value.transform_values { |v| normalize_for_json(v) }
+  when Array
+    value.map { |v| normalize_for_json(v) }
+  when Date
+    value.iso8601
+  else
+    value
+  end
+end
+
+def format_errors(errors)
+  errors.map do |e|
+    pointer = e['data_pointer'].to_s.empty? ? '<root>' : e['data_pointer']
+
+    "↳ #{pointer}: #{e['error']}"
+  end.join("\n")
+end
+
+GEM_SCHEMER  = schemer_for(File.join(SCHEMAS_DIR, 'gem.json'))
+RUBY_SCHEMER = schemer_for(File.join(SCHEMAS_DIR, 'ruby.json'))
+
+shared_examples 'conforming schema' do |glob:, schemer:|
+  Dir.glob(File.join(ROOT, glob)).sort.each do |path|
+    filename = path.split('/')[-2..].join('/')
+
+    it "#{filename} conforms to schema" do
+      data = normalize_for_json(YAML.safe_load_file(path, permitted_classes: [Date]))
+      errors = schemer.validate(data).to_a
+
+      expect(errors).to be_empty, lambda {
+        "#{filename}\n#{format_errors(errors)}"
+      }
+    end
+  end
+end
+
+describe 'JSON Schema validation' do
+  describe 'for gems' do
+    include_examples 'conforming schema',
+                     glob: 'gems/*/*.yml',
+                     schemer: GEM_SCHEMER
+  end
+
+  describe 'for rubies' do
+    include_examples 'conforming schema',
+                     glob: 'rubies/*/*.yml',
+                     schemer: RUBY_SCHEMER
+  end
+end
diff --git a/spec/schemas/gem.json b/spec/schemas/gem.json
@@ -0,0 +1,141 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://github.com/rubysec/ruby-advisory-db/schemas/gem.json",
+  "title": "Ruby gem advisory",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["gem", "url", "title", "date", "description"],
+  "anyOf": [
+    { "required": ["cve"] },
+    { "required": ["osvdb"] },
+    { "required": ["ghsa"] }
+  ],
+  "properties": {
+    "gem": {
+      "type": "string",
+      "minLength": 1
+    },
+    "library": {
+      "type": "string",
+      "minLength": 1
+    },
+    "framework": {
+      "type": "string",
+      "minLength": 1
+    },
+    "platform": {
+      "type": "string",
+      "minLength": 1
+    },
+    "cve": {
+      "type": "string",
+      "pattern": "^\\d{4}-\\d+$"
+    },
+    "osvdb": {
+      "type": "integer",
+      "minimum": 1
+    },
+    "ghsa": {
+      "type": "string",
+      "pattern": "^[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$"
+    },
+    "url": {
+      "type": "string",
+      "pattern": "^https?://",
+      "not": { "pattern": "^https?://osvdb\\.org" }
+    },
+    "title": {
+      "type": "string",
+      "minLength": 1,
+      "pattern": "^(?:\\S|\\S.*\\S)$"
+    },
+    "date": {
+      "type": "string",
+      "format": "date",
+      "pattern": "^\\d{4}-\\d{2}-\\d{2}$"
+    },
+    "description": {
+      "type": "string",
+      "minLength": 1,
+      "allOf": [
+        { "pattern": "\\n" },
+        { "not": { "pattern": "\\\\n\\\\n" } },
+        { "not": { "pattern": "(#+) PoC" } }
+      ]
+    },
+    "cvss_v2": {
+      "type": "number",
+      "minimum": 0.0,
+      "maximum": 10.0
+    },
+    "cvss_v3": {
+      "type": "number",
+      "minimum": 0.0,
+      "maximum": 10.0
+    },
+    "cvss_v4": {
+      "type": "number",
+      "minimum": 0.0,
+      "maximum": 10.0
+    },
+    "unaffected_versions": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "type": "string",
+        "pattern": "^(?:<=|<|>=|>|~>|=) [0-9A-Za-z.\\-]+(?:, (?:<=|<|>=|>|~>|=) [0-9A-Za-z.\\-]+)?$"
+      }
+    },
+    "patched_versions": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "type": "string",
+        "pattern": "^(?:<=|<|>=|>|~>|=) [0-9A-Za-z.\\-]+(?:, (?:<=|<|>=|>|~>|=) [0-9A-Za-z.\\-]+)?$"
+      }
+    },
+    "related": {
+      "type": "object",
+      "additionalProperties": false,
+      "minProperties": 1,
+      "properties": {
+        "cve": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "string",
+            "pattern": "^\\d{4}-\\d+$"
+          }
+        },
+        "ghsa": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "string",
+            "pattern": "^[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$"
+          }
+        },
+        "osvdb": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "integer",
+            "minimum": 1
+          }
+        },
+        "url": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "string",
+            "pattern": "^https?://"
+          }
+        }
+      }
+    },
+    "notes": {
+      "type": "string",
+      "minLength": 1
+    }
+  }
+}
diff --git a/spec/schemas/ruby.json b/spec/schemas/ruby.json
@@ -0,0 +1,133 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://github.com/rubysec/ruby-advisory-db/schemas/ruby.json",
+  "title": "Ruby implementation advisory",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["engine", "url", "title", "date", "description"],
+  "anyOf": [
+    { "required": ["cve"] },
+    { "required": ["osvdb"] },
+    { "required": ["ghsa"] }
+  ],
+  "properties": {
+    "engine": {
+      "type": "string",
+      "enum": ["ruby", "jruby", "mruby", "mrubyc", "rbx", "truffleruby"]
+    },
+    "platform": {
+      "type": "string",
+      "minLength": 1
+    },
+    "cve": {
+      "type": "string",
+      "pattern": "^\\d{4}-\\d+$"
+    },
+    "osvdb": {
+      "type": "integer",
+      "minimum": 1
+    },
+    "ghsa": {
+      "type": "string",
+      "pattern": "^[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$"
+    },
+    "url": {
+      "type": "string",
+      "pattern": "^https?://",
+      "not": { "pattern": "^https?://osvdb\\.org" }
+    },
+    "title": {
+      "type": "string",
+      "minLength": 1,
+      "pattern": "^(?:\\S|\\S.*\\S)$"
+    },
+    "date": {
+      "type": "string",
+      "format": "date",
+      "pattern": "^\\d{4}-\\d{2}-\\d{2}$"
+    },
+    "description": {
+      "type": "string",
+      "minLength": 1,
+      "allOf": [
+        { "pattern": "\\n" },
+        { "not": { "pattern": "\\\\n\\\\n" } },
+        { "not": { "pattern": "(#+) PoC" } }
+      ]
+    },
+    "cvss_v2": {
+      "type": "number",
+      "minimum": 0.0,
+      "maximum": 10.0
+    },
+    "cvss_v3": {
+      "type": "number",
+      "minimum": 0.0,
+      "maximum": 10.0
+    },
+    "cvss_v4": {
+      "type": "number",
+      "minimum": 0.0,
+      "maximum": 10.0
+    },
+    "unaffected_versions": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "type": "string",
+        "pattern": "^(?:<=|<|>=|>|~>|=) [0-9A-Za-z.\\-]+(?:, (?:<=|<|>=|>|~>|=) [0-9A-Za-z.\\-]+)?$"
+      }
+    },
+    "patched_versions": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "type": "string",
+        "pattern": "^(?:<=|<|>=|>|~>|=) [0-9A-Za-z.\\-]+(?:, (?:<=|<|>=|>|~>|=) [0-9A-Za-z.\\-]+)?$"
+      }
+    },
+    "related": {
+      "type": "object",
+      "additionalProperties": false,
+      "minProperties": 1,
+      "properties": {
+        "cve": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "string",
+            "pattern": "^\\d{4}-\\d+$"
+          }
+        },
+        "ghsa": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "string",
+            "pattern": "^[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$"
+          }
+        },
+        "osvdb": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "integer",
+            "minimum": 1
+          }
+        },
+        "url": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "string",
+            "pattern": "^https?://"
+          }
+        }
+      }
+    },
+    "notes": {
+      "type": "string",
+      "minLength": 1
+    }
+  }
+}
