Description
When a Ruby project resolves a gem to native platform builds (for example nokogiri 1.19.3-x86_64-linux-gnu) and a CycloneDX SBOM is generated with cdxgen, osv-scanner reports the platform-specific components as vulnerable even though they are the same release as the plain version.
In this case nokogiri 1.19.3 is the fixed version for GHSA-c4rq-3m3g-8wgx and GHSA-v2fc-qm4h-8hqv (both have introduced: 0 and fixed: 1.19.3). The plain nokogiri 1.19.3 component is correctly not flagged, but several of the platform builds are reported as vulnerable with a suggested fix of 1.19.3. They are the 1.19.3 release, just built for a specific platform.
The platform suffix looks like it is being treated as part of the version string. Under RubyGems version rules a - makes everything after it a prerelease, so 1.19.3-aarch64-linux-gnu sorts below 1.19.3 and falls inside the [0, 1.19.3) range of the advisories.
Versions
- osv-scanner version: 2.4.0
- osv-scalibr version: 0.4.5
- cdxgen: ghcr.io/cyclonedx/cdxgen:latest (
-t ruby)
- Ruby 3.4.5, Bundler 2.6.9
Steps to reproduce
-
Create a Ruby project with a Gemfile pinning nokogiri 1.19.3:
source "https://rubygems.org"
gem "nokogiri", "1.19.3"
-
Generate the lockfile and add Linux platforms so native gem variants are included alongside the plain release:
bundle lock
bundle lock --add-platform x86_64-linux aarch64-linux ruby
The resulting Gemfile.lock contains nokogiri several times, for example:
nokogiri (1.19.3)
nokogiri (1.19.3-aarch64-linux-gnu)
nokogiri (1.19.3-aarch64-linux-musl)
nokogiri (1.19.3-arm-linux-gnu)
nokogiri (1.19.3-arm-linux-musl)
nokogiri (1.19.3-arm64-darwin)
nokogiri (1.19.3-x86_64-darwin)
nokogiri (1.19.3-x86_64-linux-gnu)
nokogiri (1.19.3-x86_64-linux-musl)
-
Generate a CycloneDX SBOM with cdxgen:
docker run --rm -v "$PWD":/app ghcr.io/cyclonedx/cdxgen:latest -t ruby -o /app/bom.json /app
The SBOM contains one component per platform, with purls like pkg:gem/nokogiri@1.19.3 and pkg:gem/nokogiri@1.19.3-x86_64-linux-gnu.
-
Scan the SBOM:
osv-scanner scan source --sbom=bom.json
Expected behavior
No nokogiri component should be reported. 1.19.3 is the fixed version for both advisories, and the platform builds (1.19.3-x86_64-linux-gnu and so on) are the same release as 1.19.3.
Actual behavior
The plain 1.19.3 component is not flagged, but several platform-specific components are reported as vulnerable with a suggested fix of 1.19.3:
Total 5 packages affected by 10 known vulnerabilities (0 Critical, 5 High, 5 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION |
| https://osv.dev/GHSA-c4rq-3m3g-8wgx | 7.5 | RubyGems | nokogiri | 1.19.3-aarch64-linux-gnu | 1.19.3 |
| https://osv.dev/GHSA-v2fc-qm4h-8hqv | 5.3 | RubyGems | nokogiri | 1.19.3-aarch64-linux-gnu | 1.19.3 |
| https://osv.dev/GHSA-c4rq-3m3g-8wgx | 7.5 | RubyGems | nokogiri | 1.19.3-aarch64-linux-musl | 1.19.3 |
| https://osv.dev/GHSA-v2fc-qm4h-8hqv | 5.3 | RubyGems | nokogiri | 1.19.3-aarch64-linux-musl | 1.19.3 |
| https://osv.dev/GHSA-c4rq-3m3g-8wgx | 7.5 | RubyGems | nokogiri | 1.19.3-arm-linux-gnu | 1.19.3 |
| https://osv.dev/GHSA-v2fc-qm4h-8hqv | 5.3 | RubyGems | nokogiri | 1.19.3-arm-linux-gnu | 1.19.3 |
| https://osv.dev/GHSA-c4rq-3m3g-8wgx | 7.5 | RubyGems | nokogiri | 1.19.3-arm-linux-musl | 1.19.3 |
| https://osv.dev/GHSA-v2fc-qm4h-8hqv | 5.3 | RubyGems | nokogiri | 1.19.3-arm-linux-musl | 1.19.3 |
| https://osv.dev/GHSA-c4rq-3m3g-8wgx | 7.5 | RubyGems | nokogiri | 1.19.3-arm64-darwin | 1.19.3 |
| https://osv.dev/GHSA-v2fc-qm4h-8hqv | 5.3 | RubyGems | nokogiri | 1.19.3-arm64-darwin | 1.19.3 |
Additional notes
The result is also inconsistent across platforms. Only the non x86_64 variants are flagged (aarch64-linux-gnu, aarch64-linux-musl, arm-linux-gnu, arm-linux-musl, arm64-darwin). The x86_64-darwin, x86_64-linux-gnu, and x86_64-linux-musl variants are present in the SBOM but are not flagged, same as the plain 1.19.3. That difference points at how the platform suffix is tokenized during version comparison.
Attachments
bom.json
Description
When a Ruby project resolves a gem to native platform builds (for example
nokogiri 1.19.3-x86_64-linux-gnu) and a CycloneDX SBOM is generated with cdxgen, osv-scanner reports the platform-specific components as vulnerable even though they are the same release as the plain version.In this case nokogiri 1.19.3 is the fixed version for GHSA-c4rq-3m3g-8wgx and GHSA-v2fc-qm4h-8hqv (both have
introduced: 0andfixed: 1.19.3). The plainnokogiri 1.19.3component is correctly not flagged, but several of the platform builds are reported as vulnerable with a suggested fix of 1.19.3. They are the 1.19.3 release, just built for a specific platform.The platform suffix looks like it is being treated as part of the version string. Under RubyGems version rules a
-makes everything after it a prerelease, so1.19.3-aarch64-linux-gnusorts below1.19.3and falls inside the[0, 1.19.3)range of the advisories.Versions
-t ruby)Steps to reproduce
Create a Ruby project with a Gemfile pinning nokogiri 1.19.3:
Generate the lockfile and add Linux platforms so native gem variants are included alongside the plain release:
The resulting Gemfile.lock contains nokogiri several times, for example:
Generate a CycloneDX SBOM with cdxgen:
docker run --rm -v "$PWD":/app ghcr.io/cyclonedx/cdxgen:latest -t ruby -o /app/bom.json /appThe SBOM contains one component per platform, with purls like
pkg:gem/nokogiri@1.19.3andpkg:gem/nokogiri@1.19.3-x86_64-linux-gnu.Scan the SBOM:
osv-scanner scan source --sbom=bom.jsonExpected behavior
No nokogiri component should be reported. 1.19.3 is the fixed version for both advisories, and the platform builds (
1.19.3-x86_64-linux-gnuand so on) are the same release as1.19.3.Actual behavior
The plain
1.19.3component is not flagged, but several platform-specific components are reported as vulnerable with a suggested fix of 1.19.3:Additional notes
The result is also inconsistent across platforms. Only the non x86_64 variants are flagged (
aarch64-linux-gnu,aarch64-linux-musl,arm-linux-gnu,arm-linux-musl,arm64-darwin). Thex86_64-darwin,x86_64-linux-gnu, andx86_64-linux-muslvariants are present in the SBOM but are not flagged, same as the plain1.19.3. That difference points at how the platform suffix is tokenized during version comparison.Attachments
bom.json