Skip to content

False positive on platform-specific RubyGems versions in CycloneDX SBOM #2898

Description

@xballoy

Description

When a Ruby project resolves a gem to native platform builds (for example nokogiri 1.19.3-x86_64-linux-gnu) and a CycloneDX SBOM is generated with cdxgen, osv-scanner reports the platform-specific components as vulnerable even though they are the same release as the plain version.

In this case nokogiri 1.19.3 is the fixed version for GHSA-c4rq-3m3g-8wgx and GHSA-v2fc-qm4h-8hqv (both have introduced: 0 and fixed: 1.19.3). The plain nokogiri 1.19.3 component is correctly not flagged, but several of the platform builds are reported as vulnerable with a suggested fix of 1.19.3. They are the 1.19.3 release, just built for a specific platform.

The platform suffix looks like it is being treated as part of the version string. Under RubyGems version rules a - makes everything after it a prerelease, so 1.19.3-aarch64-linux-gnu sorts below 1.19.3 and falls inside the [0, 1.19.3) range of the advisories.

Versions

  • osv-scanner version: 2.4.0
  • osv-scalibr version: 0.4.5
  • cdxgen: ghcr.io/cyclonedx/cdxgen:latest (-t ruby)
  • Ruby 3.4.5, Bundler 2.6.9

Steps to reproduce

  1. Create a Ruby project with a Gemfile pinning nokogiri 1.19.3:

    source "https://rubygems.org"
    
    gem "nokogiri", "1.19.3"
  2. Generate the lockfile and add Linux platforms so native gem variants are included alongside the plain release:

    bundle lock
    bundle lock --add-platform x86_64-linux aarch64-linux ruby

    The resulting Gemfile.lock contains nokogiri several times, for example:

    nokogiri (1.19.3)
    nokogiri (1.19.3-aarch64-linux-gnu)
    nokogiri (1.19.3-aarch64-linux-musl)
    nokogiri (1.19.3-arm-linux-gnu)
    nokogiri (1.19.3-arm-linux-musl)
    nokogiri (1.19.3-arm64-darwin)
    nokogiri (1.19.3-x86_64-darwin)
    nokogiri (1.19.3-x86_64-linux-gnu)
    nokogiri (1.19.3-x86_64-linux-musl)
    
  3. Generate a CycloneDX SBOM with cdxgen:

    docker run --rm -v "$PWD":/app ghcr.io/cyclonedx/cdxgen:latest -t ruby -o /app/bom.json /app

    The SBOM contains one component per platform, with purls like pkg:gem/nokogiri@1.19.3 and pkg:gem/nokogiri@1.19.3-x86_64-linux-gnu.

  4. Scan the SBOM:

    osv-scanner scan source --sbom=bom.json

Expected behavior

No nokogiri component should be reported. 1.19.3 is the fixed version for both advisories, and the platform builds (1.19.3-x86_64-linux-gnu and so on) are the same release as 1.19.3.

Actual behavior

The plain 1.19.3 component is not flagged, but several platform-specific components are reported as vulnerable with a suggested fix of 1.19.3:

Total 5 packages affected by 10 known vulnerabilities (0 Critical, 5 High, 5 Medium, 0 Low, 0 Unknown) from 1 ecosystem.

| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE  | VERSION                   | FIXED VERSION |
| https://osv.dev/GHSA-c4rq-3m3g-8wgx | 7.5  | RubyGems  | nokogiri | 1.19.3-aarch64-linux-gnu  | 1.19.3        |
| https://osv.dev/GHSA-v2fc-qm4h-8hqv | 5.3  | RubyGems  | nokogiri | 1.19.3-aarch64-linux-gnu  | 1.19.3        |
| https://osv.dev/GHSA-c4rq-3m3g-8wgx | 7.5  | RubyGems  | nokogiri | 1.19.3-aarch64-linux-musl | 1.19.3        |
| https://osv.dev/GHSA-v2fc-qm4h-8hqv | 5.3  | RubyGems  | nokogiri | 1.19.3-aarch64-linux-musl | 1.19.3        |
| https://osv.dev/GHSA-c4rq-3m3g-8wgx | 7.5  | RubyGems  | nokogiri | 1.19.3-arm-linux-gnu      | 1.19.3        |
| https://osv.dev/GHSA-v2fc-qm4h-8hqv | 5.3  | RubyGems  | nokogiri | 1.19.3-arm-linux-gnu      | 1.19.3        |
| https://osv.dev/GHSA-c4rq-3m3g-8wgx | 7.5  | RubyGems  | nokogiri | 1.19.3-arm-linux-musl     | 1.19.3        |
| https://osv.dev/GHSA-v2fc-qm4h-8hqv | 5.3  | RubyGems  | nokogiri | 1.19.3-arm-linux-musl     | 1.19.3        |
| https://osv.dev/GHSA-c4rq-3m3g-8wgx | 7.5  | RubyGems  | nokogiri | 1.19.3-arm64-darwin       | 1.19.3        |
| https://osv.dev/GHSA-v2fc-qm4h-8hqv | 5.3  | RubyGems  | nokogiri | 1.19.3-arm64-darwin       | 1.19.3        |

Additional notes

The result is also inconsistent across platforms. Only the non x86_64 variants are flagged (aarch64-linux-gnu, aarch64-linux-musl, arm-linux-gnu, arm-linux-musl, arm64-darwin). The x86_64-darwin, x86_64-linux-gnu, and x86_64-linux-musl variants are present in the SBOM but are not flagged, same as the plain 1.19.3. That difference points at how the platform suffix is tokenized during version comparison.

Attachments

bom.json

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions