Add GHSA reference type support for GitHub Security Advisories

Author: Chocapikk

docs/metasploit-framework.wiki/Module-Reference-Identifiers.md

@@ -18,6 +18,7 @@ US-CERT-VU | kb.cert.org | ```['US-CERT-VU', '800113']```
 ZDI | zerodayinitiative.com | ```['ZDI', '10-123']```
 WPVDB | wpvulndb.com | ```['WPVDB', '7615']```
 PACKETSTORM | packetstormsecurity.com | ```['PACKETSTORM', '132721']```
+GHSA | github.com/advisories | ```['GHSA', 'xxxx-xxxx-xxxx']```
 URL | anything | ```['URL', 'http://example.com/blog.php?id=123']```
 AKA (_deprecated_*) | anything | ~~`['AKA', 'shellshock']`~~
 

lib/msf/core/module/reference.rb

@@ -114,6 +114,10 @@ def initialize(in_ctx_id = 'Unknown', in_ctx_val = '')
       self.site = "https://wpscan.com/vulnerability/#{in_ctx_val}"
     elsif in_ctx_id == 'PACKETSTORM'
       self.site = "https://packetstormsecurity.com/files/#{in_ctx_val}"
+    elsif in_ctx_id == 'GHSA'
+      # Handle both formats: with or without GHSA- prefix
+      ghsa_id = in_ctx_val.start_with?('GHSA-') ? in_ctx_val : "GHSA-#{in_ctx_val}"
+      self.site = "https://github.com/advisories/#{ghsa_id}"
     elsif in_ctx_id == 'URL'
       self.site = in_ctx_val.to_s
     elsif in_ctx_id == 'LOGO'

tools/dev/msftidy.rb

@@ -270,6 +270,11 @@ def check_ref_identifiers
           warn("Invalid WPVDB reference") if value !~ /^\d+$/ and value !~ /^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}?$/
         when 'PACKETSTORM'
           warn("Invalid PACKETSTORM reference") if value !~ /^\d+$/
+        when 'GHSA'
+          # Allow both formats: with or without GHSA- prefix
+          # Format: GHSA-xxxx-xxxx-xxxx or xxxx-xxxx-xxxx (where xxxx is 4 alphanumeric chars)
+          ghsa_pattern = /^(?:GHSA-)?[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/i
+          warn("Invalid GHSA reference") if value !~ ghsa_pattern
         when 'URL'
           if value =~ /^https?:\/\/cvedetails\.com\/cve/
             warn("Please use 'CVE' for '#{value}'")
@@ -289,6 +294,8 @@ def check_ref_identifiers
             warn("Please use 'WPVDB' for '#{value}'")
           elsif value =~ /^https?:\/\/(?:[^\.]+\.)?packetstormsecurity\.(?:com|net|org)\//
             warn("Please use 'PACKETSTORM' for '#{value}'")
+          elsif value =~ /^https?:\/\/github\.com\/(?:advisories|[\w\-]+\/[\w\-]+\/security\/advisories)\/GHSA-/
+            warn("Please use 'GHSA' for '#{value}'")
           end
         when 'AKA'
           warn("Please include AKA values in the 'notes' section, rather than in 'references'.")

tools/modules/module_missing_reference.rb

@@ -24,6 +24,7 @@ def types
     'ZDI',
     'WPVDB',
     'PACKETSTORM',
+    'GHSA',
     'URL'
   ]
 end

tools/modules/module_reference.rb

@@ -34,6 +34,7 @@ def types
     'ZDI' => 'http://www.zerodayinitiative.com/advisories/ZDI-#{in_ctx_val}',
     'WPVDB' => 'https://wpscan.com/vulnerability/#{in_ctx_val}',
     'PACKETSTORM' => 'https://packetstormsecurity.com/files/#{in_ctx_val}',
+    'GHSA' => 'https://github.com/advisories/#{in_ctx_val}',
     'URL' => '#{in_ctx_val}'
   }
 end