Add CVE-2019-5477 for nokogiri and rexical (#404)

Author: greysteil

gems/nokogiri/CVE-2019-5477.yml

@@ -0,0 +1,28 @@
+---
+gem: nokogiri
+cve: 2019-5477
+date: 2019-08-11
+url: https://github.com/sparklemotion/nokogiri/issues/1915
+title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
+description: |
+  A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
+  commands to be executed in a subprocess by Ruby's `Kernel.open` method.
+  Processes are vulnerable only if the undocumented method
+  `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.
+
+  This vulnerability appears in code generated by the Rexical gem versions
+  v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner
+  code for parsing CSS queries. The underlying vulnerability was addressed in
+  Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in
+  Nokogiri v1.10.4.
+
+  Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method
+  `Nokogiri::CSS::Tokenizer#load_file` with untrusted user input.
+
+patched_versions:
+  - ">= 1.10.4"
+
+related:
+  url:
+    - https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926
+    - https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ

gems/rexical/CVE-2019-5477.yml

@@ -0,0 +1,18 @@
+---
+gem: rexical
+cve: 2019-5477
+date: 2019-08-11
+url: https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926
+title: Rexical Command Injection Vulnerability
+description: |
+  A command injection vulnerability appears in code generated by the Rexical
+  gem versions v1.0.6 and earlier. It allows commands to be executed in a
+  subprocess by Ruby's `Kernel.open` method.
+
+patched_versions:
+  - ">= 1.0.7"
+
+related:
+  url:
+    - https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc#107--2019-08-06
+    - https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ