
codeclimate-bundler-audit's Issues

ruby-advisory-db out of date, CC wrongly analyzing upgrades to Rails v4.2.6

On one hand, according to https://hub.docker.com/r/codeclimate/codeclimate-bundler-audit/, it was last pushed 9 days ago.

On the other hand, due to this (already solved) issue in ruby-advisory-db, several vulnerabilities were being wrongly reported for Rails v4.2.6.

It would be nice if you could re-build the image (so it runs bundle-audit update) to get rid of all those fake warnings when analyzing the dependencies' upgrade.

Thank you in advance!

Why does this fail in a rubygem?

Rubygems are not supposed to commit their Gemfile.lock...

So why is this project running and failing builds on CodeClimate?

Took me so long to figure out this was breaking my CodeClimate integration that I've already begun migrating to other services... (CodeCov, etc)

Please fix!

Failure: https://codeclimate.com/github/pboling/shiftable/builds/26

[Screenshot attached: Screen Shot 2021-10-27 at 7.12.06 PM]

  1. I did not turn this on
  2. I don't know how to turn it off
  3. It is breaking my CC build
  4. That prevents my stats from updating, leaving my repo's badges stale
  5. RubyGems shouldn't ever depend on a Gemfile.lock; it doesn't make ANY sense.

💢

support finding the Gemfile.lock in a subdirectory

While I understand it is not common for the Gemfile to be anywhere but in the root of the repository, I have a project where it is under the test/ directory. In its current state, this audit is unable to find it and I get the following error:

/usr/src/app/lib/cc/engine/bundler_audit/analyzer.rb:16:in `run': No Gemfile.lock found. (CC::Engine::BundlerAudit::Analyzer::GemfileLockNotFound)
    from /usr/src/app/bin/bundler-audit:7:in `<main>'

Would it be possible to either scan subdirectories or enable a configuration so that the containing directory could be provided?
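One way the engine could locate a lockfile outside the repository root, as an added example that is not code from codeclimate-bundler-audit itself. It supports both options asked for above: an explicit path (the `configured:` keyword stands in for a hypothetical engine config key) and a tree walk that skips directories such as vendor/ and node_modules/, whose Gemfile.lock belongs to some other project and would produce findings for gems you do not actually ship. The SKIP_DIRS list and the sample repository layout are my own constructions.

```ruby
require 'find'
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Directories whose Gemfile.lock belongs to someone else's project (vendored
# gems, checked-in node modules) and should not be audited as ours.  This list
# is an assumption for the example, not engine configuration.
SKIP_DIRS = %w[.git node_modules vendor tmp].freeze

# Locate lockfiles under +root+.  With +configured+ (e.g. "test/Gemfile.lock",
# standing in for a hypothetical engine config key), only that path is
# accepted; otherwise the tree is walked, SKIP_DIRS are pruned, and relative
# paths are returned shallowest first so a root lockfile wins when it exists.
def find_lockfiles(root, configured: nil)
  root = Pathname.new(root).expand_path
  if configured
    return root.join(configured).file? ? [configured] : []
  end

  found = []
  Find.find(root.to_s) do |path|
    base = File.basename(path)
    if path != root.to_s && File.directory?(path) && SKIP_DIRS.include?(base)
      Find.prune                     # do not descend into vendored trees
    elsif base == 'Gemfile.lock' && File.file?(path)
      found << Pathname.new(path).relative_path_from(root).to_s
    end
  end
  found.sort_by { |rel| [rel.count('/'), rel] }
end

# Constructed repository layout matching the report above: the only real
# lockfile lives under test/, and a vendored gem carries its own lockfile
# that must be skipped.
def build_sample_repo(with_root_lockfile: false)
  dir = Dir.mktmpdir('lockfile-scan')
  FileUtils.mkdir_p(File.join(dir, 'test'))
  FileUtils.mkdir_p(File.join(dir, 'vendor', 'bundle', 'gems', 'somegem'))
  File.write(File.join(dir, 'test', 'Gemfile.lock'), "GEM\n  specs:\n")
  File.write(File.join(dir, 'vendor', 'bundle', 'gems', 'somegem', 'Gemfile.lock'), "GEM\n  specs:\n")
  File.write(File.join(dir, 'Gemfile.lock'), "GEM\n  specs:\n") if with_root_lockfile
  dir
end

if $PROGRAM_NAME == __FILE__
  repo = build_sample_repo
  p find_lockfiles(repo)                                   # ["test/Gemfile.lock"]
  p find_lockfiles(repo, configured: 'test/Gemfile.lock')  # ["test/Gemfile.lock"]
  FileUtils.remove_entry(repo)
end
```

Returning every candidate rather than the first hit lets the caller decide whether to audit all of them or fail loudly when more than one is found; silently picking one is how a vendored lockfile ends up being the thing that gets audited.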

no vulnerabilities

The same problem as #5 and #7.

Consider using bundle-audit check --update to auto-update the vulnerabilities database.

bundle-audit update?

As it stands now, I think bundle-audit update can only happen when a new image version is created. What can be done to allow the vulnerability database to be updated more often than when there is a new repo commit?

Ignore switch

Is there any way to specify issues to ignore, like can be done with the --ignore switch to bundle-audit on the command line?

There is version 0.7.0.1 of bundler-audit available

It was released some time ago https://github.com/rubysec/bundler-audit/blob/master/ChangeLog.md

codeclimate-bundler-audit is still using old version.

This is resulting in some vulnerabilities not being found.

Output from version 0.6.1 does not detect the rack vulnerability, which is detected by 0.7.0:

Name: rack
Version: 2.0.9
Advisory: CVE-2020-8161
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Description:

  There was a possible directory traversal vulnerability in the Rack::Directory app that is bundled with Rack.

  Versions Affected: rack < 2.2.0 Not affected: Applications that do not use Rack::Directory. Fixed Versions: 2.1.3, >= 2.2.0

  Impact ------

  If certain directories exist in a director that is managed by `Rack::Directory`, an attacker could, using this vulnerability,
  read the contents of files on the server that were outside of the root specified in the Rack::Directory initializer.

  Workarounds -----------

  Until such time as the patch is applied or their Rack version is upgraded, we recommend that developers do not use
  Rack::Directory in their applications.

Solution: upgrade to ~> 2.1.3, >= 2.2.0

Vulnerabilities found!

Does not find Vulnerability

When I run the bundler-audit gem on the command line, it finds:

$ bundle-audit check
Name: uglifier
Version: 2.7.1
Advisory: 126747
Criticality: Unknown
URL: https://github.com/mishoo/UglifyJS2/issues/751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2

Vulnerabilities found!

When I run it on the CodeClimate CLI, I get:

Starting analysis

Analysis complete! Found 0 issues.
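The reports above (stale advisory data, the --ignore switch, and the rack and uglifier findings) all come down to one check: each gem version in Gemfile.lock is compared against the patched and unaffected version requirements of every advisory for that gem. The following is an added example, not code from bundler-audit or from the engine, that reproduces that check with only the Ruby standard library. The lockfile and the advisory snapshot are constructed inline; the two advisories are transcribed from the bundle-audit output quoted in the issues above and laid out in the ruby-advisory-db YAML format. Because the advisory data is a frozen snapshot, an advisory missing from it is simply never reported, which is exactly what a Docker image built from an outdated ruby-advisory-db does. bundler-audit itself parses the lockfile with Bundler::LockfileParser; the small parser here is a stand-in.

```ruby
require 'yaml'
require 'rubygems'   # Gem::Version and Gem::Requirement

# Constructed Gemfile.lock excerpt (sample input for this example).  The gem
# versions match the two reports above: rack 2.0.9 and uglifier 2.7.1.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      execjs (2.7.0)
      rack (2.0.9)
      rake (13.0.1)
      uglifier (2.7.1)
        execjs (>= 0.3.0, < 3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rake
    uglifier
LOCK

# Constructed advisory snapshot in the ruby-advisory-db YAML layout
# (gem, cve/osvdb/ghsa, title, patched_versions, unaffected_versions),
# transcribed from the bundle-audit output quoted above.  A real run reads
# one YAML file per advisory from the checked-out ruby-advisory-db.
SAMPLE_ADVISORIES = YAML.safe_load(<<~YAML)
  - gem: rack
    cve: "2020-8161"
    title: Directory traversal in Rack::Directory
    patched_versions:
      - "~> 2.1.3"
      - ">= 2.2.0"
  - gem: uglifier
    osvdb: 126747
    title: uglifier incorrectly handles non-boolean comparisons during minification
    patched_versions:
      - ">= 2.7.2"
YAML

# Minimal parser for the "specs:" block of a Gemfile.lock, returning
# [name, version] pairs.  Gem lines are indented exactly four spaces;
# their dependencies (six spaces) are deliberately not matched.
def parse_lockfile(text)
  in_specs = false
  text.each_line.with_object([]) do |line, specs|
    line = line.chomp
    if line.match?(/\A[A-Z]/)          # section header: GEM, PLATFORMS, ...
      in_specs = false
    elsif line == '  specs:'
      in_specs = true
    elsif in_specs && (m = line.match(/\A    (\S+) \(([^)]+)\)\z/))
      specs << [m[1], m[2]]
    end
  end
end

# The advisory name bundle-audit prints and that --ignore accepts.
def advisory_id(adv)
  return "CVE-#{adv['cve']}"     if adv['cve']
  return "GHSA-#{adv['ghsa']}"   if adv['ghsa']
  return "OSVDB-#{adv['osvdb']}" if adv['osvdb']
  adv['title']
end

# A version is vulnerable unless it satisfies some unaffected or patched
# requirement; an advisory with neither list flags every version.
def vulnerable?(version, adv)
  v = Gem::Version.new(version)
  safe = Array(adv['unaffected_versions']) + Array(adv['patched_versions'])
  safe.none? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Cross the lockfile against the advisory snapshot, skipping ignored advisory
# names the way `bundle-audit check --ignore CVE-... OSVDB-...` does.
def audit(lockfile_text, advisories, ignore: [])
  parse_lockfile(lockfile_text).flat_map do |name, version|
    advisories
      .select { |adv| adv['gem'] == name && !ignore.include?(advisory_id(adv)) }
      .select { |adv| vulnerable?(version, adv) }
      .map do |adv|
        { gem: name, version: version, advisory: advisory_id(adv),
          solution: "upgrade to #{Array(adv['patched_versions']).join(', ')}" }
      end
  end
end

if $PROGRAM_NAME == __FILE__
  findings = audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES, ignore: ARGV)
  findings.each do |f|
    puts "Name: #{f[:gem]}\nVersion: #{f[:version]}\nAdvisory: #{f[:advisory]}\nSolution: #{f[:solution]}\n\n"
  end
  puts findings.empty? ? 'No vulnerabilities found' : 'Vulnerabilities found!'
end
```

Run it with no arguments and both findings print; pass OSVDB-126747 on the command line and only the rack finding remains. Note what the ignore list is keyed on: the advisory name, not the gem, so a new advisory against the same gem is still reported after an old one has been ignored.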
