no vulnerabilities

[mikz]

the same problem as #5 and #7

consider using bundle-audit check --update to auto update the vulnerabilities database

[wfleming]

At the moment, we run all engines in containers without network access for security reasons, so unfortunately using --update at run time is not possible. We do keep track of changes to the ruby-advisory-db (which bundler-audit uses to track vulnerabilities) & release new builds of the engine as soon as we can when there are changes there.

If you're using the CLI, you may not be on our most recent version: if you're on OS X & using Homebrew, brew update && brew upgrade codeclimate will update both the CLI and any engines you have installed. You can make sure you have the most recent bundler-audit at any time by running docker pull codeclimate/codeclimate-bundler-audit.

We're investigating ways to make some of this more automatic in the future, but hopefully those suggestions help you for now.

[mikz]

@wfleming still happening. Updated to the latest image and have the same results:

$  codeclimate analyze -e bundler-audit
Starting analysis
Running bundler-audit: Done!

Analysis complete! Found 0 issues.

the docker image id is 32d2599724c6

[dblandin]

@mikz It's possible that you might have encountered an unrelated bug stemming from unhandled InsecureSource vulnerabilities. We addressed the bug recently and and pushed an updated image to codeclimate.com and Docker Hub for the CLI. This bug would cause silent failures and often no output from the engine, which easily could have been interpreted as an out-of-date database.

Would you mind following the upgrade steps again and testing out the new version?

[mikz]

@dblandin it improved. Now it says:

Insecure Source URI found: git://github.com/3scale/ci_reporter_shell.git
Insecure Source URI found: git://github.com/3scale/rspec-html-matchers.git
Insecure Source URI found: git://github.com/HakubJozak/sour.git
Insecure Source URI found: git://github.com/ceritium/html-pipeline.git

But the bundle-audit ran locally outputs:

Insecure Source URI found: git://github.com/3scale/ci_reporter_shell.git
Insecure Source URI found: git://github.com/3scale/rspec-html-matchers.git
Insecure Source URI found: git://github.com/HakubJozak/sour.git
Insecure Source URI found: git://github.com/ceritium/html-pipeline.git
Name: RedCloth
Version: 4.2.9
Advisory: CVE-2012-6684
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/115941
Title: RedCloth Gem for Ruby Textile Link Parsing XSS
Solution: remove or disable this gem until a patch is available!

Name: actionpack
Version: 4.0.13
Advisory: CVE-2015-7576
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
Title: Timing attack vulnerability in basic authentication in Action Controller.
Solution: upgrade to ~> 5.0.0.beta1.1, ~> 4.2.5.1, ~> 4.1.14.1, ~> 3.2.22.1

Name: actionpack
Version: 4.0.13
Advisory: CVE-2015-7581
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
Title: Object leak vulnerability for wildcard controller routes in Action Pack
Solution: upgrade to ~> 4.2.5.1, ~> 4.1.14.1

Name: actionpack
Version: 4.0.13
Advisory: CVE-2016-0751
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
Title: Possible Object Leak and Denial of Service attack in Action Pack
Solution: upgrade to ~> 5.0.0.beta1.1, ~> 4.2.5.1, ~> 4.1.14.1, ~> 3.2.22.1

Name: activerecord
Version: 4.0.13
Advisory: CVE-2015-7577
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
Title: Nested attributes rejection proc bypass in Active Record
Solution: upgrade to ~> 5.0.0.beta1.1, ~> 4.2.5.1, ~> 4.1.14.1, ~> 3.2.22.1

Name: activesupport
Version: 4.0.13
Advisory: CVE-2015-3227
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
Title: Possible Denial of Service attack in Active Support
Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22

Name: jquery-rails
Version: 3.0.4
Advisory: CVE-2015-1840
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
Title: CSRF Vulnerability in jquery-rails
Solution: upgrade to >= 4.0.4, ~> 3.1.3

Name: paperclip
Version: 4.2.0
Advisory: CVE-2015-2963
Criticality: Medium
URL: https://robots.thoughtbot.com/paperclip-security-release
Title: Paperclip Gem for Ruby vulnerable to content type spoofing
Solution: upgrade to >= 4.2.2

Name: redcarpet
Version: 2.3.0
Advisory: 120415
Criticality: Unknown
URL: http://danlec.com/blog/bug-in-sundown-and-redcarpet
Title: redcarpet Gem for Ruby markdown.c parse_inline() Function XSS
Solution: upgrade to >= 3.2.3

Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-1820
Criticality: Unknown
URL: https://github.com/rest-client/rest-client/issues/369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0

Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-3448
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/117461
Title: Rest-Client Gem for Ruby logs password information in plaintext
Solution: upgrade to >= 1.7.3

Name: sidekiq
Version: 3.3.4
Advisory: 125675
Criticality: Unknown
URL: https://github.com/mperham/sidekiq/pull/2422
Title: Sidekiq Gem for Ruby Multiple Unspecified CSRF
Solution: upgrade to >= 3.4.2

Name: sidekiq
Version: 3.3.4
Advisory: 125676
Criticality: Unknown
URL: https://github.com/mperham/sidekiq/issues/2330
Title: Sidekiq Gem for Ruby web/views/queue.erb CurrentMessagesInQueue Element
Reflected XSS
Solution: upgrade to >= 3.4.0

Name: sidekiq
Version: 3.3.4
Advisory: 125678
Criticality: Unknown
URL: https://github.com/mperham/sidekiq/pull/2309
Title: Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS
Solution: upgrade to >= 3.4.0

Name: sidekiq-pro
Version: 2.0.5
Advisory: 126331
Criticality: Unknown
URL: https://github.com/mperham/sidekiq/commit/651400ed8f237118346895c99dc28ca94f3169d3
Title: Sidekiq Pro Gem for Ruby CSRF in Job Filtering
Solution: upgrade to >= 2.0.6

Name: uglifier
Version: 2.7.1
Advisory: 126747
Criticality: Unknown
URL: https://github.com/mishoo/UglifyJS2/issues/751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2

Vulnerabilities found!

[dblandin]

@mikz Thanks for the info! That's Interesting. Would you mind sharing a gist with your Gemfile.lock file? You can see the files we're currently testing against in the spec/fixtures directory. I wish rubysec had a repo like https://github.com/nodesecurity/demo full of known gem vulnerabilities to test bundler-audit against.

[mikz]

@dblandin I can't share it publicly, but it is in our codeclimate account.

[dblandin]

@mikz Thank you for your help tracking down this issue!

I've opened a PR which I believe addresses the bug you (and likely many others) are running into. Turns out that there is an problem in our Dockerfile which prevents the engine from referencing the updated vulnerability database correctly, leading to undetected issues. I hope to release an updated engine image soon, but feel free to build from source and verify the fix locally.

# grab the engine source
git clone git@github.com:codeclimate/codeclimate-bundler-audit.git
cd codeclimate-bundler-audit
git checkout origin devon/devon/update-bundler-audit-db-as-app

# build the engine
docker build -t codeclimate/codeclimate-bundler-audit .

# run the engine
cd ~/path/to/your/app
codeclimate analyze -e bundler-audit

[mikz]

@dblandin it works!

== Gemfile.lock (20 issues) ==
2: Insecure Source URI found: git://github.com/3scale/ci_reporter_shell.git [bundler-audit]
9: Insecure Source URI found: git://github.com/3scale/rspec-html-matchers.git [bundler-audit]
17: Insecure Source URI found: git://github.com/HakubJozak/sour.git [bundler-audit]
23: Insecure Source URI found: git://github.com/ceritium/html-pipeline.git [bundler-audit]
84: RedCloth Gem for Ruby Textile Link Parsing XSS [bundler-audit]
89: Possible Object Leak and Denial of Service attack in Action Pack [bundler-audit]
89: Object leak vulnerability for wildcard controller routes in Action Pack [bundler-audit]
89: Timing attack vulnerability in basic authentication in Action Controller. [bundler-audit]
109: Nested attributes rejection proc bypass in Active Record [bundler-audit]
115: Possible Denial of Service attack in Active Support
 [bundler-audit]
348: CSRF Vulnerability in jquery-rails [bundler-audit]
421: Paperclip Gem for Ruby vulnerable to content type spoofing
 [bundler-audit]
503: redcarpet Gem for Ruby markdown.c parse_inline() Function XSS [bundler-audit]
537: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses [bundler-audit]
537: Rest-Client Gem for Ruby logs password information in plaintext [bundler-audit]
614: Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS [bundler-audit]
614: Sidekiq Gem for Ruby web/views/queue.erb CurrentMessagesInQueue Element
Reflected XSS
 [bundler-audit]
614: Sidekiq Gem for Ruby Multiple Unspecified CSRF [bundler-audit]
620: Sidekiq Pro Gem for Ruby CSRF in Job Filtering [bundler-audit]
708: uglifier incorrectly handles non-boolean comparisons during minification [bundler-audit]

Analysis complete! Found 20 issues.

That matches all 20 found by local bundler-audit. Great work!

[dblandin]

@mikz 🙌

Thanks so much for your help! I've pushed out the updated engine image which should now be available for the CLI (after updating engines w/ codeclimate engines:install) and our hosted service.

Would you mind sending me an email at devon@codeclimate.com so I can follow up?

Thanks!