Ignore bundler CVEs and set up comments/owners for future

Signed-off-by: Andy Tinkham <andy.tinkham@cyberark.com>
cyberark · Oct 26, 2022 · ca89eaf · ca89eaf
1 parent 42254bd
commit ca89eaf
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 5 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,9 +1,12 @@
-* @cyberark/community-and-integrations-team @conjurinc/community-and-integrations-team @conjurdemos/community-and-integrations-team
+* @cyberark/community-and-integrations-team
 
 # Changes to .trivyignore require Security Architect approval
-.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
+.trivyignore @cyberark/security-architects
 
 # Changes to .codeclimate.yml require Quality Architect approval
-.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects
+.codeclimate.yml @cyberark/quality-architects
 # Changes to SECURITY.md require Security Architect approval
-SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
+SECURITY.md @cyberark/security-architects
+
+# Need to make sure we don't add something that triggers CVE-2020-36327 or CVE-2021-43809
+Gemfile* @cyberark/security-architects
diff --git a/.trivyignore b/.trivyignore
@@ -1,4 +1,12 @@
-## These vulnerabilities impact the kernel version of the container which
+# At the moment, we do not pull any private gems. Updating to 
+# a fixed version of bundler requires updating the whole project to Ruby
+# 3.0, which breaks the tests. CONJSE-1571 is entered for this upgrade 
+# process. For now, ignore the bundler CVEs since we don't trigger them
+# but we need to check it if we change the Gemfile.
+CVE-2020-36327
+CVE-2021-43809
+
+# These vulnerabilities impact the kernel version of the container which
 ## isn't used when the code is being run within Docker
 ## More info: https://docs.docker.com/engine/security/security/
 CVE-2020-12465

diff --git a/Gemfile b/Gemfile
@@ -11,6 +11,14 @@ end
 # Docker base image so it won't be updated with fuzzy matching.
 ruby '~> 2.7'
 
+# We currently use a version of Bundler with known vulnerabilities until we
+# can update this project to use Ruby 3.0. Currently, this Gemfile does not
+# include any gems in ways that trigger those vulnerabilities. However, any
+# changes to this file need to be reviewed to ensure they don't expose us
+# to CVE-2020-36327 or CVE-2021-43809. These CVEs are currently ignored in 
+# our Trivy scans and will not be caught. Adding Gemfile and Gemfile.lock
+# to CODEOWNERS to ensure reviews include security personnel for this reason.
+
 gem 'conjur-api', '~> 5.3.4'
 gem 'activesupport', '~> 5.2.6'
 gem 'railties', '~> 5.2.6'