Vuln fixes

CHANGELOG.md

@@ -12,6 +12,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   [cyberark/conjur-service-broker#306](https://github.com/cyberark/conjur-service-broker/pull/306)
 
 ### Security
+- Update activesupport in Gemfile.lock to 6.1.7.1 for CVE-2023-22796 (not vulnerable)
+  [cyberark/conjur-service-broker#310](https://github.com/cyberark/conjur-service-broker/pull/310)
 - Update activesupport in tests/integration/test-app/Gemfile.lock to 7.0.4.1
   for CVE-2023-22796 (not vulnerable) 
   [cyberark/conjur-service-broker#307](https://github.com/cyberark/conjur-service-broker/pull/307)

Gemfile.lock

@@ -1,20 +1,20 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (6.1.7)
-      actionview (= 6.1.7)
-      activesupport (= 6.1.7)
+    actionpack (6.1.7.2)
+      actionview (= 6.1.7.2)
+      activesupport (= 6.1.7.2)
       rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.1.7)
-      activesupport (= 6.1.7)
+    actionview (6.1.7.2)
+      activesupport (= 6.1.7.2)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (6.1.7)
+    activesupport (6.1.7.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
@@ -35,13 +35,14 @@ GEM
       thor (~> 1.0)
     byebug (11.1.3)
     childprocess (4.1.0)
-    ci_reporter (2.0.0)
+    ci_reporter (2.1.0)
       builder (>= 2.1.2)
+      rexml
     ci_reporter_rspec (1.0.0)
       ci_reporter (~> 2.0)
       rspec (>= 2.14, < 4)
     coderay (1.1.3)
-    concurrent-ruby (1.1.10)
+    concurrent-ruby (1.2.2)
     conjur-api (5.3.7)
       activesupport (>= 4.2)
       addressable (~> 2.0)
@@ -109,14 +110,14 @@ GEM
     method_source (1.0.0)
     mime-types (3.4.1)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2022.0105)
+    mime-types-data (3.2023.0218.1)
     mini_portile2 (2.8.1)
     minitest (5.17.0)
     multi_json (1.15.0)
     multi_test (0.1.2)
     netrc (0.11.0)
     nio4r (2.5.8)
-    nokogiri (1.13.10)
+    nokogiri (1.14.2)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
     pry (0.14.2)
@@ -135,11 +136,11 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.4)
+    rails-html-sanitizer (1.5.0)
       loofah (~> 2.19, >= 2.19.1)
-    railties (6.1.7)
-      actionpack (= 6.1.7)
-      activesupport (= 6.1.7)
+    railties (6.1.7.2)
+      actionpack (= 6.1.7.2)
+      activesupport (= 6.1.7.2)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)
@@ -157,12 +158,12 @@ GEM
       rspec-core (~> 3.12.0)
       rspec-expectations (~> 3.12.0)
       rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.0)
+    rspec-core (3.12.1)
       rspec-support (~> 3.12.0)
     rspec-expectations (3.12.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.2)
+    rspec-mocks (3.12.3)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
     rspec-rails (6.0.1)
@@ -185,15 +186,15 @@ GEM
       ffi (~> 1.1)
     thor (1.2.1)
     tomlrb (2.0.3)
-    tzinfo (2.0.5)
+    tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unf (0.1.4)
       unf_ext
     unf_ext (0.0.8.2)
     with_env (1.1.0)
     xml-simple (1.1.9)
       rexml
-    zeitwerk (2.6.6)
+    zeitwerk (2.6.7)
 
 PLATFORMS
   ruby
@@ -226,4 +227,4 @@ RUBY VERSION
    ruby 3.1.3p185
 
 BUNDLED WITH
-   2.3.26
+   2.4.6

NOTICES.txt

@@ -16,12 +16,12 @@ SECTION 2: BSD-3-Clause
 
 SECTION 3: MIT
 
->>> https://rubygems.org/gems/actionview/versions/6.1.7
->>> https://rubygems.org/gems/activesupport/versions/6.1.7
+>>> https://rubygems.org/gems/actionview/versions/6.1.7.2
+>>> https://rubygems.org/gems/activesupport/versions/6.1.7.2
 >>> https://rubygems.org/gems/json-schema/versions/2.8.0
 >>> https://rubygems.org/gems/listen/versions/3.0.8
 >>> https://rubygems.org/gems/rack/versions/2.2.5
->>> https://rubygems.org/gems/railties/versions/6.1.7
+>>> https://rubygems.org/gems/railties/versions/6.1.7.2
 
 
 APPENDIX: Standard License Files and Templates
@@ -90,7 +90,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 MIT License is applicable to the following component(s).
 
->>> https://rubygems.org/gems/actionview/versions/6.1.7
+>>> https://rubygems.org/gems/actionview/versions/6.1.7.2
 
 Copyright (c) 2004-2022 David Heinemeier Hansson
 
@@ -112,7 +112,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
->>> https://rubygems.org/gems/activesupport/versions/6.1.7
+>>> https://rubygems.org/gems/activesupport/versions/6.1.7.2
 
 Copyright (c) 2005-2022 David Heinemeier Hansson
 
@@ -200,7 +200,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 
->>> https://rubygems.org/gems/railties/versions/6.1.7
+>>> https://rubygems.org/gems/railties/versions/6.1.7.2
 
 Copyright (c) 2004-2022 David Heinemeier Hansson
 

buildpack-health-check/go.mod

@@ -7,6 +7,6 @@ require github.com/cyberark/conjur-api-go v0.10.2
 require (
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
-	golang.org/x/sys v0.0.0-20211214234402-4825e8c3871d // indirect
+	golang.org/x/sys v0.1.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )

buildpack-health-check/go.sum

@@ -14,8 +14,9 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20211214234402-4825e8c3871d h1:1oIt9o40TWWI9FUaveVpUvBe13FNqBNVXy3ue2fcfkw=
 golang.org/x/sys v0.0.0-20211214234402-4825e8c3871d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

tests/integration/test-app/Gemfile

@@ -1,6 +1,9 @@
 source 'https://rubygems.org'
 
+ruby '~> 3.1'
+
 gem 'sinatra', ">= 2.0.2"
 gem 'rack', ">= 2.0.6"
 gem 'conjur-api'
 gem 'conjur-cli'
+gem 'thin'

tests/integration/test-app/Gemfile.lock

@@ -1,70 +1,88 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.0.4.1)
+    activesupport (6.1.7.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
-    concurrent-ruby (1.1.10)
-    conjur-api (5.0.0)
-      activesupport
+      zeitwerk (~> 2.3)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
+    concurrent-ruby (1.2.2)
+    conjur-api (5.4.0)
+      activesupport (>= 4.2)
+      addressable (~> 2.0)
       rest-client
-    conjur-cli (6.0.0)
-      activesupport
-      conjur-api (~> 5.0.0.beta)
+    conjur-cli (6.2.6)
+      activesupport (~> 6.0)
+      conjur-api (~> 5.3)
       deep_merge (~> 1.0)
       gli (>= 2.8.0)
-      highline (~> 1.7)
+      highline (~> 2.0)
       netrc (~> 0.10)
       table_print (~> 1.5)
-      xdg (~> 2.2)
-    deep_merge (1.2.1)
-    domain_name (0.5.20170404)
+      xdg (= 2.2.3)
+    daemons (1.4.1)
+    deep_merge (1.2.2)
+    domain_name (0.5.20190701)
       unf (>= 0.0.5, < 1.0.0)
-    gli (2.17.1)
-    highline (1.7.8)
-    http-cookie (1.0.3)
+    eventmachine (1.2.7)
+    gli (2.21.0)
+    highline (2.1.0)
+    http-accept (1.7.0)
+    http-cookie (1.0.5)
       domain_name (~> 0.5)
     i18n (1.12.0)
       concurrent-ruby (~> 1.0)
-    mime-types (3.1)
+    mime-types (3.4.1)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2016.0521)
+    mime-types-data (3.2023.0218.1)
     minitest (5.17.0)
-    mustermann (2.0.2)
+    mustermann (3.0.0)
       ruby2_keywords (~> 0.0.1)
     netrc (0.11.0)
-    rack (2.2.3.1)
-    rack-protection (2.2.3)
+    public_suffix (5.0.1)
+    rack (2.2.6.2)
+    rack-protection (3.0.5)
       rack
-    rest-client (2.0.2)
+    rest-client (2.1.0)
+      http-accept (>= 1.7.0, < 2.0)
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
     ruby2_keywords (0.0.5)
-    sinatra (2.2.3)
-      mustermann (~> 2.0)
-      rack (~> 2.2)
-      rack-protection (= 2.2.3)
+    sinatra (3.0.5)
+      mustermann (~> 3.0)
+      rack (~> 2.2, >= 2.2.4)
+      rack-protection (= 3.0.5)
       tilt (~> 2.0)
-    table_print (1.5.6)
-    tilt (2.0.11)
-    tzinfo (2.0.5)
+    table_print (1.5.7)
+    thin (1.8.1)
+      daemons (~> 1.0, >= 1.0.9)
+      eventmachine (~> 1.0, >= 1.0.4)
+      rack (>= 1, < 3)
+    tilt (2.1.0)
+    tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unf (0.1.4)
       unf_ext
-    unf_ext (0.0.7.4)
+    unf_ext (0.0.8.2)
     xdg (2.2.3)
+    zeitwerk (2.6.7)
 
 PLATFORMS
-  ruby
+  x86_64-linux
 
 DEPENDENCIES
   conjur-api
   conjur-cli
   rack (>= 2.0.6)
   sinatra (>= 2.0.2)
+  thin
+
+RUBY VERSION
+   ruby 3.1.3p185
 
 BUNDLED WITH
-   1.17.3
+   2.4.6