Question about scanning rails engine gems #993

Closed
raivil opened this Issue Feb 6, 2017 · 2 comments

raivil commented Feb 6, 2017

Hi,

I have a private Rails engine gem that supports Rails >= 3.2.22.
Whenever this private gem gets scanned without a Gemfile, a vulnerability related to the Rails version is found (CVE-2015-3227). If a Gemfile.lock is present, no issues are found.
The gem is in a private repo without a Gemfile.lock.

Should Brakeman, while analyzing the code, consider the gemspec in the Gemfile and the actual dependencies added in the gemspec file? The spec file contains the right dependencies: spec.add_dependency "rails", ">= 3.2.22"

presidentbeef added a commit that referenced this issue Feb 8, 2017

Only report CVE-2015-3227 when version known
exact version.

Fixes #993 and fixes #995

presidentbeef closed this in #996 Feb 9, 2017

presidentbeef commented Feb 11, 2017

Hi Ronaldo,

I have noticed this issue, too. It seems the check for that CVE was not handling unknown versions properly.

I will consider adding support for gemspecs, as well.
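As an added illustration (written for this page; it is not Brakeman's code and is not from either participant), here is how the version gating the maintainer describes can be expressed in Ruby using RubyGems' Gem::Version and Gem::Requirement. An exact Rails version taken from a Gemfile.lock, or an "=" pin in a gemspec, is assessed against the vulnerable ranges; an open gemspec constraint such as ">= 3.2.22" leaves the version unknown, so no finding is reported instead of a false positive. The vulnerable ranges are derived from the fixed releases published in the Rails advisory for CVE-2015-3227 (3.2.22, 4.1.11, 4.2.2); the table, the function names and the sample lockfile and gemspec are constructed for this example.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Vulnerable ranges for CVE-2015-3227, keyed by the release that closes each
# range (fixed versions per the Rails advisory: 3.2.22, 4.1.11, 4.2.2).
# Written for this example; not Brakeman's own data. Series that received no
# fixed release (e.g. 4.0.x) are deliberately not covered here.
VULNERABLE_RANGES = {
  "3.2.22" => Gem::Requirement.new(">= 2.0.0", "< 3.2.22"),
  "4.1.11" => Gem::Requirement.new(">= 4.1.0", "< 4.1.11"),
  "4.2.2"  => Gem::Requirement.new(">= 4.2.0", "< 4.2.2")
}.freeze

# Constructed sample inputs (not taken from the thread or any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (4.2.1)
        actionpack (= 4.2.1)
        activesupport (= 4.2.1)
LOCK

SAMPLE_GEMSPEC = <<~GEMSPEC
  Gem::Specification.new do |spec|
    spec.name = "my_engine"
    spec.add_dependency "rails", ">= 3.2.22"
    spec.add_development_dependency "rspec"
  end
GEMSPEC

# Exact version of `gem_name` pinned in a Gemfile.lock, or nil when absent.
# Top-level specs sit at 4 spaces of indentation; their dependencies at 6.
def version_from_lockfile(lock_text, gem_name = "rails")
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*\z/
  lock_text.each_line do |line|
    m = pattern.match(line)
    return m[1] if m
  end
  nil
end

# Constraint a gemspec declares for `gem_name`, as a Gem::Requirement, or nil
# when the gemspec does not depend on it. Handles add_dependency and
# add_runtime_dependency, with or without parentheses; development
# dependencies are ignored because they do not ship with the gem.
def requirement_from_gemspec(gemspec_text, gem_name = "rails")
  pattern = /\.add_(?:runtime_)?dependency\s*\(?\s*["']#{Regexp.escape(gem_name)}["'](.*)/
  gemspec_text.each_line do |line|
    m = pattern.match(line)
    next unless m
    constraints = m[1].scan(/["']([^"']+)["']/).flatten
    return Gem::Requirement.new(constraints.empty? ? ">= 0" : constraints)
  end
  nil
end

# The version a requirement pins exactly (a single "= x.y.z"), or nil.
def exact_pin(requirement)
  reqs = requirement.requirements
  return nil unless reqs.length == 1 && reqs.first.first == "="
  reqs.first.last.to_s
end

# Report the CVE only when the Rails version is actually known. An exact
# version (from a lockfile or an "=" pin) is checked against the ranges; an
# open constraint such as ">= 3.2.22" is an unknown version and yields no
# finding rather than a false positive.
def assess(exact_version: nil, requirement: nil)
  if exact_version.nil? && requirement
    exact_version = exact_pin(requirement)
    return { report: false, reason: "version unknown (constraint #{requirement})" } unless exact_version
  end
  return { report: false, reason: "version unknown" } if exact_version.nil?

  version = Gem::Version.new(exact_version)
  VULNERABLE_RANGES.each do |fixed_in, range|
    if range.satisfied_by?(version)
      return { report: true, reason: "rails #{exact_version} is vulnerable, upgrade to #{fixed_in}" }
    end
  end
  { report: false, reason: "rails #{exact_version} is not in a vulnerable range" }
end

if __FILE__ == $PROGRAM_NAME
  # Lockfile present: exact version known, so 4.2.1 is reported.
  p assess(exact_version: version_from_lockfile(SAMPLE_LOCK))
  # Gemspec only: ">= 3.2.22" is not an exact version, so nothing is reported.
  p assess(requirement: requirement_from_gemspec(SAMPLE_GEMSPEC))
end
```

The trade-off to keep in mind: staying silent on an unknown version removes the false positive raised in this issue, but a gemspec constraint below the fixed release (for example ">= 3.2") can still resolve to a vulnerable Rails at install time, and only a lockfile or an exact pin makes the version known. A scanner that wants to warn in that case would need a separate, lower-confidence finding rather than reporting the CVE as confirmed.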

raivil commented Feb 11, 2017

@presidentbeef Thank you!

Repository owner locked and limited conversation to collaborators May 18, 2017