
Error raised for config/environment.rb file in non-rails code (Redmine plugin) #995

Closed
ParthBarot-BoTreeConsulting opened this Issue Feb 7, 2017 · 1 comment


ParthBarot-BoTreeConsulting commented Feb 7, 2017

When I am trying to set up codeclimate for my Redmine plugin, it fails with the following brakeman error. The support has asked to try using an empty file, but I thought I would report it here in case anyone has an easy solution.

```
File does not exist: 'config/environment.rb'; Path is not a file: 'config/environment.rb':
{"type"=>"Issue", "check_name"=>"CVE_2015_3227",
  "description"=>"Rails 3.x is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version 3.2.22",
  "fingerprint"=>"73e352cd7b43b0a4045a100d43b7707bebf3caeaec223a191375cde74f7e2b52",
  "categories"=>["Security"], "severity"=>"normal", "remediation_points"=>300000,
  "location"=>{"path"=>"config/environment.rb", "lines"=>{"begin"=>1, "end"=>1}},
  "content"=>{"body"=>"Read more: https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"}}
```
Owner

presidentbeef commented Feb 7, 2017

Hi Paarth,

The empty file is the easy solution. However, this warning should also not be reported when the exact Rails version is not known. This is a known issue and will be fixed shortly.
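The gating behaviour described in the reply above, as an added example that is not Brakeman's own code: a version-dependent check stays silent when the Rails version is unknown (the Redmine plugin case, where no `config/environment.rb` exists) and only fires for the Rails 3.x range named in the issue's warning text. The `rails_version` input and the `cve_2015_3227_warning` helper are assumptions for illustration.

```ruby
require 'rubygems'

# Rails 3 release that fixes CVE-2015-3227, per the warning text quoted in the issue.
CVE_2015_3227_FIXED = Gem::Version.new('3.2.22')

# Decide whether to emit the CVE-2015-3227 warning for a detected Rails version.
# `rails_version` is a string such as "3.2.21", or nil when the scanner could not
# determine it (a plugin scanned outside a Rails app, as in this issue).
# Returns a warning hash in the shape shown in the issue, or nil when nothing
# should be reported. (Hypothetical helper, not Brakeman's implementation.)
def cve_2015_3227_warning(rails_version)
  # Unknown or unparsable version: stay silent rather than guess. This is the
  # behaviour the fix "Only report CVE-2015-3227 when version known" adds.
  return nil if rails_version.nil?
  return nil unless Gem::Version.correct?(rails_version)

  version = Gem::Version.new(rails_version)

  # This example models only the Rails 3.x branch named in the issue's warning
  # text; other release branches are out of scope here and are not flagged.
  return nil unless version.segments.first == 3
  return nil if version >= CVE_2015_3227_FIXED

  {
    'type' => 'Issue',
    'check_name' => 'CVE_2015_3227',
    'description' => "Rails #{rails_version} is vulnerable to denial of service " \
                     'via XML parsing (CVE-2015-3227). Upgrade to Rails version 3.2.22',
    'categories' => ['Security'],
    'severity' => 'normal'
  }
end

# Constructed scan scenarios: the plugin case (no version) plus two known versions.
SCENARIOS = {
  'redmine plugin, version unknown' => nil,
  'rails 3.2.21' => '3.2.21',
  'rails 3.2.22' => '3.2.22'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SCENARIOS.each do |label, version|
    result = cve_2015_3227_warning(version)
    puts "#{label}: #{result ? result['check_name'] : 'no warning'}"
  end
end
```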

presidentbeef added a commit that referenced this issue Feb 8, 2017

Only report CVE-2015-3227 when version known
exact version.

Fixes #993 and fixes #995

@presidentbeef presidentbeef closed this in #996 Feb 9, 2017

Repository owner locked and limited conversation to collaborators May 18, 2017
