I knew that Rack had several vulnerabilities (http://www.cvedetails.com/vulnerability-list/vendor_id-12598/product_id-24629/Rack-Project-Rack.html), so I wanted to check for them. I created new CVE files based on your existing ones - completing the info as best I could (let me know if/how you want them added). I am using an older minor version (1.4.) and did not want to jump to the latest version (1.5.), but there is a fix for that version (1.4.5).
The problem I encountered is that the vulnerability check still flagged the gem even though I updated to one of the fix versions, just not the latest number. So I believe there is a flaw in your looping logic when multiple fix versions are available. Example list of fixes for Rack:
Perhaps you could sort the array of versions before processing the numbers. Then you may need to break out of the loop once a matching major + minor combo has been found, so it does not look for newer versions and report a false positive.
```ruby
# Returns true when target_version ("major.minor.patch") is still vulnerable
# given the list of fix versions. The fixes are sorted numerically rather than
# with a plain String sort (which would order "1.4.10" before "1.4.5"), and the
# loop stops at the first fix release on the target's own major.minor branch.
def vulnerable?(target_version, fixes)
  ret = false
  target_v_array = target_version.split(".").map(&:to_i)
  sorted_fixes = fixes.sort_by { |fv| fv.split(".").map(&:to_i) }
  sorted_fixes.each do |fv|
    fixes_v_array = fv.split(".").map(&:to_i)
    # same major version
    if target_v_array[0] == fixes_v_array[0]
      # same minor version
      if target_v_array[1] == fixes_v_array[1]
        # previous patch version, so vulnerable
        if target_v_array[2] < fixes_v_array[2]
          ret = true
        end
        # no need to look at other fix versions
        break
      end
      # same major but previous minor
      if target_v_array[1] < fixes_v_array[1]
        ret = true
      end
    end
  end
  ret
end
```
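The false positive described in the issue, reproduced side by side with a branch-aware check, as an added example that is not part of the original issue or the project's code. It uses RubyGems' own `Gem::Version` for numeric comparison; the fix list is constructed sample data, and the naive check is one plausible model of the flawed loop, not the tool's actual implementation.

```ruby
require "rubygems" # Gem::Version ships with RubyGems (loaded by default on modern Ruby)

# Constructed sample fix list for one advisory: the patched release on each
# maintained branch. Illustrative values only, not taken from a real Rack advisory.
FIX_VERSIONS = %w[1.5.2 1.4.5 1.3.10].freeze

# Naive check (assumed model of the flaw): flag the target whenever any listed
# fix release is newer than it. 1.4.5 gets flagged because 1.5.2 is newer,
# even though 1.4.5 is itself a patched release.
def naive_vulnerable?(target, fixes)
  t = Gem::Version.new(target)
  fixes.any? { |f| t < Gem::Version.new(f) }
end

# Branch-aware check: only the fix release on the target's own major.minor
# branch decides. Gem::Version compares segments numerically, so "1.3.9"
# correctly sorts below "1.3.10" (a plain String sort would get this wrong).
def branch_vulnerable?(target, fixes)
  t = Gem::Version.new(target)
  fix_versions = fixes.map { |f| Gem::Version.new(f) }
  same_branch = fix_versions.select { |f| f.segments[0, 2] == t.segments[0, 2] }
  if same_branch.any?
    # A patched release exists for this branch: vulnerable only below it.
    t < same_branch.min
  else
    # No fix on this branch: a branch on the same major line that is older than
    # a fix release never got a patch, so it is vulnerable; a newer branch is not.
    fix_versions.any? { |f| f.segments[0] == t.segments[0] && t < f }
  end
end

# Side-by-side report: [target, naive verdict, branch-aware verdict].
def compare_checks(targets, fixes = FIX_VERSIONS)
  targets.map { |v| [v, naive_vulnerable?(v, fixes), branch_vulnerable?(v, fixes)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_checks(%w[1.4.4 1.4.5 1.3.9 1.3.10 1.2.8 1.6.0]).each do |v, naive, branch|
    puts format("%-7s naive=%-5s branch-aware=%s", v, naive, branch)
  end
end
```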