-
Add cvss (cvss_v2, cvss_v3, cvss_v4) values back in as needed using external data in github_advisory_sync.rb.
* ~REST API Example: https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2019-10…
-
Add a `SECURITY.md` file explaining how to report vulnerabilities in bundler-audit.
* Which email address should they be sent to? (rubysec's mailing list or my email address?)
* Which PGP key, if a…
-
Looking at `#initialize` now, it seems that it should accept the scanner options (`:ignore`) and store those as instance variables. The `#scan` method would then accept the path to the `Gemfile.lock`.…
-
based on https://github.com/pyupio/safety-db/issues/2262
jayfk updated 3 years ago
-
Sometimes a CVE can be fixed through manual patching in specific cases, and in those cases it is convenient to use the `--ignore` switch to remove the bundler-audit warning.
Is there a way to pass this …
thbar updated 2 years ago
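The two posts above ask for the same shape: scanner options such as `:ignore` held by `#initialize`, the `Gemfile.lock` path given to `#scan`, and a way to keep a list of manually patched advisories out of the command line. The following is an added example written for this page, not bundler-audit's own code: the advisory entries, gem names and ids are constructed placeholders, the lockfile is constructed, and the `.bundler-audit.yml`-style loader (a YAML file with an `ignore:` list) is a hypothetical shape chosen for the example.

```ruby
require 'set'
require 'yaml'
require 'tmpdir'

# Constructed stand-in for an advisory database. These are NOT ruby-advisory-db
# entries; gem names, version ranges and ids are placeholders for this example.
ADVISORIES = [
  { gem: 'examplegem', vulnerable: '< 1.1.0',           id: 'EXAMPLE-ADV-0001' },
  { gem: 'otherlib',   vulnerable: '>= 2.0.0, < 2.3.1', id: 'EXAMPLE-ADV-0002' },
  { gem: 'otherlib',   vulnerable: '< 1.0.0',           id: 'EXAMPLE-ADV-0003' }
].freeze

# Constructed Gemfile.lock used by the demo below.
EXAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      examplegem (1.0.3)
      otherlib (2.2.0)
        examplegem (>= 1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    otherlib
LOCK

class Scanner
  Finding = Struct.new(:gem, :version, :id, keyword_init: true)

  # Scanner options live in #initialize and are kept as instance state;
  # the lockfile path is a parameter of #scan, so one Scanner can scan many lockfiles.
  def initialize(ignore: [])
    @ignore = Set.new(ignore)
  end

  # Hypothetical config loader (assumed shape: a YAML file whose `ignore:` key lists
  # advisory ids), so a CVE fixed by hand does not have to be passed on every run.
  def self.from_config(path, ignore: [])
    config = File.exist?(path) ? (YAML.safe_load(File.read(path)) || {}) : {}
    new(ignore: Array(config['ignore']) + ignore)
  end

  def scan(lockfile_path)
    scan_text(File.read(lockfile_path))
  end

  def scan_text(text)
    parse_specs(text).flat_map do |name, version|
      ADVISORIES.select { |adv| adv[:gem] == name && vulnerable?(adv[:vulnerable], version) }
                .reject { |adv| @ignore.include?(adv[:id]) }
                .map { |adv| Finding.new(gem: name, version: version, id: adv[:id]) }
    end
  end

  private

  # Minimal parser for the `specs:` block of the GEM section: a resolved gem is
  # indented exactly four spaces as "name (version)"; deeper lines are its dependencies.
  def parse_specs(text)
    specs = []
    in_specs = false
    text.each_line do |raw|
      line = raw.chomp
      if line == '  specs:'
        in_specs = true
      elsif line.empty? || !line.start_with?(' ')
        in_specs = false
      elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
        specs << [m[1], m[2].split('-').first] # drop a platform suffix such as "-x86_64-linux"
      end
    end
    specs
  end

  def vulnerable?(requirement, version)
    Gem::Requirement.new(*requirement.split(',').map(&:strip)).satisfied_by?(Gem::Version.new(version))
  end
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    lock = File.join(dir, 'Gemfile.lock')
    cfg  = File.join(dir, '.bundler-audit.yml')
    File.write(lock, EXAMPLE_LOCKFILE)
    File.write(cfg, "ignore:\n  - EXAMPLE-ADV-0001\n")
    puts 'all findings:'
    Scanner.new.scan(lock).each { |f| puts "  #{f.gem} #{f.version}: #{f.id}" }
    puts 'with the config ignore list:'
    Scanner.from_config(cfg).scan(lock).each { |f| puts "  #{f.gem} #{f.version}: #{f.id}" }
  end
end
```

The ignore list is applied by advisory id after the version match, so an ignored id still has to be re-examined when the gem's version changes: the entry silences one finding, not the gem.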
-
This gem is using an unauthenticated encryption mode (CBC) which is vulnerable to chosen ciphertext attacks (i.e. it is not [IND-CCA](https://en.wikipedia.org/wiki/Ciphertext_indistinguishability) sec…
-
I tried a bundle_audit:update and got:
```
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch master -> FETCH_HEAD
Updating be85e28..614dea0
error…
```
-
See http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29
I can only assume that the ruby openssl wrapper uses null bytes for the IV in your use-case, which is _…
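The two CBC reports above make one point each: without authentication, CBC ciphertext can be altered without the key (the chosen-ciphertext malleability behind the IND-CCA remark), and with a null or fixed IV, two messages sharing a prefix encrypt to the same leading block. Both are shown below in an added Ruby example written for this page; it is not code from the gem being reported on or from bundler-audit, the key and messages are constructed, and AES-GCM is used as the authenticated replacement.

```ruby
require 'openssl'

BLOCK = 16
KEY = OpenSSL::Random.random_bytes(32) # constructed demo key

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# --- Unauthenticated CBC, as reported in the issue --------------------------
def cbc_encrypt(key, iv, plaintext)
  c = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  c.key = key
  c.iv  = iv
  c.update(plaintext) + c.final
end

def cbc_decrypt(key, iv, ciphertext)
  c = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  c.key = key
  c.iv  = iv
  c.update(ciphertext) + c.final
end

# CBC decrypts block n as P[n] = AES_dec(C[n]) XOR C[n-1], with C[-1] = IV, so XORing
# (known_pt XOR wanted_pt) into the block before C[n] flips exactly those plaintext bits.
# No key is involved. For n == 0 the "previous block" is the IV and nothing else is disturbed;
# for n >= 1 block n-1 is garbled, which is the only cost when the IV is fixed or null.
def cbc_flip_block(iv, ciphertext, n, known_pt, wanted_pt)
  raise ArgumentError, 'block-sized inputs only' unless [known_pt, wanted_pt].all? { |s| s.bytesize == BLOCK }
  blocks = [iv] + ciphertext.bytes.each_slice(BLOCK).map { |s| s.pack('C*') }
  blocks[n] = xor_bytes(blocks[n], xor_bytes(known_pt, wanted_pt))
  [blocks[0], blocks[1..-1].join]
end

# Attacker rewrites "user" to "root" in the first block knowing only that block's plaintext.
def demo_cbc_tamper(key)
  iv = OpenSSL::Random.random_bytes(BLOCK)
  ct = cbc_encrypt(key, iv, 'role=user;id=123;exp=2099-01-01')
  iv2, ct2 = cbc_flip_block(iv, ct, 0, 'role=user;id=123', 'role=root;id=123')
  cbc_decrypt(key, iv2, ct2) # decrypts cleanly, padding intact: "role=root;id=123;exp=2099-01-01"
end

# With a null IV, CBC is deterministic per block prefix: equal first blocks of plaintext
# give equal first blocks of ciphertext, so an observer learns which messages share a prefix.
def cbc_prefix_leak?(key, m1, m2)
  zero_iv = "\0" * BLOCK
  cbc_encrypt(key, zero_iv, m1)[0, BLOCK] == cbc_encrypt(key, zero_iv, m2)[0, BLOCK]
end

# --- Authenticated replacement: AES-256-GCM with a fresh 96-bit nonce per message -----
def gcm_encrypt(key, plaintext, aad = '')
  nonce = OpenSSL::Random.random_bytes(12)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  c.iv  = nonce
  c.auth_data = aad
  ct = c.update(plaintext) + c.final
  [nonce, ct, c.auth_tag]
end

def gcm_decrypt(key, nonce, ct, tag, aad = '')
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv  = nonce
  d.auth_tag = tag
  d.auth_data = aad
  d.update(ct) + d.final # raises OpenSSL::Cipher::CipherError if ct, tag or aad was changed
end

# The same bit-flip against GCM: CTR keystream makes the plaintext flip exact,
# but the tag no longer verifies and decryption fails instead of returning "root".
def gcm_tamper_detected?(key)
  nonce, ct, tag = gcm_encrypt(key, 'role=user;id=123;exp=2099-01-01')
  ct2 = xor_bytes(ct[0, BLOCK], xor_bytes('role=user;id=123', 'role=root;id=123')) + ct[BLOCK..-1]
  gcm_decrypt(key, nonce, ct2, tag)
  false
rescue OpenSSL::Cipher::CipherError
  true
end

if $PROGRAM_NAME == __FILE__
  puts "CBC after tamper:    #{demo_cbc_tamper(KEY)}"
  puts "null-IV prefix leak: #{cbc_prefix_leak?(KEY, 'role=user;id=123;a', 'role=user;id=123;b')}"
  puts "GCM tamper caught:   #{gcm_tamper_detected?(KEY)}"
end
```

The tamper demo never calls the key: it edits the IV that travels with the ciphertext, which is why "encrypt then sign" (or an AEAD mode such as GCM) is the fix rather than a bigger key or a different block cipher. The nonce in the GCM helper must never repeat under one key; drawing it from the CSPRNG per message is the simplest way to keep that property.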
-
@knutsenm @jbirdjavi @dbenton9 @twinge @Omicron7
This morning, working on OneApp, I got:
```
$ bundle exec bundle audit check --update --ignore CVE-2015-9284
Updating ruby-advisory-db ...
Fr…
```
-
I found documentation for [How to write a Bundler plugin](https://bundler.io/v2.3/guides/bundler_plugins.html) and started following it. Step 1 is to go create a gem, and [that guide](https://bundler.…