What
This PR intends to change the bundler-audit task criticality classification from "Unknown" to "medium".
Rationale
Bundler-Audit is a tool for:
It uses the ruby-advisory-db as its vulnerability database, which is all great and dandy except that it has a lot of CVEs with value "Unknown". There's an obvious good reason for this. Sometimes the latest and greatest, "bleeding edge" vulnerabilities are not yet classified.
This leads to a lot of exceptions from Glue, since its behaviour assumes that if a vulnerability doesn't have a defined Severity (a.k.a. Criticality), the test should not be accounted for and an exception should be raised.
Considering that bundler-audit is a very useful tool, this change is being made.
Why medium
Several options were on the table (e.g., adding a new severity class to Glue); however, without making many changes, this appeared to be the one with the least impact on the rest of the codebase.
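The behaviour described above, as an added Ruby illustration that is not Glue's or bundler-audit's own code: `severity_before` models the old handling (an unclassified criticality raises, so the finding is lost), and `severity_after` models this PR's mapping of "Unknown" to "medium". The severity set, the error class, the method names and the advisory records are assumptions; the advisory ids are placeholders, not real CVEs, and a missing criticality is treated like "Unknown" here, which goes slightly beyond the text.

```ruby
# Added example modelling the severity mapping this PR describes.
# Not Glue's own code; all names below are assumptions.

# Severities the consumer understands (assumed set for this illustration).
GLUE_SEVERITIES = %w[low medium high critical].freeze

class UnknownSeverityError < StandardError; end

# Before the change: an advisory without a classified criticality
# is not accepted and raises, so the finding never gets reported.
def severity_before(criticality)
  sev = criticality.to_s.downcase
  unless GLUE_SEVERITIES.include?(sev)
    raise UnknownSeverityError, "unclassified criticality: #{criticality.inspect}"
  end
  sev
end

# After the change: "Unknown" (and, as an assumption, a missing value)
# maps to "medium" so the finding is still reported rather than dropped.
def severity_after(criticality)
  sev = criticality.to_s.downcase
  return "medium" if sev.empty? || sev == "unknown"
  unless GLUE_SEVERITIES.include?(sev)
    raise UnknownSeverityError, "unclassified criticality: #{criticality.inspect}"
  end
  sev
end

# Constructed advisories in the rough shape of ruby-advisory-db entries.
# The ids are placeholders, not real advisory identifiers.
SAMPLE_ADVISORIES = [
  { gem: "example-gem", id: "PLACEHOLDER-1", criticality: "High" },
  { gem: "example-gem", id: "PLACEHOLDER-2", criticality: "Unknown" },
  { gem: "other-gem",   id: "PLACEHOLDER-3", criticality: nil },
].freeze

# Run every advisory through the given mapper (a method name) and
# return the findings that were reported plus the ids that raised.
def report_findings(advisories, mapper)
  reported = []
  failed = []
  advisories.each do |adv|
    reported << adv.merge(severity: send(mapper, adv[:criticality]))
  rescue UnknownSeverityError
    failed << adv[:id]
  end
  { reported: reported, failed: failed }
end
```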