Open shadowbq opened 8 years ago
We should make a list of obstacles and really look at the project. Snorby is very valuable as a Snort GUI and I believe we should not abandon this effort.
Taking a quick look at the gem list:
Another major challenge is the lack of strong test coverage and test harnesses (https://travis-ci.com/, code coverage, static reviews, gem security vulnerability reports, etc.).
As a side note (taken from the ardm-core README):
"Since ardm gems don't have the same legacy burden as their dm counterparts, it is possible to be more liberal with releases. Already, 1.3.0 versions are released for gems which had significant upgrade issues, such as ardm-rails, ardm-active-model, and ardm-core. At this point, using the newest ardm gems with versions matching ~> 1.2 (in order to include 1.3 releases) it should be possible to run rails 4.0 (and maybe 4.1 and 4.2) on rubies up to 2.1.5."
RAILS Security Team:
Supported versions: For major security issues, the current release series, the next most recent one, and the last additional major series will receive patches and new versions. This is currently 5.1.x, 5.0.x and 4.2.x.
For minor security issues, the current release series and the next most recent one will receive patches and new versions. This is currently 5.1.x, 5.0.x.
When a release series is no longer supported, it’s your own responsibility to deal with bugs and security issues. We may provide backports of the fixes and publish them to git, however there will be no new versions released. If you are not comfortable maintaining your own versions, you should upgrade to a supported version.
The classification of a security issue is determined by the Rails core team. http://rubyonrails.org/security/
CVE-2019-16109 in devise 1.5.4: Devise before 4.7.1 confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. However, there is no scenario within Devise itself in which such database records would exist.
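The bug class behind the alert above, shown as an added example that is not Devise's own code: a token lookup reduced to plain Ruby over an in-memory user table, with the vulnerable lookup next to the check that closes it. The table rows, the token value and the function names are constructed for this illustration.

```ruby
# Added example (not Devise's code): the lookup pattern behind the
# CVE-2019-16109 alert, reduced to plain Ruby over an in-memory
# user table, next to the check that closes it. All data is constructed.
require 'time'

# Constructed value standing in for a random confirmation token.
ALICE_TOKEN = 'f3c9a1d2e8b74c5a9d0e1f2a3b4c5d6e'.freeze

# Constructed table. Row 2 is the pathological state the advisory describes:
# a blank (empty-string) token column rather than a real token or NULL.
def fresh_users
  [
    { id: 1, email: 'alice@example.com', confirmation_token: ALICE_TOKEN, confirmed_at: nil },
    { id: 2, email: 'bob@example.com',   confirmation_token: '',          confirmed_at: nil },
    { id: 3, email: 'carol@example.com', confirmation_token: nil,
      confirmed_at: Time.parse('2019-01-01T00:00:00Z') },
  ]
end

def blank?(value)
  value.nil? || value.to_s.strip.empty?
end

# Marks the row confirmed and clears the one-shot token.
def mark_confirmed!(user)
  user[:confirmed_at] ||= Time.now
  user[:confirmation_token] = nil
  user
end

# Vulnerable shape: a plain equality lookup on the token, the in-memory
# equivalent of `find_by(confirmation_token: token)`, i.e.
# `WHERE confirmation_token = ''`. A request with a blank token matches row 2
# and confirms an account that never received a token.
def confirm_by_token_vulnerable(users, token)
  user = users.find { |u| u[:confirmation_token] == token }
  return nil unless user

  mark_confirmed!(user)
end

# Hardened shape: refuse blank tokens before the lookup, and only match rows
# that hold a non-blank token. In this in-memory model the second check also
# stops a nil parameter from matching a row whose token column is nil.
def confirm_by_token_hardened(users, token)
  return nil if blank?(token)

  user = users.find { |u| !blank?(u[:confirmation_token]) && u[:confirmation_token] == token }
  return nil unless user

  mark_confirmed!(user)
end

if $PROGRAM_NAME == __FILE__
  v = confirm_by_token_vulnerable(fresh_users, '')
  h = confirm_by_token_hardened(fresh_users, '')
  puts "blank token, vulnerable lookup: #{v ? "confirmed user #{v[:id]}" : 'no match'}"
  puts "blank token, hardened lookup:   #{h ? "confirmed user #{h[:id]}" : 'no match'}"
end
```

Running the file prints that the vulnerable lookup confirms user 2 on a blank token while the hardened lookup finds no match; the valid token still confirms user 1 through the hardened path.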
Please, everyone, do not attempt to run this unless you are willing to fork and migrate to a new supported release of Ruby, Rails, and DM (which is no longer maintained either).
External audit: https://snyk.io/test/github/Snorby/snorby
High severity vulnerabilities in dependencies, including Arbitrary Code Execution, Command Injection, Denial of Service (DoS), and Directory Traversal.
High: 14 found, Medium: 18 found, Low: 2 found.
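The kind of check the "gem security vulnerability reports" point earlier in the thread and the Snyk audit above call for, as an added example that is neither Snorby's nor Snyk's code: a minimal offline lockfile audit in the spirit of bundler-audit. It parses a Gemfile.lock, compares each locked version against an advisory list with Gem::Requirement, and flags a Rails version outside the supported release series quoted from the Rails security policy. The lockfile fragment is constructed, and the only advisory entry is the CVE named in the thread.

```ruby
# Added example (not Snorby's, Snyk's or bundler-audit's code): a minimal
# offline Gemfile.lock audit. Lockfile and advisory list are constructed.
require 'rubygems' # Gem::Version and Gem::Requirement

# Constructed Gemfile.lock fragment, not Snorby's actual lockfile.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      devise (1.5.4)
        bcrypt-ruby (~> 3.0)
        warden (~> 1.1)
      dm-core (1.2.1)
        addressable (~> 2.3)
      rails (3.2.22)
        actionpack (= 3.2.22)
      warden (1.2.3)
        rack (>= 1.0)

  PLATFORMS
    ruby
LOCK

# Advisories keyed by gem name. A gem is affected when its locked version
# satisfies none of the :patched requirements. The single entry mirrors the
# CVE-2019-16109 alert in this thread (Devise fixed in 4.7.1).
ADVISORIES = {
  'devise' => [
    { id: 'CVE-2019-16109',
      summary: 'blank confirmation_token can confirm an account with a blank token column',
      patched: ['>= 4.7.1'] },
  ],
}.freeze

# Rails series receiving patches for major security issues, as quoted from
# rubyonrails.org/security in this thread.
SUPPORTED_RAILS_SERIES = %w[5.1 5.0 4.2].freeze

# Returns { 'devise' => Gem::Version('1.5.4'), ... } for the top-level entries
# of every specs: block. Top-level gems are indented by exactly four spaces;
# their dependency lines (six spaces) are skipped.
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A\s+specs:\z/
      in_specs = true
      next
    end
    next unless in_specs

    if line.strip.empty?
      in_specs = false # blank line closes the specs: block
    elsif (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# True when the locked version is covered by none of the patched ranges.
def affected?(version, patched_requirements)
  patched_requirements.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Audits a lockfile text and returns advisory findings plus a Rails support check.
def audit(lock_text, advisories: ADVISORIES, supported_series: SUPPORTED_RAILS_SERIES)
  specs = parse_lockfile(lock_text)
  findings = specs.flat_map do |name, version|
    (advisories[name] || [])
      .select { |adv| affected?(version, adv[:patched]) }
      .map { |adv| { gem: name, version: version.to_s, id: adv[:id], summary: adv[:summary] } }
  end
  rails = specs['rails']
  rails_series = rails && rails.segments[0, 2].join('.')
  {
    findings: findings,
    rails_version: rails && rails.to_s,
    rails_supported: !rails.nil? && supported_series.include?(rails_series),
  }
end

if $PROGRAM_NAME == __FILE__
  report = audit(SAMPLE_LOCK)
  report[:findings].each { |f| puts "#{f[:gem]} #{f[:version]}: #{f[:id]} (#{f[:summary]})" }
  puts "rails #{report[:rails_version]} in a supported series: #{report[:rails_supported]}"
end
```

Against the constructed lockfile this reports devise 1.5.4 as affected by CVE-2019-16109 and rails 3.2.22 as outside the supported series. A real run would replace SAMPLE_LOCK with the project's Gemfile.lock and ADVISORIES with a full advisory database; the comparison logic stays the same.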
"For major security issues, the current release series, the next most recent one, and the last additional major series will receive patches and new versions. This is currently 4.2.x, 4.1.x, 3.2.x."
With the Rails 5 beta 4 release, end of support for all Rails 3.x.x is around the corner. http://weblog.rubyonrails.org/releases/
DataMapper (circa 1.2, 2012) dm-core is barely hanging around. We can't move to Rails 4/5 on dm-core.
See: Migrations to ROM or ARDM https://github.com/ar-dm/ardm-core https://github.com/engineyard/ardm
We should really look at a large migration to Rails 5, ActiveRecord/Arel, and newer Bootstrap interfaces at a minimum.