airbnb / synapse

A transparent service discovery framework for connecting an SOA
MIT License

Update `aws-sdk` for Security Vulnerabilities #289

Closed chase-childers closed 5 years ago

chase-childers commented 5 years ago

Update the dependencies of aws-sdk via `bundle update aws-sdk`.

This is to close known vulnerabilities with nokogiri and ffi: https://github.com/airbnb/synapse/network/alert/Gemfile.lock/nokogiri/open https://github.com/airbnb/synapse/network/alert/Gemfile.lock/ffi/open

chase-childers commented 5 years ago

nokogiri version 1.8.5 specified by the vulnerability has a requirement on ruby >=2.1.0, which doesn't meet all the ruby requirements for the current version of synapse.

A suggested course of action is to update to utilize aws-sdk-ec2 (https://rubygems.org/gems/aws-sdk-ec2). This minimizes the requirements for the SDK. Also noting that the only class utilizing the aws-sdk at the moment is the ec2tag.rb service watcher (https://github.com/airbnb/synapse/blob/master/lib/synapse/service_watcher/ec2tag.rb).
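Whichever route is taken (`bundle update aws-sdk` or switching the Gemfile to `aws-sdk-ec2`), the thing worth verifying afterwards is what actually got resolved into `Gemfile.lock`, since the alerts are raised against the lockfile, not the Gemfile. The script below is an added example, not code from this issue or from the synapse project: it reads the `specs:` section of a Gemfile.lock and reports any gem resolved below a minimum version. The lockfile text is a constructed sample, and the only threshold taken from this thread is nokogiri >= 1.8.5; the fixed ffi version is not stated here, so add it to the minimums hash from the advisory rather than guessing.

```ruby
require 'rubygems' # Gem::Version / Gem::Requirement ship with Ruby itself

# Constructed sample Gemfile.lock fragment for this example (not synapse's real lockfile).
# nokogiri is deliberately pinned one release below the 1.8.5 named in the issue.
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    aws-sdk (2.11.1)
      aws-sdk-resources (= 2.11.1)
    ffi (1.9.18)
    nokogiri (1.8.4)
      mini_portile2 (~> 2.3.0)
    mini_portile2 (2.3.0)

PLATFORMS
  ruby

DEPENDENCIES
  aws-sdk (~> 2.0)
LOCK

# Parse the "specs:" section of a Gemfile.lock into { gem_name => Gem::Version }.
# Resolved gems sit at exactly four spaces of indent; the six-space lines under
# them are dependency requirements, not resolved versions, and are skipped.
def resolved_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/ # a new top-level section (PLATFORMS, DEPENDENCIES, ...)
    next unless in_specs
    if line =~ /^ {4}(\S+) \(([^)]+)\)\s*$/
      versions[$1] = Gem::Version.new($2)
    end
  end
  versions
end

# Compare resolved versions against minimum safe versions.
# Returns [name, resolved_or_nil, minimum] for each gem that is absent or too old.
def outdated_gems(lock_text, minimums)
  versions = resolved_versions(lock_text)
  minimums.each_with_object([]) do |(name, min), bad|
    found = versions[name]
    ok = found && Gem::Requirement.new(">= #{min}").satisfied_by?(found)
    bad << [name, found && found.to_s, min] unless ok
  end
end

if __FILE__ == $0
  # nokogiri >= 1.8.5 is the version the issue cites; add 'ffi' => '<advisory fix version>' here.
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  outdated_gems(lock, 'nokogiri' => '1.8.5').each do |name, have, need|
    puts "#{name}: resolved #{have || 'none'}, need >= #{need}"
  end
  puts "ffi resolved to #{resolved_versions(lock)['ffi']}"
end
```

Run it as `ruby lockcheck.rb Gemfile.lock` after the bundle update; an empty report means the lockfile no longer resolves the flagged versions. Note that this only checks what Bundler resolved, not whether the chosen versions install under the Ruby versions synapse supports (the nokogiri 1.8.5 / Ruby >= 2.1.0 conflict raised above), so the CI matrix still has to be run against the new lockfile.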