search

pact-foundation / pact-ruby-standalone

A standalone pact command line executable using the ruby pact implementation and Travelling Ruby
https://pact.io
MIT License
39 stars 32 forks source link

Vulnerability in rack 2.2.8, openssl 3.1.0 #132

Closed milda-a closed 4 months ago

milda-a commented 4 months ago

Pre issue-raising checklist

I have already (please mark the applicable with an x):

Software versions

Expected behaviour

Vulnerabilities fixed by updating the used rack version. Current version: 2.2.8 Versions with fix: 2.2.8.1, 3.0.9.1 Vulnerabilities fixed by updating the used openssl version. Current version 3.1.0 Versions with fix: 3.1.5, 3.2.1

Actual behaviour

High vulnerabilities raised in /home/builder/deps/pact/lib/vendor/ruby/3.2.0/specifications/rack-2.2.8.gemspec Warn vulnerabilities raised in /home/builder/deps/pact/lib/ruby/lib/ruby/gems/3.2.0/specifications/default/openssl-3.1.0.gemspec

Steps to reproduce

Run software as normal. Vulnerabilities spotted through internal image scanning which includes the pact standalone binaries.

YOU54F commented 4 months ago

Hey, thanks for raising.

Unfortunately openssl 3.1.0 gem is a default gem installed with Ruby so we would need a 3.2.4 release of Ruby containing the updated default gem

https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/

Same news for 3.3.0 - as it contains openssl 3.2.0 default gem.

You may wish to raise a separate issue upstream with the ruby team, if one hasn't already been raised. Once a release is out, we can package it with traveling-ruby and consume it in this project.

I've updated the rack gem. We would need to check the upstream pact ruby project's rack deps, update and test if required, before we can unpin from v2.x in pact-ruby-standalone

You may want to raise a separate issue to track the openssl issue, as this one will be closed with the rack release.