pact-foundation / pact-ruby-standalone

A standalone pact command line executable using the ruby pact implementation and Travelling Ruby
https://pact.io
MIT License

rdoc throwing critical vulnerabilities #134

Closed milda-a closed 2 months ago

milda-a commented 2 months ago


Expected behaviour

No critical vulnerabilities raised when installing pact standalone. Blocks us from publishing new images internally with pact standalone installations.

Actual behaviour

A critical vulnerability raised for rdoc v6.5.0. Fixes in versions 6.3.4.1, 6.4.1.1, 6.5.1.1, 6.6.3.1. See fixes in the official Ruby docs: https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/

Steps to reproduce

Installing pact standalone and running it through a security check.

YOU54F commented 2 months ago

Thanks for raising, however I think this is a non-issue for this project from what I can see.

The packaging task in this repo deletes the rdoc gem contents; the only remainder is the gemspec. Looking at the affected code references on the GH advisory, they relate to a lib/rdoc/store.rb which isn't present in the linux arm64 or macos arm64 source I've looked at.

https://github.com/advisories/GHSA-592j-995h-p23j

https://github.com/pact-foundation/pact-ruby-standalone/blob/abeee3dc705df36bad560fc53b71600e8fde7baa/tasks/package.rake#L196

milda-a commented 2 months ago

As discussed on Slack, I'll close this down for now as we need to remove the gemspec part that's flagging the vuln, but in the future it might be handy to clean up the gemspec along with removing any unneeded libs on Traveling Ruby 👍
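The situation YOU54F describes (the gem's code deleted at packaging time, its gemspec left behind, and a scanner still matching the gemspec) and the cleanup milda-a suggests, as an added example. This is not code from the issue thread or from pact-ruby-standalone's tasks/package.rake; it assumes the standard RubyGems on-disk layout that a Traveling Ruby bundle uses (`<root>/specifications/<name>-<version>.gemspec` beside `<root>/gems/<name>-<version>/`), and the fixture it builds is constructed for the demonstration.

```ruby
require "fileutils"
require "tmpdir"

# Added example, not pact-ruby-standalone's own packaging code.
# Assumed layout (standard RubyGems, as bundled by Traveling Ruby):
#   <root>/specifications/<name>-<version>.gemspec
#   <root>/gems/<name>-<version>/...
# A gemspec whose gem directory is missing or contains no files is an "orphan":
# nothing from that gem can be loaded, but scanners that inventory
# specifications/ will still report the name and version in the gemspec.

GEMSPEC_GLOB = "specifications/*.gemspec"

# Split "pact-support-1.20.0" into ["pact-support", "1.20.0"]. The version is
# everything from the first "-<digit>" onward, so platform-suffixed names such
# as "foo-1.0.0-x86_64-linux" keep the suffix in the version part.
def split_full_name(full_name)
  m = full_name.match(/\A(.+?)-(\d.*)\z/)
  m ? [m[1], m[2]] : [full_name, nil]
end

# True when the gem directory is absent or has no regular files under it.
def gem_dir_empty?(gem_dir)
  return true unless File.directory?(gem_dir)
  Dir.glob(File.join(gem_dir, "**", "*"), File::FNM_DOTMATCH).none? { |p| File.file?(p) }
end

# Every gemspec under root whose gem directory holds no code.
# Returns [{full_name:, name:, version:, gemspec:}], sorted by gemspec path.
def orphaned_gemspecs(root)
  Dir.glob(File.join(root, GEMSPEC_GLOB)).sort.filter_map do |spec|
    full_name = File.basename(spec, ".gemspec")
    next unless gem_dir_empty?(File.join(root, "gems", full_name))
    name, version = split_full_name(full_name)
    { full_name: full_name, name: name, version: version, gemspec: spec }
  end
end

# Remove orphaned gemspecs together with their (empty) gem directories, so the
# bundle no longer advertises gems it does not actually ship. Returns the list
# of what was removed.
def prune_orphaned_gemspecs!(root)
  orphans = orphaned_gemspecs(root)
  orphans.each do |o|
    FileUtils.rm_f(o[:gemspec])
    FileUtils.rm_rf(File.join(root, "gems", o[:full_name]))
  end
  orphans
end

# Constructed fixture mirroring the state described in the issue:
# rdoc's files were deleted but its gemspec stayed; one gem has no directory at
# all; one real gem keeps its lib/ and must not be touched.
def build_fixture(root)
  FileUtils.mkdir_p(File.join(root, "specifications"))
  %w[rdoc-6.5.0 json-2.7.1 pact-1.64.0].each do |full_name|
    File.write(File.join(root, "specifications", "#{full_name}.gemspec"),
               "# constructed stub gemspec for #{full_name}\n")
  end
  FileUtils.mkdir_p(File.join(root, "gems", "rdoc-6.5.0"))            # contents removed
  FileUtils.mkdir_p(File.join(root, "gems", "pact-1.64.0", "lib"))    # real gem
  File.write(File.join(root, "gems", "pact-1.64.0", "lib", "pact.rb"), "module Pact; end\n")
  root
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |root|
    build_fixture(root)
    orphaned_gemspecs(root).each { |o| puts "orphan: #{o[:name]} #{o[:version]} (#{o[:gemspec]})" }
    removed = prune_orphaned_gemspecs!(root)
    puts "removed #{removed.size} gemspec(s); remaining orphans: #{orphaned_gemspecs(root).size}"
  end
end
```

Run it against a real bundle by calling `orphaned_gemspecs("/path/to/traveling-ruby/lib/ruby")` first to see what would go, then `prune_orphaned_gemspecs!` in the packaging step after the unneeded gem contents have been deleted; `gem_dir_empty?` deliberately treats an existing-but-empty directory the same as a missing one, because that is exactly what a "delete the contents, keep the gemspec" step leaves behind.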