pact-foundation / pact-ruby-standalone

A standalone pact command line executable using the ruby pact implementation and Travelling Ruby
https://pact.io
MIT License

Properly uninstall the rdoc gem instead of rm lib #142

Closed milda-a closed 3 months ago

milda-a commented 3 months ago

Pre issue-raising checklist

I have already (please mark the applicable with an x):

Software versions

Expected behaviour

Rdoc gem properly removed from the binaries, without any leftover files.

Actual behaviour

Rdoc gem has some hanging files which flag up security.

Steps to reproduce

Rdoc is being removed in pact here:

https://github.com/pact-foundation/pact-ruby-standalone/blob/abeee3dc705df36bad560fc53b71600e8fde7baa/tasks/package.rake#L196

And we remove the .gemspec file; however, security is still flagging it up, so, if possible, please remove the gem properly with gem uninstall.

Relevant log files

Please ensure you set logging to DEBUG and attach any relevant log files here (or link from a gist).
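The complaint above is that deleting a gem's lib directory leaves other artefacts (the .gemspec, the gem's own directory under gems/, its executables) that a vulnerability scanner still keys on. Because rdoc is a default gem shipped with Ruby itself, RubyGems refuses to `gem uninstall` it, so a packaging step has to remove the files itself and then prove nothing is left. The following script is an added example, not code from pact-ruby-standalone: it builds a constructed directory tree that imitates a bundled Ruby after only the lib/ruby/<ver>/rdoc directory was removed, lists every remaining rdoc artefact a scanner could match, and removes them. The tree layout (lib/ruby/<ver>, lib/ruby/gems/<ver>/specifications, bin/) and the gem version in the fixture are assumptions for the demo, not values from the project.

```shell
#!/bin/sh
# Constructed fixture (not a real pact-ruby-standalone tree): a Ruby bundle
# where the packaging step removed lib/ruby/3.2.0/rdoc but nothing else.
make_fixture() {
  root=$(mktemp -d)
  rb="$root/lib/ruby"
  mkdir -p "$rb/3.2.0/rdoc" "$rb/gems/3.2.0/specifications/default" \
           "$rb/gems/3.2.0/gems/rdoc-6.5.0/lib" "$root/bin"
  touch "$rb/3.2.0/rdoc.rb"                                           # stray loader
  touch "$rb/gems/3.2.0/specifications/default/rdoc-6.5.0.gemspec"    # what scanners read
  touch "$rb/gems/3.2.0/gems/rdoc-6.5.0/lib/rdoc.rb"                  # gem's own directory
  touch "$root/bin/rdoc" "$root/bin/ri"                               # executables the gem ships
  # An unrelated gem that must NOT be reported.
  mkdir -p "$rb/gems/3.2.0/gems/rake-13.0.6/lib"
  touch "$rb/gems/3.2.0/specifications/rake-13.0.6.gemspec"
  printf '%s\n' "$root"
}

# Usage: find_gem_leftovers <bundle_root> <gem_name> [extra_executable ...]
# Prints every path that still identifies the gem: regular and default
# gemspecs, the gems/<name>-<version> directory, a lib/ruby/<ver>/<name>
# source tree or <name>.rb loader, and the listed executables in bin/.
# Matched directories are pruned so each artefact is reported once.
find_gem_leftovers() {
  root=$1; gem=$2; shift 2
  {
    find "$root" \( -path "*/specifications/$gem-*.gemspec" \
                 -o -path "*/specifications/default/$gem-*.gemspec" \
                 -o -path "*/gems/$gem-[0-9]*" -prune \
                 -o -path "*/lib/ruby/*/$gem" -prune \
                 -o -path "*/lib/ruby/*/$gem.rb" \) -print
    for exe in "$gem" "$@"; do
      [ -e "$root/bin/$exe" ] && printf '%s\n' "$root/bin/$exe"
    done
  } | sort
}

# Remove everything find_gem_leftovers reports; the packaging step can then
# re-run find_gem_leftovers and fail the build if anything is still listed.
remove_gem_leftovers() {
  find_gem_leftovers "$@" | while IFS= read -r path; do
    rm -rf "$path"
  done
}

# Demo on the constructed fixture: report, remove, report again, clean up.
demo() {
  root=$(make_fixture)
  echo "leftovers before:"
  find_gem_leftovers "$root" rdoc ri
  remove_gem_leftovers "$root" rdoc ri
  echo "leftovers after: $(find_gem_leftovers "$root" rdoc ri | grep -c . || true)"
  rm -rf "$root"
}
demo
```

Run against a real bundle as `find_gem_leftovers /path/to/pact rdoc ri` after the packaging step; a non-empty listing is exactly the set of files a scanner can still attribute to the gem. The path patterns are the assumed layout above, so adjust them if the bundle nests Ruby differently.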

YOU54F commented 3 months ago

which files are security flagging up?

the default gemspec is being deleted here

https://github.com/pact-foundation/pact-ruby-standalone/pull/140

as per the previous issue

https://github.com/pact-foundation/pact-ruby-standalone/issues/134#issuecomment-2060734687

but this is yet to be released (should be releasing shortly)

YOU54F commented 3 months ago

we package on a single machine so cannot execute the end user packages without using separate runners

mefellows commented 3 months ago

It's worth noting that rdoc is included in the Ruby distribution itself, which is why I think it's been removed this way.

I know your security tool is flagging it as an issue because there is a vulnerability in it, but I'd argue the vulnerability itself is not a practical problem for any users of this tool. That is, the circumstances that would make it an actual threat are not relevant here.