Closed zwolf closed 2 years ago
Guardrails is failing on a different CVE than the one specified in https://github.com/zooniverse/talk-api/issues/242.
Both of these things can be true:
This PR patches the vulnerability it is intended to patch:
| Packages | Affected versions | Patched versions |
| --- | --- | --- |
| actionview (RubyGems) | <= 4.2.11.1 | 4.2.11.3 |
Guardrail is failing us for a vulnerability we cannot patch without a Rails 5 upgrade
Actionpack:
- Versions Affected: rails <= 6.0.3
- Not affected: rails < 4.0.0
- Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Actionview:
- Versions Affected: All.
- Not affected: None.
- Fixed Versions: 6.0.2.2, 5.2.4.2
Panoptes doesn't seem to be complaining about these May disclosures so either we somehow let Guardrails pass them or the fix is new and next time the scan runs, it'll pick these up there, too. Since we're not upgrading Talk to Rails 5 anytime soon, the answer to that question will determine how I move forward here.
Dependabot seems real quiet on this repo. This was purely a bundle update, no alteration to Gemfile. This does bump to 4.2.11.3 (pinned to 4.2):
:warning: We detected security issues in this pull request:
Vulnerable Libraries (2)
- [actionpack@4.2.11.3](https://github.com/zooniverse/talk-api/blob/a14e273c7ef035c2f73b9409b6d892c84f6ddef3/Gemfile.lock#L16) upgrade to `~> 5.2.4.3, >= 6.0.3.1`
- [actionview@4.2.11.3](https://github.com/zooniverse/talk-api/blob/a14e273c7ef035c2f73b9409b6d892c84f6ddef3/Gemfile.lock#L17) upgrade to `~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2`

More info on how to fix Vulnerable Libraries in [Ruby](https://docs.guardrails.io/docs/en/vulnerabilities/ruby/using_vulnerable_libraries.html?utm_source=ghpr).