
Update rubocop dependencies #217

Closed
wants to merge 2 commits into from

Conversation

mladenilic

Upgrades RuboCop dependencies, which solves the following issues with rexml:
https://nvd.nist.gov/vuln/detail/CVE-2024-41123
https://nvd.nist.gov/vuln/detail/CVE-2024-41946

@byroot
Member

byroot commented Nov 8, 2024

Sorry, just saw this now, I updated rexml on master directly.

But I wonder what kind of tool you might be using for it to care about the dev dependencies of redis-client. That's totally ridiculous.

@byroot byroot closed this Nov 8, 2024
@mladenilic mladenilic deleted the rubocop-update branch November 12, 2024 11:15
@mladenilic
Author

It is reported by the Amazon Inspector. I agree with your point about dev dependencies.

In my case, this brings up additional issues with compliance audits, which is why I opened the PR. In any case, thanks for taking the time!

@byroot
Member

byroot commented Nov 12, 2024

It is reported by the Amazon Inspector.

Interesting.

@jterapin @mullermp, apologies for the ping, but since we interacted recently: would you happen to know if there's a way to send feedback to the Amazon Inspector team to ask them to not scan dev dependencies?

@mullermp

Yes. @mladenilic Can you file a support ticket through the AWS console? That would be the best way.

@mladenilic
Author

The Amazon Inspector team acknowledges that the current scanning approach might lead to false positives, where vulnerabilities are reported for components that do not pose an actual risk because they are not used at runtime. However, they also believe it's still valuable to be aware of these potential vulnerabilities.

The response also mentions a new matching engine which may improve the accuracy, but it's unclear if this will specifically address the issue of unused dependencies.

Anyway, my specific problem will be solved once a new gem version gets released, since f9641cf removes Gemfile.lock from the gem package. In the meantime we have documented the vulnerability as a low risk to the environment and will wait for the new version of redis-client.

Thank you both!
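The distinction this thread turns on, a flagged gem that is reachable only through the development tooling recorded in a shipped Gemfile.lock, as an added example that is not code from redis-client or from this PR. The lockfile text, the gem names and the versions below are constructed placeholders; the script parses the `specs:` section and reports whether the flagged gem is pulled in by runtime or only by development roots.

```ruby
# Added example, not code from redis-client or this PR: decide whether a gem a
# scanner flags (here rexml) is reachable from a gem's runtime dependencies or
# only from development tooling such as rubocop. Lockfile content is constructed.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      connection_pool (2.4.1)
      rexml (3.3.1)
        strscan
      rubocop (1.50.0)
        rexml (>= 3.2.5, < 4.0)
      strscan (3.1.0)
LOCK

# Parse the "specs:" section of a Gemfile.lock into { name => [dep names] }.
# Spec lines are indented four spaces, their dependencies six.
def parse_lockfile(text)
  graph = {}
  current = nil
  in_specs = false
  text.each_line do |line|
    in_specs = true if line.strip == "specs:"
    next unless in_specs
    if line =~ /\A {4}(\S+) \(/
      current = $1
      graph[current] = []
    elsif line =~ /\A {6}(\S+)/ && current
      graph[current] << $1
    end
  end
  graph
end

# Names reachable from the given roots, following lockfile dependencies.
def reachable(graph, roots)
  seen = []
  queue = roots.dup
  until queue.empty?
    name = queue.shift
    next if seen.include?(name)
    seen << name
    queue.concat(graph.fetch(name, []))
  end
  seen
end

# True when `flagged` is pulled in only by development roots: a candidate
# scanner false positive for the shipped gem, to be recorded rather than patched.
def dev_only?(graph, flagged, runtime_roots, dev_roots)
  !reachable(graph, runtime_roots).include?(flagged) &&
    reachable(graph, dev_roots).include?(flagged)
end
```

Runtime roots come from the gemspec's `add_dependency` entries and development roots from the Gemfile; a finding that is dev-only can be documented as low risk, as the thread does, while a runtime hit still needs an upgrade.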
