Skip to content
This repository has been archived by the owner on Dec 17, 2020. It is now read-only.

Add a gem w/ a known security vulnerability #1

Merged
merged 2 commits into from
Oct 24, 2019
Merged

Add a gem w/ a known security vulnerability #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
429cbd9
Add a gem w/ a known security vulnerability
pdobb Jul 13, 2019
5991e5c
Testing new gem version ...
pdobb Oct 24, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions Gemfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,12 +9,17 @@ gem 'sqlite3'
gem 'bootsnap', '>= 1.1.0', require: false

gem 'pronto'
gem 'pronto-bundler_audit', '0.5.0'
# gem 'pronto-bundler_audit', github: 'pdobb/pronto-bundler_audit', branch: 'master'
# gem 'pronto-bundler_audit', '0.5.0'
gem 'pronto-bundler_audit', github: 'pdobb/pronto-bundler_audit', branch: 'master'

group :development do
gem "byebug"
gem "pry-byebug"
gem 'pry-rails'
gem 'listen', '>= 3.0.5', '< 3.2'
end

################################################################################

# Gems with security advisories, for testing pronto-bundler_audit.
gem 'yard', '0.9.19'
32 changes: 20 additions & 12 deletions Gemfile.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,12 @@
GIT
remote: https://github.com/pdobb/pronto-bundler_audit.git
revision: 0f3c459412e92d144bfaece4edcdf0715d9ff752
branch: master
specs:
pronto-bundler_audit (0.5.0)
bundler-audit (~> 0)
pronto (~> 0)

GEM
remote: https://rubygems.org/
specs:
Expand Down Expand Up @@ -42,8 +51,8 @@ GEM
i18n (>= 0.7, < 2)
minitest (~> 5.1)
tzinfo (~> 1.1)
addressable (2.6.0)
public_suffix (>= 2.0.2, < 4.0)
addressable (2.7.0)
public_suffix (>= 2.0.2, < 5.0)
arel (9.0.0)
bootsnap (1.4.4)
msgpack (~> 1.0)
Expand All @@ -56,15 +65,15 @@ GEM
concurrent-ruby (1.1.5)
crass (1.0.4)
erubi (1.8.0)
faraday (0.15.4)
faraday (0.17.0)
multipart-post (>= 1.2, < 3)
ffi (1.11.1)
gitlab (4.12.0)
httparty (~> 0.14, >= 0.14.0)
terminal-table (~> 1.5, >= 1.5.1)
globalid (0.4.2)
activesupport (>= 4.2.0)
httparty (0.17.0)
httparty (0.17.1)
mime-types (~> 3.0)
multi_xml (>= 0.5.2)
i18n (1.6.0)
Expand All @@ -81,9 +90,9 @@ GEM
marcel (0.3.3)
mimemagic (~> 0.3.2)
method_source (0.9.2)
mime-types (3.2.2)
mime-types (3.3)
mime-types-data (~> 3.2015)
mime-types-data (3.2019.0331)
mime-types-data (3.2019.1009)
mimemagic (0.3.3)
mini_mime (1.0.2)
mini_portile2 (2.4.0)
Expand All @@ -103,9 +112,6 @@ GEM
rainbow (>= 2.2, < 4.0)
rugged (~> 0.24, >= 0.23.0)
thor (~> 0.20.0)
pronto-bundler_audit (0.5.0)
bundler-audit (~> 0)
pronto (~> 0)
pry (0.12.2)
coderay (~> 1.1.0)
method_source (~> 0.9.0)
Expand All @@ -114,7 +120,7 @@ GEM
pry (~> 0.10)
pry-rails (0.3.9)
pry (>= 0.10.4)
public_suffix (3.1.1)
public_suffix (4.0.1)
rack (2.0.7)
rack-test (1.1.0)
rack (>= 1.0, < 3)
Expand Down Expand Up @@ -148,7 +154,7 @@ GEM
rb-inotify (0.10.0)
ffi (~> 1.0)
ruby_dep (1.5.0)
rugged (0.28.2)
rugged (0.28.3.1)
sawyer (0.8.2)
addressable (>= 2.3.5)
faraday (> 0.8, < 2.0)
Expand All @@ -170,6 +176,7 @@ GEM
websocket-driver (0.7.1)
websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.4)
Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Name: loofah
Version: 2.2.3
Advisory: CVE-2019-15587
Criticality: Unknown
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: Upgrade to >= 2.3.1.

yard (0.9.19)
Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Name: yard
Version: 0.9.19
Advisory:
Criticality: Unknown
URL: GHSA-xfhh-rx56-rxcr
Title: Possible arbitrary path traversal and file access via yard server
Solution: Upgrade to >= 0.9.20.

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Name: yard
Version: 0.9.19
Advisory: CVE-2019-1020001
Criticality: Unknown
URL: GHSA-xfhh-rx56-rxcr
Title: Arbitrary path traversal and file access via yard server
Solution: Upgrade to >= 0.9.20.


Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Name: nokogiri
Version: 1.10.3
Advisory: CVE-2019-5477
Criticality: High
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: Upgrade to >= 1.10.4.

PLATFORMS
ruby
Expand All @@ -179,11 +186,12 @@ DEPENDENCIES
byebug
listen (>= 3.0.5, < 3.2)
pronto
pronto-bundler_audit (= 0.5.0)
pronto-bundler_audit!
pry-byebug
pry-rails
rails (~> 5.2.3)
sqlite3
yard (= 0.9.19)

BUNDLED WITH
2.0.2