Incorrectly flagged vulnerabilities with 4-digit version numbers #328
Labels
Comments
|
I cannot seem to reproduce this bug using the latest version of Vulnerable Gemfilesource 'https://rubygems.org/'
gem 'bundler-audit'
gem 'activerecord', '6.0.3.4'$ bundle exec bundle-audit
Name: activerecord
Version: 6.0.3.4
CVE: CVE-2021-22880
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter
Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3.5, >= 6.1.2.1
Vulnerabilities found!Secure Gemfilesource 'https://rubygems.org/'
gem 'bundler-audit'
gem 'activerecord', '6.0.3.5'$ bundle exec bundle-audit
No vulnerabilities foundCould you post the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Codeclimate runs bundler-audit to check for vulnerabilities
and I noticed that it incorrectly flags vulnerabilities.
e.g. when upgrading Rails from 6.0.4 to 6.0.4.6
these two vulnerabilities get flagged, although they already have the fix from 6.0.3.5 applied:
https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
Flagging this issue with Codeclimate as well, but wanted to give you guys a heads-up in case it is an issue in bundler-audit.
Perhaps the comparison of version numbers is not correctly done, and has trouble with 4-digit version numbers?
Steps To Reproduce
Steps to reproduce the bug:
$ bundle-audit ...Expected Behavior
should not flag these CVEs as an error
Actual Behavior
see image above
Environment
The text was updated successfully, but these errors were encountered: