Dependency Scanner recommends "upgrade"
Summary
I scanned a Ruby project that has gem rugged version 1.7.2. Dependency Scanner reported that this gem is vulnerable to CVE-2014-9390 and recommended upgrading to 0.21.3.
Steps to reproduce
- Create project
- Commit a Gemfile.lock:

  source 'https://rubygems.org'
  GEM
    remote: https://rubygems.org/
    specs:
      rugged (1.7.2)
- Configure Dependency Scanning
- Check the project Vulnerability Report or the Vulnerabilities in Pipeline to see the vulnerability
Example Project
https://gitlab.com/duncan_harris_ultimate_group/dependency-scanner-gem-573106
What is the current bug behavior?
The vulnerability report is recommending a downgrade to an earlier version of rugged.
What is the expected correct behavior?
The scanner should recognize that version 1.7.2 of this gem is not impacted by CVE-2014-9390.
Relevant logs and/or screenshots
Relevant log from secure job debug
[INFO] [Gemnasium] [2024-10-08T23:38:13Z] [/go/src/app/advisory/repo.go:157] ▶ Using commit 05c229af0626884c89ca4949c148d1957a70b64e of vulnerability database
[DEBU] [Gemnasium] [2024-10-08T23:38:13Z] [/go/src/app/vrange/cli/cli.go:93] ▶ /vrange/gem/vrange.rb /tmp/vrange_queries2982997875
[
  {
    "range": "<0.21.3||>0.22a",
    "version": "1.7.2",
    "satisfies": true
  },
  {
    "range": "<0.27.3",
    "version": "1.7.2",
    "satisfies": false
  },
  {
    "range": "<0.27.3",
    "version": "1.7.2",
    "satisfies": false
  },
  {
    "range": "<0.26.6||>=0.27.0 <0.27.4",
    "version": "1.7.2",
    "satisfies": false
  },
  {
    "range": "<0.28.4",
    "version": "1.7.2",
    "satisfies": false
  },
  {
    "range": "<0.28.4",
    "version": "1.7.2",
    "satisfies": false
  },
  {
    "range": "<1.4.5||=1.5.0",
    "version": "1.7.2",
    "satisfies": false
  }
]
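The only query that matches is the one whose second alternative, ">0.22a", has no upper bound. The following is an added example, not the scanner's or the advisory database's own code; it assumes vrange.rb evaluates these ranges with RubyGems' Gem::Requirement ("||" separating alternatives, whitespace separating constraints that must all hold), re-runs the queries from the log, and flags ranges with an unbounded alternative so a reviewer can spot them before they produce findings against every later release.

```ruby
# Added example, not the scanner's own code. Assumption: vrange.rb evaluates
# ranges with RubyGems' Gem::Requirement, where "||" separates alternatives
# and whitespace separates constraints that must all hold.
require 'rubygems'

UPPER_BOUND_OPS = %w[< <= = ~>].freeze

# Does `version` fall inside `range`? Any one alternative matching is enough.
def satisfies?(range, version)
  v = Gem::Version.new(version)
  range.split('||').any? do |alt|
    constraints = alt.strip.split(/\s+/)
    Gem::Requirement.new(*constraints).satisfied_by?(v)
  end
end

# Return the alternatives of `range` that carry no upper bound. An affected
# range whose alternative is only ">x" matches every release after x, which
# is what turns a 2014 advisory into a finding against rugged 1.7.2.
def unbounded_alternatives(range)
  range.split('||').map(&:strip).reject do |alt|
    alt.split(/\s+/).any? do |c|
      op = c[/\A(<=|>=|~>|!=|[<>=])/] || '='   # bare "1.0" means "=1.0"
      UPPER_BOUND_OPS.include?(op)
    end
  end
end

# The distinct vrange queries from the job log above (values from the report).
QUERIES = [
  ['<0.21.3||>0.22a', '1.7.2'],
  ['<0.27.3', '1.7.2'],
  ['<0.26.6||>=0.27.0 <0.27.4', '1.7.2'],
  ['<0.28.4', '1.7.2'],
  ['<1.4.5||=1.5.0', '1.7.2'],
].freeze

# Evaluate every query and attach the alternatives that deserve a second look.
def audit(queries = QUERIES)
  queries.map do |range, version|
    { range: range, version: version,
      satisfies: satisfies?(range, version),
      unbounded: unbounded_alternatives(range) }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit.each { |r| puts r.inspect }
  # "0.22a" is a prerelease tag that sorts below 0.22.0, so ">0.22a" admits
  # every newer version, including 1.7.2.
  puts Gem::Version.new('0.22a').prerelease?
end
```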
Output of checks
Possible fixes
Edited by Duncan