
Bump common to v2.1.4

Lucas Charles requested to merge bump-common-to-v2.1.4 into master

What does this MR do?

Bump the common dependency from v2.0.0 to v2.1.4 and update the expectations accordingly.

Format update:

  • Adds remediations
  • Reorders by severity
❯ _jq_cve_diff test/expect/gl-dependency-scanning-report.json test/fixtures/gl-dependency-scanning-report.json
--- /dev/fd/63	2019-03-20 12:09:27.000000000 -0700
+++ /dev/fd/62	2019-03-20 12:09:27.000000000 -0700
@@ -1,13 +1,13 @@
 [
-  "sast-sample-rails/Gemfile.lock:actionview:cve:CVE-2019-5419",
+  "sast-sample-rails/Gemfile.lock:ffi:cve:CVE-2018-1000201",
   "sast-sample-rails/Gemfile.lock:actionview:cve:CVE-2019-5418",
+  "sast-sample-rails/Gemfile.lock:actionview:cve:CVE-2019-5419",
   "sast-sample-rails/Gemfile.lock:activejob:cve:CVE-2018-16476",
-  "sast-sample-rails/Gemfile.lock:ffi:cve:CVE-2018-1000201",
   "sast-sample-rails/Gemfile.lock:loofah:cve:CVE-2018-16468",
   "sast-sample-rails/Gemfile.lock:loofah:cve:CVE-2018-8048",
   "sast-sample-rails/Gemfile.lock:nokogiri:cve:CVE-2017-15412",
-  "sast-sample-rails/Gemfile.lock:nokogiri:cve:CVE-2018-8048",
   "sast-sample-rails/Gemfile.lock:nokogiri:cve:CVE-2018-14404",
+  "sast-sample-rails/Gemfile.lock:nokogiri:cve:CVE-2018-8048",
   "sast-sample-rails/Gemfile.lock:rack:cve:CVE-2018-16471",
   "sast-sample-rails/Gemfile.lock:rails-html-sanitizer:cve:CVE-2018-3741",
   "sast-sample-rails/Gemfile.lock:sprockets:cve:CVE-2018-3760",
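Review bot: the tie-break inside a severity bucket is a plain string comparison on the key, which is why `nokogiri:cve:CVE-2018-14404` now lands before `nokogiri:cve:CVE-2018-8048` and `actionview:cve:CVE-2019-5418` before `CVE-2019-5419`; if a numeric CVE ordering was intended this expectation encodes the wrong secondary sort, so please confirm the sort key the fixture generator uses and say so in the description ("Reorder due to severity" alone does not explain the moves among the Unknown entries). Separately, `_jq_cve_diff` is a local shell function that is not shown, unlike the fully written-out `diff -u <(jq -S ...)` invocation for severities; paste its definition so this key diff can be reproduced by the next reviewer.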

❯ diff -u <(jq -S '.vulnerabilities | map(.severity)' test/expect/gl-dependency-scanning-report.json) <(jq -S '.vulnerabilities | map(.severity)' test/fixtures/gl-dependency-scanning-report.json)
--- /dev/fd/63	2019-03-20 12:10:32.000000000 -0700
+++ /dev/fd/62	2019-03-20 12:10:32.000000000 -0700
@@ -1,8 +1,8 @@
 [
+  "High",
   "Unknown",
   "Unknown",
   "Unknown",
-  "High",
   "Unknown",
   "Unknown",
   "Unknown",
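Review bot: this confirms the reorder (the lone High entry moves to the head of the list and every other visible severity is Unknown), but nothing in either diff exercises the "adds remediations" half of the format update; add a check such as `jq '.remediations | length'` on the new fixture, or a `diff -u` of `jq -S '.remediations'` between expect and fixture, so the updated expectation actually covers the new field rather than only the ordering. Note also that this hunk shows 8 of the 13 entries (`@@ -1,8 +1,8 @@`); the omitted tail is unchanged context, which is fine, but worth stating so nobody reads it as five entries going missing.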

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?
