ZupIT/horusec

bundler-audit: v2.7.0-rc.2 returns a vulnerability containing an internal error from Bundler

Closed this issue · 2 comments

What happened:
Running v2.7.0-rc.2 on examples/ruby/example1, Horusec returns a single Bundler vulnerability that contains an internal error from Bundler reported as a vulnerability.

Language: Ruby
Severity: UNKNOWN
Line:
Column:
SecurityTool: BundlerAudit
Confidence: LOW
File: /path/to/examples/ruby/example1/Gemfile.lock
Code: Cloning into '/root/.local/share/ruby-advisory-db'...
Details:  (Cloning into '/root/.local/share/ruby-advisory-db'... - )  ( - )
Type: Vulnerability
ReferenceHash: 214f4d69b8d1097144ce3464c811116801ea47bfeae55cff3dd7c89637f25934

==================================================================================

In this analysis, a total of 4 possible vulnerabilities were found and we classified them into:
Total of Vulnerability HIGH is: 1
Total of Vulnerability MEDIUM is: 2
Total of Vulnerability UNKNOWN is: 1

Running v2.6.9 on the same directory, the results are reported correctly, and all vulnerabilities reported by Bundler are shown correctly.

Language: Ruby
Severity: LOW
Line: 145
Column:
SecurityTool: BundlerAudit
Confidence: LOW
File: /path/to/examples/ruby/example1/Gemfile.lock
Code: rubyzip
Details: Denial of Service in rubyzip ("zip bombs") (rubyzip - 1.2.3) upgrade to >= 1.3.0 (CVE-2019-16892 - https://github.com/rubyzip/rubyzip/pull/403)
Type: Vulnerability
ReferenceHash: ebe6127b6b73f88bda2adc59a33e33ed8a6744623adef3b1d02c4682bd7d8fc9

==================================================================================

In this analysis, a total of 21 possible vulnerabilities were found and we classified them into:
Total of Vulnerability HIGH is: 5
Total of Vulnerability MEDIUM is: 6
Total of Vulnerability LOW is: 10

What you expected to happen:

Both versions return the same results.

How to reproduce it (as minimally and precisely as possible):

Execute both v2.7.0-rc.2 and v2.6.9 on the examples/ruby/example1 directory and compare the output.

Anything else we need to know?:
On v2.6.9 Horusec uses horuszup/horusec-ruby:v1.0.2 as the Docker image to execute Bundler, and on v2.7.0-rc.2 horuszup/horusec-ruby:v1.1.1 is used. The difference is that on v1.0.1 the base image is ruby:3.0.2-alpine and on v1.1.1 the image is ruby:2.7.5-alpine.

Running both containers with examples/ruby/example1 as the path to scan is another way to reproduce the issue:

docker run --rm -it -v $(pwd)/examples/ruby/example1:/src horuszup/horusec-ruby:v1.0.2 sh
/ # cd /src/
/src # bundle-audit
Name: actionpack
Version: 6.0.0
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

docker run --rm -it -v $(pwd)/examples/ruby/example1:/src horuszup/horusec-ruby:v1.1.1 sh
/ # cd /src/
/src # bundle-audit
Download ruby-advisory-db ...
Cloning into '/root/.local/share/ruby-advisory-db'...
fatal: unable to access 'https://github.com/rubysec/ruby-advisory-db.git/': SSL certificate problem: unable to get local issuer certificate
failed to download https://github.com/rubysec/ruby-advisory-db.git to "/root/.local/share/ruby-advisory-db"

This could be related to #880

The problem here was that the machine used to run these tests had some problems with SSL connections because some certificates were invalid, so when Bundler tried to clone the ruby-advisory-db an error was generated by git: SSL certificate problem: unable to get local issuer certificate

Either way, an improvement should be made: for any invalid output returned by Bundler an error should be generated, rather than parsing that output as a vulnerability.

The PR #925 was merged and contains a validation that will not parse output from Bundler if it does not contain the "Name:" string, which fixes this and any future issues from parsing errors as vulnerabilities from Bundler output, so I'm closing this issue.
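As an added illustration of the validation described in the closing comment, the Go example below parses bundle-audit's plain-text report (the "Name:", "Version:", "Advisory:", ... blocks seen in the v1.0.2 session above) and refuses any output that has no "Name:" line, surfacing it as a tool error instead of a finding. This is example code written for this page, not Horusec's own parser from PR #925; the type and function names, the error value, and the second advisory block in the sample (built from the rubyzip details quoted earlier in the issue) are assumptions, and both sample strings are constructed inline.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Advisory is one "Key: value" block of bundle-audit's text report.
// (Assumed structure for this example, not a Horusec type.)
type Advisory struct {
	Name        string
	Version     string
	Advisory    string
	Criticality string
	URL         string
	Title       string
	Solution    string
}

// ErrNoAdvisoryOutput marks output that is not a bundle-audit report, such as the
// git clone failure printed when ruby-advisory-db cannot be fetched. (Assumed name.)
var ErrNoAdvisoryOutput = errors.New("bundle-audit output contains no advisory entries")

// SampleReport is a constructed report: the actionpack block is copied from the
// issue's v1.0.2 session; the rubyzip block is built from the rubyzip finding
// quoted in the issue body.
const SampleReport = `Name: actionpack
Version: 6.0.0
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: rubyzip
Version: 1.2.3
Advisory: CVE-2019-16892
Criticality: Unknown
URL: https://github.com/rubyzip/rubyzip/pull/403
Title: Denial of Service in rubyzip ("zip bombs")
Solution: upgrade to >= 1.3.0
`

// SampleCloneError is the constructed failure output from the v1.1.1 session.
const SampleCloneError = `Download ruby-advisory-db ...
Cloning into '/root/.local/share/ruby-advisory-db'...
fatal: unable to access 'https://github.com/rubysec/ruby-advisory-db.git/': SSL certificate problem: unable to get local issuer certificate
failed to download https://github.com/rubysec/ruby-advisory-db.git to "/root/.local/share/ruby-advisory-db"
`

// ParseBundleAudit parses the blank-line-separated "Key: value" blocks that
// bundle-audit prints. Output without a "Name:" line is rejected with
// ErrNoAdvisoryOutput instead of being turned into a vulnerability.
func ParseBundleAudit(output string) ([]Advisory, error) {
	if !strings.Contains(output, "Name:") {
		return nil, fmt.Errorf("%w: %s", ErrNoAdvisoryOutput, strings.TrimSpace(output))
	}
	var result []Advisory
	var cur *Advisory
	flush := func() {
		if cur != nil && cur.Name != "" {
			result = append(result, *cur)
		}
		cur = nil
	}
	for _, raw := range strings.Split(output, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" {
			flush() // blank line ends the current advisory block
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			continue // not a "Key: value" line (e.g. "Download ruby-advisory-db ...")
		}
		key, value := parts[0], strings.TrimSpace(parts[1])
		if key == "Name" {
			flush()
			cur = &Advisory{Name: value}
			continue
		}
		if cur == nil {
			continue // field seen before any "Name:" header; ignore it
		}
		switch key {
		case "Version":
			cur.Version = value
		case "Advisory":
			cur.Advisory = value
		case "Criticality":
			cur.Criticality = value
		case "URL":
			cur.URL = value
		case "Title":
			cur.Title = value
		case "Solution":
			cur.Solution = value
		}
	}
	flush()
	return result, nil
}

func main() {
	advs, err := ParseBundleAudit(SampleReport)
	fmt.Println(len(advs), "advisories, err:", err)
	_, err = ParseBundleAudit(SampleCloneError)
	fmt.Println("clone error treated as tool error:", errors.Is(err, ErrNoAdvisoryOutput))
}
```

The check is deliberately on the whole output rather than per line: a report with no "Name:" anywhere is, by bundle-audit's format, not a report at all, so the caller can log the raw text and fail the tool run instead of emitting a finding with an empty line number and a git message as its code.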