haines/pg-aws_rds_iam

Update dependencies to resolve CVEs


Hello! We're looking at using pg-aws_rds_iam, and upon scanning with AWS Inspector there are a handful of dependencies in the current Gemfile.lock that are out-of-date and have open high CVEs. commonmarker looks like the worst offender (CVE-2023-22483, CVE-2023-22486, CVE-2023-22484, CVE-2023-22485).

It looks like you've been on top of dependabot updates, so maybe this is just a request to ship a new release? Happy to help update/test if you need it. Thanks!

Hi @ckdake! Thanks for taking a look at pg-aws_rds_iam.

How exactly are you running AWS Inspector on the gem? The thing is, Gemfile.lock is just for development, so I think this is a false positive.

If you install the gem (either directly or with Bundler) you'll only get the dependencies listed in the gemspec (and their transitive dependencies).

Verifying this:

$ docker run --rm -it ruby:3.2-alpine sh

# apk add build-base postgresql-dev
...
OK: 599 MiB in 74 packages

# gem install pg-aws_rds_iam
...
Successfully installed pg-1.5.3
Successfully installed aws-eventstream-1.2.0
Successfully installed aws-sigv4-1.5.2
Successfully installed jmespath-1.6.2
Successfully installed aws-partitions-1.759.0
Successfully installed aws-sdk-core-3.171.0
Successfully installed aws-sdk-rds-1.177.0
Successfully installed pg-aws_rds_iam-0.4.2
8 gems installed

# ls -1 /usr/local/bundle/gems
aws-eventstream-1.2.0
aws-partitions-1.759.0
aws-sdk-core-3.171.0
aws-sdk-rds-1.177.0
aws-sigv4-1.5.2
jmespath-1.6.2
pg-1.5.3
pg-aws_rds_iam-0.4.2

As you can see, commonmarker is not installed.

Having said that, Gemfile.lock shouldn't really even be included in the gem at all. I'll look at limiting the files that are included to only those that are strictly necessary.
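An added example, not code from the maintainer or the pg-aws_rds_iam project, that makes the distinction above mechanical: it parses a Gemfile.lock and reports which locked gems are unreachable from the gemspec's runtime dependencies (assumed here to be aws-sdk-rds and pg, as the install output suggests), i.e. development-only gems that a scanner may flag but that `gem install` never ships. The lockfile is a constructed sample.

```ruby
require 'set'
# Parse the GEM section's `specs:` list of a Gemfile.lock into
# { gem_name => [dependency names] }; other sections are ignored.
def parse_lockfile_specs(text)
  specs, current, in_gem = {}, nil, false
  text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A[A-Z]/)                        # section header (GEM, PLATFORMS, ...)
      in_gem = (line == 'GEM')
    elsif in_gem && line =~ /\A {4}(\S+) \(/         # "    name (version)": a locked gem
      specs[current = $1] = []
    elsif in_gem && current && line =~ /\A {6}(\S+)/ # "      dep (constraint)": its dependency
      specs[current] << $1
    end
  end
  specs
end
# Gems reachable from the gemspec's runtime dependencies through the lock graph.
def runtime_closure(specs, runtime_deps)
  seen, queue = Set.new, runtime_deps.dup
  until queue.empty?
    name = queue.shift
    queue.concat(specs.fetch(name, [])) if seen.add?(name)
  end
  seen
end
# Locked gems `gem install` never pulls in: they exist only for development.
def dev_only_gems(lockfile_text, runtime_deps)
  specs = parse_lockfile_specs(lockfile_text)
  shipped = runtime_closure(specs, runtime_deps)
  specs.keys.reject { |name| shipped.include?(name) }.sort
end
# Constructed sample lockfile: aws-*/pg versions follow the install output in
# this issue; the commonmarker version is a placeholder.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      aws-partitions (1.759.0)
      aws-sdk-core (3.171.0)
        aws-partitions (~> 1)
      aws-sdk-rds (1.177.0)
        aws-sdk-core (~> 3)
      commonmarker (0.0.0)
      pg (1.5.3)
  DEPENDENCIES
    commonmarker
    pg-aws_rds_iam!
LOCK
RUNTIME_DEPS = %w[aws-sdk-rds pg].freeze # gemspec runtime deps, inferred from the install output
puts "development-only: #{dev_only_gems(SAMPLE_LOCK, RUNTIME_DEPS).join(', ')}"
```

Running it against a real checkout means reading the project's Gemfile.lock and `Gem::Specification.load('pg-aws_rds_iam.gemspec').runtime_dependencies.map(&:name)` instead of the constants.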

I've released v0.5.0 which removes the Gemfile.lock and other unnecessary files from the packaged gem. Hopefully that should solve your problem!

Hello! You fixed this while I was out to lunch :). Thanks!

We use docker to package our rails app up with its gems (not in the :development group!), and push a container image to AWS ECR which then scans the included files for vulns. It finds/found the Gemfile.lock included in your gem which triggered the warnings. Getting the Gemfile.lock out of the gem is a perfect solution here, and should clear out the warnings. I'll report back if we run into anything else.