CVE-2020-14001 Kramdown gem version
Joengenduvel opened this issue · 8 comments
While scanning our logstash container we stumbled on this CVE which seems to be caused by a dependency on this library.
Can we expect a new release with an updated dependency?
~/Downloads/logstash-7.9.0.zip | grep kramdown
514 08-12-2020 00:03 logstash-7.9.0/vendor/bundle/jruby/2.5.0/gems/tilt-2.0.10/lib/tilt/kramdown.rb
I'm not sure what we need to fix in Tilt. We don't have a dependency on Kramdown and only provide an adapter. There's nothing in Tilt which should cause you to get an old version of Kramdown.
I think an explicit dependency on versions >= 2.3.0 will fix the issue. looks like version REL_1_5_0 is tagged with latest
There is no dependency in Tilt on Kramdown. Adding Tilt as a dependency should not bring in any version of Kramdown.
@judofyr: Tilt's Gemfile references Kramdown as a gem in the "secondary" group. Does that not count as a dependency?
As @Joengenduvel wrote, it results in Trivy detecting a critical vulnerability for Logstash because it uses Tilt.
The Gemfile is only used for development. It does not contain a version, and shouldn't affect packaged versions of logstash (unless they are packaging wrong, but that doesn't look to be the case).
The file referenced in the first post is the adapter. If Trivy is detecting that as a dependency or cause for CVE, you should raise an issue with Trivy.
If the file was called crypto_miner.rb, and only had the contents of puts "hello world", is it a crypto miner? Would Trivy flag it as such?
I dug into this a bit more. It's not based on file name, which the first post seemed to imply.
I ran trivy -d image docker.elastic.co/logstash/logstash:7.10.1 and captured the output (see https://gist.github.com/adam12/ea1fe607ffb39f0f8de09820e9a7f14e). They are basing the failure on the packaged Gemfile.lock. If we look at this file we can see the dependency tree.
Tilt has no dependencies.
<snipped above>
    thread_safe (0.3.6-java)
    tilt (2.0.10)
    treetop (1.6.11)
      polyglot (~> 0.3)
<snipped below>
The only dependency on kramdown is logstash-devutils
<snipped above>
    logstash-codec-rubydebug (3.1.0)
      amazing_print (~> 1)
      logstash-core-plugin-api (>= 1.60, <= 2.99)
    logstash-devutils (1.3.6-java)
      fivemat
      gem_publisher
      insist (= 1.0.0)
      kramdown (= 1.14.0)
      logstash-core-plugin-api (>= 2.0, <= 2.99)
      minitar
      rake
      rspec (~> 3.0)
      rspec-wait
      stud (>= 0.0.20)
    logstash-filter-aggregate (2.9.1)
      logstash-core-plugin-api (>= 1.60, <= 2.99)
<snipped below>
You can see the dependency on kramdown here: https://github.com/elastic/logstash-devutils/blob/86bc69db54e0d5e26693acb4a768e84c089eb531/logstash-devutils.gemspec#L45
They are using a major version behind (Kramdown is now shipping 2.x versions) and it appears that they've pinned it intentionally (https://github.com/elastic/logstash-devutils/blob/5d140a5625e28fd73cf063d5c4d0a18130e1583a/CHANGELOG.md#134), so I couldn't even submit a PR to update the version without a bunch more work.
So my suggestion is raise an issue in https://github.com/elastic/logstash-devutils.
It's not a Tilt issue.
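The point of the last comment is that a lockfile scanner does not care which gem's adapter file sits on disk; it reads the resolved specs in Gemfile.lock and walks the dependency edges. The script below is an added example written for this thread, not code from Tilt, Logstash, logstash-devutils or Trivy. It parses the specs section of a lockfile, answers "which gem pulls in kramdown?" by following reverse dependencies up to a root, and flags the pinned version against the 2.3.0 fix threshold named earlier in the thread. The embedded lockfile is a constructed excerpt assembled from the specs quoted above, not a complete Logstash lockfile, and the 4/6-space indentation rule is the standard Gemfile.lock layout.

```ruby
require "rubygems" # for Gem::Version comparison (loaded by default in normal Ruby)

# Constructed excerpt in Gemfile.lock layout, built from the specs quoted in the
# thread. Not a real Logstash lockfile; polyglot's version is made up for completeness.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      kramdown (1.14.0)
      logstash-codec-rubydebug (3.1.0)
        amazing_print (~> 1)
        logstash-core-plugin-api (>= 1.60, <= 2.99)
      logstash-devutils (1.3.6-java)
        insist (= 1.0.0)
        kramdown (= 1.14.0)
        logstash-core-plugin-api (>= 2.0, <= 2.99)
        rspec (~> 3.0)
      polyglot (0.3.5)
      tilt (2.0.10)
      treetop (1.6.11)
        polyglot (~> 0.3)

  PLATFORMS
    java

  DEPENDENCIES
    logstash-devutils
    tilt
LOCK

# Parse the "specs:" block(s) of a Gemfile.lock into
# { name => { version: String, deps: [String] } }.
# Resolved gems are indented 4 spaces, their dependencies 6.
def parse_lock_specs(text)
  specs = {}
  current = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A  specs:\z/
      in_specs = true
      next
    end
    # Any non-indented line (PLATFORMS, DEPENDENCIES, ...) ends the specs block.
    in_specs = false if in_specs && line =~ /\A\S/
    next unless in_specs
    case line
    when /\A    (\S+) \(([^)]+)\)\z/      # 4 spaces: resolved gem with its version
      current = $1
      specs[current] = { version: $2, deps: [] }
    when /\A      (\S+)(?: \(.*\))?\z/     # 6 spaces: a dependency of the current gem
      specs[current][:deps] << $1 if current
    end
  end
  specs
end

# name => [gems that list it as a dependency]
def reverse_deps(specs)
  rev = Hash.new { |h, k| h[k] = [] }
  specs.each { |name, spec| spec[:deps].each { |d| rev[d] << name } }
  rev
end

# Every chain from `target` up to a gem that nothing else depends on,
# e.g. ["kramdown", "logstash-devutils"]. Cycle-safe: a gem already on the
# current path is not walked again.
def dependency_chains(specs, target)
  rev = reverse_deps(specs)
  chains = []
  walk = lambda do |name, path|
    parents = rev[name] - path
    if parents.empty?
      chains << path + [name]
    else
      parents.each { |parent| walk.call(parent, path + [name]) }
    end
  end
  walk.call(target, [])
  chains
end

# Combine both: is the locked kramdown below the version the thread gives as
# fixed (2.3.0), and who is responsible for it being in the lockfile?
def kramdown_finding(lock_text, fixed_in: "2.3.0")
  specs = parse_lock_specs(lock_text)
  spec = specs["kramdown"]
  return nil unless spec
  {
    version: spec[:version],
    vulnerable: Gem::Version.new(spec[:version]) < Gem::Version.new(fixed_in),
    chains: dependency_chains(specs, "kramdown"),
  }
end

if $PROGRAM_NAME == __FILE__
  finding = kramdown_finding(SAMPLE_LOCK)
  puts "kramdown #{finding[:version]} below 2.3.0: #{finding[:vulnerable]}"
  finding[:chains].each { |c| puts "  pulled in via: #{c.reverse.join(' -> ')}" }
  # tilt has no dependencies and nothing depends on it, so its only chain is itself.
  puts "tilt chains: #{dependency_chains(parse_lock_specs(SAMPLE_LOCK), 'tilt').inspect}"
end
```

Running it against the excerpt reports kramdown 1.14.0 as below 2.3.0 with the single chain logstash-devutils -> kramdown, and tilt with no reverse dependencies, which is the same conclusion the comment reaches by reading the lockfile by hand. On a real image you would feed it the packaged Gemfile.lock instead of SAMPLE_LOCK; the parser deliberately ignores the Gemfile, since only the lockfile reflects what was actually resolved and shipped.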