rtomayko / tilt

Generic interface to multiple Ruby template engines

Home Page: http://github.com/rtomayko/tilt

CVE-2020-14001 Kramdown gem version

Joengenduvel opened this issue

While scanning our logstash container we stumbled on this CVE which seems to be caused by a dependency on this library.
Can we expect a new release with an updated dependency?

    ~/Downloads/logstash-7.9.0.zip | grep kramdown
    514 08-12-2020 00:03 logstash-7.9.0/vendor/bundle/jruby/2.5.0/gems/tilt-2.0.10/lib/tilt/kramdown.rb

I'm not sure what we need to fix in Tilt. We don't have a dependency on Kramdown and only provide an adapter. There's nothing in Tilt which should cause you to get an old version of Kramdown.

I think an explicit dependency on versions >= 2.3.0 will fix the issue. Looks like version REL_1_5_0 is tagged with latest.

There is no dependency in Tilt on Kramdown. Adding Tilt as a dependency should not bring in any version of Kramdown.

@judofyr: Tilt's Gemfile references Kramdown as a gem in the "secondary" group. Does that not count as a dependency?

As @Joengenduvel wrote, it results in Trivy detecting a critical vulnerability for Logstash because it uses Tilt.

The Gemfile is only used for development. It does not contain a version, and shouldn't affect packaged versions of logstash (unless they are packaging wrong, but that doesn't look to be the case).

The file referenced in the first post is the adapter. If Trivy is detecting that as a dependency or cause for CVE, you should raise an issue with Trivy.

If the file was called crypto_miner.rb, and only had the contents of puts "hello world", is it a crypto miner? Would Trivy flag it as such?

I dug into this a bit more. It's not based on file name, which the first post seemed to imply.

I ran trivy -d image docker.elastic.co/logstash/logstash:7.10.1 and captured the output (see https://gist.github.com/adam12/ea1fe607ffb39f0f8de09820e9a7f14e). They are basing the failure on the packaged Gemfile.lock. If we look at this file we can see the dependency tree.

Tilt has no dependencies.

    <snipped above>
    thread_safe (0.3.6-java)
    tilt (2.0.10)
    treetop (1.6.11)
      polyglot (~> 0.3)
    <snipped below>

The only dependency on kramdown is in logstash-devutils:

    <snipped above>
    logstash-codec-rubydebug (3.1.0)
      amazing_print (~> 1)
      logstash-core-plugin-api (>= 1.60, <= 2.99)
    logstash-devutils (1.3.6-java)
      fivemat
      gem_publisher
      insist (= 1.0.0)
      kramdown (= 1.14.0)
      logstash-core-plugin-api (>= 2.0, <= 2.99)
      minitar
      rake
      rspec (~> 3.0)
      rspec-wait
      stud (>= 0.0.20)
    logstash-filter-aggregate (2.9.1)
      logstash-core-plugin-api (>= 1.60, <= 2.99)
    <snipped below>

You can see the dependency on kramdown here: https://github.com/elastic/logstash-devutils/blob/86bc69db54e0d5e26693acb4a768e84c089eb531/logstash-devutils.gemspec#L45

They are using a major version behind (Kramdown is now shipping 2.x versions) and it appears that they've pinned it intentionally (https://github.com/elastic/logstash-devutils/blob/5d140a5625e28fd73cf063d5c4d0a18130e1583a/CHANGELOG.md#134), so I couldn't even submit a PR to update the version without a bunch more work.

So my suggestion is to raise an issue in https://github.com/elastic/logstash-devutils.

It's not a Tilt issue.
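The same check can be done against the lockfile directly, which is what Trivy works from. The following is an added Ruby example (not Tilt's or Logstash's code); the lockfile excerpt is constructed from the Gemfile.lock snippets quoted above.

```ruby
# Added example, not Tilt's code: parse the "specs:" section of a Gemfile.lock and
# show which gems declare a dependency on a flagged gem such as kramdown, which is
# what a scanner like Trivy works from. Constructed excerpt modelled on the quoted lock.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      kramdown (1.14.0)
      logstash-devutils (1.3.6-java)
        insist (= 1.0.0)
        kramdown (= 1.14.0)
        rake
      tilt (2.0.10)
      treetop (1.6.11)
        polyglot (~> 0.3)

  PLATFORMS
    java
LOCK

# { gem => [declared dependency names] }. Resolved gems sit at 4 spaces, their
# dependencies at 6; the first unindented or blank line after "specs:" closes the block.
def parse_specs(lock_text)
  specs, current, in_specs = {}, nil, false
  lock_text.each_line(chomp: true) do |line|
    case line
    when "  specs:"        then in_specs = true
    when /\A(\S|\z)/       then in_specs = false
    when /\A {4}(\S+) \(/  then specs[current = $1] ||= [] if in_specs
    when /\A {6}(\S+)/     then specs[current] << $1 if in_specs && current
    end
  end
  specs
end

# Gems that directly declare `target` as a dependency.
def dependents_of(specs, target)
  specs.select { |_, deps| deps.include?(target) }.keys.sort
end

# Does installing `gem` pull in `target`, directly or transitively?
def pulls_in?(specs, gem, target, seen = {})
  return false if seen[gem]
  seen[gem] = true
  deps = specs.fetch(gem, [])
  deps.include?(target) || deps.any? { |d| pulls_in?(specs, d, target, seen) }
end

specs = parse_specs(SAMPLE_LOCK)
puts "kramdown required by: #{dependents_of(specs, 'kramdown').join(', ')}"
```

Point `parse_specs` at a real lockfile (`File.read("Gemfile.lock")`) to see which gem, if any, is the one actually pulling the flagged version in.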

Thanks for the investigative work @adam12!

Thank you very much @adam12. I created an issue over at logstash-devutils.