rubysec / bundler-audit

Patch-level verification for Bundler


bundler audit confuses loofah gem version 2.10.0 with 2.1

ksenia-sudarikova opened this issue · comments

I have loofah 2.10.0 in my Gemfile.lock and the audit reports a warning:

== Warnings ==

Confidence: Medium
Category: Cross-Site Scripting
Check: SanitizeMethods
Message: loofah gem 2.10.0 is vulnerable (CVE-2018-8048). Upgrade to 2.2.1
File: Gemfile.lock
Line: 379

I believe it confuses 2.10.0 with the 2.1 gem version vulnerable to CVE-2018-8048.

What version of Ruby, RubyGems, and bundler-audit are you using? I can't reproduce this locally with a simple Gemfile containing gem 'bundler-audit', '0.8.0' and gem 'loofah', '2.10.0' on ruby 3.0.1p64 and rubygems 3.2.15.

Ruby 2.5.3p105, RubyGems 2.7.7, bundler-audit 0.8.0

Still can't reproduce on Ruby 2.5.9 and 2.7.6.3. I'm going to guess this is a bug in an older RubyGems. Maybe try updating to Ruby 2.5.9 (although the 2.5 series is no longer maintained) or RubyGems (gem update --system).

@ksenia-sudarikova Could you double check whether your warning message was from brakeman or bundle-audit? Your warning message looks like it is from brakeman.

Brakeman had such an issue (presidentbeef/brakeman#1603). The newest version should have fixed it.

You're right, I mixed up the bundler-audit message with brakeman, thanks for the clarification.
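The misclassification reported above is the classic symptom of comparing version strings character by character instead of as parsed versions: "2.10.0" sorts before "2.2.1" as text, so it looks older than the CVE-2018-8048 fix. The following is an added example, not code from bundler-audit or brakeman; it assumes the patched range is `>= 2.2.1` (taken from the warning text) and contrasts a naive string check with `Gem::Version`/`Gem::Requirement` from RubyGems.

```ruby
# Added example (not part of the issue thread, bundler-audit or brakeman).
# Shows why a lexical string comparison flags loofah 2.10.0 as older than the
# CVE-2018-8048 fix (2.2.1), and how RubyGems' own version classes get it right.
require "rubygems"

# Constructed advisory record: patched versions as written in the warning above.
PATCHED = [">= 2.2.1"].freeze

# Naive check: plain String comparison. "2.10.0" >= "2.2.1" is false because
# at the third character "1" sorts before "2", so 2.10.0 is misreported.
def vulnerable_by_string?(version)
  PATCHED.none? { |req| version >= req.split.last }
end

# Correct check: parse with Gem::Version and evaluate each requirement.
# Returns nil (unknown) for strings RubyGems cannot parse rather than raising.
def vulnerable_by_gem_version?(version)
  return nil unless Gem::Version.correct?(version)

  v = Gem::Version.new(version)
  PATCHED.none? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Run both checks over a list of Gemfile.lock-style version strings and
# return a hash of version => { string: bool, gem_version: bool/nil }.
def compare(versions)
  versions.map do |ver|
    [ver, { string: vulnerable_by_string?(ver),
            gem_version: vulnerable_by_gem_version?(ver) }]
  end.to_h
end

if $PROGRAM_NAME == __FILE__
  compare(%w[2.1.0 2.2.1 2.10.0]).each do |ver, r|
    puts format("%-7s string=%-5s Gem::Version=%s", ver, r[:string], r[:gem_version])
  end
end
```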