Incorrectly flagged vulnerabilities with 4-digit version numbers
tilo opened this issue · comments
Description
Codeclimate runs bundler-audit to check for vulnerabilities
and I noticed that it incorrectly flags vulnerabilities.
e.g. when upgrading Rails from 6.0.4 to 6.0.4.6
these two vulnerabilities get flagged, although they already have the fix from 6.0.3.5 applied:
https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
Flagging this issue with Codeclimate as well, but wanted to give you guys a heads-up in case it is an issue in bundler-audit.
Perhaps the comparison of version numbers is not correctly done, and has trouble with 4-digit version numbers?
Steps To Reproduce
Steps to reproduce the bug:
$ bundle-audit ...- ???
Expected Behavior
should not flag these CVEs as an error
Actual Behavior
see image above
Environment
$ bundler-audit --version
...
$ bundle --version
...
$ ruby --version
...
I cannot seem to reproduce this bug using the latest version of bundler-audit and ruby-advisory-db.
Vulnerable Gemfile
source 'https://rubygems.org/'
gem 'bundler-audit'
gem 'activerecord', '6.0.3.4'$ bundle exec bundle-audit
Name: activerecord
Version: 6.0.3.4
CVE: CVE-2021-22880
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter
Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3.5, >= 6.1.2.1
Vulnerabilities found!Secure Gemfile
source 'https://rubygems.org/'
gem 'bundler-audit'
gem 'activerecord', '6.0.3.5'$ bundle exec bundle-audit
No vulnerabilities foundCould you post the Gemfile.lock or Gemfile and which specific CVEs that bundler-audit is detecting?