Hugh Pearse created CALCITE-6794:
------------------------------------

             Summary: Site Gemfile contains vulnerable ruby libraries
                 Key: CALCITE-6794
                 URL: https://issues.apache.org/jira/browse/CALCITE-6794
             Project: Calcite
          Issue Type: Task
          Components: site
    Affects Versions: 1.38.0
            Reporter: Hugh Pearse
Automated scans of the repo are failing, blocking the corporate process for library approval due to CVE vulnerability findings. A very minor change to the site Gemfile is required to pass the scans. The scanning tool is Trivy, and the issue does not appear in OWASP dependency-check.

* Scan of *https://github.com/apache/calcite* on *Jan 17, 2025*
Repo Tag Scanned: *calcite-1.38.0*

|Vulnerabilities|
||Severity||PkgName||Installed Version||Fixed Version||Vulnerability ID||Reference||
|HIGH|rexml|3.2.5|>= 3.3.9|CVE-2024-49761|https://avd.aquasec.com/nvd/cve-2024-49761|
|HIGH|webrick|1.7.0|>= 1.8.2|CVE-2024-47220|https://avd.aquasec.com/nvd/cve-2024-47220|
|MEDIUM|nokogiri|1.14.3|1.15.6, 1.16.2|GHSA-vcc3-rw6f-jv97|https://github.com/advisories/GHSA-vcc3-rw6f-jv97|
|MEDIUM|nokogiri|1.14.3|~> 1.15.6, >= 1.16.2|GHSA-xc9x-jj77-9p9j|https://github.com/advisories/GHSA-xc9x-jj77-9p9j|
|MEDIUM|rexml|3.2.5|>= 3.2.7|CVE-2024-35176|https://avd.aquasec.com/nvd/cve-2024-35176|
|MEDIUM|rexml|3.2.5|>= 3.3.2|CVE-2024-39908|https://avd.aquasec.com/nvd/cve-2024-39908|
|MEDIUM|rexml|3.2.5|>= 3.3.3|CVE-2024-41123|https://avd.aquasec.com/nvd/cve-2024-41123|
|MEDIUM|rexml|3.2.5|>= 3.3.3|CVE-2024-41946|https://avd.aquasec.com/nvd/cve-2024-41946|
|MEDIUM|rexml|3.2.5|>= 3.3.6|CVE-2024-43398|https://avd.aquasec.com/nvd/cve-2024-43398|

The solution is to update the site Gemfile.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
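As an added example (not part of this issue or of the Calcite project's code), the following Ruby script takes the Fixed Version constraints from the Trivy table above, checks a Gemfile.lock against them with Gem::Requirement, and reports the smallest version that closes every advisory row for each gem. The lock excerpt is constructed, and reading a bare version in Trivy's Fixed Version column as a "~>" release line is an assumption.

```ruby
require 'rubygems'

# Findings copied from the Trivy table in this issue: gem => one "Fixed Version" cell per
# advisory row. Trivy lists the fix for each release line separated by commas: a version is
# patched against a row if it satisfies ANY alternative, and safe only if it passes EVERY row.
FINDINGS = {
  'rexml'    => ['>= 3.3.9', '>= 3.2.7', '>= 3.3.2', '>= 3.3.3', '>= 3.3.6'],
  'webrick'  => ['>= 1.8.2'],
  'nokogiri' => ['1.15.6, 1.16.2', '~> 1.15.6, >= 1.16.2'],
}.freeze

# Constructed Gemfile.lock excerpt (not the real Calcite file) mirroring the scanned versions.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.14.3)
        racc (~> 1.4)
      rexml (3.2.5)
      webrick (1.7.0)
LOCK

# One Fixed Version cell -> Gem::Requirement alternatives. Assumption: a bare version such as
# "1.15.6" means that release line patched (~> 1.15.6); the last, highest one is open-ended (>=).
def fix_alternatives(cell)
  parts = cell.split(',').map(&:strip)
  parts.each_with_index.map do |part, i|
    part = (i == parts.size - 1 ? ">= #{part}" : "~> #{part}") unless part.match?(/\A[~<>=!]/)
    Gem::Requirement.new(part)
  end
end

# True when +version+ closes every advisory row recorded for +gem+.
def patched?(gem, version)
  v = Gem::Version.new(version)
  FINDINGS.fetch(gem).all? { |cell| fix_alternatives(cell).any? { |r| r.satisfied_by?(v) } }
end

# Lowest version named in the advisories that closes all of them for +gem+ (nil if none).
def minimum_fixed_version(gem)
  FINDINGS.fetch(gem).flat_map { |cell| cell.scan(/\d+(?:\.\d+)+/) }.uniq
          .map { |s| Gem::Version.new(s) }.sort.find { |v| patched?(gem, v.to_s) }&.to_s
end

# Resolved gems sit at 4-space indent under "specs:" (their dependencies at 6), so only those
# are scanned. Returns gem => [installed, minimum fixed] for flagged gems still below the fix.
def unpatched_gems(lock_text)
  lock_text.scan(/^ {4}(\S+) \(([^)]+)\)$/).each_with_object({}) do |(name, ver), out|
    out[name] = [ver, minimum_fixed_version(name)] if FINDINGS.key?(name) && !patched?(name, ver)
  end
end
```

The second element of each result is the floor to put in the site Gemfile (for example `gem 'rexml', '>= 3.3.9'`); note that a version passing only the first rexml row, such as 3.3.6, is still reported because the other rows require more.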