Comments (10)
Thank you Matsuda-san! I totally agree and understand, sorry to bother the simplecov team for that.
My applications themselves have requirements to use the latest version of rack. What happens to my company (and possibly to some others) is that there are vulnerability checkers (AWS Inspector) that scan container images, look into package manager files and eventually find the rack version in the "Gemfile.lock".
I will look further into AWS Inspector to see if it is possible to suppress this type of finding without suppressing real dependency vulnerabilities.
from simplecov-html.
@blombard, just to inform you, I am also waiting for another release, but that might be out of Matsuda's hands as it needs to be published to Rubygems.
What I am doing at the moment is fetching directly from the specific commit on GitHub with

```ruby
gem 'simplecov-html', git: 'https://github.com/simplecov-ruby/simplecov-html',
                      ref: 'ea52c023962c449156d9348a827666c981bd3831'
```
I am also trying to reach an AWS Inspector specialist to understand whether they have a way around these alerts for code that is not even in the image; it's just a lock file inside a dependency with a mention of another dependency.
from simplecov-html.
Ok, Ok, I just merged the dependabot PR (#124) since I even got a mention on the other issue, but please note that the "vulnerability" on rack gem here does not at all affect your applications' security.
Gems bundled here via `Gemfile.lock` in this repo are nothing but development dependencies that are used only for clones of this Git repo, not your applications that depend on simplecov-html. Please check `Gemfile.lock` in your apps and confirm what I said.
Also, simplecov-html is a static site generator. This product is not a kind of software that runs a web server and processes web requests on your machine. Hence, even if you run simplecov with such "vulnerable" version of Rack, there's no way the attackers can attack your production server.
Again, I just merged the PR in order to calm you guys down, and also to show you that the project is not dead, but please learn that you generally need not care about the content of `Gemfile.lock` in someone else's repo.
from simplecov-html.
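One way to act on the maintainer's advice ("check Gemfile.lock in your apps"), as an added example that is not part of the original thread or of simplecov-html: a small Ruby script that parses an application's `Gemfile.lock` and asks whether `rack` is actually reachable from `simplecov`. The lockfile contents and gem versions below are constructed for illustration; in real use `Bundler::LockfileParser` does the parsing.

```ruby
# Constructed app-side Gemfile.lock (assumed contents): simplecov pulls in simplecov-html,
# whose gemspec declares no runtime dependency on rack, so rack never appears here.
APP_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      docile (1.4.0)
      simplecov (0.22.0)
        docile (~> 1.1)
        simplecov-html (~> 0.11)
      simplecov-html (0.12.3)

  DEPENDENCIES
    simplecov
LOCK

# Minimal parser for the `specs:` block: four spaces of indent name a gem and its
# resolved version, six spaces a dependency of the gem above. (Bundler ships
# Bundler::LockfileParser for real use; this is hand-rolled to stay stand-alone.)
def parse_lock_specs(text)
  specs, current, in_specs = {}, nil, false
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A\S/                       # new top-level section (GEM, DEPENDENCIES, ...)
      in_specs = false
    elsif line.strip == "specs:"
      in_specs = true
    elsif in_specs && line =~ /\A {4}(\S+) \(([^)]+)\)/
      current = $1
      specs[current] = { version: $2, deps: [] }
    elsif in_specs && current && line =~ /\A {6}(\S+)/
      specs[current][:deps] << $1
    end
  end
  specs
end

# Depth-first walk from `root`; returns the path of gem names that reaches `gem_name`,
# or nil when the gem is simply not in this application's dependency graph.
def dependency_path(specs, root, gem_name, path = [root])
  return path if root == gem_name
  (specs.dig(root, :deps) || []).each do |dep|
    found = dependency_path(specs, dep, gem_name, path + [dep])
    return found if found
  end
  nil
end
```

A scanner finding about `rack` is only actionable when `dependency_path` returns a non-nil path in the application's own lockfile; a mention in a dependency's repository lockfile does not put the gem in the image.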
@william-kurosawa Oh, thank you for the explanation! Now I understand the triggers and people's motivation for issues like this. Sounds fair enough actually!
from simplecov-html.
I think a new release needs to be built in order to make this fix visible on rubygems.org?
from simplecov-html.
Can anyone take a look at this issue? It should be just a bump of the rack version.
I guess Dependabot's PR supersedes the previous PR by @nishidayuya: #124
from simplecov-html.
#121 is older than #124, because when #121 was born, rack-2.2.6.4 (#124) did not exist in the world.
So, I'll close #121.
from simplecov-html.
> I will look further into AWS Inspector to see if it is possible to suppress this type of finding without suppressing real dependency vulnerabilities.

I have the same problem. Could it be possible to bump this gem to 0.12.4 and also bump simplecov with the updated simplecov-html dependency?
If you don't have time to do that, how can I effectively fork simplecov/simplecov-html to make this work for me?
from simplecov-html.
@william-kurosawa Perfect, exactly what I needed for now 👌
from simplecov-html.
@amatsuda is it possible to get a release of this change?
from simplecov-html.