
Checks Ruby and RubyGems against known security vulnerabilities.

8 ruby_audit issues

Welp, I think the check for rubygems vulnerabilities has been broken since February 2021. #### Problem I was looking around the [rubysec/ruby-advisory-db](https://github.com/rubysec/ruby-advisory-db) repo while working on #34, and I noticed...

I thought I'd clean up some stuff around the advisory database, so this PR does 3 things: ### Remove the check for stale database The first thing is removing the...

I was looking at [rubysec/bundler-audit](https://github.com/rubysec/bundler-audit) for features from the last couple years to ~~steal~~ be inspired by, and I thought rubysec/bundler-audit#327 was a good idea. Sometimes, an advisory suggests multiple...

It would be nice if you could specify CVEs to ignore via a config file, similar to [bundler-audit's config file](https://github.com/rubysec/bundler-audit?tab=readme-ov-file#configuration-fil), instead of needing to append them each to the ruby-audit...

After bumping to Ruby 3.2.0, when running `ruby_audit check` we receive the following error: `Tried to load unspecified class: Date (Psych::DisallowedClass)` for `ruby_audit check`. ruby-audit version => ruby-audit 1.3.0 (advisories:...

The file structure of https://github.com/rubysec/ruby-advisory-db has changed. The `libraries` dir was removed and its files moved to the `gems/rubygems-update` dir. Therefore the existing code doesn't work with the new file structure. Probably there...
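The two issues above (the `Psych::DisallowedClass` error for `Date` on Ruby 3.2, and the move of the RubyGems advisories from `libraries` to `gems/rubygems-update`) touch the same piece of logic: reading advisory YAML from the database checkout and matching a version against it. The following is an added example, not ruby_audit's own code, showing how a checker can handle both: it permits `Date` explicitly when loading (Psych 4, bundled with Ruby 3.1+, makes `YAML.load` a safe load that rejects `Date` unless it is permitted), looks for RubyGems advisories under both the old and the new directory, and evaluates `patched_versions`/`unaffected_versions` with `Gem::Requirement`. The advisory file, its title and version ranges, and the `EXAMPLE.yml` file name are constructed for the demo; the field names follow the advisory database's conventions.

```ruby
# Added example (not ruby_audit's code): load rubygems-update advisories from
# either ruby-advisory-db layout and check a RubyGems version against them.
require "yaml"
require "date"
require "tmpdir"
require "fileutils"
require "rubygems"

# Constructed sample advisory. Field names mirror ruby-advisory-db's format;
# the title, date and version ranges are made up for this demo.
SAMPLE_ADVISORY = <<~YAML
  gem: rubygems-update
  date: 2021-02-01
  title: Example advisory (constructed)
  patched_versions:
    - ">= 3.2.5"
YAML

# Psych 4 (Ruby 3.1+) makes YAML.load a safe load, so a `date:` scalar raises
# Psych::DisallowedClass unless Date is permitted explicitly. safe_load with
# permitted_classes behaves the same on Psych 3 and 4.
def load_advisory(path)
  YAML.safe_load(File.read(path), permitted_classes: [Date])
end

# Same document without the permission: returns true if Psych rejects it.
def date_rejected_without_permission?(yaml_text)
  YAML.safe_load(yaml_text)
  false
rescue Psych::DisallowedClass
  true
end

# Advisories for RubyGems itself lived under libraries/rubygems in older
# checkouts and live under gems/rubygems-update now; search both so the
# checker works against either layout instead of silently finding nothing.
RUBYGEMS_ADVISORY_DIRS = %w[gems/rubygems-update libraries/rubygems].freeze

def rubygems_advisory_paths(db_root)
  RUBYGEMS_ADVISORY_DIRS
    .flat_map { |dir| Dir.glob(File.join(db_root, dir, "*.yml")) }
    .sort
end

# A version is vulnerable unless some patched or unaffected range covers it.
def satisfied?(ranges, version)
  Array(ranges).any? { |r| Gem::Requirement.new(r).satisfied_by?(version) }
end

def vulnerable?(advisory, version)
  v = Gem::Version.new(version)
  !(satisfied?(advisory["patched_versions"], v) ||
    satisfied?(advisory["unaffected_versions"], v))
end

# Titles of advisories that apply to the given RubyGems version.
def check_rubygems(db_root, version)
  rubygems_advisory_paths(db_root)
    .map { |path| load_advisory(path) }
    .select { |advisory| vulnerable?(advisory, version) }
    .map { |advisory| advisory["title"] }
end

# Build a throwaway database in the new layout and run the check twice.
def demo
  Dir.mktmpdir do |root|
    dir = File.join(root, "gems", "rubygems-update")
    FileUtils.mkdir_p(dir)
    path = File.join(dir, "EXAMPLE.yml") # constructed file name
    File.write(path, SAMPLE_ADVISORY)
    {
      date_class: load_advisory(path)["date"].class,
      vulnerable_version: check_rubygems(root, "3.2.4"),
      patched_version: check_rubygems(root, "3.2.5"),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "Date rejected without permission: #{date_rejected_without_permission?(SAMPLE_ADVISORY)}"
  puts demo.inspect
end
```

Running the file prints that the unpermitted load is rejected, that the permitted load yields a `Date`, that 3.2.4 matches the constructed advisory and 3.2.5 does not. Searching both directories is deliberate: a checker that only knows one layout fails open, reporting no RubyGems advisories at all rather than an error, which is exactly the kind of silent breakage the first issue on this page describes.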

Hello, following this new CVE for jruby https://github.com/rubysec/ruby-advisory-db/blob/master/rubies/jruby/CVE-2022-25857.yml we received the following report: `Name: jruby Version: 2.6.8.0 Advisory: CVE-2022-25857 Criticality: High URL: https://github.com/jruby/jruby/issues/7342 Title: CVE-2022-25857 jruby/psych/snakeyaml: Denial of Service`...

Just doing some regular maintenance. I don't think we need to do another release for this PR. * Bump the ruby version in development to 3.3.1 * Drop support for...