[ 
https://issues.apache.org/jira/browse/CALCITE-6794?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Francis Chuang updated CALCITE-6794:
------------------------------------
    Fix Version/s: 1.39.0

> Site Gemfile contains vulnerable ruby libraries
> -----------------------------------------------
>
>                 Key: CALCITE-6794
>                 URL: https://issues.apache.org/jira/browse/CALCITE-6794
>             Project: Calcite
>          Issue Type: Task
>          Components: site
>    Affects Versions: 1.38.0
>            Reporter: Hugh Pearse
>            Assignee: Hugh Pearse
>            Priority: Trivial
>             Fix For: 1.39.0
>
>
> Automated scans of the repo are failing, blocking the corporate process for 
> library approval due to CVE vulnerability findings. A very minor change to the site 
> Gemfile is required to pass the scans.
> The scanning tool is Trivy, and the issue does not appear in OWASP dependency-check.
>  
>  * Scan of *https://github.com/apache/calcite* on *Jan 17, 2025*
> Repo Tag Scanned: *calcite-1.38.0*
> |Vulnerabilities|
> ||Severity||PkgName||Installed Version||Fixed Version||Vulnerability ID||Reference||
> |HIGH|rexml|3.2.5|>= 3.3.9|CVE-2024-49761|https://avd.aquasec.com/nvd/cve-2024-49761|
> |HIGH|webrick|1.7.0|>= 1.8.2|CVE-2024-47220|https://avd.aquasec.com/nvd/cve-2024-47220|
> |MEDIUM|nokogiri|1.14.3|1.15.6, 1.16.2|GHSA-vcc3-rw6f-jv97|https://github.com/advisories/GHSA-vcc3-rw6f-jv97|
> |MEDIUM|nokogiri|1.14.3|~> 1.15.6, >= 1.16.2|GHSA-xc9x-jj77-9p9j|https://github.com/advisories/GHSA-xc9x-jj77-9p9j|
> |MEDIUM|rexml|3.2.5|>= 3.2.7|CVE-2024-35176|https://avd.aquasec.com/nvd/cve-2024-35176|
> |MEDIUM|rexml|3.2.5|>= 3.3.2|CVE-2024-39908|https://avd.aquasec.com/nvd/cve-2024-39908|
> |MEDIUM|rexml|3.2.5|>= 3.3.3|CVE-2024-41123|https://avd.aquasec.com/nvd/cve-2024-41123|
> |MEDIUM|rexml|3.2.5|>= 3.3.3|CVE-2024-41946|https://avd.aquasec.com/nvd/cve-2024-41946|
> |MEDIUM|rexml|3.2.5|>= 3.3.6|CVE-2024-43398|https://avd.aquasec.com/nvd/cve-2024-43398|
> The solution is to update the site Gemfile.
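The table above lists nine findings against three gems, and the "Fixed Version" column mixes three notations (">= X", "~> X, >= Y", and bare "X, Y"). The following Ruby script is an added example, not part of the issue or of the Calcite project's site code: it transcribes the scan table, evaluates each fixed-version string with RubyGems' own `Gem::Requirement` logic, reports which findings still apply to a given set of pinned versions, and lets you confirm that a candidate set of Gemfile lower bounds clears all of them before re-running Trivy. The treatment of bare versions (each one taken as the fix for its own release branch, so "1.15.6, 1.16.2" reads as "~> 1.15.6 or >= 1.16.2") is an assumption made here, chosen because it matches the explicit form Trivy printed for GHSA-xc9x-jj77-9p9j; the installed and candidate version hashes are constructed from the table, not read from any lockfile.

```ruby
require "rubygems" # provides Gem::Version and Gem::Requirement

# Findings transcribed from the Trivy table in the issue. "fixed" keeps Trivy's
# comma-separated text; each comma-separated item is an alternative patched
# range, so an installed version is fixed if it satisfies ANY one of them.
FINDINGS = [
  ["CVE-2024-49761",      "rexml",    ">= 3.3.9"],
  ["CVE-2024-47220",      "webrick",  ">= 1.8.2"],
  ["GHSA-vcc3-rw6f-jv97", "nokogiri", "1.15.6, 1.16.2"],
  ["GHSA-xc9x-jj77-9p9j", "nokogiri", "~> 1.15.6, >= 1.16.2"],
  ["CVE-2024-35176",      "rexml",    ">= 3.2.7"],
  ["CVE-2024-39908",      "rexml",    ">= 3.3.2"],
  ["CVE-2024-41123",      "rexml",    ">= 3.3.3"],
  ["CVE-2024-41946",      "rexml",    ">= 3.3.3"],
  ["CVE-2024-43398",      "rexml",    ">= 3.3.6"],
].map { |id, gem, fixed| { id: id, gem: gem, fixed: fixed } }

# Constructed from the "Installed Version" column of the calcite-1.38.0 scan.
INSTALLED_1_38 = { "rexml" => "3.2.5", "webrick" => "1.7.0", "nokogiri" => "1.14.3" }

# Candidate lower bounds for the Gemfile: the highest fixed version per gem.
# Assumed for illustration; the issue does not state the exact pins used.
CANDIDATE_PINS = { "rexml" => "3.3.9", "webrick" => "1.8.2", "nokogiri" => "1.16.2" }

# Turn Trivy's fixed-version text into a list of Gem::Requirement alternatives.
# Items carrying an operator are used verbatim. Bare versions are ambiguous;
# the assumption here is that each names the fix for its own release branch:
# all but the highest become "~> X" (same minor series, at or above X) and the
# highest becomes ">= X". So "1.15.6, 1.16.2" => ["~> 1.15.6", ">= 1.16.2"].
def parse_fixed(fixed)
  items = fixed.split(",").map(&:strip)
  bare, ranged = items.partition { |item| item.match?(/\A\d/) }
  reqs = ranged.map { |r| Gem::Requirement.new(r) }
  unless bare.empty?
    sorted = bare.sort_by { |v| Gem::Version.new(v) }
    top = sorted.pop
    reqs += sorted.map { |v| Gem::Requirement.new("~> #{v}") }
    reqs << Gem::Requirement.new(">= #{top}")
  end
  reqs
end

# True when the installed version satisfies at least one patched range.
def fixed?(installed, fixed)
  version = Gem::Version.new(installed)
  parse_fixed(fixed).any? { |req| req.satisfied_by?(version) }
end

# Findings that still apply to a hash of gem name => pinned version.
# A gem absent from the hash is treated as unpatched, so it stays listed.
def open_findings(installed, findings = FINDINGS)
  findings.reject do |f|
    version = installed[f[:gem]]
    version && fixed?(version, f[:fixed])
  end
end

# Gemfile lines expressing the candidate pins as lower bounds.
def gemfile_lines(pins)
  pins.map { |name, version| %(gem "#{name}", ">= #{version}") }
end

if __FILE__ == $PROGRAM_NAME
  puts "Open against 1.38.0: #{open_findings(INSTALLED_1_38).map { |f| f[:id] }.join(', ')}"
  puts "Open with candidate pins: #{open_findings(CANDIDATE_PINS).size}"
  puts gemfile_lines(CANDIDATE_PINS)
end
```

Two practical caveats when applying this to a real site build: a single-branch bump is not always enough (nokogiri 1.16.0 still fails both nokogiri findings under the ranges above, while 1.15.7 or 1.16.2 clears them), and Trivy resolves bundler dependencies from `Gemfile.lock`, so after editing the Gemfile the lockfile must be regenerated and committed or the scan will keep reporting the old versions.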



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
