This repository has been archived by the owner on Feb 27, 2020. It is now read-only.
Snyk reports 1 High vulnerability in HumanCellAtlas/unity nokogiri. Please remediate by the end of Q3 Milestone 3 or, if applicable, document as a false positive finding.
From Jon: "The version of nokogiri installed is the latest available (1.10.4). So there's also no remediation available for that if it isn't because of this CVE. The issue is that there aren't resolutions available for nokogiri." Note: a milestone has not been assigned to this ticket because it doesn't exist for this repo.
The TL;DR is that the XXE vulnerability in libxml2 (upon which Nokogiri depends) is only an issue for the gem if the application opts into accepting DTD loading and network access. By default these are both false. The stance of the maintainers is that this is not an issue for users of the gem that don't customize options.
There is still activity on their repo about this, so I'm going to leave it open for now, but this may get closed as a "false positive".
The maintainers of Nokogiri are asserting that this is a false positive as of v1.8.3. The underlying issue was patched in libxml2 2.9.8, which was pulled into Nokogiri in 1.8.3. They specifically call out to anyone who is a "security scanner" that this is already dealt with, and that it should be marked as green.
As a result, I'm closing this issue as we are on v1.10.4.