Dealing with unfixed vulnerabilities in gems #157
What's the best way to handle OSVDB entries / CVE assignments for ruby gems with unfixed vulnerabilities? Specifically, maybe a gem is obsolete / unmaintained and won't ever have a new fixed version, but we want to let people know they are using a vulnerable gem. Another case is when a gem takes too long to fix an issue, but we want to warn users so they are aware (maybe not cause a failure, but at least a warning in those cases).

Comments

Yeah. This is something we're thinking about (i.e. #151). I think right now we're leaning towards a "vulnerable_versions" and we'll figure something out in the next week or two.

Currently we just omit

So, actually, Reed pointed out a bunch of scenarios.

Overloading the semantics of patched_versions is probably not so great.
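The thread asks how a checker should treat an advisory for a gem that has no fix (never will, or not yet) without overloading `patched_versions`. The Ruby below is an added example written for this page; it is not code from ruby-advisory-db or bundler-audit. It models the proposed `vulnerable_versions` field next to `patched_versions`: when an advisory carries `patched_versions` and the installed version is not covered, a fix exists and the run fails; when it carries `vulnerable_versions` and the installed version matches, no fix exists and the run only warns, which is the "warning, not failure" behaviour the issue asks for. The three advisory entries, the gem names, the `EXAMPLE-*` identifiers and the `unaffected_versions` field are constructed or assumed for the example.

```ruby
require 'yaml'
require 'rubygems' # Gem::Version and Gem::Requirement

# Constructed advisories for this example, not entries from ruby-advisory-db.
# `patched_versions` is the field discussed in the thread, `vulnerable_versions`
# the field proposed there; `unaffected_versions` is assumed. Gem names and
# EXAMPLE-* identifiers are placeholders.
ADVISORIES = YAML.safe_load(<<~YAML)
  - gem: fixed-gem
    cve: EXAMPLE-1
    title: Vulnerability with a released fix
    unaffected_versions:
      - "< 1.0"
    patched_versions:
      - ">= 1.2.3"
  - gem: abandoned-gem
    cve: EXAMPLE-2
    title: Vulnerability in an unmaintained gem, no fix will be released
    vulnerable_versions:
      - ">= 0"
  - gem: slow-gem
    cve: EXAMPLE-3
    title: Vulnerability reported upstream, fix still pending
    vulnerable_versions:
      - ">= 2.0, < 3.0"
YAML

Finding = Struct.new(:gem, :cve, :status)

# True if the version satisfies any of the requirement strings, each of which
# may hold several comma-separated constraints (e.g. ">= 2.0, < 3.0").
def matches?(version, requirements)
  Array(requirements).any? do |req|
    Gem::Requirement.new(*req.split(',').map(&:strip)).satisfied_by?(version)
  end
end

# Classify one installed gem version against every advisory for that gem:
#   :ok         unaffected or patched, or outside the declared vulnerable range
#   :vulnerable affected and a patched version exists (should fail the build)
#   :unfixed    affected and no fix is available (warn, but do not fail)
def check(gem_name, version_string)
  version = Gem::Version.new(version_string)
  ADVISORIES.select { |adv| adv['gem'] == gem_name }.map do |adv|
    status =
      if matches?(version, adv['unaffected_versions']) ||
         matches?(version, adv['patched_versions'])
        :ok
      elsif adv.key?('vulnerable_versions')
        matches?(version, adv['vulnerable_versions']) ? :unfixed : :ok
      else
        :vulnerable
      end
    Finding.new(gem_name, adv['cve'], status)
  end
end

# Audit a name => version map (e.g. gems from a lockfile). Only findings with
# an available fix set a non-zero exit code; unfixed ones are warnings.
def audit(gems)
  findings = gems.flat_map { |name, ver| check(name, ver) }
                 .reject { |f| f.status == :ok }
  failing = findings.any? { |f| f.status == :vulnerable }
  { exit_code: failing ? 1 : 0, findings: findings }
end

if __FILE__ == $0
  result = audit('fixed-gem' => '1.1.0',
                 'abandoned-gem' => '5.0.0',
                 'slow-gem' => '2.5.0')
  result[:findings].each do |f|
    label = f.status == :vulnerable ? 'FAIL' : 'WARN'
    puts "#{label} #{f.gem} #{f.cve} (#{f.status})"
  end
  puts "exit code: #{result[:exit_code]}"
end
```

Keeping `vulnerable_versions` as its own field is what lets the tool tell "you are on an affected version and a fix exists" apart from "you are on an affected version and nothing to upgrade to"; an advisory that simply omits `patched_versions` cannot express the second case without also being indistinguishable from an incomplete entry.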