Use of software with known vulnerabilities
Need
Updating software and dependencies to versions without known vulnerabilities
Context
• Usage of Ruby 2.6.3 as the programming language for development
• Usage of Rails for building web applications
• Usage of SQLite3 for database management and querying
• Usage of Puma for high-performance Ruby web applications
• Usage of sass-rails for compiling Sass stylesheets in a Rails application
• Usage of Uglifier for minifying JavaScript code
• Usage of coffee-rails for integrating CoffeeScript with Rails
• Usage of Turbolinks for faster navigation and page loading in web applications
• Usage of jbuilder for building JSON responses in a structured and efficient manner
• Usage of byebug for debugging and troubleshooting in a Node.js application
• Usage of web-console for debugging and monitoring web applications
• Usage of listen for starting a server and listening for incoming requests
• Usage of Spring framework for building Java applications
• Usage of spring-watcher-listen for file system monitoring and event handling
Description
1. Non-compliant code
# Gemfile
source 'https://rubygems.org'
git_source(:github) { |repo| "https://github.com/#{repo}.git" }
ruby '2.6.3'
# Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
# Use sqlite3 as the database for Active Record...

This Ruby on Rails application's Gemfile specifies the versions of the dependencies that the application requires, and the gems specified in this file have known vulnerabilities. For instance, the Rails gem version 5.2.3 has several known vulnerabilities that can expose the application to various types of attacks. Other gems such as 'puma', 'sass-rails' and 'uglifier' may also have known vulnerabilities depending on their versions. The application might be exposed to risks such as:
• Remote code execution
• SQL injection
• Cross-site scripting
• Denial of service
It is crucial to keep the dependencies updated and to use versions that do not have known vulnerabilities. Regularly checking for updates and vulnerabilities helps maintain the security of the application. Tools such as 'bundler-audit' or Fluid Attacks' tools can be used to check the dependencies for known vulnerabilities.
2. Steps
• Identify the specific software or dependency with known vulnerabilities
• Update the version of the software or dependency to a version that does not have known vulnerabilities
• Check the release notes or security advisories for the software or dependency to ensure that the new version does not introduce any breaking changes or compatibility issues
• Update the Gemfile with the new version of the software or dependency
• Run bundle install to install the updated software or dependency
• Test the application to ensure that it functions correctly with the updated software or dependency
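The first step, identifying which pinned dependency carries a known vulnerability, is what bundler-audit automates: it reads the resolved versions from Gemfile.lock and compares them with an advisory database. The Ruby script below is an added example written for this page, not part of the original text or of bundler-audit. It uses a constructed advisory table whose "patched" thresholds mirror the versions this page upgrades to (the advisory ids are placeholders, not real identifiers) and a constructed Gemfile.lock excerpt, so it runs offline; both are assumptions for illustration.

```ruby
require 'rubygems'

# Constructed advisory table for illustration only. Each entry names a gem and
# the version requirement that counts as patched. The thresholds mirror the
# versions the secure example on this page moves to; they are not real advisory
# data and the ids are placeholders. A real check would load the
# ruby-advisory-db that bundler-audit uses.
ADVISORIES = [
  { gem: 'rails',    id: 'ADVISORY-PLACEHOLDER-1', patched: '>= 6.1.4' },
  { gem: 'puma',     id: 'ADVISORY-PLACEHOLDER-2', patched: '>= 5.5.2' },
  { gem: 'uglifier', id: 'ADVISORY-PLACEHOLDER-3', patched: '>= 4.2.0' }
].freeze

# Constructed Gemfile.lock excerpt in the format Bundler writes. Only the
# four-space entries under "specs:" carry the versions Bundler resolved;
# the six-space lines are dependency constraints, not installed versions.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      puma (3.11.4)
      rails (5.2.3)
        actionpack (= 5.2.3)
      sqlite3 (1.4.2)
      uglifier (4.2.0)
        execjs (>= 0.3.0, < 3)

  PLATFORMS
    ruby

  DEPENDENCIES
    puma (~> 3.11)
    rails (~> 5.2.3)
    sqlite3
    uglifier (>= 1.3.0)

  BUNDLED WITH
     1.17.2
LOCK

# Parse the resolved gem versions out of a Gemfile.lock.
# Returns a Hash of gem name => version string.
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A[A-Z][A-Z ]*\z/)   # section header: GEM, PLATFORMS, ...
      in_specs = false
    elsif line == '  specs:'
      in_specs = true
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Compare each resolved version against the advisory table using RubyGems'
# own version semantics. Returns an Array of findings; empty means clean.
def audit(specs, advisories = ADVISORIES)
  advisories.each_with_object([]) do |adv, findings|
    installed = specs[adv[:gem]]
    next unless installed                 # gem is not part of this bundle
    patched = Gem::Requirement.new(adv[:patched])
    next if patched.satisfied_by?(Gem::Version.new(installed))
    findings << { gem: adv[:gem], installed: installed,
                  id: adv[:id], patched: adv[:patched] }
  end
end

# Print findings the way a CI step would read them and return them.
def report(text)
  findings = audit(parse_lockfile(text))
  if findings.empty?
    puts 'No known vulnerabilities found'
  else
    findings.each do |f|
      puts "#{f[:gem]} #{f[:installed]}: #{f[:id]} (fixed in #{f[:patched]})"
    end
  end
  findings
end

# Pass a Gemfile.lock path to audit a real bundle; otherwise the constructed
# excerpt above is used.
if __FILE__ == $PROGRAM_NAME
  report(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK)
end
```

Two design points matter for a real check. Versions are compared with `Gem::Requirement` rather than string comparison, so `3.11.4` is correctly ranked below `5.5.2` and pre-release suffixes are handled. And the check reads Gemfile.lock, not the Gemfile, because the Gemfile's loose constraints (`~> 3.11`) say nothing about which version is actually installed. The script covers gems only; the `ruby` version pinned in the Gemfile is a dependency as well and needs the same review against the interpreter's support status.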
3. Secure code example
# Gemfile
source 'https://rubygems.org'
git_source(:github) { |repo| "https://github.com/#{repo}.git" }
ruby '2.6.3'
# Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
# Use sqlite3 as the database for Active Record...

The original code was using outdated versions of several gems, which had known vulnerabilities. The updated code now uses the latest, secure versions of these gems. The gems that were updated include:
• `rails` was updated from version 5.2.3 to 6.1.4
• `puma` was updated from version 3.11 to 5.5.2
• `sass-rails` was updated from version 5.0 to 6.0.0
• `uglifier` was updated from version 1.3.0 to 4.2.0
• `coffee-rails` was updated from version 4.2 to 5.0.0
• `jbuilder` was updated from version 2.5 to 2.11.2
• `web-console` was updated from version 3.3.0 to 4.1.0
• `listen` was updated from version 3.0.5 to 3.3.1
• `spring-watcher-listen` was updated from version 2.0.0 to 2.0.1
After updating the Gemfile, run `bundle install` to install the updated gems. Then test the application to ensure that it functions correctly with the updated gems.
References
• 011. Use of software with known vulnerabilities