Details
Type: Task
Status: Closed
Priority: Trivial
Resolution: Fixed
Version: 1.38.0
Description
Automated scans of the repo are failing, blocking the corporate process for library approval due to CVE vulnerability findings. A very minor change to the site Gemfile is required to pass the scans.
The scanning tool is Trivy, and the issue does not appear in OWASP dependency-check.
- Scan of https://github.com/apache/calcite on Jan 17, 2025
- Repo tag scanned: calcite-1.38.0
Vulnerabilities

Severity | PkgName | Installed Version | Fixed Version | Vulnerability ID | Reference |
---|---|---|---|---|---|
HIGH | rexml | 3.2.5 | >= 3.3.9 | CVE-2024-49761 | https://avd.aquasec.com/nvd/cve-2024-49761 |
HIGH | webrick | 1.7.0 | >= 1.8.2 | CVE-2024-47220 | https://avd.aquasec.com/nvd/cve-2024-47220 |
MEDIUM | nokogiri | 1.14.3 | 1.15.6, 1.16.2 | GHSA-vcc3-rw6f-jv97 | https://github.com/advisories/GHSA-vcc3-rw6f-jv97 |
MEDIUM | nokogiri | 1.14.3 | ~> 1.15.6, >= 1.16.2 | GHSA-xc9x-jj77-9p9j | https://github.com/advisories/GHSA-xc9x-jj77-9p9j |
MEDIUM | rexml | 3.2.5 | >= 3.2.7 | CVE-2024-35176 | https://avd.aquasec.com/nvd/cve-2024-35176 |
MEDIUM | rexml | 3.2.5 | >= 3.3.2 | CVE-2024-39908 | https://avd.aquasec.com/nvd/cve-2024-39908 |
MEDIUM | rexml | 3.2.5 | >= 3.3.3 | CVE-2024-41123 | https://avd.aquasec.com/nvd/cve-2024-41123 |
MEDIUM | rexml | 3.2.5 | >= 3.3.3 | CVE-2024-41946 | https://avd.aquasec.com/nvd/cve-2024-41946 |
MEDIUM | rexml | 3.2.5 | >= 3.3.6 | CVE-2024-43398 | https://avd.aquasec.com/nvd/cve-2024-43398 |
The solution is to update the site Gemfile.