
How to resolve vulnerability alert from dependabot?

05 Oct 2020 - fubar - Sreekar Guddeti

The current site is built on top of Ruby gems. These gems are themselves under active development, and updates are released regularly to resolve critical issues, security fixes included. We look at how to update the site configuration so that such an update is picked up.

The current Jekyll site is built on top of Ruby gems. These gems are themselves under development, and updates are released regularly to resolve critical issues. Bundler locks the exact version of every gem the site uses in the Gemfile.lock file, so the version actually in use can be read from there. A look at the file shows

GEM
  remote: https://rubygems.org/
  specs:
    ...
    ...

    github-pages (206)
      ...
      ...
      jekyll-theme-tactile (= 0.1.1)
      jekyll-theme-time-machine (= 0.1.1)
      jekyll-titles-from-headings (= 0.5.3)
      jemoji (= 0.11.1)
      kramdown (= 1.17.0)
      liquid (= 4.0.3)
      mercenary (~> 0.3)
      minima (= 2.5.1)
      ...
    ...
    ...
    jekyll (3.8.7)
      addressable (~> 2.4)
      colorator (~> 1.0)
      em-websocket (~> 0.5)
      i18n (~> 0.7)
      jekyll-sass-converter (~> 1.0)
      jekyll-watch (~> 2.0)
      kramdown (~> 1.14)
      liquid (~> 4.0)
      ...
      ...
    ...
    kramdown (1.17.0)

A recent git push to the active GitHub Pages branch triggered a vulnerability alert from GitHub's Dependabot. The message reads

1 kramdown vulnerability found in Gemfile.lock on Aug 8
Remediation

Upgrade kramdown to version 2.3.0 or later. For example:

gem "kramdown", ">= 2.3.0"

As can be seen, the locked version of kramdown (1.17.0) is behind the required version (2.3.0) by a full major release.

The alert rates the vulnerability as high severity; the details are

CVE-2020-14001
high severity
Vulnerable versions: < 2.3.0
Patched version: 2.3.0

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
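The attack surface named in the advisory is kramdown's inline option directive, `{::options key="value" /}`, which a document can use to set the `template` option. Upgrading to 2.3.0 is the fix (2.3.0 introduced a `forbidden_inline_options` setting whose default forbids `template`). The following is an added example, not code from the original post or from kramdown: a small pre-render check that scans Markdown source for directives setting a forbidden option, for use on untrusted content while a renderer still cannot be upgraded. The regexes are a deliberately simple approximation of the directive syntax, not kramdown's parser, and the sample document is constructed here; the ERB in its last directive is inert arithmetic, chosen only to match the payload shape the CVE text describes.

```ruby
# Added example, not code from the original post or from kramdown itself.
# Scans Markdown source for kramdown inline option directives,
#   {::options key="value" /}
# and reports any that set an option on a forbidden list. `template` is the
# option behind CVE-2020-14001 (kramdown < 2.3.0 honours it from the document
# itself). Use it as a pre-render check on untrusted Markdown when the
# renderer cannot be upgraded right away.
#
# Assumptions (this is a hypothetical check, not kramdown's parser): option
# pairs are key="value" or key='value' and directives do not nest braces.

FORBIDDEN_INLINE_OPTIONS = %w[template].freeze

OPTIONS_BLOCK = /\{::options\s+(?<body>[^}]*?)\s*\/\}/
OPTION_PAIR   = /(?<key>[A-Za-z_][\w-]*)\s*=\s*(?:"(?<dq>[^"]*)"|'(?<sq>[^']*)')/

# Returns an array of { line:, key:, value: } hashes, one per forbidden option
# found, in document order.
def find_forbidden_options(markdown, forbidden = FORBIDDEN_INLINE_OPTIONS)
  findings = []
  markdown.scan(OPTIONS_BLOCK) do
    block = Regexp.last_match
    line  = markdown[0, block.begin(0)].count("\n") + 1
    block[:body].scan(OPTION_PAIR) do
      pair = Regexp.last_match
      next unless forbidden.include?(pair[:key])
      findings << { line: line, key: pair[:key], value: pair[:dq] || pair[:sq] }
    end
  end
  findings
end

# Constructed sample document (not real site content). The two flagged
# directives follow the two payload shapes named in the CVE text; the ERB in
# the second is deliberately inert.
SAMPLE = <<~MD
  # Hello

  {::options parse_block_html="true" /}

  Some text.

  {::options template="/etc/passwd" /}

  {::options template="string://<%= 1 + 1 %>" /}
MD

if __FILE__ == $PROGRAM_NAME
  find_forbidden_options(SAMPLE).each do |h|
    puts "line #{h[:line]}: forbidden inline option #{h[:key]}=#{h[:value].inspect}"
  end
end
```

Run against a site, the call would be `find_forbidden_options(File.read("path/to/post.md"))`; the harmless `parse_block_html` directive is left alone, and only the two `template` directives are reported with their line numbers. This is a stop-gap for content you do not control, not a substitute for the upgrade.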

In order to resolve the vulnerability, the first attempt is to add the constraint from the alert to the Gemfile

source 'https://rubygems.org'

# if any new gem, say github-pages, is added to the file, run
#`bundle update github-pages`
...
...
gem "kramdown", ">=2.3.0"
...
...

end

and run at the prompt

E:\...\Baalkikhaal.github.io>bundle update kramdown
Fetching gem metadata from https://rubygems.org/...........
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies...
Bundler could not find compatible versions for gem "kramdown":
  In Gemfile:
    kramdown (>= 2.3.0) x64-mingw32

    github-pages (~> 206) x64-mingw32 was resolved to 206, which depends on
      kramdown (= 1.17.0) x64-mingw32

However, this update fails because of a kramdown dependency conflict with the github-pages gem: github-pages, locked to v206, pins kramdown to exactly 1.17.0, and Bundler cannot satisfy both `>= 2.3.0` and `= 1.17.0`. The same conflict exists one level down: the lockfile shows jekyll 3.8.7 requiring `kramdown (~> 1.14)`, which also excludes every 2.x release, so jekyll itself has to move as well.

github-pages was locked to v206 because that was the version listed on the GitHub Pages dependency versions page when the site was last set up. That page now lists v208, so the github-pages gem needs to be updated as well.
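Bundler's error message names only the first conflict it hits. To see every pin standing between the locked kramdown and the patched version, and to confirm afterwards that the lock has actually moved, the following is an added example, not code from the original post or from Bundler: a parser for the GEM/specs section of a Gemfile.lock that reports the locked version of a gem, whether it is at or above a given patched version, and which other locked gems require something the patched version cannot satisfy. The LOCK text is a constructed, trimmed stand-in mirroring the versions shown above, and the function names are chosen here. On that input it reports both github-pages 206 (`= 1.17.0`) and jekyll 3.8.7 (`~> 1.14`) as blocking, which matches the lockfile excerpt at the top of the post.

```ruby
# Added example, not code from the original post or from Bundler.
# Parses the GEM/specs section of a Gemfile.lock and answers the two questions
# a dependency alert raises:
#   1. what version of the gem is locked, and is it at or above the patched one?
#   2. which locked gems declare a requirement on it that the patched version
#      cannot satisfy (the pins Bundler was complaining about)?
# Assumptions: standard lockfile layout as in the post (specs indented four
# spaces, their dependencies six). LOCK is a constructed, trimmed stand-in for
# the site's lockfile; the function names are chosen here.

require "rubygems"

Spec = Struct.new(:name, :version, :deps) # deps: { dep_name => requirement }

# Returns { gem_name => Spec } for every gem listed under "  specs:".
def parse_lock_specs(lock_text)
  specs = {}
  current = nil
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A  specs:\z/
      in_specs = true
    elsif line =~ /\A[A-Z]/               # GEM, PLATFORMS, DEPENDENCIES, ...
      in_specs = false
    elsif in_specs && line =~ /\A    (\S+) \(([^)]+)\)\z/
      current = Spec.new($1, $2, {})
      specs[current.name] = current
    elsif in_specs && current && line =~ /\A      (\S+)(?: \(([^)]+)\))?\z/
      current.deps[$1] = $2 || ">= 0"   # bare dependency means any version
    end
  end
  specs
end

# Returns [locked_version, patched?] or nil when the gem is not in the lock.
def locked_status(specs, gem_name, patched_version)
  spec = specs[gem_name]
  return nil unless spec
  [spec.version, Gem::Version.new(spec.version) >= Gem::Version.new(patched_version)]
end

# Returns { parent_name => requirement } for every locked gem depending on gem_name.
def dependents_of(specs, gem_name)
  specs.values.each_with_object({}) do |spec, out|
    req = spec.deps[gem_name]
    out[spec.name] = req if req
  end
end

# The subset of dependents whose requirement excludes the patched version.
# These are the gems that must move before gem_name can.
def blocking_pins(specs, gem_name, patched_version)
  patched = Gem::Version.new(patched_version)
  dependents_of(specs, gem_name).reject do |_parent, req|
    Gem::Requirement.new(req.split(",").map(&:strip)).satisfied_by?(patched)
  end
end

# Constructed lockfile excerpt mirroring the versions shown in the post
# (github-pages 206 pinning kramdown = 1.17.0, jekyll 3.8.7 wanting ~> 1.14).
LOCK = <<~LOCKFILE
  GEM
    remote: https://rubygems.org/
    specs:
      github-pages (206)
        jekyll (= 3.8.7)
        kramdown (= 1.17.0)
        liquid (= 4.0.3)
      jekyll (3.8.7)
        kramdown (~> 1.14)
        liquid (~> 4.0)
      kramdown (1.17.0)
      liquid (4.0.3)

  PLATFORMS
    x64-mingw32

  DEPENDENCIES
    github-pages (~> 206)
LOCKFILE

if __FILE__ == $PROGRAM_NAME
  specs = parse_lock_specs(LOCK)              # for a real run: File.read("Gemfile.lock")
  version, patched = locked_status(specs, "kramdown", "2.3.0")
  puts "kramdown locked at #{version}; at or above 2.3.0: #{patched}"
  blocking_pins(specs, "kramdown", "2.3.0").each do |parent, req|
    puts "  blocked by #{parent} #{specs[parent].version}, which requires kramdown #{req}"
  end
end
```

Run the same `locked_status` call against the real Gemfile.lock after the update and expect `["2.3.0", true]` with no blocking pins; that is the check that the alert has actually been addressed rather than merely reshuffled. Platform-suffixed spec versions such as `nokogiri (1.10.10-x64-mingw32)` are captured as written; Gem::Version accepts them, but compare plain versions if a gem in your own lock uses a suffix.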

From the github-pages dependency version webpage,

Programmatic access
Want a more programmatic way to keep your local version of Jekyll up to date? All dependencies are bundled within the GitHub Pages Ruby gem, or are available programmatically via pages.github.com/versions.json

Since github-pages itself depends on kramdown, and its dependency versions are bundled within the gem as stated above, it is sufficient to raise only the github-pages constraint in the Gemfile; the explicit kramdown line from the first attempt is not needed:

source 'https://rubygems.org'

# if any new gem, say github-pages, is added to the file, run
#`bundle update github-pages`

gem "github-pages", "~> 208"

...
...

end

and run the same command at the prompt. With github-pages now allowed to move to 208, Bundler re-resolves everything that gem pins, including kramdown and jekyll:

E:\...\Baalkikhaal.github.io>bundle update kramdown
Fetching gem metadata from https://rubygems.org/...........
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies....
Fetching concurrent-ruby 1.1.7 (was 1.1.6)
Installing concurrent-ruby 1.1.7 (was 1.1.6)
Using i18n 0.9.5
Fetching minitest 5.14.2 (was 5.14.1)
Installing minitest 5.14.2 (was 5.14.1)
Using thread_safe 0.3.6
Using tzinfo 1.2.7
Using zeitwerk 2.4.0 (was 2.3.1)
Fetching activesupport 6.0.3.3 (was 6.0.3.2)
Installing activesupport 6.0.3.3 (was 6.0.3.2)
Using public_suffix 3.1.1
Using addressable 2.7.0
Using bundler 2.1.4
Using coffee-script-source 1.11.1
Using execjs 2.7.0
Using coffee-script 2.4.1
Using colorator 1.1.0
Using ruby-enum 0.8.0
Using commonmarker 0.17.13
Fetching unf_ext 0.0.7.7 (x64-mingw32)
Installing unf_ext 0.0.7.7 (x64-mingw32)
Fetching unf 0.1.4
Installing unf 0.1.4
Fetching simpleidn 0.1.1
Installing simpleidn 0.1.1
Fetching dnsruby 1.61.4 (was 1.61.3)
Installing dnsruby 1.61.4 (was 1.61.3)
Using eventmachine 1.2.7 (x64-mingw32)
Using http_parser.rb 0.6.0
Fetching em-websocket 0.5.2 (was 0.5.1)
Installing em-websocket 0.5.2 (was 0.5.1)
Using ffi 1.13.1 (x64-mingw32)
Using ethon 0.12.0
Using multipart-post 2.1.1
Using faraday 1.0.1
Using forwardable-extended 2.6.0
Using gemoji 3.0.1
Using sawyer 0.8.2
Using octokit 4.18.0
Using typhoeus 1.4.0
Using github-pages-health-check 1.16.1
Using rb-fsevent 0.10.4
Using rb-inotify 0.10.1
Using sass-listen 4.0.0
Using sass 3.7.4
Using jekyll-sass-converter 1.5.2
Using listen 3.2.1
Using jekyll-watch 2.2.1
Using rexml 3.2.4
Using kramdown 2.3.0 (was 1.17.0)
Using liquid 4.0.3
Using mercenary 0.3.6
Using pathutil 0.16.2
Fetching rouge 3.23.0 (was 3.19.0)
Installing rouge 3.23.0 (was 3.19.0)
Using safe_yaml 1.0.5
Fetching jekyll 3.9.0 (was 3.8.7)
Installing jekyll 3.9.0 (was 3.8.7)
Using jekyll-avatar 0.7.0
Using jekyll-coffeescript 1.1.1
Using jekyll-commonmark 1.3.1
Using jekyll-commonmark-ghpages 0.1.6
Using jekyll-default-layout 0.1.4
Using jekyll-feed 0.15.0 (was 0.13.0)
Using jekyll-gist 1.5.0
Using jekyll-github-metadata 2.13.0
Using mini_portile2 2.4.0
Using nokogiri 1.10.10 (x64-mingw32)
Fetching html-pipeline 2.14.0 (was 2.13.0)
Installing html-pipeline 2.14.0 (was 2.13.0)
Fetching jekyll-mentions 1.6.0 (was 1.5.1)
Installing jekyll-mentions 1.6.0 (was 1.5.1)
Using jekyll-optional-front-matter 0.3.2
Using jekyll-paginate 1.1.0
Using jekyll-readme-index 0.3.0
Fetching jekyll-redirect-from 0.16.0 (was 0.15.0)
Installing jekyll-redirect-from 0.16.0 (was 0.15.0)
Using jekyll-relative-links 0.6.1
Using rubyzip 2.3.0
Fetching jekyll-remote-theme 0.4.2 (was 0.4.1)
Installing jekyll-remote-theme 0.4.2 (was 0.4.1)
Using jekyll-seo-tag 2.6.1
Using jekyll-sitemap 1.4.0
Using jekyll-swiss 1.0.0
Using jekyll-theme-architect 0.1.1
Using jekyll-theme-cayman 0.1.1
Using jekyll-theme-dinky 0.1.1
Fetching jekyll-theme-hacker 0.1.2 (was 0.1.1)
Installing jekyll-theme-hacker 0.1.2 (was 0.1.1)
Using jekyll-theme-leap-day 0.1.1
Using jekyll-theme-merlot 0.1.1
Using jekyll-theme-midnight 0.1.1
Using jekyll-theme-minimal 0.1.1
Using jekyll-theme-modernist 0.1.1
Using jekyll-theme-primer 0.5.4
Using jekyll-theme-slate 0.1.1
Using jekyll-theme-tactile 0.1.1
Using jekyll-theme-time-machine 0.1.1
Using jekyll-titles-from-headings 0.5.3
Fetching jemoji 0.12.0 (was 0.11.1)
Installing jemoji 0.12.0 (was 0.11.1)
Using kramdown-parser-gfm 1.1.0
Using minima 2.5.1
Using unicode-display_width 1.7.0
Using terminal-table 1.8.0
Fetching github-pages 208 (was 206)
Installing github-pages 208 (was 206)
Bundle updated!
Post-install message from dnsruby:
Installing dnsruby...
  For issues and source code: https://github.com/alexdalitz/dnsruby
  For general discussion (please tell us how you use dnsruby): https://groups.google.com/forum/#!forum/dnsruby
Post-install message from html-pipeline:
-------------------------------------------------
Thank you for installing html-pipeline!
You must bundle Filter gem dependencies.
See html-pipeline README.md for more details.
https://github.com/jch/html-pipeline#dependencies
-------------------------------------------------

The Gemfile.lock file now reflects the updated dependencies: github-pages 208 pins kramdown 2.3.0, the patched version named in the alert. (kramdown 2.x moved the GitHub-flavoured Markdown parser into the separate kramdown-parser-gfm gem, which github-pages 208 pins as well.)

github-pages (208)
  ...
  ...
  jekyll-theme-slate (= 0.1.1)
  jekyll-theme-tactile (= 0.1.1)
  jekyll-theme-time-machine (= 0.1.1)
  jekyll-titles-from-headings (= 0.5.3)
  jemoji (= 0.12.0)
  kramdown (= 2.3.0)
  kramdown-parser-gfm (= 1.1.0)
  liquid (= 4.0.3)
  mercenary (~> 0.3)
  ...
  ...

Conclusion

In this way, a Dependabot alert on a transitive dependency is resolved. When the vulnerable gem is pinned by a meta-gem such as github-pages, raising the meta-gem's version is the clean fix rather than fighting the pin directly, and the result is verified by checking Gemfile.lock for the resolved version against the patched version from the advisory. Commit both the updated Gemfile and Gemfile.lock: the lockfile is what Dependabot scans, and what local `bundle exec jekyll serve` builds use.