Sign upLogin

18F/C2

View on GitHub
Star

Showing 591 of 591 total issues

Path Traversal in Sprockets
Open

    sprockets (3.7.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-3760

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k

Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8

Regular Expression Denial of Service in websocket-extensions (RubyGem)
Open

    websocket-extensions (0.1.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7663

Criticality: High

URL: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2

Solution: upgrade to >= 0.1.5

Broken Access Control vulnerability in Active Job
Open

    activejob (4.2.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16476

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw

Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Revert libxml2 behavior in Nokogiri gem that could cause XSS
Open

    nokogiri (1.8.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-8048

URL: https://github.com/sparklemotion/nokogiri/pull/1746

Solution: upgrade to >= 1.8.3

omniauth leaks authenticity token in callback params
Open

    omniauth (1.3.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-18076

Criticality: High

URL: https://github.com/omniauth/omniauth/pull/867

Solution: upgrade to >= 1.3.2

Moderate severity vulnerability that affects nokogiri
Open

    nokogiri (1.8.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-18258

Criticality: Medium

URL: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb

Solution: upgrade to >= 1.8.2

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Open

    nokogiri (1.8.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-14404

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1785

Solution: upgrade to >= 1.8.5

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

    tzinfo (1.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Open

    nokogiri (1.8.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-15412

URL: https://github.com/sparklemotion/nokogiri/issues/1714

Solution: upgrade to >= 1.8.2

Denial of Service Vulnerability in Action View
Open

    actionview (4.2.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5419

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI

Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11

rack-cors Gem Missing Anchor permits unauthorized CORS requests
Open

    rack-cors (0.4.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-11173

Criticality: High

URL: https://github.com/cyu/rack-cors/issues/86

Solution: upgrade to >= 0.4.1

XSS vulnerability in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-3741

URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ

Solution: upgrade to >= 1.0.4

Doorkeeper gem has stored XSS on authorization consent view
Open

    doorkeeper (4.2.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-1000088

Criticality: High

URL: https://blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/

Solution: upgrade to >= 4.2.6

Possible XSS vulnerability in Rack
Open

    rack (1.6.8)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16471

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

Solution: upgrade to ~> 1.6.11, >= 2.0.6

Method role_ids_to_roles has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring.
Open

    def role_ids_to_roles
      roles = []
      role_id_params.each do |id|
        next unless id.present?
        role = Role.find(id) or next
Severity: Minor
Found in app/admin/user.rb - About 45 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

Block has too many lines. [29/25]
Open

ActiveAdmin.register Report do
  permit_params :name, :query, :shared, :user_id
  hstore_editor

  form do |f|
Severity: Minor
Found in app/admin/report.rb by rubocop

This cop checks if the length of a block exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable. The cop can be configured to ignore blocks passed to certain methods.

Method get_content_tag has 5 arguments (exceeds 4 allowed). Consider refactoring.
Open

  def get_content_tag(element, adjusted_time, adjusted_time_str, ago, opts)
Severity: Minor
Found in app/helpers/value_helper.rb - About 35 mins to fix

    Similar blocks of code found in 2 locations. Consider refactoring.
    Open

        b.wrapper tag: "div", class: "col-sm-9" do |ba|
      ba.use :input, class: "form-control"
      ba.use :error, wrap_with: { tag: "span", class: "help-block" }
      ba.use :hint,  wrap_with: { tag: "p", class: "help-block" }
    end
    Severity: Minor
    Found in config/initializers/simple_form_bootstrap.rb and 1 other location - About 35 mins to fix
    config/initializers/simple_form_bootstrap.rb on lines 128..132

    Duplicated Code

    Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

    Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

    When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

    Tuning

    This issue has a mass of 36.

    We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

    The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

    If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

    See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

    Refactorings

    Further Reading

    Similar blocks of code found in 2 locations. Consider refactoring.
    Open

        b.wrapper tag: "div", class: "form-inline" do |ba|
      ba.use :input, class: "form-control"
      ba.use :error, wrap_with: { tag: "span", class: "help-block" }
      ba.use :hint,  wrap_with: { tag: "p", class: "help-block" }
    end
    Severity: Minor
    Found in config/initializers/simple_form_bootstrap.rb and 1 other location - About 35 mins to fix
    config/initializers/simple_form_bootstrap.rb on lines 62..66

    Duplicated Code

    Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

    Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

    When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

    Tuning

    This issue has a mass of 36.

    We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

    The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

    If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

    See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

    Refactorings

    Further Reading

    Method sort= has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
    Open

        def sort=(field)
      sort_field = field || ""
      direction = sort_field.start_with?("-") ? :desc : :asc
      field_name = sort_field.gsub(/\A-/, "")
    Severity: Minor
    Found in app/presenters/tabular_data/container.rb - About 35 mins to fix

    Cognitive Complexity

    Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

    A method's cognitive complexity is based on a few simple rules:

    • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
    • Code is considered more complex for each "break in the linear flow of the code"
    • Code is considered more complex when "flow breaking structures are nested"

    Further reading

    Severity
    Category
    Status
    Source
    Language