ministryofjustice/hwf-calculator

Showing 81 of 91 total issues

Improper neutralization of data URIs may allow XSS in Loofah
Open

    loofah (2.2.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23515

Criticality: Medium

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx

Solution: upgrade to >= 2.19.1

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.8.2)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

    activesupport (5.1.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8165

Criticality: Critical

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

    nokogiri (1.8.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-13117

URL: https://github.com/sparklemotion/nokogiri/issues/1943

Solution: upgrade to >= 1.10.5

Possible DoS Vulnerability in Active Record PostgreSQL adapter
Open

    activerecord (5.1.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-22880

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI

Solution: upgrade to >= 5.2.4.5, ~> 5.2.4, >= 6.0.3.5, ~> 6.0.3, >= 6.1.2.1

Uncontrolled Recursion in Loofah
Open

    loofah (2.2.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23516

Criticality: High

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm

Solution: upgrade to >= 2.19.1

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23518

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m

Solution: upgrade to >= 1.4.4

Function BenefitsReceivedPage has 82 lines of code (exceeds 25 allowed). Consider refactoring.
Open

    function BenefitsReceivedPage () {
        var self = this;

        self.init = function() {
            initListenersForCheckboxes();
Severity: Major
Found in app/assets/javascripts/pages/benefits_received.js - About 3 hrs to fix

Complex method Calculator::Test::Setup#given_i_am (52.6)
Open

    def given_i_am(user_name)
      return self.user = OpenStruct.new if user_name.to_sym == :anonymous
      self.user = personas.fetch(user_name)
      user.marital_status = user.marital_status.to_sym
      user.date_of_birth = (user.age.to_i.years.ago - 10.days).strftime('%-d/%-m/%Y')
Severity: Minor
Found in test_common/helpers/setup.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Function DetailsPolyfill has 74 lines of code (exceeds 25 allowed). Consider refactoring.
Open

    function DetailsPolyfill () {
        var self = this;
        var _nextId = 0;
        self.init = function() {
            if(checkSupport()) {
Severity: Major
Found in app/assets/javascripts/details.polyfill.js - About 2 hrs to fix

Similar blocks of code found in 3 locations. Consider refactoring.
Open

    function onBenefitsChange(event) {
        if(self.ignoreClickEvents) return;
        if($(event.target).prop('checked')) {
            deSelectDontKnowCheckbox();
            deSelectNoneCheckbox();
Severity: Major
Found in app/assets/javascripts/pages/benefits_received.js and 2 other locations - About 55 mins to fix
app/assets/javascripts/pages/benefits_received.js on lines 95..101
app/assets/javascripts/pages/benefits_received.js on lines 103..109

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 53.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Similar blocks of code found in 3 locations. Consider refactoring.
Open

    function onNoneChange(event) {
        if(self.ignoreClickEvents) return;
        if($(event.target).prop('checked')) {
            deSelectBenefitsCheckboxes();
            deSelectDontKnowCheckbox();
Severity: Major
Found in app/assets/javascripts/pages/benefits_received.js and 2 other locations - About 55 mins to fix
app/assets/javascripts/pages/benefits_received.js on lines 87..93
app/assets/javascripts/pages/benefits_received.js on lines 103..109

Similar blocks of code found in 3 locations. Consider refactoring.
Open

    function onDontKnowChange(event) {
        if(self.ignoreClickEvents) return;
        if($(event.target).prop('checked')) {
            deSelectBenefitsCheckboxes();
            deSelectNoneCheckbox();
Severity: Major
Found in app/assets/javascripts/pages/benefits_received.js and 2 other locations - About 55 mins to fix
app/assets/javascripts/pages/benefits_received.js on lines 87..93
app/assets/javascripts/pages/benefits_received.js on lines 95..101

Revert libxml2 behavior in Nokogiri gem that could cause XSS
Open

    nokogiri (1.8.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-8048

URL: https://github.com/sparklemotion/nokogiri/pull/1746

Solution: upgrade to >= 1.8.3

Denial of Service Vulnerability in Rack Content-Disposition parsing
Open

    rack (2.0.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44571

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

Path Traversal in Sprockets
Open

    sprockets (3.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-3760

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k

Solution: upgrade to >= 2.12.5, < 3.0.0; or >= 3.7.2, < 4.0.0; or >= 4.0.0.beta8

Loofah XSS Vulnerability
Open

    loofah (2.2.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16468

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/154

Solution: upgrade to >= 2.2.3

Regular Expression Denial of Service in websocket-extensions (RubyGem)
Open

    websocket-extensions (0.1.3)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7663

Criticality: High

URL: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2

Solution: upgrade to >= 0.1.5

File Content Disclosure in Action View
Open

    actionview (5.1.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5418

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Possible shell escape sequence injection vulnerability in Rack
Open

    rack (2.0.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-30123

Criticality: Critical

URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1
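Every bundler-audit finding above is the same check: the resolved version in Gemfile.lock is compared against the advisory's patched-version ranges, and the "Solution" line lists those ranges. A range such as ">= 5.2.4.3, ~> 5.2.4" is one alternative (the 5.2.x line at or above 5.2.4.3), and the gem is fixed once it satisfies any one alternative. The script below is an added example, not the project's code or bundler-audit's: it parses a constructed Gemfile.lock fragment (made up to mirror the versions reported on this page) and evaluates a handful of the Solution lines above with RubyGems' own Gem::Requirement, so you can confirm locally whether a proposed upgrade actually clears a finding before you open a pull request.

```ruby
require 'rubygems'

# Constructed sample modelled on the gem versions this page reports; it is not
# the project's real Gemfile.lock. Resolved gems sit at four spaces of indent,
# their dependencies at six (with a requirement rather than a version).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionview (5.1.5)
        activesupport (= 5.1.5)
      activesupport (5.1.5)
      loofah (2.2.2)
      rack (2.0.4)
      sprockets (3.7.1)

  PLATFORMS
    ruby
LOCK

# Patched-version ranges copied from the "Solution" lines on this page. Each
# :fixed list holds alternatives; a gem is fixed if it satisfies ANY one, and
# each alternative is a comma-separated set of clauses that must ALL hold.
ADVISORIES = {
  'CVE-2020-8165'  => { gem: 'activesupport',
                        fixed: ['>= 5.2.4.3, ~> 5.2.4', '>= 6.0.3.1'] },
  'CVE-2019-5418'  => { gem: 'actionview',
                        fixed: ['>= 4.2.11.1, ~> 4.2.11', '>= 5.0.7.2, ~> 5.0.7',
                                '>= 5.1.6.2, ~> 5.1.6', '>= 5.2.2.1, ~> 5.2.2',
                                '>= 6.0.0.beta3'] },
  'CVE-2022-23515' => { gem: 'loofah', fixed: ['>= 2.19.1'] },
  'CVE-2022-30123' => { gem: 'rack',
                        fixed: ['>= 2.0.9.1, ~> 2.0.9', '>= 2.1.4.1, ~> 2.1.4',
                                '>= 2.2.3.1'] },
  'CVE-2018-3760'  => { gem: 'sprockets',
                        fixed: ['>= 2.12.5, < 3.0.0', '>= 3.7.2, < 4.0.0',
                                '>= 4.0.0.beta8'] },
}.freeze

# Parse the specs: section of a Gemfile.lock into { name => Gem::Version }.
# Only the four-space "name (version)" lines are resolved gems; the deeper
# dependency lines are skipped, and any unindented line ends the section.
def parse_lock(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    in_specs = false if line =~ /\A\S/
    in_specs = true  if line =~ /\A  specs:\s*\z/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# True if +version+ satisfies at least one of the fixed-version alternatives.
# Each alternative is split into its clauses so that Gem::Requirement ANDs them.
def patched?(version, alternatives)
  alternatives.any? do |alt|
    Gem::Requirement.new(alt.split(',').map(&:strip)).satisfied_by?(version)
  end
end

# Return { cve => "gem version" } for every advisory whose gem is present in
# the lock file at a version that satisfies none of the patched ranges.
def audit(lock_text, advisories = ADVISORIES)
  specs = parse_lock(lock_text)
  advisories.each_with_object({}) do |(cve, adv), findings|
    version = specs[adv[:gem]]
    next if version.nil? || patched?(version, adv[:fixed])
    findings[cve] = "#{adv[:gem]} #{version}"
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCK).each { |cve, gem| puts "#{cve}: #{gem} is vulnerable" }
end
```

Note the Sprockets gap this makes visible: 3.0.0 through 3.7.1 satisfy none of the three ranges, so bumping from 3.7.1 to anything short of 3.7.2 still leaves CVE-2018-3760 open, while 4.0.0.beta8 (a prerelease) does clear it because Gem::Version orders prereleases correctly.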