Sign upLogin

ministryofjustice/hwf-calculator

View on GitHub
Star

Showing 81 of 91 total issues

Revert libxml2 behavior in Nokogiri gem that could cause XSS
Open

    nokogiri (1.8.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-8048

URL: https://github.com/sparklemotion/nokogiri/pull/1746

Solution: upgrade to >= 1.8.3

Regular Expression Denial of Service in websocket-extensions (RubyGem)
Open

    websocket-extensions (0.1.3)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7663

Criticality: High

URL: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2

Solution: upgrade to >= 0.1.5

Possible information leak / session hijack vulnerability
Open

    rack (2.0.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16782

Criticality: Medium

URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

Solution: upgrade to ~> 1.6.12, >= 2.0.8

File Content Disclosure in Action View
Open

    actionview (5.1.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5418

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Directory Traversal in rubyzip
Open

    rubyzip (1.2.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-1000544

Criticality: Critical

URL: https://github.com/rubyzip/rubyzip/issues/369

Solution: upgrade to >= 1.2.2

Loofah XSS Vulnerability
Open

    loofah (2.2.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16468

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/154

Solution: upgrade to >= 2.2.3

Possible shell escape sequence injection vulnerability in Rack
Open

    rack (2.0.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-30123

Criticality: Critical

URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

Denial of service via header parsing in Rack
Open

    rack (2.0.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44570

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1

Broken Access Control vulnerability in Active Job
Open

    activejob (5.1.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16476

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw

Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Denial of Service Vulnerability in Rack Multipart Parsing
Open

    rack (2.0.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-30122

Criticality: High

URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

ruby-ffi DDL loading issue on Windows OS
Open

    ffi (1.9.23)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-1000201

Criticality: High

URL: https://github.com/ffi/ffi/releases/tag/1.9.24

Solution: upgrade to >= 1.9.24

Possible DoS vulnerability in Rack
Open

    rack (2.0.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16470

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk

Solution: upgrade to >= 2.0.6

Possible XSS vulnerability in Rack
Open

    rack (2.0.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16471

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

Solution: upgrade to ~> 1.6.11, >= 2.0.6

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Open

    nokogiri (1.8.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-14404

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1785

Solution: upgrade to >= 1.8.5

Similar blocks of code found in 2 locations. Consider refactoring.
Open

        function deSelectNoneCheckbox() {
            ignoringClicks(function() {
                noneCheckboxEl().trigger('click').trigger('click').prop('checked', false);
            });
        }
Severity: Minor
Found in app/assets/javascripts/pages/benefits_received.js and 1 other location - About 50 mins to fix
app/assets/javascripts/pages/benefits_received.js on lines 69..73

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 51.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Refactorings

Further Reading

Similar blocks of code found in 2 locations. Consider refactoring.
Open

        function deSelectDontKnowCheckbox() {
            ignoringClicks(function () {
                dontKnowCheckboxEl().trigger('click').trigger('click').prop('checked', false);
            });
        }
Severity: Minor
Found in app/assets/javascripts/pages/benefits_received.js and 1 other location - About 50 mins to fix
app/assets/javascripts/pages/benefits_received.js on lines 63..67

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 51.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Refactorings

Further Reading

protect_from_forgery should be configured with 'with: :exception'
Open

  protect_from_forgery with: :reset_session
Severity: Minor
Found in app/controllers/application_controller.rb by brakeman

Cross-site request forgery is #5 on the OWASP Top Ten. CSRF allows an attacker to perform actions on a website as if they are an authenticated user.

This warning is raised when no call to protect_from_forgery is found in ApplicationController. This method prevents CSRF.

For Rails 4 applications, it is recommended that you use protect_from_forgery :with => :exception. This code is inserted into newly generated applications. The default is to nil out the session object, which has been a source of many CSRF bypasses due to session memoization.

See the Ruby Security Guide for details.

Method call has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.
Open

  def call
    return self unless valid?
    if lte_minimum?
      mark_as_help_available
    elsif above_minimum? && lte_maximum?
Severity: Minor
Found in app/services/household_income_calculator_service.rb - About 25 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

Similar blocks of code found in 2 locations. Consider refactoring.
Open

module Calculator
  module Test
    # A section representing the court fee question
    # This section interfaces to the court fee question using its #set
    # and #has_value? methods (and more).  Allowing the test suite to set
Severity: Minor
Found in test_common/sections/court_fee_question.rb and 1 other location - About 25 mins to fix
test_common/sections/disposable_capital_question.rb on lines 5..14

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 29.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Refactorings

Further Reading

Similar blocks of code found in 2 locations. Consider refactoring.
Open

      included do
        element :day, :field, t("#{i18n_scope}.components.day.label")
        element :month, :field, t("#{i18n_scope}.components.month.label")
        element :year, :field, t("#{i18n_scope}.components.year.label")
Severity: Minor
Found in test_common/sections/question_date.rb and 1 other location - About 20 mins to fix
test_common/sections/date_of_birth_question.rb on lines 8..11

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 27.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Refactorings

Further Reading

Severity
Category
Status
Source
Language