mmpollard/RMSIVendorRegApp

View on GitHub

Showing 128 of 128 total issues

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

    nokogiri (1.6.7.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-13117

URL: https://github.com/sparklemotion/nokogiri/issues/1943

Solution: upgrade to >= 1.10.5

Inefficient Regular Expression Complexity in Nokogiri
Open

    nokogiri (1.6.7.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24836

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8

Solution: upgrade to >= 1.13.4

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Open

    nokogiri (1.6.7.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-15412

URL: https://github.com/sparklemotion/nokogiri/issues/1714

Solution: upgrade to >= 1.8.2

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23520

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8

Solution: upgrade to >= 1.4.4

XSS vulnerability in bootstrap-sass
Open

    bootstrap-sass (3.2.0.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-8331

Criticality: Medium

URL: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

Solution: upgrade to >= 3.4.1

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Open

    nokogiri (1.6.7.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-4658

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1615

Solution: upgrade to >= 1.7.1

Cyclomatic complexity for path_to is too high. [7/6]
Open

  def path_to(page_name)
    case page_name

    when /^the home\s?page$/
      '/'
Severity: Minor
Found in features/support/paths.rb by rubocop

This cop checks that the cyclomatic complexity of methods is not higher than the configured maximum. The cyclomatic complexity is the number of linearly independent paths through a method. The algorithm counts decision points and adds one.

An if statement (or unless or ?:) increases the complexity by one. An else branch does not, since it doesn't add a decision point. The && operator (or keyword and) can be converted to a nested if statement, and ||/or is shorthand for a sequence of ifs, so they also add one. Loops can be said to have an exit condition, so they add one.

Method create has 30 lines of code (exceeds 25 allowed). Consider refactoring.
Open

  def create
    # Might want to figure out how to just call Form.new(form_params), was getting error with that approach initially
    if @form.nil?
      unlocked_params = ActiveSupport::HashWithIndifferentAccess.new(form_params)
      session[:form_params] = nil
Severity: Minor
Found in app/controllers/forms_controller.rb - About 1 hr to fix

    Method create has a Cognitive Complexity of 10 (exceeds 5 allowed). Consider refactoring.
    Open

      def create
        # Might want to figure out how to just call Form.new(form_params), was getting error with that approach initially
        if @form.nil?
          unlocked_params = ActiveSupport::HashWithIndifferentAccess.new(form_params)
          session[:form_params] = nil
    Severity: Minor
    Found in app/controllers/forms_controller.rb - About 1 hr to fix

    Cognitive Complexity

    Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

    A method's cognitive complexity is based on a few simple rules:

    • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
    • Code is considered more complex for each "break in the linear flow of the code"
    • Code is considered more complex when "flow breaking structures are nested"

    Further reading

    Denial of Service Vulnerability in Action View
    Open

        actionview (4.2.5.1)
    Severity: Critical
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2019-5419

    Criticality: High

    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI

    Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11

    Unsafe Query Generation Risk in Active Record
    Open

        activerecord (4.2.5.1)
    Severity: Critical
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2016-6317

    Criticality: High

    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s

    Solution: upgrade to >= 4.2.7.1

    Possible XSS Vulnerability in Action View
    Open

        actionview (4.2.5.1)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2016-6316

    Criticality: Medium

    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk

    Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1

    Broken Access Control vulnerability in Active Job
    Open

        activejob (4.2.5.1)
    Severity: Critical
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2018-16476

    Criticality: High

    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw

    Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

    TZInfo relative path traversal vulnerability allows loading of arbitrary files
    Open

        tzinfo (1.2.2)
    Severity: Critical
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2022-31163

    Criticality: High

    URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

    Solution: upgrade to ~> 0.3.61, >= 1.2.10

    Possible information leak / session hijack vulnerability
    Open

        rack (1.6.4)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2019-16782

    Criticality: Medium

    URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

    Solution: upgrade to ~> 1.6.12, >= 2.0.8

    XSS vulnerability in rails-html-sanitizer
    Open

        rails-html-sanitizer (1.0.3)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2018-3741

    URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ

    Solution: upgrade to >= 1.0.4

    Potential remote code execution of user-provided local names in ActionView
    Open

        actionview (4.2.5.1)
    Severity: Critical
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2020-8163

    Criticality: High

    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0

    Solution: upgrade to >= 4.2.11.2

    File Content Disclosure in Action View
    Open

        actionview (4.2.5.1)
    Severity: Critical
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2019-5418

    Criticality: High

    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

    Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

    Possible XSS vulnerability in Rack
    Open

        rack (1.6.4)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2018-16471

    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

    Solution: upgrade to ~> 1.6.11, >= 2.0.6

    Denial of service or RCE from libxml2 and libxslt
    Open

        nokogiri (1.6.7.2)
    Severity: Critical
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2015-8806

    Criticality: High

    URL: https://github.com/sparklemotion/nokogiri/issues/1473

    Solution: upgrade to >= 1.6.8

    Severity
    Category
    Status
    Source
    Language