Showing 178 of 178 total issues
Ability to forge per-form CSRF tokens given a global CSRF token Open
actionpack (5.1.4)- Read upRead up
- Exclude checks
Advisory: CVE-2020-8166
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Possible DoS Vulnerability in Active Record PostgreSQL adapter Open
activerecord (5.1.4)- Read upRead up
- Exclude checks
Advisory: CVE-2021-22880
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Solution: upgrade to >= 5.2.4.5, ~> 5.2.4, ~> 6.0.3.5, >= 6.1.2.1
Potential XSS vulnerability in Action View Open
actionview (5.1.4)- Read upRead up
- Exclude checks
Advisory: CVE-2020-15169
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Solution: upgrade to >= 5.2.4.4, ~> 5.2.4, >= 6.0.3.3
Insecure Source URI found: git://github.com/justinfrench/formtastic.git Open
remote: git://github.com/justinfrench/formtastic.git- Exclude checks
Cross-Site Scripting in Kaminari via original_script_name parameter Open
kaminari (1.1.1)- Read upRead up
- Exclude checks
Advisory: CVE-2020-11082
Criticality: Medium
URL: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433
Solution: upgrade to >= 1.2.1
Possible XSS vulnerability in ActionView Open
actionview (5.1.4)- Read upRead up
- Exclude checks
Advisory: CVE-2020-5267
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Solution: upgrade to >= 5.2.4.2, ~> 5.2.4, >= 6.0.2.2
Geocoder gem for Ruby contains possible SQL injection vulnerability Open
geocoder (1.5.1)- Read upRead up
- Exclude checks
Advisory: CVE-2020-7981
Criticality: Critical
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7981
Solution: upgrade to >= 1.6.1
Insecure Source URI found: git://github.com/activeadmin/activeadmin.git Open
remote: git://github.com/activeadmin/activeadmin.git- Exclude checks
CSRF Vulnerability in rails-ujs Open
actionview (5.1.4)- Read upRead up
- Exclude checks
Advisory: CVE-2020-8167
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Insecure Source URI found: git://github.com/activerecord-hackery/ransack.git Open
remote: git://github.com/activerecord-hackery/ransack.git- Exclude checks
Insecure Source URI found: git://github.com/activeadmin/inherited_resources.git Open
remote: git://github.com/activeadmin/inherited_resources.git- Exclude checks
Insecure Source URI found: git://github.com/rails/activemodel-serializers-xml.git Open
remote: git://github.com/rails/activemodel-serializers-xml.git- Exclude checks
Possible Strong Parameters Bypass in ActionPack Open
actionpack (5.1.4)- Read upRead up
- Exclude checks
Advisory: CVE-2020-8164
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Directory traversal in Rack::Directory app bundled with Rack Open
rack (2.0.6)- Read upRead up
- Exclude checks
Advisory: CVE-2020-8161
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Solution: upgrade to ~> 2.1.3, >= 2.2.0
Devise Gem for Ruby confirmation token validation with a blank string Open
devise (4.6.1)- Read upRead up
- Exclude checks
Advisory: CVE-2019-16109
URL: https://github.com/plataformatec/devise/issues/5071
Solution: upgrade to >= 4.7.1
Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Open
nokogiri (1.10.1)- Read upRead up
- Exclude checks
Advisory: CVE-2020-26247
Criticality: Low
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
Solution: upgrade to >= 1.11.0.rc4
Percent-encoded cookies can be used to overwrite existing prefixed cookie names Open
rack (2.0.6)- Read upRead up
- Exclude checks
Advisory: CVE-2020-8184
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Solution: upgrade to ~> 2.1.4, >= 2.2.3
Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Open
activesupport (5.1.4)- Read upRead up
- Exclude checks
Advisory: CVE-2020-8165
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Loofah XSS Vulnerability Open
loofah (2.2.3)- Read upRead up
- Exclude checks
Advisory: CVE-2019-15587
Criticality: Medium
URL: https://github.com/flavorjones/loofah/issues/171
Solution: upgrade to >= 2.3.1
Method posts has a Cognitive Complexity of 15 (exceeds 5 allowed). Consider refactoring. Open
def posts
csv = parse_csv_file('posts.csv')
csv.each do |row|
unless row['wp_post_type'] == 'post' && row['wp_post_status'] == 'publish'- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"