travis-ci/job-board

Showing 92 of 92 total issues

Method for_queue has 27 lines of code (exceeds 25 allowed). Consider refactoring.
Open

    def self.for_queue(redis: nil, site: '', queue_name: '')
      redis ||= JobBoard.redis
      raise Invalid, 'unknown queue' unless redis.sismember("queues:#{site}", queue_name)

      claims = nil
Severity: Minor
Found in lib/job_board/job_queue.rb - About 1 hr to fix

    Possible information leak / session hijack vulnerability
    Open

        rack (2.0.6)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2019-16782

    Criticality: Medium

    URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

    Solution: upgrade to ~> 1.6.12, >= 2.0.8

    Denial of Service Vulnerability in Rack Content-Disposition parsing
    Open

        rack (2.0.6)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2022-44571

    URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

    Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

    HTTP Response Splitting vulnerability in puma
    Open

        puma (3.12.0)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2020-5247

    Criticality: Medium

    URL: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v

    Solution: upgrade to ~> 3.12.4, >= 4.3.3

    HTTP Smuggling via Transfer-Encoding Header in Puma
    Open

        puma (3.12.0)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2020-11077

    Criticality: Medium

    URL: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm

    Solution: upgrade to ~> 3.12.6, >= 4.3.5

    HTTP Response Splitting (Early Hints) in Puma
    Open

        puma (3.12.0)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2020-5249

    Criticality: Medium

    URL: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58

    Solution: upgrade to ~> 3.12.4, >= 4.3.3

    Denial of service via header parsing in Rack
    Open

        rack (2.0.6)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2022-44570

    URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

    Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1

    OS Command Injection in Rake
    Open

        rake (12.3.1)
    Severity: Critical
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2020-8130

    Criticality: High

    URL: https://github.com/advisories/GHSA-jppv-gw3r-w3q8

    Solution: upgrade to >= 12.3.3

    HTTP Smuggling via Transfer-Encoding Header in Puma
    Open

        puma (3.12.0)
    Severity: Critical
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2020-11076

    Criticality: High

    URL: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h

    Solution: upgrade to ~> 3.12.5, >= 4.3.4

    Denial of Service Vulnerability in Rack Multipart Parsing
    Open

        rack (2.0.6)
    Severity: Critical
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2022-30122

    Criticality: High

    URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk

    Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

    ReDoS based DoS vulnerability in Active Support’s underscore
    Open

        activesupport (5.2.1)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2023-22796

    URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

    Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

    Denial of service via multipart parsing in Rack
    Open

        rack (2.0.6)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2022-44572

    URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

    Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

    TZInfo relative path traversal vulnerability allows loading of arbitrary files
    Open

        tzinfo (1.2.5)
    Severity: Critical
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2022-31163

    Criticality: High

    URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

    Solution: upgrade to ~> 0.3.61, >= 1.2.10

    Possible shell escape sequence injection vulnerability in Rack
    Open

        rack (2.0.6)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2022-30123

    Criticality: Critical

    URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

    Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

    Keepalive thread overload/DoS in puma
    Open

        puma (3.12.0)
    Severity: Critical
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2019-16770

    Criticality: High

    URL: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994

    Solution: upgrade to ~> 3.12.2, >= 4.3.1

    Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
    Open

        activesupport (5.2.1)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2020-8165

    Criticality: Critical

    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

    Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

    Method update has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
    Open

        def update(request_body)
          JobBoard.logger.debug(
            'handling request', request_body: request_body.inspect
          )
    Severity: Minor
    Found in lib/job_board/image_updater.rb - About 35 mins to fix

    Cognitive Complexity

    Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

    A method's cognitive complexity is based on a few simple rules:

    • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
    • Code is considered more complex for each "break in the linear flow of the code"
    • Code is considered more complex when "flow breaking structures are nested"

    Method reclaim_for_queue has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
    Open

        private def reclaim_for_queue(redis: nil, site: '', queue_name: '',
                                      cutoff_seconds: 120)
          reclaimed_for_queue = []
          claimed_by_id = redis.hgetall("queue:#{site}:#{queue_name}:claims")
          claimed_by_processor = {}
    Severity: Minor
    Found in lib/job_board/job_queue_reconciler.rb - About 35 mins to fix

    Avoid too many return statements within this method.
    Open

            return unauthorized
    Severity: Major
    Found in lib/job_board/auth.rb - About 30 mins to fix

    Avoid too many return statements within this method.
    Open

            return @app.call(env)
    Severity: Major
    Found in lib/job_board/auth.rb - About 30 mins to fix