abdullah/til
1
0
Fork 0
mirror of https://github.com/jbranchaud/til synced 2026-01-02 22:58:01 +00:00
Code Issues Projects Releases Wiki Activity

Add Skip Specific CVEs When Auditing Your Bundle as a Ruby til

Browse Source
This commit is contained in:
jbranchaud
2022-02-01 11:28:51 -06:00
parent 5606218291
commit ad29a186c3
2 changed files with 35 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -10,7 +10,7 @@ pairing with smart people at Hashrocket.
For a steady stream of TILs, [sign up for my newsletter](https://crafty-builder-6996.ck.page/e169c61186).
_1183 TILs and counting..._
_1184 TILs and counting..._
---
@@ -992,6 +992,7 @@ _1183 TILs and counting..._
- [Show Public Methods With Pry](ruby/show-public-methods-with-pry.md)
- [Silence The Output Of A Ruby Statement In Pry](ruby/silence-the-output-of-a-ruby-statement-in-pry.md)
- [Single And Double Quoted String Notation](ruby/single-and-double-quoted-string-notation.md)
- [Skip Specific CVEs When Auditing Your Bundle](ruby/skip-specific-cves-when-auditing-your-bundle.md)
- [Squeeze Out The Extra Space](ruby/squeeze-out-the-extra-space.md)
- [String Interpolation With Instance Variables](ruby/string-interpolation-with-instance-variables.md)
- [Summing Collections](ruby/summing-collections.md)

33
ruby/skip-specific-cves-when-auditing-your-bundle.md Normal file
View File

@@ -0,0 +1,33 @@
# Skip Specific CVEs When Auditing Your Bundle
The [`bundler-audit` gem](https://github.com/rubysec/bundler-audit) is a tool
that can check for CVEs (Common Vulnerabilities and Exposures) in the installed
versions of gems in your Ruby project. This is a great addition to a CI
pipeline to ensure you aren't deploying code with vulnerabilities.
If you have a known CVE in one of your dependencies, I recommend installing a
patch as soon as possible. Of course, we have to apply some nuance to that
statement.
It is possible that we need to temporarily ignore the CVE warning to continue
to ship code while we work on integrating the patch. Or it may be super
low-risk and we are comfortable putting it off for a while.
Use the `--ignore` flag to prevent `bundler-audit` from flagging a specific
CVE.
```bash
$ bundler-audit check --ignore CVE-2022-23837
```
Or if you need to ignore multiple, list them one after another.
```bash
$ bundler-audit check --ignore CVE-2022-23837 CVE-2021-41817
```
If you do skip a CVE in your bundle audit, make sure you understand the risks
and have a plan for dealing with it in the future.
See `bundler-audit --help` or [their
docs](https://github.com/rubysec/bundler-audit) for more details.