Ruby 2.7.6 container failing Acceptance Baseline Criteria
Summary
The Ruby 2.7.6 container is failing its Acceptance Baseline Criteria and needs updates to resolve true-positive high-severity CVEs
CVE-2020-36327, CVE-2021-31799, and CVE-2021-43809. Based upon my experimentation with building images atop this base image, I think CVE-2020-36327 and CVE-2021-31799 can be addressed by running gem update bundler
and then gem uninstall bundler-2.1.4
as root in the Dockerfile that builds the container image.
Tasks
Contributor:
-
Provide justifications for findings in the VAT (docs) -
Apply the ~"Hardening::Review" label to this issue and wait for feedback
Iron Bank:
-
Review findings and justifications -
Send approval request to Authorizing Official -
Close issue after approval from Authorizing Official
Note: If the above approval process is rejected for any reason, the
Hardening::Approval
label will be removed and the issue will be sent back toOpen
. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add theHardening::Approval
label.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding
.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.