Topics

FYI: Vulnerabilities in BadgeApp dependencies were automatically detected & quickly fixed last week


David A. Wheeler
 

I don't post as much here about the "plumbing" of the BadgeApp web app, but some of you might be interested in the following.

--- David A. Wheeler

==============================

Last week (on August 11) two vulnerabilities were publicly announced in Rails. I was quickly notified about this, because we have two different processes that look for publicly-reported vulnerabilities in our dependencies ("bundle-audit" as embedded in our "rake" task, and the Gemnasium service). In this case, the "rake" task told me first.

I then quickly updated to a fixed version of rails, tested it using our test suite (which covers 98% of the code), pushed out for some additional brief testing on a mock "real" site, and soon afterwards pushed the fixed version out to production. All without anyone else noticing. Because we are ready for public reports of vulnerabilities, we don't need days to respond.

This is a good demo (I think) of why it's important to have good test suites (with reasonable coverage) & tools that report when a vulnerability is found in a dependency. The current criteria already require *some* automated testing. It's my expectation that a future higher level would add (1) a coverage requirement (for the automated testing) and (2) a requirement that there be some way to monitor dependencies so you know when a vulnerability is publicly announced in them. I'm sure it'll be challenging to get those worded well. However, I think this is a good example of why that's important.

The details: I just needed to update rails from 4.2.6 to 4.2.7.1 to fix two vulnerabilities:
* CVE-2016-6316: actionview
Possible XSS Vulnerability in Action View
https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
* CVE-2016-6317: activerecord
Unsafe Query Generation Risk in Active Record
https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s

Hopefully this will convince you that we *do* care about the security of the BadgeApp itself, and take steps to keep it secure. More information on how we work to try to make BadgeApp secure is here:
https://github.com/linuxfoundation/cii-best-practices-badge/blob/master/doc/security.md

Anyway, I thought some people might be interested.