Brakeman - License question

[jeremymaes]

Hi

We run passwordpusher in a self-hosted fashion and were recently required to have the codebase scanned for compliance reasons.

It looks mostly fine (very few real issues, thanks to your component lifecycle efforts), but one blocker for us at this moment is the fact that the Brakeman library that is listed in the dependencies has a custom license that is limiting its use (not allowed for commercial use).

From what I understand this library is only used in a GitHub workflow to scan the code? So it's not in any way a library that is needed to run passwordpusher itself? Can we strip it out when we run it self-hosted?

Also, there seems to be a vulnerable selenium-webdriver version in use, with a 7.5 CVE vulnerability that has been fixed in 4.14.0 (current seems to be 4.10.0). Not sure if this is even relevant though as the issue seems to be in the IEDriver, which I think might be irrelevant for a Ruby project?

Also as a sidenote: really looking forward to the self-hosted Pro edition, we're really seeing a use-case there :-)

[pglombardo]

Hi @jeremymaes,

brakeman is part of the :development and :test groups in the Gemfile. And when the Docker container is built, the libraries from these groups are not installed.

So technically when you are running the Docker container, brakeman isn't installed there (only used for local development and the automated test suite that runs on Github).

Does this satisfy your requirements? If not, let me know. Maybe I can figure something else out.

Also, there seems to be a vulnerable selenium-webdriver version in use, with a 7.5 CVE vulnerability that has been fixed in 4.14.0 (current seems to be 4.10.0). Not sure if this is even relevant though as the issue seems to be in the IEDriver, which I think might be irrelevant for a Ruby project?

Good find. I'll update this library today. But along the same lines as above, this library isn't in the Docker container since it's in the :test group.

Also as a sidenote: really looking forward to the self-hosted Pro edition, we're really seeing a use-case there :-)

Excellent. I'm working on this full time right now.

[pglombardo]

The fix for the CVE has been released in v1.53.4 which is building now. Thanks for reporting!

[jeremymaes]

Hi @pglombardo

Thanks a lot for your feedback and dependency update! Now the gemfile and container image builds (development/test groups) are more clear to me.
I'll report back internally and see if the fact that it's not in the actual container image is OK.

Kind regards,
Jeremy

[jeremymaes]

Hi @pglombardo

Just to confirm that no other changes or feedback are needed, we were able to pass the compliancy checks as Brakeman is not in the container and you've updated the javaselenium dependency.

Thanks again!

[pglombardo]

That's great to hear and good to know for that process. Thanks @jeremymaes!