Merge pull request #882 from shubhamshinde360/PA-6507-gem-update-rexml-7.x

(PA-6507)(PA-6736) Gem install rexml to 3.3.2 for CVE-2024-35176 and …

Author: joshcooper

configs/components/rubygem-rexml.rb

@@ -1,6 +1,14 @@
 component 'rubygem-rexml' do |pkg, settings, platform|
-  pkg.version '3.2.6'
-  pkg.md5sum 'a57288ae5afed07dd08c9f1302da7b25'
+  pkg.version '3.3.2'
+  pkg.md5sum '55d213401f5e6a7a83ff3d2cd64a23fe'
 
+  # If the platform is solaris with sparc architecture in agent-runtime-7.x project, we want to gem install rexml
+  # ignoring the dependencies, this is because the pl-ruby version used in these platforms is ancient so it gets
+  # confused when installing rexml. It tries to install rexml's dependency 'strscan' by building native extensions
+  # but fails. We can ignore insalling that since strscan is already shipped with ruby 2 as its default gem.
+  if platform.name =~ /solaris-(10|11)-sparc/ && settings[:ruby_version].to_i < 3
+    settings["#{pkg.get_name}_gem_install_options".to_sym] = "--ignore-dependencies"
+  end
+  
   instance_eval File.read('configs/components/_base-rubygem.rb')
 end

configs/projects/agent-runtime-7.x.rb

@@ -61,6 +61,11 @@
   proj.component 'rubygem-thor'
   proj.component 'rubygem-scanf'
 
+  # We add rexml explicitly in here because even though ruby 2 ships with rexml as its default gem, the version
+  # of rexml it ships with contains CVE-2024-35176 and CVE-2024-39908. So, we add it here to update to a higher version
+  # free from the CVEs.
+  proj.component 'rubygem-rexml'
+
   if platform.is_linux?
     proj.component "virt-what"
     proj.component "dmidecode" unless platform.architecture =~ /ppc64/