Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Logstash Package with 2.6+ Ruby #13704

Closed
gr790 opened this issue Feb 3, 2022 · 6 comments
Closed

Logstash Package with 2.6+ Ruby #13704

gr790 opened this issue Feb 3, 2022 · 6 comments

Comments

@gr790
Copy link

gr790 commented Feb 3, 2022

Do we have any recent plan to launch Logstash Package with upgraded ruby 2.6, as ruby 2.5 is going EOL ?

Thanks.

@yaauie
Copy link
Member

yaauie commented Feb 3, 2022

Modern Logstash ships with JRuby 9.2.20.1, which is language-compatible with MRI Ruby 2.5, but is a separately maintained implementation that is not EOL. We have plans to move to JRuby 9.3 (which tracks MRI Ruby 2.6) as it stabilizes with regard to the features we use. JRuby does lag behind the MRI implementation in terms of Ruby language-level features, but is robust and actively maintained.

What is the primary motivation of this issue? Are you a maintainer of a plugin who wants to use more modern Ruby language features?

@gr790
Copy link
Author

gr790 commented Feb 4, 2022

Thanks for quick reply. It's good that JRuby 2.5+ will continue for a while. My concerns was Vulnerabilities raised by anchore-cli on this Image. I noticed, git, mail, snmp, redis and nokogiri gems used in this release has Critical/High vulnerabilities, but these are dependencies for logstash-plugin. What I can do, I can removed these gems and plugin if I am not using them from Image and build it again for my project. Problem is with Nokogiri, upgraded version of it requires ruby 2.6.0 +, does it requires 2.6.0 for JRuby also ?

Thanks

@kares
Copy link
Contributor

kares commented Feb 17, 2022

I do have some internal knowledge of Nokogiri - vulnearibilities are usually specific to a CRuby/JRuby version since the backend is very different for the gem. The JRuby version has no native system dependencies (only CRuby uses libxml2).

I have tried to run anchore-cli image vuln docker.elastic.co/logstash/logstash:7.17.0 non-os.
It gets me this "Critical" CVE regarding Nokogiri:

CVE-2019-5477              nokogiri-*                                   Critical        None          CVE-2019-5477           https://nvd.nist.gov/vuln/detail/CVE-2019-5477           java        nvd                /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/nokogiri-1.12.5-java/lib/nokogiri/nokogiri.jar 

... this really does not make sense, so far - looking at sparklemotion/nokogiri#1915

  • the vulnetability was resolved in Nokogiri 1.10.4
  • the vulnerability wasn't Java (JRuby) specific - despite the tool pointing to lib/nokogiri/nokogiri.jar

Looking at the "Critical" git gem report e.g.:

CVE-2015-7545              git-1.10.2                                   Critical        None          CVE-2015-7545           https://nvd.nist.gov/vuln/detail/CVE-2015-7545           gem         nvd                /usr/share/logstash/vendor/bundle/jruby/2.5.0/specifications/git-1.10.2.gemspec
  • vulnerability is almost 6 years old
  • the CVE itself seems to concern git binary not the gem (gem does not package any binaries)
  • the gem included in the 7.17.0 image is latest from Jan 06 2022

So it depends how good the tool you're using is and whether it gives you false positives.
Not sure what I missed but so far it seems like the tool is not up-to-date or has some issues with scanning the Logstash docker image.

@gr790
Copy link
Author

gr790 commented May 27, 2022

That's what I thought lately...achore-cli is not giving correct details. I will mark it close and will wait for updated version.

@gr790 gr790 closed this as not planned Won't fix, can't repro, duplicate, stale May 27, 2022
@sambercovici
Copy link

For example if you scan logstash 7.17.9 with trivy - https://github.com/aquasecurity/trivy
You get a large list of detected Ruby vulnerabilities with git (git-1.10.2.gemspec) marked as critical due to CVE-2022-25648.

@hunkathome
Copy link

Any solution or plan to fix this git vulnerabilites?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants