-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Logstash Package with 2.6+ Ruby #13704
Comments
Modern Logstash ships with JRuby 9.2.20.1, which is language-compatible with MRI Ruby 2.5, but is a separately maintained implementation that is not EOL. We have plans to move to JRuby 9.3 (which tracks MRI Ruby 2.6) as it stabilizes with regard to the features we use. JRuby does lag behind the MRI implementation in terms of Ruby language-level features, but is robust and actively maintained. What is the primary motivation of this issue? Are you a maintainer of a plugin who wants to use more modern Ruby language features? |
Thanks for quick reply. It's good that JRuby 2.5+ will continue for a while. My concerns was Vulnerabilities raised by anchore-cli on this Image. I noticed, git, mail, snmp, redis and nokogiri gems used in this release has Critical/High vulnerabilities, but these are dependencies for logstash-plugin. What I can do, I can removed these gems and plugin if I am not using them from Image and build it again for my project. Problem is with Nokogiri, upgraded version of it requires ruby 2.6.0 +, does it requires 2.6.0 for JRuby also ? Thanks |
I do have some internal knowledge of Nokogiri - vulnearibilities are usually specific to a CRuby/JRuby version since the backend is very different for the gem. The JRuby version has no native system dependencies (only CRuby uses libxml2). I have tried to run
... this really does not make sense, so far - looking at sparklemotion/nokogiri#1915
Looking at the "Critical" git gem report e.g.:
So it depends how good the tool you're using is and whether it gives you false positives. |
That's what I thought lately...achore-cli is not giving correct details. I will mark it close and will wait for updated version. |
For example if you scan logstash 7.17.9 with trivy - https://github.com/aquasecurity/trivy |
Any solution or plan to fix this git vulnerabilites? |
Do we have any recent plan to launch Logstash Package with upgraded ruby 2.6, as ruby 2.5 is going EOL ?
Thanks.
The text was updated successfully, but these errors were encountered: