[help] Github Advisory GHSA-vvfq-8hwr-qm4m #3442
Replies: 10 comments
-
Hi @flavorjones, sorry for the last interactions; I really couldn't convey my problem exactly. If you still have any questions about my situation or need more details, I'm at your disposal. Thank you very much for the excellent work 😀.
-
@djpremier The string you are pointing at in your Gemfile.lock is an internal string used by bundler to identify the version+platform combination. The gem version that represents is "1.18.3". All the precompiled gems have a version string of "1.18.3" in the gem and the gemspec. All tools should be looking at the version in the gem or the gemspec.
Here is a screenshot of the gemspec installed with nokogiri v1.18.3 x86_64-linux-gnu:
If dependabot is giving you a warning, then this is either due to an issue with dependabot or how it's being used. There is nothing in this gem, or in the GHSA, that needs to be corrected or changed. I will note that bundler audit is demonstrating correct behavior on projects that I tested with after seeing your message. I'm very sorry you're having a problem, but you'll need to do more digging to discover what's going wrong, because it's not with this gem or the precompiled packages or the gemspecs or the GHSA.
-
Just to demonstrate that I don't think anything is wrong -- or at the very least I cannot reproduce, here is a walkthrough of upgrading Nokogiri and what I saw in a private project ...
First, the security notice on the project:
The PR before merge:
The PR after merge:
The dependabot notice immediately after the merge, re-checking status:
And finally the notice is resolved:
-
Like, it looks like something's wrong with dependabot to me:
Sorry I can't help.
-
Pinging @deivid-rodriguez in case he has an idea of what's going on, I see he was co-author on the most recent update to dependabot related to rubygems/bundler. |
-
Can you check what dependabot wants to change in this new warning (141) and possibly send a screenshot? I suspect it wants to remove the platform information, to keep the exact version number. I don't know how dependabot works, but if it only sees the version statically, I think it won't understand the part you said about Bundler being just an "s.platform" |
-
The two warnings are identical except one is for GHSA-vvfq-8hwr-qm4m and one is for GHSA-5mwf-688x-mr7x.
I don't know how many different ways I can say this: the platform information is not part of the version number. The platform string belongs to the package, it's not part of the version string. Please update your mental model of what dependabot is doing during version checks. Go read the bundler or dependabot code if you want to more deeply understand what's happening. Literally hundreds of thousands, if not millions, of security updates have been done on Nokogiri over the years by dependabot and I've done nothing different this time around with respect to version numbers or precompiled native gems. 🤷
-
Looking at the dependabot logs, this is definitely a problem with dependabot, and it's not related to resolving the version number, which it's doing fine. If I were going to guess, I'd say it's a database failure of some kind:
I consider this matter closed from the perspective of Nokogiri.
-
Yes, I subscribe to everything @flavorjones said. Regarding Dependabot, if I understood correctly, the problem is that Dependabot is incorrectly showing an alert about nokogiri being vulnerable while the version is actually up to date. If that's the case, I think it's indeed an internal issue (not related to dependabot-core update logic). If you open a GitHub support ticket they'll probably redirect it to the proper GitHub team and get that looked at.
-
Due to semver logic, github points out that letter versions are below the pure version, so even updating to a version that has been corrected from the precompiled ones, the github warning still continues.
Here is the mention in the Advisory documentation with an example:
Common errors
And an Advisory documentation real example similar to what happening:
Advisory with branch names in version numbers
In detail what is happening with Advisory GHSA-vvfq-8hwr-qm4m and my understanding of it:
The warning is that versions below 1.18.3 are affected and that the fix was made in version 1.18.3. The problem is that according to Github version check (Dependabot), since it uses semver, precompiled versions mean that they were released before 1.18.3, even though they are not.
In other words, in semver format, for example, version 1.18.3-aarch64-linux-gnu is before 1.18.3.
Analyzing the situation a little more and thinking about it, I believe that the best option would be to change the "Affected versions" parameter to <= 1.18.2 and put all versions of 1.18.3 as "Patched versions", since it is not clear in the documentation, but putting only 1.18.3 may not include the precompiled versions. Or, according to the examples, it might work better to put the version that is alphabetically the first:
Affected versions: <= 1.18.2
Patched versions: 1.18.3-aarch64-linux-gnu
Here is a screenshot of my project's Github, where I have already updated the Gemfile.lock and placed the code in main, but the warning remains:
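As an added example that is not code from Nokogiri, Bundler or Dependabot, the Ruby script below shows the distinction @flavorjones draws in the thread (the lockfile string "nokogiri (1.18.3-aarch64-linux-gnu)" carries a version and a platform as two separate fields) next to the misreading in the last comment (feeding the whole string to a version comparator, which turns the platform suffix into a prerelease tag that sorts below 1.18.3). The spec-line regex is modelled on Bundler's lockfile parser and its exact form is an assumption, not a copy of Bundler's source; the lockfile excerpt is constructed for the example; "1.18.3" is used as the patched version only because the advisory discussion names it.

```ruby
# Added example: how a Gemfile.lock spec line splits into version and platform,
# and why treating the whole "1.18.3-aarch64-linux-gnu" string as a version is
# wrong. This is not Nokogiri's, Bundler's or Dependabot's code.
require "rubygems"

# Constructed lockfile excerpt for the example (not a real project's lockfile).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.3)
        mini_portile2 (~> 2.8.2)
        racc (~> 1.4)
      nokogiri (1.18.3-aarch64-linux-gnu)
        racc (~> 1.4)
      nokogiri (1.18.3-x86_64-linux-gnu)
        racc (~> 1.4)
      racc (1.8.1)
LOCK

# Spec-line pattern modelled on Bundler's lockfile parser (assumed form):
#   "<indent>name (version-platform)"
# The version group is [^-]*, so it stops at the first "-" and the platform
# suffix never becomes part of the version string.
NAME_VERSION = /^( {2}| {4}| {6})(?! )(.*?)(?: \(([^-]*)(?:-(.+))?\))?(!)?$/

# Parse the "specs:" section into one hash per gem spec. A four-space indent
# is a gem spec; six spaces is one of its dependencies, which we skip.
def parse_specs(lockfile)
  entries = []
  in_specs = false
  lockfile.each_line(chomp: true) do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    next unless in_specs
    m = NAME_VERSION.match(line)
    next unless m && m[1] == "    "
    name, version, platform = m[2], m[3], m[4]
    entries << {
      name: name,
      version: Gem::Version.new(version),   # "1.18.3", never "1.18.3-aarch64-..."
      platform: platform || "ruby",         # the platform travels separately
      gem_platform: platform ? Gem::Platform.new(platform) : Gem::Platform::RUBY,
    }
  end
  entries
end

# Correct check: compare only the parsed version field against the fixed version.
def affected_entries(entries, name, patched)
  fixed = Gem::Version.new(patched)
  entries.select { |e| e[:name] == name && e[:version] < fixed }
end

# The misreading: hand the whole lock string to Gem::Version. RubyGems rewrites
# "-" as ".pre.", so the platform suffix becomes a prerelease tag and the result
# sorts below the plain release even though it is the same gem version.
def naive_version(lock_string)
  Gem::Version.new(lock_string)
end

def naive_looks_vulnerable?(lock_string, patched)
  naive_version(lock_string) < Gem::Version.new(patched)
end

if $PROGRAM_NAME == __FILE__
  entries = parse_specs(LOCKFILE)
  entries.each do |e|
    puts "#{e[:name]} version=#{e[:version]} platform=#{e[:platform]}"
  end
  puts "entries affected by < 1.18.3: #{affected_entries(entries, "nokogiri", "1.18.3").size}"
  s = "1.18.3-aarch64-linux-gnu"
  v = naive_version(s)
  puts "naive parse of #{s}: #{v} prerelease=#{v.prerelease?}"
  puts "naive check says vulnerable: #{naive_looks_vulnerable?(s, "1.18.3")}"
end
```

Run it with plain ruby; it needs nothing beyond the rubygems library that ships with Ruby. The parsed entries all report version 1.18.3 and none is flagged against a 1.18.3 fix, while the naive comparison flags the precompiled string as a prerelease below 1.18.3, which is exactly the outcome a tool gets only if it reads the lockfile string without separating the platform.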