Remove --ignore CVE-2015-9284 from dpc-admin Dockerfile (#2305)

## 🎫 Ticket No ticket ## 🛠 Changes - csrf protection upgraded to 1 - omniauth-github upgraded to 2 - omniauth-oktaoauth removed - ignore CVE-2015-9284 removed from Dockerfile ## ℹ️ Context Seeing if we could remove CVE-2015-9284 from Dockerfile ## 🧪 Validation - Builds - On deploy to dev, can still log in
CMSgov · Oct 29, 2024 · 4e179ae · 4e179ae
1 parent ab46bb5
commit 4e179ae
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 19 deletions.
diff --git a/dpc-admin/Dockerfile b/dpc-admin/Dockerfile
@@ -26,7 +26,7 @@ RUN gem install bundler --no-document && \
     npm install
 
 # Run bundler audit
-RUN bundle exec bundle audit update && bundle exec bundle audit check --ignore CVE-2015-9284
+RUN bundle exec bundle audit update && bundle exec bundle audit check
 
 # Copy the code, test the app, and build the assets pipeline
 COPY /dpc-admin /dpc-admin

diff --git a/dpc-admin/Gemfile b/dpc-admin/Gemfile
@@ -21,7 +21,7 @@ gem 'dotenv-rails', groups: [:development, :test]
 gem 'puma', '~> 6.4.3'
 gem 'redis', '~> 4.0'
 gem 'luhnacy', '~> 0.2.1'
-gem 'omniauth-rails_csrf_protection', '~> 0.1.2'
+gem 'omniauth-rails_csrf_protection', '~> 1.0'
 gem 'sidekiq', '~> 7.2.4'
 gem 'turbolinks', '~> 5'
 gem 'newrelic_rpm', '~> 8.10'
@@ -34,8 +34,7 @@ gem 'devise'
 gem 'devise-async'
 gem 'devise-security'
 gem 'health_check'
-gem 'omniauth-github', '~> 1.4.0'
-gem 'omniauth-oktaoauth', '~> 0.1.6'
+gem 'omniauth-github', '~> 2.0.0'
 gem 'octokit' # can be removed once we move past github omniauth
 gem 'fhir_models'
 gem 'sidekiq_alive', '~> 2.1.5'

diff --git a/dpc-admin/Gemfile.lock b/dpc-admin/Gemfile.lock
@@ -259,21 +259,19 @@ GEM
       base64
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
-    omniauth (1.9.2)
+    omniauth (2.1.2)
       hashie (>= 3.4.6)
-      rack (>= 1.6.2, < 3)
-    omniauth-github (1.4.0)
-      omniauth (~> 1.5)
-      omniauth-oauth2 (>= 1.4.0, < 2.0)
-    omniauth-oauth2 (1.7.3)
+      rack (>= 2.2.3)
+      rack-protection
+    omniauth-github (2.0.1)
+      omniauth (~> 2.0)
+      omniauth-oauth2 (~> 1.8)
+    omniauth-oauth2 (1.8.0)
       oauth2 (>= 1.4, < 3)
-      omniauth (>= 1.9, < 3)
-    omniauth-oktaoauth (0.1.6)
-      omniauth (~> 1.5)
-      omniauth-oauth2 (>= 1.4.0, < 2.0)
-    omniauth-rails_csrf_protection (0.1.2)
+      omniauth (~> 2.0)
+    omniauth-rails_csrf_protection (1.0.2)
       actionpack (>= 4.2)
-      omniauth (>= 1.3.1)
+      omniauth (~> 2.0)
     orm_adapter (0.5.0)
     parallel (1.24.0)
     parser (3.3.1.0)
@@ -292,6 +290,9 @@ GEM
       nio4r (~> 2.0)
     racc (1.7.3)
     rack (2.2.8.1)
+    rack-protection (3.2.0)
+      base64 (>= 0.1.0)
+      rack (~> 2.2, >= 2.2.4)
     rack-session (1.0.2)
       rack (< 3)
     rack-test (2.1.0)
@@ -500,9 +501,8 @@ DEPENDENCIES
   newrelic_rpm (~> 8.10)
   nokogiri (>= 1.16.5)
   octokit
-  omniauth-github (~> 1.4.0)
-  omniauth-oktaoauth (~> 0.1.6)
-  omniauth-rails_csrf_protection (~> 0.1.2)
+  omniauth-github (~> 2.0.0)
+  omniauth-rails_csrf_protection (~> 1.0)
   pg (>= 0.18, < 2.0)
   pry
   pry-nav