ignoring CVE-2018-1000201 until rails fixes it (#7627)

ruby advisory fails on ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 ``` Once rails/rails-html-sanitizer#73 is merged, we can remove this exception.
department-of-veterans-affairs · Oct 31, 2018 · 9d5bc21 · 9d5bc21
1 parent e61029d
commit 9d5bc21
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/lib/tasks/security.rake b/lib/tasks/security.rake
@@ -20,6 +20,10 @@ task :security_caseflow do
   if Time.zone.local(2018, 9, 10) < Time.zone.today - 1.week
     audit_cmd = "bundle-audit check"
   end
+
+  # ignore CVE-2018-1000201 (awaiting on https://github.com/rails/rails-html-sanitizer/pull/73)
+  audit_cmd += " --ignore CVE-2018-16468"
+
   audit_result = ShellCommand.run(audit_cmd)
 
   puts "\n"