We have a Ruby on Rails project and I had upgraded this to Rails 7 from the latest version of Rails 6 back in October, and all the tests were passing fine on CircleCI and everything has been fine. Coming back to this project recently, I had to update Brakeman to the latest version, 5.4.0. Now CircleCI is complaining about an unmaintained dependency in my Gemfile.lock, and the line it's referring to is the rails (7.0.4.2) dependency in the Gemfile.lock. I am assuming it's because of this that Brakeman is exiting and failing tests on CircleCI? I have added a screenshot of the issue. I tried doing bundle update and yarn upgrade to update all dependencies, which has been fine. I did try and update to Ruby 3.0.0 but I'm getting issues with that, so reverted back to 2.7.6.
The circleCi config we have for brakeman is as follows:
run: bundle exec brakeman --ensure-latest --exit-on-warn
Has anyone come across this and any idea why this particular test could be failing? I would appreciate it if someone can also explain this error section, i.e. what is weak confidence?
I have tried upgrades/updates to make sure dependencies are all fine. Locally all tests are passing and the app is running fine. The problem is happening on CircleCI only. Had to upgrade to the latest Brakeman. I'm not clear on why I'm getting an unmaintained dependency.
The warning is pointing to the wrong line/file. This bug will be fixed in the next release.
However, the "message" in the warning should be clear:
Support for Ruby 2.7.6 ends on 2023-03-31
I did try and update to Rails 3.0.0 but I'm getting issues with that so reverted back to 2.7.6.
I assume you meant "Ruby" in this sentence, and that matches with the warning.
Has anyone come across this and any idea why this particular test could be failing?
There must be a reference to Ruby version 2.7.6 in the .ruby-version, Gemfile, and/or Gemfile.lock. Ruby 2.7 is expected to be unsupported starting March 31st, 2023. Relying on unsupported software means you may be running a version that no longer receives updates when security issues are found. The older the software, the more likely it is to accumulate unfixed security issues.
I would appreciate it if someone can also explain this error section, i.e. what is weak confidence?
Brakeman's warnings about unmaintained/unsupported/end-of-life (EOL) libraries start at "weak" confidence 60 days before EOL date, then "medium" 30 days out, then "high" on/after the EOL date.
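As an added illustration (not Brakeman's own code, and not part of the answer above), the following Ruby script reproduces the two points the answer makes: it locates a Ruby version pin in the three files named (.ruby-version, Gemfile, Gemfile.lock) and it applies the 60-day / 30-day / EOL escalation schedule to classify the warning as weak, medium or high. The file contents are constructed samples, and the EOL table contains only the 2.7 date quoted in the warning; any other series would have to be added by the reader. Because the CI job in the question runs Brakeman with --exit-on-warn, a weak warning is enough to fail the build, so it matters which file pins the version.

```ruby
require "date"

# Constructed sample files (assumed; not from the question's repository).
SAMPLE_FILES = {
  ".ruby-version" => "2.7.6\n",
  "Gemfile"       => "source \"https://rubygems.org\"\n\nruby \"2.7.6\"\n\ngem \"rails\", \"~> 7.0.4\"\n",
  "Gemfile.lock"  => "GEM\n  remote: https://rubygems.org/\n  specs:\n    rails (7.0.4.2)\n\n" \
                     "RUBY VERSION\n   ruby 2.7.6p219\n\nBUNDLED WITH\n   2.3.26\n",
}

# Where each file states the Ruby version it pins.
VERSION_PATTERNS = {
  ".ruby-version" => /\A\s*(?:ruby-)?(\d+\.\d+\.\d+)/,
  "Gemfile"       => /^\s*ruby\s+["'](\d+\.\d+\.\d+)["']/,
  "Gemfile.lock"  => /^RUBY VERSION\n\s+ruby (\d+\.\d+\.\d+)/,
}

# Returns { filename => "X.Y.Z" } for every file that pins a Ruby version.
def ruby_version_references(files)
  files.each_with_object({}) do |(name, content), found|
    pattern = VERSION_PATTERNS[name] or next
    m = content.match(pattern)
    found[name] = m[1] if m
  end
end

# EOL dates keyed by MAJOR.MINOR series. Only 2.7 is filled in, from the
# warning text quoted in the answer; other entries are left to the reader.
EOL_DATES = { "2.7" => Date.new(2023, 3, 31) }

# Confidence of an EOL warning on a given day, following the schedule in the
# answer: weak from 60 days before EOL, medium from 30 days, high on/after.
def eol_confidence(series, today)
  eol = EOL_DATES[series] or return :none
  days_left = (eol - today).to_i
  if days_left <= 0
    :high
  elsif days_left <= 30
    :medium
  elsif days_left <= 60
    :weak
  else
    :none
  end
end

# One [file, version, confidence] row per file that pins a Ruby version.
def report(files, today)
  ruby_version_references(files).map do |file, version|
    series = version.split(".")[0, 2].join(".")
    [file, version, eol_confidence(series, today)]
  end
end

if __FILE__ == $PROGRAM_NAME
  report(SAMPLE_FILES, Date.today).each do |file, version, confidence|
    puts format("%-14s ruby %-7s confidence: %s", file, version, confidence)
  end
end
```

Running it on a date between 60 and 30 days before 2023-03-31 classifies all three pins as weak, matching the screenshot's "weak confidence"; on or after the EOL date the same pins are reported as high. Fixing the warning means changing the version in every file the report lists, not only the one Brakeman happened to point at.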