Dedup the scanner report for unpatched gems with more than one platform#440

Open
jrodriigues wants to merge 2 commits into
rubysec:masterfrom
jrodriigues:issue-438

Conversation

@jrodriigues


Fixes #438.

The scanner now deduplicates the unpatched gems on [gem.name, gem.version, advisory.id].

Notice that the spec can be considered flaky. Without adding the Gemfile.lock change, it will pass as well.
Let me know if you are happy with this approach or if you prefer something more robust.

@jasnow

jasnow commented Jul 3, 2026

Member

I was waiting until another team member returns from vacation, but my thought is to
keep the old behavior if the user uses "--verbose" or "-v" so both groups are happy.

@jrodriigues

Author

That makes sense, I will push something to cover that scenario.
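An added example (not bundler-audit's own code) of the deduplication the PR describes together with the "--verbose" switch suggested above: results collapse on [gem name, gem version, advisory id] unless verbose output keeps one line per platform. The lock-line parser, the `UnpatchedGem` struct and the advisory ids are constructed stand-ins, not the project's API.

```ruby
# Added example, not bundler-audit's own code: dedup unpatched-gem results
# on [name, version, advisory id], with a verbose switch that keeps every
# platform variant (the old one-line-per-platform behaviour).
require 'set'

# Constructed stand-in for a scanner result.
UnpatchedGem = Struct.new(:name, :version, :platform, :advisory_id, keyword_init: true)

# Platform-specific Gemfile.lock entries look like
# "activerecord (3.2.10-aarch64-linux-gnu)"; version and platform are split
# at the first "-" (assumption about how such lines are written).
LOCK_SPEC = /\A\s*(?<name>\S+) \((?<version>[^-)]+)(?:-(?<platform>[^)]+))?\)\z/

def parse_lock_spec(line)
  m = LOCK_SPEC.match(line) or raise ArgumentError, "not a lock spec: #{line.inspect}"
  { name: m[:name], version: m[:version], platform: m[:platform] || 'ruby' }
end

# Default: the first hit per (name, version, advisory) wins, so platform
# variants of the same gem produce one report entry. verbose: true returns
# every result unchanged.
def dedup_unpatched(results, verbose: false)
  return results.dup if verbose
  seen = Set.new
  results.select { |r| seen.add?([r.name, r.version, r.advisory_id]) }
end

# Constructed sample: one gem locked for three platforms against one
# advisory, plus a second advisory for the same gem that must not collapse.
SAMPLE_LINES = [
  'activerecord (3.2.10)',
  'activerecord (3.2.10-aarch64-linux-gnu)',
  'activerecord (3.2.10-x86_64-linux)',
].freeze

def sample_results
  hits = SAMPLE_LINES.map { |l| UnpatchedGem.new(**parse_lock_spec(l), advisory_id: 'ADVISORY-A') }
  hits << UnpatchedGem.new(**parse_lock_spec(SAMPLE_LINES[0]), advisory_id: 'ADVISORY-B')
end

if $PROGRAM_NAME == __FILE__
  puts "default: #{dedup_unpatched(sample_results).size} entries"               # 2
  puts "verbose: #{dedup_unpatched(sample_results, verbose: true).size} entries" # 4
end
```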

@jasnow jasnow requested a review from flavorjones July 3, 2026 16:31
activesupport (= 3.2.10)
arel (~> 3.0.2)
tzinfo (~> 0.3.29)
activerecord (3.2.10-aarch64-linux-gnu)

Contributor


Would it make sense to add actual real gem name here like nokogiri in two versions?

Author


The reason I added it this way was to be as unintrusive as possible.
At first I did add nokogiri-1.19.3 with all the different platforms, but because the fixture database is pinned to an older commit it did not see those vulnerabilities.
At that point I decided to add a manual entry myself to avoid making too many modifications.



Development

Successfully merging this pull request may close these issues.

Duplicate vulnerabilities reported for gems that have multiple arch specs on the lockfile
