Question: Snyk incorrectly flagging v1.13.6-x86_64-linux for CVE-2022-29181

[dferdian]

I understand that we have v1.13.6 meant to address CVE-2022-29181, but I found out it's only resolved for ruby platform, not x86_64-linux.

We use Snyk and here is the message we've got:

  Upgrade nokogiri@1.13.6-x86_64-linux to nokogiri@1.13.6 to fix
  ✗ Improper Handling of Unexpected Data Type (new) [High Severity][https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-2840634] in nokogiri@1.13.6-x86_64-linux
    introduced by nokogiri@1.13.6-x86_64-linux and 2 other path(s)

Here is the chunk of our Gemfile.lock:

GEM
  remote: https://rubygems.org/
  specs:
    ....
    nokogiri (1.13.6)
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    nokogiri (1.13.6-x86_64-darwin)
      racc (~> 1.4)
    nokogiri (1.13.6-x86_64-linux)
      racc (~> 1.4)
    ...

PLATFORMS
  ruby
  x86_64-darwin-21
  x86_64-linux

DEPENDENCIES
  ...
  nokogiri
  ...

BUNDLED WITH
   2.2.29

[flavorjones]

Hi! Thanks for raising this, that does look confusing.

I'm not familiar with Snyk's product, so you should probably ask them this question. However my guess is that their software is confused by the native platform string -x86_64-linux in the gem name and has incorrectly identified it as something different from plain v1.13.6. However, it's not -- they are the same software, but one contains precompiled libraries and one does not.

In summary: this message appears to be in error and you should talk to your vendor about it!

[dferdian]

Thanks @flavorjones, appreciate your quick response!