usnistgov/macos_security
1
0
Fork 0
mirror of https://github.com/usnistgov/macos_security.git synced 2026-02-03 05:53:24 +00:00
Code Issues 21 Actions Packages Projects Releases Wiki Activity

Generate recommendations Python script relies on very out of date Ruby gems #157

New Issue
Closed
opened 2026-01-19 18:29:26 +00:00 by michael · 2 comments
michael commented 2026-01-19 18:29:26 +00:00
Owner
Copy Link

Originally created by @sammcj on GitHub.

Summary

(Summarize the bug encountered concisely)

Steps to reproduce

./scripts/generate_guidance.py build/baselines/800-53r4_high.yaml

Without prompting the python script goes and installs a number of Ruby gems, some of which are very out of date:

Could not find 'bundler' (1.17.2) required by your /Users/username/git/macos_security/Gemfile.lock.

Even if you manage to install such an old gem, you get errors:

gems/bundler-1.17.3/lib/bundler/spec_set.rb:91:in `block in materialize': Could not find Ascii85-1.1.0 in any of the sources (Bundler::GemNotFound)
....
	from <internal: rubygems/core_ext/kernel_require.rb>:85:in `require'
	from ../bin/asciidoctor:27:in `<main>'

ERROR:  Could not find a valid gem 'Ascii85-1.1.0' (>= 0) in any repository
ERROR:  Possible alternatives: Ascii85, ascii85gem

I'd suggest this project needs an uplift of it's libraries / dependencies there's also probably a number of security vulnerabilities in the current versions.

Operating System version

13.5 (22G74)

Intel or Apple Silicon

Apple Silicon

What is the current bug behaviour?

  • generate_guidance fails to run
  • relies on outdated libraries

What is the expected correct behaviour?

  • generate_guidance should run
  • dependant libraries should be up to date

Relevant logs and/or screenshots

as above

Possible fixes

Update or replace dependencies.

Originally created by @sammcj on GitHub. <!--- Please read this! Before opening a new issue, make sure to search for keywords in the issues filtered by the "regression" or "bug" label and verify the issue you're about to submit isn't a duplicate. ---> ### Summary (Summarize the bug encountered concisely) ### Steps to reproduce ``` ./scripts/generate_guidance.py build/baselines/800-53r4_high.yaml ``` Without prompting the python script goes and installs a number of Ruby gems, some of which are _very_ out of date: ``` Could not find 'bundler' (1.17.2) required by your /Users/username/git/macos_security/Gemfile.lock. ``` Even if you manage to install such an old gem, you get errors: ``` gems/bundler-1.17.3/lib/bundler/spec_set.rb:91:in `block in materialize': Could not find Ascii85-1.1.0 in any of the sources (Bundler::GemNotFound) .... from <internal: rubygems/core_ext/kernel_require.rb>:85:in `require' from ../bin/asciidoctor:27:in `<main>' ERROR: Could not find a valid gem 'Ascii85-1.1.0' (>= 0) in any repository ERROR: Possible alternatives: Ascii85, ascii85gem ``` I'd suggest this project needs an uplift of it's libraries / dependencies there's also probably a number of security vulnerabilities in the current versions. ### Operating System version 13.5 (22G74) ### Intel or Apple Silicon Apple Silicon ### What is the current *bug* behaviour? - generate_guidance fails to run - relies on outdated libraries ### What is the expected *correct* behaviour? - generate_guidance should run - dependant libraries should be up to date ### Relevant logs and/or screenshots as above ### Possible fixes Update or replace dependencies.
michael commented 2026-01-19 18:29:27 +00:00
Author
Owner
Copy Link

@golbiga commented on GitHub:

The only requirements we set for ruby gems are the following.

cat Gemfile
source 'https://rubygems.org'

gem 'asciidoctor'
gem 'asciidoctor-pdf'
gem 'rouge', '3.30.0'

When the bundle command is run it's using the system Ruby or whichever you have currently installed. What happens if you rm Gemfile.lock and then run bundle install --binstubs --path mscp_gems within the project folder?

I just did the following and everything worked:

  • rm -rf .bundle bin mscp_gems Gemfile.lock
  • ./scripts/generate_baseline.py -k 800-53r4_high
  • ./scripts/generate_guidance.py build/baselines/800-53r4_high.yaml
Bundle complete! 3 Gemfile dependencies, 24 gems now installed.
Bundled gems are installed into `../mscp_gems`
Generating HTML file from AsciiDoc...
Generating PDF file from AsciiDoc...
@golbiga commented on GitHub: The only requirements we set for ruby gems are the following. ``` cat Gemfile source 'https://rubygems.org' gem 'asciidoctor' gem 'asciidoctor-pdf' gem 'rouge', '3.30.0' ``` When the bundle command is run it's using the system Ruby or whichever you have currently installed. What happens if you `rm Gemfile.lock` and then run `bundle install --binstubs --path mscp_gems` within the project folder? I just did the following and everything worked: - `rm -rf .bundle bin mscp_gems Gemfile.lock` - `./scripts/generate_baseline.py -k 800-53r4_high` - `./scripts/generate_guidance.py build/baselines/800-53r4_high.yaml` ``` Bundle complete! 3 Gemfile dependencies, 24 gems now installed. Bundled gems are installed into `../mscp_gems` Generating HTML file from AsciiDoc... Generating PDF file from AsciiDoc... ```
michael commented 2026-01-19 18:29:27 +00:00
Author
Owner
Copy Link

@sammcj commented on GitHub:

Oh wow ok - yeah the bundle install with --binstubs seemed to fix it!

Thank you!

@sammcj commented on GitHub: Oh wow ok - yeah the bundle install with --binstubs seemed to fix it! Thank you!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
michael
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: usnistgov/macos_security#157
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?