In production I am using the Fedora/CentOS module based installation of Ruby 2.7. Rexml is included as a default gem and it has a security issue. Even though our application uses a newer version of rexml, security scanners detect the older default gem and flag it as an issue. Are there possible side effects or issues from just rm -rf'ing the gem?
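An added check (not code from this thread) for the situation described above: it lists every installed copy of a gem, marks which copy is the Ruby-shipped default gem, reports which default gems are shadowed by a newer non-default copy, and shows which version `require` actually activates. Function names and the `rexml`/`json` sample lookups are my own choices; it only relies on the public RubyGems API.

```ruby
require "rubygems"

# Every installed copy of `name`, oldest first, with its default-gem status.
# A scanner that walks specifications/default/ sees the :default entries
# even when the application loads a newer copy.
def gem_copies(name)
  Gem::Specification.find_all_by_name(name).sort_by(&:version).map do |spec|
    { version: spec.version.to_s, default: spec.default_gem?, dir: spec.gem_dir }
  end
end

# Default gems that also have a newer, non-default copy installed, e.g.
# { "rexml" => { default: "3.2.3", newest: "3.2.5" } }. These are the
# entries a scanner flags although `require` will pick the newer copy.
def shadowed_default_gems
  Gem::Specification.select(&:default_gem?).each_with_object({}) do |dflt, out|
    newer = Gem::Specification.find_all_by_name(dflt.name)
                              .reject(&:default_gem?)
                              .select { |s| s.version > dflt.version }
                              .max_by(&:version)
    out[dflt.name] = { default: dflt.version.to_s, newest: newer.version.to_s } if newer
  end
end

# Version that `require feature` activates in this process (nil if RubyGems
# did not record an activation, e.g. the library is not packaged as a gem).
def active_version(name, feature = name)
  require feature
  spec = Gem.loaded_specs[name]
  spec ? spec.version.to_s : nil
end

if __FILE__ == $PROGRAM_NAME
  puts "installed copies of rexml: #{gem_copies('rexml').inspect}"
  puts "shadowed default gems:     #{shadowed_default_gems.inspect}"
  puts "rexml activated by require: #{active_version('rexml', 'rexml/document').inspect}"
end
```

Run it with the same Ruby the application uses: if the newer rexml is what `require` activates, the default copy is only a scanner finding, and the cleaner fix is to update the gem or its default-gem spec rather than delete files from the Ruby installation.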
You can ‘rm’ the gem. But it’s not a good idea. So just update the system gems with sudo gem update --system.
In my case, I can’t run the above command on amazonlinux:
bash-4.2# gem update --system
Updating rubygems-update
Fetching: rubygems-update-3.3.8.gem (100%)
ERROR: Error installing rubygems-update:
rubygems-update requires Ruby version >= 2.3.0.
ERROR: While executing gem ... (NoMethodError)
undefined method `version' for nil:NilClass
The version of Ruby provided by 6-month-old AmazonLinux is Ruby 2.0.
There are crude Linux distributions like AmazonLinux, CentOS, Debian that think the older the software is, the stabler it is. So they tend to keep decade-old software in their repo in the name of stability. The actual reason for this is a lazy community; they won’t update a thing unless it has security issues. So in such cases, you’re out of luck. Don’t use system Ruby. Use rvm/rbenv instead for ruby version management. If your server uses modern hardware, don’t use such distributions. The kernels are likely to be a couple of decades older.