Logstash Package with 2.6+ Ruby #13704

Closed
gr790 opened this issue Feb 3, 2022 · 6 comments

gr790 commented Feb 3, 2022

Do we have any recent plan to launch a Logstash package with an upgraded Ruby 2.6, as Ruby 2.5 is going EOL?

Thanks.

yaauie (Member) commented Feb 3, 2022

Modern Logstash ships with JRuby 9.2.20.1, which is language-compatible with MRI Ruby 2.5, but is a separately maintained implementation that is not EOL. We have plans to move to JRuby 9.3 (which tracks MRI Ruby 2.6) as it stabilizes with regard to the features we use. JRuby does lag behind the MRI implementation in terms of Ruby language-level features, but is robust and actively maintained.

What is the primary motivation of this issue? Are you a maintainer of a plugin who wants to use more modern Ruby language features?

gr790 (Author) commented Feb 4, 2022

Thanks for the quick reply. It's good that JRuby 2.5+ will continue for a while. My concern was the vulnerabilities raised by anchore-cli on this image. I noticed that the git, mail, snmp, redis and nokogiri gems used in this release have Critical/High vulnerabilities, but these are dependencies for logstash-plugin. What I can do is remove these gems and plugins from the image if I am not using them, and build it again for my project. The problem is with Nokogiri: the upgraded version of it requires Ruby 2.6.0+; does it require 2.6.0 for JRuby also?

Thanks

kares (Contributor) commented Feb 17, 2022

I do have some internal knowledge of Nokogiri - vulnerabilities are usually specific to a CRuby/JRuby version, since the backend is very different for the gem. The JRuby version has no native system dependencies (only CRuby uses libxml2).

I have tried to run anchore-cli image vuln docker.elastic.co/logstash/logstash:7.17.0 non-os.
It gets me this "Critical" CVE regarding Nokogiri:

CVE-2019-5477              nokogiri-*                                   Critical        None          CVE-2019-5477           https://nvd.nist.gov/vuln/detail/CVE-2019-5477           java        nvd                /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/nokogiri-1.12.5-java/lib/nokogiri/nokogiri.jar 

... this really does not make sense so far - looking at sparklemotion/nokogiri#1915:

  • the vulnerability was resolved in Nokogiri 1.10.4
  • the vulnerability wasn't Java (JRuby) specific - despite the tool pointing to lib/nokogiri/nokogiri.jar

Looking at the "Critical" git gem report e.g.:

CVE-2015-7545              git-1.10.2                                   Critical        None          CVE-2015-7545           https://nvd.nist.gov/vuln/detail/CVE-2015-7545           gem         nvd                /usr/share/logstash/vendor/bundle/jruby/2.5.0/specifications/git-1.10.2.gemspec
  • the vulnerability is almost 6 years old
  • the CVE itself seems to concern the git binary, not the gem (the gem does not package any binaries)
  • the gem included in the 7.17.0 image is the latest, from Jan 06 2022

So it depends on how good the tool you're using is and whether it gives you false positives.
Not sure what I missed, but so far it seems like the tool is not up to date or has some issues with scanning the Logstash docker image.
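The triage step kares does by hand above (read the version out of the path the scanner flagged, compare it with the version the advisory says fixed the bug) is easy to script. The following is an added example, not code from the Logstash project or from anyone in this thread. The only fix version it knows is the one stated in the thread (CVE-2019-5477 fixed in Nokogiri 1.10.4, per sparklemotion/nokogiri#1915); any other CVE is reported as unknown rather than guessed. The first two sample rows are the anchore-cli lines quoted above, the third is a constructed row for an older nokogiri so the "needs action" branch is exercised; the `/opt/example/...` path in it is made up.

```ruby
# Added example (not from the Logstash project or the issue author): triage gem
# findings from a scanner by comparing the *installed* gem version, taken from the
# path the scanner reports, with the version the advisory says fixed the bug.
require 'rubygems' # for Gem::Version

# Fix versions the triage trusts. Only the nokogiri entry comes from the thread
# (sparklemotion/nokogiri#1915: CVE-2019-5477 was fixed in 1.10.4); anything
# not listed here is reported as :unknown rather than guessed.
FIXED_IN = {
  'CVE-2019-5477' => { 'nokogiri' => '1.10.4' },
}.freeze

# Matches ".../gems/<name>-<version>[-<platform>]/..." and
# ".../specifications/<name>-<version>[-<platform>].gemspec".
GEM_PATH_RE = %r{/(?:gems|specifications)/([A-Za-z0-9_-]+)-(\d+(?:\.\d+)*)(?:-([a-z0-9]+))?(?:\.gemspec)?(?:/|\z)}

# Pull the fields we need out of one whitespace-separated scanner line:
# column 1 is the CVE, column 2 the package as the scanner names it, column 3
# the severity, and the last column is the path that triggered the match.
def parse_finding(line)
  cols = line.split
  return nil if cols.size < 4
  m = GEM_PATH_RE.match(cols.last)
  return nil unless m
  { cve: cols[0], scanner_pkg: cols[1], severity: cols[2],
    gem: m[1], version: m[2], platform: m[3], path: cols.last }
end

# Verdicts: :likely_false_positive when the installed version is at or past the
# fix, :needs_action when it is older, :unknown when we have no fix version on
# record (go read the advisory), :unparsed when the line is not a gem finding.
def triage(line, fixed_in = FIXED_IN)
  f = parse_finding(line)
  return { verdict: :unparsed, line: line } unless f
  fix = fixed_in.dig(f[:cve], f[:gem])
  f[:verdict] =
    if fix.nil?
      :unknown
    elsif Gem::Version.new(f[:version]) >= Gem::Version.new(fix)
      :likely_false_positive
    else
      :needs_action
    end
  f[:fixed_in] = fix
  f
end

# Constructed input: the first two rows are the anchore-cli lines quoted in the
# thread; the third is a made-up row (hypothetical /opt/example path) for an
# older nokogiri to show the :needs_action branch.
SAMPLE_FINDINGS = [
  'CVE-2019-5477 nokogiri-* Critical None CVE-2019-5477 https://nvd.nist.gov/vuln/detail/CVE-2019-5477 java nvd /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/nokogiri-1.12.5-java/lib/nokogiri/nokogiri.jar',
  'CVE-2015-7545 git-1.10.2 Critical None CVE-2015-7545 https://nvd.nist.gov/vuln/detail/CVE-2015-7545 gem nvd /usr/share/logstash/vendor/bundle/jruby/2.5.0/specifications/git-1.10.2.gemspec',
  'CVE-2019-5477 nokogiri-* Critical None CVE-2019-5477 https://nvd.nist.gov/vuln/detail/CVE-2019-5477 java nvd /opt/example/vendor/bundle/jruby/2.5.0/gems/nokogiri-1.10.3-java/lib/nokogiri/nokogiri.jar',
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_FINDINGS.each do |line|
    r = triage(line)
    puts "#{r[:cve]} #{r[:gem]} #{r[:version]} (fix: #{r[:fixed_in] || '?'}) -> #{r[:verdict]}"
  end
end
```

Two design points worth noting. The version is parsed from the path, not from the scanner's package column, because in the first row the scanner reports `nokogiri-*` and never states which version it matched; the path is the only place the installed version appears. And `Gem::Version` is used for the comparison rather than string comparison, since `1.12.5` sorts before `1.9.0` as text but after it as a version.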

gr790 (Author) commented May 27, 2022

That's what I thought lately... anchore-cli is not giving correct details. I will mark it closed and will wait for an updated version.

gr790 closed this as not planned on May 27, 2022

sambercovici commented

For example, if you scan Logstash 7.17.9 with trivy (https://github.com/aquasecurity/trivy), you get a large list of detected Ruby vulnerabilities, with git (git-1.10.2.gemspec) marked as critical due to CVE-2022-25648.

hunkathome commented

Any solution or plan to fix these git vulnerabilities?
