Reviews and Audits

This section contains information on the security reviews and audits that have been performed against the Mall on Rails codebase, and when possible, a link to their results. The date of the most recent review/audit is also provided.

Semgrep (Continuous, Automated)

Semgrep is an automated platform that provides the following reviews:

  • Static scan (SAST)
  • Supply chain vulnerability scan (SCA)
  • License compatibility scan

SAST

Semgrep SAST rates Ruby and the Rails framework as "generally available", meaning support for them is mature and commercially backed. Through Semgrep Pro, we additionally have access to Pro-exclusive rules, which we take advantage of.

SCA

Semgrep SCA supports reachability analysis, which determines whether the vulnerable portion of a dependency is actually called from the project's code rather than merely present in the dependency set. It can also identify malicious dependencies.

Last report

Semgrep is run as part of our CI/CD pipeline, and each merge request is tested before merging to the current branch.

At the time of this writing, 2025-04-13, it has identified 16 issues. 13 have been flagged as "False positive". Three have been flagged as "acceptable risk", which are detailed below:

  • lib/active_setting/setting.rb:128 and lib/active_setting/setting.rb:133
    Rule violated: avoid html_safe
    Reason: We use HTML Settings for HTML content provided by the storefront owner. This is intentional and by design.
  • app/controllers/orders_controller.rb:40
    Rule violated: avoid redirect
    Reason: This is required to be able to render order success pages for guests.

A full report, including all false positives, can be obtained by any current store owner via WTI Client Care. Interested community members may request a copy of the full report in CSV format via WTI Open Outreach.

glsa-check (Continuous, Automated)

Systems on the Finland hosting platform that run Gentoo Linux sync their Portage repository nightly. After they complete the sync, each server emails the output of glsa-check -t affected to the administration team.

When discovered, vulnerabilities are triaged within 24 hours and resolved on a timetable matched to their risk category:

Risk Category   Required Time to Fix
Critical        24 hours
High            48 hours
Medium          72 hours
Low             10 days

Last report

At the time of this writing, 2025-04-13:

host01 ~ # glsa-check -t affected
This system is not affected by any of the listed GLSAs

host02 ~ # glsa-check -t affected
This system is not affected by any of the listed GLSAs

ldap01 ~ # glsa-check -t affected
This system is not affected by any of the listed GLSAs