release: 3.1.1

- explicitly use webrick gem version with patch against CVE-2020-25613
- https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
- webrick versions bundled with ruby are vulnerable at this point

.github/workflows/cd.yml

@@ -10,7 +10,7 @@ jobs:
   release-dockerimage:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v1
+    - uses: actions/checkout@v2
     - name: Extract dyndnsd version from tag name
       run: |
         echo ::set-env name=DYNDNSD_VERSION::${GITHUB_REF#refs/*/v}

.github/workflows/vulnscan.yml

@@ -4,6 +4,7 @@ name: vulnscan
 on:
   schedule:
   - cron: '7 4 * * 4'  # weekly on thursday morning
+  workflow_dispatch:
 
 jobs:
   scan-released-dockerimages:
@@ -22,16 +23,19 @@ jobs:
       run: |
         trivy image --download-db-only
     - name: Scan vulnerabilities using Trivy
+      env:
+        TRIVY_SKIP_DIRS: '/usr/lib/ruby/gems/2.7.0/gems/jaeger-client-0.10.0/crossdock,/usr/lib/ruby/gems/2.7.0/gems/jaeger-client-1.0.0/crossdock'
       run: |
         trivy --version
 
-        ALL_IMAGES="$(curl -s https://hub.docker.com/v2/repositories/cmur2/dyndnsd/tags?page_size=1000 | jq -r '.results[].name | "cmur2/dyndnsd:" + .' | grep -e 'cmur2/dyndnsd:v' | sort -r)"
+        # semver sorting as per https://stackoverflow.com/a/40391207/2148786
+        ALL_IMAGES="$(curl -s https://hub.docker.com/v2/repositories/cmur2/dyndnsd/tags?page_size=1000 | jq -r '.results[].name | "cmur2/dyndnsd:" + .' | grep -e 'cmur2/dyndnsd:v' | sed '/-/!{s/$/_/}' | sort -r -V | sed 's/_$//')"
         EXIT_CODE=0
         set -e
         for major_version in $(seq 1 10); do
           for image in $ALL_IMAGES; do
             if [[ "$image" = cmur2/dyndnsd:v$major_version.* ]]; then
-              echo -n "\nScanning newest patch release $image of major v$major_version...\n"
+              echo -e "\nScanning newest patch release $image of major v$major_version...\n"
               if ! trivy image --skip-update --exit-code 1 "$image"; then
                 EXIT_CODE=1
               fi

.travis.yml

@@ -6,5 +6,8 @@ rvm:
 - 2.6
 - 2.5
 
+services:
+- docker
+
 script:
 - bundle exec rake travis

CHANGELOG.md

@@ -1,6 +1,12 @@
 # Changelog
 
-## 3.1.0
+## 3.1.1 (october 3, 2020)
+
+IMPROVEMENTS:
+
+- Use webrick gem which contains fixes against [CVE-2020-25613](https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/)
+
+## 3.1.0 (August 19, 2020)
 
 IMPROVEMENTS:
 

README.md

@@ -81,7 +81,7 @@ The Docker image consumes the same configuration file in YAML format as the gem,
 host: "0.0.0.0"
 port: 8080
 # omit the logfile: option so logging to STDOUT will happen automatically
-db: "/var/lib/db.json"
+db: "/var/lib/dyndnsd/db.json"
 
 # User's settings for updater and permissions follow here!
 ```
@@ -94,7 +94,7 @@ Run the Docker image exposing the DynDNS-API on host port 8080 via:
 docker run -d --name dyndnsd \
            -p 8080:8080 \
            -v /host/path/to/dyndnsd/config.yml:/etc/dyndnsd/config.yml \
-           -v /host/path/to/dyndnsd/db.json:/var/lib/db.json \
+           -v /host/ptherpath/to/dyndnsd/datadir:/var/lib/dyndnsd \
            cmur2/dyndnsd:vX.Y.Z
 ```
 

Rakefile

@@ -9,16 +9,23 @@ RSpec::Core::RakeTask.new(:spec)
 RuboCop::RakeTask.new
 Bundler::Audit::Task.new
 
-desc 'Should be run by developer once to prepare initial solargraph usage (fill caches etc.)'
-task :'solargraph:init' do
-  sh 'solargraph download-core'
-end
-
 desc 'Run experimental solargraph type checker'
-task :'solargraph:tc' do
+task :solargraph do
   sh 'solargraph typecheck'
 end
 
-task default: [:rubocop, :spec, 'bundle:audit']
+namespace :solargraph do
+  desc 'Should be run by developer once to prepare initial solargraph usage (fill caches etc.)'
+  task :init do
+    sh 'solargraph download-core'
+  end
+end
 
-task travis: [:default, :'solargraph:init', :'solargraph:tc']
+desc 'Run hadolint for Dockerfile linting'
+task :hadolint do
+  sh 'docker run --rm -i hadolint/hadolint:v1.18.0 hadolint --ignore DL3018 - < docker/Dockerfile'
+end
+
+task default: [:rubocop, :spec, 'bundle:audit', :solargraph]
+
+task travis: ['solargraph:init', :default, :hadolint]

dyndnsd.gemspec

@@ -28,17 +28,18 @@ Gem::Specification.new do |s|
   s.required_ruby_version = '>= 2.5'
 
   s.add_runtime_dependency 'async-dns', '~> 1.2.0'
-  s.add_runtime_dependency 'jaeger-client', '~> 1.0.0'
+  s.add_runtime_dependency 'jaeger-client', '~> 1.1.0'
   s.add_runtime_dependency 'metriks'
   s.add_runtime_dependency 'opentracing', '~> 0.5.0'
   s.add_runtime_dependency 'rack', '~> 2.0'
   s.add_runtime_dependency 'rack-tracer', '~> 0.9.0'
+  s.add_runtime_dependency 'webrick', '>= 1.6.1'
 
   s.add_development_dependency 'bundler'
   s.add_development_dependency 'bundler-audit', '~> 0.7.0'
   s.add_development_dependency 'rack-test'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rspec'
-  s.add_development_dependency 'rubocop', '~> 0.89.0'
+  s.add_development_dependency 'rubocop', '~> 0.92.0'
   s.add_development_dependency 'solargraph'
 end

lib/dyndnsd/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dyndnsd
-  VERSION = '3.1.0.rc1'
+  VERSION = '3.1.1'
 end