Attempt to fix vulnerability (#416)

* Fix vulnerability

* Add rails/.env to the accept files

* Pin specific version

* Set correct header

* Ignore low risk threat

.dockleconfig

@@ -1,4 +1,4 @@
 # This file is allows you to specify a list of files that is acceptable to Dockle
 # To allow multiple files, use a list of names, example below. Make sure to remove the leading #
-DOCKLE_ACCEPT_FILES=database.yml,omniauth.rb
+DOCKLE_ACCEPT_FILES=database.yml,omniauth.rb,rails/.env
 # https://github.com/goodwithtech/dockle#accept-suspicious-environment-variables--files--file-extensions

.github/workflows/owasp-scan.yml

@@ -41,7 +41,7 @@ jobs:
           database_url: ${{ steps.setup.outputs.database_url }}
 
       - name: Run OWASP Full Scan
-        uses: zaproxy/action-full-scan@v0.11.0
+        uses: zaproxy/action-full-scan@v0.12.0
         with:
           target: 'http://localhost:3000/'
           fail_action: true

.github/workflows/rspec.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   rspec:
     name: Rspec
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     services:
       postgres:
         image: postgres

app/Dockerfile

@@ -115,7 +115,7 @@ RUN apt-get update -qq && \
         curl=7.88.1-10+deb12u8 \
         libgpgme11=1.18.0-3+b1 \
         libvips42=8.14.1-3+deb12u1 \
-        linux-libc-dev=6.1.119-1 \
+        linux-libc-dev=6.1.123-1 \
         openssl=3.0.15-1~deb12u1 \
         postgresql-client=15+248 \
         python-is-python3=3.11.2-1+deb12u1 \

app/zap.conf

@@ -10,6 +10,8 @@
 # Perms Policy not supported in rails https://github.com/rails/rails/issues/48878
 # Also not fully adopted: https://caniuse.com/permissions-policy
 10063	IGNORE	Permissions Policy Header Not Set
+# Low risk
+90004	IGNORE	Insufficient Site Isolation Against Spectre Vulnerability
 10003	WARN	(Vulnerable JS Library - Passive/release)
 10010	FAIL	(Cookie No HttpOnly Flag - Passive/release)
 10011	FAIL	(Cookie Without Secure Flag - Passive/release)