Description
While performing a scan of ruby:2.6.3-alpine3.10, we are showing a vulnerability result tied to procps (CVE-2018-1121).
procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.
This package is listed as a build dependency and although build dependencies are removed, a run-time dependency exists on procps, and we are unable to remove just procps because it is tied to the .ruby-rundeps virtual group.
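To see why `apk del procps` is refused on such an image, it helps to look at which installed package declares it as a dependency. The following is an added illustration (not code from the docker-library/ruby project or from this issue's author) that parses records in the style of apk's installed database (`/lib/apk/db/installed`: blank-line separated records of `K:value` lines, with `P:` as the package name and `D:` as the space-separated dependency list) and reports which virtual groups (names starting with `.`) pin a given package. The database excerpt is constructed for the example; the version strings are placeholders.

```python
"""Report which apk virtual groups pin a package (added example, constructed data)."""

# Constructed excerpt in the shape of /lib/apk/db/installed; not taken from a real image.
SAMPLE_INSTALLED_DB = """\
P:procps
V:3.3.15-r0
D:so:libc.musl-x86_64.so.1 so:libncursesw.so.6

P:.ruby-rundeps
V:0
D:procps gmp-dev libffi-dev readline-dev yaml-dev zlib-dev

P:.build-deps
V:0
D:bison build-base

"""


def parse_installed_db(text):
    """Parse blank-line separated records of 'K:value' lines into {name: {field: value}}."""
    packages = {}
    current = {}
    for line in text.splitlines():
        if not line.strip():
            if "P" in current:
                packages[current["P"]] = current
            current = {}
            continue
        if len(line) > 1 and line[1] == ":":
            current[line[0]] = line[2:]
    if "P" in current:  # record without a trailing blank line
        packages[current["P"]] = current
    return packages


def dep_name(dep):
    """Strip version constraints (procps>=3.3) and conflict markers (!pkg) from a dependency token."""
    for sep in ("<", ">", "=", "~"):
        dep = dep.split(sep, 1)[0]
    return dep.lstrip("!")


def holders(packages, target):
    """Names of installed packages whose D: list names `target`."""
    return sorted(
        name
        for name, meta in packages.items()
        if target in {dep_name(d) for d in meta.get("D", "").split()}
    )


def virtual_groups_pinning(packages, target):
    """Subset of holders() that are apk virtual groups (names beginning with '.')."""
    return [name for name in holders(packages, target) if name.startswith(".")]


if __name__ == "__main__":
    db = parse_installed_db(SAMPLE_INSTALLED_DB)
    for pkg in ("procps", "bison"):
        print(pkg, "is pinned by", virtual_groups_pinning(db, pkg))
```

On a live Alpine container the equivalent question is answered by `apk info -r procps`, which lists the reverse dependencies; a virtual group in that list means the package can only go away if the group is dropped or recreated without it.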
After doing some digging, it looks like ruby-build doesn't reference this package as a recommended system requirement, and looking back at #30, the commentary doesn't mention this package but #33 merged it.
This issue has largely been declared wont-fix (ref, ref), and we're hoping to remove the vulnerability from our scan report - can this package be removed?
Thanks!