
Conversation

@mladenilic

Upgrades RuboCop dependencies, which solves the following issues with rexml:
https://nvd.nist.gov/vuln/detail/CVE-2024-41123
https://nvd.nist.gov/vuln/detail/CVE-2024-41946

@byroot (Member)

byroot commented Nov 8, 2024

Sorry, just saw this now, I updated rexml on master directly.

But I wonder what kind of tool you might be using for it to care about the dev dependencies of redis-client. That's totally ridiculous.

@byroot byroot closed this Nov 8, 2024
@mladenilic mladenilic deleted the rubocop-update branch November 12, 2024 11:15
@mladenilic (Author)

It is reported by the Amazon Inspector. I agree with your point about dev dependencies.

In my case, this brings up additional issues with compliance audits, which is why I opened the PR. In any case, thanks for taking the time!

@byroot (Member)

byroot commented Nov 12, 2024

It is reported by the Amazon Inspector.

Interesting.

@jterapin @mullermp, apologies for the ping, but since we interacted recently: would you happen to know if there's a way to send feedback to the Amazon Inspector team to ask them to not scan dev dependencies?

@mullermp

Yes. @mladenilic Can you file a support ticket through the AWS console? That would be the best way.

@mladenilic (Author)

Amazon Inspector team acknowledges that the current scanning approach might lead to false positives, where vulnerabilities are reported for components that do not pose an actual risk due to not being used at runtime. However, they also believe it's still valuable to be aware of these potential vulnerabilities.

The response also mentions a new matching engine which may improve the accuracy, but it's unclear if this will specifically address the issue of unused dependencies.

Anyway, my specific problem will be solved once a new gem version gets released, since f9641cf removes Gemfile.lock from the gem package. In the meantime we have documented the vulnerability as a low risk to the environment and will wait for a new version of redis-client.

Thank you both!
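The triage question underlying this thread (is a gem that a scanner flags in a shipped Gemfile.lock actually reachable from the library's runtime dependencies, or only from its development tooling?) can be answered mechanically. The script below is an added example, not code from redis-client or from Amazon Inspector: it parses a constructed Gemfile.lock, walks the dependency graph from a hand-written list standing in for the gemspec's runtime dependencies, and classifies every locked gem as runtime-reachable or development-only. The lockfile contents, the `RUNTIME_DEPS` list and all function names are assumptions made for the example.

```ruby
# Added example (not part of redis-client): classify the gems in a Gemfile.lock
# as runtime-reachable or development-only, so a scanner finding against a gem
# such as rexml can be triaged by whether it is reachable from the gemspec's
# runtime dependencies.
require "set"

# Constructed sample lockfile (hypothetical versions; not the project's real one).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      ast (2.4.2)
      connection_pool (2.4.1)
      parser (3.3.0.5)
        ast (~> 2.4.1)
        racc
      racc (1.8.1)
      rexml (3.3.1)
        strscan
      rubocop (1.65.1)
        parser (>= 3.3.0.2)
        rexml (>= 3.3.1, < 4.0)
      strscan (3.1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    connection_pool
    rubocop
LOCK

# Stand-in for the gemspec's `add_runtime_dependency` declarations (assumed).
RUNTIME_DEPS = ["connection_pool"].freeze

# Parse the GEM/specs section into { gem_name => [dependency names] }.
# Spec entries sit at indent 4, their dependencies at indent 6; other sections
# (PLATFORMS, DEPENDENCIES, ...) are skipped.
def parse_lockfile(text)
  graph = {}
  section = nil
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/            # an unindented line starts a new section
      section = line.strip
      current = nil
      next
    end
    next unless section == "GEM"
    indent = line[/\A */].size
    name = line.strip.split(" ").first   # drop the version constraint
    case indent
    when 4                       # e.g. "rexml (3.3.1)"
      current = name
      graph[current] ||= []
    when 6                       # e.g. "  strscan" under rexml
      graph[current] << name if current
    end
  end
  graph
end

# Breadth-first walk from the runtime roots over the locked dependency graph.
def reachable_from(graph, roots)
  seen = Set.new
  queue = roots.dup
  until queue.empty?
    gem_name = queue.shift
    next if seen.include?(gem_name)
    seen << gem_name
    queue.concat(graph.fetch(gem_name, []))
  end
  seen
end

# Returns { runtime: [...], development_only: [...] }, both sorted.
def classify(lock_text, runtime_deps)
  graph = parse_lockfile(lock_text)
  runtime = reachable_from(graph, runtime_deps)
  {
    runtime: graph.keys.select { |g| runtime.include?(g) }.sort,
    development_only: graph.keys.reject { |g| runtime.include?(g) }.sort
  }
end

# True when the named gem is reachable from the runtime dependency roots.
def runtime_exposure?(lock_text, runtime_deps, gem_name)
  classify(lock_text, runtime_deps)[:runtime].include?(gem_name)
end

if __FILE__ == $PROGRAM_NAME
  result = classify(SAMPLE_LOCKFILE, RUNTIME_DEPS)
  puts "runtime:          #{result[:runtime].join(', ')}"
  puts "development-only: #{result[:development_only].join(', ')}"
  puts "rexml reachable at runtime? #{runtime_exposure?(SAMPLE_LOCKFILE, RUNTIME_DEPS, 'rexml')}"
end
```

In the constructed lockfile rexml is pulled in only through rubocop, so it lands in the development-only bucket; that is the evidence an audit note such as the one described above needs. The same classification also shows why shipping Gemfile.lock inside the `.gem` is what gives scanners the development graph to flag in the first place.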

