GEM_HOME is set to /usr/local/bundle and made world sticky + writable. This could introduce several supply-chain-related vulnerabilities and are usually harder to detect, since most scanning tools, including SBOM tools, do not collect all files. A workaround could be to encourage the use of GEM_PATH with a separate directory such as /opt/ruby-latest/bundle. Alternatively, the documentation could be updated to mention the presence of this sticky, world-writable directory in the images.
GEM_HOME is set to
/usr/local/bundleand made world sticky + writable. This could introduce several supply-chain-related vulnerabilities and are usually harder to detect, since most scanning tools, including SBOM tools, do not collect all files. A workaround could be to encourage the use ofGEM_PATHwith a separate directory such as/opt/ruby-latest/bundle. Alternatively, the documentation could be updated to mention the presence of this sticky, world-writable directory in the images.