Gem vulnerability checker using rubysec/ruby-advisory-db
Gemsurance is a tool for monitoring if any of your Ruby Gems are out-of-date or vulnerable. It uses Bundler and the Ruby Advisory Database to do so. It's similar to bundler-audit, but outputs an HTML report and determines which gems are out-of-date as well.
To install Gemsurance, add
ruby gem 'gemsurance'to your Gemfile and run bundle install.
Use gemsurance by running
sh bundle exec gemsurance [options]from the directory containing the Gemfile whose gems you wish to check.
This will output an HTML file (named gemsurance_report.html by default) in the current directory containing a report of your gem status: which gems are out-of-date and which gems have reported vulnerabilities in the Ruby Advisory Database. The Ruby Advisory Database git repo will be checked out into tmp/vulnerabilities relative to the working directory.
Gems that are up-to-date are colored green and gems that are out-of-date but without reported vulnerabilities are colored yellow. Vulnerable gems are colored red, and information about the vulnerability and versions with a patch for the issue is displayed in the rightmost column.
Gemsurance exits with code 0 if there are no gems with reported vulnerabilities and code 1 if there are any such gems.
Running the gemsurance check as part of your RSpec test suite will cause an RSpec failure whenever a gem with a known vulnerability is detected in your application. This is incredibly useful if your application is tested regularly by a CI build. You can set this up by adding samplespec/gemsurancespec.rb to your RSpec tests.
Command-line options to the gemsurance executable are as follows: - --pre: Consider pre-release gem versions - --output FILE: Output report to specified file - --whitelist FILE: Read whitelist from file. Defaults to .gemsurance.yml - --format FORMAT: Output report to specified format (html, csv, & yml available). Html by default.
The whitelist must be in the format
nokogiri: CVE-2015-1819: - 1.5.9 - 1.6.0 OSVDB-101179: - 1.5.6 - 1.6.0 ```
Contributions are always welcome. Please fork the repo and create a pull request or create an issue.
Thanks to Bundler and the Ruby Advisory Database, upon which Gemsurance is based.