Ruby gem vulnerability
Need help with gemsurance?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.
appfolio

Description

Gem vulnerability checker using rubysec/ruby-advisory-db

206 Stars 21 Forks MIT License 85 Commits 5 Opened issues

Services available

Need anything else?

Build Status Gem Version Code Climate

Gemsurance: Insurance for your Gems

Gemsurance is a tool for monitoring if any of your Ruby Gems are out-of-date or vulnerable. It uses Bundler and the Ruby Advisory Database to do so. It's similar to bundler-audit, but outputs an HTML report and determines which gems are out-of-date as well.

Getting started

To install Gemsurance, add

ruby
gem 'gemsurance'
to your Gemfile and run bundle install.

Use gemsurance by running

sh
bundle exec gemsurance [options]
from the directory containing the Gemfile whose gems you wish to check.

This will output an HTML file (named gemsurance_report.html by default) in the current directory containing a report of your gem status: which gems are out-of-date and which gems have reported vulnerabilities in the Ruby Advisory Database. The Ruby Advisory Database git repo will be checked out into tmp/vulnerabilities relative to the working directory.

Example Gemsurance report

Gems that are up-to-date are colored green and gems that are out-of-date but without reported vulnerabilities are colored yellow. Vulnerable gems are colored red, and information about the vulnerability and versions with a patch for the issue is displayed in the rightmost column.

Gemsurance exits with code 0 if there are no gems with reported vulnerabilities and code 1 if there are any such gems.

Integration into a Rails RSpec suite

Running the gemsurance check as part of your RSpec test suite will cause an RSpec failure whenever a gem with a known vulnerability is detected in your application. This is incredibly useful if your application is tested regularly by a CI build. You can set this up by adding samplespec/gemsurancespec.rb to your RSpec tests.

Command-line options

Command-line options to the gemsurance executable are as follows: - --pre: Consider pre-release gem versions - --output FILE: Output report to specified file - --whitelist FILE: Read whitelist from file. Defaults to .gemsurance.yml - --format FORMAT: Output report to specified format (html, csv, & yml available). Html by default.

The whitelist must be in the format

```yaml

nokogiri: CVE-2015-1819: - 1.5.9 - 1.6.0 OSVDB-101179: - 1.5.6 - 1.6.0 ```

TODOs

  • Support Git versions of gems
  • Formatting as JSON

Contributing

Contributions are always welcome. Please fork the repo and create a pull request or create an issue.

Acknowledgements

Thanks to Bundler and the Ruby Advisory Database, upon which Gemsurance is based.

License

MIT License.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.