Skip to content
This repository has been archived by the owner on Feb 25, 2023. It is now read-only.

appfolio/gemsurance

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

87 Commits

.github

.github

 
 

bin

bin

 
 

images

images

 
 

lib

lib

 
 

sample_spec

sample_spec

 
 

test

test

 
 

.gitignore

.gitignore

 
 

.travis.yml

.travis.yml

 
 

CHANGELOG.md

CHANGELOG.md

 
 

Gemfile

Gemfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Rakefile

Rakefile

 
 

gemsurance.gemspec

gemsurance.gemspec

 
 

Repository files navigation

Build Status Gem Version Code Climate

Gemsurance: Insurance for your Gems

Gemsurance is a tool for monitoring if any of your Ruby Gems are out-of-date or vulnerable. It uses Bundler and the Ruby Advisory Database to do so. It's similar to bundler-audit, but outputs an HTML report and determines which gems are out-of-date as well.

Getting started

To install Gemsurance, add

gem 'gemsurance'

to your Gemfile and run bundle install.

Use gemsurance by running

bundle exec gemsurance [options]

from the directory containing the Gemfile whose gems you wish to check.

This will output an HTML file (named gemsurance_report.html by default) in the current directory containing a report of your gem status: which gems are out-of-date and which gems have reported vulnerabilities in the Ruby Advisory Database. The Ruby Advisory Database git repo will be checked out into tmp/vulnerabilities relative to the working directory.

Example Gemsurance report

Gems that are up-to-date are colored green and gems that are out-of-date but without reported vulnerabilities are colored yellow. Vulnerable gems are colored red, and information about the vulnerability and versions with a patch for the issue is displayed in the rightmost column.

Gemsurance exits with code 0 if there are no gems with reported vulnerabilities and code 1 if there are any such gems.

Integration into a Rails RSpec suite

Running the gemsurance check as part of your RSpec test suite will cause an RSpec failure whenever a gem with a known vulnerability is detected in your application. This is incredibly useful if your application is tested regularly by a CI build. You can set this up by adding sample_spec/gemsurance_spec.rb to your RSpec tests.

Command-line options

Command-line options to the gemsurance executable are as follows:

  • --pre: Consider pre-release gem versions
  • --output FILE: Output report to specified file
  • --whitelist FILE: Read whitelist from file. Defaults to .gemsurance.yml
  • --format FORMAT: Output report to specified format (html, csv, & yml available). Html by default.

The whitelist must be in the format

---
nokogiri:
  CVE-2015-1819:
    - 1.5.9
    - 1.6.0
  OSVDB-101179:
    - 1.5.6
    - 1.6.0

TODOs

  • Support Git versions of gems
  • Formatting as JSON

Contributing

Contributions are always welcome. Please fork the repo and create a pull request or create an issue.

Acknowledgements

Thanks to Bundler and the Ruby Advisory Database, upon which Gemsurance is based.

License

MIT License.

About

Gem vulnerability checker using rubysec/ruby-advisory-db

Topics

ruby gem vulnerability

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

212 stars

Watchers

143 watching

Forks

25 forks
Report repository

Releases

15 tags

Packages

No packages published

Contributors 13

Languages