Skip to content
This repository has been archived by the owner on Feb 25, 2023. It is now read-only.

appfolio/gemsurance

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 15 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
.github
 
 
bin
 
 
images
 
 
lib
 
 
sample_spec
 
 
test
 
 
.gitignore
 
 
.travis.yml
 
 
CHANGELOG.md
 
 
Gemfile
 
 
LICENSE
 
 
README.md
 
 
Rakefile
 
 
gemsurance.gemspec
 
 
Gemsurance: Insurance for your Gems Getting started Integration into a Rails RSpec suite Command-line options TODOs Contributing Acknowledgements License

README.md

Build Status Gem Version Code Climate

Gemsurance: Insurance for your Gems

Gemsurance is a tool for monitoring if any of your Ruby Gems are out-of-date or vulnerable. It uses Bundler and the Ruby Advisory Database to do so. It's similar to bundler-audit, but outputs an HTML report and determines which gems are out-of-date as well.

Getting started

To install Gemsurance, add

gem 'gemsurance'

to your Gemfile and run bundle install.

Use gemsurance by running

bundle exec gemsurance [options]

from the directory containing the Gemfile whose gems you wish to check.

This will output an HTML file (named gemsurance_report.html by default) in the current directory containing a report of your gem status: which gems are out-of-date and which gems have reported vulnerabilities in the Ruby Advisory Database. The Ruby Advisory Database git repo will be checked out into tmp/vulnerabilities relative to the working directory.

Example Gemsurance report

Gems that are up-to-date are colored green and gems that are out-of-date but without reported vulnerabilities are colored yellow. Vulnerable gems are colored red, and information about the vulnerability and versions with a patch for the issue is displayed in the rightmost column.

Gemsurance exits with code 0 if there are no gems with reported vulnerabilities and code 1 if there are any such gems.

Integration into a Rails RSpec suite

Running the gemsurance check as part of your RSpec test suite will cause an RSpec failure whenever a gem with a known vulnerability is detected in your application. This is incredibly useful if your application is tested regularly by a CI build. You can set this up by adding sample_spec/gemsurance_spec.rb to your RSpec tests.

Command-line options

Command-line options to the gemsurance executable are as follows:

  • --pre: Consider pre-release gem versions
  • --output FILE: Output report to specified file
  • --whitelist FILE: Read whitelist from file. Defaults to .gemsurance.yml
  • --format FORMAT: Output report to specified format (html, csv, & yml available). Html by default.

The whitelist must be in the format

---
nokogiri:
  CVE-2015-1819:
    - 1.5.9
    - 1.6.0
  OSVDB-101179:
    - 1.5.6
    - 1.6.0

TODOs

  • Support Git versions of gems
  • Formatting as JSON

Contributing

Contributions are always welcome. Please fork the repo and create a pull request or create an issue.

Acknowledgements

Thanks to Bundler and the Ruby Advisory Database, upon which Gemsurance is based.

License

MIT License.

About

Gem vulnerability checker using rubysec/ruby-advisory-db

Topics

ruby gem vulnerability

Resources

Readme

License

MIT license
Activity

Stars

212 stars

Watchers

143 watching

Forks

25 forks
Report repository

Releases

15 tags

Packages

No packages published

Contributors 13

Languages