Introducing "Automated Security Updates" #15

Open
JuanitoFatas opened this issue Dec 24, 2015 · 1 comment

Comments


@JuanitoFatas JuanitoFatas commented Dec 24, 2015

🔔 ~ 🔔 ~ 🔔 hor hor hor

We are really excited to announce a new feature for deppbot today 🎉🎋:

Automated Security Updates - Fixes your security vulnerabilities automagically.

See live examples: here, here and here.

The idea behind it is simple if you already know how to Secure Your Ruby App with bundler-audit 🔒.

Let's go through how it works, using discourse/discourse Gemfile@f3e24ba as an example.

First, deppbot uses bundler-audit to find out 🔍 if any gem has security vulnerabilities:

$ git clone git@github.com:discourse/discourse.git && cd discourse
$ bundle-audit
Name: jquery-rails
Version: 3.1.2
Advisory: CVE-2015-1840
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
Title: CSRF Vulnerability in jquery-rails
Solution: upgrade to >= 4.0.4, ~> 3.1.3

Name: rest-client
Version: 1.7.2
Advisory: CVE-2015-1820
Criticality: Unknown
URL: https://github.com/rest-client/rest-client/issues/369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0

Name: rest-client
Version: 1.7.2
Advisory: CVE-2015-3448
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/117461
Title: Rest-Client Gem for Ruby logs password information in plaintext
Solution: upgrade to >= 1.7.3

Name: sprockets
Version: 2.11.0
Advisory: CVE-2014-7819
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
Title: Arbitrary file existence disclosure in Sprockets
Solution: upgrade to ~> 2.0.5, ~> 2.1.4, ~> 2.2.3, ~> 2.3.3, ~> 2.4.6, ~> 2.5.1, ~> 2.7.1, ~> 2.8.3, ~> 2.9.4, ~> 2.10.2, ~> 2.11.3, ~> 2.12.3, >= 3.0.0.beta.3

Vulnerabilities found!

We can see that jquery-rails, rest-client and sprockets are vulnerable 🔥🔥🔥 and need to be fixed 💪. As a human, we can choose the appropriate solutions, update the Gemfile, then bundle again. Well, so does deppbot! 😉

deppbot will fix this in one commit (just like one would):

Sample discourse automated security updates Commit

But there is more than that! deppbot also provides the information you need to know in the Pull Request:

Sample discourse automated security updates Pull Request

Gems with security vulnerabilities that are fixed are listed at the very top in the Pull Request description, along with the corresponding CVE / OSVDB links to http://rubysec.com.

What about the "With these gem updates" section 😕? You may be wondering why these other gems are updated as well.

Let me explain...

If you take the updated Gemfile, and try to update only the vulnerable gems, you'll see:

$ bundle update jquery-rails sprockets rest-client
Fetching gem metadata from https://rubygems.org/.............
Fetching version metadata from https://rubygems.org/...
Fetching dependency metadata from https://rubygems.org/..
Resolving dependencies......
Bundler could not find compatible versions for gem "sprockets":
  In Gemfile:
    sprockets (~> 2.11.3)

    ember-rails was resolved to 0.18.2, which depends on
      ember-handlebars-template (< 1.0, >= 0.1.1) was resolved to 0.1.5, which depends on
        sprockets (< 3.1, >= 2.1)

    sass-rails (~> 4.0.5) was resolved to 4.0.5, which depends on
      sprockets (<= 2.11.0, ~> 2.8)

    sass-rails (~> 4.0.5) was resolved to 4.0.5, which depends on
      sprockets-rails (~> 2.0.0) was resolved to 2.0.1, which depends on

Oh no, an incompatible error. 😓

However, deppbot is smart enough to figure out how to resolve it 😎, and gems that are updated to resolve the incompatible error are then placed under the "With these gem updates" section.

When would you receive a Security Update Pull Request? Once deppbot detects vulnerable ruby gems (and there are no open Pull Requests from deppbot), deppbot will issue a Security Update Pull Request regardless of your frequency setting. In this case, we prioritise the security of your app above everything else and ignore the frequency setting in order to help you secure your app in the quickest time possible.

Let us know what you think about this new feature! 🙏

Merry Christmas 🎄🎁 and Ship Better Software with deppbot in 2016 🎆!

🎅

~ 🔔 ~ 🔔 ~ 🔔

One more thing, 💡 deppbot only works with GitHub repositories with a valid Gemfile and Gemfile.lock.
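The "choose the appropriate solutions" step of the workflow described in the post above, as an added example that is not deppbot's own code: it parses bundler-audit's plain-text report (in exactly the format quoted in the post) and, for every vulnerable gem, picks the nearest version that clears all of that gem's advisories at once, so a gem with several advisories (rest-client here) gets one target rather than one per CVE. The sample report is constructed from the advisories quoted in the post; the function names (`parse_audit_report`, `choose_target`, `plan_security_updates`) are this example's own. It stops before the Gemfile.lock resolution that deppbot performs (the `bundle update` conflict shown above); the chosen target is only the starting point for that.

```ruby
# Added example (not deppbot's code): parse bundler-audit's plain-text report
# and, for each vulnerable gem, choose the closest version that satisfies
# *every* advisory for that gem. Only rubygems' Gem::Version / Gem::Requirement
# are used, so it runs offline.
require 'rubygems'

# Constructed sample, trimmed from the report quoted in the issue above.
SAMPLE_REPORT = <<~REPORT
  Name: jquery-rails
  Version: 3.1.2
  Advisory: CVE-2015-1840
  Criticality: Medium
  URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
  Title: CSRF Vulnerability in jquery-rails
  Solution: upgrade to >= 4.0.4, ~> 3.1.3

  Name: rest-client
  Version: 1.7.2
  Advisory: CVE-2015-1820
  Criticality: Unknown
  URL: https://github.com/rest-client/rest-client/issues/369
  Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
  Solution: upgrade to >= 1.8.0

  Name: rest-client
  Version: 1.7.2
  Advisory: CVE-2015-3448
  Criticality: Unknown
  URL: http://www.osvdb.org/show/osvdb/117461
  Title: Rest-Client Gem for Ruby logs password information in plaintext
  Solution: upgrade to >= 1.7.3

  Name: sprockets
  Version: 2.11.0
  Advisory: CVE-2014-7819
  Criticality: Medium
  URL: https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
  Title: Arbitrary file existence disclosure in Sprockets
  Solution: upgrade to ~> 2.0.5, ~> 2.1.4, ~> 2.11.3, ~> 2.12.3, >= 3.0.0.beta.3

  Vulnerabilities found!
REPORT

Advisory = Struct.new(:name, :version, :advisory, :criticality, :title, :solution)

# Each advisory is a run of "Key: value" lines; blocks are separated by a blank line.
# The trailing "Vulnerabilities found!" block has no Name/Advisory and is dropped.
def parse_audit_report(text)
  text.split(/\n[ \t]*\n/).filter_map do |block|
    fields = block.lines.filter_map { |l| l.strip.match(/\A(\w+): (.*)\z/)&.captures }.to_h
    next unless fields['Name'] && fields['Advisory']
    Advisory.new(fields['Name'], fields['Version'], fields['Advisory'],
                 fields['Criticality'], fields['Title'], fields['Solution'])
  end
end

# "upgrade to >= 4.0.4, ~> 3.1.3" -> [Gem::Requirement(">= 4.0.4"), Gem::Requirement("~> 3.1.3")]
def patched_requirements(solution)
  solution.sub(/\Aupgrade to\s*/, '').split(/,\s*/).map { |spec| Gem::Requirement.new(spec) }
end

# Lower bound of a single-clause requirement such as ">= 1.8.0" or "~> 2.11.3".
def floor_version(requirement)
  requirement.requirements.first.last
end

# Number of leading version segments two versions share (2.11.0 vs 2.11.3 -> 2).
def shared_prefix(a, b)
  a.segments.zip(b.segments).take_while { |x, y| x == y }.size
end

# Candidate must be newer than the installed version and satisfy at least one
# patched range of *every* advisory for the gem; among those, stay as close to
# the current release line as possible (2.11.3 beats 2.12.3 and 3.0.0.beta.3
# for sprockets 2.11.0). Returns nil when no single version clears all advisories.
def choose_target(current, advisories)
  cur = Gem::Version.new(current)
  req_sets = advisories.map { |adv| patched_requirements(adv.solution) }
  candidates = req_sets.flatten.map { |r| floor_version(r) }.uniq.select { |v| v > cur }
  safe = candidates.select { |v| req_sets.all? { |set| set.any? { |r| r.satisfied_by?(v) } } }
  safe.min_by { |v| [-shared_prefix(cur, v), v] }
end

# Report text -> { gem name => target version string, or nil if none fits }.
def plan_security_updates(report)
  parse_audit_report(report).group_by(&:name).to_h do |name, advisories|
    [name, choose_target(advisories.first.version, advisories)&.to_s]
  end
end

if __FILE__ == $PROGRAM_NAME
  plan_security_updates(SAMPLE_REPORT).each do |gem, target|
    puts "#{gem}: upgrade to #{target || 'no single version satisfies all advisories'}"
  end
end
```

Running it against the sample prints `jquery-rails: upgrade to 3.1.3`, `rest-client: upgrade to 1.8.0` and `sprockets: upgrade to 2.11.3`. The nil case matters in practice: when two advisories for one gem only offer disjoint ranges (say `~> 3.1.3` and `>= 4.0.0`), there is no version that fixes both, and that gem needs a human decision rather than an automated bump.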


@KINGSABRI KINGSABRI commented Dec 24, 2015

Interesting and important, no doubt
Keep it up2date!
Thanks!
