How can I make sure my gems are safe?

I am looking for an automated way to check all the gems used on my site in Sinatra for available security updates. Is there such a thing?

My fundamental attitude to updates: if it is not broken, do not try to fix it. But if I am vulnerable, I want to know about it. By applying security updates, I keep the minimum number of possible behavior changes.

Reference Information. Most of my previous work has been in Drupal. In this community, developers can mark their module releases as security fixes. This means that my site or my CLI tools can request release data for the modules used on the current website to find out if security updates are available and notify me.

+4
4 answers

Install bundler-audit from rubysec on GitHub. Run it periodically/regularly. It is free, is updated from the CVE database of known security threats, and reports which gems in your project have updates available.

+1

As far as I know, there is no definitive way to automate this. There is no concept of a flag in Ruby gems that indicates they are security updates, etc. Most gem maintainers are pretty good at following the major.minor.patch convention for version numbers: major bumps are API-breaking, minor bumps add functionality but stay backward compatible, and patch bumps are fixes or very minor changes. Nothing there is guaranteed, though, and some gems do not even use three-part version numbers. Rails itself is a particularly egregious offender here; Rails minor bumps are universally incompatible, breaking changes. Rails patch bumps are usually security fixes.

If this is enough for your needs, you can use Bundler to specify that you only want updates at the patch level:

    gem 'foo', '~> 2.2.0'

... will install the latest patch-level version 2.2.x of the gem (for example, you might get 2.2.12, but not 2.3.0).

See the Rubygems documentation on versioning (used by Bundler) for more information on how to be conservative (“pessimistic” in their terminology). Also see their numbering guidelines. Again, keep in mind that these are not strictly enforced, and when Rails itself sets such a terrible example of violating the convention, other gem authors do not always do the right thing.

+6

If you use Bundler in your project, you can check whether you are using the latest gems with bundle outdated. To find out whether a particular version has a known vulnerability, you can use the bundler-audit gem or, alternatively, the holepicker gem. There is also the Gemnasium service, which can track your gems for you and notify you when a gem is updated or has a security problem.

Update: GitHub now tracks the Gemfile in your repository and notifies you when a gem has a security issue.

+3
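The two answers above describe the moving parts of an audit: the locked versions in Gemfile.lock, the pessimistic `~> 2.2.0` constraint, and an advisory database that says which versions are patched. The script below is an added example (not code from the page or from bundler-audit) that wires them together with RubyGems' own `Gem::Version` and `Gem::Requirement`; the lock file fragment, the gem names and the advisory ids are constructed placeholders.

```ruby
require "rubygems"

# Constructed Gemfile.lock fragment (not from a real project).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      foo (2.2.3)
      bar (1.4.0)
        foo (~> 2.2.0)
      baz (0.9.5)
LOCK

# Constructed advisories, shaped like bundler-audit's database entries
# (gem name, unaffected ranges, patched ranges); names and ids are hypothetical.
ADVISORIES = [
  { gem: "foo", id: "EXAMPLE-0001", unaffected: [], patched: [">= 2.2.5"] },
  { gem: "baz", id: "EXAMPLE-0002", unaffected: ["< 0.9.0"], patched: ["~> 0.9.4", ">= 1.0.0"] },
]

# Parse the "specs:" section of a Gemfile.lock into {name => Gem::Version}.
# Top-level specs are indented exactly four spaces; deeper lines are the
# dependencies of the spec above them and are skipped.
def locked_versions(lock_text)
  lock_text.each_line.each_with_object({}) do |line, out|
    next unless line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
    out[$1] = Gem::Version.new($2)
  end
end

# True if the version satisfies any requirement in the list.
def matches_any?(version, reqs)
  reqs.any? { |r| Gem::Requirement.new(r).satisfied_by?(version) }
end

# A locked gem is vulnerable when its version is in neither an unaffected
# nor a patched range of an advisory for that gem.
def vulnerable_gems(lock_text, advisories = ADVISORIES)
  versions = locked_versions(lock_text)
  advisories.select do |adv|
    v = versions[adv[:gem]]
    v && !matches_any?(v, adv[:unaffected]) && !matches_any?(v, adv[:patched])
  end.map { |adv| [adv[:gem], versions[adv[:gem]].to_s, adv[:id]] }
end

# Would a Gemfile constraint such as '~> 2.2.0' let Bundler pick this version?
def allowed_by?(constraint, version)
  Gem::Requirement.new(constraint).satisfied_by?(Gem::Version.new(version))
end

vulnerable_gems(LOCKFILE).each { |g, v, id| puts "#{g} #{v} is affected by #{id}" } if __FILE__ == $PROGRAM_NAME
```

Run it against a real Gemfile.lock by replacing LOCKFILE with `File.read("Gemfile.lock")`; the advisory list is the part a real tool fetches from rubysec's database.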

There is a website called Gemnasium. It checks whether the gems you are using are the latest and, if there is any security issue, it will send you an email.

+2
