You can simply run it via `bundle audit` and it will report insecure gem sources as well as library versions that have known vulnerabilities:
```
$ bundle audit
Insecure Source URI found: git://github.com/compass/compass-rails.git
Insecure Source URI found: git://github.com/sinatra/sinatra.git
Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-8048
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/pull/1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: paperclip
Version: 4.3.7
Advisory: CVE-2017-0889
Criticality: High
URL: https://github.com/thoughtbot/paperclip/pull/2435
Title: Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.
Solution: upgrade to >= 5.2.0

Vulnerabilities found!
```
To update your local copy of the Ruby Advisory DB you can use the following command:
```
$ bundle audit update
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up to date.
Current branch master is up to date.
Updated ruby-advisory-db
ruby-advisory-db: 317 advisories
```
You can also combine both of these operations via the `bundle audit check --update` command, which we execute as part of our CI pipeline.
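As an added example (not from the original post and not part of bundler-audit itself), here is a POSIX shell gate that post-processes a captured report of the layout shown above, so a CI job can fail on insecure sources and on advisories at or above a chosen criticality while letting lower-rated ones through as warnings. The sample report is constructed from the two advisories above and the function names are my own.

```shell
# Constructed sample of a `bundle audit` report (same layout as the page's output);
# in CI it would be captured with: report=$(bundle audit check --update 2>&1) || true
SAMPLE_REPORT='Insecure Source URI found: git://github.com/sinatra/sinatra.git
Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-8048
Criticality: Unknown
Solution: upgrade to >= 1.8.3

Name: paperclip
Version: 4.3.7
Advisory: CVE-2017-0889
Criticality: High
Solution: upgrade to >= 5.2.0

Vulnerabilities found!'

# count_insecure_sources REPORT: number of non-HTTPS gem sources flagged.
count_insecure_sources() {
  printf '%s\n' "$1" | awk '/^Insecure Source URI found:/ { n++ } END { print n + 0 }'
}

# filter_advisories REPORT MIN_LEVEL: prints "gem advisory criticality (solution)" for
# each advisory rated at or above MIN_LEVEL (Low < Medium < High < Critical).
# "Unknown" and unexpected labels rank like High, so unrated advisories are not waived.
filter_advisories() {
  printf '%s\n' "$1" | awk -v min="$2" '
    function rank(c) { if (c == "Low") return 1; if (c == "Medium") return 2;
                       if (c == "Critical") return 4; return 3 }
    /^Name: /        { gem = $2 }
    /^Advisory: /    { adv = $2 }
    /^Criticality: / { crit = $2 }
    /^Solution: /    { sub(/^Solution: /, "")
                       if (rank(crit) >= rank(min)) printf "%s %s %s (%s)\n", gem, adv, crit, $0
                       gem = adv = crit = "" }'
}

# audit_gate REPORT MIN_LEVEL: returns 0 when the build may proceed, 1 when an
# insecure source or an advisory at/above MIN_LEVEL is present (and lists them).
audit_gate() {
  blocking=$(filter_advisories "$1" "$2")
  sources=$(count_insecure_sources "$1")
  if [ -z "$blocking" ] && [ "$sources" -eq 0 ]; then
    return 0
  fi
  printf 'Insecure sources: %s\nBlocking advisories (>= %s):\n%s\n' "$sources" "$2" "$blocking"
  return 1
}
```

Running `audit_gate "$report" High` as the last CI step fails the job for both gems above (nokogiri because an unrated advisory is treated as High) and for the git:// source, while a Low threshold would also surface Medium and Low advisories.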
Bonus tip: when updating your vulnerable gem you may want to keep changes to a minimum, and `bundle update` has a useful `--conservative` option which will not update any shared dependencies.