Rails quick tips #4: Keep your bundle secure with bundler-audit

Michael Kohl (@citizen428) ・ 2 min read

bundler-audit is a small utility that checks your Gemfile's contents against the Ruby Advisory Database.

You can simply run it via bundle audit and it will report insecure gem sources as well as library versions that have known vulnerabilities:

$ bundle audit
Insecure Source URI found: git://github.com/compass/compass-rails.git
Insecure Source URI found: git://github.com/sinatra/sinatra.git
Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-8048
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/pull/1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: paperclip
Version: 4.3.7
Advisory: CVE-2017-0889
Criticality: High
URL: https://github.com/thoughtbot/paperclip/pull/2435
Title: Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.
Solution: upgrade to >= 5.2.0

Vulnerabilities found!

To update your local copy of the Ruby Advisory DB you can use the following command:

$ bundle audit update
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up to date.
Current branch master is up to date.
Updated ruby-advisory-db
ruby-advisory-db: 317 advisories

You can also combine both of these operations via the bundle audit check --update command, which we execute as part of our CI pipeline.

Bonus tip: when updating a vulnerable gem you may want to keep the change to a minimum; bundle update has a useful --conservative option that will not update any shared dependencies.
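To make clear what the report above is actually comparing, here is an added example (not code from the post or from the bundler-audit gem itself) that re-implements the two checks in plain Ruby: it parses a Gemfile.lock, flags source URIs with an insecure scheme, and matches resolved gem versions against advisory records. The lockfile excerpt and the advisory hashes are constructed for the example; the patched-version ranges are copied from the "Solution" lines in the report, and the record shape is an assumption modelled on the ruby-advisory-db YAML format rather than the gem's real data structures.

```ruby
# Added example: a minimal stand-in for "bundle audit" using only the
# Ruby standard library (Gem::Version / Gem::Requirement / URI).
require "rubygems"
require "uri"

# Advisory records in the shape of ruby-advisory-db entries (assumption).
# CVE ids, titles and patched ranges come from the report on the page.
ADVISORIES = [
  { gem: "nokogiri", cve: "CVE-2018-8048", criticality: "Unknown",
    title: "Revert libxml2 behavior in Nokogiri gem that could cause XSS",
    patched_versions: [">= 1.8.3"] },
  { gem: "paperclip", cve: "CVE-2017-0889", criticality: "High",
    title: "Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability",
    patched_versions: [">= 5.2.0"] },
].freeze

# Constructed Gemfile.lock excerpt reproducing the page's findings:
# one git:// source and two gems below their patched versions.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: git://github.com/sinatra/sinatra.git
    revision: 0000000000000000000000000000000000000000
    specs:
      sinatra (2.0.1)
        rack (~> 2.0)

  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.8.2)
        mini_portile2 (~> 2.3.0)
      paperclip (4.3.7)
      rack (2.0.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    paperclip
    sinatra!
LOCK

# Schemes bundler-audit treats as insecure: unauthenticated, unencrypted transports.
INSECURE_SCHEMES = %w[git http].freeze

# Parse the GIT/GEM/PATH sections of a lockfile into [source_uris, {name => Gem::Version}].
# Resolved gems sit at four-space indentation; their own dependencies (six spaces) are skipped.
def parse_lockfile(text)
  sources = []
  gems = {}
  in_source_section = false
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A[A-Z]/ # section header: GIT, GEM, PLATFORMS, DEPENDENCIES, ...
      in_source_section = %w[GIT GEM PATH].include?(line.strip)
      next
    end
    next unless in_source_section
    if (m = line.match(/\A  remote: (\S+)\z/))
      sources << m[1]
    elsif (m = line.match(/\A    (\S+) \(([^)]+)\)\z/))
      gems[m[1]] = Gem::Version.new(m[2])
    end
  end
  [sources, gems]
end

def insecure_sources(sources)
  sources.select { |uri| INSECURE_SCHEMES.include?(URI(uri).scheme) }
end

# A gem is unpatched when its resolved version satisfies none of the patched ranges.
def unpatched_gems(gems, advisories = ADVISORIES)
  advisories.each_with_object([]) do |adv, found|
    version = gems[adv[:gem]]
    next unless version
    next if adv[:patched_versions].any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
    found << { name: adv[:gem], version: version.to_s, advisory: adv[:cve],
               criticality: adv[:criticality], title: adv[:title],
               solution: "upgrade to #{adv[:patched_versions].join(' or ')}" }
  end
end

def audit(lockfile_text, advisories = ADVISORIES)
  sources, gems = parse_lockfile(lockfile_text)
  { insecure_sources: insecure_sources(sources), unpatched: unpatched_gems(gems, advisories) }
end

# Non-zero when anything was found, which is what makes a CI step fail.
def ci_exit_status(result)
  result.values.all?(&:empty?) ? 0 : 1
end

def report(result)
  result[:insecure_sources].each { |uri| puts "Insecure Source URI found: #{uri}" }
  result[:unpatched].each do |g|
    puts "Name: #{g[:name]}", "Version: #{g[:version]}", "Advisory: #{g[:advisory]}",
         "Criticality: #{g[:criticality]}", "Title: #{g[:title]}", "Solution: #{g[:solution]}", ""
  end
  puts(ci_exit_status(result).zero? ? "No vulnerabilities found" : "Vulnerabilities found!")
end

report(audit(SAMPLE_LOCKFILE))
```

The same matching is why the --conservative update works well here: only the flagged gem needs to cross the patched boundary, and the check is re-run against the new Gemfile.lock rather than the Gemfile.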


Discussion


Bundle audit with GuardRails available :) Many features. <3 <3

blog.guardrails.io/ruby-support-re...

 

Nice! The founder's a good friend of mine, he'll be happy to see this shared here :)

 

A little late to the party, but yes, I'm very happy to see this shared here <3

 

This is the first time I've heard of GuardRails. I'm looking over its home page now. Is it a CI/CD tool? Or is it specifically just for assessing vulnerabilities. It seems like a really neat tool!

 

Hello Jess, thanks for the kind words!

Right now GuardRails is available as a GitHub application that gives you security feedback directly in your Pull Requests.

In many ways, it is similar to a CI/CD tool, but one that automatically orchestrates a wide range of security tools.

Based on the languages in your repository, it would automatically select the right engines to run, unify the results, filter out irrelevant findings and false positives. The security issues are then made available as a comment in the Pull Request, with links to relevant file and line. It also provides a link to our detailed documentation on how to fix a given issue based on the language it was identified in.

In a sentence, GuardRails continuously provides you with accurate and actionable security feedback directly in your development workflow.

Looking forward to getting your feedback. Let me know if you have any questions.

 

Thank you for useful information. ( ˙꒳​˙ )

I used bundle audit, then edited Gemfile.lock..... (´Д⊂ヽ
Now trying bundle update --conservative.