{"id":13428138,"url":"https://github.com/rubysec/bundler-audit","last_synced_at":"2025-05-14T20:04:54.411Z","repository":{"id":6883861,"uuid":"8133216","full_name":"rubysec/bundler-audit","owner":"rubysec","description":"Patch-level verification for Bundler","archived":false,"fork":false,"pushed_at":"2024-09-14T18:28:18.000Z","size":563,"stargazers_count":2681,"open_issues_count":49,"forks_count":228,"subscribers_count":44,"default_branch":"master","last_synced_at":"2024-10-29T16:58:53.182Z","etag":null,"topics":["bundler-audit","dependency-checker","patch-management","ruby","ruby-advisory-db","security","security-audit","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rubysec.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog.md","contributing":null,"funding":".github/FUNDING.yml","license":"COPYING.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["postmodern","reedloden"]}},"created_at":"2013-02-11T05:41:07.000Z","updated_at":"2024-10-24T11:57:35.000Z","dependencies_parsed_at":"2024-05-01T13:19:57.100Z","dependency_job_id":"b4669799-28cf-485d-8b5a-916bb9a87555","html_url":"https://github.com/rubysec/bundler-audit","commit_stats":{"total_commits":599,"total_committers":65,"mean_commits":9.215384615384615,"dds":"0.23706176961602676","last_synced_commit":"da0eff072a9521dc2995483a8978d5a7dd4e328a"},"previous_names":["postmodern/bundler-audit"],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rubysec%2Fbundler-audit","tags_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/rubysec%2Fbundler-audit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rubysec%2Fbundler-audit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rubysec%2Fbundler-audit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rubysec","download_url":"https://codeload.github.com/rubysec/bundler-audit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234314458,"owners_count":18812697,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bundler-audit","dependency-checker","patch-management","ruby","ruby-advisory-db","security","security-audit","security-tools"],"created_at":"2024-07-31T01:00:47.192Z","updated_at":"2025-01-22T00:13:58.198Z","avatar_url":"https://github.com/rubysec.png","language":"Ruby","funding_links":["https://github.com/sponsors/postmodern","https://github.com/sponsors/reedloden"],"categories":["Testing","Security","CI/CD","OSS and Dependency management","Free Tools","Ruby","Search","Tools / services to check status of dependencies","测试","Awesome Ruby CLIs","Gems","Programming Languages"],"sub_categories":["Security","Dependency Management","Ruby","安全","Static Code Analysis"],"readme":"# bundler-audit\n\n[![CI](https://github.com/rubysec/bundler-audit/actions/workflows/ruby.yml/badge.svg)](https://github.com/rubysec/bundler-audit/actions/workflows/ruby.yml)\n[![Code 
Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)\n[![Gem Version](https://badge.fury.io/rb/bundler-audit.svg)](https://badge.fury.io/rb/bundler-audit)\n\n* [Homepage](https://github.com/rubysec/bundler-audit#readme)\n* [Issues](https://github.com/rubysec/bundler-audit/issues)\n* [Documentation](http://rubydoc.info/gems/bundler-audit/frames)\n\n## Description\n\nPatch-level verification for [bundler].\n\n## Features\n\n* Checks for vulnerable versions of gems in `Gemfile.lock`.\n* Checks for insecure gem sources (`http://` and `git://`).\n* Allows ignoring certain advisories that have been manually worked around.\n* Prints advisory information.\n* Does not require a network connection.\n\n## Synopsis\n\nAudit a project's `Gemfile.lock`:\n\n    $ bundle-audit\n    Name: actionpack\n    Version: 3.2.10\n    Advisory: OSVDB-91452\n    Criticality: Medium\n    URL: http://www.osvdb.org/show/osvdb/91452\n    Title: XSS vulnerability in sanitize_css in Action Pack\n    Solution: update to ~\u003e 2.3.18, ~\u003e 3.1.12, \u003e= 3.2.13\n\n    Name: actionpack\n    Version: 3.2.10\n    Advisory: OSVDB-91454\n    Criticality: Medium\n    URL: http://osvdb.org/show/osvdb/91454\n    Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails\n    Solution: update to ~\u003e 2.3.18, ~\u003e 3.1.12, \u003e= 3.2.13\n\n    Name: actionpack\n    Version: 3.2.10\n    Advisory: OSVDB-89026\n    Criticality: High\n    URL: http://osvdb.org/show/osvdb/89026\n    Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution\n    Solution: update to ~\u003e 2.3.15, ~\u003e 3.0.19, ~\u003e 3.1.10, \u003e= 3.2.11\n\n    Name: activerecord\n    Version: 3.2.10\n    Advisory: OSVDB-91453\n    Criticality: High\n    URL: http://osvdb.org/show/osvdb/91453\n    Title: Symbol DoS vulnerability in Active Record\n    Solution: update to ~\u003e 2.3.18, ~\u003e 3.1.12, \u003e= 
3.2.13\n\n    Name: activerecord\n    Version: 3.2.10\n    Advisory: OSVDB-90072\n    Criticality: Medium\n    URL: http://direct.osvdb.org/show/osvdb/90072\n    Title: Ruby on Rails Active Record attr_protected Method Bypass\n    Solution: update to ~\u003e 2.3.17, ~\u003e 3.1.11, \u003e= 3.2.12\n\n    Name: activerecord\n    Version: 3.2.10\n    Advisory: OSVDB-89025\n    Criticality: High\n    URL: http://osvdb.org/show/osvdb/89025\n    Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass\n    Solution: update to ~\u003e 2.3.16, ~\u003e 3.0.19, ~\u003e 3.1.10, \u003e= 3.2.11\n\n    Name: activesupport\n    Version: 3.2.10\n    Advisory: OSVDB-91451\n    Criticality: High\n    URL: http://www.osvdb.org/show/osvdb/91451\n    Title: XML Parsing Vulnerability affecting JRuby users\n    Solution: update to ~\u003e 3.1.12, \u003e= 3.2.13\n\n    Unpatched versions found!\n\nUpdate the [ruby-advisory-db] that `bundle audit` uses:\n\n    $ bundle-audit update\n    Updating ruby-advisory-db ...\n    remote: Counting objects: 44, done.\n    remote: Compressing objects: 100% (24/24), done.\n    remote: Total 39 (delta 19), reused 29 (delta 10)\n    Unpacking objects: 100% (39/39), done.\n    From https://github.com/rubysec/ruby-advisory-db\n     * branch            master     -\u003e FETCH_HEAD\n    Updating 5f8225e..328ca86\n    Fast-forward\n     CONTRIBUTORS.md                    |  1 +\n     gems/actionmailer/OSVDB-98629.yml  | 17 +++++++++++++++++\n     gems/cocaine/OSVDB-98835.yml       | 15 +++++++++++++++\n     gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++\n     gems/sounder/OSVDB-96278.yml       | 13 +++++++++++++\n     gems/wicked/OSVDB-98270.yml        | 14 ++++++++++++++\n     6 files changed, 73 insertions(+)\n     create mode 100644 gems/actionmailer/OSVDB-98629.yml\n     create mode 100644 gems/cocaine/OSVDB-98835.yml\n     create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml\n     create mode 100644 gems/sounder/OSVDB-96278.yml\n   
  create mode 100644 gems/wicked/OSVDB-98270.yml\n    ruby-advisory-db: 64 advisories\n\nUpdate the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):\n\n```shell\n$ bundle-audit check --update\n```\n\nChecking the `Gemfile.lock` without updating the [ruby-advisory-db]:\n\n```shell\n$ bundle-audit check --no-update\n```\n\nIgnore specific advisories:\n\n```shell\n$ bundle-audit check --ignore OSVDB-108664\n```\n\nChecking a custom `Gemfile.lock` file:\n\n```shell\n$ bundle-audit check --gemfile-lock Gemfile.custom.lock\n```\n\nOutput the audit's results in JSON:\n\n```shell\n$ bundle-audit check --format json\n```\n\nOutput the audit's results in JSON, to a file:\n\n```shell\n$ bundle-audit check --format json --output bundle-audit.json\n```\n\n## Rake Tasks\n\nBundler-audit provides `rake` tasks for checking the code and for updating\nits vulnerability database.\n\nSimply add the following code to the `Rakefile`:\n\n```ruby\nrequire 'bundler/audit/task'\nBundler::Audit::Task.new\n```\n\nThe following `rake` tasks will then become available:\n\n```bash\n$ rake -T\nrake bundle:audit\nrake bundle:audit:update\n```\n\n## Configuration File\n\nbundler-audit also supports a per-project configuration file:\n\n`.bundler-audit.yml`:\n\n```yaml\n---\nignore:\n  - CVE-YYYY-XXXX\n  - ...\n```\n\n* `ignore:` \\[Array\\\u003cString\\\u003e\\] - A list of advisory IDs to ignore.\n\nYou can provide a path to a config file using the `--config` flag:\n\n```shell\n$ bundle-audit check --config bundler-audit.custom.yaml\n```\n\n## Requirements\n\n* [git]\n* [ruby] \u003e= 2.0.0\n* [rubygems] \u003e= 1.8\n* [thor] ~\u003e 1.0\n* [bundler] \u003e= 1.2.0, \u003c 3\n\n## Install\n\n```shell\n$ [sudo] gem install bundler-audit\n```\n\n### Git\n\n* Debian / Ubuntu:\n\n```shell\n$ sudo apt install git\n```\n\n* RedHat / Fedora:\n\n```shell\n$ sudo dnf install git\n```\n\n* Alpine Linux:\n\n```shell\n$ apk add git\n```\n\n* macOS:\n\n```shell\n$ brew install git\n```\n\n## 
Contributing\n\n1. https://github.com/rubysec/bundler-audit/fork\n2. `git clone YOUR_FORK_URI`\n3. `cd bundler-audit/`\n4. `bundle install`\n5. `bundle exec rake spec`\n6. `git checkout -b YOUR_FEATURE`\n7. Make your changes\n8. `bundle exec rake spec`\n9. `git commit -a`\n10. `git push origin YOUR_FEATURE`\n\n## License\n\nCopyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)\n\nbundler-audit is free software: you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation, either version 3 of the License, or\n(at your option) any later version.\n\nbundler-audit is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with bundler-audit.  If not, see \u003chttps://www.gnu.org/licenses/\u003e.\n\n[git]: https://git-scm.com\n[ruby]: https://ruby-lang.org\n[rubygems]: https://rubygems.org\n[thor]: http://whatisthor.com/\n[bundler]: https://bundler.io\n\n[OSVDB]: http://osvdb.org/\n[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frubysec%2Fbundler-audit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frubysec%2Fbundler-audit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frubysec%2Fbundler-audit/lists"}
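The README embedded above describes what `bundle-audit check` does (flag gems in `Gemfile.lock` whose version is outside every patched range of an advisory, flag `http://` and `git://` sources, honour an `ignore:` list) without showing the matching logic. The following is an added example, not bundler-audit's own code: a self-contained miniature of that pass using only rubygems' `Gem::Version` / `Gem::Requirement`. The lockfile and the advisory hashes are constructed for the example (the advisory IDs and patched ranges are copied from the README's sample run); the lockfile reader is a deliberately minimal stand-in for the `Bundler::LockfileParser` that the real tool uses, and it does not handle platform-suffixed versions.

```ruby
# Added example, not bundler-audit's own code: a miniature of the checks the
# README lists (unpatched gems, insecure sources, `ignore:` list).
require 'rubygems'
require 'uri'

# Constructed sample Gemfile.lock (not a real project): the README's
# actionpack/activesupport 3.2.10 plus a gem fetched over an insecure git:// remote.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: git://github.com/example/somegem.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      somegem (0.1.0)

  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.10)
        activesupport (= 3.2.10)
      activesupport (3.2.10)
      rake (13.2.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    actionpack
    rake
    somegem!
LOCK

# Constructed advisory hashes shaped like ruby-advisory-db YAML entries; the IDs
# and patched ranges are the ones printed in the README's sample run.
SAMPLE_ADVISORIES = [
  { 'gem' => 'actionpack', 'id' => 'OSVDB-89026', 'criticality' => 'High',
    'patched_versions' => ['~> 2.3.15', '~> 3.0.19', '~> 3.1.10', '>= 3.2.11'] },
  { 'gem' => 'activesupport', 'id' => 'OSVDB-91451', 'criticality' => 'High',
    'patched_versions' => ['~> 3.1.12', '>= 3.2.13'] }
].freeze

# Minimal lockfile reader (bundler-audit itself uses Bundler::LockfileParser).
# Returns [{name:, version:, remote:}, ...]. Only 4-space-indented "name (version)"
# lines are gems; the 6-space lines beneath them are dependency edges.
def parse_lockfile(text)
  specs = []
  remote = nil
  text.each_line do |line|
    if line =~ /\A[A-Z]+\s*\z/ # section header: GIT, GEM, PATH, ...
      remote = nil
    elsif line =~ /\A {2}remote: (\S+)/
      remote = Regexp.last_match(1)
    elsif line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
      specs << { name: Regexp.last_match(1), version: Regexp.last_match(2), remote: remote }
    end
  end
  specs
end

# Schemes with neither integrity nor authenticity: an on-path attacker can swap
# gem contents. SSH-style "git@host:path" remotes are not URIs; treat as not flagged.
INSECURE_SCHEMES = %w[http git].freeze

def insecure_sources(specs)
  specs.map { |s| s[:remote] }.compact.uniq.select do |remote|
    begin
      INSECURE_SCHEMES.include?(URI.parse(remote).scheme)
    rescue URI::InvalidURIError
      false
    end
  end
end

# An advisory range is one string that may carry several comma-separated
# constraints (e.g. "~> 3.1.10, >= 3.1.10.1"), so split before building it.
def requirement(range)
  Gem::Requirement.new(*range.split(', '))
end

# Vulnerable unless the version is explicitly unaffected or inside a patched
# range (the rule bundler-audit's Advisory#vulnerable? applies).
def vulnerable?(advisory, version)
  v = Gem::Version.new(version)
  safe = advisory.fetch('unaffected_versions', []) + advisory.fetch('patched_versions', [])
  safe.none? { |range| requirement(range).satisfied_by?(v) }
end

# Full pass: insecure sources first, then every (gem, advisory) match whose ID is
# not on the ignore list (the README's --ignore flag / .bundler-audit.yml).
def audit(lockfile_text, advisories, ignore: [])
  specs = parse_lockfile(lockfile_text)
  findings = insecure_sources(specs).map { |r| { type: :insecure_source, source: r } }
  specs.each do |spec|
    advisories.each do |adv|
      next if ignore.include?(adv['id'])
      next unless adv['gem'] == spec[:name] && vulnerable?(adv, spec[:version])
      findings << { type: :unpatched_gem, name: spec[:name], version: spec[:version],
                    advisory: adv['id'], criticality: adv['criticality'],
                    solution: "update to #{adv['patched_versions'].join(', ')}" }
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES).each do |f|
    puts(f[:type] == :insecure_source ? "Insecure Source URI found: #{f[:source]}" :
         "#{f[:name]} #{f[:version]}: #{f[:advisory]} (#{f[:criticality]}), #{f[:solution]}")
  end
end
```

Run as a script it prints one line per finding for the constructed lockfile (the `git://` remote and the two unpatched 3.2.10 gems). In a CI hook the real tool additionally exits non-zero when anything is reported, which is what makes `bundle-audit check --update` fail the build; the `ignore:` argument models the README's `--ignore` / `.bundler-audit.yml` mechanism, so an advisory you have worked around by other means drops out of the findings while the rest still fail the run.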