Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/appfolio/gemsurance
Gem vulnerability checker using rubysec/ruby-advisory-db
https://github.com/appfolio/gemsurance
gem ruby vulnerability
Last synced: about 2 months ago
JSON representation
Gem vulnerability checker using rubysec/ruby-advisory-db
- Host: GitHub
- URL: https://github.com/appfolio/gemsurance
- Owner: appfolio
- License: mit
- Archived: true
- Created: 2013-07-05T18:38:40.000Z (over 11 years ago)
- Default Branch: master
- Last Pushed: 2022-02-16T18:45:35.000Z (almost 3 years ago)
- Last Synced: 2024-04-26T15:21:55.781Z (8 months ago)
- Topics: gem, ruby, vulnerability
- Language: Ruby
- Homepage:
- Size: 470 KB
- Stars: 212
- Watchers: 143
- Forks: 25
- Open Issues: 6
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
Awesome Lists containing this project
README
[![Build Status](https://api.travis-ci.org/appfolio/gemsurance.svg?branch=master)](http://travis-ci.org/appfolio/gemsurance) [![Gem Version](https://badge.fury.io/rb/gemsurance.svg)](http://badge.fury.io/rb/gemsurance) [![Code Climate](https://codeclimate.com/github/appfolio/gemsurance.png)](https://codeclimate.com/github/appfolio/gemsurance)
# Gemsurance: Insurance for your GemsGemsurance is a tool for monitoring if any of your Ruby Gems are out-of-date or vulnerable. It uses [Bundler](https://github.com/bundler/bundler) and the [Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db) to do so. It's similar to bundler-audit, but outputs an HTML report and determines which gems are out-of-date as well.
## Getting started
To install Gemsurance, add
```ruby
gem 'gemsurance'
```
to your Gemfile and run bundle install.Use gemsurance by running
```sh
bundle exec gemsurance [options]
```
from the directory containing the Gemfile whose gems you wish to check.This will output an HTML file (named gemsurance_report.html by default) in the current directory containing a report of your gem status: which gems are out-of-date and which gems have reported vulnerabilities in the Ruby Advisory Database. The Ruby Advisory Database git repo will be checked out into tmp/vulnerabilities relative to the working directory.
![Example Gemsurance report](https://raw.github.com/appfolio/gemsurance/master/images/gemsurance_report.png)
Gems that are up-to-date are colored green and gems that are out-of-date but without reported vulnerabilities are colored yellow. Vulnerable gems are colored red, and information about the vulnerability and versions with a patch for the issue is displayed in the rightmost column.
Gemsurance exits with code 0 if there are no gems with reported vulnerabilities and code 1 if there are any such gems.
### Integration into a Rails RSpec suite
Running the gemsurance check as part of your RSpec test suite will cause an RSpec failure whenever a gem with a known vulnerability is detected in your application. This is incredibly useful if your application is tested regularly by a CI build. You can set this up by adding sample_spec/gemsurance_spec.rb to your RSpec tests.### Command-line options
Command-line options to the gemsurance executable are as follows:
- --pre: Consider pre-release gem versions
- --output FILE: Output report to specified file
- --whitelist FILE: Read whitelist from file. Defaults to .gemsurance.yml
- --format FORMAT: Output report to specified format (html, csv, & yml available). Html by default.The whitelist must be in the format
```yaml
---
nokogiri:
CVE-2015-1819:
- 1.5.9
- 1.6.0
OSVDB-101179:
- 1.5.6
- 1.6.0
```## TODOs
- Support Git versions of gems
- Formatting as JSON## Contributing
Contributions are always welcome. Please fork the repo and create a pull request or create an issue.## Acknowledgements
Thanks to Bundler and the Ruby Advisory Database, upon which Gemsurance is based.## License
MIT License.