Giter Site home page Giter Site logo

bundler-audit's Introduction

bundler-audit

CI Code Climate Gem Version

Description

Patch-level verification for bundler.

Features

  • Checks for vulnerable versions of gems in Gemfile.lock.
  • Checks for insecure gem sources (http:// and git://).
  • Allows ignoring certain advisories that have been manually worked around.
  • Prints advisory information.
  • Does not require a network connection.

Synopsis

Audit a project's Gemfile.lock:

$ bundle-audit
Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91452
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/91452
Title: XSS vulnerability in sanitize_css in Action Pack
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91454
Criticality: Medium
URL: http://osvdb.org/show/osvdb/91454
Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-89026
Criticality: High
URL: http://osvdb.org/show/osvdb/89026
Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-91453
Criticality: High
URL: http://osvdb.org/show/osvdb/91453
Title: Symbol DoS vulnerability in Active Record
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-90072
Criticality: Medium
URL: http://direct.osvdb.org/show/osvdb/90072
Title: Ruby on Rails Active Record attr_protected Method Bypass
Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-89025
Criticality: High
URL: http://osvdb.org/show/osvdb/89025
Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activesupport
Version: 3.2.10
Advisory: OSVDB-91451
Criticality: High
URL: http://www.osvdb.org/show/osvdb/91451
Title: XML Parsing Vulnerability affecting JRuby users
Solution: upgrade to ~> 3.1.12, >= 3.2.13

Unpatched versions found!

Update the ruby-advisory-db that bundle audit uses:

$ bundle-audit update
Updating ruby-advisory-db ...
remote: Counting objects: 44, done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 39 (delta 19), reused 29 (delta 10)
Unpacking objects: 100% (39/39), done.
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Updating 5f8225e..328ca86
Fast-forward
 CONTRIBUTORS.md                    |  1 +
 gems/actionmailer/OSVDB-98629.yml  | 17 +++++++++++++++++
 gems/cocaine/OSVDB-98835.yml       | 15 +++++++++++++++
 gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
 gems/sounder/OSVDB-96278.yml       | 13 +++++++++++++
 gems/wicked/OSVDB-98270.yml        | 14 ++++++++++++++
 6 files changed, 73 insertions(+)
 create mode 100644 gems/actionmailer/OSVDB-98629.yml
 create mode 100644 gems/cocaine/OSVDB-98835.yml
 create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
 create mode 100644 gems/sounder/OSVDB-96278.yml
 create mode 100644 gems/wicked/OSVDB-98270.yml
ruby-advisory-db: 64 advisories

Update the ruby-advisory-db and check Gemfile.lock (useful for CI runs):

$ bundle-audit check --update

Checking the Gemfile.lock without updating the ruby-advisory-db:

$ bundle-audit check --no-update

Ignore specific advisories:

$ bundle-audit check --ignore OSVDB-108664

Checking a custom Gemfile.lock file:

$ bundle-audit check --gemfile Gemfile.custom.lock

Output the audit's results in JSON:

$ bundle-audit check --format json

Output the audit's results in JSON, to a file:

$ bundle-audit check --format json --output bundle-audit.json

Rake Tasks

Bundler-audit provides Rake tasks for checking the code and for updating its vulnerability database:

rake bundle:audit
rake bundle:audit:update

Configuration File

bundler-audit also supports a per-project configuration file:

.bundler-audit.yml:

---
ignore:
  - CVE-YYYY-XXXX
  - ...
  • ignore: [Array<String>] - A list of advisory IDs to ignore.

You can provide a path to a config file using the --config flag:

$ bundle-audit check --config bundler-audit.custom.yaml

Requirements

Install

$ [sudo] gem install bundler-audit

Git

  • Debian / Ubuntu:

    $ sudo apt install git

  • RedHat / Fedora:

    $ sudo dnf install git

  • Alpine Linux:

    $ apk add git

  • macOS:

    $ brew install git

Contributing

  1. https://github.com/rubysec/bundler-audit/fork
  2. git clone YOUR_FORK_URI
  3. cd bundler-audit/
  4. bundle install
  5. bundle exec rake spec
  6. git checkout -b YOUR_FEATURE
  7. Make your changes
  8. bundle exec rake spec
  9. git commit -a
  10. git push origin YOUR_FEATURE

License

Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)

bundler-audit is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

bundler-audit is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with bundler-audit. If not, see https://www.gnu.org/licenses/.

bundler-audit's People

Contributors

postmodern avatar reedloden avatar dependabot[bot] avatar mrjoy avatar rschultheis avatar grosser avatar eliotsykes avatar juanitofatas avatar petergoldstein avatar retornam avatar woodbusy avatar radar avatar paulrbr avatar rizalmuthi avatar mariuz avatar markborcherding avatar jaredbeck avatar dekz avatar alex avatar oliverklee avatar gonzoyumo avatar phereford avatar pjmartorell avatar rwojnarowski avatar rslhdyt avatar vaporyhumo avatar rmoriz avatar sds avatar stouset avatar onk avatar

Watchers

James Cloos avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.