mrjoy-bundler-audit

Description

Patch-level verification for Bundler.

Features
- Checks for vulnerable versions of gems in Gemfile.lock.
- Checks for insecure gem sources (http://).
- Allows ignoring certain advisories that have been manually worked around.
- Prints advisory information.
- Does not require a network connection.
Benefits of This Fork

This fork is frequently synchronized with both master and the relevant branches from upstream. In addition:

- IMPORTANT: The upstream repository's master branch and current gem release (v0.3.1) use a vendored copy of the vulnerability database by default. As of v0.3.2, this branch incorporates the upstream gut_vendored_db branch, which fixes the problems caused by using a vendored DB. Read here for more info.
- Simpler, more robust testing infrastructure for greater assurance of code quality, and easier contribution.
- Emphasis on simplifying code based on CodeClimate results, to ensure code is as easy as possible to reason about.
- Emphasis on improving the upstream version's excellent C0 code coverage to as close to 100% as possible.
Synopsis

Audit a project's Gemfile.lock:

    $ bundle-audit
    Name: actionpack
    Version: 3.2.10
    Advisory: OSVDB-91452
    Criticality: Medium
    URL: http://www.osvdb.org/show/osvdb/91452
    Title: XSS vulnerability in sanitize_css in Action Pack
    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

    Name: actionpack
    Version: 3.2.10
    Advisory: OSVDB-91454
    Criticality: Medium
    URL: http://osvdb.org/show/osvdb/91454
    Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

    Name: actionpack
    Version: 3.2.10
    Advisory: OSVDB-89026
    Criticality: High
    URL: http://osvdb.org/show/osvdb/89026
    Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
    Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

    Name: activerecord
    Version: 3.2.10
    Advisory: OSVDB-91453
    Criticality: High
    URL: http://osvdb.org/show/osvdb/91453
    Title: Symbol DoS vulnerability in Active Record
    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

    Name: activerecord
    Version: 3.2.10
    Advisory: OSVDB-90072
    Criticality: Medium
    URL: http://direct.osvdb.org/show/osvdb/90072
    Title: Ruby on Rails Active Record attr_protected Method Bypass
    Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12

    Name: activerecord
    Version: 3.2.10
    Advisory: OSVDB-89025
    Criticality: High
    URL: http://osvdb.org/show/osvdb/89025
    Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
    Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

    Name: activesupport
    Version: 3.2.10
    Advisory: OSVDB-91451
    Criticality: High
    URL: http://www.osvdb.org/show/osvdb/91451
    Title: XML Parsing Vulnerability affecting JRuby users
    Solution: upgrade to ~> 3.1.12, >= 3.2.13

    Unpatched versions found!
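To make concrete what the checks in the feature list and the audit output above actually do, here is an added, self-contained example that is not code from mrjoy-bundler-audit or upstream bundler-audit. It uses only RubyGems' Gem::Version and Gem::Requirement to parse a constructed Gemfile.lock, flag an http:// source, match installed versions against a constructed advisory list (the ids and patched ranges are taken from the sample output above), honour an ignore list, and print a report in the same field order. The lockfile, the advisory records and the function names are all assumptions made for the example.

```ruby
# Added example, not part of mrjoy-bundler-audit: a minimal offline audit of a
# Gemfile.lock mirroring the README's feature list, built on RubyGems' own
# Gem::Version / Gem::Requirement rather than the gem's classes.
require 'rubygems'

# Constructed Gemfile.lock. The http:// remote is deliberate so the
# insecure-source check has something to report.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: http://rubygems.org/
    specs:
      actionpack (3.2.10)
        activesupport (= 3.2.10)
      activesupport (3.2.10)
      rake (10.1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    actionpack
    rake
LOCK

# Constructed advisory records shaped like ruby-advisory-db entries; the ids
# and patched ranges are copied from the README's sample output.
ADVISORIES = [
  { gem: 'actionpack', id: 'OSVDB-91452', criticality: 'Medium',
    url: 'http://www.osvdb.org/show/osvdb/91452',
    title: 'XSS vulnerability in sanitize_css in Action Pack',
    patched_versions: ['~> 2.3.18', '~> 3.1.12', '>= 3.2.13'] },
  { gem: 'actionpack', id: 'OSVDB-89026', criticality: 'High',
    url: 'http://osvdb.org/show/osvdb/89026',
    title: 'Action Pack Type Casting Parameter Parsing Remote Code Execution',
    patched_versions: ['~> 2.3.15', '~> 3.0.19', '~> 3.1.10', '>= 3.2.11'] },
  { gem: 'activesupport', id: 'OSVDB-91451', criticality: 'High',
    url: 'http://www.osvdb.org/show/osvdb/91451',
    title: 'XML Parsing Vulnerability affecting JRuby users',
    patched_versions: ['~> 3.1.12', '>= 3.2.13'] }
].freeze

# Parse the GEM section(s) of a lockfile into remote URLs and a
# {gem name => Gem::Version} map. Bundler writes specs at a 4-space indent
# and their dependencies at 6, so the anchored regex skips dependencies.
def parse_lockfile(text)
  remotes = []
  specs = {}
  in_gem = false
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A\S/                      # section header: GEM, PLATFORMS, ...
      in_gem = (line == 'GEM')
      next
    end
    next unless in_gem
    if (m = line.match(/\A  remote: (\S+)\z/))
      remotes << m[1]
    elsif (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  { remotes: remotes, specs: specs }
end

# A version is vulnerable when it satisfies none of the patched ranges.
def vulnerable?(advisory, version)
  advisory[:patched_versions].none? do |range|
    Gem::Requirement.new(range).satisfied_by?(version)
  end
end

# Plain-http sources allow a network attacker to substitute gem contents.
def insecure_sources(remotes)
  remotes.select { |r| r.start_with?('http://') }
end

# Run all checks; `ignore` lists advisory ids that were worked around manually.
def audit(lockfile_text, advisories: ADVISORIES, ignore: [])
  lock = parse_lockfile(lockfile_text)
  findings = advisories.select do |adv|
    version = lock[:specs][adv[:gem]]
    version && !ignore.include?(adv[:id]) && vulnerable?(adv, version)
  end
  { insecure_sources: insecure_sources(lock[:remotes]),
    findings: findings, specs: lock[:specs] }
end

# Render the result in the same field order as the README's sample output.
def report(result)
  out = result[:insecure_sources].map { |s| "Insecure Source URI found: #{s}" }
  result[:findings].each do |adv|
    out << "Name: #{adv[:gem]}"
    out << "Version: #{result[:specs][adv[:gem]]}"
    out << "Advisory: #{adv[:id]}"
    out << "Criticality: #{adv[:criticality]}"
    out << "URL: #{adv[:url]}"
    out << "Title: #{adv[:title]}"
    out << "Solution: upgrade to #{adv[:patched_versions].join(', ')}"
    out << ''
  end
  out << (result[:findings].empty? ? 'No unpatched versions found' : 'Unpatched versions found!')
  out.join("\n")
end

puts report(audit(SAMPLE_LOCKFILE))
```

Running the file prints the insecure-source line, three advisory blocks (actionpack 3.2.10 fails both of its patched ranges, activesupport 3.2.10 fails its one) and the closing "Unpatched versions found!"; passing `ignore: ['OSVDB-91452']` to `audit` drops that finding while still reporting the other two. Because advisories are matched with Gem::Requirement, pessimistic ranges such as `~> 3.1.12` behave exactly as they do in a Gemfile, and nothing here needs network access.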
Update the ruby-advisory-db that bundle-audit uses:

    $ bundle-audit update
    Updating ruby-advisory-db ...
    remote: Counting objects: 44, done.
    remote: Compressing objects: 100% (24/24), done.
    remote: Total 39 (delta 19), reused 29 (delta 10)
    Unpacking objects: 100% (39/39), done.
    From https://github.com/rubysec/ruby-advisory-db
     * branch            master     -> FETCH_HEAD
    Updating 5f8225e..328ca86
    Fast-forward
     CONTRIBUTORS.md                   |  1 +
     gems/actionmailer/OSVDB-98629.yml | 17 +++++++++++++++++
     gems/cocaine/OSVDB-98835.yml      | 15 +++++++++++++++
     gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
     gems/sounder/OSVDB-96278.yml      | 13 +++++++++++++
     gems/wicked/OSVDB-98270.yml       | 14 ++++++++++++++
     6 files changed, 73 insertions(+)
     create mode 100644 gems/actionmailer/OSVDB-98629.yml
     create mode 100644 gems/cocaine/OSVDB-98835.yml
     create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
     create mode 100644 gems/sounder/OSVDB-96278.yml
     create mode 100644 gems/wicked/OSVDB-98270.yml
    ruby-advisory-db: 64 advisories
Requirements

Install

    $ gem install mrjoy-bundler-audit

Or in your Gemfile:

    gem 'mrjoy-bundler-audit', :require => nil

Or in your Gemfile:

    gem 'bundler-audit', :require => nil
License

Copyright © 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
Modifications Copyright © 2013-2014 Jon Frisby (jfrisby@mrjoy.com), or their respective authors.
mrjoy-bundler-audit is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
mrjoy-bundler-audit is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with mrjoy-bundler-audit. If not, see www.gnu.org/licenses/.