bundler-audit
bundler-audit is a gem which provides patch-level verification for Bundler. When you use Bundler, a lockfile (Gemfile.lock) is generated in your project, and bundler-audit scans your Gemfile.lock to see if you are:
- Using a vulnerable version of a gem
- Installing gems from an insecure source such as http:// or git@
Let's see how we can use bundler-audit.
First, install bundler-audit:
$ gem install bundler-audit
Let's take a look at an example. The following is the output when run against jollygoodcode/dasherize's Gemfile@1eaf973:
$ bundle-audit
Insecure Source URI found: git://github.com/rails/turbolinks.git
Vulnerabilities found!
Note that the command is bundle-audit instead of bundler-audit.
bundler-audit is warning us that an "Insecure Source URI" has been found. That's because a gem is installed from an insecure source, git://github.com, which could be subject to MITM attacks: the git:// protocol is neither encrypted nor authenticated, so what you clone can be tampered with in transit. The solution is to either install the gem over https:// or use a released gem.
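To make concrete what the "Insecure Source URI" check looks at, here is a small stand-alone Ruby scanner (an added example, not bundler-audit's own code) that reads the remote: lines of a Gemfile.lock and flags the source forms listed above: http://, git:// and git@. The lockfile content, the gem versions and the http://gems.example.internal/ remote are constructed for the example.

```ruby
# Added example (not bundler-audit's own code): flag insecure "remote:" entries
# in a Gemfile.lock by the forms the post lists: http://, git:// and git@host.
require "uri"

INSECURE_SCHEMES = %w[http git].freeze

# True when a source URI is plaintext or unauthenticated by that rule.
def insecure_remote?(remote)
  return true if remote.start_with?("git@")  # scp-style git@host:path form
  scheme = URI.parse(remote).scheme
  scheme.nil? || INSECURE_SCHEMES.include?(scheme.downcase)
rescue URI::InvalidURIError
  true                                        # unparseable remote: do not trust it
end

# Unindented lines start lockfile sections (GIT, GEM, PATH, ...); "remote:"
# lines inside GIT/GEM sections are the source URIs worth checking.
def insecure_sources(lockfile_text)
  section = nil
  lockfile_text.each_line.with_object([]) do |line, found|
    if line.match?(/\A\S/)
      section = line.strip
    elsif %w[GEM GIT].include?(section) && (m = line.match(/\A\s+remote:\s*(\S+)/))
      found << m[1] if insecure_remote?(m[1])
    end
  end
end

# Constructed Gemfile.lock: the git:// source from the post's output, a normal
# https:// rubygems remote (fine) and a constructed http:// mirror (flagged).
SAMPLE_LOCKFILE = <<~LOCK
GIT
  remote: git://github.com/rails/turbolinks.git
  specs:
    turbolinks (2.5.3)

GEM
  remote: https://rubygems.org/
  remote: http://gems.example.internal/
  specs:
    rake (10.4.2)
LOCK

# Same shape of report as bundle-audit; a CI wrapper would exit non-zero here.
found = insecure_sources(SAMPLE_LOCKFILE)
found.each { |uri| puts "Insecure Source URI found: #{uri}" }
puts "Vulnerabilities found!" unless found.empty?
```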
How does bundler-audit know about all the vulnerabilities?
Beneath the hood, bundler-audit uses data from ruby-advisory-db to check your Gemfile.lock. While bundler-audit ships with vendored data, you should update the ruby-advisory-db data every time before you run bundle-audit:
$ bundle-audit update
Hook bundler-audit into your CI Workflow
It's easy to integrate bundler-audit as part of your CI workflow, and the following steps work for any Ruby project (it doesn't have to be Rails).
First, add a rake task:
$ touch lib/bundler/audit/task.rb
with the following content:
require "rake/tasklib"

module Bundler
  module Audit
    class Task < Rake::TaskLib
      def initialize
        define
      end

      protected

      def define
        namespace :bundle do
          desc "Updates the ruby-advisory-db then runs bundle-audit"
          task :audit do
            require "bundler/audit/cli"
            # `update` refreshes the ruby-advisory-db data, then `check`
            # scans Gemfile.lock and reports any findings.
            %w(update check).each do |command|
              Bundler::Audit::CLI.start [command]
            end
          end
        end
      end
    end
  end
end
If you run your specs or tests with rake, add this to your Rakefile:
require_relative "lib/bundler/audit/task"
Bundler::Audit::Task.new
task default: "bundle:audit"
Or to any other form of rake file: rakefile, Rakefile, rakefile.rb, Rakefile.rb.
Now when you run rake with this new rake task, rake will first run your tests, and then update ruby-advisory-db before executing bundle-audit.
Secure your app with bundler-audit today!
bundler-audit is brought to you by rubysec, kudos to @rubysec & @postmodern.
Thanks for reading!
@JuanitoFatas ✏️ Jolly Good Code
About Jolly Good Code
We specialise in Agile practices and Ruby, and we love contributing to open source.
Speak to us about your next big idea, or check out our projects.