[Awesome Ruby Gem] Use bundler-audit gem to find vulnerable version gems in your Gemfile.lock

bundler-audit

bundler-audit is a utility that reads an application's Gemfile.lock and checks every locked gem version against rubysec/ruby-advisory-db, a database of vulnerable Ruby gems (https://github.com/rubysec/ruby-advisory-db), to report whether the application is using a version with a known advisory.

Features

  • Checks for vulnerable versions of gems in Gemfile.lock.

  • Checks for insecure gem sources (http://).

  • Allows ignoring certain advisories that have been manually worked around.

  • Prints advisory information.

  • Does not require a network connection to run a check (only `bundle-audit update`, which fetches the advisory database, needs one).

Installation

You can install it as a gem:

$ gem install bundler-audit

or add it into a Gemfile (Bundler):

# Gemfile

# Put gems used only for development or testing in the appropriate group in the Gemfile
group :development do
  # rubysec/bundler-audit: Patch-level verification for Bundler
  # https://github.com/rubysec/bundler-audit
  gem 'bundler-audit', '0.8.0'
end

Then, run bundle install.

$ bundle install

Synopsis

Audit a project’s Gemfile.lock:

$ bundle-audit
Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91452
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/91452
Title: XSS vulnerability in sanitize_css in Action Pack
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91454
Criticality: Medium
URL: http://osvdb.org/show/osvdb/91454
Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-89026
Criticality: High
URL: http://osvdb.org/show/osvdb/89026
Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-91453
Criticality: High
URL: http://osvdb.org/show/osvdb/91453
Title: Symbol DoS vulnerability in Active Record
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-90072
Criticality: Medium
URL: http://direct.osvdb.org/show/osvdb/90072
Title: Ruby on Rails Active Record attr_protected Method Bypass
Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-89025
Criticality: High
URL: http://osvdb.org/show/osvdb/89025
Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activesupport
Version: 3.2.10
Advisory: OSVDB-91451
Criticality: High
URL: http://www.osvdb.org/show/osvdb/91451
Title: XML Parsing Vulnerability affecting JRuby users
Solution: upgrade to ~> 3.1.12, >= 3.2.13

Unpatched versions found!
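To make the Solution lines above concrete, here is an added Ruby example (not code from bundler-audit or from this post) that reads the locked versions out of a constructed Gemfile.lock fragment, tests each against an advisory's patched-version requirements with Gem::Requirement, which mirrors the patched_versions test bundler-audit performs (real advisories also carry unaffected_versions, omitted here), flags a plain http:// source, and honours an ignore list like the --ignore flag. The advisory entries are constructed from the output above.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Constructed sample: the GEM/specs section of a Gemfile.lock, served from
# an http:// source (the insecure-source case bundler-audit also flags).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: http://rubygems.org/
    specs:
      actionpack (3.2.10)
        activesupport (= 3.2.10)
      activesupport (3.2.10)
      rake (10.0.4)
LOCK

# Constructed advisories: ids, gems and "Solution" requirements copied from
# the bundle-audit output above (real entries also list unaffected_versions).
ADVISORIES = [
  { id: "OSVDB-91452", gem: "actionpack", patched: ["~> 2.3.18", "~> 3.1.12", ">= 3.2.13"] },
  { id: "OSVDB-89026", gem: "actionpack", patched: ["~> 2.3.15", "~> 3.0.19", "~> 3.1.10", ">= 3.2.11"] },
  { id: "OSVDB-91451", gem: "activesupport", patched: ["~> 3.1.12", ">= 3.2.13"] },
]

# Locked gems sit exactly four spaces deep: "    name (version)";
# deeper-indented lines are dependency constraints, not locked versions.
def parse_lock_specs(lock_text)
  lock_text.lines.filter_map do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    [m[1], Gem::Version.new(m[2])] if m
  end.to_h
end

# A plain http:// "remote:" can be tampered with in transit.
def insecure_sources(lock_text)
  lock_text.scan(%r{^\s*remote: (http://\S+)}).flatten
end

# Patched if the version satisfies ANY of the patched requirements.
def vulnerable?(version, patched_reqs)
  patched_reqs.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Advisory ids that apply to the lock, skipping those passed as ignore:
def audit(lock_text, advisories, ignore: [])
  specs = parse_lock_specs(lock_text)
  advisories.filter_map do |adv|
    next if ignore.include?(adv[:id])
    version = specs[adv[:gem]] or next
    adv[:id] if vulnerable?(version, adv[:patched])
  end
end
```

Run against the constructed lock, audit reports all three advisories for the 3.2.10 gems, and `ignore: ["OSVDB-91452"]` drops the first, just as `--ignore OSVDB-91452` would.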

Update the ruby-advisory-db that bundle audit uses:

$ bundle-audit update
Updating ruby-advisory-db ...
remote: Counting objects: 44, done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 39 (delta 19), reused 29 (delta 10)
Unpacking objects: 100% (39/39), done.
From https://github.com/rubysec/ruby-advisory-db
* branch master -> FETCH_HEAD
Updating 5f8225e..328ca86
Fast-forward
CONTRIBUTORS.md | 1 +
gems/actionmailer/OSVDB-98629.yml | 17 +++++++++++++++++
gems/cocaine/OSVDB-98835.yml | 15 +++++++++++++++
gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
gems/sounder/OSVDB-96278.yml | 13 +++++++++++++
gems/wicked/OSVDB-98270.yml | 14 ++++++++++++++
6 files changed, 73 insertions(+)
create mode 100644 gems/actionmailer/OSVDB-98629.yml
create mode 100644 gems/cocaine/OSVDB-98835.yml
create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
create mode 100644 gems/sounder/OSVDB-96278.yml
create mode 100644 gems/wicked/OSVDB-98270.yml
ruby-advisory-db: 64 advisories

Update the ruby-advisory-db and check Gemfile.lock (useful for CI runs):

$ bundle-audit check --update

Checking the Gemfile.lock without updating the ruby-advisory-db:

$ bundle-audit check --no-update

Ignore specific advisories:

$ bundle-audit check --ignore OSVDB-108664

Checking a custom Gemfile.lock file:

$ bundle-audit check --gemfile Gemfile.custom.lock

Output the audit’s results in JSON:

$ bundle-audit check --format json

Output the audit’s results in JSON, to a file:

$ bundle-audit check --format json --output bundle-audit.json

Rake Tasks

Bundler-audit provides Rake tasks for checking the code and for updating its vulnerability database:

rake bundle:audit
rake bundle:audit:update

Configuration File

bundler-audit also supports a per-project configuration file:

.bundler-audit.yml:

---
ignore:
- CVE-YYYY-XXXX
- ...
ignore: [Array<String>] - A list of advisory IDs to ignore.

You can provide a path to a config file using the --config flag:

$ bundle-audit check --config bundler-audit.custom.yaml
