[Rails] Using OSV-Scanner to find existing vulnerabilities affecting your Rails application dependencies

Recently, Google released the open source vulnerability scanner OSV-Scanner. OSV-Scanner is the officially supported front-end tool for the open source OSV database. It is written in Go and is designed to scan a project's dependencies and report the known vulnerabilities that affect them.

You can use OSV-Scanner to find vulnerabilities in Rails application dependencies, including lock files such as Gemfile.lock, package-lock.json and yarn.lock, the latest commit recorded in a .git directory, and Debian-based Docker images.

Installation

There are several ways to install OSV-Scanner:

Release

The latest released binary version can be downloaded from Releases · google/osv-scanner - https://github.com/google/osv-scanner/releases .

Package manager

Or install it via a package manager: Homebrew, or Scoop on Windows.

# Homebrew (brew)
$ brew install osv-scanner

# Windows Scoop
scoop install osv-scanner

For more information on Scoop, see Scoop - https://scoop.sh/.

For more information on Homebrew, see The Missing Package Manager for macOS (or Linux) — Homebrew - https://brew.sh/.

Source code

Alternatively, you can install from source by running:

$ go install github.com/google/osv-scanner/cmd/osv-scanner@v1

This requires Go 1.18+.

Usage

OSV-Scanner collects the list of dependencies and versions used in a project, then matches that list against the OSV database via the OSV.dev API. You can have OSV-Scanner scan your application directory, pass it a dependency lock file, scan a Debian-based Docker image (preview feature), or scan an SBOM (software bill of materials) file.
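To make that first step concrete, here is an added Ruby example (not code from this post or from the OSV-Scanner project) that pulls the resolved gem name/version pairs out of a constructed Gemfile.lock fragment and builds the request body for OSV.dev's batch query endpoint, POST https://api.osv.dev/v1/querybatch, with the RubyGems ecosystem. The lockfile content is constructed for the example, only the GEM section is handled (GIT and PATH sources are not), and the script builds the payload without sending it.

```ruby
require "json"

# Constructed sample Gemfile.lock fragment (not taken from a real application).
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.0.4)
        activesupport (= 7.0.4)
        rack (~> 2.0, >= 2.2.0)
      activesupport (7.0.4)
        concurrent-ruby (~> 1.0, >= 1.0.2)
      nokogiri (1.13.10-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.2)
      rack (2.2.4)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    actionpack (= 7.0.4)
    nokogiri

  BUNDLED WITH
     2.3.26
LOCK

# Extract the resolved gems from the GEM/specs section.
# In Gemfile.lock, resolved gems are indented by exactly four spaces and their
# requirements on other gems by six, so only four-space lines are collected.
# A platform suffix (e.g. "-x86_64-linux") is stripped; hyphenated prerelease
# versions would need Gem::Version-aware handling, which is omitted here.
# GIT and PATH sections are not handled.
def parse_gemfile_lock(text)
  specs = []
  in_gem_section = false
  text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A[A-Z]/)      # section header: GEM, PLATFORMS, DEPENDENCIES, ...
      in_gem_section = (line == "GEM")
      next
    end
    next unless in_gem_section
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/)
    next unless m
    specs << { name: m[1], version: m[2].split("-").first }
  end
  specs
end

# Build the body for OSV.dev's batch query endpoint
# (POST https://api.osv.dev/v1/querybatch): one query per gem, ecosystem RubyGems.
def osv_querybatch_body(specs)
  queries = specs.map do |s|
    { "package" => { "name" => s[:name], "ecosystem" => "RubyGems" }, "version" => s[:version] }
  end
  { "queries" => queries }
end

if __FILE__ == $PROGRAM_NAME
  lock_text = ARGV.empty? ? SAMPLE_GEMFILE_LOCK : File.read(ARGV[0])
  puts JSON.pretty_generate(osv_querybatch_body(parse_gemfile_lock(lock_text)))
end
```

Run it with a path to a real Gemfile.lock to see the exact query list OSV-Scanner would need to resolve; every resolved gem is queried, not only the direct dependencies listed under DEPENDENCIES, which is why transitive gems such as rack show up in the payload.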

Scan directory

OSV-Scanner walks the directory tree looking for:

  • Dependency lock files (such as Gemfile.lock, package-lock.json, yarn.lock, etc.)

  • SBOM Software Bill of Materials

  • the latest commit record of the .git directory

Pass the --recursive / -r flag to traverse subdirectories recursively.

Example

$ osv-scanner -r .

Input a lock file

OSV-Scanner uses its lockfile package to support a wide range of lock files, including the Gemfile.lock, package-lock.json and yarn.lock files mentioned above. Pass each lock file with --lockfile (or -L).

Example

$ osv-scanner --lockfile=Gemfile.lock

# Several lock files can be given at once: Gemfile.lock, package-lock.json, yarn.lock, etc.
$ osv-scanner --lockfile=Gemfile.lock -L package-lock.json -L yarn.lock

Scan Debian-based docker images (Preview)

This tool will grab the list of installed packages in a Debian image and query them for vulnerabilities.

Currently only Debian-based Docker image scanning is supported.

Requires Docker to be installed and the tool to have permissions to invoke it.

The filesystems of Docker containers are not currently scanned, and there are various other limitations. Follow this issue - https://github.com/google/osv-scanner/issues/64 for updates on container scanning.

Example

$ osv-scanner --docker image_name:latest

image_name is your Debian-based Rails application image.

Input SBOM

Both SPDX - https://spdx.dev/ and CycloneDX - https://cyclonedx.org/ SBOMs are accepted. The format is detected automatically from the content of the input file.

Example

$ osv-scanner --sbom=sbom.json

Configuration

To configure scanning, place the osv-scanner.toml file in the directory where the scan files are located. To override this file, pass the --config=/path/to/config.toml argument.

Currently, there is only one configuration option:

IgnoredVulns

To ignore a vulnerability, add its ID as an entry under the IgnoredVulns key. Optionally, add an expiry date (ignoreUntil) and a reason.

Example

[[IgnoredVulns]]
id = "GO-2022-0968"
# ignoreUntil = 2022-11-09 # Optional exception expiry date
reason = "No ssh servers are connected to or hosted in Go lang"

[[IgnoredVulns]]
id = "GO-2022-1059"
# ignoreUntil = 2022-11-09 # Optional exception expiry date
reason = "No external http servers are written in Go lang."

JSON output

By default, osv-scanner outputs a human-readable table. To have osv-scanner output JSON, pass the --json flag when calling osv-scanner.

When the --json flag is used, only the JSON output is printed to stdout; all other output goes to stderr. So, to save just the JSON to a file, redirect stdout: osv-scanner --json ... > /path/to/file.json.
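The following Ruby script is an added example (not from this post or from the OSV-Scanner project) that ties the Configuration and JSON output sections together: it reads the JSON produced by osv-scanner --json, applies an ignore list carrying the same id / ignoreUntil / reason fields as the [[IgnoredVulns]] entries above, and returns the exit status a CI job should use. The scan output is constructed with placeholder ids, and its nesting (results, then packages, then vulnerabilities) is my reading of the v1 JSON format rather than something this post states; the ignore entries are given as Ruby hashes because Ruby's standard library has no TOML parser; and treating ignoreUntil as inclusive is an assumption about the tool's semantics.

```ruby
require "json"
require "date"

# Constructed sample of `osv-scanner --json` output with placeholder ids.
# The nesting (results -> packages -> vulnerabilities) follows my reading of the
# v1 output format; check it against the output of your own osv-scanner version.
SAMPLE_SCAN_JSON = <<~SCAN
  {
    "results": [
      {
        "source": { "path": "Gemfile.lock", "type": "lockfile" },
        "packages": [
          {
            "package": { "name": "example-gem-a", "version": "1.0.0", "ecosystem": "RubyGems" },
            "vulnerabilities": [
              { "id": "EXAMPLE-0001", "aliases": ["CVE-0000-0001"], "summary": "constructed finding A" },
              { "id": "EXAMPLE-0002", "aliases": [], "summary": "constructed finding B" }
            ]
          },
          {
            "package": { "name": "example-gem-b", "version": "2.3.4", "ecosystem": "RubyGems" },
            "vulnerabilities": [
              { "id": "EXAMPLE-0003", "aliases": ["CVE-0000-0003"], "summary": "constructed finding C" }
            ]
          }
        ]
      }
    ]
  }
SCAN

# The same fields an osv-scanner.toml [[IgnoredVulns]] entry carries, expressed as
# Ruby hashes (the standard library ships no TOML parser). Constructed values.
SAMPLE_IGNORES = [
  { "id" => "EXAMPLE-0001", "ignoreUntil" => Date.new(2022, 11, 9), "reason" => "time-boxed exception" },
  { "id" => "EXAMPLE-0003", "reason" => "affected code path is not reachable in this app" },
]

# Flatten the scan output into one finding per (package, vulnerability id).
def findings_from(scan_json)
  JSON.parse(scan_json).fetch("results").flat_map do |result|
    source = result.fetch("source")["path"]
    result.fetch("packages").flat_map do |entry|
      pkg = entry.fetch("package")
      entry.fetch("vulnerabilities").map do |vuln|
        { source: source, package: pkg["name"], version: pkg["version"],
          id: vuln["id"], aliases: vuln["aliases"] || [], summary: vuln["summary"] }
      end
    end
  end
end

# An ignore entry is active when it has no ignoreUntil or that date has not
# passed yet (treated as inclusive here; an assumption about the tool's semantics).
def active_ignore?(entry, today)
  entry["ignoreUntil"].nil? || today <= entry["ignoreUntil"]
end

# Drop findings whose OSV id is covered by an active ignore entry. Matching is on
# the id only; aliases are reported but not used for suppression.
def apply_ignores(findings, ignores, today: Date.today)
  active_ids = ignores.select { |e| active_ignore?(e, today) }.map { |e| e["id"] }
  findings.reject { |f| active_ids.include?(f[:id]) }
end

# Print one line per remaining finding and return the exit status a CI job should
# use: 0 when nothing is left, 1 otherwise.
def report(findings)
  findings.each do |f|
    aliases = f[:aliases].empty? ? "" : " (#{f[:aliases].join(', ')})"
    puts "#{f[:source]}: #{f[:package]} #{f[:version]} #{f[:id]}#{aliases}: #{f[:summary]}"
  end
  findings.empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  input = ARGV.empty? ? SAMPLE_SCAN_JSON : File.read(ARGV[0])
  status = report(apply_ignores(findings_from(input), SAMPLE_IGNORES))
  puts "exit status: #{status}"
end
```

In a pipeline you would run osv-scanner --json -L Gemfile.lock > scan.json, then pass scan.json to this script (the file name is hypothetical) and replace SAMPLE_IGNORES with entries loaded from your osv-scanner.toml through a TOML gem. The point of the expiry check is that a time-boxed exception silently turns back into a failing build once its date passes, which is the behaviour you want from an ignore list.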
