civisanalytics / ruby_audit Goto Github PK

Checks Ruby and RubyGems against known security vulnerabilities.

License: Other

Ruby 98.96% Shell 1.04%

ruby_audit's Introduction

RubyAudit

RubyAudit checks your current version of Ruby and RubyGems against known security vulnerabilities (CVEs), alerting you if you are using an insecure version. It complements bundler-audit, providing complete coverage for your Ruby stack. If you use Bundler, you should use both RubyAudit and bundler-audit.

RubyAudit is based on and leverages bundler-audit, and would not exist without the hard work of the rubysec team, specifically bundler-audit and ruby-advisory-db.

"If I have seen further it is by standing on the shoulders of Giants." -- Isaac Newton

Installation

Add this line to your application's Gemfile:

gem 'ruby_audit'

And then execute:

$ bundle

Or install it yourself as:

$ gem install ruby_audit

Because bundler-audit requires bundler, RubyAudit requires bundler as a transitive dependency. If you don't intend to run RubyAudit in the production environment, you may selectively install it in your development and test environments by using Bundler groups.

Usage

To check your current version of Ruby and RubyGems:

$ ruby-audit check

You can ignore specific advisories by specifying -i <advisory>:

$ ruby-audit check -i CVE-2015-7551

By default, RubyAudit will check for updates to the ruby-advisory-db when it runs. If you are using RubyAudit offline, you can bypass this check by specifying -n:

$ ruby-audit check -n

Development

After checking out the repo, run bin/setup to install dependencies. You'll also want to run git submodule update --init to populate the ruby-advisory-db submodule in /vendor that is used for testing. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

The database in /vendor/ruby-advisory-db is only used as a fixture for unit tests. By default, the database used for actual vulnerability checks is stored at ~/.local/share/ruby-advisory-db.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

See CONTRIBUTING.

License

RubyAudit is released under the GNU General Public License version 3.

ruby_audit's People

Contributors

Stargazers

Watchers

Forkers

austinvernsonger errm ketan colinxfleming nevans seclytics ylecuyer uxxman mikesaelim

ruby_audit's Issues

Bumping to Ruby 3.2.0 causes Tried to load unspecified class: Date (Psych::DisallowedClass) for ruby_audit check

After bumping to Ruby 3.2.0 when running ruby_audit check we receive the following error Tried to load unspecified class: Date (Psych::DisallowedClass) for ruby_audit check.

ruby-audit version => ruby-audit 1.3.0 (advisories: 707)

/Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/class_loader.rb:99:in find': Tried to load unspecified class: Date (Psych::DisallowedClass) from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/class_loader.rb:28:in load'
from (eval):2:in date' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/scalar_scanner.rb:66:in tokenize'
from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/to_ruby.rb:65:in deserialize' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/to_ruby.rb:130:in visit_Psych_Nodes_Scalar'
from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/visitor.rb:30:in visit' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/visitor.rb:6:in accept'
from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/to_ruby.rb:35:in accept' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/to_ruby.rb:347:in block in revive_hash'
from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/to_ruby.rb:345:in each' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/to_ruby.rb:345:in each_slice'
from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/to_ruby.rb:345:in revive_hash' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/to_ruby.rb:169:in visit_Psych_Nodes_Mapping'
from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/visitor.rb:30:in visit' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/visitor.rb:6:in accept'
from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/to_ruby.rb:35:in accept' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/to_ruby.rb:320:in visit_Psych_Nodes_Document'
from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/visitor.rb:30:in visit' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/visitor.rb:6:in accept'
from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych/visitors/to_ruby.rb:35:in accept' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych.rb:334:in safe_load'
from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych.rb:369:in load' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych.rb:671:in block in load_file'
from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych.rb:670:in open' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/3.2.0/psych.rb:670:in load_file'
from /Users/user/.rvm/gems/ruby-3.2.0/gems/bundler-audit-0.7.0.1/lib/bundler/audit/advisory.rb:48:in load' from /Users/user/.rvm/gems/ruby-3.2.0/gems/ruby_audit-1.3.0/lib/ruby_audit/database.rb:7:in block in advisories_for'
from internal:dir:220:in glob' from /Users/user/.rvm/gems/ruby-3.2.0/gems/ruby_audit-1.3.0/lib/ruby_audit/database.rb:35:in each_advisory_path_for'
from /Users/user/.rvm/gems/ruby-3.2.0/gems/ruby_audit-1.3.0/lib/ruby_audit/database.rb:6:in advisories_for' from /Users/user/.rvm/gems/ruby-3.2.0/gems/ruby_audit-1.3.0/lib/ruby_audit/database.rb:22:in check'
from /Users/user/.rvm/gems/ruby-3.2.0/gems/ruby_audit-1.3.0/lib/ruby_audit/database.rb:12:in check_ruby' from /Users/user/.rvm/gems/ruby-3.2.0/gems/ruby_audit-1.3.0/lib/ruby_audit/scanner.rb:61:in block in scan_inner'
from /Users/user/.rvm/gems/ruby-3.2.0/gems/ruby_audit-1.3.0/lib/ruby_audit/scanner.rb:60:in each' from /Users/user/.rvm/gems/ruby-3.2.0/gems/ruby_audit-1.3.0/lib/ruby_audit/scanner.rb:60:in scan_inner'
from /Users/user/.rvm/gems/ruby-3.2.0/gems/ruby_audit-1.3.0/lib/ruby_audit/scanner.rb:32:in scan_ruby' from /Users/user/.rvm/gems/ruby-3.2.0/gems/ruby_audit-1.3.0/lib/ruby_audit/scanner.rb:19:in scan'
from /Users/user/.rvm/gems/ruby-3.2.0/gems/ruby_audit-1.3.0/lib/ruby_audit/cli.rb:15:in check' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/gems/3.2.0/gems/thor-1.2.1/lib/thor/command.rb:27:in run'
from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/gems/3.2.0/gems/thor-1.2.1/lib/thor/invocation.rb:127:in invoke_command' from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/gems/3.2.0/gems/thor-1.2.1/lib/thor.rb:392:in dispatch'
from /Users/user/.rvm/rubies/ruby-3.2.0/lib/ruby/gems/3.2.0/gems/thor-1.2.1/lib/thor/base.rb:485:in start' from /Users/user/.rvm/gems/ruby-3.2.0/gems/ruby_audit-1.3.0/exe/ruby-audit:6:in <top (required)>'
from /Users/user/.rvm/gems/ruby-3.2.0/bin/ruby-audit:25:in load' from /Users/user/.rvm/gems/ruby-3.2.0/bin/ruby-audit:25:in

'
from /Users/user/.rvm/gems/ruby-3.2.0/bin/ruby_executable_hooks:22:in eval' from /Users/user/.rvm/gems/ruby-3.2.0/bin/ruby_executable_hooks:22:in '

Bug: doesn't check rubygems anymore

The file structure of https://github.com/rubysec/ruby-advisory-db has changed. libraries dir was removed and its files moved to gems/rubygems-update dir. Therefore existing code doesn't work with the new file structure.

Probably there should be a scheduled Github action that runs tests every week against https://github.com/rubysec/ruby-advisory-db 🤔

Better separation of version update suggestions

I was looking at rubysec/bundler-audit for features from the last couple years to ~~steal~~ be inspired by, and I thought rubysec/bundler-audit#327 was a good idea. Sometimes, an advisory suggests multiple possible gem versions to upgrade to, and each of those suggestions uses a comma-separated format. For example, the advisory says

patched_versions:
  - "~> 5.2.6, >= 5.2.6.2"
  - "~> 6.0.4, >= 6.0.4.6"
  - "~> 6.1.4, >= 6.1.4.6"
  - ">= 7.0.2.2"

When we join these together, we also separate them with a comma, and it becomes hard to understand. bundler-audit settled on wrapping each version spec with single quotes, before joining them with a comma as before. So in this example, you'd get

Solution: upgrade to '~> 5.2.6, >= 5.2.6.2', '~> 6.0.4, >= 6.0.4.6', '~> 6.1.4, >= 6.1.4.6', '>= 7.0.2.2'

Should we copy what bundler-audit is doing?

Add a config file option for issues to ignore

It would be nice if you could specify CVEs to ignore via a config file, similar to bundler-audit's config file, instead of needing to append them each to the ruby-audit command using -i.

ruby audit works under bundler, but not stand-alone

Hi,

I'm having some issues with the direct gem install approach when I'm not using bundler.

For context, this was identified while I was trying to move away from manually calling the command locally to get it running under ci without requiring ruby_audit to be an application dependency.

It's not a massive hardship in my case to just scope it to :test in the Gemfile, but I thought I'd raise it in case you weren't aware (or I'm doing something dumb):

Actual behaviour

When manually installing the gem as follows I encounter an error when performing the check

# gem install ruby_audit
Fetching ruby_audit-2.0.0.gem
Successfully installed ruby_audit-2.0.0
1 gem installed

# ruby-audit check
Traceback (most recent call last):
	3: from /usr/local/bundle/bin/ruby-audit:23:in `<main>'
	2: from /usr/local/bundle/bin/ruby-audit:23:in `load'
	1: from /usr/local/bundle/gems/ruby_audit-2.0.0/exe/ruby-audit:4:in `<top (required)>'
/usr/local/bundle/gems/ruby_audit-2.0.0/exe/ruby-audit:4:in `require': cannot load such file -- ruby_audit (LoadError)

On the other hand, when installing the gem via bundler the check completes fine.

Expected behaviour

I can install the gem directly and execute the check without needing to use bundler.

Interest in potentially reading ruby version from Gemfile.lock?

hey! We were doing some chatting over in coinbase/salus about adding ruby_audit, so that the comprehensive security scanner could do its magic. I took a stab at it but ran into a wall around here, since it looks like there isn't a way to get ruby version from anything other than the active environment.

Would you have any interest in adding an option in ruby_audit to read ruby version from Gemfile.lock rather than environment? I'm more than happy to do the programming, just wanted to check first.

(Thanks much for this library! Have used it for years, it's great.)

change `master` to `main`

rationale: https://www.theserverside.com/feature/Why-GitHub-renamed-its-master-branch-to-main

Could not find gem 'ruby_audit (>= 2.2)'

Version 2.2 is released. https://github.com/civisanalytics/ruby_audit/releases/tag/v2.2.0
But looks like it is not available yet.

When running bundle update ruby_audit

Fetching gem metadata from https://rubygems.org/........

Could not find gem 'ruby_audit (>= 2.2)' in rubygems repository https://rubygems.org/ or installed locally.

The source contains the following gems matching 'ruby_audit':
  * ruby_audit-1.0.0
  * ruby_audit-1.0.1
  * ruby_audit-1.1.0
  * ruby_audit-1.2.0
  * ruby_audit-1.3.0
  * ruby_audit-2.0.0
  * ruby_audit-2.1.0

Overly strict bundler-audit

Trying to upgrade to newest bundler-audit and received this message:

Bundler could not find compatible versions for gem "bundler-audit":
  In Gemfile:
    bundler-audit (~> 0.5.0)

    ruby_audit (~> 1.0) was resolved to 1.0.1, which depends on
      bundler-audit (~> 0.4.0)

Believe that ruby_audit should require bundler-audit (> 0.4.0)