bundler-audit's Issues

Refactor into rubygems-audit

Refactor into rubygems-audit, which would auto-detect Bundler, otherwise check the latest version of the gems installed.

Suggestion: Warn when running on an old version of rubygems

On an older project, my ruby environment had rubygems version 1.6.2 installed, which causes a false positive on non-SemVer gem version strings, e.g. newrelic_rpm in CVE-2013-0284 has a patched version of ">= 3.5.3.25", but the installed version "3.5.5.38" doesn't satisfy the constraint. Updating rubygems (in my case to 1.8.19) and re-running fixes that, but I suggest printing a warning if the rubygems version is too old for that to work correctly. I'm not sure what the appropriate cutoff version would be.

TL;DR:

Old rubygems versions can't compare gem versions with 4 period-separated numbers correctly, so at least a warning would be appropriate.

check command does not accept flags

README:

$ bundle-audit check --update

Real life:

$ bundle-audit version
bundle-audit 0.4.0 (advisories: 163)
$ bundle-audit check --update
ERROR: "bundle-audit check" was called with arguments ["--update"]
Usage: "bundle-audit check"

Contributing Developer HOWTO request for README

Just putting together a PR, unfortunately having a little trouble getting all specs to pass with unmodified master. I guess I'm missing some setup steps. Here's what I've got so far:

# Fork repo on GitHub, then ...

git clone FORK_URL

cd bundler-audit/

bundle install

bundle exec rspec

No longer vendor ruby-advisory-db, but instead auto-download it

Since ruby-advisory-db is being updated so frequently, it doesn't make sense to use bundler-audit with a vendored version. Instead, bundler-audit could automatically clone/update the ruby-advisory-db ensuring it was always up-to-date. This would simplify the Database.path logic, at the cost of requiring a network connection.

it crashes on Gemfile.lock with ftpd (0.2.1)

bundler-audit version = 0.3.0

I can't reproduce it on my Mac, but it continuously crashes on travis-ci.org:

bundle-audit update; bundle-audit check

Gemfile.lock

GEM
  remote: https://rubygems.org/
  specs:
    actionmailer (4.0.0)
      actionpack (= 4.0.0)
      mail (~> 2.5.3)
    actionpack (4.0.0)
      activesupport (= 4.0.0)
      builder (~> 3.1.0)
      erubis (~> 2.7.0)
      rack (~> 1.5.2)
      rack-test (~> 0.6.2)
    activemodel (4.0.0)
      activesupport (= 4.0.0)
      builder (~> 3.1.0)
    activerecord (4.0.0)
      activemodel (= 4.0.0)
      activerecord-deprecated_finders (~> 1.0.2)
      activesupport (= 4.0.0)
      arel (~> 4.0.0)
    activerecord-deprecated_finders (1.0.3)
    activesupport (4.0.0)
      i18n (~> 0.6, >= 0.6.4)
      minitest (~> 4.2)
      multi_json (~> 1.3)
      thread_safe (~> 0.1)
      tzinfo (~> 0.3.37)
    arel (4.0.2)
    atomic (1.1.14)
    builder (3.1.4)
    erubis (2.7.0)
    ftpd (0.2.1)
      memoizer (~> 1.0.1)
    hike (1.2.3)
    i18n (0.6.9)
    mail (2.5.4)
      mime-types (~> 1.16)
      treetop (~> 1.4.8)
    memoizer (1.0.1)
    mime-types (1.25.1)
    minitest (4.7.5)
    multi_json (1.8.4)
    polyglot (0.3.3)
    rack (1.5.2)
    rack-test (0.6.2)
      rack (>= 1.0)
    rails (4.0.0)
      actionmailer (= 4.0.0)
      actionpack (= 4.0.0)
      activerecord (= 4.0.0)
      activesupport (= 4.0.0)
      bundler (>= 1.3.0, < 2.0)
      railties (= 4.0.0)
      sprockets-rails (~> 2.0.0)
    railties (4.0.0)
      actionpack (= 4.0.0)
      activesupport (= 4.0.0)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
    rake (10.1.1)
    sprockets (2.10.1)
      hike (~> 1.2)
      multi_json (~> 1.0)
      rack (~> 1.0)
      tilt (~> 1.1, != 1.3.0)
    sprockets-rails (2.0.1)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
      sprockets (~> 2.8)
    thor (0.18.1)
    thread_safe (0.1.3)
      atomic
    tilt (1.4.1)
    treetop (1.4.15)
      polyglot
      polyglot (>= 0.3.1)
    tzinfo (0.3.38)

PLATFORMS
  ruby

DEPENDENCIES
  ftpd (= 0.2.1)
  rails (= 4.0.0)

Exception backtrace:

/home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-1.5.2/lib/bundler/vendor/thor/shell/basic.rb:80:in `say': undefined method `end_with?' for #<Gem::Version "0.2.1"> (NoMethodError)
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-1.5.2/lib/bundler/vendor/thor/shell.rb:59:in `say'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/cli.rb:77:in `say'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/cli.rb:89:in `print_advisory'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/cli.rb:46:in `block in check'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/scanner.rb:87:in `block (2 levels) in scan'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/database.rb:164:in `block in check_gem'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/database.rb:139:in `block in advisories_for'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/database.rb:227:in `glob'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/database.rb:227:in `each_advisory_path_for'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/database.rb:138:in `advisories_for'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/database.rb:162:in `check_gem'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/scanner.rb:85:in `block in scan'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/scanner.rb:84:in `each'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/scanner.rb:84:in `scan'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/lib/bundler/audit/cli.rb:39:in `check'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-1.5.2/lib/bundler/vendor/thor/command.rb:27:in `run'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-1.5.2/lib/bundler/vendor/thor/invocation.rb:121:in `invoke_command'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-1.5.2/lib/bundler/vendor/thor.rb:363:in `dispatch'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-1.5.2/lib/bundler/vendor/thor/base.rb:440:in `start'
    from /home/travis/.rvm/gems/ruby-2.1.0/gems/bundler-audit-0.3.0/bin/bundle-audit:10:in `<top (required)>'
    from /home/travis/.rvm/gems/ruby-2.1.0/bin/bundle-audit:23:in `load'
    from /home/travis/.rvm/gems/ruby-2.1.0/bin/bundle-audit:23:in `<main>'

Version matching doesn't work properly

Running bundle-audit, it flags vulnerabilities for versions below my current version.

$ bin/bundle-audit
Name: rails
Version: 2.3.17
CVE: 2013-0156
...
Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Change license type

Can you change the license type? This license assumes disclosure of source code, as I understood it, and I think this license is not entirely suitable for those who will use the gem in commercial projects.

Still seeing 'Unpatched versions found' message

I just installed bundler-audit, then did gem update bundler-audit, then did bundle-audit update, then ran it, and it successfully found the latest rails security problems, so it is a great gem. However, when I fixed the problems, and ran bundle-audit again, I had the following output:

Insecure Source URI found: http://rubygems.org/
Unpatched versions found!

However, according to issue #67 this should no longer happen.

InsecureSource results in exit code 1

We're about to integrate bundler-audit into our CircleCI build process and it's looking really promising except for one fact: ignoring vulnerabilities leads to none being listed by bundler-audit, but it still exits with exit code 1, making CircleCI think it failed.

The reason why we ignore some vulnerabilities is because we're running on a forked version of https://github.com/spree/spree and we have to monkey patch their security patches instead of upgrading the version.

Example output:

$ bundle exec bundle-audit check --update --ignore OSVDB-119205 OSVDB-125699 OSVDB-125701
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up-to-date.
ruby-advisory-db: 226 advisories
Vulnerabilities found!

Exits with `0` for `bundle-audit update` network failure, expected non-zero exit code

When running bundle-audit update, is it expected to return a non-zero exit code when the update server is unavailable? Currently I'm seeing a zero exit code (bundler-audit 0.4.0).

I tried testing this by disabling my network connection and running:

$ bundle-audit --version
bundle-audit 0.4.0 (advisories: 233)

$ bundle-audit update
Updating ruby-advisory-db ...
fatal: unable to access 'https://github.com/rubysec/ruby-advisory-db.git/': Could not resolve host: github.com
ruby-advisory-db: 233 advisories

# zero exit code, expected non-zero:
$ echo $?
0

A reason for preferring a non-zero exit code instead, is for environments that are running unattended jobs like:

# If advisory db fails to update, may not have latest vulnerabilities:
bundle-audit update && bundle-audit

These environments could report that bundle-audit is good (no vulns found) when the advisory db is out-of-date. bundle-audit update may persistently fail due to restrictive firewall policies, meaning the advisory db is never updated successfully.

why are you ignoring Gemfile.lock

Hi! Having Gemfile.lock in git is very useful for a team so that everyone uses the same gem versions. Why do you have it in the .gitignore file? I am curious if there is a good reason for that.

bundle-audit missed the recent will_paginate xss vuln

We were using an outdated version of will_paginate:

laptop ~/gr [test-times|✚ 2…2]$ grep will_paginate Gemfile*
Gemfile:gem 'will_paginate', '~> 3.0.3'
Gemfile.lock:    will_paginate (3.0.3)
Gemfile.lock:  will_paginate (~> 3.0.3)

and bundler-audit didn't find this issue:

laptop ~/gr [test-times|✚ 2…3]$ bundle-audit update
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up-to-date.
ruby-advisory-db: 64 advisories
laptop ~/gr [test-times|✚ 2…3]$ bundle-audit
No unpatched versions found

even though it's definitely listed in the ruby-advisory-db:

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/will_paginate/OSVDB-101138.yml

Can full Advisory ID be displayed in the output?

Was having a play around and wondering why the following command was not ignoring the given vulnerability:

$ be bundle-audit check --ignore 126747
Name: uglifier
Version: 2.7.1
Advisory: 126747
Criticality: Unknown
URL: https://github.com/mishoo/UglifyJS2/issues/751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2

After doing some debugging, I found that the advisory property being used to compare to the ignore list was the id property ("OSVDB-126747"), but the code prints the osvdb property ("126747") which did not include the prefix.

unless ignore.include?(advisory.id)
  yield UnpatchedGem.new(gem,advisory)
end

say "Advisory: ", :red

if advisory.cve
  say "CVE-#{advisory.cve}"
elsif advisory.osvdb
  say advisory.osvdb
end

Is there a reason for not displaying the full Advisory ID in the output?

ERROR: "bundle-audit check" was called with arguments ["--update"]

When running bundle-audit check --update as described in the README.md it throws an error.

ERROR: "bundle-audit check" was called with arguments ["--update"]
Usage: "bundle-audit check"

I worked around this by using bundle-audit update && bundle-audit check, but thought you might want to be aware so the README can be updated if this is no longer supported or fixed if it's a bug.

Release under MIT

Lots of people are scared of the GPL; releasing under MIT would be great/simpler/no need to explain to the legal department, etc.

Feature request: integrate bundler-audit with the app's CI

Is there an easy way to integrate bundle-audit with the app's specs?

It would be cool to be able to include a bundler-audit-provided RSpec task that does the deed for you. This saves you having to remember to do it every now and then.

Or maybe a default Capistrano task that hooks itself in and runs whenever cap:deploy is invoked.

Latest rails2 has security holes?

I ran bundle-audit on a rails-2.3.18 project. Is bundler-audit telling the truth here?

Name: actionpack
Version: 2.3.18
CVE: 2012-1099
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/79727
Title: Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb Manually Generated Select Tag Options XSS
Solution: upgrade to ~> 3.0.12, ~> 3.1.4, >= 3.2.2

Name: actionpack
Version: 2.3.18
CVE: 2012-3424
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/84243
Title: Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb with_http_digest Helper Method Remote DoS
Solution: upgrade to ~> 3.0.16, ~> 3.1.7, >= 3.2.7

Name: actionpack
Version: 2.3.18
CVE: 2012-3463
Criticality: Medium
URL: http://osvdb.org/84515
Title: Ruby on Rails select_tag Helper Method prompt Value XSS
Solution: upgrade to ~> 3.0.17, ~> 3.1.8, >= 3.2.8

Name: actionpack
Version: 2.3.18
CVE: 2012-3465
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/84513
Title: Ruby on Rails strip_tags Helper Method XSS
Solution: upgrade to ~> 3.0.17, ~> 3.1.8, >= 3.2.8

Name: activerecord
Version: 2.3.18
CVE: 2012-2660
Criticality: High
URL: http://www.osvdb.org/show/osvdb/82610
Title: Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query Arbitrary IS NULL Clause Injection
Solution: upgrade to ~> 3.0.13, ~> 3.1.5, >= 3.2.4

Name: activerecord
Version: 2.3.18
CVE: 2012-2661
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/82403
Title: Ruby on Rails where Method ActiveRecord Class SQL Injection
Solution: upgrade to ~> 3.0.13, ~> 3.1.5, >= 3.2.4

Name: activesupport
Version: 2.3.18
CVE: 2012-1098
Criticality: Medium
URL: http://osvdb.org/79726
Title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
Solution: upgrade to ~> 3.0.12, ~> 3.1.4, >= 3.2.2

Name: activesupport
Version: 2.3.18
CVE: 2012-3464
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/84516
Title: Ruby on Rails HTML Escaping Code XSS
Solution: upgrade to ~> 3.0.17, ~> 3.1.8, >= 3.2.8

Unpatched versions found!

Unnecessary version warnings on 1.8.7p371

Example of output from bundle-audit

Name: json
Version: 1.7.7
CVE: 2013-0269
Criticality: High
URL: http://direct.osvdb.org/show/osvdb/90074
Title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
Solution: upgrade to ~> 1.5.4, ~> 1.6.7, >= 1.7.7

So it tells me to upgrade to >= 1.7.7 when I already have 1.7.7 installed, as confirmed with:

# bundle list | grep json
  * json (1.7.7)

Using this Ruby:

# ruby -v
ruby 1.8.7 (2012-10-12 patchlevel 371) [i686-darwin12.2.0]

The problem only appears to affect 1.8.7. On 1.9.3p385, the nonsensical warnings disappear.

Introduce `--ignore-git-source` or maybe make it so that `--ignore` works with git source?

We have several gems that point to the master branch on GitHub, sadly. When we run bundle-audit check, it displays the error:

Insecure Source URI found: git://github.com/gregbell/active_admin.git

So, I tried to use the --ignore flag, but no luck:

$ bundle-audit --ignore active_admin
Insecure Source URI found: git://github.com/gregbell/active_admin.git
Unpatched versions found!
$ echo $?
1

So I'm proposing either of these changes:

  • Add --ignore-git-source so that it stops complaining if I include something from Git
  • Make --ignore detect that this gem is in a particular source, and not raise an error for that source.

What do you guys think? I could submit a patch if either of these ideas looks good to you.

bundle-audit reports lots of false positive...

Almost all (if not all) elements reported by bundle-audit are false positives...

For example:

Name: activerecord
Version: 3.2.18
Advisory: OSVDB-90072
Criticality: Medium
URL: http://direct.osvdb.org/show/osvdb/90072
Title: Ruby on Rails Active Record attr_protected Method Bypass
Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12

The recommendation is to upgrade to something greater than 3.2.12 and I am on 3.2.18; why is it reported...

bundle-audit currently reports 41 items... and I have yet to find one that is real...

thanks
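
The four reports above that question a reported version (newrelic_rpm 3.5.5.38, rails 2.3.17, json 1.7.7, activerecord 3.2.18) all come down to how a patched-version list is compared against the installed version; the following is an added example, not bundler-audit's own code, re-creating that check with the Gem::Version and Gem::Requirement classes a current rubygems ships. It assumes each advisory's "Solution: upgrade to ..." list is its patched_versions, one requirement per comma-separated clause, with a version counting as patched when it satisfies any clause, and it includes the rubygems-version warning suggested earlier with the cutoff left as a parameter since none is given here.

```ruby
require 'rubygems'

# Constructed from the advisory output quoted in the reports above:
# installed version, and the "Solution: upgrade to ..." list of that advisory.
SAMPLES = {
  'rails 2.3.17 / CVE-2013-0156'      => ['2.3.17',   '~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11'],
  'activerecord 3.2.18 / OSVDB-90072' => ['3.2.18',   '~> 2.3.17, ~> 3.1.11, >= 3.2.12'],
  'json 1.7.7 / CVE-2013-0269'        => ['1.7.7',    '~> 1.5.4, ~> 1.6.7, >= 1.7.7'],
  'newrelic_rpm / CVE-2013-0284'      => ['3.5.5.38', '>= 3.5.3.25'],
  'actionpack 2.3.18 / CVE-2012-1099' => ['2.3.18',   '~> 3.0.12, ~> 3.1.4, >= 3.2.2'],
}.freeze

# Split "~> 2.3.15, >= 3.2.11" into one Gem::Requirement per clause.
# Gem::Requirement understands the pessimistic operator (~> 2.3.15 means
# >= 2.3.15 and < 2.4), so no hand-written version parsing is involved.
def parse_patched(solution)
  solution.split(',').map { |clause| Gem::Requirement.new(clause.strip) }
end

# A version is patched when it satisfies ANY of the patched-version clauses;
# an advisory whose clauses are all for newer release lines stays vulnerable.
def patched?(version, patched)
  v = Gem::Version.new(version)
  patched.any? { |req| req.satisfied_by?(v) }
end

def vulnerable?(version, solution)
  !patched?(version, parse_patched(solution))
end

# Map each sample to true (reported) / false (patched, must not be reported).
def audit(samples = SAMPLES)
  samples.transform_values { |(version, solution)| vulnerable?(version, solution) }
end

# Four-segment versions compare segment by segment, not as strings or floats:
# "3.5.5.38" > "3.5.3.25" because 5 > 3 in the third segment.
def four_segment_demo
  [Gem::Version.new('3.5.5.38') > Gem::Version.new('3.5.3.25'),
   Gem::Version.new('3.5.5.38').segments]
end

# The warning the rubygems report asks for. The page names no cutoff, so the
# minimum acceptable rubygems version is left to the caller.
def rubygems_warning(minimum, current = Gem::VERSION)
  return nil if Gem::Version.new(current) >= Gem::Version.new(minimum)
  "rubygems #{current} is older than #{minimum}; version comparisons may be wrong"
end

if __FILE__ == $PROGRAM_NAME
  audit.each { |name, vuln| puts "#{name}: #{vuln ? 'VULNERABLE' : 'patched'}" }
end
```

Only the actionpack 2.3.18 sample is reported, because none of its clauses covers the 2.3 line; the other four satisfy one clause each and are not.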

Should bundler-audit verify it is up-to-date?

A thought came up while applying bundler-audit (and brakeman etc) on many projects for a client.

To avoid errors, especially when doing bulk operations, it would be convenient if bundler-audit verified whether it is up-to-date or not.

If the user relies on :git in the Gemfile, mention that there's a new commit. If there's a new version on rubygems, mention that as well etc.

Just a thought - maybe that's too much? But I'm careful and almost got bitten by that today.

What do you think?

Flag ignore don't work

I ran bundle-audit ignoring a particular CVE, but it still finds this vulnerability:

✗ bundle-audit check --ignore "CVE-2014-4920"
Insecure Source URI found: git://github.com/airblade/paper_trail.git
....
Name: twitter-bootstrap-rails
Version: 2.2.8
Advisory: CVE-2014-4920
Criticality: Unknown
URL: http://blog.nvisium.com/2014/03/reflected-xss-vulnerability-in-twitter.html
Title: Reflective XSS Vulnerability in twitter-bootstrap-rails
Solution: upgrade to >= 3.2.0

Vulnerabilities found!
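
Both --ignore reports above (uglifier, where the printed "126747" is compared against the id "OSVDB-126747", and twitter-bootstrap-rails, where "CVE-2014-4920" is not matched) stem from comparing the ignore list against a single field. Added example, not bundler-audit's code: an ignore check that accepts any identifier the advisory carries, with or without its prefix, beside the single-field comparison quoted from scanner.rb. The Advisory struct and the second advisory's file id are constructed placeholders; only the identifiers shown in the reports come from the page.

```ruby
# Constructed stand-in for the fields the reports refer to (real
# bundler-audit exposes id, cve and osvdb on its Advisory class).
Advisory = Struct.new(:id, :cve, :osvdb, keyword_init: true)

# First advisory as printed in the uglifier report. The second one's file id
# is a constructed placeholder; only its CVE comes from the page.
UGLIFIER  = Advisory.new(id: 'OSVDB-126747', cve: nil,         osvdb: 126747)
BOOTSTRAP = Advisory.new(id: 'OSVDB-000000', cve: '2014-4920', osvdb: nil)

# The comparison quoted from scanner.rb: only the file id is consulted, so
# the value the tool itself prints is not necessarily accepted back.
def legacy_ignored?(advisory, ignore_list)
  ignore_list.include?(advisory.id)
end

# Every identifier an advisory may be referred to by: its file id, and the
# CVE and OSVDB numbers with and without prefix. Upcased for case-insensitive
# matching.
def advisory_identifiers(advisory)
  ids = [advisory.id]
  ids += ["CVE-#{advisory.cve}", advisory.cve.to_s] if advisory.cve
  ids += ["OSVDB-#{advisory.osvdb}", advisory.osvdb.to_s] if advisory.osvdb
  ids.map(&:upcase).uniq
end

def ignored?(advisory, ignore_list)
  wanted = ignore_list.map { |s| s.to_s.strip.upcase }
  !(advisory_identifiers(advisory) & wanted).empty?
end

# Always print the prefixed form, so whatever is displayed is accepted by
# --ignore unchanged.
def display_id(advisory)
  if advisory.cve then "CVE-#{advisory.cve}"
  elsif advisory.osvdb then "OSVDB-#{advisory.osvdb}"
  else advisory.id
  end
end

if __FILE__ == $PROGRAM_NAME
  [[UGLIFIER, ['126747']], [BOOTSTRAP, ['CVE-2014-4920']]].each do |adv, ignores|
    puts "#{display_id(adv)} --ignore #{ignores.join(' ')}: " \
         "legacy=#{legacy_ignored?(adv, ignores)} fixed=#{ignored?(adv, ignores)}"
  end
end
```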

--update argument not allowed

The bundle-audit check --update call mentioned in README does not work for me:

vagrant@vagrant-ubuntu-trusty-64:/vagrant$ gem list | grep bundler-audit
bundler-audit (0.4.0)
vagrant@vagrant-ubuntu-trusty-64:/vagrant$ bundle-audit check --update
ERROR: "bundle-audit check" was called with arguments ["--update"]
Usage: "bundle-audit check"

Is-it-vulnerable reports vulnerabilities whereas bundler-audit does not

Hi,

I tried out this service (https://isitvulnerable.com/) after receiving the last Ruby weekly. It reports vulnerabilities in my Gemfile.lock not caught by the latest version of bundler-audit:

jquery-rails 4.0.3
  CSRF Vulnerability in jquery-rails: upgrade to ~> 3.1.3, >= 4.0.4

rest-client 1.6.7
  Rest-Client Gem for Ruby logs password information in plaintext: upgrade to >= 1.7.3
  rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses

What should I think about it?

Thanks

Incompatible with ruby 1.8.7/REE?

Hi,

I'm getting a SyntaxError under REE 1.8.7-2012.02:

bundler-audit-0.1.0/lib/bundler/audit/advisory.rb:56: syntax error, unexpected ')' (SyntaxError)

Is this gem compatible with Ruby 1.8.7? I see no mention of ruby version requirements.

Missing actionpack vulns

Hey man, it looks like the submodule of the vuln db you have is missing the 5 new actionpack vulns:

..
OSVDB-100524.yml
OSVDB-100525.yml
OSVDB-100526.yml
OSVDB-100527.yml
OSVDB-100528.yml

I ran bundler-audit on a 3.2.15 codebase and didn't get any rails issues.

Issues with dynamic Gemfiles

The bundle-audit binary is run with ruby_executable_hooks. By default, this wrapper uses the noexec functionality, documented at https://github.com/mpapis/rubygems-bundler. In turn, this executes the Gemfile in the current directory.

This is problematic if the Gemfile has early termination code, such as

if !File.exist?("/usr/bin/foo")   # File.exists? in the original; that alias was removed in Ruby 3.2
  Bundler.ui.error("You must install `foo` first!")
  raise SystemExit.new(1)
end

When executing under bundle-audit, the error isn't shown, and the command fails silently. This is undesirable, and may lead users to believe that their project passed the audit.

I'm unsure if we can opt out of this somewhere in the gemspec, though that would probably be best. At the least, we should document it and suggest exporting NOEXEC_EXCLUDE=bundle-audit from one's shell to disable Gemfile parsing.

Thanks!

bundle-audit will ignore newer USER_PATH in favor of VENDORED_PATH.

The problem comes from using the most recent commit time of USER_PATH, but trying to use the ctime of the copy in VENDORED_PATH.

Let's say you package up a version of the vendored repo with its last commit being from time T=1.

You release your gem at time T=2.

The upstream vulnerability repo is updated at T=3.

A user installs the gem at T=4.

A user installs a local bundle at T=5.

Using the ctime of the vendored copy means that it will be comparing a vendored copy with a timestamp of T=5 (but whose last commit is from T=1) to a local copy with a last commit of T=2.

The code will thus use an OLDER vendored repo until such time as the vuln database carries a commit newer than the time at which the user installed the gem, and updates his or her local cache.

I'm working on an appropriate fix for this now, which will likely involve snapshotting the ctime of the vendored copy whenever it's updated.

country_select gem unmoved by bundler-audit warning

bundler-audit has started giving the following warning:

Insecure Source URI found: git://github.com/stefanpenner/country_select.git

I reported this on their GitHub site, but the response was that they do not support bundler-audit. Can you please give me some more information about what is causing this warning, so I can try to convince them it is worth fixing?

Safer Loading of YAML

Call me paranoid, but even though bundler-audit seems awesome I feel unsafe using this library anywhere near production code. If the ruby advisory DB is ever compromised, everything's YAML and getting parsed unsafely with Psych. This isn't bundler-audit's fault... Hopefully TenderLove and the other Psych contributors can figure out a sort of #safe_load soon. I'm an optimist :-)

Till then, why don't we use dtao's safe_yaml gem, which gives us YAML.safe_load to only create basic Ruby objects? What does everyone think of this?
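
The following added example (not bundler-audit's or safe_yaml's code) shows the kind of loader the post above asks for, using the YAML.safe_load that Psych itself has since gained: a constructed advisory file is parsed with only Date permitted, and the same file carrying a Ruby object tag is refused. On Ruby 3.1+ YAML.load is a safe load by default, so this mainly matters for the older Psych versions the post has in mind.

```ruby
require 'yaml'
require 'date'

# Constructed advisory in the ruby-advisory-db layout; the CVE is a
# placeholder, not a real identifier.
SAMPLE_ADVISORY = <<~YAML
  ---
  gem: example-gem
  cve: "0000-00000"
  date: 2013-02-11
  title: Example advisory
  patched_versions:
    - ">= 1.2.3"
YAML

# The same file with an object tag of the kind a tampered database could
# carry. A safe loader must refuse to instantiate it.
TAGGED_ADVISORY = SAMPLE_ADVISORY.sub('title: Example advisory',
                                      'title: !ruby/object:Object {}')

# Psych's safe_load builds only scalars, arrays and hashes plus the classes in
# permitted_classes. Advisory files carry an unquoted date, which Psych turns
# into a Date, so Date has to be permitted explicitly; nothing else is.
def load_advisory(text, permitted: [Date])
  YAML.safe_load(text, permitted_classes: permitted, aliases: false)
end

# [:ok, hash] on success, [:rejected, exception class name] when the loader
# refuses the document.
def try_load(text, permitted: [Date])
  [:ok, load_advisory(text, permitted: permitted)]
rescue Psych::Exception => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  p try_load(SAMPLE_ADVISORY)                 # parsed, date is a Date
  p try_load(SAMPLE_ADVISORY, permitted: [])  # Date not permitted: rejected
  p try_load(TAGGED_ADVISORY)                 # object tag: rejected
end
```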

Ignore internal gem source

In our company we have an internal gem server and we need to ignore the warning:

Insecure Source URI found: http://gems.test.com.br/

Help?
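
The three "Insecure Source URI" reports above (a git:// GitHub source, the git:// country_select source, and an internal http:// gem server) all concern transports that give Bundler no way to verify what it fetched; the following added example, not bundler-audit's code, classifies the remote: lines of a Gemfile.lock by scheme and shows an explicit per-host exception for the internal server, which is a safer shape for that case than switching the check off. The lockfile excerpt and its revision are constructed.

```ruby
require 'uri'

# Constructed Gemfile.lock excerpt carrying the three source URIs mentioned in
# the reports above; the revision is a placeholder.
LOCKFILE = <<~LOCK
  GIT
    remote: git://github.com/stefanpenner/country_select.git
    revision: 0000000000000000000000000000000000000000
    specs:
      country_select (1.0.0)

  GEM
    remote: http://gems.test.com.br/
    remote: https://rubygems.org/
    specs:
      rails (4.0.0)
LOCK

# git:// and http:// carry neither encryption nor server authentication, so a
# network attacker can hand Bundler modified gem code. https:// and ssh
# (git@host:path) do authenticate the server.
INSECURE_SCHEMES = %w[git http].freeze
SCP_LIKE = /\A[\w.-]+@[\w.-]+:/   # git@github.com:org/repo.git

def remotes(lockfile)
  lockfile.each_line.map { |line| line[/^\s*remote:\s*(\S+)/, 1] }.compact
end

def source_status(remote, allow_hosts)
  return :secure if remote.match?(SCP_LIKE)   # ssh transport
  uri = URI.parse(remote)
  return :secure unless INSECURE_SCHEMES.include?(uri.scheme)
  allow_hosts.include?(uri.host) ? :allowed : :insecure
end

# Classify every remote in the lockfile. allow_hosts is for an internal gem
# server reachable only on a trusted network, as in the company report; it is
# an explicit, per-host exception rather than a blanket ignore.
def classify_sources(lockfile, allow_hosts: [])
  remotes(lockfile).map { |remote| [remote, source_status(remote, allow_hosts)] }
end

if __FILE__ == $PROGRAM_NAME
  classify_sources(LOCKFILE, allow_hosts: ['gems.test.com.br']).each do |remote, status|
    puts "#{status.to_s.ljust(8)} #{remote}"
  end
end
```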

deleted.

Apologies, issue created in wrong repo!

0.4.0

Goals

  • Remove vendored DB.
  • Support auto-updates.
  • Improve security of parsing YAML.
