No release in over 3 years
Low commit activity in last 3 years
Bundler::Advise

Scans a Gemfile looking for known vulnerable gems.

Installation

Add this line to your application's Gemfile:

gem 'bundler-advise'

And then execute:

$ bundle

Or install it yourself as:

$ gem install bundler-advise

Goal

The intent of this gem is to provide a library alternative to bundler-audit under an MIT license. bundler-audit is intended to be a standalone utility and is licensed under GPLv3; bundler-advise can be integrated into other codebases without GPLv3 licensing concerns.

Both tools fetch and parse the contents of the ruby-advisory-db, so a scan only knows about advisories present in the copy of the database it fetched. bundler-advise has no CLI and does not scan for insecure gem sources (a check bundler-audit performs), but it does support custom advisory databases that match the layout of the data in ruby-advisory-db, for organizations that want to maintain an internal database covering private gems.

Usage

    require 'bundler/advise'

    # Presuming the default ruby-advisory-db on github.com and Dir.pwd is set to
    # project root, containing the project's Gemfile.lock
    advisories = Bundler::Advise::GemAdviser.new.scan_lockfile

    # To change the directory:
    advisories = Bundler::Advise::GemAdviser.new(dir: other_project_dir).scan_lockfile

    # To use a custom advisory db:
    db = Bundler::Advise::Advisories.new(dir: my_custom_db_path, repo: custom_git_url)
    advisories = Bundler::Advise::GemAdviser.new(advisories: db).scan_lockfile
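As an added illustration of the check such a scan performs, and of the data an internal advisory database has to supply, here is a self-contained Ruby script that matches a Gemfile.lock against advisories written in ruby-advisory-db's YAML layout (gem, title, url, patched_versions, unaffected_versions). It is not bundler-advise's own code and does not call its API; the gem names, advisory text and lockfile are constructed for the example, and the matching rule (a locked version is vulnerable unless it falls inside a patched_versions or unaffected_versions range) follows the semantics ruby-advisory-db documents for those fields.

```ruby
require 'yaml'
require 'date'
require 'rubygems'

# Constructed advisory in ruby-advisory-db's YAML layout. The gem name, title
# and URL are placeholders for this example, not a real advisory.
ACME_ADVISORY = <<~YAML
  gem: acme-internal-auth
  date: 2016-01-01
  url: https://example.com/advisories/acme-internal-auth
  title: acme-internal-auth accepts expired session tokens (constructed example)
  patched_versions:
    - "~> 2.0.9"
    - ">= 2.1.4"
  unaffected_versions:
    - "< 1.0"
YAML

# A second constructed advisory whose fix is already present in the lockfile
# below, so the scan must not report it.
RACK_ADVISORY = <<~YAML
  gem: rack
  date: 2016-01-01
  url: https://example.com/advisories/rack
  title: constructed rack advisory, patched in the locked version
  patched_versions:
    - ">= 2.2.0"
YAML

SAMPLE_ADVISORIES = [ACME_ADVISORY, RACK_ADVISORY].freeze

# Constructed Gemfile.lock. Locked gems sit at four spaces of indentation;
# their dependencies sit at six and carry requirements, not versions.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      acme-internal-auth (2.1.3)
        rack (>= 2.0)
      rack (2.2.3)
      rake (13.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    acme-internal-auth
    rake
LOCK

# Map of gem name => Gem::Version for every locked gem (GEM, GIT and PATH
# sections all list their specs at four spaces). A "-platform" suffix such as
# "1.13.3-x86_64-linux" is dropped; lockfile versions themselves never contain
# a hyphen, so splitting on the first one is safe.
def parse_lockfile(text)
  text.each_line.with_object({}) do |line, specs|
    m = line.match(/\A {4}(\S+) \((\S+)\)\s*\z/)
    next unless m
    specs[m[1]] = Gem::Version.new(m[2].split('-', 2).first)
  end
end

# ruby-advisory-db entries may combine constraints, e.g. ">= 4.2.5.1, ~> 4.2.5".
def requirement(str)
  Gem::Requirement.new(*str.split(',').map(&:strip))
end

# A locked version is vulnerable unless it satisfies at least one patched or
# unaffected range; an advisory listing neither matches every version.
def vulnerable?(advisory, version)
  safe_ranges = Array(advisory['unaffected_versions']) + Array(advisory['patched_versions'])
  safe_ranges.none? { |range| requirement(range).satisfied_by?(version) }
end

# ruby-advisory-db writes dates unquoted, so Date must be permitted explicitly
# under YAML.safe_load.
def load_advisory(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [Date])
end

# Returns one finding per advisory whose gem is locked at a vulnerable version.
def scan(lockfile_text, advisory_yamls)
  locked = parse_lockfile(lockfile_text)
  advisory_yamls.map { |y| load_advisory(y) }.each_with_object([]) do |adv, findings|
    version = locked[adv['gem']]
    next unless version && vulnerable?(adv, version)
    findings << { gem: adv['gem'], version: version.to_s, title: adv['title'], url: adv['url'] }
  end
end

if $PROGRAM_NAME == __FILE__
  scan(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES).each do |f|
    puts "#{f[:gem]} #{f[:version]}: #{f[:title]} (#{f[:url]})"
  end
end
```

Run with `ruby scan.rb`: only acme-internal-auth 2.1.3 is reported, because 2.1.3 falls in the gap between the "~> 2.0.9" and ">= 2.1.4" ranges, while rack 2.2.3 satisfies ">= 2.2.0". When writing advisories for private gems, list every maintained release line under patched_versions; any locked version outside all listed ranges is treated as vulnerable, so an incomplete list produces false positives rather than silence.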

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/chrismo/bundler-advise.

License

The gem is available as open source under the terms of the MIT License.