Project

gemsurance

0.1
Repository is archived
No release in over 3 years
Low commit activity in last 3 years
There's a lot of open issues
Gem vulnerability and version checker
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Runtime

>= 1.2, < 3.0
>= 0.8
~> 1.2
 Project Readme

Build Status Gem Version Code Climate

Gemsurance: Insurance for your Gems

Gemsurance is a tool for monitoring if any of your Ruby Gems are out-of-date or vulnerable. It uses Bundler and the Ruby Advisory Database to do so. It's similar to bundler-audit, but outputs an HTML report and determines which gems are out-of-date as well.

Getting started

To install Gemsurance, add

gem 'gemsurance'

to your Gemfile and run bundle install.

Use gemsurance by running

bundle exec gemsurance [options]

from the directory containing the Gemfile whose gems you wish to check.

This will output an HTML file (named gemsurance_report.html by default) in the current directory containing a report of your gem status: which gems are out-of-date and which gems have reported vulnerabilities in the Ruby Advisory Database. The Ruby Advisory Database git repo will be checked out into tmp/vulnerabilities relative to the working directory.

Example Gemsurance report

Gems that are up-to-date are colored green and gems that are out-of-date but without reported vulnerabilities are colored yellow. Vulnerable gems are colored red, and information about the vulnerability and versions with a patch for the issue is displayed in the rightmost column.

Gemsurance exits with code 0 if there are no gems with reported vulnerabilities and code 1 if there are any such gems.

Integration into a Rails RSpec suite

Running the gemsurance check as part of your RSpec test suite will cause an RSpec failure whenever a gem with a known vulnerability is detected in your application. This is incredibly useful if your application is tested regularly by a CI build. You can set this up by adding sample_spec/gemsurance_spec.rb to your RSpec tests.

Command-line options

Command-line options to the gemsurance executable are as follows:

  • --pre: Consider pre-release gem versions
  • --output FILE: Output report to specified file
  • --whitelist FILE: Read whitelist from file. Defaults to .gemsurance.yml
  • --format FORMAT: Output report to specified format (html, csv, & yml available). Html by default.

The whitelist must be in the format

---
nokogiri:
  CVE-2015-1819:
    - 1.5.9
    - 1.6.0
  OSVDB-101179:
    - 1.5.6
    - 1.6.0

TODOs

  • Support Git versions of gems
  • Formatting as JSON

Contributing

Contributions are always welcome. Please fork the repo and create a pull request or create an issue.

Acknowledgements

Thanks to Bundler and the Ruby Advisory Database, upon which Gemsurance is based.

License

MIT License.