Gemsurance: Insurance for your Gems
Gemsurance is a tool for monitoring if any of your Ruby Gems are out-of-date or vulnerable. It uses Bundler and the Ruby Advisory Database to do so. It's similar to bundler-audit, but outputs an HTML report and determines which gems are out-of-date as well.
Getting started
To install Gemsurance, add
gem 'gemsurance'
to your Gemfile and run bundle install.
Use gemsurance by running
bundle exec gemsurance [options]
from the directory containing the Gemfile whose gems you wish to check.
This will output an HTML file (named gemsurance_report.html by default) in the current directory containing a report of your gem status: which gems are out-of-date and which gems have reported vulnerabilities in the Ruby Advisory Database. The Ruby Advisory Database git repo will be checked out into tmp/vulnerabilities relative to the working directory.
Gems that are up-to-date are colored green and gems that are out-of-date but without reported vulnerabilities are colored yellow. Vulnerable gems are colored red, and information about the vulnerability and versions with a patch for the issue is displayed in the rightmost column.
Gemsurance exits with code 0 if there are no gems with reported vulnerabilities and code 1 if there are any such gems.
Integration into a Rails RSpec suite
Running the gemsurance check as part of your RSpec test suite will cause an RSpec failure whenever a gem with a known vulnerability is detected in your application. This is incredibly useful if your application is tested regularly by a CI build. You can set this up by adding sample_spec/gemsurance_spec.rb to your RSpec tests.
Command-line options
Command-line options to the gemsurance executable are as follows:
- --pre: Consider pre-release gem versions
- --output FILE: Output report to specified file
- --whitelist FILE: Read whitelist from file. Defaults to .gemsurance.yml
- --format FORMAT: Output report to specified format (html, csv, & yml available). Html by default.
The whitelist must be in the format
---
nokogiri:
CVE-2015-1819:
- 1.5.9
- 1.6.0
OSVDB-101179:
- 1.5.6
- 1.6.0
TODOs
- Support Git versions of gems
- Formatting as JSON
Contributing
Contributions are always welcome. Please fork the repo and create a pull request or create an issue.
Acknowledgements
Thanks to Bundler and the Ruby Advisory Database, upon which Gemsurance is based.
License
MIT License.