bundler-audit is a small utility which can check your Gemfile’s contents against the Ruby Advisory Database. You can simply run it via bundle audit and it will report insecure gem sources as well as library versions that have known vulnerabilities:
$ bundle audit
Insecure Source URI found: git://github.com/compass/compass-rails.git
Insecure Source URI found: git://github.com/sinatra/sinatra.git
Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-8048
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/pull/1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: paperclip
Version: 4.3.7
Advisory: CVE-2017-0889
Criticality: High
URL: https://github.com/thoughtbot/paperclip/pull/2435
Title: Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.
Solution: upgrade to >= 5.2.0

Vulnerabilities found!
To update your local copy of the Ruby Advisory DB you can use the following command:
$ bundle audit update
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up to date.
Current branch master is up to date.
Updated ruby-advisory-db
ruby-advisory-db: 317 advisories
You can also combine both of these operations via the bundle audit check --update command, which we execute as part of our CI pipeline.
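When the audit runs in CI, the build usually needs a decision rather than a wall of text. The following Ruby script is an added example, not part of the original post or of bundler-audit itself: it parses the report format shown above into structured records and fails only on insecure sources and advisories at or above a chosen criticality. The report text is a constructed sample taken from the output quoted above (URL and Title lines omitted), and the criticality ranking is an assumption of this example, not something bundler-audit defines.

```ruby
# Constructed sample: the report quoted in the post, minus URL/Title lines.
SAMPLE_REPORT = <<~REPORT
  Insecure Source URI found: git://github.com/compass/compass-rails.git
  Insecure Source URI found: git://github.com/sinatra/sinatra.git
  Name: nokogiri
  Version: 1.8.2
  Advisory: CVE-2018-8048
  Criticality: Unknown
  Solution: upgrade to >= 1.8.3

  Name: paperclip
  Version: 4.3.7
  Advisory: CVE-2017-0889
  Criticality: High
  Solution: upgrade to >= 5.2.0

  Vulnerabilities found!
REPORT

# Assumed ranking; "Unknown" ranks with Medium so unscored advisories are not waved through.
CRITICALITY_RANK = { 'low' => 1, 'medium' => 2, 'unknown' => 2, 'high' => 3, 'critical' => 4 }.freeze

# Parse the report into { insecure_sources: [uri, ...], advisories: [{ name:, version:, ... }] }.
def parse_audit_report(text)
  result = { insecure_sources: [], advisories: [] }
  current = nil
  text.each_line(chomp: true) do |line|
    if (m = line.match(/\AInsecure Source URI found: (.+)\z/))
      result[:insecure_sources] << m[1]
    elsif (m = line.match(/\A(Name|Version|Advisory|Criticality|URL|Title|Solution): (.+)\z/))
      key = m[1].downcase.to_sym
      if key == :name # each "Name:" line opens a new advisory record
        current = {}
        result[:advisories] << current
      end
      current[key] = m[2] if current
    end
  end
  result
end

# CI gate: every insecure source fails; advisories fail at or above min_criticality,
# and an unrecognised criticality string is treated as failing.
def audit_failures(report, min_criticality: 'high')
  threshold = CRITICALITY_RANK.fetch(min_criticality.downcase)
  bad = report[:advisories].select do |a|
    CRITICALITY_RANK.fetch(a[:criticality].to_s.downcase, threshold) >= threshold
  end
  report[:insecure_sources].map { |uri| "insecure source #{uri}" } +
    bad.map { |a| "#{a[:name]} #{a[:version]}: #{a[:advisory]} (#{a[:criticality]}), #{a[:solution]}" }
end
```

A CI step would pipe the real `bundle audit check --update` output into this and exit non-zero when `audit_failures` returns anything; lowering `min_criticality` to 'medium' also catches the Unknown-rated nokogiri advisory.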
Bonus tip: when updating your vulnerable gem you may want to keep changes to a minimum, and bundle update has a useful --conservative option which will not update any shared dependencies.