Check RubyGems Vulnerabilities

[TamerShlash]

Greetings,

Mainly inspired by "Multiple vulnerabilities in RubyGems" blog post on official Ruby website, I was thinking whether bundler-audit should check for vulnerabilities in RubyGems itself or not.

It would be great if it did in my opinion.

[modosc]

i think it would if the vulns were merged into the db but that pr is still open:

rubysec/ruby-advisory-db#298

[errm]

There is also this project https://github.com/civisanalytics/ruby_audit that can check rubygems and the current ruby against the ruby-advisory-db

[modosc]

thanks @errm - it's dead though, no updates in a while.

[modosc]

thanks @errm - it's dead though, no updates in a while.

[errm]

It does work though... and since is using the ruby-advisory-db is as up to date as that is... there don't seem to be any open issues so I guess its just inactive because it just works :)
Perhaps @jeffreyc could comment on it's current state?

[jeffreyc]

@errm is correct: it continues to work and no one's filed any issues, so there's been no need for any changes (though I should update it to use bundler-audit 0.6.0). It actually started as #118, which needs some love, but could be updated to add this behavior to bundler-audit, if the rubysec team wanted to go in that direction.

[postmodern]

It would require adding special logic for handling rubygems vulnerabilities, since rubygems comes vendored (but not as a gem) with ruby and can also be updated via installing the rubygems-update gem. I'm assuming this feature would just have to check vulnerable version ranges against Gem::VERSION and instruct the user to run gem update --system? I think it's fine for ruby_audit to take on this feature, as bundler-audit purpose is to audit your bundled projects/apps, not necessarily your runtime/development environment.

[ericsullivan]

You can specify a ruby version in bundler, which creates an entry in Gemfile.lock. Should bundler-audit evaluate that entry for vulnerabilities?
ruby_audit doesn't use that version (it calls ruby --version).

[postmodern]

@ericsullivan that would be more useful than just checking the current ruby version bundler-audit happens to be running under. However, bundler doesn't record or require specific rubygems versions. So even if you are running a patched version of rubygems, your production environment may not be; and vice versa.

[ericsullivan]

Right, it's only half of a solution. If you specify a ruby version in the Gemfile and it doesn't match bundler throws an error and doesn't start, so it is a nice way to ensure your app is running on the correct ruby version. That you can't specify rubygems is unfortunate.

[ericsullivan]

As an update, specifying the RubyGems version in bundler is not a feature the team would like to take on at this time.

[TamerShlash]

I guess I understand now why this does not belong here.