Repository archived on 25/Feb/2023
Stars: 212
Rank: 186,122 (Top 4 %)
Language: Ruby
License: MIT License
Created over 11 years ago; updated almost 3 years ago


Gem vulnerability checker using rubysec/ruby-advisory-db

Gemsurance: Insurance for your Gems

Gemsurance is a tool for monitoring if any of your Ruby Gems are out-of-date or vulnerable. It uses Bundler and the Ruby Advisory Database to do so. It's similar to bundler-audit, but outputs an HTML report and determines which gems are out-of-date as well.

Getting started

To install Gemsurance, add

gem 'gemsurance'

to your Gemfile and run bundle install.

Use gemsurance by running

bundle exec gemsurance [options]

from the directory containing the Gemfile whose gems you wish to check.

This will output an HTML file (named gemsurance_report.html by default) in the current directory containing a report of your gem status: which gems are out-of-date and which gems have reported vulnerabilities in the Ruby Advisory Database. The Ruby Advisory Database git repo will be checked out into tmp/vulnerabilities relative to the working directory.

(Screenshot: example Gemsurance report)

Gems that are up-to-date are colored green and gems that are out-of-date but without reported vulnerabilities are colored yellow. Vulnerable gems are colored red, and information about the vulnerability and versions with a patch for the issue is displayed in the rightmost column.

Gemsurance exits with code 0 if there are no gems with reported vulnerabilities and code 1 if there are any such gems.

Integration into a Rails RSpec suite

Running the gemsurance check as part of your RSpec test suite will cause an RSpec failure whenever a gem with a known vulnerability is detected in your application. This is incredibly useful if your application is tested regularly by a CI build. You can set this up by adding sample_spec/gemsurance_spec.rb to your RSpec tests.
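As an added illustration (this is not the project's sample_spec/gemsurance_spec.rb, which is not reproduced on this page), the spec below wraps the exit-code contract stated above: 0 means no gems with reported vulnerabilities, 1 means at least one. The run_gemsurance helper, its command: keyword and the GEMSURANCE_COMMAND constant are assumptions of this example. Any exit status other than 0 or 1 is treated as the tool itself failing to run, so a missing executable or a failed checkout of the advisory database raises instead of silently passing the suite.

```ruby
require 'open3'

# Assumed default invocation; --format yml keeps the CI artifact small and
# --output puts the report where a CI job can collect it (both documented flags).
GEMSURANCE_COMMAND = %w[bundle exec gemsurance --format yml --output tmp/gemsurance_report.yml].freeze

GemsuranceError = Class.new(StandardError)

# Run gemsurance and return its exit status. Per the README, 0 means no gems
# with known advisories and 1 means at least one. Any other status means the
# tool did not run to completion (not installed, advisory DB checkout failed),
# which must not be confused with a clean result.
def run_gemsurance(command: GEMSURANCE_COMMAND)
  _stdout, stderr, status = Open3.capture3(*command)
  unless [0, 1].include?(status.exitstatus)
    raise GemsuranceError,
          "gemsurance failed (exit #{status.exitstatus.inspect}): #{stderr.strip}"
  end
  status.exitstatus
end

# True when gemsurance reported at least one gem with a known advisory.
def vulnerable_gems_detected?(command: GEMSURANCE_COMMAND)
  run_gemsurance(command: command) == 1
end

# The RSpec example group is only defined when the file is loaded by rspec,
# so the helpers above can also be reused from a Rake task or a CI script.
if defined?(RSpec)
  RSpec.describe 'Gem vulnerabilities' do
    it 'are not present in the bundle according to the Ruby Advisory Database' do
      expect(vulnerable_gems_detected?).to be(false)
    end
  end
end
```

Drop the file into spec/ of a Rails application; because the advisory database is checked out into tmp/vulnerabilities on each run, the example needs network access (or a cached checkout) on the CI worker.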

Command-line options

Command-line options to the gemsurance executable are as follows:

  • --pre: Consider pre-release gem versions
  • --output FILE: Output report to specified file
  • --whitelist FILE: Read whitelist from file. Defaults to .gemsurance.yml
  • --format FORMAT: Output report in the specified format (html, csv, and yml are available). HTML by default.

The whitelist file must use the following format:

---
nokogiri:
  CVE-2015-1819:
    - 1.5.9
    - 1.6.0
  OSVDB-101179:
    - 1.5.6
    - 1.6.0
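The following added example (not Gemsurance's own code) parses a whitelist in the format shown above and applies it to a constructed list of findings, returning the exit code the README documents. It assumes the natural reading of the format: a finding for a gem is suppressed when the installed version is listed under that advisory's entry. The function names (parse_whitelist, load_whitelist, whitelisted?, unwhitelisted_findings, exit_code_for, report), the finding hash shape and the advisory id ADVISORY-PLACEHOLDER are all assumptions of this example. One caveat it handles: YAML reads an unquoted version such as 1.6 as the Float 1.6, which would never match the installed version string "1.6", so every version is normalised to a string.

```ruby
require 'yaml'

# Whitelist in the README's format, embedded here as a constructed sample.
SAMPLE_WHITELIST = <<~YAML
  ---
  nokogiri:
    CVE-2015-1819:
      - 1.5.9
      - 1.6.0
    OSVDB-101179:
      - 1.5.6
      - 1.6.0
YAML

# Parse whitelist text into { gem_name => { advisory_id => [versions] } }.
# Versions are normalised to strings: an unquoted "1.6" would otherwise be
# loaded as a Float and never equal the installed version "1.6".
def parse_whitelist(text)
  data = YAML.safe_load(text) || {}
  raise ArgumentError, 'whitelist must be a mapping of gem names' unless data.is_a?(Hash)

  data.each_with_object({}) do |(gem_name, advisories), out|
    out[gem_name.to_s] = (advisories || {}).each_with_object({}) do |(advisory, versions), acc|
      acc[advisory.to_s] = Array(versions).map(&:to_s)
    end
  end
end

# Mirrors the --whitelist option's default: an absent file is an empty whitelist.
def load_whitelist(path = '.gemsurance.yml')
  File.exist?(path) ? parse_whitelist(File.read(path)) : {}
end

# A finding is { gem:, version:, advisory: }. Assumed semantics: it is
# whitelisted when the installed version is listed under that advisory.
def whitelisted?(whitelist, finding)
  whitelist.dig(finding[:gem], finding[:advisory])&.include?(finding[:version]) || false
end

def unwhitelisted_findings(whitelist, findings)
  findings.reject { |finding| whitelisted?(whitelist, finding) }
end

# Exit-code contract from the README: 0 when nothing is left to report, else 1.
def exit_code_for(findings)
  findings.empty? ? 0 : 1
end

# Prints the findings that survive the whitelist and returns the exit code.
def report(whitelist, findings, io: $stdout)
  remaining = unwhitelisted_findings(whitelist, findings)
  remaining.each { |f| io.puts "#{f[:gem]} #{f[:version]}: #{f[:advisory]}" }
  exit_code_for(remaining)
end

# Constructed findings; ADVISORY-PLACEHOLDER stands in for a real advisory id.
SAMPLE_FINDINGS = [
  { gem: 'nokogiri', version: '1.6.0', advisory: 'CVE-2015-1819' },        # whitelisted
  { gem: 'nokogiri', version: '1.6.1', advisory: 'CVE-2015-1819' },        # still reported
  { gem: 'nokogiri', version: '1.5.6', advisory: 'OSVDB-101179' },         # whitelisted
  { gem: 'rack',     version: '1.4.0', advisory: 'ADVISORY-PLACEHOLDER' }, # still reported
].freeze

report(parse_whitelist(SAMPLE_WHITELIST), SAMPLE_FINDINGS)
```

Note that a whitelist entry suppresses one advisory for specific versions only: upgrading nokogiri from 1.6.0 to 1.6.1 in the sample above re-surfaces CVE-2015-1819 until the whitelist is updated, which is the intended behaviour of a per-version accept list.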

TODOs

  • Support Git versions of gems
  • Formatting as JSON

Contributing

Contributions are always welcome. Please fork the repo and create a pull request or create an issue.

Acknowledgements

Thanks to Bundler and the Ruby Advisory Database, upon which Gemsurance is based.

License

MIT License.
