
Feature request: Audit ruby version, when specified #229

Open
fatkodima opened this issue Oct 22, 2019 · 6 comments

@fatkodima
Contributor

When Gemfile.lock includes a ruby version, something like

RUBY VERSION
   ruby 2.7.0p-1

then verify it for vulnerabilities.
If this is a valuable feature for this project, then I will send a PR.
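An added example (not bundler-audit's own code) of the check this request describes: parse the RUBY VERSION section of a Gemfile.lock, normalize the version, and match it against advisories laid out like ruby-advisory-db's rubies/ruby entries. The lockfile and the advisory records are constructed sample data, and the field names (engine, cve, unaffected_versions, patched_versions) are an assumption about that layout.

```ruby
require 'rubygems'

# Constructed sample Gemfile.lock (trimmed to the sections that matter here).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.1)

  RUBY VERSION
     ruby 2.7.0p0

  BUNDLED WITH
     2.1.4
LOCK

# Constructed advisories in the assumed ruby-advisory-db field layout.
# Ranges are Gem::Requirement strings; ids are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
  { 'engine' => 'ruby', 'cve' => 'EXAMPLE-1', 'title' => 'constructed advisory A',
    'unaffected_versions' => ['< 2.5.0'], 'patched_versions' => ['~> 2.6.10', '~> 2.7.8', '>= 3.0.0'] },
  { 'engine' => 'ruby', 'cve' => 'EXAMPLE-2', 'title' => 'constructed advisory B',
    'unaffected_versions' => ['< 2.7.0'], 'patched_versions' => ['>= 2.7.1'] },
]

# Returns [engine, Gem::Version] from the RUBY VERSION section, or nil when absent.
def parse_ruby_version(lockfile)
  section = lockfile[/^RUBY VERSION\n\s+(.+)$/, 1] or return nil
  engine, version = section.split(' ', 2)
  # "2.7.0p0" -> "2.7.0": the patch level is not part of the comparable version.
  [engine, Gem::Version.new(version.sub(/p-?\d+\z/, ''))]
end

# A version is vulnerable unless some unaffected or patched range covers it.
def vulnerable?(advisory, version)
  ranges = advisory.fetch('unaffected_versions', []) + advisory.fetch('patched_versions', [])
  ranges.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Returns the ids of advisories that apply to the lockfile's ruby version.
def audit_ruby(lockfile, advisories = SAMPLE_ADVISORIES)
  engine, version = parse_ruby_version(lockfile)
  return [] unless engine
  advisories.select { |a| a['engine'] == engine && vulnerable?(a, version) }.map { |a| a['cve'] }
end

puts audit_ruby(SAMPLE_LOCKFILE).inspect
```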

@jmks

jmks commented Mar 31, 2020

It would also be nice if something could audit rubygems which I know is not in the lock file.

@lucasluitjes

A few years back I wrote https://github.com/lucasluitjes/recent_ruby which does exactly that. I don't know if it meets the project standards for bundler-audit but I thought I'd mention it just in case it's helpful.

@fatkodima
Contributor Author

@postmodern @reedloden Before I invest some time into this feature, is this something that will be merged?

@etagwerker

@fatkodima I would be interested in something like this, not sure if @postmodern would agree.

@lucasluitjes Does recent_ruby include a feature to list known CVEs for the Ruby version you are using?

It would be useful to know that if you are using Ruby 2.7.x, then you have this known CVE to worry about: https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/

@lucasluitjes

@etagwerker No, recent_ruby only checks if the build file for that ruby version in the ruby-build repository contains warn_eol (for example https://github.com/rbenv/ruby-build/blob/master/share/ruby-build/2.7.7), and that you're on the latest patch release.

Listing CVEs would be a handy feature though. Not sure where to reliably pull that data from. I looked at https://github.com/rubysec/ruby-advisory-db/tree/master/rubies/ruby but it doesn't seem up to date (CVE-2023-28756 isn't in there, for example). If you know a good data source, feel free to make an issue on the https://github.com/lucasluitjes/recent_ruby repository.

@postmodern
Member

Apparently bundler 2.4 now requires that the RUBY VERSION versions be listed if the Gemfile contains a ruby '...' declaration.
https://devcenter.heroku.com/changelog-items/2809

Although, I'm still not 100% certain that the ruby version in the Gemfile.lock will always match the actual ruby version that's used in production?
