Adding gem auditing to CI process

June 24, 2015

One part of the development process that is all too often overlooked is security. Although we may follow the Rails Guides advice for securing our applications, what about our external dependencies?

The average Gemfile for most Rails applications is chock full of references to gems created by third parties. How will you know if any of these have a known vulnerability? Luckily, bundler-audit is here to help.

First, we install the gem:

gem install bundler-audit

To use it we run bundle-audit from the command line. Here is example output from an outdated Rails application:

Name: activesupport
Version: 4.1.6
Advisory: CVE-2015-3227
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
Title: Possible Denial of Service attack in Active Support
Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22

Name: http
Version: 0.6.3
Advisory: CVE-2015-1828
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/httprb/jkb4oxwZjkU
Title: HTTPS MitM vulnerability in http.rb
Solution: upgrade to >= 0.7.3, ~> 0.6.4

Name: jquery-rails
Version: 3.1.2
Advisory: CVE-2015-1840
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
Title: CSRF Vulnerability in jquery-ujs and jquery-rails
Solution: upgrade to >= 4.0.4, ~> 3.1.3

Now we can read up on the vulnerabilities which affect our application, and make it our priority to update the Gemfile.

Whilst we can run this manually, it's more helpful to run it as part of your deploy process. The bundle-audit command happily returns a non-zero exit code if it finds any unpatched gems, which will cause your build to fail.
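One way to wire this into a CI step, as an added example that is not from the post or from bundler-audit itself: the script below refreshes the local advisory database first (a stale copy reports nothing), runs the check, parses the report format shown above into a short summary, and returns a status the build can fail on. The file name ci_audit.rb and the JSON summary are my own choices; it assumes a bundler-audit that provides the update subcommand.

```ruby
# ci_audit.rb (hypothetical name): run bundler-audit in CI and turn its
# report into a structured summary. Added example, not bundler-audit's code.
require "open3"
require "json"

# Parse the blank-line-separated "Key: value" blocks that bundle-audit prints
# into an array of hashes; blocks without an Advisory line (for example the
# trailing "Vulnerabilities found!" banner) are dropped.
def parse_advisories(output)
  output.split(/\n{2,}/).map do |block|
    block.lines.each_with_object({}) do |line, fields|
      key, value = line.chomp.split(": ", 2)
      fields[key] = value if key && value
    end
  end.select { |fields| fields.key?("Advisory") }
end

# Summary for the build log. A Criticality of "Unknown" still counts:
# an unscored advisory is not a harmless one.
def summarize(advisories)
  {
    "count" => advisories.size,
    "gems"  => advisories.map { |a| "#{a['Name']} #{a['Version']}" }.uniq,
    "ids"   => advisories.map { |a| a["Advisory"] },
  }
end

# Refresh the ruby-advisory-db copy, then check Gemfile.lock. Returns the
# exit status for CI: 0 clean, 1 advisories found, 2 tooling failure.
def run_audit
  out, status = Open3.capture2e("bundle-audit", "update")
  unless status.success?
    warn "advisory database update failed:\n#{out}"
    return 2
  end
  out, status = Open3.capture2e("bundle-audit", "check")
  advisories = parse_advisories(out)
  puts JSON.pretty_generate(summarize(advisories))
  puts out unless status.success?
  status.success? && advisories.empty? ? 0 : 1
rescue Errno::ENOENT
  warn "bundle-audit is not installed on this build agent"
  2
end
```

Invoke it from the CI step as ruby -r ./ci_audit -e 'exit run_audit' so the non-zero status fails the build.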

It's important to take security seriously, and this helps make it part of your day-to-day development.