bundler-audit alternatives and similar gems
Based on the "Security" category.
Alternatively, view bundler-audit alternatives based on common mentions on social networks and blogs.
- Bearer: Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.
- Hashids: A small Ruby gem to generate YouTube-like hashes from one or many numbers. Use hashids when you do not want to expose your database ids to the user.
- Ronin: Ronin is a Free and Open Source Ruby Toolkit for Security Research and Development. Ronin also allows for the rapid development and distribution of code, exploits, payloads, etc., via 3rd-party git repositories.
- Rack::UTF8Sanitizer: Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters in request URI and headers.
- ActiveHashcash: Protect Rails applications against bots and brute force attacks without annoying humans.
- ronin-vulns: Tests URLs for Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL injection (SQLi), Cross Site Scripting (XSS), Server Side Template Injection (SSTI), and Open Redirects.
- TSS - Threshold Secret Sharing: A Ruby implementation of Threshold Secret Sharing (Shamir) as defined in IETF Internet-Draft draft-mcgrew-tss-03.txt.
- Rack::ContentSecurityPolicy: DISCONTINUED. Rack middleware for declaratively setting the HTTP Content-Security-Policy (W3C CSP Level 2/3) security header to help prevent XSS and other browser-based attacks.
- sessionKeys: A tool for the deterministic generation of unique user IDs and NaCl cryptographic keys from a single username and high-entropy passphrase.
README
bundler-audit
Description
Patch-level verification for bundler.
Features
- Checks for vulnerable versions of gems in Gemfile.lock.
- Checks for insecure gem sources (http:// and git://).
- Allows ignoring certain advisories that have been manually worked around.
- Prints advisory information.
- Does not require a network connection.
Synopsis
Audit a project's Gemfile.lock:
$ bundle-audit
Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91452
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/91452
Title: XSS vulnerability in sanitize_css in Action Pack
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-91454
Criticality: Medium
URL: http://osvdb.org/show/osvdb/91454
Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: actionpack
Version: 3.2.10
Advisory: OSVDB-89026
Criticality: High
URL: http://osvdb.org/show/osvdb/89026
Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-91453
Criticality: High
URL: http://osvdb.org/show/osvdb/91453
Title: Symbol DoS vulnerability in Active Record
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-90072
Criticality: Medium
URL: http://direct.osvdb.org/show/osvdb/90072
Title: Ruby on Rails Active Record attr_protected Method Bypass
Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12

Name: activerecord
Version: 3.2.10
Advisory: OSVDB-89025
Criticality: High
URL: http://osvdb.org/show/osvdb/89025
Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: activesupport
Version: 3.2.10
Advisory: OSVDB-91451
Criticality: High
URL: http://www.osvdb.org/show/osvdb/91451
Title: XML Parsing Vulnerability affecting JRuby users
Solution: upgrade to ~> 3.1.12, >= 3.2.13

Unpatched versions found!
Update the ruby-advisory-db that bundle audit uses:
$ bundle-audit update
Updating ruby-advisory-db ...
remote: Counting objects: 44, done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 39 (delta 19), reused 29 (delta 10)
Unpacking objects: 100% (39/39), done.
From https://github.com/rubysec/ruby-advisory-db
* branch master -> FETCH_HEAD
Updating 5f8225e..328ca86
Fast-forward
CONTRIBUTORS.md | 1 +
gems/actionmailer/OSVDB-98629.yml | 17 +++++++++++++++++
gems/cocaine/OSVDB-98835.yml | 15 +++++++++++++++
gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
gems/sounder/OSVDB-96278.yml | 13 +++++++++++++
gems/wicked/OSVDB-98270.yml | 14 ++++++++++++++
6 files changed, 73 insertions(+)
create mode 100644 gems/actionmailer/OSVDB-98629.yml
create mode 100644 gems/cocaine/OSVDB-98835.yml
create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
create mode 100644 gems/sounder/OSVDB-96278.yml
create mode 100644 gems/wicked/OSVDB-98270.yml
ruby-advisory-db: 64 advisories
Update the ruby-advisory-db and check Gemfile.lock (useful for CI runs):
$ bundle-audit check --update
Check the Gemfile.lock without updating the ruby-advisory-db:
$ bundle-audit check --no-update
Ignore specific advisories:
$ bundle-audit check --ignore OSVDB-108664
Check a custom Gemfile.lock file:
$ bundle-audit check --gemfile-lock Gemfile.custom.lock
Output the audit's results in JSON:
$ bundle-audit check --format json
Output the audit's results in JSON, to a file:
$ bundle-audit check --format json --output bundle-audit.json
Rake Tasks
Bundler-audit provides rake tasks for checking the code and for updating its vulnerability database. Simply add the following code to the Rakefile:
require 'bundler/audit/task'
Bundler::Audit::Task.new
The following rake tasks will then become available:
$ rake -T
rake bundle:audit
rake bundle:audit:update
Configuration File
bundler-audit also supports a per-project configuration file, .bundler-audit.yml:
---
ignore:
- CVE-YYYY-XXXX
- ...

ignore: [Array<String>] - A list of advisory IDs to ignore.
You can provide a path to a config file using the --config flag:
$ bundle-audit check --config bundler-audit.custom.yaml
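To make the two checks from the Synopsis and the ignore list from the Configuration File section concrete, here is an added Ruby example; it is not bundler-audit's own code and does not use its API. It applies the same rules to a constructed Gemfile.lock: flag http:// and git:// sources, and flag a gem whose version satisfies none of an advisory's patched-version requirements, skipping advisory IDs listed under ignore: in a .bundler-audit.yml-style document. The lockfile, config and advisory records are constructed; the patched ranges are copied from the README's Solution lines.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement (Ruby stdlib)
require 'yaml'
# Constructed Gemfile.lock: a plain-http source plus actionpack 3.2.10,
# the version the README's sample run flags.
LOCKFILE = <<~LOCK
  GEM
    remote: http://rubygems.org/
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.10)
        activesupport (= 3.2.10)
      rake (13.0.6)
LOCK
# Constructed advisory records; patched ranges are the README's "Solution:" lines.
ADVISORIES = [
  { id: 'OSVDB-91452', gem: 'actionpack', patched: ['~> 2.3.18', '~> 3.1.12', '>= 3.2.13'] },
  { id: 'OSVDB-89026', gem: 'actionpack', patched: ['~> 2.3.15', '~> 3.0.19', '~> 3.1.10', '>= 3.2.11'] },
]
CONFIG_YAML = "---\nignore:\n  - OSVDB-91452\n" # constructed .bundler-audit.yml

# Pull 'remote:' sources and top-level 'name (version)' specs from a lockfile.
def parse_lockfile(text)
  sources = text.scan(/^ *remote: (\S+)/).flatten
  gems = text.scan(/^ {4}(\S+) \(([^)]+)\)$/).to_h # 4-space indent = top-level spec
  [sources, gems]
end

# A source is insecure when gems are fetched over plain http:// or git://.
def insecure_sources(sources)
  sources.select { |s| s.start_with?('http://', 'git://') }
end

# A gem is unpatched when its version satisfies none of the patched requirements.
def unpatched?(version, patched)
  v = Gem::Version.new(version)
  patched.none? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Run both checks, skipping advisory IDs listed under 'ignore:' in the config.
def audit(lockfile, advisories, config_yaml)
  ignored = (YAML.safe_load(config_yaml) || {})['ignore'] || []
  sources, gems = parse_lockfile(lockfile)
  findings = insecure_sources(sources).map { |s| { type: :insecure_source, source: s } }
  advisories.each do |adv|
    version = gems[adv[:gem]]
    next if version.nil? || ignored.include?(adv[:id]) || !unpatched?(version, adv[:patched])
    findings << { type: :unpatched_gem, id: adv[:id], gem: adv[:gem], version: version }
  end
  findings
end
```

With the constructed inputs, audit(LOCKFILE, ADVISORIES, CONFIG_YAML) reports the http:// source and OSVDB-89026 only, because OSVDB-91452 is ignored; dropping the ignore list yields three findings.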
Requirements
Install
$ [sudo] gem install bundler-audit
Git
- Debian / Ubuntu:
$ sudo apt install git
- RedHat / Fedora:
$ sudo dnf install git
- Alpine Linux:
$ apk add git
- macOS:
$ brew install git
Contributing
- Fork the repository: https://github.com/rubysec/bundler-audit/fork
- git clone YOUR_FORK_URI
- cd bundler-audit/
- bundle install
- bundle exec rake spec
- git checkout -b YOUR_FEATURE
- Make your changes
- bundle exec rake spec
- git commit -a
- git push origin YOUR_FEATURE
License
Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
bundler-audit is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
bundler-audit is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with bundler-audit. If not, see https://www.gnu.org/licenses/.