[LRUG] Fwd: Keeping track of new security vulnerabilities?

Mark Burns markthedeveloper at gmail.com
Fri Sep 20 02:21:48 PDT 2013

Code Climate provides a paid-for security service. I'm not sure if it is
any more comprehensive than any others, but it's at least another option
to throw into the mix.

On Thursday, 19 September 2013, Joel Chippindale wrote:

> LRUGers
> If you want to keep up to date with the latest known security
> vulnerabilities with Ruby and the gems you are using, there seem to be many
> different places to look, for example:
> - For rails there is the rubyonrails-security mailing list (
> https://groups.google.com/forum/#!forum/rubyonrails-security) which has
> rails covered but what about any of the other ruby gems you rely on?
> - It is unclear to me whether the ruby-security-ann mailing list is still
> active (https://groups.google.com/forum/#!forum/ruby-security-ann).
> - The National Vulnerability Database (
> http://web.nvd.nist.gov/view/vuln/search-results?query=ruby&search_type=all&cves=on)
> appears to be more comprehensive and enables you to search for ruby
> vulnerabilities but does not appear to give you any nice way to be alerted
> when a new vulnerability is discovered.
> - The ruby-advisory-db on github (
> https://github.com/rubysec/ruby-advisory-db/) looks like a great project
> (with potential to create a tool which would read your Gemfile/Gemfile.lock
> and warn you of issues?) but the frequency of updates and number of open
> issues suggest to me that it is far from comprehensive.
> However, none of these appear to be comprehensive, even with respect to
> reported issues, or make it easy to keep track of new vulnerabilities.
> How do you keep up to date with security vulnerabilities that are
> discovered in Ruby and the gems you use?
> J.
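As an added example (not code from this thread, and not the ruby-advisory-db project's own tooling), the kind of Gemfile.lock check Joel describes: read the locked gem versions and compare them against advisories written in the ruby-advisory-db YAML layout (gem, cve, patched_versions). The lock file excerpt, gem names and CVE ids below are constructed placeholders.

```ruby
require "yaml"
# Constructed sample Gemfile.lock excerpt (not from the thread).
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    example-gem (1.2.0)
    other-gem (0.9.1)
      example-gem (>= 1.0)
    safe-gem (2.0.0)
LOCK

# Constructed advisories in the ruby-advisory-db YAML layout (gem, cve,
# patched_versions); the gem names and CVE ids are placeholders.
SAMPLE_ADVISORIES = <<~YAML
- gem: example-gem
  cve: CVE-0000-0001
  patched_versions: ["~> 1.2.3", ">= 1.3.0"]
- gem: other-gem
  cve: CVE-0000-0002
  patched_versions: [">= 0.9.1"]
YAML

# Parse the "specs:" block of a Gemfile.lock into {name => Gem::Version}.
# Only lines indented exactly four spaces are locked gems; deeper lines are
# dependency constraints, not versions.
def locked_gems(lock_text)
  gems = {}
  lock_text.each_line do |line|
    gems[$1] = Gem::Version.new($2) if line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
  end
  gems
end

# Vulnerable when the locked version satisfies none of the patched ranges
# (an advisory with no patched_versions therefore affects every version).
def vulnerable?(version, advisory)
  Array(advisory["patched_versions"]).none? do |req|
    Gem::Requirement.new(req).satisfied_by?(version)
  end
end

# Return [gem, version, cve] for every locked gem matching an advisory.
def audit(lock_text, advisories_yaml)
  gems = locked_gems(lock_text)
  YAML.safe_load(advisories_yaml).each_with_object([]) do |adv, found|
    version = gems[adv["gem"]]
    found << [adv["gem"], version.to_s, adv["cve"]] if version && vulnerable?(version, adv)
  end
end
```

Pointing `audit` at a real Gemfile.lock and the advisory files from the rubysec repository gives the warning step the thread asks for; version matching is done with RubyGems' own requirement semantics, so `~>` and `>=` ranges behave as in a Gemfile.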