[LRUG] Keeping track of new security vulnerabilities?

Joel Chippindale joel.chippindale at gmail.com
Wed Sep 25 07:17:11 PDT 2013


As I look more into bundler-audit and the ruby-advisory-db I am less
convinced of it's value in it's current state.

1. If you install bundler-audit it will NOT currently keep the version of
the ruby-advisory-db up to date, which means that even if new
vulnerabilities get added to the database you won't be aware of them and
there appears to be little movement on changing this [1]

2. The ruby-advisory-db suggests that it will aggregate advisories from
various sources but there does not appear to be much effort to keep it up
to date. For example a brief search of OSVDB [2] reveals many reported gem
vulnerabilities that are not included [3][4][5]

J.

[1] See the discussion on this pull request about 'live' data
https://github.com/rubysec/bundler-audit/pull/13
[2] http://www.osvdb.org
[3] Vulnerability with fog-dragonfly http://www.osvdb.org/show/osvdb/96798
[4] Vulnerability with sounder http://www.osvdb.org/show/osvdb/96278
[5] Vulnerability with show_in_browser http://www.osvdb.org/show/osvdb/93490



On 25 September 2013 14:30, Joel Chippindale <joel.chippindale at gmail.com>wrote:

> Thanks to all of you for your excellent suggestions.
>
> Both bundler-audit [1] and brakeman [2] look very interesting and I am
> certainly going to give them a go.
>
> J.
>
>
> [1] https://github.com/rubysec/bundler-audit
> [2] http://brakemanscanner.org/
>
>
>
> On 20 September 2013 12:49, Chris Mear <chrismear at gmail.com> wrote:
>
>> On 20 Sep 2013, at 10:21, Mark Burns <markthedeveloper at gmail.com> wrote:
>>
>> > Code climate provides a paid for security service. I'm not sure if it
>> is any more comprehensive than the any others but it's at least another
>> option to throw into the mix.
>>
>> I've tried this one. It's for Rails apps only, and AFAICT it's just
>> running Brakeman for you:
>>
>> http://brakemanscanner.org
>>
>> Which is not to say the service doesn't add some potentially handy
>> features: email notifications, tracking of individual problems until they
>> are fixed, easy marking of false-positives, automatic ticket creation... I
>> just didn't personally find those worth the entry fee.
>>
>> Chris
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lrug.org/pipermail/chat-lrug.org/attachments/20130925/27b6fbdf/attachment-0003.html>


More information about the Chat mailing list