 

How do I ascertain that my gems are secure?

Tags: security, ruby, gem

I'm looking for an automated way to check all the gems used in my Sinatra-based site for available security updates. Does such a thing exist?

My principal attitude to updates is: If it ain't broke, don't try to fix it. But if I am vulnerable then I want to know about it. By only applying security updates, I keep the amount of potential behaviour change to a minimum.

Background: The majority of my previous work has been in Drupal. In that community, maintainers can tag their module releases as fixing security issues. That means that my website, or my CLI tools, can query release data for modules used in the current website to see whether security updates are available and notify me.

crantok asked Dec 09 '22 16:12


2 Answers

To the best of my knowledge, there is no definitive way to automate this. There's no notion of a flag in Ruby gems indicating that they are security updates, etc. Most gem maintainers are pretty good about honoring the convention of major.minor.patch for version numbers, though. Major bumps are API-breaking, minor add functionality but are backwards compatible, and patch are for bugfixes or very trivial changes. There's nothing enforcing this, and some gems don't even use the three-part version numbers. Rails itself is particularly egregious about failing here; Rails minor version bumps are universally non-compatible, breaking changes. Rails patch bumps tend to be security fixes, though.

If this is sufficient for your needs, you can use Bundler to specify that you only want patch-level updates:

gem 'foo', '~> 2.2.0'

...will install the latest patch level of version 2.2.x of the gem (e.g. you might end up with 2.2.12, but not 2.3.0).

See the Rubygems docs for more about version strings (used by Bundler), and how to be conservative ("pessimistic" in their terminology). Also see their numbering guidelines. Again, bear in mind that these are not strictly enforced, and with Rails itself providing such a terrible example of breaking convention, other gem authors don't always do the right thing.

Jim Stewart answered Dec 11 '22 08:12


If you are using Bundler with your project you can check that you are using the latest versions of gems with bundle outdated. To know if the version of a gem that you are using has a known security vulnerability, you can use the bundler-audit gem, or alternatively the holepicker gem. There is also a service called Gemnasium that can monitor your gems for you and notify you when a gem is updated or has a security issue.

Update: GitHub now monitors your repository's Gemfile and notifies you when a gem has a security issue.

weston answered Dec 11 '22 07:12
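As an added example, not code from either answer and not from bundler-audit or ruby-advisory-db themselves, here is a small Ruby script that ties the two answers together: it reads the top-level gems out of a Gemfile.lock (a constructed one, embedded below), checks them against an advisory list in the shape ruby-advisory-db uses (gem name plus patched_versions and unaffected_versions requirement strings), and for each hit looks for the smallest released version that fixes the advisory while staying inside the pessimistic '~> major.minor.0' patch-level constraint the first answer describes. The lockfile contents, the advisory IDs (EXAMPLE-000x), the affected ranges and the release lists are all made up for this example and describe no real vulnerability in any of these gems; a real check would take the advisories from ruby-advisory-db and the release list from rubygems.org.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with Ruby

# Constructed Gemfile.lock, not one taken from the question.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mustermann (2.0.2)
        ruby2_keywords (~> 0.0.1)
      rack (2.2.3)
      rack-protection (2.2.0)
        rack
      ruby2_keywords (0.0.5)
      sinatra (2.2.0)
        mustermann (~> 2.0)
        rack (~> 2.2)
        rack-protection (= 2.2.0)
        tilt (~> 2.0)
      tilt (2.0.10)

  PLATFORMS
    ruby

  DEPENDENCIES
    sinatra

  BUNDLED WITH
     2.3.7
LOCK

# Constructed advisories in the layout ruby-advisory-db uses. IDs and version
# ranges are invented for this example; they are not real vulnerabilities.
# A comma inside one requirement string means "all of these", as in the db.
ADVISORIES = [
  { id: 'EXAMPLE-0001', gem: 'rack',    patched_versions: ['~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'], unaffected_versions: ['< 2.1.0'] },
  { id: 'EXAMPLE-0002', gem: 'sinatra', patched_versions: ['>= 2.2.1'],                          unaffected_versions: [] },
  { id: 'EXAMPLE-0003', gem: 'tilt',    patched_versions: ['>= 2.0.9'],                          unaffected_versions: [] },
].freeze

# Constructed release history standing in for a rubygems.org lookup.
RELEASED = {
  'rack'    => %w[2.1.4 2.1.4.1 2.2.2 2.2.3 2.2.3.1 2.2.4 3.0.0],
  'sinatra' => %w[2.1.0 2.2.0 2.2.1 2.2.2 3.0.0],
}.freeze

# {gem name => Gem::Version} for the entries directly under a "specs:" line.
# Top-level gems are indented by exactly four spaces; their dependency lines
# (six spaces) are skipped. A platform suffix such as "-x86_64-linux" is dropped.
def locked_gems(lockfile)
  gems = {}
  in_specs = false
  lockfile.each_line do |raw|
    line = raw.chomp
    if line == '  specs:'
      in_specs = true
    elsif line =~ /\A\S/ # next top-level section (PLATFORMS, DEPENDENCIES, ...)
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      gems[m[1]] = Gem::Version.new(m[2].split('-', 2).first)
    end
  end
  gems
end

# True if the version satisfies at least one of the requirement strings.
def matches_any?(version, requirement_strings)
  requirement_strings.any? do |spec|
    Gem::Requirement.new(spec.split(',').map(&:strip)).satisfied_by?(version)
  end
end

# Same rule as the advisory db: vulnerable unless unaffected or patched.
def vulnerable?(advisory, version)
  !matches_any?(version, advisory[:unaffected_versions]) &&
    !matches_any?(version, advisory[:patched_versions])
end

# [[advisory id, gem, locked version], ...] for every advisory that applies.
def audit(lockfile, advisories = ADVISORIES)
  gems = locked_gems(lockfile)
  advisories.select { |a| gems.key?(a[:gem]) && vulnerable?(a, gems[a[:gem]]) }
            .map { |a| [a[:id], a[:gem], gems[a[:gem]].to_s] }
end

# The "~> x.y.0" constraint from the first answer: patch bumps only, so
# 2.2.3 -> "~> 2.2.0", which admits 2.2.12 but not 2.3.0.
def patch_level_constraint(version)
  major, minor = version.segments.first(2)
  Gem::Requirement.new("~> #{major}.#{minor || 0}.0")
end

# Smallest released version above the current one that stays within the
# patch-level constraint and is no longer vulnerable; nil when the only fix
# would be a minor or major jump (the case the asker wants flagged).
def safe_patch_upgrade(advisory, current, released)
  constraint = patch_level_constraint(current)
  released.map { |v| Gem::Version.new(v) }
          .select { |v| v > current && constraint.satisfied_by?(v) && !vulnerable?(advisory, v) }
          .min
end

if __FILE__ == $0
  audit(LOCKFILE).each do |id, name, version|
    advisory = ADVISORIES.find { |a| a[:id] == id }
    fix = safe_patch_upgrade(advisory, Gem::Version.new(version), RELEASED.fetch(name, []))
    puts "#{name} #{version}: #{id} (#{fix ? "patch-level fix available: #{fix}" : 'no patch-level fix'})"
  end
end
```

With the constructed data above the script reports rack 2.2.3 and sinatra 2.2.0 as affected and proposes 2.2.3.1 and 2.2.1 respectively, both reachable without leaving the '~> 2.2.0' line; tilt 2.0.10 is already at or above its patched version and is not reported. The parser only looks at the top-level entries of each "specs:" block, which is enough for a Gemfile.lock produced by Bundler, and the lockfile rather than the Gemfile is what should be audited, since it records the versions actually installed.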