Skip to content

innoq/security_report

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

36 Commits

bin

bin

 
 

lib

lib

 
 

spec

spec

 
 

.gitignore

.gitignore

 
 

.rspec

.rspec

 
 

.travis.yml

.travis.yml

 
 

Gemfile

Gemfile

 
 

Gemfile.lock

Gemfile.lock

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Rakefile

Rakefile

 
 

security_report.gemspec

security_report.gemspec

 
 

Repository files navigation

security_report

Build Status Depfu

Check Ruby projects for dependencies with known security problems. This project uses bundler-audit to check the Gemfiles. It then generates a report like this:

# jquery-rails (3.0.4)
Projects: spec/examples/project_1
Solution: Upgrade to a new version
Problems:
* CVE-2015-1840 (CSRF Vulnerability in jquery-r...)

# paperclip (2.8.0)
Projects: spec/examples/project_1
Solution: Upgrade to a new version
Problems:
* CVE-2017-0889 (Paperclip ruby gem suffers fro...)
* CVE-2015-2963 (Paperclip Gem for Ruby vulnera...)
* 103151 (Paperclip Gem for Ruby contain...)

# rest-client (1.6.7)
Projects: spec/examples/project_1
Solution: Upgrade to a new version
Problems:
* CVE-2015-1820 (rubygem-rest-client: session f...)
* CVE-2015-3448 (Rest-Client Gem for Ruby logs...)

# rubyzip (1.1.7)
Projects: spec/examples/project_1, spec/examples/project_2
Solution: Upgrade to a new version
Problems:
* CVE-2017-5946 (Directory traversal vulnerabil...)
* CVE-2017-5946 (Directory traversal vulnerabil...)

The goal of this project is to provide a functionality similar to Github's security mail for projects that are self hosted on Bitbucket or other self-hosted version control repository hosting services. You can add a scheduled job that runs security_report every night for each of your Ruby projects and mail out the result to the developers.

security_report does not check your code for security problems. If you need something like that and are using Rails, check out brakeman.

Installation

$ gem install security_report

Usage

Run security_report like this:

security_report path_to_your_project

This will output the security report to your terminal. You can also provide the path to multiple projects. To run the security report for each project in the projects folder, run:

security_report projects/*

The tool uses a database of known vulnerabilities. To update the database, use the --update option:

security_report --update projects/*

You can also use a different output format. The default format is called plain. There is also a table output. If you want to use it instead, run:

security_report --format table projects/*

License

security_report is licensed under Apache 2.0 License.

About

Check Ruby projects for dependencies with known security problems

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

9 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages