Ruby MuleRuby Mule
Support
Published on

Gemfilecheck: Easiest way to check your Gemfile for security issues

Authors
  • avatar
    Name
    Dusan
    Twitter

Did you know that you can reduce the number of potential cyberattacks by more than 80% just by updating your Gemfile regularly? That’s true, read more to find out how and why.

Why Gemfilecheck?

One of the first things I do, when I come to a new Ruby project, is to check its Gemfile. A Gemfile is a file that lists all the dependencies (gems) of a Ruby project. Gems are reusable libraries that provide functionality for various tasks, such as DB access, testing, authentication, etc.

Unfortunately, gems can also introduce security risks. Especially, they become a liability if they are not updated regularly. This means gems may have known vulnerabilities that can be exploited by attackers in order to compromise your application or website. These vulnerabilities are known as Common Vulnerabilities and Exposures (CVEs). On the other hand not known vulnerabilities are called Zero-day exploits. You can not do much about these, but you can certainly address CVEs.

Checking for outdated gems and CVEs is usually a manual process where you have to combine the output of several commands, such as bundle outdated and bundle-audit. This can be tedious and time-consuming, especially if you have many projects to maintain.

That is why I created a free tool called Gemfilecheck. This service is targeted at Ruby developers who want to simplify the process of checking their Gemfiles for outdated gems and CVEs.

How it works?

It allows you to upload your Gemfile.lock(keep in mind it is Gemfile.lock that has to be anlyzed, not Gemfile itself) or paste its contents and get a report of all the gems that need to be updated or have known vulnerabilities. You can also see the latest version of each gem, the severity of each CVE, and a link to more information about it.

Gemfilecheck is easy to use. You can use it anytime you want to check the health of your Gemfile and keep your Ruby project up to date.

Why you should use it?

Why is this important? Because patching known issues and vulnerabilities in your project dependencies can significantly reduce the surface area of attack for your app or website. You have to understand that this is hackers’ and scammers modus operandi. They just have a list of CVEs(and associated attack vectors), and then probe sites randomly for any of them. This process is mostly automated, and once any of the vulnerabilities are found, not much you can do about it. That is why it is important to keep your dependencies updated.

Most people do not keep their dependencies regularly updated, and this is what causes hackers to be able to attack most of the apps and websites. For example, in 2013, a vulnerability in Ruby on Rails CVE-2013-0156 (it was in actionpack to be precise) allowed remote code execution, which affect many websites. In 2019, the rest-client gem CVE-2019-15224 included malicious backdoor added by the hackers in the gem code itself. Affected versions of rest-client were later yanked from RubyGems, but it ilustrates the point.

Claim that you can reduce over 80% of attacks just by updating your gems is not unfounded at all. It is based on a report by Snyk, which analyzed different open-source projects and found that 86% of the vulnerabilities were fixed in newer versions of gems. This means you would be immune most of the time, just by updating your Gemfile.

So what are you waiting for? Go to https://gemfilecheck.com and check your Gemfile today. You might get unplesantly surprised by its findings.