I'm looking for an automated way to check all the gems used in my sinatra-based site for available security updates. Does such a thing exist?
我正在寻找一种自动方式来检查我在基于sinatra的网站中使用的所有宝石,以获得可用的安全更新。这样的事情存在吗?
My principle attitude to updates is: If it ain't broke, don't try to fix it. But if I am vulnerable then I want to know about it. By only applying security updates, I keep the amount of potential behaviour change to a minimum.
我对更新的主要态度是:如果没有破坏,不要试图修复它。但如果我很脆弱,那么我想知道它。通过仅应用安全更新,我将潜在行为的更改量保持在最低限度。
Background: The majority of my previous work has been in Drupal. In that community, maintainers can tag their module releases as fixing security issues. That means that my website, or my CLI tools, can query release data for modules used in the current website to see whether security updates are available and notify me.
背景:我以前的大部分工作都在Drupal。在该社区中,维护人员可以将其模块版本标记为修复安全问题。这意味着我的网站或我的CLI工具可以查询当前网站中使用的模块的发布数据,以查看是否有安全更新并通知我。
4 个解决方案
#1
1
Install the bundle-audit gem from rubysec on github. Run it periodically/routinely. It's free, is kept up to date via the CVE library of known security threats, and reports which gems in your project have available updates.
从github上的rubysec安装bundle-audit gem。定期/定期运行。它是免费的,通过已知安全威胁的CVE库保持最新,并报告项目中的哪些宝石有可用的更新。
#2
6
To the best of my knowledge, there is no definitive way to automate this. There's no notion of a flag in Ruby gems indicating that they are security updates, etc. Most gem maintainers are pretty good about honoring the convention of major.minor.patch
for version numbers, though. Major bumps are API-breaking, minor add functionality but are backwards compatible, and patch are for bugfixes or very trivial changes. There's nothing enforcing this, and some gems don't even use the three-part version numbers. Rails itself is particularly egregious about failing here; Rails minor version bumps are universally non-compatible, breaking changes. Rails patch bumps tend to be security fixes, though.
据我所知,没有确定的自动化方法。 Ruby gem中没有一个标志的概念,表明它们是安全更新等。但是,大多数gem维护者都非常善于尊重major.minor.patch的版本号约定。主要障碍是API破坏,次要添加功能但向后兼容,补丁用于错误修正或非常微不足道的更改。没有任何强制执行,有些宝石甚至不使用三部分版本号。 Rails本身在这里失败尤其令人震惊; Rails次要版本颠簸是普遍不兼容的,破坏了变化。但是,Rails补丁颠簸往往是安全修复程序。
If this is sufficient for your needs, you can use Bundler to specify that you only want patch-level updates:
如果这足以满足您的需求,您可以使用Bundler指定您只需要补丁级更新:
gem 'foo', '~> 2.2.0'
...will install the latest patch level of version 2.2.x of the gem (e.g. you might end up with 2.2.12, but not 2.3.0).
...将安装gem的2.2.x版的最新补丁级别(例如,最终可能是2.2.12,但不是2.3.0)。
See the Rubygems docs for more about version strings (used by Bundler), and how to be conservative ("pessimistic" in their terminology). Also see their numbering guidelines. Again, bear in mind that these are not strictly enforced, and with Rails itself providing such a terrible example of breaking convention, other gem authors don't always do the right thing.
有关版本字符串(由Bundler使用)以及如何保守(在术语中使用“悲观”)的更多信息,请参阅Rubygems文档。另请参阅他们的编号指南。再次,请记住,这些并没有严格执行,并且由于Rails本身提供了破坏惯例的可怕例子,其他宝石作者并不总是做正确的事情。
#3
3
If you are using Bundler with your project you can check that you are using the latest versions of gems with bundle outdated
. To know if the version of a gem that you are using has a known security vulnerability, you can use the bundler-audit gem, or alternatively the holepicker gem. There is also a service called Gemnasium that can monitor your gems for you and notify you when a gem is updated or has a security issue.
如果您在项目中使用Bundler,则可以检查您是否使用了捆绑包过时的最新版本的宝石。要知道您使用的gem的版本是否具有已知的安全漏洞,您可以使用bundler-audit gem,或者使用holepicker gem。还有一项名为Gemnasium的服务可以为您监控您的宝石,并在宝石更新或出现安全问题时通知您。
Update: Github now monitors your repository's Gemfile
and notifies you when a gem has a security issue.
更新:Github现在监视存储库的Gemfile,并在gem出现安全问题时通知您。
#4
2
There is website called Gemnasium. It check if gems that you are using are the newest one, and if there is any security issue it will send you email.
有一个名为Gemnasium的网站。它检查您使用的宝石是否是最新宝石,如果有任何安全问题,它会向您发送电子邮件。
#1
1
Install the bundle-audit gem from rubysec on github. Run it periodically/routinely. It's free, is kept up to date via the CVE library of known security threats, and reports which gems in your project have available updates.
从github上的rubysec安装bundle-audit gem。定期/定期运行。它是免费的,通过已知安全威胁的CVE库保持最新,并报告项目中的哪些宝石有可用的更新。
#2
6
To the best of my knowledge, there is no definitive way to automate this. There's no notion of a flag in Ruby gems indicating that they are security updates, etc. Most gem maintainers are pretty good about honoring the convention of major.minor.patch
for version numbers, though. Major bumps are API-breaking, minor add functionality but are backwards compatible, and patch are for bugfixes or very trivial changes. There's nothing enforcing this, and some gems don't even use the three-part version numbers. Rails itself is particularly egregious about failing here; Rails minor version bumps are universally non-compatible, breaking changes. Rails patch bumps tend to be security fixes, though.
据我所知,没有确定的自动化方法。 Ruby gem中没有一个标志的概念,表明它们是安全更新等。但是,大多数gem维护者都非常善于尊重major.minor.patch的版本号约定。主要障碍是API破坏,次要添加功能但向后兼容,补丁用于错误修正或非常微不足道的更改。没有任何强制执行,有些宝石甚至不使用三部分版本号。 Rails本身在这里失败尤其令人震惊; Rails次要版本颠簸是普遍不兼容的,破坏了变化。但是,Rails补丁颠簸往往是安全修复程序。
If this is sufficient for your needs, you can use Bundler to specify that you only want patch-level updates:
如果这足以满足您的需求,您可以使用Bundler指定您只需要补丁级更新:
gem 'foo', '~> 2.2.0'
...will install the latest patch level of version 2.2.x of the gem (e.g. you might end up with 2.2.12, but not 2.3.0).
...将安装gem的2.2.x版的最新补丁级别(例如,最终可能是2.2.12,但不是2.3.0)。
See the Rubygems docs for more about version strings (used by Bundler), and how to be conservative ("pessimistic" in their terminology). Also see their numbering guidelines. Again, bear in mind that these are not strictly enforced, and with Rails itself providing such a terrible example of breaking convention, other gem authors don't always do the right thing.
有关版本字符串(由Bundler使用)以及如何保守(在术语中使用“悲观”)的更多信息,请参阅Rubygems文档。另请参阅他们的编号指南。再次,请记住,这些并没有严格执行,并且由于Rails本身提供了破坏惯例的可怕例子,其他宝石作者并不总是做正确的事情。
#3
3
If you are using Bundler with your project you can check that you are using the latest versions of gems with bundle outdated
. To know if the version of a gem that you are using has a known security vulnerability, you can use the bundler-audit gem, or alternatively the holepicker gem. There is also a service called Gemnasium that can monitor your gems for you and notify you when a gem is updated or has a security issue.
如果您在项目中使用Bundler,则可以检查您是否使用了捆绑包过时的最新版本的宝石。要知道您使用的gem的版本是否具有已知的安全漏洞,您可以使用bundler-audit gem,或者使用holepicker gem。还有一项名为Gemnasium的服务可以为您监控您的宝石,并在宝石更新或出现安全问题时通知您。
Update: Github now monitors your repository's Gemfile
and notifies you when a gem has a security issue.
更新:Github现在监视存储库的Gemfile,并在gem出现安全问题时通知您。
#4
2
There is website called Gemnasium. It check if gems that you are using are the newest one, and if there is any security issue it will send you email.
有一个名为Gemnasium的网站。它检查您使用的宝石是否是最新宝石,如果有任何安全问题,它会向您发送电子邮件。