Tag: bundle-audit

  • There’s a gem called bundler-audit that checks whether any of the gems in your project have open security advisories against them. A year or so ago there was an infamous month in which Rails itself got three of those. It was terrible, and I think bundler-audit is a good idea. My only problem with it is having to remember to run it: it just won’t happen. I need to run it automatically, and an easy way to do that is to run it as part of my tests.

    Unfortunately, bundler-audit doesn’t make it easy. It’s designed for the command line and that’s it, but these days it’s easier than it was a year ago, and I recommend that everybody add it to their integration tests. Here’s how we do it at Watu:

    require "test_helper"
    require "bundler/audit/database"
    require "bundler/audit/scanner"
    
    class SecurityTest < ActionDispatch::IntegrationTest
      should "not have any vulnerable gems" do
        # Pull the latest advisories (ruby-advisory-db) before scanning,
        # otherwise a stale local copy would give a false sense of safety.
        Bundler::Audit::Database.update!
        # Scanner defaults to the Gemfile.lock in the current directory.
        scanner = Bundler::Audit::Scanner.new
        # scan yields once per finding (an unpatched gem or an insecure
        # source), so the block only runs when something is wrong.
        scanner.scan do
          raise "There are vulnerable gems in your Gemfile. Run bundle-audit check to know more"
        end
      end
    end
    

    I don’t try to show the vulnerable gems, because I found those methods not to be easily reusable and I didn’t want to copy them, since they look like they might change at any moment. It’s not a big problem: if something is wrong, you should run bundle-audit check anyway.
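If you do want the failure message to name the offending gems, one way is to collect every scan result and format it yourself instead of raising on the first one. The following is an added example, not code from the post or from bundler-audit: it duck-types the results (`gem`/`advisory` for `Scanner::UnpatchedGem`, `source` for `Scanner::InsecureSource`) and assumes `Advisory` exposes `id`, `title`, `url` and `patched_versions`; the sample results are constructed stand-ins so the file runs without the gem or network access.

```ruby
# Stand-ins with the same shape as bundler-audit's result structs (constructed
# for this example; in a real test you would pass Scanner.new.scan.to_a).
AuditGem       = Struct.new(:name, :version)
AuditAdvisory  = Struct.new(:id, :title, :url, :patched_versions)
UnpatchedGem   = Struct.new(:gem, :advisory)
InsecureSource = Struct.new(:source)

# One human-readable line per finding; [] means the bundle is clean.
# Duck-typed so it also accepts the real Bundler::Audit::Scanner results.
def audit_report(results)
  results.map do |result|
    if result.respond_to?(:advisory)
      gem, adv = result.gem, result.advisory
      fix = if adv.patched_versions.empty?
              "no patched release yet"
            else
              # Gem::Requirement#to_s gives e.g. "~> 3.2.11"
              "upgrade to #{adv.patched_versions.join(' or ')}"
            end
      "#{gem.name} #{gem.version}: #{adv.id} #{adv.title} (#{fix}) #{adv.url}"
    elsif result.respond_to?(:source)
      "insecure gem source #{result.source}: switch it to https"
    else
      "unrecognised result #{result.inspect}"
    end
  end
end

# Raise with the whole list so CI output shows every finding at once.
def assert_bundle_clean!(results)
  lines = audit_report(results)
  return true if lines.empty?
  raise "Vulnerable gems in your Gemfile.lock:\n  " + lines.join("\n  ")
end

# Constructed sample findings (placeholder advisory id and URL, not real data).
SAMPLE_RESULTS = [
  UnpatchedGem.new(
    AuditGem.new("rails", "3.2.10"),
    AuditAdvisory.new("CVE-YYYY-NNNN", "Placeholder advisory title",
                      "https://advisory.example.invalid", ["~> 3.2.11", ">= 3.1.10"])
  ),
  InsecureSource.new("git://github.com/example/some-gem.git"),
]

puts audit_report(SAMPLE_RESULTS) if __FILE__ == $PROGRAM_NAME
```

In the integration test above you would call `assert_bundle_clean!(scanner.scan.to_a)` after `Database.update!`; `scan` without a block returns an Enumerator.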