Feature request: Audit ruby version, when specified
When Gemfile.lock includes ruby version, something like
RUBY VERSION
ruby 2.7.0p-1
then verify it for vulnerabilities. If this is a valuable feature for this project, then I will send a PR.
It would also be nice if something could audit rubygems which I know is not in the lock file.
A few years back I wrote https://github.com/lucasluitjes/recent_ruby which does exactly that. I don't know if it meets the project standards for bundler-audit but I thought I'd mention it just in case it's helpful.
@postmodern @reedloden Before I will invest some time into this feature, is this something that will be merged?
@fatkodima I would be interested in something like this, not sure if @postmodern would agree.
@lucasluitjes Does recent_ruby include a feature to list known CVEs for the Ruby version you are using?
It would be useful to know that if you are using Ruby 2.7.x, then you have this known CVE to worry about: https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
@etagwerker No, recent_ruby only checks if the build file for that ruby version in the ruby-build repository contains warn_eol (for example https://github.com/rbenv/ruby-build/blob/master/share/ruby-build/2.7.7), and that you're on the latest patch release.
Listing CVEs would be a handy feature though. Not sure where to reliably pull that data from. I looked at https://github.com/rubysec/ruby-advisory-db/tree/master/rubies/ruby but it doesn't seem up to date (CVE-2023-28756 isn't in there, for example). If you know a good data source, feel free to make an issue on the https://github.com/lucasluitjes/recent_ruby repository.
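As an added illustration of the check requested at the top of the thread and the CVE listing discussed just above (example code, not bundler-audit's or recent_ruby's own), this reads the RUBY VERSION block from a Gemfile.lock and compares it against advisory entries; the YAML layout is assumed to mirror ruby-advisory-db's rubies entries, and the patched versions for CVE-2023-28756 are taken from the linked ruby-lang announcement, so treat both as assumptions.

```ruby
require "yaml"
require "rubygems" # Gem::Version and Gem::Requirement

# Constructed advisory in the (assumed) ruby-advisory-db rubies/ruby layout.
ADVISORIES = YAML.safe_load(<<~YAML)
  - engine: ruby
    cve: "2023-28756"
    url: https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756/
    title: ReDoS vulnerability in Time
    patched_versions:
      - "~> 2.7.8"
      - "~> 3.0.6"
      - "~> 3.1.4"
      - ">= 3.2.2"
YAML

# Constructed Gemfile.lock excerpt, as produced by bundler 2.4 with a ruby declaration.
SAMPLE_LOCK = <<~LOCK
  PLATFORMS
    ruby

  RUBY VERSION
     ruby 2.7.0p-1

  BUNDLED WITH
     2.4.0
LOCK

# Pull engine and version out of the RUBY VERSION block; the patchlevel suffix
# ("p-1", "p203") is not part of the comparable version and is ignored.
def ruby_version_from_lockfile(lock)
  m = lock.match(/^RUBY VERSION\s*\n\s+(\w+) (\d+(?:\.\d+)*)/)
  return nil unless m
  [m[1], Gem::Version.new(m[2])]
end

# A version is patched if any patched_versions requirement accepts it.
def patched?(version, requirements)
  requirements.any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Returns the CVE ids whose advisory applies to the lockfile's interpreter.
def audit_ruby(lock, advisories = ADVISORIES)
  engine, version = ruby_version_from_lockfile(lock)
  return [] if version.nil?
  hits = advisories.select { |a| a["engine"] == engine && !patched?(version, a["patched_versions"]) }
  hits.map { |a| "CVE-#{a['cve']}" }
end

puts audit_ruby(SAMPLE_LOCK).inspect # => ["CVE-2023-28756"]
```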
Apparently bundler 2.4 now requires that the RUBY VERSION versions be listed if the Gemfile contains a ruby '...' declaration.
https://devcenter.heroku.com/changelog-items/2809
Although, I'm still not 100% certain that the ruby version in the Gemfile.lock will always match the actual ruby version that's used in production?