Add Audit Your Ruby Project For Any CVEs as a Ruby TIL

jbranchaud · jbranchaud · commit b2ddce62fd3b · 2024-04-02T11:08:37.000-05:00
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ pairing with smart people at Hashrocket.
 
 For a steady stream of TILs, [sign up for my newsletter](https://crafty-builder-6996.ck.page/e169c61186).
 
-_1404 TILs and counting..._
+_1405 TILs and counting..._
 
 ---
 
@@ -1089,6 +1089,7 @@ _1404 TILs and counting..._
 - [Add Progress Reporting To Long-Running Script](ruby/add-progress-reporting-to-long-running-script.md)
 - [Are They All True?](ruby/are-they-all-true.md)
 - [Assert About An Object's Attributes With RSpec](ruby/assert-about-an-objects-attributes-with-rspec.md)
+- [Audit Your Ruby Project For Any CVEs](ruby/audit-your-ruby-project-for-any-cves.md)
 - [Assoc For Hashes](ruby/assoc-for-hashes.md)
 - [Block Comments](ruby/block-comments.md)
 - [Build HTTP And HTTPS URLs](ruby/build-http-and-https-urls.md)
diff --git a/ruby/audit-your-ruby-project-for-any-cves.md b/ruby/audit-your-ruby-project-for-any-cves.md
@@ -0,0 +1,45 @@
+# Audit Your Ruby Project For Any CVEs
+
+The [`bundler-audit` gem](https://github.com/rubysec/bundler-audit) is a handy
+tool that you can run manually or integrate into your CI workflow to warn you
+about any CVEs in your dependencies.
+
+Running this tool without any arguments will perform a check of your
+`Gemfile.lock` file. It will check against the
+[`ruby-advisory-db`](https://github.com/rubysec/ruby-advisory-db) for any CVEs
+linked to your dependencies, down to the patch-level.
+
+```bash
+$ bundle exec bundler-audit
+
+Name: puma
+Version: 4.3.12
+CVE: CVE-2024-21647
+GHSA: GHSA-c2f4-cvqm-65w2
+Criticality: Medium
+URL: https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
+Title: Puma HTTP Request/Response Smuggling vulnerability
+Solution: upgrade to '~> 5.6.8', '>= 6.4.2'
+
+Vulnerabilities found!
+```
+
+In this example run, a vulnerability was found in the currently installed
+version of the `puma` gem.
+
+I believe a standard `bundler-audit` command will make sure the advisory DB is
+up-to-date, but to be sure, you can run the `update` command.
+
+```bash
+$ bundle exec bundler-audit update
+
+Updating ruby-advisory-db ...
+From https://github.com/rubysec/ruby-advisory-db
+ * branch            master     -> FETCH_HEAD
+Already up to date.
+Updated ruby-advisory-db
+ruby-advisory-db:
+  advisories:   884 advisories
+  last updated: 2024-03-26 16:27:16 -0700
+  commit:       840f21aeeb8a06a93a3c3bf1e2a92d7167029992
+```
