Using Vulnerable Libraries
Why is this important?
Most of the code in modern applications comes from third-party libraries. This is great because it speeds up development. However, there is no guarantee that third-party libraries are secure and of high quality.
As a result, over 500 vulnerabilities have been reported in Ruby- and Rails-related gems.
Updating Vulnerable Libraries
Option A: Manually update the packages
- Look at the vulnerable package in the GuardRails PR comment.
- Identify whether a fixed version is available and whether your Gemfile has conflicting constraints.
# Resolve constraints that prevent updating to a fixed version.
# For example, this pessimistic constraint would prevent you from upgrading to Rails 5.2.0
gem 'rails', '~> 5.1.6'
- Once you know that the update can be done, run the appropriate command:
# Attempt a patch-level only (--patch) update to the Gemfile.lock
# with as minimal effect on other gems as possible
bundle update --patch --conservative <vulnerable-gem-name>
# Update gems to latest minor version
bundle update --minor --strict
# Update gems to latest major version
bundle update --major
- Test to verify that the upgrade doesn't break the app.
- Ship it 🚢 and relax 🌴
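The constraint check from the second step, as an added example that is not part of the GuardRails docs: it parses the `gem` lines of a Gemfile (a constructed sample is embedded) and uses the `Gem::Requirement` and `Gem::Version` classes that ship with RubyGems to tell whether a known fixed version is admitted by the declared constraints.

```ruby
# Added example: check whether Gemfile version constraints allow upgrading a
# gem to a known fixed version. Uses only RubyGems' own Gem::Requirement and
# Gem::Version; the Gemfile below is a constructed sample, not a real project.
require 'rubygems'

SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  gem 'rails', '~> 5.1.6'
  gem 'nokogiri', '>= 1.8.0', '< 1.9'
  gem 'rack'
GEMFILE

# Parse `gem 'name', 'req1', 'req2'` lines into { name => [requirements] }.
# A gem declared without requirements gets an empty list (unconstrained).
def parse_gemfile(text)
  text.each_line.with_object({}) do |line, gems|
    next unless (m = line.match(/^\s*gem\s+['"]([^'"]+)['"](.*)$/))
    gems[m[1]] = m[2].scan(/['"]([^'"]+)['"]/).flatten
  end
end

# Returns [:ok, constraint] when the fixed version satisfies the Gemfile
# constraint, [:blocked, constraint] when a constraint rules it out (so the
# Gemfile must be edited before `bundle update` can pick it up), or
# [:missing, nil] when the gem is not declared directly in the Gemfile.
def upgrade_status(gems, name, fixed_version)
  return [:missing, nil] unless gems.key?(name)
  # An empty requirement list becomes the default ">= 0" requirement.
  requirement = Gem::Requirement.new(gems[name])
  version = Gem::Version.new(fixed_version)
  status = requirement.satisfied_by?(version) ? :ok : :blocked
  [status, requirement.to_s]
end

if __FILE__ == $PROGRAM_NAME
  gems = parse_gemfile(SAMPLE_GEMFILE)
  # '~> 5.1.6' means >= 5.1.6 and < 5.2, so 5.2.0 is blocked but 5.1.7 is fine.
  [['rails', '5.2.0'], ['rails', '5.1.7'], ['nokogiri', '1.9.1'], ['rack', '2.0.6']].each do |name, fixed|
    status, constraint = upgrade_status(gems, name, fixed)
    puts "#{name} -> #{fixed}: #{status} (constraint: #{constraint})"
  end
end
```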
Option B: When no update is available
- Look at the vulnerable package in the GuardRails PR comment.
- If no update is available, you have three choices:
- Remove the package if it's not needed
- Replace the package with another one that doesn't contain vulnerabilities
- Take a closer look at the vulnerability details and create a PR patching it.
- Test to verify that your actions don't break the app.
- Ship it 🚢 and relax 🌴
More information:
- OWASP TOP 10 Reference: Using Components with Known Vulnerabilities
- Using Bundle Update
- Updating Gems Cheat Sheet