Using Vulnerable Libraries

Why is this important?

Most of the code in modern applications comes from third-party libraries. This is great because it speeds up development, but there is no guarantee that those libraries are secure or of high quality.

As a result, over 500 vulnerabilities have been reported in Ruby and Rails-related gems.

Check out this video for a high-level explanation:

Using Known Vulnerable Components

Updating Vulnerable Libraries

Option A: Manually update the packages

  1. Look at the vulnerable package in the GuardRails PR comment.
  2. Identify if a fixed version is available and your Gemfile doesn't have conflicting constraints.

     # Resolve constraints that prevent updating to a fixed version.
     # For example, this pessimistic constraint only allows 5.1.x releases,
     # so it would prevent you from upgrading to Rails 5.2.0
     gem 'rails', '~> 5.1.6'
    
  3. Once you know that the update can be done, run the according command:

     # Attempt a patch-level-only (--patch) update of the Gemfile.lock,
     # with as little effect on other gems as possible (--conservative)
     bundle update --patch --conservative <vulnerable-gem-name>
     # Update gems to the latest minor version; --strict forbids going past it
     bundle update --minor --strict
     # Update gems to the latest major version
     bundle update --major
    
  4. Test to verify that the upgrade doesn't break the app.

  5. Ship it 🚢 and relax 🌴
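
Step 2 above is the part that is easy to get wrong by eye: a pessimistic constraint like `~> 5.1.6` silently blocks the fixed version. The following added example (not GuardRails code) uses RubyGems' own Gem::Requirement to check a Gemfile's constraints against the fixed versions you read off the PR comment; the Gemfile contents and versions are constructed for illustration.

```ruby
# Added example: does the Gemfile let `bundle update --conservative` reach
# the fixed version of each vulnerable gem? Constraints are interpreted with
# Gem::Requirement, i.e. exactly as Bundler interprets them.
require 'rubygems'

# Constructed sample Gemfile (not a real project).
SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  gem 'rails', '~> 5.1.6'
  gem 'nokogiri', '>= 1.8.0', '< 1.9'
  gem 'rack'
GEMFILE

# Quoted strings that look like version requirements ('~> 5.1.6', '< 1.9').
# Other quoted options (e.g. platforms: 'ruby') do not start with a digit.
VERSION_REQ = /['"]\s*([~><=!]*\s*\d[\w.\-]*)\s*['"]/

# Parse `gem 'name', 'req', ...` lines into { name => Gem::Requirement }.
# A gem with no requirement gets Bundler's default of '>= 0'.
def parse_gem_constraints(gemfile_text)
  constraints = {}
  gemfile_text.each_line do |line|
    next unless (m = line.match(/^\s*gem\s+['"]([^'"]+)['"](.*)$/))
    reqs = m[2].scan(VERSION_REQ).flatten
    constraints[m[1]] = Gem::Requirement.new(*reqs)
  end
  constraints
end

# fixed_versions: { gem name => first fixed version }, as read from the PR.
# Returns { gem name => :ok | :blocked | :not_in_gemfile }.
def upgrade_blockers(gemfile_text, fixed_versions)
  constraints = parse_gem_constraints(gemfile_text)
  fixed_versions.each_with_object({}) do |(name, fixed), result|
    req = constraints[name]
    result[name] =
      if req.nil?
        :not_in_gemfile # transitive dependency: only the lockfile pins it
      elsif req.satisfied_by?(Gem::Version.new(fixed))
        :ok             # a conservative update can reach the fixed version
      else
        :blocked        # relax the constraint in the Gemfile first
      end
  end
end

if __FILE__ == $PROGRAM_NAME
  fixed = { 'rails' => '5.2.0', 'nokogiri' => '1.8.5', 'loofah' => '2.2.1' }
  upgrade_blockers(SAMPLE_GEMFILE, fixed).each { |g, s| puts "#{g}: #{s}" }
end
```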

Option B: When no update is available

  1. Look at the vulnerable package in the GuardRails PR comment.
  2. If no update is available, you have three choices:
    • Remove the package if it's not needed
    • Replace the package with another one that doesn't contain the vulnerability
    • Take a closer look at the vulnerability details and create a PR that patches it
  3. Test to verify that your actions don't break the app.
  4. Ship it 🚢 and relax 🌴

More information: