Thursday, June 19, 2014

Report on Vulnerable Gems with Bundle-Audit

Bundler Audit is a gem that reports on vulnerable gems in your Gemfile. It's similar to Gemnasium or https://hakiri.io/facets, but it can more easily be integrated into Jenkins. It's also recommended by the Brakeman people.

Install

Add the following to your Gemfile in the development group:
  gem 'bundler-audit'
Then run:
bundle install

Run Locally

Run:
bundle-audit update
bundle-audit
This will output any vulnerable gem versions you have, or a nice green message if you're OK.

Integrate with Jenkins

To display the results on the project home page:

Add the following to your "Execute Shell" build step:
bundle-audit update
bundle-audit > bundle-audit.txt
Then under "Post build actions", add "Publish rich text message".
Select "confluence" markup, and paste the following:
h2. Bundle Audit Results
${FILE:bundle-audit.txt}
Now re-run your build and the results will display.

Take it a step further and make Jenkins fail when there are vulnerable gems

Modify your "Execute Shell" build step to check the output of bundle-audit. Here's a simple example script which does this (see SnapDeploy for an example):
#!/bin/bash
# Load rvm so the build uses the project's Ruby, then move into the checkout
cd ~
source /var/lib/jenkins/.rvm/scripts/rvm
cd "$WORKSPACE"
bundle install
bundle update sqlite3


# Prepare db for testing
RAILS_ENV=test bundle exec rake db:create db:migrate db:test:prepare --trace


# Run rspec (remember its exit status; we combine all statuses at the end)
RAILS_ENV=test bundle exec rspec --no-color
rspec_status=$?


# Run cucumber
RAILS_ENV=test bundle exec cucumber -p jenkins
cucumber_status=$?


# Run Brakeman (its report is published separately and does not affect the build status here)
brakeman -o brakeman-output.tabs --no-progress --separate-models


# Run bundle audit: refresh the advisory database, save the report for the
# "Publish rich text message" step, then look for the all-clear line.
# The grep string must match what your installed bundler-audit prints.
bundle-audit update
bundle-audit > bundle-audit.txt
echo "BUNDLE AUDIT RESULTS:"
cat bundle-audit.txt
grep -Fxq "No unpatched versions found" bundle-audit.txt
audit_status=$?


# Fail if rspec or cucumber failed or there are vulnerable gems
# (any non-zero status makes the sum non-zero, so Jenkins marks the build failed)
exit "$(($rspec_status + $cucumber_status + $audit_status))"
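The build step above only tells Jenkins pass or fail. The following added example (my own code, not from the post or from bundler-audit) takes the same saved report used in the "Run Locally" and Jenkins steps and turns it into a summary plus a build status: it reuses the post's whole-line grep for the all-clear message, and it also counts and names the affected gems by parsing the "Name:" lines of each advisory block. The two sample reports are constructed, with a placeholder CVE id and gem name, and the success string assumes the wording the post's script checks for; newer bundler-audit releases print a different message, so SUCCESS_LINE must match what your installed version outputs.

```shell
#!/bin/sh
# Added example, not part of the original post: evaluate a saved bundle-audit
# report for CI. Assumes the all-clear line printed by the bundler-audit
# versions the post used; adjust SUCCESS_LINE for your installed version.
SUCCESS_LINE="No unpatched versions found"

# audit_passed FILE: status 0 if the report contains the all-clear line as a
# whole line (the same -Fxq test the post's build script uses), else 1.
audit_passed() {
    grep -Fxq "$SUCCESS_LINE" "$1"
}

# vulnerable_gem_count FILE: prints how many advisories the report lists.
# bundle-audit prints one block per advisory, each starting with "Name: ".
# grep -c exits 1 when the count is 0 but still prints "0", hence "|| true".
vulnerable_gem_count() {
    grep -c '^Name: ' "$1" || true
}

# vulnerable_gem_names FILE: prints the affected gem names, one per line.
vulnerable_gem_names() {
    sed -n 's/^Name: //p' "$1"
}

# audit_report FILE: prints a one-line summary and returns the build status
# (0 = clean, 1 = vulnerable gems found, so "exit $?" fails a Jenkins step).
audit_report() {
    report="$1"
    if audit_passed "$report"; then
        echo "bundle-audit: clean"
        return 0
    fi
    echo "bundle-audit: $(vulnerable_gem_count "$report") vulnerable gem(s): $(vulnerable_gem_names "$report" | tr '\n' ' ')"
    return 1
}

# Constructed sample reports in the layout bundle-audit prints: advisory
# blocks followed by a final status line. Ids and names are placeholders.
CLEAN_REPORT=$(mktemp)
printf '%s\n' "$SUCCESS_LINE" > "$CLEAN_REPORT"

VULN_REPORT=$(mktemp)
cat > "$VULN_REPORT" <<'EOF'
Name: examplegem
Version: 1.0.0
CVE: CVE-0000-0000
Criticality: High
URL: https://example.invalid/advisory
Title: Constructed sample advisory (placeholder)
Solution: upgrade to >= 1.0.1

Unpatched versions found!
EOF
trap 'rm -f "$CLEAN_REPORT" "$VULN_REPORT"' EXIT

# Demo: the clean report passes; the vulnerable one would fail the build.
audit_report "$CLEAN_REPORT"
audit_report "$VULN_REPORT" || echo "build would fail (status $?)"
```

In the Jenkins step you would replace the constructed files with the real bundle-audit.txt and end the script with `audit_report bundle-audit.txt` (or fold its status into the sum the post's script computes). Keeping the gem names in the summary line means the console log shows what failed the build without opening the published report.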
