Dependency security checks

[vitoravelino]

Having issues with dependencies might become a problem in the future. We never know. I thought it would be a good idea since we always try to deliver stable products.

I look around and found three services that do some checks:

• https://snyk.io/
• https://hakiri.io/
• https://www.deppbot.com/

They are free for open source projects.

We currently have 3 issues because nokogiri < 1.7.2:

• CVE-2017-5029
• CVE-2016-4738
• CWE-611

Snyk reported those 3 issues and Hakiri and Deppbot the CVE ones only.

What do you think?

[mssola]

I have kind of mixed feelings about this:

• We are already passing brakeman.
• Tools that test on gem versions are not a good idea: our gems are shipped with patches that cover CVE's, so those reported CVEs are probably wrong (I'd have to investigate to be sure).

Maybe @jordimassaguerpla can bring some light here.

[vitoravelino]

If our gems are shipped with patches that cover CVE's then there's nothing to be discussed. I had no idea, that's why I opened this.

[flavio]

I know the issue is closed, but I just wanted to say I think it would be nice to integrate https://snyk.io/ on the Go projects we have.

[jordimassaguerpla]

@vitoravelino : first of all, thanks for checking it :)

The issues you mention do not affect us because we are not vendoring libxslt nor libxml2 but using the system ones, instead. So we are safe.

In general I prefer to use bundler-audit from https://github.com/rubysec which queries an open database and can be run on our CI.