jollygoodcode / jollygoodcode.github.io

:thought_balloon: Jolly Good Blog
https://jollygoodcode.github.io

Introducing "Automated Security Updates" #15

Open JuanitoFatas opened 8 years ago

JuanitoFatas commented 8 years ago

:bell: ~ :bell: ~ :bell: hor hor hor

We are really excited to announce a new feature for deppbot today :tada::confetti_ball::

Automated Security Updates - Fixes your security vulnerabilities automagically.

See live examples: here, here and here.

The idea behind it is simple if you already know how to Secure Your Ruby App with bundler-audit :lock:.

Let's go through how it works, using discourse/discourse Gemfile@f3e24ba as an example.

First, deppbot uses bundler-audit to find out :mag_right: if any gem has security vulnerabilities:

$ git clone git@github.com:discourse/discourse.git && cd discourse
$ bundle-audit
Name: jquery-rails
Version: 3.1.2
Advisory: CVE-2015-1840
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
Title: CSRF Vulnerability in jquery-rails
Solution: upgrade to >= 4.0.4, ~> 3.1.3

Name: rest-client
Version: 1.7.2
Advisory: CVE-2015-1820
Criticality: Unknown
URL: https://github.com/rest-client/rest-client/issues/369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0

Name: rest-client
Version: 1.7.2
Advisory: CVE-2015-3448
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/117461
Title: Rest-Client Gem for Ruby logs password information in plaintext
Solution: upgrade to >= 1.7.3

Name: sprockets
Version: 2.11.0
Advisory: CVE-2014-7819
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
Title: Arbitrary file existence disclosure in Sprockets
Solution: upgrade to ~> 2.0.5, ~> 2.1.4, ~> 2.2.3, ~> 2.3.3, ~> 2.4.6, ~> 2.5.1, ~> 2.7.1, ~> 2.8.3, ~> 2.9.4, ~> 2.10.2, ~> 2.11.3, ~> 2.12.3, >= 3.0.0.beta.3

Vulnerabilities found!

We can see that jquery-rails, rest-client and sprockets are vulnerable :fire::fire::fire: and need to be fixed :muscle:. As humans, we can choose the appropriate solutions, update the Gemfile, then bundle again. Well, so does deppbot! :wink:

deppbot will fix this in one commit (just like one would):

Sample discourse automated security updates Commit

But there is more than that! deppbot also provides the information you need to know in the Pull Request:

Sample discourse automated security updates Pull Request

Gems with security vulnerabilities that are fixed are listed at the very top in the Pull Request description, along with the corresponding CVE / OSVDB links to http://rubysec.com.

What about the "With these gem updates" section :confused:? You may be wondering why these other gems are updated as well.

Let me explain...

If you take the updated Gemfile, and try to update only the vulnerable gems, you'll see:

$ bundle update jquery-rails sprockets rest-client
Fetching gem metadata from https://rubygems.org/.............
Fetching version metadata from https://rubygems.org/...
Fetching dependency metadata from https://rubygems.org/..
Resolving dependencies......
Bundler could not find compatible versions for gem "sprockets":
  In Gemfile:
    sprockets (~> 2.11.3)

    ember-rails was resolved to 0.18.2, which depends on
      ember-handlebars-template (< 1.0, >= 0.1.1) was resolved to 0.1.5, which depends on
        sprockets (< 3.1, >= 2.1)

    sass-rails (~> 4.0.5) was resolved to 4.0.5, which depends on
      sprockets (<= 2.11.0, ~> 2.8)

    sass-rails (~> 4.0.5) was resolved to 4.0.5, which depends on
      sprockets-rails (~> 2.0.0) was resolved to 2.0.1, which depends on

Oh no, an incompatibility error. :sweat:

However, deppbot is smart enough to figure out how to resolve it :sunglasses:, and the gems that are updated to resolve the incompatibility error are then placed under the "With these gem updates" section.

When would you receive a Security Update Pull Request? Once deppbot detects vulnerable Ruby gems (and there are no open Pull Requests from deppbot), deppbot will issue a Security Update Pull Request regardless of your frequency setting. In this case, we prioritise the security of your app above everything else and ignore the frequency setting in order to help you secure your app in the quickest time possible.

Let us know what you think about this new feature! :bow:

Merry Christmas :christmas_tree::gift: and Ship Better Software with deppbot in 2016 :fireworks:!

:santa:

~ :bell: ~ :bell: ~ :bell:

One more thing, :bulb: deppbot only works with GitHub repositories with a valid Gemfile and Gemfile.lock.
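To make the "find the vulnerabilities, then choose an appropriate solution" step concrete, here is an added example (written for this page; it is not deppbot's code and does not show how deppbot actually picks versions). It parses the report format bundler-audit prints, as quoted in the post above, into advisory records, treats each comma-separated "Solution:" range as an alternative (any one of them clears the advisory), and then, per gem, picks the lowest release above the current version that clears every advisory for that gem. The report text is constructed from the post's own output, the list of released versions is a constructed stand-in for a rubygems.org lookup, and "lowest safe release" is this example's policy, not a claim about deppbot.

```ruby
require "rubygems" # provides Gem::Version and Gem::Requirement

# Constructed sample input in the report format bundler-audit prints
# (same shape as the discourse output quoted in the post above).
SAMPLE_REPORT = <<~REPORT
  Name: jquery-rails
  Version: 3.1.2
  Advisory: CVE-2015-1840
  Criticality: Medium
  URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
  Title: CSRF Vulnerability in jquery-rails
  Solution: upgrade to >= 4.0.4, ~> 3.1.3

  Name: rest-client
  Version: 1.7.2
  Advisory: CVE-2015-1820
  Criticality: Unknown
  URL: https://github.com/rest-client/rest-client/issues/369
  Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
  Solution: upgrade to >= 1.8.0

  Name: rest-client
  Version: 1.7.2
  Advisory: CVE-2015-3448
  Criticality: Unknown
  URL: http://www.osvdb.org/show/osvdb/117461
  Title: Rest-Client Gem for Ruby logs password information in plaintext
  Solution: upgrade to >= 1.7.3

  Vulnerabilities found!
REPORT

# Constructed (hypothetical) release lists. A real tool would query
# rubygems.org; this keeps the example runnable offline.
RELEASED_VERSIONS = {
  "jquery-rails" => %w[3.1.2 3.1.3 3.1.4 4.0.3 4.0.4 4.0.5],
  "rest-client"  => %w[1.7.2 1.7.3 1.8.0],
}.freeze

Advisory = Struct.new(:gem, :version, :id, :criticality, :title, :solutions)

# Parse the blank-line-separated "Key: value" blocks into Advisory records.
# "Solution: upgrade to a, b" lists alternatives: satisfying ANY one of them
# clears the advisory, so each range becomes its own Gem::Requirement.
def parse_audit_report(text)
  text.split(/\n{2,}/).map do |block|
    fields = block.scan(/^(\w+): (.*)$/).to_h
    next unless fields["Name"] # skips the trailing "Vulnerabilities found!" line
    ranges = fields.fetch("Solution", "")[/\Aupgrade to (.+)\z/, 1].to_s
    solutions = ranges.split(/,\s*/).map { |r| Gem::Requirement.new(r) }
    Advisory.new(fields["Name"], fields["Version"], fields["Advisory"],
                 fields["Criticality"], fields["Title"], solutions)
  end.compact
end

# A version clears one advisory if it satisfies any of that advisory's ranges.
# An advisory with no "upgrade to" solution can never be cleared automatically.
def fixes?(version, advisory)
  advisory.solutions.any? { |req| req.satisfied_by?(version) }
end

# Lowest released version above the current one that clears EVERY advisory
# for the gem (rest-client needs 1.8.0, because 1.7.3 only clears one of its
# two advisories). Returns nil when no release qualifies.
def safe_upgrade(gem_name, advisories, released = RELEASED_VERSIONS)
  current = Gem::Version.new(advisories.first.version)
  released.fetch(gem_name, []).map { |v| Gem::Version.new(v) }.sort
          .find { |v| v > current && advisories.all? { |a| fixes?(v, a) } }
end

# One summary line per vulnerable gem, in the spirit of the list at the top
# of the post's Pull Request description: gem, version bump, advisories cleared.
def security_update_plan(report, released = RELEASED_VERSIONS)
  parse_audit_report(report).group_by(&:gem).map do |name, advisories|
    target = safe_upgrade(name, advisories, released)
    ids = advisories.map(&:id).join(", ")
    bump = target ? "#{advisories.first.version} -> #{target}" : "no safe release found"
    "#{name}: #{bump} (#{ids})"
  end
end

puts security_update_plan(SAMPLE_REPORT) if __FILE__ == $PROGRAM_NAME
```

The point worth noticing is the rest-client case: two advisories with different floors (>= 1.7.3 and >= 1.8.0) have to be satisfied together, so the fix for the gem is the stricter of the two, which is why a per-advisory fix is not enough. What this example does not do is the second half of the post, resolving the Bundler conflicts (the ember-rails and sass-rails constraints on sprockets) that a version bump can trigger; that resolution is Bundler's job once the Gemfile is edited.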

KINGSABRI commented 8 years ago

Interesting and important, no doubt. Keep it up2date! Thanks!