

A scanner: How secure are open source Ruby projects on GitHub? - jrochkind1
https://hakiri.io/security-watch

======
jrochkind1
I'm surprised this isn't getting higher on HN.

It's a really neat product.

There are _definitely_ false positives, and it could use some more context
information on the positives it does report. (For vulnerabilities based on gem
specs, identify what version of the dependency it considers okay (not always
easily identifiable from the CVE alone), and quote the Gemfile/gemspec line
that it didn't like).

It definitely does more than just identify gem specs allowing versions of
dependencies with known vulnerabilities. It's also doing some code analysis
(like models missing attr_accessible in Rails 3.x), and told me about one such
vulnerability in my code that I think is legit and I need to fix (also
another couple I think are false positives; there is a 'mark false positive'
button to remove them from your report).

It looks like a free-level account can get reports on open source (public, not
private) GitHub repos. Great.

This is also potentially a source of information for attackers to identify
vulnerable apps, even hypothetically identify and exploit in a totally
automated way, especially for public github repos. Security will keep getting
harder, that much we can be sure.

------
vasinov
Pretty neat. Never thought of loose version intervals as potential
vulnerabilities...but here we go.
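Both comments above touch the same check: a gemspec or Gemfile line whose version interval still admits a release with a known advisory. The script below is an added example of that check and is not part of Hakiri or either commenter's post. The advisory list, the released-version list and the gem name `example_gem` are constructed for illustration; the interval matching itself uses Ruby's built-in `Gem::Requirement` and `Gem::Version`, so the `~>` and `>=` semantics are the real RubyGems ones.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with Ruby

# Constructed advisory data (not a real feed): for each gem, the requirement
# that describes the *fixed* versions. Any admitted version that fails it is
# still exposed to the advisory.
ADVISORIES = {
  "example_gem" => [
    { id: "ADV-EXAMPLE-0001", patched: [">= 2.3.5"] }
  ]
}.freeze

# Constructed list of versions we pretend are published for each gem.
RELEASED = {
  "example_gem" => %w[2.3.3 2.3.4 2.3.5 2.4.0]
}.freeze

# Minimal parser for gemspec / Gemfile dependency lines such as
#   spec.add_dependency "example_gem", "~> 2.3"
#   gem "example_gem", ">= 2.0", "< 3"
# Returns [name, [requirement strings]] or nil for lines that declare nothing.
# A dependency with no requirement at all is treated as ">= 0" (anything goes).
def parse_dependency(line)
  m = line.match(
    /\b(?:gem|add_(?:runtime_|development_)?dependency)\s*\(?\s*["']([^"']+)["']((?:\s*,\s*["'][^"']+["'])*)/
  )
  return nil unless m
  reqs = m[2].scan(/["']([^"']+)["']/).flatten
  reqs = [">= 0"] if reqs.empty?
  [m[1], reqs]
end

# Which released versions does this interval admit that are NOT covered by the
# patched range of some advisory? Each finding pairs a version with an advisory id.
def exposed_versions(name, req_strings)
  allowed = Gem::Requirement.new(req_strings)
  findings = []
  (RELEASED[name] || []).each do |v|
    version = Gem::Version.new(v)
    next unless allowed.satisfied_by?(version)
    (ADVISORIES[name] || []).each do |adv|
      patched = Gem::Requirement.new(adv[:patched])
      findings << { version: v, advisory: adv[:id] } unless patched.satisfied_by?(version)
    end
  end
  findings
end

# Scan a whole spec text; report only the lines whose interval admits an
# exposed version, quoting the offending line so a reviewer can see it.
def scan_spec(text)
  text.each_line.map do |line|
    dep = parse_dependency(line)
    next nil unless dep
    name, reqs = dep
    findings = exposed_versions(name, reqs)
    next nil if findings.empty?
    { line: line.strip, gem: name, requirement: reqs, exposed: findings }
  end.compact
end

# Constructed sample specs: one with a loose "~>" interval, one that also pins
# the lower bound at the first fixed release.
LOOSE_SPEC = <<~SPEC
  Gem::Specification.new do |spec|
    spec.add_dependency "example_gem", "~> 2.3"
  end
SPEC

TIGHT_SPEC = <<~SPEC
  Gem::Specification.new do |spec|
    spec.add_dependency "example_gem", "~> 2.3", ">= 2.3.5"
  end
SPEC

if $PROGRAM_NAME == __FILE__
  [["loose", LOOSE_SPEC], ["tight", TIGHT_SPEC]].each do |label, spec|
    results = scan_spec(spec)
    puts "#{label}: #{results.empty? ? 'no exposed versions' : ''}"
    results.each do |r|
      puts "  #{r[:line]}"
      r[:exposed].each { |f| puts "    admits #{f[:version]} (#{f[:advisory]})" }
    end
  end
end
```

Running it shows the loose `~> 2.3` line admitting 2.3.3 and 2.3.4, both below the constructed fix at 2.3.5, while the line that adds `>= 2.3.5` reports nothing. The same shape of output answers jrochkind1's wish for context: the quoted line, the interval, and the versions the advisory still applies to.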

