Show HN: Is it vulnerable? Drag-n-drop your Gemfile.lock to check - phillmv
https://isitvulnerable.com/

======
sciurus
You can run this check yourself using the bundle-audit tool. It uses the list
of vulnerabilities from ruby-advisory-db.

Checking the git history, I see that phillmv is a contributor to ruby-advisory-db.

[https://github.com/rubysec/bundler-audit](https://github.com/rubysec/bundler-audit)

[https://github.com/rubysec/ruby-advisory-db](https://github.com/rubysec/ruby-advisory-db)

~~~
phillmv
Yep! We started that project alongside postmodern_mod3 about two years ago :).

We figured we could do a better job all around if we managed to productize it.

~~~
sarwechshar
This looks so simple but clearly a lot of work went into it. I'm learning Ruby
and this is certainly going to be one of my most used tools - thanks!

------
phillmv
Hey. We posted about our service last week and got great feedback. We took
that feedback and decided to put isitvulnerable.com together to really
showcase what you can get out of it / uh check your dang Gemfile.lock at
least.

We're expanding platforms, so do tell us what to support next :).

~~~
alexbecker
Saw the title and thought it might be you two. The site looks great! I'm
surprised you found the time to put something like that together while in
YCombinator.

Of course I have to suggest Python/Django, since that's what my company uses.
But to maximize (number of users)x(number of security vulnerabilities),
perhaps Wordpress plugins would be worth monitoring?

~~~
phillmv
It's been a long couple of months :).

~~~
maxs
One more vote for Python/Django.

------
Mojah
If you're into PHP, SensioLabs has a similar service you can use in your
Composer.lock file:
[https://security.sensiolabs.org/check](https://security.sensiolabs.org/check)

It'll block any vulnerable version of a dependency in your project.

------
homakov
Someone should re-estimate the severity of those "CVEs". I got 10 warnings and
none of them is severe for my app (and yours too, likely), so I'm definitely not
vulnerable.

Also LOL "CSRF Vulnerability in jquery-rails" is known as not a bug at all.

~~~
phillmv
Wouldn't be the first time you sent us a PR, Egor :D.

But yeah, we do need to find the time to clean it up.

~~~
homakov
Just don't want it to be yet another "We found 123 vulnerabilities, sign up to
learn more". E.g. if it's a Rails RCE, its confidence should be 3/3; if it's
something app-specific, 2/3, etc. But anyway, great job.

------
bshimmin
This is terrific. Easy to understand, fast, and very useful. Great job, guys!

~~~
recursive
I guess the presentation is pretty clean. But what's a gemfile.lock?

~~~
cseelus
bundler.io has a very good explanation[1]:

 _After developing your application for a while, check in the application
together with the Gemfile and Gemfile.lock snapshot. Now, your repository has
a record of the exact versions of all of the gems that you used the last time
you know for sure that the application worked. Keep in mind that while your
Gemfile lists only three gems (with varying degrees of version strictness),
your application depends on dozens of gems, once you take into consideration
all of the implicit requirements of the gems you depend on.

This is important: the Gemfile.lock makes your application a single package of
both your own code and the third-party code it ran the last time you know for
sure that everything worked. Specifying exact versions of the third-party code
you depend on in your Gemfile would not provide the same guarantee, because
gems usually declare a range of versions for their dependencies._

1) [http://bundler.io/v1.7/rationale.html#checking-your-code-into-version-control](http://bundler.io/v1.7/rationale.html#checking-your-code-into-version-control)

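Added example (editor's code, not from the thread, from isitvulnerable.com, or from bundler-audit's code base). It ties together sciurus's pointer to bundle-audit and ruby-advisory-db above and cseelus's explanation of what a Gemfile.lock records: it parses the `specs:` block of a lockfile into the full set of resolved gems (transitive ones included, which is exactly why the lockfile and not the Gemfile is the thing to check), then matches each gem's locked version against advisory entries written in the ruby-advisory-db shape (`gem`, `patched_versions`, `unaffected_versions`). The lockfile fragment and the advisory entries are constructed for the demo; they carry no CVE or GHSA identifiers and describe no real vulnerabilities. The function names `parse_lockfile`, `vulnerable?` and `audit` are mine. Note the caveat homakov raises: the match is purely "this version is inside an affected range"; nothing here knows whether your app actually reaches the affected code.

```ruby
require "yaml"
require "rubygems"

# Constructed Gemfile.lock fragment for the demo; not from any real project.
# Gem names are real, the versions were chosen for the example.
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (4.2.0)
      rack (~> 1.6)
    jquery-rails (4.0.3)
      rails-dom-testing (~> 1.0)
    rack (1.6.0)
    rails-dom-testing (1.0.6)

PLATFORMS
  ruby

DEPENDENCIES
  actionpack
  jquery-rails
LOCK

# Constructed entries in the shape of ruby-advisory-db YAML files
# (gem / title / unaffected_versions / patched_versions). They are
# hypothetical and deliberately carry no CVE or GHSA identifiers; real
# entries do.
SAMPLE_ADVISORIES = YAML.safe_load(<<~YAML)
  - gem: actionpack
    title: Hypothetical actionpack issue fixed in 4.2.1
    patched_versions:
      - ">= 4.2.1"
  - gem: rack
    title: Hypothetical rack issue in the 1.5 and 1.6 series
    unaffected_versions:
      - "< 1.5.0"
    patched_versions:
      - "~> 1.5.3"
      - ">= 1.6.1"
  - gem: rails-dom-testing
    title: Hypothetical rails-dom-testing issue fixed in 1.0.5
    patched_versions:
      - ">= 1.0.5"
YAML

# Parse the "specs:" block of every GEM/GIT/PATH section into
# {gem name => Gem::Version}. Top-level spec lines are indented by four
# spaces; the six-space lines beneath them are dependency requirements and
# are skipped, because every resolved gem (transitive ones included) also
# appears as its own four-space entry. That closure is what the lockfile
# records and what the Gemfile alone does not give you.
def parse_lockfile(text)
  specs = {}
  section = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A\S/)                 # unindented line: new section header
      section = line.split.first
      in_specs = false
    elsif line.strip == "specs:" && %w[GEM GIT PATH].include?(section)
      in_specs = true
    elsif in_specs
      m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/)
      next unless m
      version = m[2].split("-", 2).first   # drop a platform suffix such as "-x86_64-linux"
      specs[m[1]] = Gem::Version.new(version)
    end
  end
  specs
end

# An advisory applies to a locked version unless that version falls in an
# unaffected range or a patched range. This is a version-only rule, the same
# kind bundler-audit applies: it says nothing about whether the affected
# code path is reachable in your application.
def vulnerable?(advisory, version)
  exempt = Array(advisory["unaffected_versions"]) + Array(advisory["patched_versions"])
  exempt.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Return [gem, locked version, advisory title] for every advisory whose gem
# is present in the lockfile at an affected version.
def audit(lock_text, advisories)
  specs = parse_lockfile(lock_text)
  advisories.each_with_object([]) do |adv, findings|
    version = specs[adv["gem"]]
    next unless version && vulnerable?(adv, version)
    findings << [adv["gem"], version.to_s, adv["title"]]
  end
end

if $PROGRAM_NAME == __FILE__
  findings = audit(SAMPLE_LOCK, SAMPLE_ADVISORIES)
  findings.each { |gem, version, title| puts "#{gem} #{version}: #{title}" }
  puts "no known advisories match" if findings.empty?
end
```

Run it as a script to see the two constructed matches (actionpack 4.2.0 and rack 1.6.0); rails-dom-testing 1.0.6 is past its hypothetical patched version and jquery-rails has no entry, so neither is reported. To point it at a real lockfile you would replace `SAMPLE_LOCK` with `File.read("Gemfile.lock")` and load the `gems/<name>/*.yml` files from a checkout of ruby-advisory-db in place of `SAMPLE_ADVISORIES`.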
~~~
MatthewMcDonald
I suspect recursive is pointing out that if you don't know what a gemfile.lock
is, then the site is not useful or easy to understand.

------
piratebroadcast
So if somebody hacks isitvulnerable.com, they have a list of vulnerable rails
sites.

~~~
phillmv
We thought about this.

We don't associate any gemfiles with user information, so at best… all you
could get is a list of vulnerable gemfiles, somewhere, out there :).

~~~
shostack
Novice here, but wouldn't a list of vulnerable gems be almost as valuable a
target (if it doesn't already exist elsewhere)? I would imagine it is not
difficult to generate a list of sites using those versions of gems that have
public repos.

Please feel free to educate me if that is not at all the case though--like I
said, novice, so just starting to wrap my head around security implications of
things like this.

~~~
Cyranix
Not sure why you were downvoted for asking a question and trying to learn.

The information is coming from publicly available descriptions of
vulnerabilities. The affected versions of gems are already enumerated. This
tool is a way to make it easier for devs to compare their set of gems against
the vast database of vulnerabilities.

~~~
shostack
Thanks for the helpful response, this is exactly what I was wondering as I
assumed there might be some publicly available info on vulnerabilities.

Is there a definitive source for keeping track of these out of curiosity? I'd
consider myself an "early" programmer, so I know enough to be dangerous, but
feel like there's no time like the present to start keeping track of known
issues with things I might be using, even if I may not grasp the full extent
of them at my level of experience.

------
brobinson
Great tool! Bookmarked.

Bug report: text here [1] is not rendering properly, but if I resize the
window to be smaller it adjusts and is fine. Happens in Firefox 39.0.3 (no
plugins) and Chrome 44.0.2403.130 (64-bit, no plugins) at 1000px window width
on OSX Yosemite.

[1] [http://i.imgur.com/rgQqli8.png](http://i.imgur.com/rgQqli8.png)

~~~
scott_karana
Ditto, with Fx 39.0 and uBlock Origin, 1920px, also Yosemite.

------
dboyd
Looks great. Your formatting on the result page is messed up in my browser
(chrome on osx). You can see a screen shot here...

[https://annotate.driftt.com/view?i=99nffsejxeiittq%2F2015-08...](https://annotate.driftt.com/view?i=99nffsejxeiittq%2F2015-08-07_at_10.49_AM_\(1\).png%2F)

~~~
ontoillogical
Thanks for the report, we're on it.

------
caioariede
I'd like to know if there is something similar for Python, or something like
[https://github.com/rubysec/ruby-advisory-db](https://github.com/rubysec/ruby-advisory-db) for Python.

~~~
aaronbasssett
[https://requires.io/](https://requires.io/)

------
busterarm
THANK YOU!

I think this is really awesome...

...I have to go update a few projects right now.

------
thoughtpalette
This is awesome, great idea! I see the sign-up for additional platforms.
Thinking of supporting package.json and bower files?

~~~
phillmv
>Thinking of supporting package.json and bower files?

Definitely! We're building a service to monitor your app and server's
dependencies, and we currently support Ubuntu and Ruby.

Our goal is to cover basically all of open source :).

