Don't find out about Ruby vulnerabilities through Hacker News and Twitter - phillmv
https://gemcanary.com

======
bradleyland
Congrats on launching guys, but I'm going to be really honest here. The
requirement that I provide access to my Github repos like this is a deal
breaker. For a security related product, this creates a huge attack surface
and audit requirement.

From a security standpoint, what you _want_ to do is less important than what
you _can_ do, and the access controls you use currently -- public or public +
private -- just aren't fine grained enough.

~~~
phillmv
> For a security related product, this creates a huge attack surface and audit
> requirement.

We agree. We spent a lot of time debating this.

We originally set out to build a gem, but realized it was so much easier to
use through GitHub. Unfortunately, we can't provide more granular access due
to what the API gives us.

We plan on eventually releasing said gem, as noted in the "I don't use github"
link on the front page :).

~~~
mrgreenfur
What about a functionality where I can upload my gemfile when I deploy? I
deploy, cap sends you my gemfile and you notify me.

~~~
phillmv
Exactly what we had in mind. Soon!

~~~
stephenhuey
Looking forward to it!

------
phillmv
Hey! We built this as an itch scratcher - something that will only notify us
about security updates. We've been working on this for a couple weeks now, and
we think other people might find it useful.

We're still in beta and adding some polish, so please let us know if something
breaks. Also, it's possible we may run up against the GitHub API rate limit,
so bear with us if we turn off new user signups.

Thanks!

~~~
fla
Definitely something useful I would pay for. Unfortunately I can't let you
access my private repos. Any alternative?

~~~
phillmv
We're planning on releasing a gem so you can use it without github.

If you're interested, add your email through the "I don't use GitHub" link on
the front page, and we'll let you know when it's ready :).

------
pnathan
I think this is the best headline/page I've read for a long time.

It neatly states an obvious problem in the headline, then on landing, proposes
a service to solve the problem that _we know exists_. If I had a ruby system,
I'd be on this like, well, frosting on a cupcake. Mmmmm, cupcakes. :)

------
habosa
This is really well done, thanks! I read HN every day and I thought I was
fairly up to date after the last Rails security scramble but you guys pointed
out a few more gems I need to update/remove. Integration was seamless and I
got the information I came for in less than 2 minutes.

------
tantalor
Very interesting, but why is it Ruby specific? What about package
vulnerabilities in other languages? Surely you can parse JavaScript and Python
requirement files as well; the concept is no different.

~~~
endtwist
(Disclaimer: I'm one of the founders.)

BundleScout[1] does this for other languages, including Node.js and Python--
and of course Ruby Gems. We don't have Github integration yet, but you can
simply upload your requirements file (which, it seems, some people would
rather do anyway).

[1] <https://bundlescout.com>

~~~
kmfrk
The design is gorgeous. A few observations:

1. When I upload a requirements.txt file, let me just pick 5 packages from
the file instead of telling me I have to upgrade to use it.

2. Why is Django listed as the old version 1.3.7 in my dash?

3. You have a Twitter account, but there appears to be no link on your
website that I could spot.

~~~
endtwist
Well, thank you!

1. We just pushed the import feature a couple days ago so we're still
tweaking how it works. This is a good suggestion, I'll definitely take it into
consideration.

2. You should be seeing 1.3.7 as the 'old version' (last update we detected).
We're still working on better branch/track breakdown--this isn't an issue for
most packages.

3. The Twitter account is linked at the bottom of the page :)

Let me know at friends [at] bundlescout [.] com if you're not seeing the right
Django version and I'll look into it today.

~~~
kmfrk
I found out why the Twitter link isn't working; it's because you're using the
"Twitter button(TM)". This gets blocked by Ghostery, so using an old time-y
link would probably be better for fallback purposes. Up to you, of course. :)

------
param
How is this better than brakeman? (<http://brakemanscanner.org/>) Seems like
they pretty much only check your gem dependencies, while brakeman also does
static code analysis and points out potential SQL injection spots etc...

~~~
InAnEmergency
Brakeman will not check _all_ gem dependencies and is not a general-purpose
gem dependency security checker... bundler-audit will probably end up being
the de facto tool for that: <https://github.com/postmodern/bundler-audit>

------
dguido
Postmodern wrote a gem to do this entirely on your own, no giving away access
to your Github repositories necessary. Check out bundle-audit:

<https://github.com/postmodern/bundler-audit>

~~~
ontoillogical
We're actually collaborating with him on the advisory database that gemcanary
and bundler-audit both use. It's free and open for anyone to use.

Check it out: <https://github.com/rubysec/ruby-advisory-db>

~~~
dguido
Cool, the whole system of projects you guys are working on looks exciting. Glad
that Ruby is finally getting its act together a little bit.

------
throwawayG9
We have this for PHP: <https://security.sensiolabs.org/>

You should consider building something similar.

------
existentialmutt
Where do you guys find out about security vulnerabilities?

~~~
ontoillogical
(I'm the other person responsible for gemcanary)

Having a record of all the security vulnerabilities that affect the Ruby
community is important. To that end, we help maintain
<https://github.com/rubysec/ruby-advisory-db/> which is free for anyone to use
or contribute to.

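The check behind both the "send us your Gemfile on deploy" idea above and the shared advisory database, as an added example that is not gemcanary's or bundler-audit's own code: parse the resolved versions out of a Gemfile.lock and test each one against advisory entries laid out with the `patched_versions` / `unaffected_versions` fields ruby-advisory-db uses. The lockfile excerpt and the advisory entries are constructed for illustration and describe no real vulnerability.

```ruby
# Constructed Gemfile.lock excerpt (sample input, not any real project's lockfile).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.4.3)
      rails (3.2.11)
      thor (0.17.0)
  PLATFORMS
    ruby
LOCK
# Constructed advisories using the field names of ruby-advisory-db entries (gem,
# title, patched_versions, unaffected_versions); versions and titles are made up.
ADVISORIES = [
  { "gem" => "rails", "title" => "Constructed: fixed in 3.2.12", "unaffected_versions" => ["< 2.0.0"], "patched_versions" => ["~> 3.2.12", ">= 4.0.0"] },
  { "gem" => "rack",  "title" => "Constructed: fixed in 1.4.4",  "patched_versions" => ["~> 1.4.4", ">= 1.5.1"] },
  { "gem" => "thor",  "title" => "Constructed: fixed in 0.17.0", "patched_versions" => [">= 0.17.0"] },
]

# Parse the `specs:` block of a Gemfile.lock into {name => Gem::Version}.
# Resolved gems sit at four spaces of indent; deeper lines are sub-dependencies.
def parse_lockfile(text)
  specs, in_specs = {}, false
  text.each_line do |line|
    in_specs = true  if line =~ /^  specs:/
    in_specs = false if line =~ /^\S/ # a new top-level section ends the block
    next unless in_specs && line =~ /^    (\S+) \(([^)]+)\)\s*$/
    specs[$1] = Gem::Version.new($2)
  end
  specs
end

# Same rule bundler-audit applies: a version is affected unless it satisfies one
# of the unaffected_versions or one of the patched_versions requirements.
def vulnerable?(advisory, version)
  ok = ->(reqs) { (reqs || []).any? { |r| Gem::Requirement.new(r).satisfied_by?(version) } }
  !ok.call(advisory["unaffected_versions"]) && !ok.call(advisory["patched_versions"])
end

# Return [gem, installed version, title] for every advisory matching the lockfile.
def audit(lockfile, advisories)
  specs = parse_lockfile(lockfile)
  advisories.each_with_object([]) do |adv, hits|
    version = specs[adv["gem"]]
    hits << [adv["gem"], version.to_s, adv["title"]] if version && vulnerable?(adv, version)
  end
end

audit(LOCKFILE, ADVISORIES).each { |gem, ver, title| puts "#{gem} #{ver}: #{title}" } if __FILE__ == $0
```

With the constructed data, rails 3.2.11 and rack 1.4.3 are reported while thor 0.17.0 is not, since it already satisfies its patched_versions requirement.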
------
gravis
I'm personally using <https://gemnasium.com>, and am very happy with it.

------
camus
Oh yeah, now I get it, it is like a canary in a coal mine!!! Great project
guys.