Checking the git history, I see that phillmv is a contributor to ruby-advisory-db.
We figured we could do a better job all around if we managed to productize it.
We're expanding platforms, so do tell us what to support next :).
It is a service! Visit https://appcanary.com for more deets.
Of course I have to suggest Python/Django, since that's what my company uses. But to maximize (number of users)x(number of security vulnerabilities), perhaps Wordpress plugins would be worth monitoring?
But do you have bugs?
Although I'm worried about the part where I'm supposed to install a service monitor on our servers. I know, many people already do stuff like that with airbrake or newrelic but I know that admins get grey hair because of that. :)
You should think about offering an API where the client can upload its Gemfile.lock on their own.
If you want to get a personal email when it comes out, put "API" in the platform field in the email form on the link above.
In environments with tighter security needs, this is outright verboten.
It is true that those tools help the developers and the admins to monitor their products but where you aren't allowed to use them and have to run your own stuff, you might pay in higher maintenance costs.
There are places where there are heightened security requirements (for various reasons). Disallowing unnecessary outbound connections is a standard practice. This results in pruning quite a lot of possible attack vectors.
Of course some of those reasons are ridiculous. One place disallowed saving word documents as blobs in an Oracle database running on a Solaris server due to fear of malicious word document macros running on said server.
It seems like a lot of people would love to have an easy way to integrate this into their continuous integration services, for instance - and we're working on making that a Real Thing That Exists.
It'll block any vulnerable version of a dependency in your project.
Also LOL "CSRF Vulnerability in jquery-rails" is known as not a bug at all.
But yeah, we do need to find the time to clean it up.
After developing your application for a while, check in the application together with the Gemfile and Gemfile.lock snapshot. Now, your repository has a record of the exact versions of all of the gems that you used the last time you know for sure that the application worked. Keep in mind that while your Gemfile lists only three gems (with varying degrees of version strictness), your application depends on dozens of gems, once you take into consideration all of the implicit requirements of the gems you depend on.
This is important: the Gemfile.lock makes your application a single package of both your own code and the third-party code it ran the last time you know for sure that everything worked. Specifying exact versions of the third-party code you depend on in your Gemfile would not provide the same guarantee, because gems usually declare a range of versions for their dependencies.
So the app just runs through the list and checks whether the version of the gem is vulnerable or not.
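The check described in this thread, written out as an added example (not Appcanary's code and not ruby-advisory-db tooling): parse the resolved versions out of a Gemfile.lock and compare each against advisory entries that list patched versions, the shape ruby-advisory-db uses. The lockfile, the gem names and the advisory ids are all constructed for this example.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement come from the stdlib

# Constructed sample Gemfile.lock; gem names and versions are made up.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      demo-auth (1.6.0)
      demo-sanitizer (1.0.2)
        demo-parser (~> 2.0)
      demo-parser (2.0.1)
      demo-xml (1.6.6.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    demo-auth
    demo-sanitizer
LOCK

# Constructed advisories in the ruby-advisory-db shape: a gem plus the
# version requirements that are patched; anything else counts as affected.
ADVISORIES = [
  { gem: "demo-auth",   id: "EXAMPLE-0001", patched_versions: [">= 1.6.2", "~> 1.5.4"] },
  { gem: "demo-xml",    id: "EXAMPLE-0002", patched_versions: [">= 1.6.7"] },
  { gem: "demo-parser", id: "EXAMPLE-0003", patched_versions: [">= 2.0.0"] },
]

# Collect "name (version)" pairs from the specs section. Resolved specs are
# indented 4 spaces; their dependency lines (6 spaces) carry ranges, not
# pinned versions, so they are skipped.
def locked_gems(lockfile)
  gems = {}
  in_specs = false
  lockfile.each_line do |line|
    in_specs = true if line.strip == "specs:"
    in_specs = false if line =~ /\A[A-Z]/ # next top-level section
    next unless in_specs
    gems[$1] = Gem::Version.new($2) if line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
  end
  gems
end

# A locked version is vulnerable when it satisfies none of the patched ranges.
def vulnerable?(version, patched_versions)
  patched_versions.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Returns "gem version: advisory id" strings for every hit in the lockfile.
def audit(lockfile, advisories)
  gems = locked_gems(lockfile)
  advisories.select { |a| gems[a[:gem]] && vulnerable?(gems[a[:gem]], a[:patched_versions]) }
            .map { |a| "#{a[:gem]} #{gems[a[:gem]]}: #{a[:id]}" }
end

puts audit(LOCKFILE, ADVISORIES)
```

Gem::Requirement understands the same operators Gemfiles use (`>=`, `~>`, `<`), so the patched_versions field can be compared without hand-rolled version parsing.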
We don't associate any gemfiles with user information, so at best… all you could get is a list of vulnerable gemfiles, somewhere, out there :).
Please feel free to educate me if that is not at all the case though--like I said, novice, so just starting to wrap my head around security implications of things like this.
The information is coming from publicly available descriptions of vulnerabilities. The affected versions of gems are already enumerated. This tool is a way to make it easier for devs to compare their set of gems against the vast database of vulnerabilities.
Is there a definitive source for keeping track of these out of curiosity? I'd consider myself an "early" programmer, so I know enough to be dangerous, but feel like there's no time like the present to start keeping track of known issues with things I might be using, even if I may not grasp the full extent of them at my level of experience.
Bug report: text here is not rendering properly, but if I resize the window to be smaller it adjusts and is fine. Happens in Firefox 39.0.3 (no plugins) and Chrome 44.0.2403.130 (64-bit, no plugins) at 1000px window width on OSX Yosemite.
I think this is really awesome...
...I have to go update a few projects right now.
Definitely! We're building a service to monitor your app and server's dependencies, and we currently support Ubuntu and Ruby.
Our goal is to cover basically all of open source :).