Find vulnerabilities in Ruby

Veracode Software Composition Analysis (SCA) can find known vulnerabilities in the open-source gems that your Ruby applications depend on. You can scan Ruby gem repositories using the command-line agent or the CI integrations.

For packaging instructions for Veracode Static Analysis, see Packaging Ruby on Rails applications.

Scan your code

You can scan any code repository to which you have access and that meets the requirements below. To run an example scan, clone one of the public Veracode SCA example repositories:

git clone https://github.com/veracode/example-ruby   

Add a srcclr.yml file to the directory at which you point the Veracode SCA agent to specify scan directives for your Ruby code. Some scan directives are specific to Ruby projects.

Before you begin:

Scanning a repository that uses Ruby and one of its build or package managers requires that the code can be built in the environment where you run the scan. This means you must:

  • Meet the requirements for the Veracode SCA agent.
  • Have access to the Ruby repository.
  • Have Ruby installed on your local path. To scan vulnerable methods, you must have Ruby 2.x or later.
  • Include a Gemfile in the repository that you plan to scan.
  • If Gemfile.lock does not exist in the project root where you run the scan, be able to run bundle install from that project root so the agent can resolve dependency versions.
  • Have Bundler 1.1.0 or later installed on the local path.

The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. Run it before scanning to confirm that the agent can build the project:

bundle install --path vendor/bundle

Bundler 2.x prints a deprecation warning for the --path option (it is flagged for removal in Bundler 3). If your Bundler rejects it, set the install path with bundle config before running bundle install. Either way, the command must finish without resolution errors and leave a Gemfile.lock in the project root.

To complete this task:

At the command line, run the scan command pointed to the directory of the Ruby repository. For example:

srcclr scan path/to/{project_folder}

To scan code repositories hosted in Git, use the --url argument at the command line.

To view more verbose output during the scan process, add the --loud argument:

srcclr scan path/to/{project_folder} --loud

Results:

The Veracode SCA agent uses the native package manager (Bundler, for Ruby) to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, the percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.

Fix example direct vulnerability

These example steps fix a Cross-Site Request Forgery (CSRF) vulnerability in administrate version 0.1.4, the version locked in the example-ruby repository.

To complete this task:

  1. Edit the Gemfile in the root of the project so that the administrate entry reads:

    gem 'administrate', '0.1.5'
  2. Run the following command from your terminal within the project:

    bundle update administrate  
  3. Validate the fix: confirm that Gemfile.lock now locks administrate 0.1.5, then rescan the project and check that the vulnerability no longer appears.

Fix example transitive vulnerability

To fix a transitive library for Ruby, override the transitive dependency by adding the appropriately versioned gem as a direct dependency in your Gemfile. Bundler then resolves the transitive gem to the version you pin, provided that every gem depending on it allows that version; if a dependent's version constraint excludes it, bundle update reports a version conflict and you must update that dependent gem instead.

These steps fix a Session Fixation vulnerability in rest-client version 1.7.3 in the test-ruby-gem repository.

To complete this task:

  1. Edit the Gemfile in the root of the project and add the recommended version of the gem as a direct dependency (1.8.0.rc1 is a prerelease, so Bundler selects it only because the pin names it explicitly):

    gem 'rest-client', '1.8.0.rc1'
  2. Run this command from your terminal within the project:

    bundle update rest-client  
  3. Validate the fix: confirm that Gemfile.lock now locks rest-client 1.8.0.rc1, then rescan the project and check that the vulnerability no longer appears.
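Both fixes above start from knowing which version is locked and, for a transitive gem, which direct gem pulls it in. As an added example that is not part of Veracode's tooling, the following Ruby script parses a Gemfile.lock, compares locked versions against the fixed versions named above (administrate 0.1.5, rest-client 1.8.0.rc1), and prints the dependency chain from your direct gems to each affected one, so you can tell whether to bump a direct pin or add an override. The embedded lockfile is constructed and abbreviated for the example, and the gem some-api-client that depends on rest-client in it is hypothetical.

```ruby
# Added example, not Veracode's code: reports gems in a Gemfile.lock that are
# below a known-fixed version and shows how each one is reached from the
# project's direct dependencies.
require "rubygems"

# Constructed, abbreviated lockfile; some-api-client is a hypothetical gem.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      administrate (0.1.4)
        rails (>= 4.2)
      mime-types (2.99)
      netrc (0.11.0)
      rails (4.2.0)
      rest-client (1.7.3)
        mime-types (>= 1.16, < 3.0)
        netrc (~> 0.7)
      some-api-client (0.5.0)
        rest-client (~> 1.7)

  PLATFORMS
    ruby

  DEPENDENCIES
    administrate (= 0.1.4)
    some-api-client

  BUNDLED WITH
     1.17.3
LOCK

# First safe versions, taken from the fix examples above.
FIXED_IN = { "administrate" => "0.1.5", "rest-client" => "1.8.0.rc1" }.freeze

# specs: name => { version: Gem::Version, deps: [names] }; direct: top-level gem names
Lockfile = Struct.new(:specs, :direct)

# Minimal parser for the GEM/specs and DEPENDENCIES sections of a Gemfile.lock.
# Spec lines are indented 4 spaces, their dependencies 6.
def parse_lockfile(text)
  specs, direct, section, current = {}, [], nil, nil
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A[A-Z][A-Z ]*\z/
      section = line
      next
    end
    next if line.strip.empty?
    case section
    when "GEM"
      if line =~ /\A {4}(\S+) \(([^)]+)\)\z/
        current = $1
        specs[current] = { version: Gem::Version.new($2), deps: [] }
      elsif line =~ /\A {6}(\S+)/ && current
        specs[current][:deps] << $1
      end
    when "DEPENDENCIES"
      direct << line.strip.sub(/\s*\(.*\)\z/, "").delete_suffix("!")
    end
  end
  Lockfile.new(specs, direct)
end

# All chains from a direct dependency down to +target+. A one-element chain
# means the target is itself a direct dependency.
def chains_to(lock, target)
  found = []
  walk = lambda do |name, path|
    return if path.include?(name)            # guard against dependency cycles
    path = path + [name]
    if name == target
      found << path
      return
    end
    (lock.specs.dig(name, :deps) || []).each { |dep| walk.call(dep, path) }
  end
  lock.direct.each { |d| walk.call(d, []) }
  found
end

# name => { locked:, fixed:, chains: } for every gem locked below its fix.
def affected(lock, fixed_in)
  fixed_in.each_with_object({}) do |(name, fixed), out|
    spec = lock.specs[name] or next
    next unless spec[:version] < Gem::Version.new(fixed)
    out[name] = { locked: spec[:version].to_s, fixed: fixed, chains: chains_to(lock, name) }
  end
end

if __FILE__ == $PROGRAM_NAME
  lock = parse_lockfile(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK)
  affected(lock, FIXED_IN).each do |name, info|
    puts "#{name} #{info[:locked]} is below the fixed version #{info[:fixed]}"
    info[:chains].each do |chain|
      advice = chain.size == 1 ? "bump the direct pin" : "add gem '#{name}', '#{info[:fixed]}' to the Gemfile to override"
      puts "  via #{chain.join(' -> ')}: #{advice}"
    end
  end
end
```

Pass a real Gemfile.lock as the first argument to run it against your own project. The override only works when every gem on the chain admits the new version (here some-api-client's ~> 1.7 admits 1.8.0.rc1); otherwise bundle update fails with a version conflict and the intermediate gem is the one to update.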

Fix example vulnerable method

These example steps address a vulnerable method in rack-ssl, which is included in the example-ruby repository. The Veracode Platform reports the issue as Reflected Cross-site Scripting (XSS) through Unvalidated Input in Error Messages.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.

  2. Select Agent-Based Scan.

  3. Select your workspace.

  4. Select Projects.

  5. Select the srcclr/example-ruby project.

  6. Select Reflected Cross-site Scripting (XSS) through Unvalidated Input in Error Messages in the Vulnerabilities table. The Vulnerable Methods section shows that the redirect_to_https method is the vulnerable part of the library.

  7. To address the identified vulnerable method, do one of these tasks:

    • Change your code so that it no longer calls the vulnerable method, directly or through another code path, while keeping the same behavior.
    • Follow the provided instructions to update the library to a safe version.
  8. Validate the fix by rescanning the project and confirming that the vulnerable-method finding no longer appears.