Better Security for Ruby Apps

Posted over 5 years ago by Vasily

Houston, Houston, do you read? We are reporting on a major update to the core Hakiri functionality.

Now our vulnerability database is updated from one more data source: Ruby Advisory Database. This means that you’ll receive higher quality Ruby gem security notifications for your open source and private projects. We also improved individual vulnerability pages with richer descriptions, lists of references, unaffected and patched scopes, more cohesive page layouts, and OSVDB IDs for some vulnerabilities. This will help you understand what the root cause of the vulnerability is and how to fix it quickly and effectively.

Hakiri: cat on unicorn warrior

Before diving into more details about the changes, check out some updated vulnerability pages on Hakiri that contain merged data from NIST NVD and Ruby Advisory Database:

Ruby Advisory Database

It was our vision from the very beginning to offer the ultimate security monitoring solution for web app developers that would perform dependency scans against multiple data sources at once. Now we are one huge step closer to it.

The big problem that Hakiri tries to solve is visibility into dependency and code security vulnerabilities. In other words, we try to answer the following question for developers: how do I know that I haven’t introduced a publicly known security vulnerability into my app? We first approached this problem by running security scans against CVE vulnerabilities from the NIST National Vulnerability Database (NVD). This US government-maintained database has valuable information like security metrics, impact scores, references, and descriptions. One of its problems is that it doesn’t always have the most relevant affected-version information, which affects the quality of Hakiri scans. Another big issue is that it’s often behind on updates, and some vulnerabilities don’t make it into the official index for several months after their disclosure.

To solve those problems we searched for another comparable source of vulnerabilities for a wide range of technologies. Surprisingly, there wasn’t a single centralized vulnerability database that was as compelling as NIST NVD (besides OSVDB that shut down recently). However, we discovered that individual verticals of technologies, such as Ruby gems or Node.js libraries, had pretty good community-maintained security databases. Since Hakiri currently focuses only on Ruby projects (more technologies will be supported by the end of 2016), we decided to add support for Ruby Advisory Database—an open source community-maintained project.

Now our dataset contains merged information from NIST NVD and Ruby Advisory Database. After importing and cross-referencing new vulnerabilities we added 142 brand new Ruby gem vulnerabilities to our index and updated countless other vulnerabilities with better descriptions and other useful metadata.

On top of supporting CVE vulnerabilities that haven’t been officially released—placeholder vulnerabilities—Hakiri now supports Open Source Vulnerability Database (OSVDB) vulnerability IDs as well. OSVDB was officially shut down on April 5, 2016 because “the industry simply did not want to contribute and support such an effort” according to Brian Martin, OSVDB content manager. However, I suspect that OSVDB IDs will remain relevant for months if not years for reference purposes. That’s why we added OSVDB support to Hakiri.

As another improvement to the data aggregation process we added a manual verification step for all new vulnerabilities that enter Hakiri database. This was done to confirm that the new data is high quality and doesn’t have unforeseen kinks.

Issue Pages

What use is good data if it’s not presented properly? As part of our big push to improve core functionality we updated issue pages with a more data-rich layout that aims to educate developers about vulnerabilities and to give them more insight into the root cause and the impact of every vulnerability.

Some vulnerabilities, like the ones from the Rails Security Google group, were written in Markdown. Now we support this format on vulnerability pages. It can be useful for displaying code samples and for organizing data in a more readable way.

Hakiri: issue Markdown

NIST NVD, one of the data sources that Hakiri supports, provides references for all vulnerabilities that it has in its database. Now you can see them as part of every issue on Hakiri that was imported from NIST NVD.

Hakiri: vulnerability references

One other useful thing that we added to issue pages is unaffected and patched scopes for vulnerabilities that were imported from Ruby Advisory Database. Scopes are useful for quickly determining which version the developer should upgrade their affected gems to.

Hakiri: vulnerability version scopes
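To show how unaffected and patched scopes answer the "which version do I upgrade to?" question, here is an added example (not Hakiri's own code) that parses a constructed advisory in the Ruby Advisory Database YAML layout and evaluates an installed gem version against it; the field names `patched_versions` and `unaffected_versions` are assumed from that project's format, and the gem name and ranges are made up.

```ruby
require "yaml"

# Constructed sample advisory (field names assumed from the Ruby Advisory
# Database layout; the gem name and version ranges are made up).
SAMPLE_ADVISORY = <<~YAML
  gem: example-gem
  title: Example advisory (constructed)
  patched_versions:
    - "~> 3.2.22"
    - ">= 4.0.8"
  unaffected_versions:
    - "< 3.0.0"
YAML

# One advisory's version scopes, expressed as RubyGems requirements so the
# same operators used in Gemfiles ("~>", ">=", "<") apply here.
class Advisory
  attr_reader :gem_name, :patched, :unaffected

  def initialize(data)
    @gem_name   = data.fetch("gem")
    @patched    = Array(data["patched_versions"]).map { |r| Gem::Requirement.new(r) }
    @unaffected = Array(data["unaffected_versions"]).map { |r| Gem::Requirement.new(r) }
  end

  def self.parse(yaml)
    new(YAML.safe_load(yaml))
  end

  # A version is vulnerable unless it falls inside a patched or unaffected scope.
  def vulnerable?(version)
    v = Gem::Version.new(version)
    (@patched + @unaffected).none? { |req| req.satisfied_by?(v) }
  end

  # Lowest patched boundary that is not below the installed version, so the
  # suggestion never implies a downgrade; nil when the version is not vulnerable.
  def upgrade_target(version)
    v = Gem::Version.new(version)
    return nil unless vulnerable?(version)
    # Gem::Requirement#requirements is a list of [operator, Gem::Version] pairs.
    boundaries = @patched.flat_map { |req| req.requirements.map(&:last) }
    boundaries.select { |pv| pv >= v }.min
  end
end
```

Note that a "~>" scope is a window, so 3.3.0 is still vulnerable here and is steered to 4.0.8 rather than back to 3.2.22.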

This is a big update for Hakiri and it certainly raises the bar for how dependency vulnerabilities are aggregated and reported. We have big plans for a unified knowledge base that will have useful statistical data about the latest vulnerabilities as well as easy access to the 10,000-foot view of the vulnerability landscape. For now, whenever you are looking at a public issue page on Hakiri you can see what other vulnerabilities a technology has by simply clicking on the name of the technology in the breadcrumb navigation. Explore away!