Version Intervals and Security Watch

Posted about 4 years ago by Vasily

I’m extremely excited to announce new functionality in Hakiri today. It includes version interval parsing from Gemfile and gemspec files as well as a security leaderboard for open source projects on GitHub.

Version Intervals

Version intervals allow Ruby developers to declare simple wildcard dependencies. Until today, Hakiri only supported the “hardcoded” gem versions pinned in Gemfile.lock, but now it can pick up any available dependency file. Say you have rails ~> 4.0.1 in your Gemfile, meaning that your project can potentially resolve to any Rails version from 4.0.1 up to, but not including, 4.1.0. After you push this dependency to GitHub, Hakiri will highlight every security warning that applies to a version in that range, prompting you to move to a version range that doesn’t contain potentially vulnerable releases.

Hakiri: version intervals

Why should you scan version intervals? Because developers often don’t realize that a fuzzy dependency can allow a potentially vulnerable gem version to be installed. Hakiri notifies developers when that is the case.
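To make the version interval check concrete, here is an added example in Ruby (not Hakiri's own code). It reads a constructed Gemfile, expands the pessimistic requirement ~> 4.0.1 against a constructed list of released versions using Ruby's built-in Gem::Requirement and Gem::Version, and reports which versions the interval could resolve to that a hypothetical advisory (placeholder id, constructed patched-version list) leaves unpatched. The gem versions, the advisory and the Gemfile are all constructed for this example.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby itself

# Constructed sample data, not taken from RubyGems.org or any advisory feed:
# the versions that "exist" for each gem in this example, and one
# hypothetical advisory whose patched versions are written the way Ruby
# advisory databases write them, as a list of version requirements.
KNOWN_VERSIONS = {
  "rails" => %w[4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.0.5 4.1.0 4.1.1]
}.freeze

ADVISORIES = {
  "rails" => [
    { id: "PLACEHOLDER-ADVISORY-ID",               # not a real CVE number
      patched_versions: ["~> 4.0.4", ">= 4.1.1"] } # constructed for the example
  ]
}.freeze

# Constructed Gemfile with a fuzzy dependency, as in the post.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails", "~> 4.0.1"
  gem "rake"
GEMFILE

# Minimal Gemfile reader: returns [[name, [requirement, ...]], ...].
# It handles the common `gem "name", "req"[, "req"]` shape; a gem
# declared without a requirement gets ">= 0" (any version).
def parse_gemfile(text)
  text.each_line.each_with_object([]) do |line, deps|
    m = line.match(/^\s*gem\s+(.+)$/) or next
    strings = m[1].scan(/['"]([^'"]*)['"]/).flatten
    next if strings.empty?
    name, *rest = strings
    reqs = rest.grep(/\A(?:[~<>=!]+\s*)?\d/) # keep only version requirements
    deps << [name, reqs.empty? ? [">= 0"] : reqs]
  end
end

# Every known version that the interval (e.g. "~> 4.0.1") could resolve to.
def versions_allowed_by(requirements, known)
  req = Gem::Requirement.new(*requirements)
  known.map { |v| Gem::Version.new(v) }
       .select { |v| req.satisfied_by?(v) }
       .sort
       .map(&:to_s)
end

# A version is affected by an advisory when it satisfies none of the
# advisory's patched requirements.
def affected?(version, advisory)
  v = Gem::Version.new(version)
  advisory[:patched_versions].none? { |p| Gem::Requirement.new(p).satisfied_by?(v) }
end

# The warning a version-interval scan raises: for each dependency, the
# allowed versions that an advisory says are affected.
def scan(gemfile_text, known = KNOWN_VERSIONS, advisories = ADVISORIES)
  parse_gemfile(gemfile_text).each_with_object({}) do |(name, reqs), report|
    next unless known.key?(name) # no version data for this gem in the sample
    allowed = versions_allowed_by(reqs, known[name])
    (advisories[name] || []).each do |adv|
      bad = allowed.select { |v| affected?(v, adv) }
      next if bad.empty?
      report[name] = { advisory: adv[:id], allowed: allowed, affected: bad }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_GEMFILE).each do |name, r|
    puts "#{name}: interval allows #{r[:allowed].join(', ')}"
    puts "  #{r[:advisory]} affects #{r[:affected].join(', ')}"
  end
end
```

Run it directly and it reports that ~> 4.0.1 allows 4.0.1 through 4.0.5, of which 4.0.1, 4.0.2 and 4.0.3 are unpatched under the constructed advisory; tightening the Gemfile line to ~> 4.0.4 makes the report empty, which is the "update to a version range without potential vulnerabilities" step the post describes.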

This new functionality allows us to cover all Ruby projects in terms of CVE security notifications. Once we realized it, an idea for Hakiri Security Watch was born.

Security Watch

Security Watch is a new free tool based on Hakiri technologies that lets you quickly look at the most popular open source projects on GitHub to see if any of them have potential CVE or code vulnerabilities. Our goal with this project is to raise security awareness in the Ruby world.

Hakiri: Security Watch

Go ahead, give it a try and let us know what you think!