I’m extremely excited to announce new functionality in Hakiri today: version interval parsing from Gemfile and gemspec files, plus a security leaderboard for open source projects on GitHub.
Version intervals let Ruby developers declare loose, wildcard-style dependencies. Until today, Hakiri only supported the pinned gem versions found in a project’s Gemfile.lock, but now it can pick up any available dependency file. Say you have rails ~> 4.0.1 in your Gemfile. The pessimistic operator means Bundler may resolve any Rails version from 4.0.1 up to, but not including, 4.1.0. After you push this dependency to GitHub, Hakiri highlights every security warning that applies to a version in that range, prompting you to tighten the constraint to a range that contains no vulnerable releases.
Why should you scan version intervals? Developers often don’t realize that a loose constraint allows Bundler to install a vulnerable gem version, and a scan of the lock file alone will not catch it until that version is actually resolved. Hakiri notifies developers about such constraints up front.
This new functionality lets us cover all Ruby projects with CVE security notifications, whether or not they commit a Gemfile.lock. Once we realized that, the idea for Hakiri Security Watch was born.
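To make the version-interval idea concrete, here is an added example (my own illustration, not Hakiri’s code or database) that parses gem lines from a constructed Gemfile, expands each constraint against a constructed list of published versions using RubyGems’ own Gem::Requirement, and checks which resolvable versions fall inside a hypothetical advisory’s affected range. The Gemfile contents, the version list and the advisory EXAMPLE-0001 are all made up for this example; the helper names are mine. It also reports the lowest version inside the original range that the advisory does not cover, which is the floor you would raise the constraint to.

```ruby
require "rubygems"

# Constructed input (not a real project): a minimal Gemfile as a string.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails", "~> 4.0.1"
  gem "pg", ">= 0.17", "< 1.0", require: false
  gem "rake"
GEMFILE

# Constructed list of the Rails versions we pretend are published.
KNOWN_VERSIONS = { "rails" => %w[4.0.0 4.0.1 4.0.2 4.0.3 4.0.4 4.1.0 4.1.1] }.freeze

# Hypothetical advisory, constructed for this example (not a real CVE):
# "affected" and "patched" are lists of requirement strings, ANDed together.
ADVISORIES = [
  { gem: "rails", id: "EXAMPLE-0001",
    affected: ["~> 4.0.0", "< 4.0.3"], patched: [">= 4.0.3"] },
].freeze

GEM_LINE = /^\s*gem\s+["']([^"']+)["'](.*)$/

# Parse `gem "name", "req", ...` lines into { name => [requirement strings] }.
# Only quoted strings that look like version requirements are kept, so
# options such as require: false or path: "vendor/x" are ignored.
# A bare `gem "rake"` means any version, which RubyGems spells ">= 0".
def parse_gemfile(text)
  text.each_line.with_object({}) do |line, deps|
    next unless (m = GEM_LINE.match(line))
    name, rest = m[1], m[2]
    reqs = rest.scan(/["']([^"']+)["']/).flatten
               .select { |s| s.match?(/\A[<>=~!]*\s*\d/) }
    deps[name] = reqs.empty? ? [">= 0"] : reqs
  end
end

# Every published version a constraint can resolve to, in ascending order.
# Gem::Requirement implements the same semantics Bundler uses, so "~> 4.0.1"
# expands to >= 4.0.1 and < 4.1.
def satisfying_versions(reqs, versions)
  req = Gem::Requirement.new(*reqs)
  versions.map { |v| Gem::Version.new(v) }.select { |v| req.satisfied_by?(v) }.sort
end

# Resolvable versions hit by an advisory: inside its affected range and not patched.
def vulnerable_versions(name, reqs, versions = KNOWN_VERSIONS, advisories = ADVISORIES)
  satisfying_versions(reqs, versions.fetch(name, [])).select do |v|
    advisories.select { |a| a[:gem] == name }.any? do |a|
      Gem::Requirement.new(*a[:affected]).satisfied_by?(v) &&
        !Gem::Requirement.new(*a[:patched]).satisfied_by?(v)
    end
  end
end

# Scan a whole Gemfile: { name => [vulnerable version strings] }, listing only
# gems for which at least one resolvable version is covered by an advisory.
def scan_gemfile(text, versions = KNOWN_VERSIONS, advisories = ADVISORIES)
  parse_gemfile(text).each_with_object({}) do |(name, reqs), report|
    bad = vulnerable_versions(name, reqs, versions, advisories).map(&:to_s)
    report[name] = bad unless bad.empty?
  end
end

# Lowest version inside the original range that no advisory covers, or nil
# when the whole range is affected and the constraint must move past it.
def safe_floor(name, reqs, versions = KNOWN_VERSIONS, advisories = ADVISORIES)
  bad = vulnerable_versions(name, reqs, versions, advisories)
  satisfying_versions(reqs, versions.fetch(name, []))
    .reject { |v| bad.include?(v) }
    .min&.to_s
end

if __FILE__ == $PROGRAM_NAME
  deps = parse_gemfile(SAMPLE_GEMFILE)
  scan_gemfile(SAMPLE_GEMFILE).each do |name, bad|
    puts "#{name} #{deps[name].join(', ')}: resolvable vulnerable versions " \
         "#{bad.join(', ')}; lowest safe version in range: #{safe_floor(name, deps[name])}"
  end
end
```

Run as a script it reports that rails ~> 4.0.1 can still resolve to 4.0.1 and 4.0.2, both inside the constructed advisory, and that 4.0.3 is the lowest safe version in range; raising the constraint to ~> 4.0.3 keeps the same 4.0.x line while excluding the affected releases. The same functions work for any constraint a Gemfile can express, including multi-clause ones such as ">= 0.17", "< 1.0".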
Security Watch is a new free tool based on Hakiri technologies that lets you quickly look at the most popular open source projects on GitHub to see if any of them have potential CVE or code vulnerabilities. Our goal with this project is to raise security awareness in the Ruby world.
Go ahead, give it a try and let us know what you think!