Two Tests you should run on Project Ruby right now


I was lucky enough to attend the wonderful Brighton Ruby conference recently. It was full of great advice, wisdom and code, but one of the talks made me do something as soon as I got home to make sure my projects were safe and usable.

Andrew Nesbitt, drawing on the open data from libraries.io, told stories about the hidden costs of open-source software in Ruby. You can see his slides here. I’ll also link the video when it’s available.

COUNTING COSTS

Andrew’s talk teaches two things you should check in your projects as soon as possible: security risks and licensing problems.

SECURITY AUDITS

RubySec maintains the Ruby Advisory Database, a database of gems with known vulnerabilities. It currently holds 287 advisories covering 147 gems. If you are worried that your project may be compromised by a vulnerable gem, RubySec also publishes bundler-audit, a gem that checks your Gemfile.lock against that database.

To use bundler-audit you need to install it:

$ gem install bundler-audit

and run it in the project directory:

$ bundle-audit
No vulnerabilities found
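To show what a Gemfile.lock check of this kind actually does, here is an added example (my own illustration, not code from bundler-audit or from the post). It reads the pinned gems from a constructed Gemfile.lock fragment and compares them with constructed advisories written in the YAML layout used by the advisory database (the `gem`, `patched_versions` and `unaffected_versions` keys are assumed from the public repository; the gem names, versions and identifiers below are placeholders):

```ruby
require "yaml"
require "rubygems"

# Constructed Gemfile.lock fragment; not from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      examplegem (1.8.1)
      rake (12.0.0)
      thor (0.19.4)
LOCK

# Constructed advisories in the assumed database layout. In the real database
# each advisory is its own YAML file; identifiers here are placeholders.
SAMPLE_ADVISORIES = YAML.safe_load(<<~YAML)
  - gem: examplegem
    cve: XXXX-0000
    title: Placeholder advisory (constructed)
    patched_versions:
      - ">= 1.8.2"
  - gem: thor
    cve: XXXX-0001
    title: Placeholder advisory (constructed)
    unaffected_versions:
      - "< 0.18"
    patched_versions:
      - "~> 0.19.4"
YAML

# Collect "name (version)" entries under specs: as a name => version hash.
# Top-level gems sit at four spaces; their sub-dependencies sit deeper and are skipped.
def locked_gems(lock_text)
  lock_text.scan(/^\s{4}(\S+) \(([^)]+)\)$/).to_h
end

# An advisory applies when the locked version matches neither a patched
# nor an unaffected requirement.
def vulnerable?(version, advisory)
  v = Gem::Version.new(version)
  safe = Array(advisory["patched_versions"]) + Array(advisory["unaffected_versions"])
  safe.none? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Return [gem, version, identifier] for every advisory that applies to the lock file.
def audit(lock_text, advisories)
  gems = locked_gems(lock_text)
  advisories.select { |a| gems.key?(a["gem"]) && vulnerable?(gems[a["gem"]], a) }
            .map { |a| [a["gem"], gems[a["gem"]], a["cve"]] }
end

if __FILE__ == $PROGRAM_NAME
  findings = audit(SAMPLE_LOCK, SAMPLE_ADVISORIES)
  findings.each { |gem, version, id| puts "#{gem} #{version}: #{id}" }
  puts "No vulnerabilities found" if findings.empty?
end
```

Only examplegem is reported: thor 0.19.4 satisfies its patched requirement, and rake has no advisory at all.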

SECOND OPINION

If one security audit doesn’t allay your fears, you’re in luck. Admittedly this is not a Ruby tool and Andrew did not mention it in his talk, but Snyk tracks vulnerabilities in Ruby, JavaScript and Java projects using its own database.

Snyk offers a command-line tool you can use to check your applications. To use it you need to create an account and install Node.js and npm. Once you’ve gone through these steps you can check your projects:

# install
$ npm install -g snyk
# authenticate the client
$ snyk auth
# test the project in the current directory
$ snyk test
✓ Tested 23 dependencies for known vulnerabilities, no vulnerable paths found.

With security checked, it’s time for the licenses.

LICENCE AUDITS

Unlicensed code is copyrighted code that you cannot use.

It might not sound so bad until you know that 28% of Ruby gems are unlicensed. That’s over 37,000 gems. And in addition to the installed gems themselves, you will have to worry about their dependencies… and the dependencies of those dependencies… and so on.

Fortunately, there is a tool that helps here. license_finder is maintained by Pivotal and checks the licenses of your dependencies. It reports the license of every dependency; then you only have to decide whether each license fits your project. You can approve all dependencies or choose which licenses you accept. license_finder is also useful if you do not use Ruby, as it works with many other types of projects.

Install license_finder with RubyGems:

$ gem install license_finder

Then run it in the project directory. This is the result I got when running it on envyable:

$ license_finder
..............................................................................
Dependencies that need approval:
bundler, 1.12.5, MIT
codeclimate-test-reporter, 1.0.8, MIT
docile, 1.1.5, MIT
envyable, 1.2.0, MIT
minitest, 5.10.2, MIT
rake, 12.0.0, MIT
simplecov, 0.13.0, MIT
simplecov-html, 0.10.1, MIT
thor, 0.19.4, MIT

Then I whitelisted the MIT license and ran it again:

$ license_finder whitelist add MIT
$ license_finder
..............................................................................
All dependencies are approved for use

The licenses have been approved.

TEST EVERY TIME

A security flaw or an unlicensed project could expose you and your customers to problems.

Installing and running these tools does not take much time, but it can spare you a lot of trouble with your dependencies. It is also worth adding them to your CI configuration, although that takes a little longer.

If you want to learn more, watch the video of Andrew’s talk, check out the list of unlicensed libraries on libraries.io, or browse the data and see what you can find in our open-source ecosystem.

Original text: Two tests you should run against your Ruby project now [editor’s note]
