Ruby security alerts displayed on ruby-doc
A few weeks ago I read about some critical security issues that affected Rails. I’m not a Rails user and don’t really care for it (Ramaze rules), but it’s still of interest because often what’s claimed to be a problem with some specific application is in fact caused by something more fundamental, making it a problem for other Rubyists as well.
I learned of this issue from reading Hacker News, but that seems like a poor way to get security updates. I looked around for a better source. The main Ruby web site has a page for security issues, but it seems to be out of date. Some other efforts have sprung up to make security issues more readily available, but they all seem to require that people actively go look for the info.
Having to remember to go check for security issues is an unreliable way to stay informed. Better to have that information put in front of you as it occurs.
I run Ruby-doc.org, which serves up API documentation for multiple versions of Ruby and most (if not all) available gems, and it gets a fair amount of traffic. It occurred to me that it would be a really good place to display security alerts.
The National Vulnerability Database (NVD) search results page presents the data in well-formed HTML. This made it fairly easy (modulo some corner cases) to extract the specifics of current vulnerabilities, generate a short announcement blurb, and write it to a file that the site then renders as a banner.
I tried to do it in a way that is noticeable but not terribly in-your-face. Each alert is shown for 14 days after publication; I opted for that window as a balance between reaching a larger number of people while (I hope) not having a perpetual alert banner that people ignore.
That number of days was based on a guesstimate about how often new alerts come up. I may lower it, maybe to 10 or 7 days, to avoid alert fatigue if there are too many issues reported. Or alter the color of the banner based on the severity of the most recent alert, or color it using some aggregate severity based on what was found. Or skip listing low-severity alerts. I’ll have to see what kind of feedback I get.
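The pipeline sketched above, as an added example in plain Ruby. This is not Ruby-doc.org’s own code, and the table markup it parses is a constructed stand-in, not the real NVD page layout, so the regex would need to be adapted (or swapped for a real HTML parser) against the live site; the identifiers are placeholders, not real CVE numbers. It shows the three tunables discussed here: the display window in days, dropping alerts below a minimum severity, and picking a banner colour from the most severe current alert. Rows whose date does not parse are skipped rather than allowed to break the run, which is the kind of corner case a scraper has to tolerate.

```ruby
require "date"

# Constructed stand-in for a search-results page (NOT the real NVD markup):
# a small, well-formed table so the script runs offline. IDs are placeholders.
SAMPLE_HTML = <<~HTML
  <table id="results">
    <tr class="vuln"><td class="id">EXAMPLE-0001</td><td class="summary">Unsafe deserialization in a Ruby library</td><td class="severity">HIGH</td><td class="published">2013-01-28</td></tr>
    <tr class="vuln"><td class="id">EXAMPLE-0002</td><td class="summary">Denial of service in a Ruby web framework</td><td class="severity">MEDIUM</td><td class="published">2013-01-20</td></tr>
    <tr class="vuln"><td class="id">EXAMPLE-0003</td><td class="summary">Old issue, outside the display window</td><td class="severity">HIGH</td><td class="published">2012-12-01</td></tr>
    <tr class="vuln"><td class="id">EXAMPLE-0004</td><td class="summary">Row with a malformed date (skipped)</td><td class="severity">LOW</td><td class="published">not-a-date</td></tr>
    <tr class="vuln"><td class="id">EXAMPLE-0005</td><td class="summary">Minor information leak in a gem</td><td class="severity">LOW</td><td class="published">2013-01-31</td></tr>
  </table>
HTML

SEVERITY_RANK = { "LOW" => 1, "MEDIUM" => 2, "HIGH" => 3 }.freeze
BANNER_COLOR  = { "LOW" => "yellow", "MEDIUM" => "orange", "HIGH" => "red" }.freeze

# One row of the constructed table. Named groups keep the extraction readable.
ROW_RE = %r{
  <tr\s+class="vuln">\s*
    <td\s+class="id">(?<id>[^<]*)</td>\s*
    <td\s+class="summary">(?<summary>[^<]*)</td>\s*
    <td\s+class="severity">(?<severity>[^<]*)</td>\s*
    <td\s+class="published">(?<published>[^<]*)</td>\s*
  </tr>
}x

# Extract one hash per row; rows with an unparseable date are dropped.
def extract_vulns(html)
  html.scan(ROW_RE).map do |id, summary, severity, published|
    date = begin
      Date.strptime(published.strip, "%Y-%m-%d")
    rescue ArgumentError
      nil
    end
    next if date.nil?
    { id: id.strip, summary: summary.strip,
      severity: severity.strip.upcase, published: date }
  end.compact
end

# Alerts published within the last `window_days` (inclusive of `today`),
# at or above `min_severity`, most severe and most recent first.
def current_alerts(html, today:, window_days: 14, min_severity: "LOW")
  cutoff = today - window_days
  floor  = SEVERITY_RANK.fetch(min_severity)
  extract_vulns(html)
    .select { |v| v[:published] >= cutoff && v[:published] <= today }
    .select { |v| SEVERITY_RANK.fetch(v[:severity], 0) >= floor }
    .sort_by { |v| [-SEVERITY_RANK.fetch(v[:severity], 0), -v[:published].jd] }
end

# Banner colour follows the single most severe current alert; nil means no banner.
def banner_color(alerts)
  top = alerts.map { |v| SEVERITY_RANK.fetch(v[:severity], 0) }.max
  BANNER_COLOR[SEVERITY_RANK.key(top)]
end

# The short announcement text that gets written out for the site to include.
def alert_blurb(alerts, window_days: 14)
  return "" if alerts.empty?
  lines = alerts.map { |v| "#{v[:published]} [#{v[:severity]}] #{v[:id]}: #{v[:summary]}" }
  "Ruby security alerts (last #{window_days} days):\n" + lines.join("\n") + "\n"
end

# Write the blurb to `path`; returns the alerts so the caller can log or colour.
def write_alert_file(path, html, today: Date.today, window_days: 14, min_severity: "LOW")
  alerts = current_alerts(html, today: today, window_days: window_days, min_severity: min_severity)
  File.write(path, alert_blurb(alerts, window_days: window_days))
  alerts
end

if $PROGRAM_NAME == __FILE__
  alerts = current_alerts(SAMPLE_HTML, today: Date.new(2013, 2, 1))
  puts alert_blurb(alerts)
  puts "banner colour: #{banner_color(alerts) || 'none'}"
end
```

Shortening the window or raising `min_severity` to `"MEDIUM"` are the two alert-fatigue knobs; both are plain arguments so they can be changed without touching the scraper.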
The goal isn’t to reach everyone, but to reach enough people who will take notice and help spread the word when there are Ruby vulnerability issues.