Product
Eli Insua
Rakesh Chatrath
October 21, 2024
We're excited to announce that Socket’s support for Ruby is now in Beta! This marks another major milestone in our mission to provide comprehensive, enterprise-grade software composition analysis (SCA) across a wide range of programming languages.
Ruby has long been celebrated for its elegance and developer-friendly syntax, powering everything from simple scripts to complex web applications. As the vibrant open source Ruby ecosystem continues to expand, prioritizing the security of Ruby projects is critical for safeguarding collaborative development.
Our robust support for Ruby is now available to all Socket users, enabling you to add security scanning and zero-day supply chain attack prevention to your projects in just two clicks via our free Socket for GitHub app.
Whether you’re working with legacy apps, code inherited from other developers, or a brand new Rails project, Socket has you covered!
Ruby boasts a passionate and active community, driving innovation and fostering a rich ecosystem of libraries and frameworks. At the heart of Ruby’s success is Ruby on Rails, a powerful web framework that has revolutionized web development by promoting convention over configuration. The extensive collection of gems (Ruby libraries) available through RubyGems.org allows developers to rapidly build and scale applications with ease.
However, with the vast number of gems and dependencies, it's impossible to manually review all the code you incorporate, especially when managing multiple Rails applications.
Tools like Dependabot, Brakeman, and bundle-audit are useful, but they solve a different problem. Dependabot and bundle-audit match the versions pinned in your Gemfile.lock against advisory databases (GitHub's advisory database and ruby-advisory-db, respectively), so they can only flag vulnerabilities that have already been reported, and Brakeman statically analyzes your own Rails application code for insecure patterns. None of them inspect the code inside your dependencies, so a freshly published malicious gem version with no advisory against it (a zero-day supply chain attack) passes all three.
Socket scans your open source dependencies for vulnerable and malicious code: known CVEs, but also a whole host of supply chain risks such as typosquatting, protestware, telemetry, network access, file system access, and other indicators of gem hijacking or compromise. Our AI-powered threat analysis identifies malicious and suspicious behaviors in the code itself, enabling Socket to detect gems containing malware, mining software, and other harmful components that could compromise your applications.
Understanding the critical role that dependency management plays in Ruby projects, Socket’s new Ruby support focuses on scanning Gemfile.lock manifests. Here’s why:
While our Gemfile.lock-based scanning covers the majority of Ruby projects, we recognize that some applications have more intricate setups. For these advanced or highly customized projects, we recommend leveraging CycloneDX to generate a comprehensive software bill of materials (SBOM).
Here’s how you can integrate CycloneDX with Socket:
1. Generate a CycloneDX Manifest: Use CycloneDX tools to create a detailed manifest of your project's dependencies, including all direct and transitive gems, their versions, and associated metadata.
2. Submit the Manifest to Socket: Once you have your CycloneDX SBOM, you can send it directly to Socket for scanning. This ensures that even the most complex dependency structures are thoroughly analyzed for vulnerabilities and licensing issues.
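To make concrete what a Gemfile.lock-based scan sees and what a CycloneDX manifest of direct and transitive gems looks like, here is an added example that is not Socket's code and not the CycloneDX project's own Ruby tooling (the cyclonedx-ruby gem is the maintained way to generate a Ruby SBOM). It parses the sections Bundler writes into Gemfile.lock, emits a minimal CycloneDX 1.5 JSON document with purl-identified components and a dependency graph rooted at the application, and flags gems resolved from a git, path, or non-rubygems.org source, the kind of non-registry provenance worth a manual look in a hijacking investigation. The sample lockfile, the gem names, the git remote and revision, and the application name are constructed placeholders.

```ruby
require "json"

# Constructed sample Gemfile.lock so the script runs offline; the git remote,
# revision and gem names are placeholders, not real projects.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: https://github.com/example/widget.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      widget (0.3.0)
        rake (>= 12.0)

  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.0-x86_64-linux)
        racc (~> 1.4)
      racc (1.7.3)
      rake (13.1.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
    rake
    widget!

  BUNDLED WITH
     2.5.3
LOCK

TRUSTED_REMOTES = ["https://rubygems.org/"].freeze

Spec = Struct.new(:name, :version, :source, :deps)

# GEM/GIT/PATH blocks carry a remote (and, for GIT, a revision) followed by
# "specs:" with resolved gems at 4 spaces and their declared dependencies at
# 6 spaces; DEPENDENCIES lists the direct gems from the Gemfile (a trailing
# "!" marks a non-registry source). Returns [resolved specs, direct names].
def parse_gemfile_lock(text)
  specs, direct = [], []
  section, source, in_specs = nil, nil, false
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/                         # unindented line: new section
      section = line.strip
      source = { kind: section, remote: nil, revision: nil }
      in_specs = false
      next
    end
    case section
    when "GEM", "GIT", "PATH"
      if (m = line.match(/\A  remote: (.+)\z/))
        source[:remote] = m[1]
      elsif (m = line.match(/\A  revision: (.+)\z/))
        source[:revision] = m[1]
      elsif line == "  specs:"
        in_specs = true
      elsif in_specs && (m = line.match(/\A    (\S+) \((\S+)\)\z/))
        specs << Spec.new(m[1], m[2], source, [])
      elsif in_specs && (m = line.match(/\A      (\S+)/))
        specs.last.deps << m[1]               # dependency of the preceding spec
      end
    when "DEPENDENCIES"
      direct << line.strip.split(" ").first.delete_suffix("!")
    end
  end
  [specs, direct]
end

def purl_for(spec)
  "pkg:gem/#{spec.name}@#{spec.version}"
end

# Minimal CycloneDX 1.5 document: one library component per resolved gem (the
# purl doubles as bom-ref) and a dependency graph rooted at the application,
# so direct and transitive gems stay distinguishable for the consumer.
def to_cyclonedx(specs, direct, app_name: "my-rails-app")
  by_name = specs.group_by(&:name)
  refs = ->(names) { names.filter_map { |n| by_name[n]&.first }.map { |s| purl_for(s) } }
  components = specs.map do |s|
    comp = { "type" => "library", "bom-ref" => purl_for(s), "name" => s.name,
             "version" => s.version, "purl" => purl_for(s) }
    unless s.source[:kind] == "GEM"           # record where non-registry gems came from
      comp["externalReferences"] = [{ "type" => s.source[:kind] == "GIT" ? "vcs" : "distribution",
                                      "url" => s.source[:remote].to_s,
                                      "comment" => "#{s.source[:kind]} source, revision #{s.source[:revision]}" }]
    end
    comp
  end
  {
    "bomFormat" => "CycloneDX", "specVersion" => "1.5", "version" => 1,
    "metadata" => { "component" => { "type" => "application", "bom-ref" => "app", "name" => app_name } },
    "components" => components,
    "dependencies" => [{ "ref" => "app", "dependsOn" => refs.(direct) }] +
                      specs.map { |s| { "ref" => purl_for(s), "dependsOn" => refs.(s.deps) } }
  }
end

# Gems resolved from git/path or from an unexpected GEM remote bypass the
# registry's publishing controls; a review heuristic, not a verdict of compromise.
def non_registry_sources(specs, trusted = TRUSTED_REMOTES)
  specs.reject { |s| s.source[:kind] == "GEM" && trusted.include?(s.source[:remote]) }
       .map { |s| [s.name, s.source[:kind], s.source[:remote]] }
end

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  specs, direct = parse_gemfile_lock(text)
  puts JSON.pretty_generate(to_cyclonedx(specs, direct))
  non_registry_sources(specs).each { |name, kind, remote| warn "review: #{name} resolved from #{kind} #{remote}" }
end
```

Run it as `ruby sbom.rb path/to/Gemfile.lock` to see the JSON for a real project. The parser ignores `branch:`/`ref:` lines and the older multi-remote GEM blocks, and when the same gem name appears more than once (platform-specific variants) it links dependencies to the first occurrence; a production generator should carry every variant and the rubygems source checksums.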
By adopting CycloneDX for manifest generation, you maintain the flexibility to manage advanced project configurations while still benefiting from Socket’s comprehensive security scanning capabilities.
Although we’re just now opening up the Beta to all Socket users, we have customers who have been battle-testing our Ruby support for months. Check out our case study with Doctolib, a premier healthcare scheduling platform that serves 90 million customers and runs on TypeScript and Ruby on Rails.
Whether you’re working on a standard Ruby on Rails app or managing a complex, multi-faceted project, Socket is designed to meet the needs of enterprise organizations. With the recent addition of our state-of-the-art license scanner and license policy enforcement tools, our platform now provides comprehensive security and compliance solutions.
We're committed to expanding our language coverage further and plan to support all major languages within the next six months. Join the growing community of Ruby developers who trust Socket to protect their projects. Get started today with our free GitHub app and take your Ruby application's security to the next level!