A database of vulnerable Ruby Gems
AI Analysis
The Ruby Advisory Database is a community-maintained collection of security vulnerabilities affecting Ruby gems and Ruby implementations, organized in YAML format by gem name and CVE/GHSA identifiers. It serves security researchers, gem maintainers, and Ruby developers who need to audit their dependencies for known vulnerabilities, and integrates with tools like bundler-audit for automated scanning. This is a specialized security reference tool for the Ruby ecosystem, not a general-purpose li...
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
Community-maintained Ruby gem vulnerability database powering security scanning tools since 2013
ruby-advisory-db is a curated YAML-based database of security vulnerabilities affecting Ruby gems and Ruby implementations. It serves as the authoritative data source for bundler-audit and other security scanning tools. The project is maintained by the Ruby security community and tracks CVEs, GHSAs, and OSVDB identifiers. It is widely integrated into Ruby development workflows, particularly in CI/CD pipelines for dependency vulnerability scanning.
Created in February 2013 as a community-driven response to the lack of centralized Ruby security vulnerability tracking. It predates many ecosystem-level advisory databases and has evolved from a simple listing into a structured, standardized YAML schema used by security tools across the Ruby ecosystem.
The project shows steady, modest growth typical of foundational infrastructure. Gaining 1 star in the last 7 days reflects maturity rather than decline—this is a utility database, not a feature-driven application. The database likely grows through regular CVE disclosures and community contributions rather than explosive adoption cycles. Real adoption is measured by integration depth, not star velocity.
Adoption appears well-established but adoption not explicitly quantified in available materials. bundler-audit (2,754 stars, tightly coupled to this database) is the primary integration mechanism and is a widely-used Ruby security tool. Integration into GitHub's own advisory database (and equivalents) suggests institutional recognition. However, direct evidence of how many production Ruby teams use this database for scanning is not provided; adoption is inferred from tooling ecosystem integration.
Appears to be a flat-file database with structured YAML format organized by gem name and Ruby implementation. Based on README, each vulnerability is a standalone YAML file named by CVE/GHSA identifier, stored in gem-specific or ruby-implementation-specific directories. The schema supports multiple advisory reference systems (CVE, GHSA, OSVDB) and structured patched/unaffected version ranges. Likely uses simple file system traversal for queries, with external tools (bundler-audit) implementing the matching logic.
Not documented in README. No mention of test suites, validation frameworks, or automated schema verification visible in provided materials. The README does reference external data improvement processes, suggesting some quality gate exists, but testing infrastructure is not transparent.
Last push on 2026-07-07 (current date) indicates active maintenance. The project has 241 forks, suggesting community engagement. However, without access to issue resolution times, PR review velocity, or commit frequency patterns, only the recency of the last push can be confirmed as current. Relative to 2026, the project is maintained but likely not experiencing rapid iteration—consistent with a stable reference database.
ADOPT IF: You are a Ruby security tool maintainer, your team scans dependencies in CI/CD, or you need authoritative Ruby gem vulnerability data for custom tooling. The database is well-structured, actively maintained, and integrates cleanly with bundler-audit and other standard Ruby security workflows. AVOID IF: You need general advisory data covering multiple languages (use GitHub's advisory database) or do not perform security scanning. MONITOR IF: You rely on community contributions for vulnerability data coverage—check if new CVEs are added promptly and assess whether the specific gems your team uses are well-represented.
Independent dimensions
Mainstream potential
4/10
Technical importance
7/10
Adoption evidence
7/10
- Community-maintained data source: vulnerability coverage depends on community submissions and volunteer effort; gaps or delayed entries for less-popular gems are possible but not quantified here.
- No automated schema validation documented: YAML format is human-edited; risk of malformed entries or inconsistent version range syntax exists, though GitHub's integration suggests some validation is in place.
- Dependency on tooling ecosystem: the database's value is realized through bundler-audit and similar tools; if those tools diverge or are abandoned, adoption friction increases.
- CVE/GHSA publication lag: advisory data reflects public disclosures; 0-day or embargoed vulnerabilities are not present by design, which is appropriate but limits real-time threat detection.
- No SLA or guaranteed response time: as a volunteer project, there is no contractual guarantee of rapid data updates or support, though the current maintenance status suggests active stewardship.
ruby-advisory-db will remain a stable, incrementally-updated reference database for the Ruby community. Growth in stars will continue to be modest because the project is mature and foundational—tools that consume it grow faster than the database itself. Integration with GitHub's advisory system may eventually reduce the need for a separate Ruby database, or the two may continue as complementary resources. Maintainer burnout is a long-term risk for all volunteer-driven projects of this type.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Website
- https://rubysec.com
- Language
- Ruby
- License
- NOASSERTION
- Last updated
- 2d ago
- Created
- 163mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
Advisory Creation WORKFLOW Loose-Ends
OSVDB in license
Shared vulnerability format for vulnerabilities
Add advisory for intercom-rails
"encryptor" gem v2.0.0: AES-GCM nonce reuse vulnerability
Open pull requests
Top contributors
Recent releases
No releases published yet.
Similar repos
github/advisory-database
The GitHub Advisory Database is a free, open-source repository of security...
rubysec/bundler-audit
bundler-audit is a specialized security tool for Ruby projects that performs...
FriendsOfPHP/security-advisories
A centralized database of known security vulnerabilities in PHP packages and...
Roave/SecurityAdvisories
Roave Security Advisories is a Composer package that prevents installation of...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
1.1k | +1 | Ruby | 8/10 | 2d ago |
|
|
2.4k | — | — | 8/10 | 7h ago |
|
|
2.8k | — | Ruby | 8/10 | 3d ago |
|
|
2.1k | — | PHP | 8/10 | 2w ago |
|
|
2.9k | — | — | 8/10 | 16h ago |
|
|
1.9k | — | Rust | 8/10 | 2d ago |
Broader, language-agnostic advisory database (2,357 stars). Covers Ruby but not Ruby-specific. ruby-advisory-db predates GitHub's centralized effort and remains more specialized for Ruby; complementary rather than directly competing.
Sibling project (2,754 stars) that consumes ruby-advisory-db as its data source. bundler-audit is the CLI tool; this repository is the database. Not a competitor—a dependency relationship.
Equivalent concept for PHP (2,131 stars). Both are language-community-maintained advisory databases using similar YAML-driven structures. Similar maturity and scope; neither competes with the other.
Another PHP advisory database (2,908 stars). Demonstrates that language-specific advisory databases are a proven, lasting model rather than a gap filled by centralized systems.