rubysec

rubysec/ruby-advisory-db

Ruby No license Security License not recognized by GitHub

A database of vulnerable Ruby Gems

1.1k stars
241 forks
active
GitHub +1 / week

1.1k

Stars

241

Forks

11

Open issues

30

Contributors

AI Analysis

The Ruby Advisory Database is a community-maintained collection of security vulnerabilities affecting Ruby gems and Ruby implementations, organized in YAML format by gem name and CVE/GHSA identifiers. It serves security researchers, gem maintainers, and Ruby developers who need to audit their dependencies for known vulnerabilities, and integrates with tools like bundler-audit for automated scanning. This is a specialized security reference tool for the Ruby ecosystem, not a general-purpose li...

Security Security Tool Discovery value: 4/10
Documentation 8/10
Activity 9/10
Community 8/10
Code quality 5/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 8/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

security-advisory vulnerability-database ruby-ecosystem cve-tracking dependency-audit
Actively maintained Well documented Niche/specialized use case Community favorite Production ready
Deep Analysis · Based on README and public signals
3d ago

Community-maintained Ruby gem vulnerability database powering security scanning tools since 2013

ruby-advisory-db is a curated YAML-based database of security vulnerabilities affecting Ruby gems and Ruby implementations. It serves as the authoritative data source for bundler-audit and other security scanning tools. The project is maintained by the Ruby security community and tracks CVEs, GHSAs, and OSVDB identifiers. It is widely integrated into Ruby development workflows, particularly in CI/CD pipelines for dependency vulnerability scanning.

Origin

Created in February 2013 as a community-driven response to the lack of centralized Ruby security vulnerability tracking. It predates many ecosystem-level advisory databases and has evolved from a simple listing into a structured, standardized YAML schema used by security tools across the Ruby ecosystem.

Growth

The project shows steady, modest growth typical of foundational infrastructure. Gaining 1 star in the last 7 days reflects maturity rather than decline—this is a utility database, not a feature-driven application. The database likely grows through regular CVE disclosures and community contributions rather than explosive adoption cycles. Real adoption is measured by integration depth, not star velocity.

In production

Adoption appears well-established but adoption not explicitly quantified in available materials. bundler-audit (2,754 stars, tightly coupled to this database) is the primary integration mechanism and is a widely-used Ruby security tool. Integration into GitHub's own advisory database (and equivalents) suggests institutional recognition. However, direct evidence of how many production Ruby teams use this database for scanning is not provided; adoption is inferred from tooling ecosystem integration.

Code analysis
Architecture

Appears to be a flat-file database with structured YAML format organized by gem name and Ruby implementation. Based on README, each vulnerability is a standalone YAML file named by CVE/GHSA identifier, stored in gem-specific or ruby-implementation-specific directories. The schema supports multiple advisory reference systems (CVE, GHSA, OSVDB) and structured patched/unaffected version ranges. Likely uses simple file system traversal for queries, with external tools (bundler-audit) implementing the matching logic.

Tests

Not documented in README. No mention of test suites, validation frameworks, or automated schema verification visible in provided materials. The README does reference external data improvement processes, suggesting some quality gate exists, but testing infrastructure is not transparent.

Maintenance

Last push on 2026-07-07 (current date) indicates active maintenance. The project has 241 forks, suggesting community engagement. However, without access to issue resolution times, PR review velocity, or commit frequency patterns, only the recency of the last push can be confirmed as current. Relative to 2026, the project is maintained but likely not experiencing rapid iteration—consistent with a stable reference database.

Honest verdict

ADOPT IF: You are a Ruby security tool maintainer, your team scans dependencies in CI/CD, or you need authoritative Ruby gem vulnerability data for custom tooling. The database is well-structured, actively maintained, and integrates cleanly with bundler-audit and other standard Ruby security workflows. AVOID IF: You need general advisory data covering multiple languages (use GitHub's advisory database) or do not perform security scanning. MONITOR IF: You rely on community contributions for vulnerability data coverage—check if new CVEs are added promptly and assess whether the specific gems your team uses are well-represented.

Independent dimensions

Mainstream potential

4/10

Technical importance

7/10

Adoption evidence

7/10

Risks
  • Community-maintained data source: vulnerability coverage depends on community submissions and volunteer effort; gaps or delayed entries for less-popular gems are possible but not quantified here.
  • No automated schema validation documented: YAML format is human-edited; risk of malformed entries or inconsistent version range syntax exists, though GitHub's integration suggests some validation is in place.
  • Dependency on tooling ecosystem: the database's value is realized through bundler-audit and similar tools; if those tools diverge or are abandoned, adoption friction increases.
  • CVE/GHSA publication lag: advisory data reflects public disclosures; 0-day or embargoed vulnerabilities are not present by design, which is appropriate but limits real-time threat detection.
  • No SLA or guaranteed response time: as a volunteer project, there is no contractual guarantee of rapid data updates or support, though the current maintenance status suggests active stewardship.
Prediction

ruby-advisory-db will remain a stable, incrementally-updated reference database for the Ruby community. Growth in stars will continue to be modest because the project is mature and foundational—tools that consume it grow faster than the database itself. Integration with GitHub's advisory system may eventually reduce the need for a separate Ruby database, or the two may continue as complementary resources. Maintainer burnout is a long-term risk for all volunteer-driven projects of this type.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

Ruby
91.9%
Shell
7.7%
Python
0.4%

Information

Language
Ruby
License
NOASSERTION
Last updated
2d ago
Created
163mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Recent releases

No releases published yet.

Similar repos

github

github/advisory-database

The GitHub Advisory Database is a free, open-source repository of security...

rubysec

rubysec/bundler-audit

bundler-audit is a specialized security tool for Ruby projects that performs...

2.8k Ruby Security
FriendsOfPHP

FriendsOfPHP/security-advisories

A centralized database of known security vulnerabilities in PHP packages and...

2.1k PHP Security
Roave

Roave/SecurityAdvisories

Roave Security Advisories is a Composer package that prevents installation of...

rustsec

rustsec/rustsec

RustSec is a Rust ecosystem security tooling and advisory database project that...

1.9k Rust Security
vs. alternatives
github/advisory-database

Broader, language-agnostic advisory database (2,357 stars). Covers Ruby but not Ruby-specific. ruby-advisory-db predates GitHub's centralized effort and remains more specialized for Ruby; complementary rather than directly competing.

rubysec/bundler-audit

Sibling project (2,754 stars) that consumes ruby-advisory-db as its data source. bundler-audit is the CLI tool; this repository is the database. Not a competitor—a dependency relationship.

FriendsOfPHP/security-advisories

Equivalent concept for PHP (2,131 stars). Both are language-community-maintained advisory databases using similar YAML-driven structures. Similar maturity and scope; neither competes with the other.

Roave/SecurityAdvisories

Another PHP advisory database (2,908 stars). Demonstrates that language-specific advisory databases are a proven, lasting model rather than a gap filled by centralized systems.