Security alerts go free
Until recently, a paid subscription was required to access the details of a security alert on Gemnasium.com. Today we’ve got good news for all free Gemnasium users: you can see the security alerts without paying a dime. Alerts management also went free. Not familiar with this feature? Let’s recap.
When your project turns red
We at Gemnasium are constantly looking for new package advisories that may impact the dependencies of your projects. We review many different feeds, ranging from broad feeds like Open Source security mailing lists to specific feeds like nodesecurity.io and ruby-advisory-db. Whenever we publish a new package advisory on Gemnasium.com, all the projects that depend on the affected versions turn red.
As soon as one of your projects gets affected, you start receiving an “open alert reminder” every day. Yes, we really insist on open alerts. You’ll receive these emails for no more than 8 days though, even if one of your projects still has a red badge.

The emails we send contain links so that you can easily review and manage your open alerts.
This is just a shortcut; you can access the same page by visiting your project on Gemnasium.com.
Manage your alerts
Your project has a security alert because a package it depends on is affected? The common solution is to upgrade the dependency: most of the time, the latest version of the dependency fixes the security issue, and upgrading the dependency makes your project “green” again (or “yellow” depending on its original state).
Nevertheless, getting rid of a security alert is not always as simple as upgrading a dependency. Sometimes there’s no security fix available when the security alert is published. Or sometimes a fix is available as a patch but it’s not released as a new version of the package. Last but not least, your project may be incompatible with the latest version of the package - the one that fixes the issue. From here, there’s no other choice than digging in and reading more about the alert, and Gemnasium helps you by giving summarized information.

After reviewing a vulnerability your project is reportedly affected by, you may consider that the security alert does not apply to your project. This is typically the case when your project doesn’t satisfy the conditions under which the attack can be conducted. In this case you simply close the alert. Your project won’t have a red badge anymore, unless some other alert is still open. And of course you won’t be notified about the alert anymore. You’re back to normal.
A similar scenario is when you work around the vulnerability by following the instructions given in the package advisory. When this is done, your project is not vulnerable anymore and you can close the alert. Back to normal.
In some rare cases, you may decide that a security alert is not a significant threat even if it does apply. Or maybe you plan to fix it but not anytime soon. In any case, you think that this alert is relevant but don’t want to be notified about it, so you acknowledge the alert. In other words, “acknowledge” is a way to say: “I know, you’re right, but please be quiet”. Please note that an acknowledged alert is still open, resulting in a red badge.
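As an added illustration of the alert lifecycle described above (example code written for this post, not Gemnasium’s own), here is a small Ruby model: advisories carry patched-version requirement strings in the ruby-advisory-db style, projects are scanned against their pinned dependencies, and each resulting alert can be closed, acknowledged, or resolved by upgrading the dependency. The package names, advisory ids and versions are constructed; the yellow (outdated but not vulnerable) badge state is not modeled.

```ruby
# Added example (not Gemnasium's code): a minimal model of how a dependency
# scanner turns package advisories into per-project alerts and a badge.
# Advisory "patched_versions" follow the ruby-advisory-db convention of
# RubyGems requirement strings; every name and version below is constructed.

require 'rubygems'

# One advisory: affected package plus the requirement strings that describe
# patched (safe) versions.
Advisory = Struct.new(:id, :package, :patched_versions)

# Affected when the installed version satisfies none of the patched ranges.
def affected?(advisory, installed_version)
  version = Gem::Version.new(installed_version)
  advisory.patched_versions.none? do |req|
    Gem::Requirement.new(req).satisfied_by?(version)
  end
end

class Project
  attr_reader :name, :alerts

  # dependencies: { package name => installed version string }
  def initialize(name, dependencies)
    @name = name
    @dependencies = dependencies
    @alerts = {} # advisory id => :open | :acknowledged | :closed
  end

  # Match every advisory against the pinned dependencies; new hits become
  # open alerts, while alerts that were already closed stay closed.
  def scan(advisories)
    advisories.each do |adv|
      installed = @dependencies[adv.package]
      next unless installed && affected?(adv, installed)
      @alerts[adv.id] ||= :open
    end
    self
  end

  # Close: the alert does not apply, or the issue was worked around.
  def close(advisory_id)
    @alerts[advisory_id] = :closed
  end

  # Acknowledge: relevant but silenced. The alert stays open, so the badge stays red.
  def acknowledge(advisory_id)
    @alerts[advisory_id] = :acknowledged
  end

  # Upgrade a dependency; alerts whose advisory no longer matches are closed.
  def upgrade(package, new_version, advisories)
    @dependencies[package] = new_version
    advisories.select { |a| a.package == package }.each do |adv|
      @alerts[adv.id] = :closed unless affected?(adv, new_version)
    end
  end

  # Red as long as any alert is not closed (acknowledged alerts count as open).
  def badge
    @alerts.values.any? { |state| state != :closed } ? :red : :green
  end

  # Alerts that would still trigger an "open alert reminder" email.
  def notifiable_alerts
    @alerts.select { |_, state| state == :open }.keys
  end
end

if __FILE__ == $PROGRAM_NAME
  advisories = [
    Advisory.new('ADV-0001', 'example-http', ['>= 1.6.2', '~> 1.5.4']),
    Advisory.new('ADV-0002', 'example-xml', ['>= 2.3.0'])
  ]
  project = Project.new('demo', { 'example-http' => '1.6.0', 'example-xml' => '2.3.0' })
  project.scan(advisories)
  puts "badge: #{project.badge}, alerts: #{project.alerts.inspect}"
  project.acknowledge('ADV-0001')
  puts "after acknowledge: badge #{project.badge}, reminders for #{project.notifiable_alerts.inspect}"
  project.upgrade('example-http', '1.6.2', advisories)
  puts "after upgrade: badge #{project.badge}"
end
```

The matcher relies on Gem::Requirement so that pessimistic constraints such as `~> 1.5.4` (safe in the 1.5.x line) and lower bounds such as `>= 1.6.2` are evaluated the way RubyGems itself would, which is what makes a "fixed in a backport release" advisory resolvable without forcing a major upgrade.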
Manage your notifications
You can disable the notifications altogether by visiting the user settings on Gemnasium.com. Gemnasium will stop sending emails about newly published versions and about security alerts as well.
You can also administer your projects and disable the notifications for one given project. But today these settings do not apply to open alerts: if notifications are enabled in your user settings, then you get notifications for all your projects, no matter what your project settings are. We decided to behave that way a long time ago, to make sure that you don’t miss any alert. But we have changed our mind, based on user feedback.

Starting from May 15th, project settings will also apply to security-related notifications. No more “open alerts” email when notifications are turned off for the affected project.