DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
Ruby

Ruby

Made by DeepSource
Use Analyzer

Using insecure network protocol source RB-S1000

Security
Major
 Autofix a02 cwe-319 owasp top 10

Passing symbol arguments to source (e.g. source :rubygems) is deprecated because they default to using HTTP requests. Instead, specify 'https://rubygems.org' if possible, or 'http://rubygems.org' if not.

Symbol arguments will be replaced with 'https://rubygems.org' when performing Autofix.

Existing sources that use http:// will not be replaced. This may be necessary where HTTPS is not available. For example, where using an internal gem server via an intranet, or where HTTPS is prohibited. However, you should strongly prefer https:// where possible, as it is more secure.

If you do not wish to switch from http:// in any case, consider setting AllowHttpProtocol to false in your .rubocop.yml. This option is true by default for safe autocorrection.

Bad practice

source :gemcutter
source :rubygems
source :rubyforge

Recommended

source 'https://rubygems.org'

References

  1. OWASP A02:2021: Cryptographic Failures
  2. CWE-319: Cleartext Transmission of Sensitive Information