
Ability to define the Gemfile via BUNDLE_GEMFILE #200

Open
wants to merge 2 commits into
base: master

Conversation

@gurix commented Nov 2, 2018

When using bundler, a common strategy to handle different Gemfiles for a project is to use the environment variable BUNDLE_GEMFILE. Bundle audit does not support setting a specific Gemfile. This pull request adds this ability.

Example:

markus@markuss-mbp ~/workspace/bundler-audit (master) $ BUNDLE_GEMFILE=../helena/gemfiles/rails_4.2.gemfile bin/bundle-audit 
No vulnerabilities found
markus@markuss-mbp ~/workspace/bundler-audit (master) $ BUNDLE_GEMFILE=../helena/gemfiles/rails_5.1.gemfile bin/bundle-audit 
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: https://github.com/flavorjones/loofah/issues/154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: https://github.com/rubyzip/rubyzip/issues/369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2

Vulnerabilities found!

@postmodern (Member)

Tagging this for the 0.9.0 milestone. Currently preparing to merge/release 0.8.0, so consider rebasing after 0.8.0 has been released.

@postmodern (Member)

bundler-audit 0.8.0 added support for a --gemfile-lock option for specifying a custom lock file to scan. Would this feature be more useful for automatically inferring the default lock file to scan?

@postmodern postmodern removed this from the 0.9.0 milestone Aug 31, 2021
@postmodern (Member)

Going to push this off until 0.10.0.

@pboling commented Sep 6, 2024

Never mind, I just needed to add --update locally.

Does the --gemfile-lock option still work?

I have a lockfile with nokogiri at ~> 1.15.0 which can't update past the recent security alert here: GHSA-r95h-9x8f-r3f7

Bundle audit normally works when this scenario is reproduced inside my main Gemfile, without using any flags.

But, if I try to specify a different gemfile.lock:

❯ export BUNDLE_GEMFILE=gemfiles/rails_7_2.gemfile

❯ echo $BUNDLE_GEMFILE
gemfiles/rails_7_2.gemfile

❯ cat $BUNDLE_GEMFILE
source "https://rubygems.org"

gem "nokogiri", "~> 1.15.0"

❯ bundle install --gemfile $BUNDLE_GEMFILE
Fetching gem metadata from https://rubygems.org/...........
Resolving dependencies...
Bundle complete! 1 Gemfile dependency, 4 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.

❯ bundle-audit --gemfile-lock $BUNDLE_GEMFILE
No vulnerabilities found

❯ cat $BUNDLE_GEMFILE.lock
GEM
  remote: https://rubygems.org/
  specs:
    mini_portile2 (2.8.7)
    nokogiri (1.15.6)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    racc (1.8.1)

PLATFORMS
  aarch64-linux
  aarch64-linux-gnu
  aarch64-linux-musl
  arm-linux
  arm-linux-gnu
  arm-linux-musl
  arm64-darwin
  x86-linux
  x86-linux-gnu
  x86-linux-musl
  x86_64-darwin
  x86_64-linux
  x86_64-linux-gnu
  x86_64-linux-musl

DEPENDENCIES
  nokogiri (~> 1.15.0)

BUNDLED WITH
   2.5.18

It is not reading my specified lockfile.
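As an added example (not bundler-audit's own code and not from either commenter), the lockfile resolution the PR description asks for, combined with a minimal parser for the `specs:` block of the lock format shown in the last comment and a version check against an advisory table. The names resolve_lockfile, parse_lock_specs, audit, ADVISORIES and SAMPLE_LOCK are assumptions of this example; the advisory table is constructed from two advisories quoted in the PR description, and the lock text is constructed, not a real project's lock.

```ruby
# Resolve the lockfile as bundler does: BUNDLE_GEMFILE names the Gemfile and
# its lock is that path plus ".lock"; with the variable unset, ./Gemfile.lock.
def resolve_lockfile(env = ENV, dir = Dir.pwd)
  gemfile = env['BUNDLE_GEMFILE'].to_s
  return File.join(dir, 'Gemfile.lock') if gemfile.empty?
  File.expand_path("#{gemfile}.lock", dir)
end

# Parse the `specs:` block of a Gemfile.lock into {name => Gem::Version}.
# Top-level specs sit at exactly four spaces; deeper lines are a spec's own
# dependencies and are skipped; a non-indented line ends the block.
def parse_lock_specs(lock_text)
  specs, in_specs = {}, false
  lock_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
    elsif line !~ /\A[ \t]/
      in_specs = false
    elsif in_specs && line =~ /\A {4}(\S+) \(([^)]+)\)/
      specs[$1] = Gem::Version.new($2)
    end
  end
  specs
end

# Constructed advisory table (two advisories quoted in the PR description);
# a spec is affected when its version is below the patched version.
ADVISORIES = {
  'nokogiri' => ['CVE-2018-14404',   '1.8.5'],
  'rubyzip'  => ['CVE-2018-1000544', '1.2.2']
}.freeze

def audit(specs, advisories = ADVISORIES)
  specs.each_with_object([]) do |(name, version), findings|
    id, patched = advisories[name]
    next if id.nil? || version >= Gem::Version.new(patched)
    findings << { name: name, version: version.to_s, advisory: id, solution: ">= #{patched}" }
  end
end

# Constructed lock text in the shape of the `cat $BUNDLE_GEMFILE.lock` output
# above, but pinned to the vulnerable nokogiri release from the PR's example.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      mini_portile2 (2.8.7)
      nokogiri (1.8.4)
        mini_portile2 (~> 2.8.2)
  PLATFORMS
LOCK
```

Running `audit(parse_lock_specs(File.read(resolve_lockfile)))` ties the three pieces together; with BUNDLE_GEMFILE=gemfiles/rails_7_2.gemfile it reads gemfiles/rails_7_2.gemfile.lock rather than the Gemfile itself.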
