Dependency-scanning bundler-audit analyzer does not support ruby bundler 2
Summary
Dependency-scanning bundler-audit analyzer does not support Ruby bundler 2. This is the version people get when they run gem install bundler.
Steps to reproduce
- Change the last lines of any Gemfile.lock of a project that is scanned by dependency-scanning to read
BUNDLED WITH
2.0.1
- The CI step using the dependency-scanning docker image will fail with a message similar to this:
Found project in /tmp/app
/usr/local/lib/ruby/gems/2.5.0/gems/bundler-1.17.3/lib/bundler/lockfile_parser.rb:108:in `warn_for_outdated_bundler_version': You must use Bundler 2 or greater with this lockfile. (Bundler::LockfileError)
from /usr/local/lib/ruby/gems/2.5.0/gems/bundler-1.17.3/lib/bundler/lockfile_parser.rb:95:in `initialize'
from /usr/local/bundle/gems/bundler-audit-0.6.0/lib/bundler/audit/scanner.rb:42:in `new'
from /usr/local/bundle/gems/bundler-audit-0.6.0/lib/bundler/audit/scanner.rb:42:in `initialize'
from /usr/local/bundle/gems/bundler-audit-0.6.0/lib/bundler/audit/cli.rb:41:in `new'
from /usr/local/bundle/gems/bundler-audit-0.6.0/lib/bundler/audit/cli.rb:41:in `check'
from /usr/local/bundle/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
from /usr/local/bundle/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
from /usr/local/bundle/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'
from /usr/local/bundle/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'
from /usr/local/bundle/gems/bundler-audit-0.6.0/bin/bundle-audit:10:in `<top (required)>'
from /usr/local/bundle/gems/bundler-audit-0.6.0/bin/bundler-audit:3:in `load'
from /usr/local/bundle/gems/bundler-audit-0.6.0/bin/bundler-audit:3:in `<top (required)>'
from /usr/local/bundle/bin/bundler-audit:23:in `load'
from /usr/local/bundle/bin/bundler-audit:23:in `<main>'
2019/02/15 14:01:55 exit status 1
2019/02/15 14:01:55 Container exited with non zero status code
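As an added example (not code from the issue or from the analyzer), a small Ruby pre-flight check that reads the BUNDLED WITH section of a Gemfile.lock and reports whether the Bundler shipped in the analyzer image can parse it, so a CI job can fail with a clear message instead of the traceback above. The rule it mirrors (major version of the lockfile above the running Bundler's is a hard error, same major but newer version is only a warning) is assumed from bundler 1.17.3's lockfile parser; the sample lockfile tail and the helper names are constructed.

```ruby
require "rubygems" # for Gem::Version

# Constructed sample: the tail of a Gemfile.lock written by Bundler 2.0.1,
# as in the reproduction steps above.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (12.3.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake

  BUNDLED WITH
     2.0.1
LOCK

# Return the version recorded under "BUNDLED WITH", or nil when the section
# is absent or unparsable (Bundler skips the version check in that case).
def bundled_with_version(lockfile_text)
  lines = lockfile_text.lines.map(&:strip)
  idx = lines.index("BUNDLED WITH")
  return nil unless idx && lines[idx + 1] && !lines[idx + 1].empty?
  Gem::Version.new(lines[idx + 1])
rescue ArgumentError
  nil # malformed version string
end

# Classify a lockfile against the Bundler version that will parse it.
# Assumption: same rule as bundler 1.17.3's warn_for_outdated_bundler_version:
#   :error -> lockfile major > running major (raises Bundler::LockfileError)
#   :warn  -> same major, lockfile newer than the running Bundler
#   :ok    -> everything else, including no BUNDLED WITH section
def lockfile_compatibility(lockfile_text, running_bundler_version)
  locked = bundled_with_version(lockfile_text)
  return :ok unless locked
  current = Gem::Version.new(running_bundler_version)
  case current.segments.first <=> locked.segments.first
  when -1 then :error
  when 0 then current < locked ? :warn : :ok
  else :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  # Bundler 1.17.3 (the analyzer image) against a Bundler 2.0.1 lockfile
  p lockfile_compatibility(SAMPLE_LOCKFILE, "1.17.3") # => :error
end
```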
Possible fixes
A one-character version change in the bundler-audit analyzer: gitlab-org/security-products/analyzers/bundler-audit!4 (closed)