bundler-audit analyzer may be working with outdated data
Summary
The bundler-audit gem relies on ruby-advisory-db to provide it with the latest advisories for Ruby dependencies.
The bundler-audit analyzer refreshes the advisory database both at image build time and at scan time. Because of the way the scan-time refresh is implemented, the database is not actually updated at scan time, so the advisories a scan uses are only as fresh as the last build of the analyzer image.
Steps to reproduce
You can reproduce this with steps similar to those in #294296 (closed).
What is the current bug behavior?
The ruby advisory db is not updated at scan time.
What is the expected correct behavior?
The ruby advisory db should be updated at scan time.
Possible fixes
Apply the same fix as in #294296 (closed): check out the specified git ref and then do a hard reset.
Implementation plan
- change bundler-audit to refresh the database the way gemnasium does: git fetch, git pull if possible, and git reset --hard (gitlab-org/security-products/analyzers/bundler-audit!70 (merged))
- add missing tests (gitlab-org/security-products/tests/ruby-bundler!1263 (merged))
- publish blog post
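The refresh sequence from the possible fix and the implementation plan above, as an added example that is not the analyzer's own code: a POSIX shell script that simulates a ruby-advisory-db clone baked into an image, lets an advisory land upstream after the build, shows that the clone is stale at scan time, and then brings it to the remote tip with fetch, fast-forward pull and hard reset. The repository layout, advisory file names and function names are constructed for the demonstration; how the real analyzer invokes git is not shown on this page.

```shell
#!/bin/sh
# Added example, not bundler-audit's own code: refresh a local clone of
# ruby-advisory-db at scan time and check that it really is at the remote tip.
set -eu

# Commit helper with a fixed identity so the demo runs in a bare container.
_commit() {
  git -C "$1" add -A
  git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
    commit --quiet -m "$2"
}

# Return 0 when the clone in $1 is at the same commit as branch $2 on origin.
# ls-remote asks the remote directly, so this also catches the case where
# origin/<branch> itself is stale because nothing was ever fetched.
advisory_db_is_current() {
  remote_tip=$(git -C "$1" ls-remote --quiet origin "refs/heads/$2" | cut -f1)
  [ -n "$remote_tip" ] && [ "$(git -C "$1" rev-parse HEAD)" = "$remote_tip" ]
}

# The sequence from the implementation plan: fetch, fast-forward pull if that
# is possible, and in any case hard-reset to the fetched remote tip. The reset
# is what guarantees a fresh db even when the pull cannot fast-forward
# (detached HEAD from a build-time checkout of a fixed ref, local changes, ...).
refresh_advisory_db() {
  git -C "$1" fetch --quiet origin
  git -C "$1" pull --quiet --ff-only origin "$2" || true
  git -C "$1" reset --quiet --hard "origin/$2"
}

# Simulate the bug: clone at image build time, an advisory lands upstream
# later, then a scan runs. Prints "<state before refresh> <state after refresh>".
simulate_stale_scan() {
  tmp=$(mktemp -d)
  origin="$tmp/ruby-advisory-db"   # stands in for the upstream repository
  clone="$tmp/vendored-db"         # the copy baked into the analyzer image

  git -c init.defaultBranch=main init --quiet "$origin"
  mkdir -p "$origin/gems/example"
  echo "gem: example" > "$origin/gems/example/advisory-1.yml"   # constructed
  _commit "$origin" "advisories available at build time"
  branch=$(git -C "$origin" symbolic-ref --short HEAD)
  git clone --quiet "$origin" "$clone"                          # build time

  echo "gem: example" > "$origin/gems/example/advisory-2.yml"   # published later
  _commit "$origin" "advisory published after the image was built"

  before=$(advisory_db_is_current "$clone" "$branch" && echo current || echo stale)
  refresh_advisory_db "$clone" "$branch"
  after=$(advisory_db_is_current "$clone" "$branch" && echo current || echo stale)
  rm -rf "$tmp"
  echo "$before $after"
}

simulate_stale_scan   # prints: stale current
```

The check function deliberately compares against `git ls-remote` rather than against `origin/<branch>`: a remote-tracking ref only moves when something fetches, so comparing HEAD to it would report "current" for exactly the stale clone this issue is about.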
Edited by Fabien Catteau