bundler-audit reports incorrect, empty vulnerability
Summary
In some cases, the bundler-audit analyzer reports a vulnerability whose fields are empty or have their default value. This happens when `bundle audit check` logs a warning message before listing the vulnerabilities, or before reporting that there are none at all.
The empty vulnerability looks like the following:
{
  "id": "85008fe3bf9c69f6acbc1b2f6f56b1540498ac7abcfc27f589ddd17357968c5f",
  "category": "dependency_scanning",
  "message": "Vulnerability in ",
  "cve": "Gemfile.lock:",
  "severity": "Unknown",
  "scanner": {
    "id": "bundler_audit",
    "name": "bundler-audit"
  },
  "location": {
    "file": "Gemfile.lock",
    "dependency": {
      "package": {}
    }
  },
  "identifiers": [],
  "links": [
    {
      "url": ""
    }
  ]
}
However, running bundler-audit locally reports no vulnerabilities:
> /performance - update-ruby-2.7.4: bundle-audit
No vulnerabilities found
Further details
As of today, bundler-audit is one of the two Dependency Scanning scanners capable of scanning Bundler lock files. Technically, the analyzer is a wrapper that runs `bundle audit`, processes its text output, and generates a GitLab Dependency Scanning report. There's a bug in the text parser.
Steps to reproduce
- Create a GitLab project with a Gemfile and Gemfile.lock.
- Enable GitLab Dependency Scanning and run a CI pipeline.
- Check the CI artifact created by the bundler-audit_dependency-scanning job.
Sample project
- Open the GPT Security report.
- Click on Hide dismissed and review the Vulnerability.
- Artifact for bundler: gl-dependency-scanning-report__4_.json
Artifact - gl-dependency-scanning-report
{
  "version": "14.0.0",
  "vulnerabilities": [
    {
      "id": "85008fe3bf9c69f6acbc1b2f6f56b1540498ac7abcfc27f589ddd17357968c5f",
      "category": "dependency_scanning",
      "message": "Vulnerability in ",
      "cve": "Gemfile.lock:",
      "severity": "Unknown",
      "scanner": {
        "id": "bundler_audit",
        "name": "bundler-audit"
      },
      "location": {
        "file": "Gemfile.lock",
        "dependency": {
          "package": {}
        }
      },
      "identifiers": [],
      "links": [
        {
          "url": ""
        }
      ]
    }
  ],
  "remediations": [],
  "scan": {
    "scanner": {
      "id": "bundler_audit",
      "name": "bundler-audit",
      "url": "https://github.com/rubysec/bundler-audit",
      "vendor": {
        "name": "GitLab"
      },
      "version": "0.7.0.1"
    },
    "type": "dependency_scanning",
    "start_time": "2021-12-06T14:46:22",
    "end_time": "2021-12-06T14:46:24",
    "status": "success"
  }
}
What is the current bug behavior?
Dependency Scanning shows a vulnerability incorrectly, most likely because of a parsing error.
What is the expected correct behavior?
Dependency Scanning doesn't show a vulnerability when bundler-audit passes with "No vulnerabilities found".
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Implementation plan
- TIMEBOXED to ~1 day: investigate the problem, try to reproduce, and debug/fix if possible.
Possible fixes
We should do one of the following:
- Fix the parser of the text output.
- Remove the warnings.
- Ignore everything until there's something that looks like a vulnerability section.
- Use the JSON output of bundler-audit.
Parsing the JSON output seems more reliable, and it is probably less time consuming than making sense of a bug in the text parser.
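To make the "Further details" description and the third and fourth fixes above concrete, here is an added Ruby example (not the GitLab analyzer's parser and not bundler-audit's own code) of a text parser that skips any preamble, such as a warning line, until the first advisory block, returns an empty list for "No vulnerabilities found" output, and refuses to emit a record with no name or version, next to the JSON path. The sample outputs, the warning wording, the gem names and CVE placeholders, and the assumed "results"/"gem"/"advisory" key layout of the JSON output are all constructed for this example and are only loosely modelled on bundler-audit's "Name:"/"Version:" block format.

```ruby
# Added example, not code from the GitLab analyzer or from bundler-audit.
# Parses the text output of `bundle audit check` defensively and shows the
# JSON alternative. Sample outputs below are constructed; the JSON key names
# are an assumption about the schema, not a verified specification.
require 'json'

module AuditOutput
  # Only a line beginning with "Name:" opens an advisory block. Anything before
  # the first one (bundler warnings, deprecation notices) is preamble to skip.
  BLOCK_START = /\AName:\s*(.*)\z/
  FIELD       = /\A([A-Za-z]+):\s*(.*)\z/
  # A record must carry these fields before it is worth reporting; this is
  # what prevents the "Vulnerability in " / empty package record.
  REQUIRED    = %w[Name Version].freeze

  # Returns an array of {"Name"=>..., "Version"=>..., "CVE"=>..., ...} hashes.
  # Returns [] for "No vulnerabilities found" output, with or without warnings.
  def self.parse_text(text)
    lines = text.lines.map(&:chomp)
    first = lines.index { |l| l.match?(BLOCK_START) }
    return [] if first.nil?              # no advisory block anywhere: clean run

    records = []
    current = nil
    lines.drop(first).each do |line|
      if line.match?(BLOCK_START)        # a new block starts (blank line or not)
        records << current if current
        current = {}
      end
      next if current.nil?               # trailing text such as "Vulnerabilities found!"
      if (m = line.match(FIELD))
        current[m[1]] = m[2]
      elsif line.strip.empty?            # blank line closes the block
        records << current
        current = nil
      end
    end
    records << current if current
    records.select { |r| REQUIRED.all? { |k| !r[k].to_s.empty? } }
  end

  # JSON alternative: assumes the audit was run with a JSON formatter and that
  # it emits a "results" array of {"type","gem","advisory"} objects (assumption).
  def self.parse_json(text)
    doc = JSON.parse(text)
    Array(doc['results']).select { |r| r['type'] == 'unpatched_gem' }.map do |r|
      { 'Name'     => r.dig('gem', 'name'),
        'Version'  => r.dig('gem', 'version'),
        'Advisory' => r.dig('advisory', 'id') }
    end
  end
end

# Constructed samples: a bundler-style warning precedes both a clean run and a
# run with two placeholder advisories. Gem names and CVE IDs are placeholders.
CLEAN_WITH_WARNING = <<~OUT
  Warning: the running version of Bundler is older than the version that created the lockfile
  No vulnerabilities found
OUT

VULNERABLE_WITH_WARNING = <<~OUT
  Warning: the running version of Bundler is older than the version that created the lockfile
  Name: widget
  Version: 1.2.3
  CVE: CVE-0000-0000
  Criticality: High
  URL: https://example.invalid/advisories/widget
  Title: Placeholder advisory title
  Solution: upgrade to >= 1.2.4

  Name: gadget
  Version: 0.9.0
  CVE: CVE-0000-0001
  Criticality: Medium
  URL: https://example.invalid/advisories/gadget
  Title: Second placeholder advisory
  Solution: upgrade to >= 1.0.0

  Vulnerabilities found!
OUT

if __FILE__ == $PROGRAM_NAME
  p AuditOutput.parse_text(CLEAN_WITH_WARNING)
  p AuditOutput.parse_text(VULNERABLE_WITH_WARNING).map { |r| r.values_at('Name', 'Version', 'CVE') }
end
```

The point of the `first`/`drop` step is that the parser never sees the warning line as the start of a record; the `REQUIRED` filter is a second guard so that, even if a block is malformed, nothing with an empty package name reaches the report. The JSON path avoids both problems because the warning goes to the terminal, not into the document being parsed.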