Make bundler-audit generate YAML or JSON output

Problem to solve

Right now the Dependency Scanning analyzer based on bundler-audit parses the text output of bundler-audit. This works, but it has some limitations and it makes the implementation more complex than needed. It would be better to extend bundler-audit so that it can emit YAML or JSON output corresponding to what is in ruby-advisory-db.

Further details

Here are the limitations of the text output of bundler-audit:

  • the summary is missing, and that's something we could leverage in the existing report syntax.
  • the Advisory: line mixes up cve and osvdb identifiers.
  • the Solution: line is generated from patched_versions, but we're losing control over the way the string is rendered.
  • cvss_v2, cvss_v3 and date are missing too.

Also, parsing the text output is more complex and error-prone than parsing the original YAML document.
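To make the comparison concrete, here is an added example (not code from bundler-audit or from the analyzer) that converts one advisory in the ruby-advisory-db YAML layout into a structured report entry, keeping the fields the text output drops (summary, separate cve/osvdb identifiers, cvss_v2, cvss_v3, date) and rendering the solution string ourselves from patched_versions. The advisory, its identifiers and scores, and the text-output excerpt are all constructed for this example; the report field names are assumptions, not the gl-dependency-scanning-report.json schema.

```ruby
require 'yaml'
require 'date'
require 'json'

# Constructed advisory in the ruby-advisory-db layout. The gem name,
# identifiers, scores and versions are made up for this example.
SAMPLE_ADVISORY_YAML = <<~YAML
  gem: example-gem
  cve: 2018-00000
  osvdb: 123456
  url: https://example.invalid/advisories/example-gem
  title: Example remote code execution in example-gem
  date: 2018-11-29
  description: |
    Constructed description used only to exercise the converter.
  cvss_v2: 7.5
  cvss_v3: 9.8
  patched_versions:
    - "~> 1.2.3"
    - ">= 2.0.0"
  unaffected_versions:
    - "< 1.0.0"
YAML

# Constructed excerpt in the shape of bundler-audit's text output for the same
# advisory: only one identifier survives, and cvss/date are not printed at all.
SAMPLE_TEXT_OUTPUT = <<~TEXT
  Name: example-gem
  Version: 1.2.0
  Advisory: CVE-2018-00000
  Criticality: High
  URL: https://example.invalid/advisories/example-gem
  Title: Example remote code execution in example-gem
  Solution: upgrade to ~> 1.2.3, >= 2.0.0
TEXT

# Naive "Key: value" parser for the text form. It cannot recover cvss or date
# (they are absent) and cannot tell from the Advisory line alone whether the
# identifier is a CVE or an OSVDB entry without string matching.
def parse_text_output(text)
  text.each_line.with_object({}) do |line, fields|
    key, value = line.split(': ', 2)
    fields[key.strip] = value.to_s.strip
  end
end

# Render the remediation string ourselves instead of accepting whatever
# wording the text output prints, so the report controls the phrasing.
def render_solution(patched_versions)
  return 'No fixed version is available' if patched_versions.nil? || patched_versions.empty?

  "Upgrade to #{patched_versions.join(' or ')}"
end

# Convert one advisory document into a structured report entry. Every field
# the text output loses (summary, separate cve/osvdb, cvss, date) is kept.
def advisory_to_report(yaml_text)
  adv = YAML.safe_load(yaml_text, permitted_classes: [Date])

  identifiers = []
  identifiers << { 'type' => 'cve',   'value' => "CVE-#{adv['cve']}" } if adv['cve']
  identifiers << { 'type' => 'osvdb', 'value' => "OSVDB-#{adv['osvdb']}" } if adv['osvdb']

  {
    'gem'                 => adv['gem'],
    'summary'             => adv['title'],
    'description'         => adv['description'].to_s.strip,
    'identifiers'         => identifiers,
    'cvss_v2'             => adv['cvss_v2'],
    'cvss_v3'             => adv['cvss_v3'],
    'date'                => adv['date']&.iso8601,
    'url'                 => adv['url'],
    'solution'            => render_solution(adv['patched_versions']),
    'patched_versions'    => adv['patched_versions'] || [],
    'unaffected_versions' => adv['unaffected_versions'] || []
  }
end

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(advisory_to_report(SAMPLE_ADVISORY_YAML))
end
```

Running the script prints the JSON entry built from the YAML advisory; comparing it with `parse_text_output(SAMPLE_TEXT_OUTPUT)` shows that the text form has no cvss or date keys and carries only one of the two identifiers, which is exactly the loss the structured output is meant to avoid.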

Proposal

  • submit a Pull Request on bundler-audit to enable YAML and/or JSON output
  • update the bundler-audit analyzer to leverage this new output

What does success look like, and how can we measure that?

  • The generated gl-dependency-scanning-report.json contains all the data that's available in ruby-advisory-db.
  • The implementation of bundler-audit analyzer is shorter and easier to read.

Links / references

gitlab-org/security-products/analyzers/bundler-audit!1 (comment 117455484)

Edited Nov 29, 2018 by Fabien Catteau