Known-leaky gems verification for bundler: `bundle leak` to check your app and find leaky gems in your Gemfile :gem::droplet:
Home Page: https://www.rubymem.com
License: GNU General Public License v3.0
Hey @bronzdoc,
It seems that we have a problem with false positives. Some versions of some gems are known to be leaky, but it seems that bundler-leak is reporting them as leaky even if the project is using a patched version.
railsperf Slack)"I just ran this against a project and I think I got two false-positives:"
zsh 2715 (git)-[paj/Introducing-bundler-leak]-% bundle leak
Name: redis
Version: 4.1.2
URL: https://github.com/redis/redis-rb/issues/612
Title: Memory Leak using Celluloid::Future
Solution: remove or disable this gem until a patch is available!
Name: sidekiq
Version: 5.2.7
URL: https://github.com/mperham/sidekiq/pull/2598
Title: Memory Leak in Sidekiq::Manager#real_thread
Solution: remove or disable this gem until a patch is available!
Vulnerabilities found!
"sidekiq/sidekiq@d62ee8f
&
redis/redis-rb@d75708f
Seem to have addressed both of these leaks in earlier versions than we’re running."
railsperf Slack)"The result on my project"
ruby-mem-advisory-db: 9 advisories
Name: oj
Version: 3.6.4
URL: https://github.com/ohler55/oj/issues/229
Title: Memory Leak using Oj::Doc.open
Solution: remove or disable this gem until a patch is available!
Name: redis
Version: 4.0.2
URL: https://github.com/redis/redis-rb/issues/612
Title: Memory Leak using Celluloid::Future
Solution: remove or disable this gem until a patch is available!
Name: sidekiq
Version: 5.2.2
URL: https://github.com/mperham/sidekiq/pull/2598
Title: Memory Leak in Sidekiq::Manager#real_thread
Solution: remove or disable this gem until a patch is available!
We are still showing travis CI status badge in the README, we should change it for a github actions one
see: fastruby#1
Before we start...:
Branch/Commit:
Latest version
We had an issue, that for now, I need to ignore.
Sadly ignoring is not documented, though it is available:
bundler-leak/lib/bundler/plumber/scanner.rb
Line 119 in a3713ab
So my first improvement would be to please add this to the documentation
My second improvement actually requires a code change.
The output does not show the ID of the advisory, needed to be able to ignore it.
I manually needed to look for it.
Can the id please be added to the output to make this easier?
Thanks in advance
We should add a COC to the project
Hey @bronzdoc,
It seems that there is a problem with the redcarpet gem:
$ bundle leak
No leaks found
$ bundle leak --update
Updating ruby-mem-advisory-db ...
Fetching origin
From https://github.com/rubymem/ruby-mem-advisory-db
* [new branch] master -> origin/master
HEAD is now at 352fb1f Merge pull request #19 from rubymem/add-code-of-conduct-1
Updated ruby-mem-advisory-db
ruby-mem-advisory-db: 11 advisories
No leaks found
$ cat Gemfile.lock | grep redcarpet
redcarpet (3.3.2)
redcarpet (= 3.3.2)
I was expecting it to report it as leaky but it did not. :(
I see that the patch for the leaky version is present in versions 3.3.3, 3.5.0, and their main branch: vmg/redcarpet@e2e26e2
According to the database, it should report it as leaky: https://github.com/rubymem/ruby-mem-advisory-db/blob/main/gems/redcarpet/516.yml
So maybe there is something wrong with the version comparison?
Not sure why that one is failing and other gems are working fine.
Before we start...:
Branch/Commit:
Inform what branch/commit of Skunk.fyi you are using.
I am not using Skunk.fyi at all. This is about bundler-leak (0.2.0).
Expected behavior:
I can run bundle leak without runtime error.
Actual behavior:
/usr/local/lib/ruby/3.1.0/psych/class_loader.rb:99:in `find': Tried to load unspecified class: Date (Psych::DisallowedClass)
from /usr/local/lib/ruby/3.1.0/psych/class_loader.rb:28:in `load'
from (eval):2:in `date'
from /usr/local/lib/ruby/3.1.0/psych/scalar_scanner.rb:59:in `tokenize'
from /usr/local/lib/ruby/3.1.0/psych/visitors/to_ruby.rb:65:in `deserialize'
from /usr/local/lib/ruby/3.1.0/psych/visitors/to_ruby.rb:128:in `visit_Psych_Nodes_Scalar'
from /usr/local/lib/ruby/3.1.0/psych/visitors/visitor.rb:30:in `visit'
from /usr/local/lib/ruby/3.1.0/psych/visitors/visitor.rb:6:in `accept'
from /usr/local/lib/ruby/3.1.0/psych/visitors/to_ruby.rb:35:in `accept'
from /usr/local/lib/ruby/3.1.0/psych/visitors/to_ruby.rb:345:in `block in revive_hash'
from /usr/local/lib/ruby/3.1.0/psych/visitors/to_ruby.rb:343:in `each'
from /usr/local/lib/ruby/3.1.0/psych/visitors/to_ruby.rb:343:in `each_slice'
from /usr/local/lib/ruby/3.1.0/psych/visitors/to_ruby.rb:343:in `revive_hash'
from /usr/local/lib/ruby/3.1.0/psych/visitors/to_ruby.rb:167:in `visit_Psych_Nodes_Mapping'
from /usr/local/lib/ruby/3.1.0/psych/visitors/visitor.rb:30:in `visit'
from /usr/local/lib/ruby/3.1.0/psych/visitors/visitor.rb:6:in `accept'
from /usr/local/lib/ruby/3.1.0/psych/visitors/to_ruby.rb:35:in `accept'
from /usr/local/lib/ruby/3.1.0/psych/visitors/to_ruby.rb:318:in `visit_Psych_Nodes_Document'
from /usr/local/lib/ruby/3.1.0/psych/visitors/visitor.rb:30:in `visit'
from /usr/local/lib/ruby/3.1.0/psych/visitors/visitor.rb:6:in `accept'
from /usr/local/lib/ruby/3.1.0/psych/visitors/to_ruby.rb:35:in `accept'
from /usr/local/lib/ruby/3.1.0/psych.rb:335:in `safe_load'
from /usr/local/lib/ruby/3.1.0/psych.rb:370:in `load'
from /usr/local/lib/ruby/3.1.0/psych.rb:671:in `block in load_file'
from /usr/local/lib/ruby/3.1.0/psych.rb:670:in `open'
from /usr/local/lib/ruby/3.1.0/psych.rb:670:in `load_file'
from /usr/local/bundle/gems/bundler-leak-0.2.0/lib/bundler/plumber/advisory.rb:47:in `load'
from /usr/local/bundle/gems/bundler-leak-0.2.0/lib/bundler/plumber/database.rb:156:in `block in advisories_for'
from <internal:dir>:220:in `glob'
from /usr/local/bundle/gems/bundler-leak-0.2.0/lib/bundler/plumber/database.rb:244:in `each_advisory_path_for'
from /usr/local/bundle/gems/bundler-leak-0.2.0/lib/bundler/plumber/database.rb:155:in `advisories_for'
from /usr/local/bundle/gems/bundler-leak-0.2.0/lib/bundler/plumber/database.rb:179:in `check_gem'
from /usr/local/bundle/gems/bundler-leak-0.2.0/lib/bundler/plumber/scanner.rb:117:in `block in scan_specs'
from /usr/local/bundle/gems/bundler-leak-0.2.0/lib/bundler/plumber/scanner.rb:116:in `each'
from /usr/local/bundle/gems/bundler-leak-0.2.0/lib/bundler/plumber/scanner.rb:116:in `scan_specs'
from /usr/local/bundle/gems/bundler-leak-0.2.0/lib/bundler/plumber/scanner.rb:83:in `scan'
from /usr/local/bundle/gems/bundler-leak-0.2.0/lib/bundler/plumber/cli.rb:45:in `check'
from /usr/local/bundle/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'
from /usr/local/bundle/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'
from /usr/local/bundle/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'
from /usr/local/bundle/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'
from /usr/local/bundle/gems/bundler-leak-0.2.0/bin/bundle-leak:10:in `<top (required)>'
from /usr/local/bundle/gems/bundler-leak-0.2.0/bin/bundler-leak:3:in `load'
from /usr/local/bundle/gems/bundler-leak-0.2.0/bin/bundler-leak:3:in `<top (required)>'
from /usr/local/bundle/bin/bundler-leak:25:in `load'
from /usr/local/bundle/bin/bundler-leak:25:in `<main>'
Steps to reproduce:
Install Ruby 3.1.0 and try to run bundle leak.
I will abide by the [code of conduct] (code_of_conduct.md)
When I clone the project and I run ./bin/setup, I get this error:
$ ./bin/setup
Using rake 12.3.3
Using bundler 2.0.1
Using thor 0.20.3
Using bundler-leak 0.1.0 from source at `.`
Using byebug 11.0.1
Using diff-lcs 1.3
Using docile 1.3.2
Using json 2.2.0
Using kramdown 0.14.2
Using rspec-support 3.8.2
Using rspec-core 3.8.2
Using rspec-expectations 3.8.4
Using rspec-mocks 3.8.1
Using rspec 3.8.0
Using rubygems-tasks 0.2.4
Using simplecov-html 0.10.2
Using simplecov 0.17.0
Using yard 0.9.20
Bundle complete! 8 Gemfile dependencies, 18 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.
[!] There was an error parsing `Gemfile`: No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/insecure_sources/Gemfile. Bundler cannot continue.
[!] There was an error parsing `Gemfile`: No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/secure/Gemfile. Bundler cannot continue.
Using rake 12.3.3
Using concurrent-ruby 1.1.5
Using i18n 1.6.0
Using minitest 5.11.3
Using thread_safe 0.3.6
Using tzinfo 1.2.5
Using zeitwerk 2.1.9
Using activesupport 6.0.0
Using builder 3.2.3
Using erubi 1.8.0
Using mini_portile2 2.4.0
Using nokogiri 1.10.4
Using rails-dom-testing 2.0.3
Using crass 1.0.4
Using loofah 2.2.3
Using rails-html-sanitizer 1.2.0
Using actionview 6.0.0
Using rack 2.0.7
Using rack-test 1.1.0
Using actionpack 6.0.0
Using bundler 2.0.1
Using dotenv 2.7.5
Using nenv 0.3.0
Using rspec-logsplit 0.1.3
Using hitimes 1.3.1
Using timers 4.0.4
Using celluloid-essentials 0.20.2
Using celluloid-extras 0.20.0
Using celluloid-fsm 0.20.0
Using celluloid-pool 0.20.0
Using celluloid-supervision 0.20.1
Using celluloid 0.17.0
Using method_source 0.9.2
Using thor 0.20.3
Using railties 6.0.0
Using jquery-rails 4.3.5
Using libv8 3.16.14.19 (x86_64-darwin-17)
Using ref 2.0.0
Using sqlite3 1.4.1
Using therubyracer 0.12.1
Bundle complete! 4 Gemfile dependencies, 40 gems now installed.
Bundled gems are installed into `./vendor/bundle`
Maybe the script is missing a few steps?
Before we start...:
Branch/Commit:
Release 0.3.0
Expected behaviour:
When I type bundle leak update, it should update without git warnings.
Actual behaviour:
I get the following output:
$ bundle leak update
Updating ruby-advisory-db ...
hint: Pulling without specifying how to reconcile divergent branches is
hint: discouraged. You can squelch this message by running one of the following
hint: commands sometime before your next pull:
hint:
hint: git config pull.rebase false # merge (the default strategy)
hint: git config pull.rebase true # rebase
hint: git config pull.ff only # fast-forward only
hint:
hint: You can replace "git config" with "git config --global" to set a default
hint: preference for all repositories. You can also pass --rebase, --no-rebase,
hint: or --ff-only on the command line to override the configured default per
hint: invocation.
From https://github.com/rubysec/ruby-advisory-db
* branch master -> FETCH_HEAD
Already up to date.
Could bundler-leak pass the appropriate flag? The update! method appears to be calling git fetch --all, and that doesn't accept --rebase — which make's git's output a bit baffling.
I'm running in Docker, so setting the git global config on the host machine won't help, and setting the local config would presumably have to be done on bundler-leak's internal copy, rather than the host project. I think it would be better for bundler-leak to be explicit here in any case.
(I suspect that most people not using Docker will have already set a global preference, and so won't have run into this…)
Steps to reproduce:
pull.rebase or pull.ff, either globally or on the project you're working on.bundle leak updateContext and environment:
ruby:3.1.3-bullseye)Screenshots and Videos
n/a
Logs
n/a
It would be useful to have an --ignore option similar to what bundler-audit has.
Before we start...:
Branch/Commit:
main branch.
Expected behavior:
Test suite should pass in both CI and local env.
Actual behavior:
Test suite does not pass in CI, but it passes on local env.
Steps to reproduce:
Stop marking the scenarios in database_spec.rb as pending, watch the CI fail.
Resources:
Found on: #45
Logs
243
Failures:
[244](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:244)
[245](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:245)
1) Bundler::Plumber::Database path should prefer the user repo, if it's as up to date, or more up to date than the vendored one
[246](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:246)
Failure/Error: expect(Bundler::Plumber::Database.path).to eq Bundler::Plumber::Database::VENDORED_PATH
[247](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:247)
[248](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:248)
expected: "/home/runner/work/bundler-leak/bundler-leak/data/ruby-mem-advisory-db"
[249](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:249)
got: "/home/runner/work/bundler-leak/bundler-leak/tmp/ruby-mem-advisory-db"
[250](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:250)
[251](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:251)
(compared using ==)
[252](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:252)
# ./spec/database_spec.rb:29:in `block (3 levels) in <top (required)>'
[253](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:253)
[254](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:254)
Finished in 1.68 seconds (files took 0.33134 seconds to load)
[255](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:255)
46 examples, 1 failure, 1 pending
[256](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:256)
[257](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:257)
Failed examples:
[258](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:258)
[259](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:259)
rspec ./spec/database_spec.rb:17 # Bundler::Plumber::Database path should prefer the user repo, if it's as up to date, or more up to date than the vendored one
[260](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:260)
[261](https://github.com/rubymem/bundler-leak/runs/5687452238?check_suite_focus=true#step:4:261)
Stopped processing SimpleCov as a previous error not related to SimpleCov has been detected
I will abide by the code of conduct
Branch/Commit:
Release 0.3.0 from rubygems.org
Expected behavior:
It just works :)
Actual behavior:
$ bundler-leak
/usr/local/rbenv/versions/2.5.3-p0/lib/ruby/gems/2.5.0/gems/bundler-leak-0.3.0/lib/bundler/plumber/database.rb:58:in `initialize': "/usr/local/rbenv/versions/2.5.3-p0/lib/ruby/gems/2.5.0/gems/bundler-leak-0.3.0/data/ruby-mem-advisory-db" is not a directory (ArgumentError)
from /usr/local/rbenv/versions/2.5.3-p0/lib/ruby/gems/2.5.0/gems/bundler-leak-0.3.0/lib/bundler/plumber/scanner.rb:59:in `new'
from /usr/local/rbenv/versions/2.5.3-p0/lib/ruby/gems/2.5.0/gems/bundler-leak-0.3.0/lib/bundler/plumber/scanner.rb:59:in `initialize'
from /usr/local/rbenv/versions/2.5.3-p0/lib/ruby/gems/2.5.0/gems/bundler-leak-0.3.0/lib/bundler/plumber/cli.rb:42:in `new'
from /usr/local/rbenv/versions/2.5.3-p0/lib/ruby/gems/2.5.0/gems/bundler-leak-0.3.0/lib/bundler/plumber/cli.rb:42:in `check'
from /usr/local/rbenv/versions/2.5.3-p0/lib/ruby/gems/2.5.0/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'
from /usr/local/rbenv/versions/2.5.3-p0/lib/ruby/gems/2.5.0/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'
from /usr/local/rbenv/versions/2.5.3-p0/lib/ruby/gems/2.5.0/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'
from /usr/local/rbenv/versions/2.5.3-p0/lib/ruby/gems/2.5.0/gems/thor-1.2.1/lib/thor/base.rb:[48](https://gitlab.funbox.ru/a2p/vk/beeline-a2p-admin-backend/-/jobs/394127#L48)5:in `start'
from /usr/local/rbenv/versions/2.5.3-p0/lib/ruby/gems/2.5.0/gems/bundler-leak-0.3.0/exe/bundle-leak:10:in `<top (required)>'
from /usr/local/rbenv/versions/2.5.3-p0/lib/ruby/gems/2.5.0/gems/bundler-leak-0.3.0/exe/bundler-leak:3:in `load'
from /usr/local/rbenv/versions/2.5.3-p0/lib/ruby/gems/2.5.0/gems/bundler-leak-0.3.0/exe/bundler-leak:3:in `<top (required)>'
from /usr/local/rbenv/versions/2.5.3/bin/bundler-leak:23:in `load'
from /usr/local/rbenv/versions/2.5.3/bin/bundler-leak:23:in `<main>'
Steps to reproduce:
Just run the executable :)
Context and environment:
GitLab CI
CentOS 7
I will abide by the [code of conduct] (code_of_conduct.md)
I just tried to clone and test the app locally and I found these issues:
$ git submodule update --init
error: Server does not allow request for unadvertised object c4fc78ecc3e02d9523d738662e6d6ed2140fed35
Fetched in submodule path 'data/ruby-mem-advisory-db', but it did not contain c4fc78ecc3e02d9523d738662e6d6ed2140fed35. Direct fetching of that commit failed.
When trying to run the tests I found this error:
$ bundle exec rake
cd spec/bundle/secure
unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle
Fetching gem metadata from https://rubygems.org/.............
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies...
Bundler could not find compatible versions for gem "bundler":
In Gemfile:
rails (~> 4.2.7.1) was resolved to 4.2.7.1, which depends on
bundler (>= 1.3.0, < 2.0)
Current Bundler version:
bundler (2.0.1)
This Gemfile requires a different version of Bundler.
Perhaps you need to update Bundler by running `gem install bundler`?
Could not find gem 'bundler (>= 1.3.0, < 2.0)', which is required by gem 'rails (~> 4.2.7.1)', in any of the sources.
rake aborted!
Command failed with status (6): [unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYO...]
/Users/etagwerker/Projects/fastruby/bundler-leak/Rakefile:45:in `block (4 levels) in <top (required)>'
/Users/etagwerker/Projects/fastruby/bundler-leak/Rakefile:44:in `block (3 levels) in <top (required)>'
/Users/etagwerker/Projects/fastruby/bundler-leak/Rakefile:43:in `each'
/Users/etagwerker/Projects/fastruby/bundler-leak/Rakefile:43:in `block (2 levels) in <top (required)>'
/Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/rake-12.3.3/exe/rake:27:in `<top (required)>'
/Users/etagwerker/.rvm/gems/ruby-2.5.1/bin/ruby_executable_hooks:24:in `eval'
/Users/etagwerker/.rvm/gems/ruby-2.5.1/bin/ruby_executable_hooks:24:in `<main>'
Tasks: TOP => default => spec => spec:bundle
(See full trace by running task with --trace)
I tried with bundle exec rspec spec and I found other errors:
$ bundle exec rspec spec
Bundler::Plumber::Advisory
load
#id
example at ./spec/advisory_spec.rb:34 (FAILED - 1)
#url
example at ./spec/advisory_spec.rb:39 (FAILED - 2)
#title
example at ./spec/advisory_spec.rb:44 (FAILED - 3)
#date
example at ./spec/advisory_spec.rb:49 (FAILED - 4)
#description
example at ./spec/advisory_spec.rb:54 (FAILED - 5)
YAML data not representing a hash
should raise an exception
#patched_versions
should all be Gem::Requirement objects (FAILED - 6)
should parse the versions (FAILED - 7)
#unaffected?
when passed a version that matches one unaffected version
should return true (FAILED - 8)
when passed a version that matches no unaffected version
should return false (FAILED - 9)
#patched?
when passed a version that matches one patched version
should return true (FAILED - 10)
when passed a version that matches no patched version
should return false (FAILED - 11)
#vulnerable?
when passed a version that matches one patched version
should return false (FAILED - 12)
when passed a version that matches no patched version
should return true (FAILED - 13)
when unaffected_versions is not empty
when passed a version that matches one unaffected version
should return false (FAILED - 14)
when passed a version that matches no unaffected version
should return true (FAILED - 15)
Bundler::Plumber
should have a VERSION constant
Bundler::Plumber::CLI
#update
not --quiet (the default)
when update succeeds
prints updated message
prints total advisory count
when update fails
prints failure message
exits with error status code
--quiet
when update succeeds
does not print any output
when update fails
prints failure message
exits with error status code
Bundler::Plumber::Database
path
it should be a directory
Cloning into '/Users/etagwerker/Projects/fastruby/bundler-leak/tmp/ruby-mem-advisory-db'...
done.
Timestamp:
[master 801ba71] Dummy commit.
fatal: ambiguous argument 'HEAD~20': unknown revision or path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'
should prefer the user repo, iff it's as up to date, or more up to date than the vendored one (FAILED - 16)
update!
Cloning into '/Users/etagwerker/Projects/fastruby/bundler-leak/tmp/ruby-mem-advisory-db'...
done.
should create the USER_PATH path as needed
Cloning into '/Users/etagwerker/Projects/fastruby/bundler-leak/tmp/ruby-mem-advisory-db'...
done.
HEAD is now at 231688a Merge pull request #4 from rubymem/add-leaky-gems-missing-fields
should create the repo, then update it given multple successive calls.
#initialize
when given no arguments
should default path to path
when given a directory
should set #path
when given an invalid directory
should raise an ArgumentError
#check_gem
when given a block
should yield every advisory affecting the gem (FAILED - 17)
when given no block
should return an Enumerator
#size
should eq 0
#advisories
should return a list of all advisories.
#to_s
should return the Database path
#inspect
should produce a Ruby-ish instance descriptor
CLI
when auditing a bundle with unpatched gems
should print a warning (FAILED - 18)
should print advisory information for the vulnerable gems (FAILED - 19)
when auditing a secure bundle
should print nothing when everything is fine (FAILED - 20)
update
when advisories update successfully
should print status
Bundler::Plumber::Scanner
#scan
should yield results (FAILED - 21)
when not called with a block
should return an Enumerator (FAILED - 22)
when auditing a bundle with unpatched gems
should match unpatched gems to their advisories (FAILED - 23)
when the :ignore option is given
should ignore the specified advisories (FAILED - 24)
when auditing a secure bundle
should print nothing when everything is fine (FAILED - 25)
Failures:
1) Bundler::Plumber::Advisory load #id
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
# ./spec/advisory_spec.rb:33:in `block (4 levels) in <top (required)>'
# ./spec/advisory_spec.rb:34:in `block (4 levels) in <top (required)>'
2) Bundler::Plumber::Advisory load #url
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
# ./spec/advisory_spec.rb:38:in `block (4 levels) in <top (required)>'
# ./spec/advisory_spec.rb:39:in `block (4 levels) in <top (required)>'
3) Bundler::Plumber::Advisory load #title
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
# ./spec/advisory_spec.rb:43:in `block (4 levels) in <top (required)>'
# ./spec/advisory_spec.rb:44:in `block (4 levels) in <top (required)>'
4) Bundler::Plumber::Advisory load #date
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
# ./spec/advisory_spec.rb:48:in `block (4 levels) in <top (required)>'
# ./spec/advisory_spec.rb:49:in `block (4 levels) in <top (required)>'
5) Bundler::Plumber::Advisory load #description
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
# ./spec/advisory_spec.rb:53:in `block (4 levels) in <top (required)>'
# ./spec/advisory_spec.rb:54:in `block (4 levels) in <top (required)>'
6) Bundler::Plumber::Advisory load #patched_versions should all be Gem::Requirement objects
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:67:in `block (4 levels) in <top (required)>'
# ./spec/advisory_spec.rb:70:in `block (4 levels) in <top (required)>'
7) Bundler::Plumber::Advisory load #patched_versions should parse the versions
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:67:in `block (4 levels) in <top (required)>'
# ./spec/advisory_spec.rb:76:in `block (4 levels) in <top (required)>'
8) Bundler::Plumber::Advisory#unaffected? when passed a version that matches one unaffected version should return true
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
# ./spec/advisory_spec.rb:87:in `block (4 levels) in <top (required)>'
9) Bundler::Plumber::Advisory#unaffected? when passed a version that matches no unaffected version should return false
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
# ./spec/advisory_spec.rb:95:in `block (4 levels) in <top (required)>'
10) Bundler::Plumber::Advisory#patched? when passed a version that matches one patched version should return true
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
# ./spec/advisory_spec.rb:105:in `block (4 levels) in <top (required)>'
11) Bundler::Plumber::Advisory#patched? when passed a version that matches no patched version should return false
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
# ./spec/advisory_spec.rb:113:in `block (4 levels) in <top (required)>'
12) Bundler::Plumber::Advisory#vulnerable? when passed a version that matches one patched version should return false
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
# ./spec/advisory_spec.rb:123:in `block (4 levels) in <top (required)>'
13) Bundler::Plumber::Advisory#vulnerable? when passed a version that matches no patched version should return true
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
# ./spec/advisory_spec.rb:131:in `block (4 levels) in <top (required)>'
14) Bundler::Plumber::Advisory#vulnerable? when passed a version that matches no patched version when unaffected_versions is not empty when passed a version that matches one unaffected version should return false
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:135:in `block (5 levels) in <top (required)>'
# ./spec/advisory_spec.rb:141:in `block (6 levels) in <top (required)>'
15) Bundler::Plumber::Advisory#vulnerable? when passed a version that matches no patched version when unaffected_versions is not empty when passed a version that matches no unaffected version should return true
Failure/Error: data = YAML.load_file(path)
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
# ./spec/advisory_spec.rb:135:in `block (5 levels) in <top (required)>'
# ./spec/advisory_spec.rb:149:in `block (6 levels) in <top (required)>'
16) Bundler::Plumber::Database path should prefer the user repo, iff it's as up to date, or more up to date than the vendored one
Failure/Error: expect(Bundler::Plumber::Database.path).to eq Bundler::Plumber::Database::VENDORED_PATH
expected: "/Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db"
got: "/Users/etagwerker/Projects/fastruby/bundler-leak/tmp/ruby-mem-advisory-db"
(compared using ==)
# ./spec/database_spec.rb:33:in `block (3 levels) in <top (required)>'
17) Bundler::Plumber::Database#check_gem when given a block should yield every advisory affecting the gem
Failure/Error: expect(advisories).not_to be_empty
expected `[].empty?` to return false, got true
# ./spec/database_spec.rb:98:in `block (4 levels) in <top (required)>'
18) CLI when auditing a bundle with unpatched gems should print a warning
Failure/Error: expect(subject).to include("Vulnerabilities found!")
expected "/Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No suc...in `load'\n\tfrom /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `<main>'\n" to include "Vulnerabilities found!"
Diff:
@@ -1,2 +1,12 @@
-Vulnerabilities found!
+/Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock (Errno::ENOENT)
+ from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `initialize'
+ from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/cli.rb:41:in `new'
+ from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/cli.rb:41:in `check'
+ from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
+ from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
+ from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'
+ from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'
+ from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundle-leak:10:in `<top (required)>'
+ from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `load'
+ from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `<main>'
# ./spec/integration_spec.rb:19:in `block (3 levels) in <top (required)>'
19) CLI when auditing a bundle with unpatched gems should print advisory information for the vulnerable gems
Failure/Error: expect(subject).to match(advisory_pattern)
expected "/Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No suc...in `load'\n\tfrom /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `<main>'\n" to match /(Name: [^\n]+
Version: \d+.\d+.\d+
URL: https?:\/\/(www\.)?.+
Title: [^\n]*?
Solution: remove or disable this gem until a patch is available!)+/
Diff:
@@ -1,6 +1,12 @@
-/(Name: [^\n]+
-Version: \d+.\d+.\d+
-URL: https?:\/\/(www\.)?.+
-Title: [^\n]*?
-Solution: remove or disable this gem until a patch is available!)+/
+/Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock (Errno::ENOENT)
+ from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `initialize'
+ from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/cli.rb:41:in `new'
+ from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/cli.rb:41:in `check'
+ from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
+ from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
+ from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'
+ from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'
+ from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundle-leak:10:in `<top (required)>'
+ from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `load'
+ from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `<main>'
# ./spec/integration_spec.rb:29:in `block (3 levels) in <top (required)>'
20) CLI when auditing a secure bundle should print nothing when everything is fine
Failure/Error: raise "FAILED #{command}\n#{result}" if $?.success? == !!options[:fail]
RuntimeError:
FAILED /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak
/Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/secure/Gemfile.lock (Errno::ENOENT)
from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `initialize'
from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/cli.rb:41:in `new'
from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/cli.rb:41:in `check'
from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'
from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'
from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundle-leak:10:in `<top (required)>'
from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `load'
from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `<main>'
# ./spec/spec_helper.rb:12:in `block in sh'
# /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/bundler-2.0.1/lib/bundler.rb:313:in `block in with_clean_env'
# /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/bundler-2.0.1/lib/bundler.rb:562:in `with_env'
# /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/bundler-2.0.1/lib/bundler.rb:313:in `with_clean_env'
# ./spec/spec_helper.rb:10:in `sh'
# ./spec/integration_spec.rb:39:in `block (4 levels) in <top (required)>'
# ./spec/integration_spec.rb:39:in `chdir'
# ./spec/integration_spec.rb:39:in `block (3 levels) in <top (required)>'
# ./spec/integration_spec.rb:43:in `block (3 levels) in <top (required)>'
21) Bundler::Plumber::Scanner#scan should yield results
Failure/Error: File.read(File.join(@root,gemfile_lock))
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock
# ./spec/scanner_spec.rb:9:in `new'
# ./spec/scanner_spec.rb:9:in `block (3 levels) in <top (required)>'
# ./spec/scanner_spec.rb:14:in `block (3 levels) in <top (required)>'
22) Bundler::Plumber::Scanner#scan when not called with a block should return an Enumerator
Failure/Error: File.read(File.join(@root,gemfile_lock))
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock
# ./spec/scanner_spec.rb:9:in `new'
# ./spec/scanner_spec.rb:9:in `block (3 levels) in <top (required)>'
# ./spec/scanner_spec.rb:21:in `block (4 levels) in <top (required)>'
23) Bundler::Plumber::Scanner when auditing a bundle with unpatched gems should match unpatched gems to their advisories
Failure/Error: File.read(File.join(@root,gemfile_lock))
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock
# ./spec/scanner_spec.rb:29:in `new'
# ./spec/scanner_spec.rb:29:in `block (3 levels) in <top (required)>'
# ./spec/scanner_spec.rb:31:in `block (3 levels) in <top (required)>'
# ./spec/scanner_spec.rb:34:in `block (3 levels) in <top (required)>'
24) Bundler::Plumber::Scanner when auditing a bundle with unpatched gems when the :ignore option is given should ignore the specified advisories
Failure/Error: File.read(File.join(@root,gemfile_lock))
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock
# ./spec/scanner_spec.rb:29:in `new'
# ./spec/scanner_spec.rb:29:in `block (3 levels) in <top (required)>'
# ./spec/scanner_spec.rb:40:in `block (4 levels) in <top (required)>'
# ./spec/scanner_spec.rb:43:in `block (4 levels) in <top (required)>'
25) Bundler::Plumber::Scanner when auditing a secure bundle should print nothing when everything is fine
Failure/Error: File.read(File.join(@root,gemfile_lock))
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/secure/Gemfile.lock
# ./spec/scanner_spec.rb:53:in `new'
# ./spec/scanner_spec.rb:53:in `block (3 levels) in <top (required)>'
# ./spec/scanner_spec.rb:55:in `block (3 levels) in <top (required)>'
# ./spec/scanner_spec.rb:58:in `block (3 levels) in <top (required)>'
Finished in 4.01 seconds (files took 0.2112 seconds to load)
46 examples, 25 failures
Failed examples:
rspec ./spec/advisory_spec.rb:34 # Bundler::Plumber::Advisory load #id
rspec ./spec/advisory_spec.rb:39 # Bundler::Plumber::Advisory load #url
rspec ./spec/advisory_spec.rb:44 # Bundler::Plumber::Advisory load #title
rspec ./spec/advisory_spec.rb:49 # Bundler::Plumber::Advisory load #date
rspec ./spec/advisory_spec.rb:54 # Bundler::Plumber::Advisory load #description
rspec ./spec/advisory_spec.rb:69 # Bundler::Plumber::Advisory load #patched_versions should all be Gem::Requirement objects
rspec ./spec/advisory_spec.rb:75 # Bundler::Plumber::Advisory load #patched_versions should parse the versions
rspec ./spec/advisory_spec.rb:86 # Bundler::Plumber::Advisory#unaffected? when passed a version that matches one unaffected version should return true
rspec ./spec/advisory_spec.rb:94 # Bundler::Plumber::Advisory#unaffected? when passed a version that matches no unaffected version should return false
rspec ./spec/advisory_spec.rb:104 # Bundler::Plumber::Advisory#patched? when passed a version that matches one patched version should return true
rspec ./spec/advisory_spec.rb:112 # Bundler::Plumber::Advisory#patched? when passed a version that matches no patched version should return false
rspec ./spec/advisory_spec.rb:122 # Bundler::Plumber::Advisory#vulnerable? when passed a version that matches one patched version should return false
rspec ./spec/advisory_spec.rb:130 # Bundler::Plumber::Advisory#vulnerable? when passed a version that matches no patched version should return true
rspec ./spec/advisory_spec.rb:140 # Bundler::Plumber::Advisory#vulnerable? when passed a version that matches no patched version when unaffected_versions is not empty when passed a version that matches one unaffected version should return false
rspec ./spec/advisory_spec.rb:148 # Bundler::Plumber::Advisory#vulnerable? when passed a version that matches no patched version when unaffected_versions is not empty when passed a version that matches no unaffected version should return true
rspec ./spec/database_spec.rb:17 # Bundler::Plumber::Database path should prefer the user repo, iff it's as up to date, or more up to date than the vendored one
rspec ./spec/database_spec.rb:91 # Bundler::Plumber::Database#check_gem when given a block should yield every advisory affecting the gem
rspec ./spec/integration_spec.rb:18 # CLI when auditing a bundle with unpatched gems should print a warning
rspec ./spec/integration_spec.rb:22 # CLI when auditing a bundle with unpatched gems should print advisory information for the vulnerable gems
rspec ./spec/integration_spec.rb:42 # CLI when auditing a secure bundle should print nothing when everything is fine
rspec ./spec/scanner_spec.rb:11 # Bundler::Plumber::Scanner#scan should yield results
rspec ./spec/scanner_spec.rb:20 # Bundler::Plumber::Scanner#scan when not called with a block should return an Enumerator
rspec ./spec/scanner_spec.rb:33 # Bundler::Plumber::Scanner when auditing a bundle with unpatched gems should match unpatched gems to their advisories
rspec ./spec/scanner_spec.rb:42 # Bundler::Plumber::Scanner when auditing a bundle with unpatched gems when the :ignore option is given should ignore the specified advisories
rspec ./spec/scanner_spec.rb:57 # Bundler::Plumber::Scanner when auditing a secure bundle should print nothing when everything is fine
Coverage report generated for RSpec to /Users/etagwerker/Projects/fastruby/bundler-leak/coverage. 307 / 373 LOC (82.31%) covered.
It seems that I'm missing something when setting up the project locally.
It might be a good idea to have a ./bin/setup which makes sure that the dev environment is properly setup.
Before we start...:
Branch/Commit:
main branch
Expected behavior:
https://rubygems.org/gems/bundler-leak/versions/0.2.0 should have an entry in the changelog
Actual behavior:
https://rubygems.org/gems/bundler-leak/versions/0.2.0 does not have an entry in the changelog
I will abide by the [code of conduct] (code_of_conduct.md)
Something like brakeman's gem feature?
I downloaded the repository fresh and changed to the fix-dev-environment branch to avoid the issues described in #12.
Then I ran the following commands:
bundle install
git submodule update --init --recursive
bundle exec rspec
The following tests failed:
Failures:
1) CLI when auditing a bundle with unpatched gems should print a warning
Failure/Error: expect(subject).to include("Leaks found!")
expected "/Users/nate/code/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No such file or directory...bin/bundler-leak:3:in `load'\n\tfrom /Users/nate/code/bundler-leak/bin/bundler-leak:3:in `<main>'\n" to include "Leaks found!"
Diff:
@@ -1,2 +1,12 @@
-Leaks found!
+/Users/nate/code/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No such file or directory @ rb_sysopen - /Users/nate/code/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock (Errno::ENOENT)
+ from /Users/nate/code/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `initialize'
+ from /Users/nate/code/bundler-leak/lib/bundler/plumber/cli.rb:41:in `new'
+ from /Users/nate/code/bundler-leak/lib/bundler/plumber/cli.rb:41:in `check'
+ from /Users/nate/.gem/ruby/2.6.2/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
+ from /Users/nate/.gem/ruby/2.6.2/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
+ from /Users/nate/.gem/ruby/2.6.2/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'
+ from /Users/nate/.gem/ruby/2.6.2/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'
+ from /Users/nate/code/bundler-leak/bin/bundle-leak:10:in `<top (required)>'
+ from /Users/nate/code/bundler-leak/bin/bundler-leak:3:in `load'
+ from /Users/nate/code/bundler-leak/bin/bundler-leak:3:in `<main>'
# ./spec/integration_spec.rb:19:in `block (3 levels) in <top (required)>'
2) CLI when auditing a bundle with unpatched gems should print advisory information for the vulnerable gems
Failure/Error: expect(subject).to match(advisory_pattern)
expected "/Users/nate/code/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No such file or directory...bin/bundler-leak:3:in `load'\n\tfrom /Users/nate/code/bundler-leak/bin/bundler-leak:3:in `<main>'\n" to match /(Name: [^\n]+
Version: \d+.\d+.\d+
URL: https?:\/\/(www\.)?.+
Title: [^\n]*?
Solution: upgrade to (~>|>=) \d+\.\d+\.\d+(\.\d+)?(, (~>|>=) \d+\.\d+\.\d+(\.\d+)?)*[\s\n]*?)/
Diff:
@@ -1,6 +1,12 @@
-/(Name: [^\n]+
-Version: \d+.\d+.\d+
-URL: https?:\/\/(www\.)?.+
-Title: [^\n]*?
-Solution: upgrade to (~>|>=) \d+\.\d+\.\d+(\.\d+)?(, (~>|>=) \d+\.\d+\.\d+(\.\d+)?)*[\s\n]*?)/
+/Users/nate/code/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No such file or directory @ rb_sysopen - /Users/nate/code/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock (Errno::ENOENT)
+ from /Users/nate/code/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `initialize'
+ from /Users/nate/code/bundler-leak/lib/bundler/plumber/cli.rb:41:in `new'
+ from /Users/nate/code/bundler-leak/lib/bundler/plumber/cli.rb:41:in `check'
+ from /Users/nate/.gem/ruby/2.6.2/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
+ from /Users/nate/.gem/ruby/2.6.2/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
+ from /Users/nate/.gem/ruby/2.6.2/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'
+ from /Users/nate/.gem/ruby/2.6.2/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'
+ from /Users/nate/code/bundler-leak/bin/bundle-leak:10:in `<top (required)>'
+ from /Users/nate/code/bundler-leak/bin/bundler-leak:3:in `load'
+ from /Users/nate/code/bundler-leak/bin/bundler-leak:3:in `<main>'
# ./spec/integration_spec.rb:29:in `block (3 levels) in <top (required)>'
3) Bundler::Plumber::Scanner#scan should yield results
Failure/Error: File.read(File.join(@root,gemfile_lock))
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/nate/code/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock
# ./spec/scanner_spec.rb:9:in `new'
# ./spec/scanner_spec.rb:9:in `block (3 levels) in <top (required)>'
# ./spec/scanner_spec.rb:14:in `block (3 levels) in <top (required)>'
4) Bundler::Plumber::Scanner#scan when not called with a block should return an Enumerator
Failure/Error: File.read(File.join(@root,gemfile_lock))
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/nate/code/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock
# ./spec/scanner_spec.rb:9:in `new'
# ./spec/scanner_spec.rb:9:in `block (3 levels) in <top (required)>'
# ./spec/scanner_spec.rb:21:in `block (4 levels) in <top (required)>'
5) Bundler::Plumber::Scanner when auditing a bundle with unpatched gems should match unpatched gems to their advisories
Failure/Error: File.read(File.join(@root,gemfile_lock))
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/nate/code/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock
# ./spec/scanner_spec.rb:29:in `new'
# ./spec/scanner_spec.rb:29:in `block (3 levels) in <top (required)>'
# ./spec/scanner_spec.rb:31:in `block (3 levels) in <top (required)>'
# ./spec/scanner_spec.rb:34:in `block (3 levels) in <top (required)>'
6) Bundler::Plumber::Scanner when auditing a bundle with unpatched gems when the :ignore option is given should ignore the specified advisories
Failure/Error: File.read(File.join(@root,gemfile_lock))
Errno::ENOENT:
No such file or directory @ rb_sysopen - /Users/nate/code/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock
# ./spec/scanner_spec.rb:29:in `new'
# ./spec/scanner_spec.rb:29:in `block (3 levels) in <top (required)>'
# ./spec/scanner_spec.rb:40:in `block (4 levels) in <top (required)>'
# ./spec/scanner_spec.rb:43:in `block (4 levels) in <top (required)>'
Finished in 1.25 seconds (files took 0.20536 seconds to load)
44 examples, 6 failures
Failed examples:
rspec ./spec/integration_spec.rb:18 # CLI when auditing a bundle with unpatched gems should print a warning
rspec ./spec/integration_spec.rb:22 # CLI when auditing a bundle with unpatched gems should print advisory information for the vulnerable gems
rspec ./spec/scanner_spec.rb:11 # Bundler::Plumber::Scanner#scan should yield results
rspec ./spec/scanner_spec.rb:20 # Bundler::Plumber::Scanner#scan when not called with a block should return an Enumerator
rspec ./spec/scanner_spec.rb:33 # Bundler::Plumber::Scanner when auditing a bundle with unpatched gems should match unpatched gems to their advisories
rspec ./spec/scanner_spec.rb:42 # Bundler::Plumber::Scanner when auditing a bundle with unpatched gems when the :ignore option is given should ignore the specified advisories
Before we start...:
Branch/Commit:
main
Expected behavior:
Test suite should pass.
Actual behavior:
Test suite does not pass.
Steps to reproduce:
Context and environment:
You can see this failure in GitHub Actions. It should be easy to replicate in a Mac OS X environment too (I did!)
Part of the problem is that every time we run the test suite we are creating a brand new Gemfile.lock inside the unpatched_gems directory: https://github.com/rubymem/bundler-leak/blob/main/Rakefile#L43-L47
I don't see why that is necessary, that particular Gemfile.lock could be checked in to the repository. The important part is to have the unpatched gem inside the Gemfile.lock file.
Logs
bundle exec rake
cd spec/bundle/unpatched_gems
unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle config set --local path '../../../vendor/bundle' && bundle install
Fetching gem metadata from https://rubygems.org/...........
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies...
Using bundler 2.1.4
Using dotenv 2.7.6
Using nenv 0.3.0
Using rspec-logsplit 0.1.3
Using hitimes 2.0.0
Using libv8 3.16.14.19
Using ref 2.0.0
Using timers 4.0.4
Fetching therubyracer 0.12.1
Using celluloid-essentials 0.20.2
Using celluloid-extras 0.20.0
Using celluloid-fsm 0.20.0
Using celluloid-pool 0.20.0
Using celluloid-supervision 0.20.1
Using celluloid 0.17.0
Installing therubyracer 0.12.1 with native extensions
Gem::Ext::BuildError: ERROR: Failed to build gem native extension.
current directory: /Users/etagwerker/Projects/rubymem/bundler-leak/vendor/bundle/ruby/2.7.0/gems/therubyracer-0.12.1/ext/v8
/Users/etagwerker/.rvm/rubies/ruby-2.7.3/bin/ruby -I /Users/etagwerker/.rvm/rubies/ruby-2.7.3/lib/ruby/2.7.0 -r ./siteconf20220315-10483-1353tzy.rb extconf.rb --with-v8-dir\=/usr/local/opt/v8
checking for -lpthread... yes
checking for -lobjc... yes
checking for v8.h... no
*** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary
libraries and/or headers. Check the mkmf.log file for more details. You may
need configuration options.
Provided configuration options:
--with-opt-dir
--with-opt-include
--without-opt-include=${opt-dir}/include
--with-opt-lib
--without-opt-lib=${opt-dir}/lib
--with-make-prog
--without-make-prog
--srcdir=.
--curdir
--ruby=/Users/etagwerker/.rvm/rubies/ruby-2.7.3/bin/$(RUBY_BASE_NAME)
--with-pthread-dir
--without-pthread-dir
--with-pthread-include
--without-pthread-include=${pthread-dir}/include
--with-pthread-lib
--without-pthread-lib=${pthread-dir}/lib
--with-pthreadlib
--without-pthreadlib
--with-objc-dir
--without-objc-dir
--with-objc-include
--without-objc-include=${objc-dir}/include
--with-objc-lib
--without-objc-lib=${objc-dir}/lib
--with-objclib
--without-objclib
--enable-debug
--disable-debug
--with-v8-dir
--with-v8-include
--without-v8-include=${v8-dir}/include
--with-v8-lib
--without-v8-lib=${v8-dir}/lib
/Users/etagwerker/Projects/rubymem/bundler-leak/vendor/bundle/ruby/2.7.0/gems/libv8-3.16.14.19/ext/libv8/location.rb:50:in `configure': By using --with-system-v8, you have chosen to use the version (Libv8::Location::System::NotFoundError)
of V8 found on your system and *not* the one that is bundled with
the libv8 rubygem.
However, your system version of v8 could not be located.
Please make sure your system version of v8 that is compatible
with 3.16.14.19 installed. You may need to use the
--with-v8-dir option if it is installed in a non-standard location
from /Users/etagwerker/Projects/rubymem/bundler-leak/vendor/bundle/ruby/2.7.0/gems/libv8-3.16.14.19/lib/libv8.rb:7:in `configure_makefile'
from extconf.rb:32:in `<main>'
To see why this extension failed to compile, please check the mkmf.log which can be found here:
/Users/etagwerker/Projects/rubymem/bundler-leak/vendor/bundle/ruby/2.7.0/extensions/x86_64-darwin-19/2.7.0/therubyracer-0.12.1/mkmf.log
extconf failed, exit code 1
Gem files will remain installed in /Users/etagwerker/Projects/rubymem/bundler-leak/vendor/bundle/ruby/2.7.0/gems/therubyracer-0.12.1 for inspection.
Results logged to /Users/etagwerker/Projects/rubymem/bundler-leak/vendor/bundle/ruby/2.7.0/extensions/x86_64-darwin-19/2.7.0/therubyracer-0.12.1/gem_make.out
An error occurred while installing therubyracer (0.12.1), and Bundler cannot continue.
Make sure that `gem install therubyracer -v '0.12.1' --source 'https://rubygems.org/'` succeeds before bundling.
In Gemfile:
therubyracer
rake aborted!
Command failed with status (5): [unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYO...]
/Users/etagwerker/Projects/rubymem/bundler-leak/Rakefile:45:in `block (4 levels) in <top (required)>'
/Users/etagwerker/Projects/rubymem/bundler-leak/Rakefile:44:in `block (3 levels) in <top (required)>'
/Users/etagwerker/Projects/rubymem/bundler-leak/Rakefile:43:in `each'
/Users/etagwerker/Projects/rubymem/bundler-leak/Rakefile:43:in `block (2 levels) in <top (required)>'
/Users/etagwerker/.rvm/rubies/ruby-2.7.3/bin/bundle:23:in `load'
/Users/etagwerker/.rvm/rubies/ruby-2.7.3/bin/bundle:23:in `<main>'
/Users/etagwerker/.rvm/gems/ruby-2.7.3@leak/bin/ruby_executable_hooks:22:in `eval'
/Users/etagwerker/.rvm/gems/ruby-2.7.3@leak/bin/ruby_executable_hooks:22:in `<main>'
Tasks: TOP => default => spec => spec:bundle
(See full trace by running task with --trace)
I will abide by the code of conduct
Creating this issue to keep track of #10 (comment).
It seems that bundle leak check --update is necessary for the tool to work out of the box
It would be great if bundle leak did an update the first time it runs. What do you think, @bronzdoc?
bundle leak help check output says:
Checks the Gemfile.lock for insecure dependencies
(Presumably because this is based on bundler-audit and wasn't changed).
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.