
Enhancement: Add support for rbenv during RubyBundleAuditAnalyzer initialization #2060

Closed
chris-sansone-angi opened this issue Jul 10, 2019 · 0 comments
@chris-sansone-angi (Contributor):

Right now the RubyBundleAuditAnalyzer does not support rbenv during initialization, and it would be awesome if it could support it so that version-specific Ruby installs can be taken into account.

The following demonstrates that just executing the bundler-audit command can differ based on your rbenv config as documented here:

someuser@somepc:~$ cd ~
someuser@somepc:~$ rbenv global
2.6.3
someuser@somepc:~$ rbenv version
2.6.3 (set by /Users/someuser/.rbenv/version)
someuser@somepc:~$ bundler-audit
rbenv: bundler-audit: command not found

The `bundler-audit' command exists in these Ruby versions:
  2.5.0
someuser@somepc:~$ cd ~/path/to/some/project/repo
someuser@somepc:~/path/to/some/project/repo$ cat .ruby-version
2.5.0
someuser@somepc:~/path/to/some/project/repo$ rbenv global
2.6.3
someuser@somepc:~/path/to/some/project/repo$ rbenv version
2.5.0 (set by /Users/someuser/path/to/some/project/repo/.ruby-version)
someuser@somepc:~/path/to/some/project/repo$ bundler-audit
Name: actionview
Version: 5.2.0
Advisory: CVE-2019-5419
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11
...
...

The above demonstrates that...

  1. The global Ruby version is 2.6.3, as set by /Users/someuser/.rbenv/version.
  2. Running bundler-audit does not work because the gem is only installed (shimmed) for Ruby 2.5.0.
  3. Once we change our working directory to a directory that contains a .ruby-version file which specifies Ruby 2.5.0, we are able to successfully execute the bundler-audit command.

The main issue at hand here is that during the initialization phase the working directory for the executed sub-process is set to a temporary directory. If bundler-audit is globally available, the initialization works just fine, and then during the analysis phase the rbenv-specific version of bundler-audit is used, because the working directory will be set to the directory of the Gemfile.lock file, which is also the directory where the .ruby-version file lives.
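To make the behaviour in the report reproducible without a real rbenv install, here is an added example (not code from the issue or from DependencyCheck) that mimics rbenv's version lookup order for a given working directory and a helper that runs a command from the Gemfile.lock directory, which is the fix the report is asking for. The rbenv root path defaulting to ~/.rbenv and the stripping of a leading `ruby-` in .ruby-version are assumptions about rbenv's behaviour.

```shell
#!/bin/sh
# Added example, not part of the issue or of DependencyCheck.
# Mimics rbenv's version resolution so the temp-dir vs. project-dir
# difference from the report can be shown offline.

resolve_ruby_version() {
  # $1: working directory; $2: rbenv root (assumed default: ~/.rbenv)
  dir=$(cd "$1" && pwd -P) || return 1
  root=${2:-$HOME/.rbenv}

  # 1. An explicit RBENV_VERSION in the environment wins.
  if [ -n "$RBENV_VERSION" ]; then
    printf '%s\n' "$RBENV_VERSION"
    return 0
  fi

  # 2. The nearest .ruby-version file, walking up from the working dir.
  #    A temp directory has none, so step 3 applies there; the project
  #    directory holding Gemfile.lock is where the file is found.
  while :; do
    if [ -f "$dir/.ruby-version" ]; then
      # rbenv accepts a leading "ruby-" prefix (assumed behaviour)
      head -n 1 "$dir/.ruby-version" | sed 's/^ruby-//'
      return 0
    fi
    [ "$dir" = "/" ] && break
    dir=$(dirname "$dir")
  done

  # 3. The global version file (what `rbenv global` reports).
  if [ -f "$root/version" ]; then
    head -n 1 "$root/version"
    return 0
  fi
  echo system
}

# Run a command from the directory containing Gemfile.lock, so that the
# per-project Ruby (and the gems installed for it) are the ones in effect.
run_in_lockfile_dir() {
  # $1: path to Gemfile.lock; remaining args: the command to run
  lock=$1; shift
  ( cd "$(dirname "$lock")" && "$@" )
}
```

Calling `run_in_lockfile_dir /path/to/repo/Gemfile.lock bundler-audit` is the equivalent of the `cd` the reporter had to do by hand before bundler-audit resolved.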

@jeremylong jeremylong added this to the 5.2.0 milestone Jul 21, 2019
@lock lock bot locked and limited conversation to collaborators Aug 20, 2019