Ability to define the Gemfile via BUNDLE_GEMFILE

[gurix]

When using bundler, a common strategy to handle different Gemfiles for a project is to use the environment variable BUNDLE_GEMFILE. Bundle audit does not support to set a specific Gemfile. This pull request addes this abillity.

Example:

markus@markuss-mbp ~/workspace/bundler-audit (master) $ BUNDLE_GEMFILE=../helena/gemfiles/rails_4.2.gemfile bin/bundle-audit 
No vulnerabilities found
markus@markuss-mbp ~/workspace/bundler-audit (master) $ BUNDLE_GEMFILE=../helena/gemfiles/rails_5.1.gemfile bin/bundle-audit 
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: https://github.com/flavorjones/loofah/issues/154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: https://github.com/rubyzip/rubyzip/issues/369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2

Vulnerabilities found!

[postmodern]

Tagging this for the 0.9.0 milestone. Currently preparing to merge/release 0.8.0, so consider rebasing after 0.8.0 has been released.

[postmodern]

bundler-audit 0.8.0 added support for a --gemfile-lock option for specifying a custom lock file to scan. Would this feature be more useful for automatically inferring the default lock file to scan?

[postmodern]

Going to push this off until 0.10.0.

[pboling]

Nevermind, I just needed to add --update locally.

Does the --gemfile-lock option still work?

I have a lockfile with nokogiri at ~> 1.15.0 which can't update past the recent security alert here: GHSA-r95h-9x8f-r3f7

Bundle audit normally works when this scenario is reproduced inside my main Gemfile, without using any flags.

But, if I try to specify a different gemfile.lock:

❯ export BUNDLE_GEMFILE=gemfiles/rails_7_2.gemfile

❯ echo $BUNDLE_GEMFILE
gemfiles/rails_7_2.gemfile

❯ cat $BUNDLE_GEMFILE
source "https://rubygems.org"

gem "nokogiri", "~> 1.15.0"

❯ bundle install --gemfile $BUNDLE_GEMFILE
Fetching gem metadata from https://rubygems.org/...........
Resolving dependencies...
Bundle complete! 1 Gemfile dependency, 4 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.

❯ bundle-audit --gemfile-lock $BUNDLE_GEMFILE
No vulnerabilities found

❯ cat $BUNDLE_GEMFILE.lock
GEM
  remote: https://rubygems.org/
  specs:
    mini_portile2 (2.8.7)
    nokogiri (1.15.6)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    racc (1.8.1)

PLATFORMS
  aarch64-linux
  aarch64-linux-gnu
  aarch64-linux-musl
  arm-linux
  arm-linux-gnu
  arm-linux-musl
  arm64-darwin
  x86-linux
  x86-linux-gnu
  x86-linux-musl
  x86_64-darwin
  x86_64-linux
  x86_64-linux-gnu
  x86_64-linux-musl

DEPENDENCIES
  nokogiri (~> 1.15.0)

BUNDLED WITH
   2.5.18

It is not reading my specified lockfile.