Ability to define the Gemfile via BUNDLE_GEMFILE

lib/bundler/audit/cli.rb

@@ -37,8 +37,8 @@ class CLI < ::Thor
 
       def check
         update if options[:update]
-
-        scanner    = Scanner.new
+        gemfile_lock = ENV['BUNDLE_GEMFILE'] ? ENV['BUNDLE_GEMFILE'] + '.lock' : 'Gemfile.lock'
+        scanner    = Scanner.new gemfile_lock
         vulnerable = false
 
         scanner.scan(:ignore => options.ignore) do |result|

lib/bundler/audit/scanner.rb

@@ -22,9 +22,6 @@ class Scanner
       # @return [Database]
       attr_reader :database
 
-      # Project root directory
-      attr_reader :root
-
       # The parsed `Gemfile.lock` from the project
       #
       # @return [Bundler::LockfileParser]
@@ -33,17 +30,14 @@ class Scanner
       #
       # Initializes a scanner.
       #
-      # @param [String] root
-      #   The path to the project root.
-      #
+
       # @param [String] gemfile_lock
-      #   Alternative name for the `Gemfile.lock` file.
+      #   Alternative path for the `Gemfile.lock` file.
       #
-      def initialize(root=Dir.pwd,gemfile_lock='Gemfile.lock')
-        @root     = File.expand_path(root)
+      def initialize(gemfile_lock=File.join(Dir.pwd,'Gemfile.lock'))
         @database = Database.new
         @lockfile = LockfileParser.new(
-          File.read(File.join(@root,gemfile_lock))
+          File.read(gemfile_lock)
         )
       end
 

spec/integration_spec.rb

@@ -79,6 +79,16 @@
     end
   end
 
+  context "when auditing a specific Gemfile using BUNDLE_GEMFILE" do
+    subject do
+       sh("BUNDLE_GEMFILE=spec/bundle/secure/Gemfile #{command}")
+    end
+
+    it "should print nothing when everything is fine" do
+      expect(subject.strip).to eq("No vulnerabilities found")
+    end
+  end
+
   describe "update" do
 
     let(:update_command) { "#{command} update" }

spec/scanner_spec.rb

@@ -3,10 +3,9 @@
 
 describe Scanner do
   describe "#scan" do
-    let(:bundle)    { 'unpatched_gems' }
-    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:gemfile_lock) { File.join('spec','bundle','unpatched_gems','Gemfile.lock') }
 
-    subject { described_class.new(directory) }
+    subject { described_class.new(gemfile_lock) }
 
     it "should yield results" do
       results = []
@@ -24,9 +23,9 @@
   end
 
   context "when auditing a bundle with unpatched gems" do
-    let(:bundle)    { 'unpatched_gems' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-    let(:scanner)  { described_class.new(directory)    }
+    let(:gemfile_lock) { File.join('spec','bundle','unpatched_gems','Gemfile.lock') }
+
+    let(:scanner)  { described_class.new(gemfile_lock)    }
 
     subject { scanner.scan.to_a }
 
@@ -41,16 +40,16 @@
 
       it "should ignore the specified advisories" do
         ids = subject.map { |result| result.advisory.id }
-        
+
         expect(ids).not_to include('OSVDB-89026')
       end
     end
   end
 
   context "when auditing a bundle with insecure sources" do
-    let(:bundle)    { 'insecure_sources' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-    let(:scanner)   { described_class.new(directory)    }
+    let(:gemfile_lock) { File.join('spec','bundle','insecure_sources','Gemfile.lock') }
+
+    let(:scanner)   { described_class.new(gemfile_lock)    }
 
     subject { scanner.scan.to_a }
 
@@ -61,9 +60,9 @@
   end
 
   context "when auditing a secure bundle" do
-    let(:bundle)    { 'secure' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-    let(:scanner)   { described_class.new(directory)    }
+    let(:gemfile_lock) { File.join('spec','bundle','secure','Gemfile.lock') }
+
+    let(:scanner)   { described_class.new(gemfile_lock)    }
 
     subject { scanner.scan.to_a }