-
-
Notifications
You must be signed in to change notification settings - Fork 229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove platform duplicates #356
base: master
Are you sure you want to change the base?
Conversation
@@ -1,4 +1,4 @@ | |||
source 'https://rubygems.org' | |||
|
|||
gem 'rails', '~> 5.2' | |||
gem 'rails', '~> 7.0.4' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
need after changing the fixed commit of the advisory db
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we need to bump the rails
version and the ruby-advisory-db
commit, that can be done in a separate PR which I can immediately merge.
@@ -12,7 +12,7 @@ module Fixtures | |||
module Database | |||
PATH = File.join(ROOT,'database') | |||
|
|||
COMMIT = '89cdde9a725bb6f8a483bca97c5da344e060ac61' | |||
COMMIT = '137a425b9f4f30f895df8765b0e773400170803d' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needed to get latest advisory for nokogiri
@ylecuyer maybe a better fix would be to print the gem's platform (if set) along with the gem name and version in the report? I think it would be bad if Also, under normal circumstances, you shouldn't have gems from multiple platforms in the
I suspect the multiple platforms are due to gems having explicit |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some of these commits could be separate PRs. Also, I'm afraid that by filtering out other non-ruby
platforms, bundler-audit
might miss information vulnerabilities.
@@ -224,7 +224,7 @@ def scan_specs(options={}) | |||
config.ignore | |||
end | |||
|
|||
@lockfile.specs.each do |gem| | |||
@lockfile.specs.select { |gem| gem.platform == "ruby" }.each do |gem| |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This would cause bundler-audit
to ignore platform specific gems, potentially allowing vulnerabilities to slip by.
@@ -67,7 +67,6 @@ | |||
subject { super().scan.to_a } | |||
|
|||
it "should print nothing when everything is fine" do | |||
puts subject.inspect |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This could totally be a separate PR that I could instantly merge.
mini_portile2 (~> 2.8.0) | ||
racc (~> 1.4) | ||
nokogiri (1.13.6-x86_64-linux) | ||
racc (~> 1.4) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we are going to test Gemfile.lock
containing gems from multiple platforms or gems which explicit platforms set in the Gemfile
, I think that should be a separate spec/bundle/
directory (ex: spec/bundle/unpatched_multi_platform/
).
@@ -1,4 +1,4 @@ | |||
source 'https://rubygems.org' | |||
|
|||
gem 'rails', '~> 5.2' | |||
gem 'rails', '~> 7.0.4' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we need to bump the rails
version and the ruby-advisory-db
commit, that can be done in a separate PR which I can immediately merge.
Hello, lately we noticed some gems having duplicates in the report because of the various platform.
Here is an example with nokogiri:
And this is causing the duplicates.
As a fix, I suggest to filter and keep only the ruby platform for the check.