Last active
July 22, 2022 09:15
-
-
Save zealot128/675e6ce11bb7e6a63aeba697d540d230 to your computer and use it in GitHub Desktop.
Batch Bundler-audit a whole directory and bundle update all the affected Gems conservatively
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'bundler/inline' | |
| # TODO: Skip Auto udpate when not on master or main branch | |
| gemfile do | |
| source 'https://rubygems.org' | |
| gem 'bundler-audit', "~> 0.9" | |
| gem 'pry' | |
| gem 'tty-prompt' | |
| end | |
| require 'bundler/audit/scanner' | |
| require 'bundler/audit/cli/formats' | |
| IGNORE = [ | |
| "CVE-2016-10735", # Bootstrap | |
| "CVE-2019-8331", # BOostrap | |
| ] | |
| IGNORE_PROJECTS = %w[some_api_client archived_project1] | |
| include Bundler::Audit::CLI::Formats::Text | |
| def say(*args) | |
| @thor ||= Thor::Shell::Color.new | |
| @thor.say(*args) | |
| end | |
| database = Bundler::Audit::Database.new | |
| say 'updating bundle-audit db' | |
| database.update!(quiet: true) | |
| repos = Dir["*/Gemfile.lock"].reject { |i| File.mtime(i).to_date < Date.today - 365 }.sort.reject { |i| IGNORE_PROJECTS.any? { |j| i.include?(j) } } | |
| def options | |
| OpenStruct.new(verbose: false) | |
| end | |
| gems = {} | |
| repos.each do |gemfile| | |
| print "Auditing #{gemfile}..." | |
| dir = File.expand_path(File.dirname(gemfile)) | |
| Dir.chdir(dir) do | |
| audit = Bundler::Audit::Scanner.new(Dir.pwd, "Gemfile.lock", database) | |
| rr = audit.report(ignore: IGNORE) | |
| rr.results.each do |result| | |
| gems[result.gem.name] ||= [] | |
| gems[result.gem.name] << dir | |
| end | |
| if rr.count > 0 | |
| puts " \033[31m[FAIL]\033[0m Found issues" | |
| print_report(rr) | |
| else | |
| puts " \033[32m[CLEAR]\033[0m" | |
| end | |
| end | |
| end | |
| if gems.length == 0 | |
| exit 0 | |
| end | |
| prompt = TTY::Prompt.new | |
| update_that = prompt.select("What gem to update ALL?", gems.keys) | |
| if update_that.to_s[/^active|^action/] | |
| update_that = 'rails' | |
| end | |
| projects = gems[update_that] | |
| color = Pastel.new | |
| with_errors = [] | |
| projects.each do |project_dir| | |
| Dir.chdir(project_dir) do | |
| puts color.green("Updating #{project_dir}..") | |
| if update_that == 'rails' | |
| system %{/bin/bash -l -c "bundle update #{update_that} > /dev/null"} | |
| else | |
| system %{/bin/bash -l -c "bundle update --conservative #{update_that} > /dev/null"} | |
| end | |
| unless $?.success? | |
| with_errors << project_dir | |
| $stderr.puts color.red("Error bundling #{project_dir} - SKIP") | |
| next | |
| end | |
| system %{git add Gemfile.lock && git commit -m "SecFix: #{update_that}" && git push} | |
| unless $?.success? | |
| with_errors << project_dir | |
| $stderr.puts color.red("Error pushing #{project_dir}") | |
| end | |
| end | |
| end | |
| if with_errors.length > 0 | |
| puts color.red("There were errors updating: #{with_errors.join(' ')} please proceed manually") | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment