Merged
33 changes: 24 additions & 9 deletions Dockerfile
@@ -1,19 +1,34 @@
FROM codeclimate/alpine-ruby:b38
FROM alpine:3.6
Contributor
What do you think of using the 2.4-alpine3.6 base image so we can skip the ruby/bundler install?

Contributor Author
For whatever reason I had issues with that base image. Engine code could not find bundler-audit files.

`require': cannot load such file -- bundler/audit/scanner (LoadError)

I spent more time than I should have on it and didn't find the cause of it. Vanilla Alpine and packaged Ruby worked so I stuck with it.


RUN adduser -u 9000 -D app

WORKDIR /usr/src/app
RUN apk --update add ruby ruby-bundler git

COPY Gemfile* /usr/src/app/
RUN bundle install --jobs 4 && \
rm -rf /usr/share/ri
RUN apk add --no-cache ruby ruby-json git && \
gem install --no-ri --no-rdoc bundler && \
rm -r ~/.gem

RUN adduser -u 9000 -D app
USER app
COPY Gemfile* /usr/src/app/
RUN bundle install --without=test --no-cache && \
rm -rf ~/.bundle /usr/lib/ruby/gems/2.4.0/cache/* /usr/share/ri

COPY DATABASE_VERSION /usr/src/app/DATABASE_VERSION

RUN bundle-audit update
COPY bin bin/
COPY lib lib/
Contributor
Is there a reason to avoid a simpler COPY . ./ here?

Contributor Author
Smaller image. That is all. And we can't put all the unwanted files in .dockerignore because we want some of them included in the test image.

RUN chown -R app:app .

USER app

COPY . /usr/src/app
# The following step has to be ran by app user aas it depends on $HOME
RUN bundle-audit update && \
for f in ~/.local/share/ruby-advisory-db/* ~/.local/share/ruby-advisory-db/.*; do \
name="$(basename "$f")"; \
test "$name" = "gems" || \
test "$name" = "." || \
test "$name" = ".." || \
test "$name" = ".git" || \
rm -r "$f"; \
done
Contributor
How much do we save by removing these files? Would just the bundle-audit update suffice?


CMD ["/usr/src/app/bin/bundler-audit"]
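Review bot: the comment `# The following step has to be ran by app user aas it depends on $HOME` has two typos (`ran` should be `run`, `aas` should be `as`). While touching that line, the for-loop that prunes `~/.local/share/ruby-advisory-db` only needs the `test "$name" = "."` and `".."` cases because the `.*` glob matches those entries; a single `find ~/.local/share/ruby-advisory-db -mindepth 1 -maxdepth 1 ! -name gems ! -name .git -exec rm -r {} +` keeps the same two directories (`gems` and `.git`) and is easier to read than the four-way `test ... ||` chain. Since the earlier review question about the space saved is still open, it would also help to record the before/after size in the Dockerfile comment so the next reader knows why this cleanup is worth the extra layer.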
13 changes: 13 additions & 0 deletions Dockerfile.test
@@ -0,0 +1,13 @@
FROM codeclimate/codeclimate-bundler-audit

USER root

RUN bundler install --no-cache --with="development test"

COPY Rakefile ./
COPY spec spec/
RUN chown -R app:app Rakefile spec

user app

CMD ["bundle", "exec", "rake"]
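Review bot: `FROM codeclimate/codeclimate-bundler-audit` hard-codes the base image name, while the Makefile lets `IMAGE_NAME` be overridden; anyone building with a different `IMAGE_NAME` will have the test image silently built on top of whatever `codeclimate/codeclimate-bundler-audit:latest` is on their machine rather than the image `make image` just produced. Consider `ARG BASE_IMAGE=codeclimate/codeclimate-bundler-audit` followed by `FROM $BASE_IMAGE`, with the Makefile passing `--build-arg BASE_IMAGE=$(IMAGE_NAME)`. Minor: `user app` should be `USER app` to match the uppercase instructions used elsewhere in both Dockerfiles.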
7 changes: 5 additions & 2 deletions Gemfile
@@ -1,8 +1,11 @@
source "https://rubygems.org"

gem "bundler-audit", "~> 0.5.0"
gem "bundler-audit", "~> 0.6.0"
gem "versionomy", "~> 0.5.0"
gem "rake"

group :development do
gem "rake"
end

group :test do
gem "pry"
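Review bot: moving `gem "rake"` into `group :development` does not keep it out of the production image, because the Dockerfile installs with `bundle install --without=test`, so only the `:test` group is skipped. If the goal of this hunk is a smaller prod image, either install with `--without development test` in the Dockerfile (Dockerfile.test already re-adds both groups with `--with="development test"`) or put rake in the `:test` group alongside pry, since the only consumer shown here is the `bundle exec rake` CMD in Dockerfile.test.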
46 changes: 23 additions & 23 deletions Gemfile.lock
@@ -2,44 +2,44 @@ GEM
remote: https://rubygems.org/
specs:
blockenspiel (0.5.0)
bundler-audit (0.5.0)
bundler-audit (0.6.0)
bundler (~> 1.2)
thor (~> 0.18)
coderay (1.1.1)
diff-lcs (1.2.5)
method_source (0.8.2)
pry (0.10.4)
coderay (1.1.2)
diff-lcs (1.3)
json (2.1.0)
method_source (0.9.0)
pry (0.11.3)
coderay (~> 1.1.0)
method_source (~> 0.8.1)
slop (~> 3.4)
rake (10.4.2)
rspec (3.3.0)
rspec-core (~> 3.3.0)
rspec-expectations (~> 3.3.0)
rspec-mocks (~> 3.3.0)
rspec-core (3.3.1)
rspec-support (~> 3.3.0)
rspec-expectations (3.3.0)
method_source (~> 0.9.0)
rake (12.2.1)
rspec (3.7.0)
rspec-core (~> 3.7.0)
rspec-expectations (~> 3.7.0)
rspec-mocks (~> 3.7.0)
rspec-core (3.7.0)
rspec-support (~> 3.7.0)
rspec-expectations (3.7.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.3.0)
rspec-mocks (3.3.1)
rspec-support (~> 3.7.0)
rspec-mocks (3.7.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.3.0)
rspec-support (3.3.0)
slop (3.6.0)
thor (0.19.1)
rspec-support (~> 3.7.0)
rspec-support (3.7.0)
thor (0.20.0)
versionomy (0.5.0)
blockenspiel (~> 0.5)

PLATFORMS
ruby

DEPENDENCIES
bundler-audit (~> 0.5.0)
bundler-audit (~> 0.6.0)
json
pry
rake
rspec
versionomy (~> 0.5.0)

BUNDLED WITH
1.15.3
1.16.0
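Review bot: `BUNDLED WITH` moves to 1.16.0, but the Dockerfile installs bundler unpinned (`gem install --no-ri --no-rdoc bundler`), so each rebuild picks up whatever bundler is current on rubygems.org and may rewrite this section of the lockfile or change resolution behaviour. Pinning the install to the lockfile's version (`gem install --no-ri --no-rdoc bundler -v 1.16.0`) keeps image builds reproducible and makes the lockfile the single source of truth for the bundler version.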
13 changes: 9 additions & 4 deletions Makefile
@@ -1,15 +1,20 @@
.PHONY: image test citest update_version

IMAGE_NAME ?= codeclimate/codeclimate-bundler-audit
TEST_IMAGE_NAME ?= $(IMAGE_NAME)-test

image:
docker build --rm -t $(IMAGE_NAME) .

test: image
docker run -e PAGER=more --tty --interactive --rm $(IMAGE_NAME) bundle exec rake
test-image: image
Contributor
What is the difference in image size by maintaining a separate Docker image? I'm wondering if the extra complexity of two images/Dockerfiles is worth the gain.

Contributor Author
The way it's set up in this PR, the prod image is 19MB/30% smaller than the test image. The prod image is 43.7MB, the test image is 62.7MB.

With the proposed changes (ruby base image, copy all, bundler-audit cleanup removed) the image ends up clocking in at 74MB, or 69% larger.

docker build --rm -t $(TEST_IMAGE_NAME) -f Dockerfile.test .

citest:
docker run --rm $(IMAGE_NAME) bundle exec rake
test:
@$(MAKE) test-image > /dev/null
docker run \
-e PAGER=more \
--tty --interactive --rm \
$(TEST_IMAGE_NAME)

update_database:
date > DATABASE_VERSION
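Review bot: the `.PHONY: image test citest update_version` line is now out of date: `citest` is removed in this hunk and the new `test-image` target is not declared, so a file or directory named `test-image` in the checkout would make `make test-image` a no-op (and `update_database` is likewise undeclared). Update it to `.PHONY: image test-image test update_database`. Also, `@$(MAKE) test-image > /dev/null` discards the build log on success, which is fine, but since `test` already depends on the image being built, declaring `test: test-image` as a prerequisite instead of a recursive `$(MAKE)` call is simpler and lets make's own dependency handling do the work.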
4 changes: 2 additions & 2 deletions circle.yml
@@ -12,11 +12,11 @@ dependencies:
--env GCR_JSON_KEY
--volume /var/run/docker.sock:/var/run/docker.sock
codeclimate/patrick pull || true
- make image
- make test-image

test:
override:
- make citest
- make test

deployment:
registry:
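Review bot: switching the override from `make citest` to `make test` means CI now runs the Makefile's `test` recipe, which passes `--tty --interactive` to `docker run`; when stdin is not a terminal, as is typical in CI, `docker run` with both flags exits with "the input device is not a TTY" instead of running the suite. The removed `citest` target existed precisely to run without those flags. Keep a non-interactive target for CI (for example `citest: test-image` that runs `docker run --rm $(TEST_IMAGE_NAME)`) and call that here, or drop `--tty --interactive` from the shared recipe and set `PAGER=more` only for local use.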
2 changes: 2 additions & 0 deletions lib/cc/engine/bundler_audit/analyzer.rb
@@ -1,3 +1,5 @@
require "tmpdir"

module CC
module Engine
module BundlerAudit