Stop publishing Gemfile in default gem template #6723
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Similarly to how the other ignored files are intended for local development and not for production, the Gemfile and Gemfile.lock files for a gem only relate to local development and aren't useful to people installing the gem.
What was the end-user or developer problem that led to this PR?
As part of our organisational security measures, internal systems with our Ruby projects deployed onto them are scanned by a vulnerability management tool. In our case, this tool identifies Ruby vulnerabilities by looking for
Gemfile.lock
files installed on the system and comparing the referenced library versions to the list of relevant vulnerabilities based on the CVE database.In a broad sense, this is a reasonable check - as far as our deployed application is concerned, if its
Gemfile.lock
contains vulnerable libraries then we probably installed those libraries while deploying the app: if youbundle install
in a project containing a file like this, of course you'll pull in the bad dependencies.However, every gem chooses (either explicitly or implicitly) which of its source code's files get included and installed as part of its gem packaging. A large number of gems include their own development
Gemfile.lock
in that list. So that means our vulnerability scanner generates a number of false positives from all of the unusedGemfile.lock
files that have been included in any of those gems.False positives in security scans are bad because where they can't easily be worked around, people often get lazy and start getting used to warning messages and paying less attention to them.
This is not at all the fault of rubygems, or even a strong concern for gem authors, but it's a problem whose root cause is contributed to (in part) by the bundler gem defaults.
What is your fix for the problem, implemented in this PR?
So first up, this fix does not immediately and directly fix the problem I described. In general the approach taken by our scanning tool is overly broad, and we have successfully argued that just identifying
Gemfile.lock
files that reference vulnerable libraries is not enough to demonstrate a vulnerability. We would like to configure our tool to identify just the lock files that we're actively installing against.However, after some research I wasn't able to find a good reason for
Gemfile*
files to get published as part of a gem at all. Just like withtest
files, they're only really useful for local development. If someone was looking to start working on a gem, they shouldn't be starting from the published bundle.This PR stops the gemspec including files beginning with "Gemfile", meaning
Gemfile
andGemfile.lock
.Even though not everyone uses
bundle gem
to get their gem started, by including a template that publishesGemfile
files, this project is suggesting that this is the correct behaviour. That will cascade down to other libraries, blogposts about the process, and so on.Fixing the template also won't tidy up pre-existing gems that mistakenly publish these development files, but it might stop people from creating new ones, and at least provides a point of reference for anyone else who wonders about this.
Make sure the following tasks are checked
*The new test takes inspiration from the similar
gemspec
exclusion test. I wasn't able to testGemfile.lock
because it looks like similar tests in the same file don't actually runbundle install
and I wasn't sure if that was necessary.