
InsecureSource results in exit code 1 #106

Closed
krigar opened this issue Aug 17, 2015 · 8 comments

Comments

@krigar

krigar commented Aug 17, 2015

We're about to integrate bundler-audit into our CircleCI build process and it's looking really promising except for one fact: ignoring vulnerabilities leads to none being listed by bundler-audit, but it still exits with exit code 1, making CircleCI think it failed.

The reason why we ignore some vulnerabilities is because we're running on a forked version of https://github.com/spree/spree and we have to monkey patch their security patches instead of upgrading the version.

Example output:

$ bundle exec bundle-audit check --update --ignore OSVDB-119205 OSVDB-125699 OSVDB-125701
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up-to-date.
ruby-advisory-db: 226 advisories
Vulnerabilities found!
@krigar
Author

krigar commented Aug 17, 2015

Figured this one out, it was due to some git repositories in our lockfile that got marked as InsecureSource.

I understand the need to generate a warning when using external git repositories, but should the warning result in vulnerable being set to true?

@krigar krigar changed the title Ignored vulnerabilities still results in an exit code 1 InsecureSource results in exit code 1 Aug 17, 2015
@postmodern
Member

If the repositories are insecure, an attacker could MITM them and inject arbitrary code. If your threat model involves MITMing, then it makes sense to mark them as vulnerable; plus it's not hard to switch to https:// or git@.
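
To make the distinction in this thread concrete (git:// and http:// remotes are flagged as InsecureSource, https:// and SSH remotes are not, and --ignore only removes advisories by ID so it cannot clear an InsecureSource finding), here is an added example. It is not bundler-audit's own code: it is a simplified, stand-alone reimplementation of that check over a constructed Gemfile.lock, with a hypothetical advisory list standing in for ruby-advisory-db. It goes one step beyond the thread by also treating a plain http:// GEM remote (such as http://rubygems.org/) as insecure, on the assumption that the same MITM reasoning applies to gem downloads as to git clones.

```ruby
# Added example, not bundler-audit's own code: a minimal InsecureSource
# check over a Gemfile.lock, plus the exit-code logic the issue describes.

# Constructed sample lockfile (not from the original issue). It has one
# git:// source, one scp-style SSH source, one http:// gem remote and one
# https:// gem remote, in the layout Bundler actually writes.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: git://github.com/spree/spree.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      spree (2.4.0)

  GIT
    remote: git@github.com:example/private-gem.git
    revision: 89abcdef0123456789abcdef0123456789abcdef
    specs:
      private-gem (1.0.0)

  GEM
    remote: http://rubygems.org/
    specs:
      rake (10.4.2)

  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.6.4)
LOCK

# Hypothetical advisory hits (IDs taken from the issue's command line, the
# gem/version pairing is invented) standing in for a ruby-advisory-db match.
SAMPLE_ADVISORIES = [
  { id: 'OSVDB-119205', gem: 'spree' },
  { id: 'OSVDB-125699', gem: 'spree' },
  { id: 'OSVDB-125701', gem: 'spree' },
].freeze

# Returns [[section, remote], ...] for every "remote:" line, tagged with the
# GIT / GEM / PATH section it sits under.
def lockfile_remotes(text)
  section = nil
  text.each_line.with_object([]) do |line, acc|
    if line =~ /\A([A-Z][A-Z ]*[A-Z])\s*\z/
      section = $1
    elsif section && line =~ /\A\s+remote:\s+(\S+)/
      acc << [section, $1]
    end
  end
end

# True when fetching from +remote+ is neither encrypted nor authenticated.
# https:// and SSH (ssh://host/... or scp-style user@host:path) are accepted;
# git:// and http:// are the insecure schemes; anything unrecognised is
# flagged conservatively rather than silently trusted.
def insecure_remote?(remote)
  case remote
  when %r{\Ahttps://}i           then false
  when %r{\Assh://}i             then false
  when /\A[\w.-]+@[\w.-]+:/      then false   # e.g. git@github.com:org/repo.git
  when %r{\A(git|http)://}i      then true
  else                                true
  end
end

# The scheme swap that fixes the common case (assumes the host also serves
# the repository over HTTPS, which GitHub does).
def suggested_fix(remote)
  remote.sub(%r{\A(git|http)://}i, 'https://')
end

# InsecureSource findings for the GIT and GEM sections of a lockfile.
# PATH sources are local checkouts and are skipped.
def scan_sources(text)
  lockfile_remotes(text)
    .select { |section, _| %w[GIT GEM].include?(section) }
    .select { |_, remote| insecure_remote?(remote) }
    .map    { |section, remote| { type: :insecure_source, section: section, remote: remote } }
end

# Exit code as the issue describes it: --ignore strips advisories by ID, but an
# InsecureSource finding carries no advisory ID, so it survives and the result
# stays 1 until the remote itself is changed.
def audit_exit_code(text, advisories: SAMPLE_ADVISORIES, ignore: [])
  findings  = scan_sources(text)
  findings += advisories.reject { |a| ignore.include?(a[:id]) }
                        .map    { |a| a.merge(type: :advisory) }
  findings.empty? ? 0 : 1
end

if __FILE__ == $0
  scan_sources(SAMPLE_LOCKFILE).each do |f|
    puts "Insecure Source URI found: #{f[:remote]} (#{f[:section]} section)"
    puts "  switch it to: #{suggested_fix(f[:remote])}"
  end
  ids = SAMPLE_ADVISORIES.map { |a| a[:id] }
  puts "exit code with all advisories ignored: #{audit_exit_code(SAMPLE_LOCKFILE, ignore: ids)}"
end
```

Run it and the two insecure remotes are reported while the git@ and https:// ones are not; ignoring every advisory ID still yields exit code 1 because the InsecureSource findings are not advisories. Rewrite the git:// and http:// remotes to https:// (or to SSH) and the same ignore list gives exit code 0.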

@reedloden
Member

Why would git@ be more secure than http://? Aren't they effectively both unauthenticated and unencrypted? Are you referring to git over ssh, perhaps?

@Mange

Mange commented Aug 29, 2015

Yes. git@ is the syntax for GitHub as the SSH user is named git there.
git:// and http:// are insecure.

@reedloden
Member

Oh, duh. Reading comprehension fail. My bad.

@JuanitoFatas
Contributor

@krigar Hi! Did you solve the rake task? You could use the rake task in your project from #115 or try this commit.

Then I think this issue can be closed? InsecureSource results in exit code 1 is correct as @postmodern mentioned in this comment.

Thanks!

@postmodern
Member

Can this be closed?

@krigar
Author

krigar commented Feb 29, 2016

Hey, yeah, I'll close it now.
