rubymem / bundler-leak

Known-leaky gems verification for bundler: `bundle leak` to check your app and find leaky gems in your Gemfile :gem::droplet:
https://www.rubymem.com
GNU General Public License v3.0

`bundle exec rake` and `bundle exec rspec spec` fail after a fresh `git clone` #12

Closed etagwerker closed 5 years ago

etagwerker commented 5 years ago

I just tried to clone and test the app locally and I found these issues:

$ git submodule update --init
error: Server does not allow request for unadvertised object c4fc78ecc3e02d9523d738662e6d6ed2140fed35
Fetched in submodule path 'data/ruby-mem-advisory-db', but it did not contain c4fc78ecc3e02d9523d738662e6d6ed2140fed35. Direct fetching of that commit failed.

When trying to run the tests I found this error:

$ bundle exec rake
cd spec/bundle/secure
unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle
Fetching gem metadata from https://rubygems.org/.............
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies...
Bundler could not find compatible versions for gem "bundler":
  In Gemfile:
    rails (~> 4.2.7.1) was resolved to 4.2.7.1, which depends on
      bundler (>= 1.3.0, < 2.0)

  Current Bundler version:
    bundler (2.0.1)
This Gemfile requires a different version of Bundler.
Perhaps you need to update Bundler by running `gem install bundler`?

Could not find gem 'bundler (>= 1.3.0, < 2.0)', which is required by gem 'rails (~> 4.2.7.1)', in any of the sources.
rake aborted!
Command failed with status (6): [unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYO...]
/Users/etagwerker/Projects/fastruby/bundler-leak/Rakefile:45:in `block (4 levels) in <top (required)>'
/Users/etagwerker/Projects/fastruby/bundler-leak/Rakefile:44:in `block (3 levels) in <top (required)>'
/Users/etagwerker/Projects/fastruby/bundler-leak/Rakefile:43:in `each'
/Users/etagwerker/Projects/fastruby/bundler-leak/Rakefile:43:in `block (2 levels) in <top (required)>'
/Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/rake-12.3.3/exe/rake:27:in `<top (required)>'
/Users/etagwerker/.rvm/gems/ruby-2.5.1/bin/ruby_executable_hooks:24:in `eval'
/Users/etagwerker/.rvm/gems/ruby-2.5.1/bin/ruby_executable_hooks:24:in `<main>'
Tasks: TOP => default => spec => spec:bundle
(See full trace by running task with --trace)

I tried with `bundle exec rspec spec` and I found other errors:

$ bundle exec rspec spec

Bundler::Plumber::Advisory
  load
    #id
      example at ./spec/advisory_spec.rb:34 (FAILED - 1)
    #url
      example at ./spec/advisory_spec.rb:39 (FAILED - 2)
    #title
      example at ./spec/advisory_spec.rb:44 (FAILED - 3)
    #date
      example at ./spec/advisory_spec.rb:49 (FAILED - 4)
    #description
      example at ./spec/advisory_spec.rb:54 (FAILED - 5)
    YAML data not representing a hash
      should raise an exception
    #patched_versions
      should all be Gem::Requirement objects (FAILED - 6)
      should parse the versions (FAILED - 7)
  #unaffected?
    when passed a version that matches one unaffected version
      should return true (FAILED - 8)
    when passed a version that matches no unaffected version
      should return false (FAILED - 9)
  #patched?
    when passed a version that matches one patched version
      should return true (FAILED - 10)
    when passed a version that matches no patched version
      should return false (FAILED - 11)
  #vulnerable?
    when passed a version that matches one patched version
      should return false (FAILED - 12)
    when passed a version that matches no patched version
      should return true (FAILED - 13)
      when unaffected_versions is not empty
        when passed a version that matches one unaffected version
          should return false (FAILED - 14)
        when passed a version that matches no unaffected version
          should return true (FAILED - 15)

Bundler::Plumber
  should have a VERSION constant

Bundler::Plumber::CLI
  #update
    not --quiet (the default)
      when update succeeds
        prints updated message
        prints total advisory count
      when update fails
        prints failure message
        exits with error status code
    --quiet
      when update succeeds
        does not print any output
      when update fails
        prints failure message
        exits with error status code

Bundler::Plumber::Database
  path
    it should be a directory
Cloning into '/Users/etagwerker/Projects/fastruby/bundler-leak/tmp/ruby-mem-advisory-db'...
done.
Timestamp:
[master 801ba71] Dummy commit.
fatal: ambiguous argument 'HEAD~20': unknown revision or path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'
    should prefer the user repo, iff it's as up to date, or more up to date than the vendored one (FAILED - 16)
  update!
Cloning into '/Users/etagwerker/Projects/fastruby/bundler-leak/tmp/ruby-mem-advisory-db'...
done.
    should create the USER_PATH path as needed
Cloning into '/Users/etagwerker/Projects/fastruby/bundler-leak/tmp/ruby-mem-advisory-db'...
done.
HEAD is now at 231688a Merge pull request #4 from rubymem/add-leaky-gems-missing-fields
    should create the repo, then update it given multple successive calls.
  #initialize
    when given no arguments
      should default path to path
    when given a directory
      should set #path
    when given an invalid directory
      should raise an ArgumentError
  #check_gem
    when given a block
      should yield every advisory affecting the gem (FAILED - 17)
    when given no block
      should return an Enumerator
  #size
    should eq 0
  #advisories
    should return a list of all advisories.
  #to_s
    should return the Database path
  #inspect
    should produce a Ruby-ish instance descriptor

CLI
  when auditing a bundle with unpatched gems
    should print a warning (FAILED - 18)
    should print advisory information for the vulnerable gems (FAILED - 19)
  when auditing a secure bundle
    should print nothing when everything is fine (FAILED - 20)
  update
    when advisories update successfully
      should print status

Bundler::Plumber::Scanner
  #scan
    should yield results (FAILED - 21)
    when not called with a block
      should return an Enumerator (FAILED - 22)
  when auditing a bundle with unpatched gems
    should match unpatched gems to their advisories (FAILED - 23)
    when the :ignore option is given
      should ignore the specified advisories (FAILED - 24)
  when auditing a secure bundle
    should print nothing when everything is fine (FAILED - 25)

Failures:

  1) Bundler::Plumber::Advisory load #id
     Failure/Error: data = YAML.load_file(path)

     Errno::ENOENT:
       No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
     # ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:33:in `block (4 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:34:in `block (4 levels) in <top (required)>'

  2) Bundler::Plumber::Advisory load #url
     Failure/Error: data = YAML.load_file(path)

     Errno::ENOENT:
       No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
     # ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:38:in `block (4 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:39:in `block (4 levels) in <top (required)>'

  3) Bundler::Plumber::Advisory load #title
     Failure/Error: data = YAML.load_file(path)

     Errno::ENOENT:
       No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
     # ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:43:in `block (4 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:44:in `block (4 levels) in <top (required)>'

  4) Bundler::Plumber::Advisory load #date
     Failure/Error: data = YAML.load_file(path)

     Errno::ENOENT:
       No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
     # ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:48:in `block (4 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:49:in `block (4 levels) in <top (required)>'

  5) Bundler::Plumber::Advisory load #description
     Failure/Error: data = YAML.load_file(path)

     Errno::ENOENT:
       No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
     # ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:53:in `block (4 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:54:in `block (4 levels) in <top (required)>'

  6) Bundler::Plumber::Advisory load #patched_versions should all be Gem::Requirement objects
     Failure/Error: data = YAML.load_file(path)

     Errno::ENOENT:
       No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
     # ./spec/advisory_spec.rb:67:in `block (4 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:70:in `block (4 levels) in <top (required)>'

  7) Bundler::Plumber::Advisory load #patched_versions should parse the versions
     Failure/Error: data = YAML.load_file(path)

     Errno::ENOENT:
       No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
     # ./spec/advisory_spec.rb:67:in `block (4 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:76:in `block (4 levels) in <top (required)>'

  8) Bundler::Plumber::Advisory#unaffected? when passed a version that matches one unaffected version should return true
     Failure/Error: data = YAML.load_file(path)

     Errno::ENOENT:
       No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
     # ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:87:in `block (4 levels) in <top (required)>'

  9) Bundler::Plumber::Advisory#unaffected? when passed a version that matches no unaffected version should return false
     Failure/Error: data = YAML.load_file(path)

     Errno::ENOENT:
       No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
     # ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
     # ./spec/advisory_spec.rb:95:in `block (4 levels) in <top (required)>'

  10) Bundler::Plumber::Advisory#patched? when passed a version that matches one patched version should return true
      Failure/Error: data = YAML.load_file(path)

      Errno::ENOENT:
        No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
      # ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
      # ./spec/advisory_spec.rb:105:in `block (4 levels) in <top (required)>'

  11) Bundler::Plumber::Advisory#patched? when passed a version that matches no patched version should return false
      Failure/Error: data = YAML.load_file(path)

      Errno::ENOENT:
        No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
      # ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
      # ./spec/advisory_spec.rb:113:in `block (4 levels) in <top (required)>'

  12) Bundler::Plumber::Advisory#vulnerable? when passed a version that matches one patched version should return false
      Failure/Error: data = YAML.load_file(path)

      Errno::ENOENT:
        No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
      # ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
      # ./spec/advisory_spec.rb:123:in `block (4 levels) in <top (required)>'

  13) Bundler::Plumber::Advisory#vulnerable? when passed a version that matches no patched version should return true
      Failure/Error: data = YAML.load_file(path)

      Errno::ENOENT:
        No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
      # ./spec/advisory_spec.rb:27:in `block (2 levels) in <top (required)>'
      # ./spec/advisory_spec.rb:131:in `block (4 levels) in <top (required)>'

  14) Bundler::Plumber::Advisory#vulnerable? when passed a version that matches no patched version when unaffected_versions is not empty when passed a version that matches one unaffected version should return false
      Failure/Error: data = YAML.load_file(path)

      Errno::ENOENT:
        No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
      # ./spec/advisory_spec.rb:135:in `block (5 levels) in <top (required)>'
      # ./spec/advisory_spec.rb:141:in `block (6 levels) in <top (required)>'

  15) Bundler::Plumber::Advisory#vulnerable? when passed a version that matches no patched version when unaffected_versions is not empty when passed a version that matches no unaffected version should return true
      Failure/Error: data = YAML.load_file(path)

      Errno::ENOENT:
        No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db/gems/therubyracer/336.yml
      # ./spec/advisory_spec.rb:135:in `block (5 levels) in <top (required)>'
      # ./spec/advisory_spec.rb:149:in `block (6 levels) in <top (required)>'

  16) Bundler::Plumber::Database path should prefer the user repo, iff it's as up to date, or more up to date than the vendored one
      Failure/Error: expect(Bundler::Plumber::Database.path).to eq Bundler::Plumber::Database::VENDORED_PATH

        expected: "/Users/etagwerker/Projects/fastruby/bundler-leak/data/ruby-mem-advisory-db"
             got: "/Users/etagwerker/Projects/fastruby/bundler-leak/tmp/ruby-mem-advisory-db"

        (compared using ==)
      # ./spec/database_spec.rb:33:in `block (3 levels) in <top (required)>'

  17) Bundler::Plumber::Database#check_gem when given a block should yield every advisory affecting the gem
      Failure/Error: expect(advisories).not_to be_empty
        expected `[].empty?` to return false, got true
      # ./spec/database_spec.rb:98:in `block (4 levels) in <top (required)>'

  18) CLI when auditing a bundle with unpatched gems should print a warning
      Failure/Error: expect(subject).to include("Vulnerabilities found!")

        expected "/Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No suc...in `load'\n\tfrom /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `<main>'\n" to include "Vulnerabilities found!"
        Diff:
        @@ -1,2 +1,12 @@
        -Vulnerabilities found!
        +/Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock (Errno::ENOENT)
        +   from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `initialize'
        +   from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/cli.rb:41:in `new'
        +   from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/cli.rb:41:in `check'
        +   from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
        +   from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
        +   from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'
        +   from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'
        +   from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundle-leak:10:in `<top (required)>'
        +   from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `load'
        +   from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `<main>'

      # ./spec/integration_spec.rb:19:in `block (3 levels) in <top (required)>'

  19) CLI when auditing a bundle with unpatched gems should print advisory information for the vulnerable gems
      Failure/Error: expect(subject).to match(advisory_pattern)

        expected "/Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No suc...in `load'\n\tfrom /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `<main>'\n" to match /(Name: [^\n]+
        Version: \d+.\d+.\d+
        URL: https?:\/\/(www\.)?.+
        Title: [^\n]*?
        Solution: remove or disable this gem until a patch is available!)+/
        Diff:
        @@ -1,6 +1,12 @@
        -/(Name: [^\n]+
        -Version: \d+.\d+.\d+
        -URL: https?:\/\/(www\.)?.+
        -Title: [^\n]*?
        -Solution: remove or disable this gem until a patch is available!)+/
        +/Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock (Errno::ENOENT)
        +   from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `initialize'
        +   from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/cli.rb:41:in `new'
        +   from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/cli.rb:41:in `check'
        +   from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
        +   from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
        +   from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'
        +   from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'
        +   from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundle-leak:10:in `<top (required)>'
        +   from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `load'
        +   from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `<main>'

      # ./spec/integration_spec.rb:29:in `block (3 levels) in <top (required)>'

  20) CLI when auditing a secure bundle should print nothing when everything is fine
      Failure/Error: raise "FAILED #{command}\n#{result}" if $?.success? == !!options[:fail]

      RuntimeError:
        FAILED /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak
        /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `read': No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/secure/Gemfile.lock (Errno::ENOENT)
            from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/scanner.rb:61:in `initialize'
            from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/cli.rb:41:in `new'
            from /Users/etagwerker/Projects/fastruby/bundler-leak/lib/bundler/plumber/cli.rb:41:in `check'
            from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/command.rb:27:in `run'
            from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/invocation.rb:126:in `invoke_command'
            from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor.rb:387:in `dispatch'
            from /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/thor-0.20.3/lib/thor/base.rb:466:in `start'
            from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundle-leak:10:in `<top (required)>'
            from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `load'
            from /Users/etagwerker/Projects/fastruby/bundler-leak/bin/bundler-leak:3:in `<main>'
      # ./spec/spec_helper.rb:12:in `block in sh'
      # /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/bundler-2.0.1/lib/bundler.rb:313:in `block in with_clean_env'
      # /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/bundler-2.0.1/lib/bundler.rb:562:in `with_env'
      # /Users/etagwerker/.rvm/gems/ruby-2.5.1/gems/bundler-2.0.1/lib/bundler.rb:313:in `with_clean_env'
      # ./spec/spec_helper.rb:10:in `sh'
      # ./spec/integration_spec.rb:39:in `block (4 levels) in <top (required)>'
      # ./spec/integration_spec.rb:39:in `chdir'
      # ./spec/integration_spec.rb:39:in `block (3 levels) in <top (required)>'
      # ./spec/integration_spec.rb:43:in `block (3 levels) in <top (required)>'

  21) Bundler::Plumber::Scanner#scan should yield results
      Failure/Error: File.read(File.join(@root,gemfile_lock))

      Errno::ENOENT:
        No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock
      # ./spec/scanner_spec.rb:9:in `new'
      # ./spec/scanner_spec.rb:9:in `block (3 levels) in <top (required)>'
      # ./spec/scanner_spec.rb:14:in `block (3 levels) in <top (required)>'

  22) Bundler::Plumber::Scanner#scan when not called with a block should return an Enumerator
      Failure/Error: File.read(File.join(@root,gemfile_lock))

      Errno::ENOENT:
        No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock
      # ./spec/scanner_spec.rb:9:in `new'
      # ./spec/scanner_spec.rb:9:in `block (3 levels) in <top (required)>'
      # ./spec/scanner_spec.rb:21:in `block (4 levels) in <top (required)>'

  23) Bundler::Plumber::Scanner when auditing a bundle with unpatched gems should match unpatched gems to their advisories
      Failure/Error: File.read(File.join(@root,gemfile_lock))

      Errno::ENOENT:
        No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock
      # ./spec/scanner_spec.rb:29:in `new'
      # ./spec/scanner_spec.rb:29:in `block (3 levels) in <top (required)>'
      # ./spec/scanner_spec.rb:31:in `block (3 levels) in <top (required)>'
      # ./spec/scanner_spec.rb:34:in `block (3 levels) in <top (required)>'

  24) Bundler::Plumber::Scanner when auditing a bundle with unpatched gems when the :ignore option is given should ignore the specified advisories
      Failure/Error: File.read(File.join(@root,gemfile_lock))

      Errno::ENOENT:
        No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/unpatched_gems/Gemfile.lock
      # ./spec/scanner_spec.rb:29:in `new'
      # ./spec/scanner_spec.rb:29:in `block (3 levels) in <top (required)>'
      # ./spec/scanner_spec.rb:40:in `block (4 levels) in <top (required)>'
      # ./spec/scanner_spec.rb:43:in `block (4 levels) in <top (required)>'

  25) Bundler::Plumber::Scanner when auditing a secure bundle should print nothing when everything is fine
      Failure/Error: File.read(File.join(@root,gemfile_lock))

      Errno::ENOENT:
        No such file or directory @ rb_sysopen - /Users/etagwerker/Projects/fastruby/bundler-leak/spec/bundle/secure/Gemfile.lock
      # ./spec/scanner_spec.rb:53:in `new'
      # ./spec/scanner_spec.rb:53:in `block (3 levels) in <top (required)>'
      # ./spec/scanner_spec.rb:55:in `block (3 levels) in <top (required)>'
      # ./spec/scanner_spec.rb:58:in `block (3 levels) in <top (required)>'

Finished in 4.01 seconds (files took 0.2112 seconds to load)
46 examples, 25 failures

Failed examples:

rspec ./spec/advisory_spec.rb:34 # Bundler::Plumber::Advisory load #id
rspec ./spec/advisory_spec.rb:39 # Bundler::Plumber::Advisory load #url
rspec ./spec/advisory_spec.rb:44 # Bundler::Plumber::Advisory load #title
rspec ./spec/advisory_spec.rb:49 # Bundler::Plumber::Advisory load #date
rspec ./spec/advisory_spec.rb:54 # Bundler::Plumber::Advisory load #description
rspec ./spec/advisory_spec.rb:69 # Bundler::Plumber::Advisory load #patched_versions should all be Gem::Requirement objects
rspec ./spec/advisory_spec.rb:75 # Bundler::Plumber::Advisory load #patched_versions should parse the versions
rspec ./spec/advisory_spec.rb:86 # Bundler::Plumber::Advisory#unaffected? when passed a version that matches one unaffected version should return true
rspec ./spec/advisory_spec.rb:94 # Bundler::Plumber::Advisory#unaffected? when passed a version that matches no unaffected version should return false
rspec ./spec/advisory_spec.rb:104 # Bundler::Plumber::Advisory#patched? when passed a version that matches one patched version should return true
rspec ./spec/advisory_spec.rb:112 # Bundler::Plumber::Advisory#patched? when passed a version that matches no patched version should return false
rspec ./spec/advisory_spec.rb:122 # Bundler::Plumber::Advisory#vulnerable? when passed a version that matches one patched version should return false
rspec ./spec/advisory_spec.rb:130 # Bundler::Plumber::Advisory#vulnerable? when passed a version that matches no patched version should return true
rspec ./spec/advisory_spec.rb:140 # Bundler::Plumber::Advisory#vulnerable? when passed a version that matches no patched version when unaffected_versions is not empty when passed a version that matches one unaffected version should return false
rspec ./spec/advisory_spec.rb:148 # Bundler::Plumber::Advisory#vulnerable? when passed a version that matches no patched version when unaffected_versions is not empty when passed a version that matches no unaffected version should return true
rspec ./spec/database_spec.rb:17 # Bundler::Plumber::Database path should prefer the user repo, iff it's as up to date, or more up to date than the vendored one
rspec ./spec/database_spec.rb:91 # Bundler::Plumber::Database#check_gem when given a block should yield every advisory affecting the gem
rspec ./spec/integration_spec.rb:18 # CLI when auditing a bundle with unpatched gems should print a warning
rspec ./spec/integration_spec.rb:22 # CLI when auditing a bundle with unpatched gems should print advisory information for the vulnerable gems
rspec ./spec/integration_spec.rb:42 # CLI when auditing a secure bundle should print nothing when everything is fine
rspec ./spec/scanner_spec.rb:11 # Bundler::Plumber::Scanner#scan should yield results
rspec ./spec/scanner_spec.rb:20 # Bundler::Plumber::Scanner#scan when not called with a block should return an Enumerator
rspec ./spec/scanner_spec.rb:33 # Bundler::Plumber::Scanner when auditing a bundle with unpatched gems should match unpatched gems to their advisories
rspec ./spec/scanner_spec.rb:42 # Bundler::Plumber::Scanner when auditing a bundle with unpatched gems when the :ignore option is given should ignore the specified advisories
rspec ./spec/scanner_spec.rb:57 # Bundler::Plumber::Scanner when auditing a secure bundle should print nothing when everything is fine

Coverage report generated for RSpec to /Users/etagwerker/Projects/fastruby/bundler-leak/coverage. 307 / 373 LOC (82.31%) covered.

It seems that I'm missing something when setting up the project locally.

It might be a good idea to have a `./bin/setup` which makes sure that the dev environment is properly set up.
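One shape such a `./bin/setup` could take, written here as an added example and not the project's own script. It assumes only what the output above shows (the `data/ruby-mem-advisory-db` submodule, the fixture bundles under `spec/bundle/*`, and the `bundler (>= 1.3.0, < 2.0)` constraint pulled in by rails 4.2.7.1); the choice of 1.17.3 as the Bundler 1.x release to install is a hypothetical one.

```shell
#!/usr/bin/env sh
# Hypothetical bin/setup for a fresh clone (added example, not the project's script).
# Assumptions: the advisory database is the data/ruby-mem-advisory-db submodule, and
# the fixture bundles under spec/bundle/* resolve rails 4.2.7.1, which requires
# bundler (>= 1.3.0, < 2.0), so they cannot be installed with Bundler 2.x alone.
set -eu

ADVISORY_DB="data/ruby-mem-advisory-db"
FIXTURES="spec/bundle"
BUNDLER_1X="1.17.3"   # assumption: any 1.x >= 1.3.0 would do; 1.17.3 is a late 1.x release

# Print the INDEXth (1-based) numeric component of a dotted version; missing parts are 0.
version_part() {  # version_part VERSION INDEX
  echo "$1" | awk -F. -v i="$2" '{ v = (i <= NF) ? $i : 0; sub(/[^0-9].*/, "", v); print v + 0 }'
}

# Succeed when VERSION satisfies ">= 1.3.0, < 2.0", the constraint from the resolver
# error in the issue. Pure arithmetic on the version string, no gem invocation.
bundler_version_ok() {  # bundler_version_ok VERSION
  major=$(version_part "$1" 1)
  minor=$(version_part "$1" 2)
  if [ "$major" -eq 1 ] && [ "$minor" -ge 3 ]; then return 0; fi
  return 1
}

# Succeed when the advisory-db checkout holds data, not the empty directory that a
# failed `git submodule update --init` leaves behind (the first error in the issue).
advisory_db_populated() {  # advisory_db_populated DIR
  if [ -d "$1/gems" ] && [ -n "$(ls -A "$1/gems" 2>/dev/null)" ]; then return 0; fi
  return 1
}

setup_dev_env() {
  # 1. Advisory database submodule. If the pinned commit is not advertised by the
  #    remote, fall back to the submodule's tracked branch head (--remote) so the specs
  #    at least have a database to read; the pinned commit must still be fixed upstream.
  if ! advisory_db_populated "$ADVISORY_DB"; then
    echo "Fetching the advisory database submodule..."
    git submodule sync
    git submodule update --init --recursive || true
    advisory_db_populated "$ADVISORY_DB" || git submodule update --init --recursive --remote
  fi
  advisory_db_populated "$ADVISORY_DB" || { echo "advisory database still empty" >&2; return 1; }

  # 2. Bundler 1.x alongside the current Bundler (2.0.1 in the issue), because the
  #    fixture Gemfiles cannot be resolved by Bundler 2.
  if ! bundler_version_ok "$(bundle --version | awk '{ print $NF }')"; then
    echo "Installing Bundler $BUNDLER_1X next to the current one..."
    gem install bundler -v "$BUNDLER_1X" --no-document
  fi

  # 3. Produce the spec/bundle/*/Gemfile.lock files the scanner specs read (the third
  #    error), using the same clean environment and --path the Rakefile uses, but
  #    selecting the 1.x Bundler via RubyGems' _VERSION_ binstub syntax.
  for dir in "$FIXTURES"/*/; do
    [ -f "$dir/Gemfile" ] || continue
    ( cd "$dir" && unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT \
        && bundle "_${BUNDLER_1X}_" install --path ../../../vendor/bundle )
  done
  echo "Setup complete; run 'bundle exec rake' to verify."
}

# Only run the full procedure when invoked as bin/setup, so the helpers above can be
# sourced and checked on their own.
case "${0##*/}" in
  setup) setup_dev_env ;;
esac
```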