rubysec / bundler-audit

Patch-level verification for Bundler
GNU General Public License v3.0

Your local changes to the following files would be overwritten by merge #183

Open saigkill opened 7 years ago

saigkill commented 7 years ago

I tried a bundle_audit:update and got:

Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db

How can I fix it?

Gasparila commented 6 years ago

Any update to this?

paranoicsan commented 6 years ago

I've got the same sporadic errors 😞 Any update or workaround?

Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
* branch            master     -> FETCH_HEAD
error: Your local changes to the following files would be overwritten by merge:
[...]
Please commit your changes or stash them before you merge.
Aborting
Updating c7e3e48..8ad6d62
Failed updating ruby-advisory-db!

paranoicsan commented 6 years ago

Solved.

Found that line to detect where gem stores the DB. Removed all data and updated all from scratch.

sandipsubedi commented 6 years ago

@paranoicsan can you explain what you mean by this:

Removed all data and updated all from scratch.

Also, is there any release coming soon for this?

paranoicsan commented 6 years ago

@sandipsubedi I just deleted my local copy of the advisory database. And the next update went smoothly.

postmodern commented 6 years ago

I'm not sure where these local changes are coming from, but maybe we could force git to wipe out any local changes? git reset --hard HEAD && git clean -f -d before git pull maybe?

bbugh commented 3 years ago

I have noticed that this happens when using git worktrees and not being in the primary source directory. For example, I have a master folder which is the original repository, and a develop folder that is a worktree of master. If I run the audit in the develop directory, it appears to try to update the master folder instead of the ruby-advisory-db itself.

Example, breaking in a worktree folder:

~/project_folder/develop(some_branch*) » git push --set-upstream origin $(git_current_branch)
husky > pre-push (node v14.5.0)
Auditing bundle for security issues...
Updating ruby-advisory-db ...
From https://github.com/my_organization/my_repo ⁉️⁉️
 * branch                master     -> FETCH_HEAD
error: Your local changes to the following files would be overwritten by merge:
    Gemfile
    Gemfile.lock
Please commit your changes or stash them before you merge.
Aborting
❌ Failed updating ruby-advisory-db!
husky > pre-push hook failed (add --no-verify to bypass)
error: failed to push some refs to 'https://github.com/my_organization/my_repo'

Works fine:

~/project_folder/master(master) » git push --set-upstream origin $(git_current_branch)
husky > pre-push (node v14.5.0)
Auditing bundle for security issues...
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db 👍👍
 * branch            master     -> FETCH_HEAD
Already up to date.
✅ Updated ruby-advisory-db
ruby-advisory-db: 484 advisories
No vulnerabilities found
Branch 'master' set up to track remote branch 'master' from 'origin'.
Everything up-to-date

abaldwin88 commented 3 years ago

Deleting the advisory database worked for me. In case you're wondering where that database is located like I was, you can pop open irb and enter the following:

File.expand_path(File.join(Gem.user_home,'.local','share','ruby-advisory-db'))

Taken from: https://github.com/rubysec/bundler-audit/blob/master/lib/bundler/audit/database.rb#L41

postmodern commented 3 years ago

@bbugh Database#update always ran the git pull command within a Dir.chdir block. However, the Database.download method runs git pull with the path to ~/.local/share/ruby-advisory-db. Still not sure how git is screwing with ~/.local/share/ruby-advisory-db local repo.
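A worktree-safe updater sketch, added here as an illustration and not bundler-audit's own code: every git call is pinned to the database checkout with `git -C <path>` instead of relying on the current directory (which is what lets a worktree's Gemfile get pulled into, as in bbugh's log), and the checkout's origin is verified before postmodern's `reset --hard` / `clean` suggestion is applied. The helper names, the `-C` approach and the origin check are my assumptions; the database path and URL are the ones quoted in this thread.

```ruby
require "rubygems"
require "open3"

# Remote the advisory database is expected to come from (quoted in the thread).
ADVISORY_DB_URL = "https://github.com/rubysec/ruby-advisory-db"

# Same location abaldwin88's irb one-liner resolves to.
def advisory_db_path(home = Gem.user_home)
  File.expand_path(File.join(home, ".local", "share", "ruby-advisory-db"))
end

# True only if a reported origin URL is the advisory database
# (https form, with or without a trailing ".git").
def advisory_origin?(url)
  url.to_s.strip.sub(/\.git\z/, "") == ADVISORY_DB_URL
end

# git argv for each step. `-C path` makes every command independent of
# Dir.pwd, so a worktree (or any other repo) as the cwd can no longer be
# the one that gets pulled into. (Hypothetical helper, not bundler-audit API.)
def git_steps(path)
  {
    origin:  %W[git -C #{path} remote get-url origin],
    discard: %W[git -C #{path} reset --hard HEAD],  # postmodern's suggestion
    clean:   %W[git -C #{path} clean -f -d],
    pull:    %W[git -C #{path} pull origin master],
  }
end

# Run one git command and return its stdout; raise with stderr on failure.
def run(argv)
  out, err, status = Open3.capture3(*argv)
  raise "#{argv.join(' ')} failed: #{err}" unless status.success?
  out
end

# Refuse to discard anything unless the checkout really is the advisory db,
# so a misdirected path can never wipe a developer's own Gemfile changes.
def update_advisory_db(path = advisory_db_path)
  steps = git_steps(path)
  origin = run(steps[:origin])
  unless advisory_origin?(origin)
    raise "#{path} is not a ruby-advisory-db checkout (origin: #{origin.strip})"
  end
  run(steps[:discard])
  run(steps[:clean])
  run(steps[:pull])
end
```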