Status codes for different status messages

[udaykadaboina]

I am planning to have bundler-audit in my CI and would like to stop/fail the build if there are any vulnerabilities found in my existing gems in Gemfile. So, instead of using regex/string match for "Vulnerabilities found!" etc. it would be good to have status codes for different messages.

I don't know if we have something like this in the roadmap or I can chime into it with some guidance.

[postmodern]

bundler-audit already exits with status code 1 if any vulnerabilities are found, which should cause any CI test suite to fail once any of the commands fail. bundler-audit also exits with 1 if any other errors occur (ex: No such file or directory: or Unknown format:), so maybe I should assign separate error codes for those errors. https://github.com/rubysec/bundler-audit/blob/017d1f5eeb6aa8a3700e0bcfa8d57e5ea00a465e/lib/bundler/audit/cli.rb#L50-L88

[komidore64]

I'd be satisfied with meaningful non-zero exit statuses, or flags similar to brakeman's --no-exit-on-warn and --no-exit-on-error which allow you to suppress exit codes for CI purposes. Thanks!

[postmodern]

Going to close this since I answered OP's question.

However, @komidore64 could you explain how those codes would work? bundler-audit does not "warn", it only indicates that issue(s) were found or no issues were found. If an advisory is explicitly ignored then it is omitted from the report output and will cause bundler-audit to exit successfully. I am assuming --no-exit-on-error would suppress any non-zero exit codes? That could also be accomplished by appending || true to the bundle-audit command.

[komidore64]

However, @komidore64 could you explain how those codes would work?

Mentioning brakeman's flags may have caused more confusion than necessary since bundle-audit doesn't exactly have "warnings" like you described. I apologize.

I would like a flag that I can pass to bundle-audit to suppress non-zero exits even if issues/vulnerabilities are discovered.

I feel I may be high-jacking this issue. I would be happy to open a new issue if this is something you're interested in exploring.

[postmodern]

I would like a flag that I can pass to bundle-audit to suppress non-zero exits even if issues/vulnerabilities are discovered.

Luckily, bash already supports that: bundler-audit ... || true

[komidore64]

I would like a flag that I can pass to bundle-audit to suppress non-zero exits even if issues/vulnerabilities are discovered.

Luckily, bash already supports that: bundler-audit ... || true

That's not the same thing. bundle-audit ... || true suppresses any and all non-zero exits from bundle-audit. I just want > 0 vulnerabilities found to exit as zero, signifying to CI that bundle-audit completed successfully. I still want all other errors (file read errors, runtime errors, etc) to trigger as normal.

[postmodern]

@komidore64 I'm curious how you would identify that bundler-audit found errors if it returns 0? I'm guessing you use a regex on the full CI output?

[komidore64]

@komidore64 I'm curious how you would identify that bundler-audit found errors if it returns 0? I'm guessing you use a regex on the full CI output?

I can tell if bundler-audit discovered vulnerabilities by parsing its JSON output.

[postmodern]

I can tell if bundler-audit discovered vulnerabilities by parsing its JSON output.

AH HA! In that case we could suppress the exit status code when writing the report output to a file?

[komidore64]

AH HA! In that case we could suppress the exit status code when writing the report output to a file?

I'm reading the JSON from stdout, but it wouldn't be much work for me to write it to a file instead.

I'm open to that.