rubysec / bundler-audit

Patch-level verification for Bundler
GNU General Public License v3.0

git not installed #387

Closed chabgood closed 1 year ago

chabgood commented 1 year ago

Description

We run our build on Bitbucket; when we run the audit check it says git is not installed. git is the first thing installed.

Steps To Reproduce

Steps to reproduce the bug:

  1. We run our build on Bitbucket; when we run the audit check it says git is not installed. git is the first thing installed on Ubuntu.
  2. Do we need git installed in a different way for the audit to recognize git?

Expected Behavior

Actual Behavior

Environment

$ bundler-audit --version
...
$ bundle --version
...
$ ruby --version
...
postmodern commented 1 year ago

Going to need more information here. What is the exact error message when bundler-audit tries to run git? Is git really installed in BitBucket's CI environment? What does which git return? What does dpkg -l git return?

chabgood commented 1 year ago

Linux version: debian gnu/linux 9 (stretch)

which git failed

postmodern commented 1 year ago

@chabgood git does not appear to be installed in the environment. Try adding apt-get install -y git to your CI setup script.

chabgood commented 1 year ago

Yeah, that is the strange thing: git is the first thing installed, but then when I do git --version it says git is not installed. Something weird, I guess, with the env on Bitbucket. Something changed about 4 months ago.

postmodern commented 1 year ago

Marking this as an upstream issue and not bundler-audit related.

davetron5000 commented 1 year ago

I just ran into this with bundle audit only - bundle install worked fine.

The error was not as clear, though. Every invocation of bundle audit (including with --verbose) simply said

failed to download https://github.com/rubysec/ruby-advisory-db.git to "/root/.local/share/ruby-advisory-db"

This is in Docker without Git installed. Installing Git fixed it, but it was not clear that it was trying to do anything with Git. Even doing --no-update didn't work. I could not find a way to run bundle audit that provided any additional info.

I believe this code could be changed to provide a better error:

https://github.com/rubysec/bundler-audit/blob/bc041d13eeccab70dd01672c097e8906108d07e3/lib/bundler/audit/database.rb#L124-L130

I'm not sure the "right way" in bundler and related, but I think if the error included the stdout and stderr of the command, that would help:

require 'open3'

# capture3 returns the child's stdout, stderr and Process::Status, so a
# non-zero exit can be reported together with what git actually printed.
stdout, stderr, status = Open3.capture3(command)
if !status.success?
  raise DownloadError, "Failed to download #{URL} to #{path.inspect}:\n#{stdout}\n\n#{stderr}"
end

If this is desired I could make a PR

postmodern commented 1 year ago

I started a git_not_installed branch which adds a GitNotInstalled exception.

postmodern commented 1 year ago

I'm fairly confident this commit should clearly communicate that git is not installed. All Database methods that use git will now raise a GitNotInstalled exception, and the CLI will explicitly rescue and print the message as an error.

davetron5000 commented 1 year ago

Nice! Didn't know about the false/nil thing!

Do you think it would be useful to include the command line invocation in the exception message?

I realize that may be a bigger change, but anytime an app shells out and something goes wrong, it's often really hard to figure out why without seeing the command and its output somewhere.

postmodern commented 1 year ago

Maybe for DownloadFailed or UpdateFailed exceptions where the git command failed for some reason, but probably not GitNotInstalled. If the command isn't in $PATH, it doesn't matter what args you give it. I was considering printing out a more detailed error message for GitNotInstalled, like "install git via your package manager" or "check if $PATH is properly configured".
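As an added example (not bundler-audit's own code, and not the fix that was committed), here is how a tool that shells out to git can separate the two failure modes discussed above: the executable not being in $PATH at all, versus git running and exiting non-zero. It uses the nil/false/true return of Kernel#system for a cheap probe, and Open3.capture3 so a failed command's argv, exit status, stdout and stderr land in the error message. The exception names mirror the thread; the GitRunner module, the demo function and the made-up command name git-definitely-not-installed-xyz are assumptions, and the demo uses the running Ruby as a stand-in command so it needs neither git nor network.

```ruby
require 'open3'
require 'rbconfig'

# Added example, not bundler-audit's own code. Exception names follow the
# thread; GitRunner and everything below it is assumed for illustration.
class GitNotInstalled < StandardError; end
class DownloadFailed  < StandardError; end

module GitRunner
  # Kernel#system has three outcomes: nil when the command could not be
  # spawned (not found in $PATH), false when it ran and exited non-zero,
  # true on success. Output is discarded; this is only a probe.
  def self.probe(*argv)
    case system(*argv, out: File::NULL, err: File::NULL)
    when nil   then :not_installed
    when false then :failed
    else            :ok
    end
  end

  # Runs argv and returns its stdout. Raises GitNotInstalled when the
  # executable cannot be spawned (Errno::ENOENT from Process.spawn) and
  # DownloadFailed, carrying argv plus captured output, when it exits
  # non-zero. Arguments are irrelevant in the first case, so they are
  # only reported in the second.
  def self.run(*argv)
    stdout, stderr, status = Open3.capture3(*argv)
    return stdout if status.success?

    raise DownloadFailed,
          "command failed (exit #{status.exitstatus}): #{argv.join(' ')}\n" \
          "--- stdout ---\n#{stdout}--- stderr ---\n#{stderr}"
  rescue Errno::ENOENT
    raise GitNotInstalled,
          "#{argv.first} is not installed or not in $PATH (#{ENV['PATH']}); " \
          'install it via your package manager or check $PATH'
  end

  # Shape of an advisory-DB fetch; `git:` lets the binary name be swapped.
  def self.clone_advisory_db(url, dest, git: 'git')
    run(git, 'clone', '--depth', '1', url, dest)
  end
end

# Demo that exercises all three outcomes offline. The running Ruby stands in
# for a command that exists and succeeds or exists and fails; the xyz name is
# constructed and assumed to be absent from $PATH.
def git_runner_demo(ruby = RbConfig.ruby)
  results = {}
  results[:ok] = GitRunner.run(ruby, '-e', 'print "advisories fetched"')
  begin
    GitRunner.run(ruby, '-e', 'warn "fatal: unable to access repo"; exit 128')
  rescue DownloadFailed => e
    results[:failed] = e.message
  end
  begin
    GitRunner.clone_advisory_db('https://github.com/rubysec/ruby-advisory-db.git',
                                '/tmp/ruby-advisory-db',
                                git: 'git-definitely-not-installed-xyz')
  rescue GitNotInstalled => e
    results[:not_installed] = e.message
  end
  results[:probe] = [GitRunner.probe(ruby, '-e', 'exit 0'),
                     GitRunner.probe(ruby, '-e', 'exit 3'),
                     GitRunner.probe('git-definitely-not-installed-xyz')]
  results
end

if $PROGRAM_NAME == __FILE__
  git_runner_demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Running the file prints one line per outcome: the successful stdout, a DownloadFailed message that includes the exit code and the "fatal: unable to access repo" line from stderr, a GitNotInstalled message naming the missing binary and the $PATH it was searched in, and the probe results [:ok, :failed, :not_installed]. In a CI image like the Docker case above, the third outcome is the one that previously surfaced only as "failed to download".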

postmodern commented 1 year ago

Implemented by 819c8e1. Will try to wrap up 0.10.0 in a week or two and release it.