Fix #403: exit with error when --gemfile-lock is not a valid lock file #414

Open

kallal79 wants to merge 2 commits into rubysec:master from kallal79:fix/issue-403-invalid-gemfile-lock

Conversation

@kallal79 (Contributor)

Bundler::LockfileParser silently accepts any file (Gemfile, README.md, etc.) and returns empty results, causing bundle-audit to exit 0 with 'No vulnerabilities found' even when given the wrong file.

Changes:

  • Add Scanner::InvalidGemfileLock exception class
  • Add LOCKFILE_HEADER_RE regexp to validate lock file content before parsing
  • Raise InvalidGemfileLock in Scanner#initialize when file does not start with a recognised Bundler lockfile section header
  • Rescue InvalidGemfileLock in CLI#check and exit with status 1 plus a descriptive stderr message
  • Add spec for Scanner#initialize raising InvalidGemfileLock
  • Add specs for CLI#check printing error to stderr and exiting with 1

Fixes #403

…ock file

Bundler::LockfileParser silently accepts any file (Gemfile, README.md,
etc.) and returns empty results, causing bundle-audit to exit 0 with
'No vulnerabilities found' even when given the wrong file.

Changes:
- Add Scanner::InvalidGemfileLock exception class
- Add LOCKFILE_HEADER_RE regexp to validate lock file content before parsing
- Raise InvalidGemfileLock in Scanner#initialize when file does not start
  with a recognised Bundler lockfile section header
- Rescue InvalidGemfileLock in CLI#check and exit with status 1 plus a
  descriptive stderr message
- Add spec for Scanner#initialize raising InvalidGemfileLock
- Add specs for CLI#check printing error to stderr and exiting with 1

Fixes rubysec#403
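As an added illustration of the check the PR description lays out (this is not bundler-audit's own code; only the exception name and the role of a LOCKFILE_HEADER_RE are taken from the description, while the regexp body, the method names, the `LockCheck` module and the sample file contents are assumptions), here is a self-contained Ruby version of the three pieces: the header check, the exception raised when it fails, and a CLI-style wrapper that turns the exception into exit status 1 with a message on stderr instead of a misleading clean result.

```ruby
# Added example (not bundler-audit's own code): validate that the file passed
# as --gemfile-lock really is a Bundler lock file before parsing it.
require "stringio"

module LockCheck
  # Raised when the given file is not a Bundler lock file.
  class InvalidGemfileLock < StandardError; end

  # ASSUMPTION: the PR's actual regexp is not shown on its page. This one
  # accepts a file whose first non-blank line is a Bundler lockfile section
  # header. Real lock files begin with a source section (GEM, GIT, PATH,
  # PLUGIN SOURCE); the remaining names cover unusual but valid layouts.
  LOCKFILE_HEADER_RE =
    /\A\s*(GIT|GEM|PATH|PLUGIN SOURCE|PLATFORMS|DEPENDENCIES|CHECKSUMS|RUBY VERSION|BUNDLED WITH)\n/

  def self.lockfile_content?(content)
    LOCKFILE_HEADER_RE.match?(content)
  end

  # Plays the role of Scanner#initialize: reject the file before it reaches a
  # parser that would accept anything and simply return no gems.
  def self.validate!(path, content)
    return content if lockfile_content?(content)

    raise InvalidGemfileLock,
          "#{path} is not a Bundler lock file (expected a section header " \
          "such as GEM, GIT or PATH on the first line)"
  end

  # Plays the role of CLI#check: rescue the exception, report it on stderr and
  # return exit status 1 rather than 0 with "No vulnerabilities found".
  def self.check(path, content, stderr: $stderr)
    validate!(path, content)
    0
  rescue InvalidGemfileLock => e
    stderr.puts "error: #{e.message}"
    1
  end
end

# Constructed sample inputs (not real project files).
GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake

  BUNDLED WITH
     2.4.0
LOCK

GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rake"
GEMFILE

README = "# My project\n\nRun `bundle-audit check` before release.\n"

if $PROGRAM_NAME == __FILE__
  { "Gemfile.lock" => GEMFILE_LOCK, "Gemfile" => GEMFILE, "README.md" => README }
    .each { |name, text| puts "#{name}: exit #{LockCheck.check(name, text)}" }
end
```

Running the file prints `exit 0` for the constructed Gemfile.lock and `exit 1` for the Gemfile and README, with the reason on stderr; the header regexp is deliberately anchored at the start of the file so that a Gemfile whose first line happens to mention a gem name is still rejected.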
@simi requested review from flavorjones and jasnow May 31, 2026 02:29
@kallal79 (Contributor, Author)

Thanks @simi for the approval — I’ll resolve the merge conflicts in spec/scanner_spec.rb and update the branch so it’s ready for review by @flavorjones and @jasnow.

@simi (Contributor)

simi commented May 31, 2026

@kallal79 I'm happy to rebase also or help, just ping me.

@jasnow added the Ready to Review label May 31, 2026
@jasnow (Member)

jasnow commented Jun 1, 2026

Please fix "MERGE CONFLICTS".

@kallal79 force-pushed the fix/issue-403-invalid-gemfile-lock branch from b3e3205 to edfe07d on June 2, 2026 17:46
@jasnow (Member) left a comment


I do not see anything to comment on.


Labels: Ready to Review

Projects: None yet

Development: Successfully merging this pull request may close this issue: "Exits normally when --gemfile-lock is not a lock file, should exit with error" (#403)

3 participants