feat: replace audit-app and bundler-audit with osv-detector (#351)

Author: G-Rath

.github/workflows/check-with-osv-detector.yml

@@ -0,0 +1,14 @@
+name: Check dependencies for known security vulnerabilities
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  check-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Check dependencies for security vulnerabilities
+        uses: g-rath/check-with-osv-detector@main

.github/workflows/ci.yml

@@ -106,6 +106,10 @@ jobs:
         with:
           persist-credentials: false
 
+      # this ensures that osv-detector is available for running bin/ci-run
+      - name: Check dependencies for security vulnerabilities (and setup osv-detector)
+        uses: g-rath/check-with-osv-detector@main
+
       - name: Install NodeJS
         uses: actions/setup-node@v3
         with:

README.md

@@ -50,9 +50,9 @@ Where possible we stick to Rails defaults.
     a decision about whether ActiveStorage files must be behind authentication
     or not. The default Rails behaviour here can be a security gotcha.
 - Security
+  - Configure [`osv-detector`](https://github.com/G-Rath/osv-detector) to run in
+    CI
   - Install and configure [brakeman](https://github.com/presidentbeef/brakeman)
-  - Install and configure
-    [bundler-audit](https://github.com/rubysec/bundler-audit)
   - Create `.well-known/security.txt`
   - Add a well documented
     [Content Security Policy initializer](./variants/backend-base/config/initializers/content_security_policy.rb)

template.rb

@@ -95,6 +95,7 @@ def apply_template! # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Met
 
   copy_file "variants/backend-base/Dockerfile", "Dockerfile"
   copy_file "variants/backend-base/docker-compose.yml", "docker-compose.yml"
+  copy_file "variants/backend-base/.osv-detector.yml", ".osv-detector.yml"
   copy_file "variants/backend-base/.dockerignore", ".dockerignore"
 
   apply "variants/backend-base/Rakefile.rb"
@@ -155,14 +156,13 @@ def apply_template! # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Met
     end
 
     binstubs = %w[
-      brakeman bundler bundler-audit rubocop
+      brakeman bundler rubocop
     ]
     run_with_clean_bundler_env "bundle binstubs #{binstubs.join(" ")} --force"
 
     template "variants/backend-base/rubocop.yml.tt", ".rubocop.yml"
     run_rubocop_autocorrections
 
-    apply "variants/frontend-audit-app/template.rb"
     apply "variants/frontend-base/js-lint/fixes.rb"
 
     cleanup_package_json

variants/backend-base/.osv-detector.yml

@@ -0,0 +1 @@
+ignore: []

variants/backend-base/Gemfile.tt

@@ -44,7 +44,6 @@ group :development do
   # Add speed badges [https://github.com/MiniProfiler/rack-mini-profiler]
   # gem "rack-mini-profiler"
 
-  gem "bundler-audit", require: false
   gem "brakeman", require: false
   gem "rubocop", require: false
   gem "rubocop-performance", require: false

variants/backend-base/bin/ci-run

@@ -13,9 +13,10 @@ echo "* ******************************************************"
 bundle exec rubocop -c ./.rubocop.yml
 
 echo "* ******************************************************"
-echo "* Running bundle-audit"
+echo "* Running osv-detector"
 echo "* ******************************************************"
-bundle exec bundle-audit check --update
+# See https://github.com/G-Rath/osv-detector#installation for install details
+osv-detector .
 
 echo "* ******************************************************"
 echo "* Running brakeman"

variants/frontend-audit-app/.auditapprc.json

@@ -28,6 +28,14 @@ permissions:
   contents: read # to fetch code (actions/checkout)
 
 jobs:
+  audit_dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+      - name: Audit dependencies for security vulnerabilities
+        uses: g-rath/check-with-osv-detector@main
   js_based_checks:
     runs-on: ubuntu-latest
     timeout-minutes: 15
@@ -92,7 +100,6 @@ jobs:
         run: bundle exec chusaku --exit-with-error-on-annotation
       - run: bundle exec rubocop
       - run: bundle exec brakeman --run-all-checks --exit-on-warn --format plain .
-      - run: bundle exec bundle audit --update
       - run: bundle exec rails db:setup
       - run: bundle exec rspec spec --format progress
       - name: Archive spec outputs
@@ -115,6 +122,7 @@ jobs:
   # deploy_to_ec2_staging:
   #   if: github.event_name == 'push' && github.ref == 'refs/heads/main'
   #   needs:
+  #     - audit_dependencies
   #     - ruby_based_checks
   #     - js_based_checks
   #   uses: ./.github/workflows/deploy_to_ec2.yml
@@ -131,6 +139,7 @@ jobs:
   # deploy_to_ec2_production:
   #   if: github.event_name == 'push' && github.ref == 'refs/heads/production'
   #   needs:
+  #     - audit_dependencies
   #     - ruby_based_checks
   #     - js_based_checks
   #   uses: ./.github/workflows/deploy_to_ec2.yml
@@ -152,6 +161,7 @@ jobs:
   # deploy_to_heroku_staging:
   #   if: github.event_name == 'push' && github.ref == 'refs/heads/main'
   #   needs:
+  #     - audit_dependencies
   #     - ruby_based_checks
   #     - js_based_checks
   #   uses: ./.github/workflows/deploy_to_heroku.yml
@@ -165,6 +175,7 @@ jobs:
   # deploy_to_heroku_production:
   #   if: github.event_name == 'push' && github.ref == 'refs/heads/production'
   #   needs:
+  #     - audit_dependencies
   #     - ruby_based_checks
   #     - js_based_checks
   #   uses: ./.github/workflows/deploy_to_heroku.yml