rubysec / bundler-audit

Patch-level verification for Bundler

Git is not installed!

Domon opened this issue · comments

Hi,

bundle-audit check --update failed to run in our build process suddenly and returned the following error message.

Git is not installed!

I checked the Changelog but couldn't find any related information or upgrading suggestion.
https://github.com/rubysec/bundler-audit/blob/e64c5c7197edcb5b19bb94f63a39b6819a26e03b/ChangeLog.md

I wonder if that error comes from a PR merged recently.
https://github.com/rubysec/bundler-audit/pull/230/files#diff-f3ec31a31911b9265366828e72a41e68R77

I'm curious why we were able to run bundler-audit without coming across this error message previously.

Does bundler-audit require git to run? Is this something new? 🤔

Thanks.

bundler-audit has always required git for keeping its advisory database updated. The repository comes from https://github.com/rubysec/ruby-advisory-db. Without git, any use of bundler-audit would not be using an updated database, meaning any checks run would likely miss all vulnerabilities added since the last bundler-audit gem release.

See also #259.

Thanks @reedloden for the explanation. 🙇

Out of curiosity, I installed 0.6.1 and tried the same command. The command was executed successfully with a message saying that the database was not updated.

$ bundle-audit check --update
Updating ruby-advisory-db ...
Skipping update
ruby-advisory-db: 287 advisories
No vulnerabilities found

In comparison, the command failed in 0.7.0.1.

$ bundle-audit check --update
Updating ruby-advisory-db ...
Git is not installed!

I guess most people would like to run the command with the latest database. It's just not very obvious in the error message and the breaking change was not highlighted in the change log.

I wonder if the latest database can be downloaded without git though. 🤔
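A CI gate built on the two outputs quoted above, as an added example and not code from bundler-audit itself: it refuses to treat a run as a clean audit when the database was silently left stale (the 0.6.1 "Skipping update" case) or when the update failed outright (the 0.7.0.1 "Git is not installed!" case). The command name `bundle-audit` comes from the thread; the exit-code convention and the sample output variable are assumptions made for this example.

```shell
#!/bin/sh
# Exit codes for the gate (an assumed convention, not bundler-audit's):
#   0 = advisory database refreshed and no vulnerabilities reported
#   1 = vulnerabilities reported
#   2 = database was NOT refreshed, so the result cannot be trusted
classify_audit_output() {
  output="$1"
  # Staleness is checked first: the 0.6.1 output contains BOTH
  # "Skipping update" and "No vulnerabilities found", and the
  # latter must not win.
  case "$output" in
    *"Git is not installed!"*) echo "stale: git missing";    return 2 ;;
    *"Skipping update"*)       echo "stale: update skipped"; return 2 ;;
  esac
  case "$output" in
    *"No vulnerabilities found"*) echo "ok"; return 0 ;;
    *)                            echo "vulnerable"; return 1 ;;
  esac
}

# Run the real audit, keeping its combined output so the classifier
# (not only the exit status) decides whether the build passes.
run_audit_gate() {
  command -v git >/dev/null 2>&1 || {
    echo "git is required to update ruby-advisory-db" >&2
    return 2
  }
  out=$(bundle-audit check --update 2>&1) || true
  printf '%s\n' "$out"
  classify_audit_output "$out"
}

# Constructed sample reproducing the 0.6.1 output from the thread.
SAMPLE_061_OUTPUT='Updating ruby-advisory-db ...
Skipping update
ruby-advisory-db: 287 advisories
No vulnerabilities found'

classify_audit_output "$SAMPLE_061_OUTPUT" || echo "gate would fail the build (rc=$?)"
```

In a pipeline, replace the last line with `run_audit_gate` so a missing git or a skipped update fails the job instead of passing with an out-of-date database.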

@Domon are you using andrewmcodes/bundler-audit-action?

No. Good to know there is a Github Action for bundler audit though.

For us it is the most important feature ever! No one knew that the advisories db doesn't get updated without git.

In addition to mentioning that git is a dependency, I've added explicit instructions on how to install git in 256ad82.