Support scanning .gemspec files
reedloden opened this issue
I noticed that GitHub's Dependabot checks .gemspec files, as well as Gemfile.lock. We should do the same, as it would let bundler-audit monitor gems directly.
They also check other files as well, so we may also want to add that.
See https://github.com/dependabot/dependabot-core/tree/main/bundler/lib/dependabot/bundler for how they do it.
I believe bundler already includes any dependencies from the .gemspec into Gemfile.lock, if the Gemfile contains gemspec. Also, .gemspec does not contain the exact gem versions, but only the version ranges, so we'd need additional logic for determining whether a version range intersects with a vulnerable version range.
It might be useful for indicating to the user that they need to change the version range in the .gemspec vs. just running bundle update, but that would require some clever logic to detect overly strict version ranges in the .gemspec vs. the Gemfile.lock.
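As an added example (not bundler-audit's own code) of the range logic discussed in the comment above, this Ruby snippet uses Gem::Requirement to classify a .gemspec dependency range against an advisory: whether it can still reach a patched version (bundle update suffices) or excludes every patched version (the .gemspec range itself must change). The released-version list and the advisory's patched/unaffected ranges are constructed sample data, not a real gem or advisory.

```ruby
require 'rubygems'

# Constructed sample data for a hypothetical gem (not a real advisory).
# Patched/unaffected ranges use the same Gem::Requirement syntax that
# bundler-audit's advisory YAML files use.
RELEASED   = %w[1.9.0 2.0.0 2.0.1 2.1.0 2.2.0 3.0.0].map { |v| Gem::Version.new(v) }
PATCHED    = [Gem::Requirement.new('>= 2.2.0')]
UNAFFECTED = [Gem::Requirement.new('< 2.0.0')]

# A version is vulnerable when neither a patched nor an unaffected
# requirement accepts it.
def vulnerable?(version, patched: PATCHED, unaffected: UNAFFECTED)
  (patched + unaffected).none? { |req| req.satisfied_by?(version) }
end

# Classify a .gemspec dependency requirement (e.g. '~> 2.0') against the
# advisory, given the set of versions actually released:
#   :safe   - no version the range admits is vulnerable
#   :update - the range admits both vulnerable and fixed versions, so
#             `bundle update` can move Gemfile.lock onto a fixed version
#   :loosen - the range admits only vulnerable versions; the .gemspec range
#             is overly strict and must be changed
def classify_requirement(requirement, released: RELEASED)
  req = Gem::Requirement.new(requirement)
  candidates = released.select { |v| req.satisfied_by?(v) }
  return :safe if candidates.none? { |v| vulnerable?(v) }
  candidates.any? { |v| !vulnerable?(v) } ? :update : :loosen
end

if __FILE__ == $PROGRAM_NAME
  ['~> 2.0', '~> 2.0.0', '>= 3.0', '< 2.0'].each do |range|
    puts "#{range.ljust(8)} => #{classify_requirement(range)}"
  end
end
```

Against a real advisory database the candidate versions would come from the gem index rather than a hard-coded list, but the classification logic is the same.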