codeclimate/codeclimate-bundler-audit

ruby-advisory-db out of date, CC wrongly analyzing upgrades to Rails v4.2.6

dcarral opened this issue · 12 comments

On one hand, according to https://hub.docker.com/r/codeclimate/codeclimate-bundler-audit/, it was last pushed 9 days ago.

On the other hand, due to this (already solved) issue in ruby-advisory-db, several vulnerabilities were being wrongly reported for Rails v4.2.6.

It would be nice if you could re-build the image (so it runs bundle-audit update) to get rid of all those fake warnings when analyzing the dependencies' upgrade.

Thank you in advance!

👍

By the way, what about setting up a remote build trigger (as described in Automated Builds on Docker Hub) to periodically update the image? It seems like that approach would fit what @dblandin commented some months ago @ issue #7

Hey @dcarral, thanks for the report!

I've just pushed an updated engine image to Docker Hub which is now available through the CLI. You can update your local engines by running codeclimate engines:install.

As for updating the engine on a periodic basis, our current solution has been to use @krallin's Github File Watcher to ping an internal slack channel in response to changes in the ruby-advisory-db repo, prompting the engineering team to build and release a new image. Our release process for engines running on codeclimate.com currently requires some manual steps so unfortunately we're not at a point where we can automate the entire release.

Additionally, GitHub File Watcher seems to have missed some updates to our watch patterns recently and failed to notify our slack channel. One guess is that the service is using a single application token for GitHub API access and is hitting GitHub's rate limiting.

This is still an issue we're working on and we'll be working towards a better approach.

Thanks again for the issue!

@dblandin Thanks for the heads-up about the recent missed notifications from Github File Watcher. I'm not sure exactly what happened there. I'll try to look further into what happened. Please feel free to ping me if that ever happens again. I'll look into setting up better monitoring to make sure I can catch this earlier.

@krallin No problem! We just received the missing notifications 👍

Thanks for the quick fix!

Awesome; I'm glad that fixed it. Obviously, the goal of Github File Watcher is to not miss changes, so I'm going to look into how I can make this more reliable!

@krallin Were you able to tell whether the Github File Watcher hit some API rate limiting? If that's the case, I think it would be reasonable to allow users to supply their own personal access token for API requests.

I don't think so, but I'll double check. It looks like the daemon that processes notifications somehow deadlocked. I'm a little unsure how that happened. I'm going to add some monitoring that checks the daemon is making progress and notifies me otherwise, which should be a start!
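The comment above describes a daemon that stopped making progress without crashing, and a plan to add monitoring that notices when that happens. The following is an added example, not code from this thread or from Github File Watcher, of one way to detect that condition: the worker records a heartbeat after each item it handles, and a separate check reports `:stalled` when work is still pending but the heartbeat has gone stale. All class names, the fake clock and the constructed event queue are assumptions for the sake of an offline run.

```ruby
# Added example (not part of the thread or of Github File Watcher): a
# liveness check for a queue-processing daemon. A stale heartbeat while
# items are still pending is the signature of a hang or deadlock, as
# opposed to an idle queue, which is the case a plain "last activity"
# alarm cannot tell apart. All names and sample events are constructed.
require 'time'

class Heartbeat
  attr_reader :processed, :last_progress_at

  def initialize(clock: -> { Time.now })
    @clock = clock
    @processed = 0
    @last_progress_at = @clock.call
  end

  # Called by the daemon after each notification is handled.
  def tick
    @processed += 1
    @last_progress_at = @clock.call
  end
end

class ProgressMonitor
  # max_stall: seconds of no progress tolerated while work is pending
  def initialize(heartbeat, pending:, max_stall:, clock: -> { Time.now })
    @heartbeat = heartbeat
    @pending = pending      # callable returning the number of queued items
    @max_stall = max_stall
    @clock = clock
  end

  # :idle    -> queue is empty, no progress expected
  # :ok      -> items pending and the heartbeat is fresh
  # :stalled -> items pending but no progress within max_stall seconds
  def check
    return :idle if @pending.call.zero?
    age = @clock.call - @heartbeat.last_progress_at
    age > @max_stall ? :stalled : :ok
  end
end

# Simulation with a fake clock and a constructed queue of events.
# deadlock_after: number of items the daemon handles before it hangs.
def simulate(deadlock_after:, events: 5, max_stall: 60)
  now = Time.parse('2016-04-01 12:00:00 UTC')
  clock = -> { now }                      # closure sees reassignments of now
  queue = Array.new(events) { |i| "event-#{i}" }
  hb = Heartbeat.new(clock: clock)
  monitor = ProgressMonitor.new(hb, pending: -> { queue.size },
                                max_stall: max_stall, clock: clock)
  results = []
  events.times do |i|
    now += 30                             # each item takes 30 s of wall time
    if i < deadlock_after
      queue.shift                         # healthy: item consumed, heartbeat ticks
      hb.tick
    end                                   # otherwise the daemon is stuck
    results << monitor.check
  end
  now += 120                              # a later check by the monitor
  results << monitor.check
  results
end

if __FILE__ == $PROGRAM_NAME
  p simulate(deadlock_after: 5)   # healthy run: ends :idle
  p simulate(deadlock_after: 2)   # hang after two items: ends :stalled
end
```

The important design choice is that the check consults the pending count as well as the heartbeat age; a daemon with an empty queue is silent for legitimate reasons, and alerting on silence alone produces noise that gets ignored. In a real deployment the heartbeat would be written somewhere the checker can read independently of the daemon process (a file, a key in a store, or a metric), so that a wedged process cannot also wedge its own monitor.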

> It looks like the daemon that processes notifications somehow deadlocked.

Gotcha. That makes sense! Monitoring sounds like a good step to take 👍

Thanks for creating and maintaining Github File Watcher! Is the project open source? I wasn't able to find the project on GitHub.

> Thanks for creating and maintaining Github File Watcher!

You're of course welcome! :)

> Is the project open source? I wasn't able to find the project on GitHub.

It's not open-source right now. It's not that I don't want to make it open-source, but rather that I never really took the time to write docs for how to run it (though it's largely just docker-compose up -d).

I should probably open-source it to let others run their own instance though. If you'd like to run it for yourself / Code Climate and don't mind the rough edges, just let me know (email thomas@orozco.fr); I can always just add a LICENSE to the repo, add you, and send some quick instructions.

@krallin I'll be in touch!

@dcarral I just rolled out the updated engine to codeclimate.com so I'm going to go ahead and close this issue. Thanks!

Thank you for the engine update as well as for the info ;)