rubysec/bundler-audit

git not installed

chabgood opened this issue · 11 comments

Description

We run our build on Bitbucket. When we run the audit check, it says git is not installed. Git is the first thing installed.

Steps To Reproduce

Steps to reproduce the bug:

  1. We run our build on Bitbucket. When we run the audit check, it says git is not installed. Git is the first thing installed on Ubuntu.
  2. Do we need git installed in a different way for the audit to recognize git?

Expected Behavior

Actual Behavior

Environment

$ bundler-audit --version
...
$ bundle --version
...
$ ruby --version
...

Going to need more information here. What is the exact error message when bundler-audit tries to run git? Is git really installed in BitBucket's CI environment? What does which git return? What does dpkg -l git return?

Linux version:
debian gnu/linux 9 (stretch)

which git failed

  • dpkg -l git
    dpkg-query: no packages found matching git

@chabgood git does not appear to be installed in the environment. Try adding apt-get install -y git to your CI setup script.

Ya, that is the strange thing: git is the first thing installed, but then when I do git --version it says git is not installed. Something weird, I guess, with the env on Bitbucket. Something changed about 4 months ago.

Marking this as an upstream issue and not bundler-audit related.

I just ran into this with bundle audit only - bundle install worked fine.

The error was not as clear, though. Every invocation of bundle audit (including with --verbose) simply said

failed to download https://github.com/rubysec/ruby-advisory-db.git to "/root/.local/share/ruby-advisory-db"

This is in Docker without Git installed. Installing Git fixed it, but it was not clear that it was trying to do anything with Git. Even doing --no-update didn't work. I could not find a way to run bundle audit that provided any additional info.

I believe this code could be changed to provide a better error:

command = %w[git clone]
command << '--quiet' if options[:quiet]
command << URL << path
unless system(*command)
  raise(DownloadFailed,"failed to download #{URL} to #{path.inspect}")
end

I'm not sure the "right way" in bundler and related, but I think if the error included the stdout and stderr of the command, that would help:

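require 'open3'

# Splat the argv array so each element is passed to git as a separate argument.
stdout, stderr, status = Open3.capture3(*command)
if !status.success?
  # DownloadFailed is the exception class raised by the existing code above.
  raise DownloadFailed, "Failed to download #{URL} to #{path.inspect}:\n#{stdout}\n\n#{stderr}"
end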

If this is desired I could make a PR

I started a git_not_installed branch which adds a GitNotInstalled exception.

I'm fairly confident this commit should clearly communicate that git is not installed. All Database methods that use git will now raise a GitNotInstalled exception, and the CLI will explicitly rescue and print the message as an error.

Nice! Didn't know about the false/nil thing!

Do you think it would be useful to include the command line invocation in the exception message?

I realize that may be a bigger change, but anytime an app shells out and something goes wrong, it's often really hard to figure out why without seeing the command and its output somewhere.

Maybe for DownloadFailed or UpdateFailed exceptions where the git command failed for some reason, but probably not GitNotInstalled. If the command isn't in $PATH, it doesn't matter what args you give it. I was considering printing out a more detailed error message for GitNotInstalled, like "install git via your package manager" or "check if $PATH is properly configured".

Implemented by 819c8e1. Will try to wrap up 0.10.0 in a week or two and release it.
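The two failure modes discussed in this thread, as an added Ruby sketch that is not bundler-audit's own code: Kernel#system returns nil when the executable cannot be run and false when it exits non-zero, while Open3.capture3 raises Errno::ENOENT for a missing executable and otherwise hands back stderr for the error message. The exception classes are defined locally with names borrowed from the thread; classify and run_checked are hypothetical helpers, and the current Ruby interpreter stands in for git so nothing touches the network.

```ruby
require 'open3'
require 'rbconfig'

# Local stand-ins named after the exceptions mentioned in the thread.
class GitNotInstalled < StandardError; end
class DownloadFailed < StandardError; end

# Kernel#system is tri-state: true (exit 0), false (non-zero exit),
# nil (the command could not be executed at all, e.g. not in $PATH).
def classify(command)
  case system(*command, out: File::NULL, err: File::NULL)
  when true  then :ok
  when false then :failed
  when nil   then :not_found
  end
end

# Runs an argv array without a shell and returns stdout on success.
# On failure the exception carries the command line, exit status and
# stderr, so a CI log shows why the step failed.
def run_checked(command, error_class: DownloadFailed)
  stdout, stderr, status = Open3.capture3(*command)
  return stdout if status.success?

  raise error_class,
        "#{command.join(' ')} exited with status #{status.exitstatus}:\n#{stderr}"
rescue Errno::ENOENT
  # Raised by the underlying spawn when the executable does not exist.
  raise GitNotInstalled, "#{command.first} was not found in $PATH"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample commands; the missing one is a made-up name.
  samples = [
    [RbConfig.ruby, '-e', 'exit 0'],
    [RbConfig.ruby, '-e', 'warn "fatal: simulated clone error"; exit 3'],
    ['no-such-vcs-binary-for-demo', 'clone']
  ]
  samples.each do |cmd|
    begin
      run_checked(cmd)
      puts "#{classify(cmd)}: ok"
    rescue GitNotInstalled, DownloadFailed => e
      puts "#{classify(cmd)}: #{e.class}: #{e.message.lines.last.chomp}"
    end
  end
end
```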