@ukazap
Last active July 11, 2025 10:21
Poor man's dependabot (for Ruby)
#!/usr/bin/env ruby
# Install bundler-audit, refresh the ruby-advisory-db, then audit Gemfile.lock.
# The job fails (exit 1) only for advisories at or above intolerable_levels;
# lower-severity findings are printed but tolerated.
`gem install bundler-audit && bundle audit download`
abort "bundler-audit install or advisory-db download failed" unless $?.success?
require 'set'
require 'json'

# `bundle audit check` exits non-zero whenever it finds something, so its exit
# status is not an error signal here; empty output (e.g. no Gemfile.lock) is.
audit_output = `bundle audit check --format json`
abort "bundle audit produced no output" if audit_output.strip.empty?
audit_data = JSON.parse(audit_output)

# possible values: none, low, medium, high, critical
# (nil when the advisory carries no CVSS score; such advisories are tolerated here)
intolerable_levels = Set.new(%w[ high critical ])
found_intolerable = false
insecure_sources = []

# Group advisories by "name:version" so a gem with several advisories is listed once.
result = audit_data.fetch('results', []).reduce({}) do |grouped, vuln|
  # A result is either an "unpatched_gem" (with "gem" and "advisory") or an
  # "insecure_source" (a non-HTTPS gem source) that has no "gem" key at all,
  # so it must be handled before touching vuln["gem"].
  if vuln["type"] == "insecure_source"
    insecure_sources << vuln["source"]
    found_intolerable = true # an on-path attacker can swap gems: always fail
    next grouped
  end
  gem_name_and_version = vuln["gem"].values_at("name", "version").join(":")
  advisory = vuln["advisory"]
  if intolerable_levels.include?(advisory["criticality"])
    found_intolerable = true
    advisory["intolerable"] = true
  end
  grouped[gem_name_and_version] ||= Set.new
  grouped[gem_name_and_version] << advisory
  grouped
end

exit if result.empty? && insecure_sources.empty?
puts "Found vulnerabilities:"
puts
insecure_sources.each { |source| puts "🚨 insecure gem source: #{source}" }
result.each do |gem, advisories|
  puts <<~END
    #{gem}
    #{"-" * gem.length}
  END
  advisories.each do |advisory|
    puts <<~END
      #{advisory["intolerable"] ? "🚨" : "💬"} #{advisory["title"]}
        url: #{advisory["url"]}
        criticality: #{advisory["criticality"] || "unknown"}
        patched versions: #{Array(advisory["patched_versions"]).join(", ")}
    END
  end
end
exit 1 if found_intolerable
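The script above only runs against a real Gemfile.lock with bundler-audit installed, which makes its severity policy hard to test. The following is an added example, not part of the gist: it triages a bundler-audit JSON report offline, so the gate (threshold, unscored advisories, accepted advisory IDs, insecure sources) can be asserted on without network access. It assumes the report shape the gist reads, i.e. a "results" array of "unpatched_gem" entries carrying "gem" and "advisory", plus "insecure_source" entries carrying "source"; the embedded report, its gem names, advisory IDs and URLs are constructed, and the AUDIT_THRESHOLD / AUDIT_IGNORE environment variable names are this example's own choice.

```ruby
#!/usr/bin/env ruby
# Added example (not part of the gist): triage a bundler-audit JSON report
# offline so the severity gate is unit-testable without running `bundle audit`.
require 'json'
require 'set'

# Severity ladder used to compare a finding against the blocking threshold.
SEVERITY_ORDER = %w[none low medium high critical].freeze

# Constructed sample in the shape of `bundle audit check --format json`
# (assumed: a "results" array of "unpatched_gem" entries carrying "gem" and
# "advisory", plus "insecure_source" entries carrying "source"). Gem names,
# versions, advisory IDs and URLs are invented.
SAMPLE_REPORT = <<~JSON
  {"version": "0.9.1", "created_at": "2025-07-11 10:21:00 UTC", "results": [
    {"type": "unpatched_gem", "gem": {"name": "examplegem", "version": "1.0.0"},
     "advisory": {"id": "CVE-2000-0001", "url": "https://example.invalid/adv/1",
                  "title": "Example high-severity issue", "criticality": "high",
                  "patched_versions": [">= 1.0.1"]}},
    {"type": "unpatched_gem", "gem": {"name": "examplegem", "version": "1.0.0"},
     "advisory": {"id": "CVE-2000-0002", "url": "https://example.invalid/adv/2",
                  "title": "Example low-severity issue", "criticality": "low",
                  "patched_versions": [">= 1.0.2"]}},
    {"type": "unpatched_gem", "gem": {"name": "othergem", "version": "2.3.4"},
     "advisory": {"id": "GHSA-xxxx-yyyy-zzzz", "url": "https://example.invalid/adv/3",
                  "title": "Example advisory without a CVSS score", "criticality": null,
                  "patched_versions": ["~> 2.3.5"]}},
    {"type": "insecure_source", "source": "http://gems.example.invalid/"}
  ]}
JSON

Finding = Struct.new(:gem, :id, :title, :url, :criticality, :patched_versions, :blocking)

# True when +criticality+ is at or above +threshold+. A missing or unknown
# criticality (advisory without a CVSS score) blocks by default: silently
# tolerating it, as the gist does, lets unscored advisories through.
def blocking?(criticality, threshold: "high", unknown_blocks: true)
  idx = SEVERITY_ORDER.index(criticality.to_s)
  return unknown_blocks if idx.nil?
  idx >= SEVERITY_ORDER.index(threshold.to_s)
end

# Parses the report and returns [findings grouped by "name:version",
# insecure sources, exit status]. +ignore+ holds advisory IDs that were
# consciously accepted (same idea as `bundle audit check --ignore ID`).
def triage(report_json, threshold: "high", ignore: Set.new)
  report = JSON.parse(report_json)
  grouped = Hash.new { |h, k| h[k] = [] }
  insecure_sources = []
  report.fetch("results", []).each do |result|
    case result["type"]
    when "unpatched_gem"
      gem = result.fetch("gem")
      adv = result.fetch("advisory")
      next if ignore.include?(adv["id"])
      key = "#{gem['name']}:#{gem['version']}"
      grouped[key] << Finding.new(key, adv["id"], adv["title"], adv["url"],
                                  adv["criticality"], Array(adv["patched_versions"]),
                                  blocking?(adv["criticality"], threshold: threshold))
    when "insecure_source"
      # A plain-HTTP gem source lets an on-path attacker substitute gems;
      # it blocks regardless of threshold and cannot be ignored by ID.
      insecure_sources << result["source"]
    end
  end
  blocking = insecure_sources.any? || grouped.values.any? { |fs| fs.any?(&:blocking) }
  [grouped, insecure_sources, blocking ? 1 : 0]
end

# Renders the same layout the gist prints, plus a line per insecure source.
def format_report(grouped, insecure_sources)
  lines = insecure_sources.map { |s| "🚨 insecure gem source: #{s}" }
  grouped.each do |gem, findings|
    lines << gem << ("-" * gem.length)
    findings.each do |f|
      lines << "#{f.blocking ? '🚨' : '💬'} #{f.title} (#{f.id})"
      lines << "    url: #{f.url}"
      lines << "    criticality: #{f.criticality || 'unknown'}"
      lines << "    patched versions: #{f.patched_versions.join(', ')}"
    end
  end
  lines.join("\n")
end

# Usage: ruby triage.rb report.json   (AUDIT_THRESHOLD and AUDIT_IGNORE are
# assumed env var names, e.g. AUDIT_IGNORE=CVE-2000-0002,GHSA-...).
# With no argument the embedded sample is triaged and the status only printed.
input = ARGV.empty? ? SAMPLE_REPORT : File.read(ARGV[0])
grouped, sources, status = triage(input,
                                  threshold: ENV.fetch("AUDIT_THRESHOLD", "high"),
                                  ignore: Set.new(ENV.fetch("AUDIT_IGNORE", "").split(",")))
puts(grouped.empty? && sources.empty? ? "No vulnerabilities found" : format_report(grouped, sources))
ARGV.empty? ? puts("exit status would be #{status}") : exit(status)
```

Wire it into CI by feeding it the real report (`bundle audit check --format json > report.json; ruby triage.rb report.json`); the ignore list is deliberately applied only to "unpatched_gem" advisories, so an insecure source can never be waived by ID.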