Can't update ruby-advisory-db #333

Open

dssjoblom opened this issue Apr 6, 2022 · 8 comments

Comments

dssjoblom commented Apr 6, 2022

Description

There seems to be a problem with updating ruby-advisory-db.

Steps To Reproduce

Run bundle exec bundle-audit check --update

Expected Behavior

It should do what it normally does. The same command worked yesterday (5.4.2022) FWIW.

Actual Behavior

Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Updating 1b91d1f..c4779d0
error: Your local changes to the following files would be overwritten by merge:
	gems/foreman_ansible/CVE-2021-3589.yml
Please commit your changes or stash them before you merge.
Aborting
Traceback (most recent call last):
	13: from /home/daniel/.rvm/gems/ruby-2.7.5/bin/ruby_executable_hooks:22:in `<main>'
	12: from /home/daniel/.rvm/gems/ruby-2.7.5/bin/ruby_executable_hooks:22:in `eval'
	11: from /home/daniel/.rvm/gems/ruby-2.7.5/bin/bundle-audit:23:in `<main>'
	10: from /home/daniel/.rvm/gems/ruby-2.7.5/bin/bundle-audit:23:in `load'
	 9: from /home/daniel/.rvm/gems/ruby-2.7.5/gems/bundler-audit-0.9.0.1/bin/bundle-audit:10:in `<top (required)>'
	 8: from /home/daniel/.rvm/gems/ruby-2.7.5/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'
	 7: from /home/daniel/.rvm/gems/ruby-2.7.5/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'
	 6: from /home/daniel/.rvm/gems/ruby-2.7.5/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'
	 5: from /home/daniel/.rvm/gems/ruby-2.7.5/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'
	 4: from /home/daniel/.rvm/gems/ruby-2.7.5/gems/bundler-audit-0.9.0.1/lib/bundler/audit/cli.rb:65:in `check'
	 3: from /home/daniel/.rvm/gems/ruby-2.7.5/gems/bundler-audit-0.9.0.1/lib/bundler/audit/cli.rb:138:in `update'
	 2: from /home/daniel/.rvm/gems/ruby-2.7.5/gems/bundler-audit-0.9.0.1/lib/bundler/audit/database.rb:201:in `update!'
	 1: from /home/daniel/.rvm/gems/ruby-2.7.5/gems/bundler-audit-0.9.0.1/lib/bundler/audit/database.rb:201:in `chdir'
/home/daniel/.rvm/gems/ruby-2.7.5/gems/bundler-audit-0.9.0.1/lib/bundler/audit/database.rb:207:in `block in update!': failed to update "/home/daniel/.local/share/ruby-advisory-db" (Bundler::Audit::Database::UpdateFailed)

A workaround is to delete the checkout directory (/home/daniel/.local/share/ruby-advisory-db in this case) and try again.

Environment

$ bundler-audit --version
bundler-audit 0.9.0.1
$ bundle --version
Bundler version 1.17.3
$ ruby --version
ruby 2.7.5p203 (2021-11-24 revision f69aeb8314) [x86_64-linux]
@dssjoblom dssjoblom added the bug label Apr 6, 2022
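As an added example, and not code from bundler-audit itself (whose `update!` simply runs `git pull` inside the checkout, as the traceback shows), here is a Ruby pre-flight check that inspects the advisory-db checkout with `git status --porcelain` before updating. It lists the files that would block the merge so that a modified advisory file gets looked at before being discarded: an edit to a YAML file under gems/ changes what bundle-audit reports, which is worth a glance whatever the cause turns out to be. The default path ~/.local/share/ruby-advisory-db is the one from the traceback; git on PATH is assumed, and the `--reset` flag and the function names are this example's own.

```ruby
# Added example (not bundler-audit's own code): pre-flight check for a
# ruby-advisory-db checkout before running `bundle-audit --update`.
# It parses `git status --porcelain` output so a dirty checkout (the
# "Your local changes ... would be overwritten by merge" case) is caught
# and reported before `git pull` aborts, instead of after.
require "open3"

# Parse `git status --porcelain` (v1) output into { status:, path: } hashes.
# Each line is "XY path": X is the index state, Y the work-tree state.
# Staged renames appear as "R  old -> new"; we keep the new name.
def parse_porcelain(output)
  output.each_line.filter_map do |line|
    line = line.chomp
    next if line.empty?
    status = line[0, 2]
    path = line[3..]
    path = path.split(" -> ").last if status.start_with?("R")
    { status: status, path: path }
  end
end

# Changes that make `git pull` refuse to merge: any tracked path that is
# modified, deleted, renamed or staged. Untracked files ("??") are listed
# separately; `git pull` only trips over them if the incoming commit adds
# the same path.
def blocking_changes(entries)
  entries.reject { |e| e[:status] == "??" }
end

def untracked(entries)
  entries.select { |e| e[:status] == "??" }
end

# Run git in the checkout and return the parsed entries. Assumes `git` is
# on PATH and db_dir is a git work tree.
def checkout_status(db_dir)
  out, err, st = Open3.capture3("git", "-C", db_dir, "status", "--porcelain")
  raise "git status failed in #{db_dir}: #{err}" unless st.success?
  parse_porcelain(out)
end

# Report what would block the update; discard it only when asked to.
# Returns :clean, :dirty or :reset.
def preflight(db_dir, reset: false)
  entries = checkout_status(db_dir)
  blocking = blocking_changes(entries)
  return :clean if blocking.empty?

  warn "#{db_dir} has local changes that would block `git pull`:"
  blocking.each { |e| warn "  #{e[:status]} #{e[:path]}" }
  untracked(entries).each { |e| warn "  ?? #{e[:path]} (untracked, not blocking)" }

  return :dirty unless reset

  # The advisory DB is meant to be a read-only mirror, so a hard reset to
  # HEAD loses nothing that belongs there. Untracked files are left alone.
  system("git", "-C", db_dir, "reset", "--hard", "HEAD") or raise "git reset failed"
  :reset
end

# Usage: ruby preflight.rb [DB_DIR] [--reset]
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  dir = ARGV.reject { |a| a.start_with?("--") }.first ||
        File.expand_path("~/.local/share/ruby-advisory-db")
  puts preflight(dir, reset: ARGV.include?("--reset"))
end
```

Run it as `ruby preflight.rb ~/.local/share/ruby-advisory-db` to see what would block the update, and add `--reset` to discard local edits once you have decided they are not something you want to keep. It is a cheaper alternative to deleting the whole checkout, and unlike the deletion it leaves a record (on stderr) of which advisory files had drifted.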
@postmodern (Member)

Could you run git status and git diff within ~/.local/share/ruby-advisory-db/ to see what exactly changed? No other code should write to that directory other than git. Not sure why that file would have changed.

@dssjoblom (Author)

@postmodern not anymore, unfortunately, as the workaround I found was deleting the directory so that the repository is checked out again. I did try git reset --hard 1b91d1f46534973a5c036725c5f597adcc99e31c and then bundle exec bundle-audit check --update again, but this time it works. While I don't know why this error occurred, is it possible that it is because the command was interrupted/killed at some point, leaving some corrupted state behind?

@postmodern (Member)

I'm curious if you were using git worktrees and somehow changes got into ~/.local/share/ruby-advisory-db/: #183 (comment)

@dssjoblom (Author)

@postmodern No, no worktrees. However, as additional info, I usually run the audit in a commit hook from Overcommit (https://github.com/sds/overcommit). I'm not completely familiar with how Overcommit works under the hood, but it does some magic on the current git repository with git stash and maybe something else as well. Could be related (?).

marcelolx commented May 12, 2023

Interestingly this happened to me today too, here goes the diff

File: gems/RedCloth/CVE-2012-6684.yml

---
-gem: RedCloth
+gem: redcloth
cve: 2012-6684
-osvdb: 115941
+ghsa: r23g-3qw4-gfh2
-url: https://co3k.org/blog/redcloth-unfixed-xss-en
+url: http://co3k.org/blog/redcloth-unfixed-xss-en
-title: "CVE-2012-6684 rubygem-RedCloth: XSS vulnerability"
+title: RedCloth Cross-site Scripting vulnerability
-date: 2012-02-29
+date: 2017-10-24
-description: 'Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9
-  for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML
-  via a javascript: URI.'
+description: Cross-site scripting (XSS) vulnerability in the
+  RedCloth library 4.2.9 for Ruby and earlier allows remote
+   attackers to inject arbitrary web script or HTML via a
+  "javascript:" URI.
cvss_v2: 4.3
patched_versions:
-  - '>= 4.3.0'
+ - ">= 4.3.0"
related:
  url:
-    - https://github.com/jgarber/redcloth/commit/2f6dab4d6aea5cee778d2f37a135637fe3f1573c
+   - https://nvd.nist.gov/vuln/detail/CVE-2012-6684
+   - http://co3k.org/blog/redcloth-unfixed-xss-en 
    - https://gist.github.com/co3k/75b3cb416c342aa1414c
-    - https://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss
+   - https://github.com/jgarber/redcloth/commit/b24f03db023d1653d60dd33b28e09317cd77c6a0
+   - https://github.com/advisories/GHSA-r23g-3qw4-gfh2
+   - http://seclists.org/fulldisclosure/2014/Dec/50
+   - http://www.debian.org/security/2015/dsa-3168
+   - https://web.archive.org/web/20150128115714/http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss
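Review bot: the `+` side is not an edit of the RedCloth advisory but a different record for the same CVE: `gem:` changes from `RedCloth` to `redcloth`, `osvdb: 115941` is replaced by `ghsa: r23g-3qw4-gfh2`, and `date` moves from 2012-02-29 to 2017-10-24 while `cve: 2012-6684` stays, which is what a second advisory file at a path differing only in case looks like when it is checked out over the first one on a case-insensitive filesystem; the fix belongs in the repository (keep one of the two spellings), not in this working tree. If the `+` content is the one that survives, it also needs cleanup: `+url: http://co3k.org/blog/redcloth-unfixed-xss-en` and the matching `related` entry drop the https scheme the `-` side had (and that related entry carries trailing whitespace), the `patched_versions` and `related.url` items are indented one space instead of the two used around them (`+ - ">= 4.3.0"` versus `-  - '>= 4.3.0'`), and the `+   attackers to inject` continuation line has one space more than its neighbours.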

I haven't changed anything manually, I just ran bundle exec bundle audit check --update

bundler-audit version 0.9.1

marcelolx commented May 12, 2023

I bet this is because in this PR rubysec/ruby-advisory-db#598 gems/redcloth/CVE-2012-6684.yml was added, but it did already exist at gems/RedCloth/CVE-2012-6684.yml, notice the folder name difference... and on macOS, as far as I know, the file system is not case-sensitive by default, which is why it was "modified"; it actually is conflicting, or something like that, because I can't revert the changes to the file: they come back as soon as I do that.
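The collision marcelolx describes can be caught before it reaches anyone's checkout. As an added example, not part of ruby-advisory-db or bundler-audit, this Ruby script lists tracked paths in a git repository that differ only in case, at both file and directory level, so it can run as a CI check on the advisory repository (or on any repository that must clone cleanly on macOS or Windows). It assumes git on PATH; the function names are the example's own.

```ruby
# Added example (not ruby-advisory-db's or bundler-audit's code): find
# tracked paths that differ only by case. Two such paths cannot coexist
# on a case-insensitive filesystem (macOS default, Windows): git checks
# one out over the other, the checkout then reports a modified file, and
# `git pull` refuses to merge until someone "commits or stashes" a change
# nobody made.

# Group paths by their case-folded form and return only the groups with
# more than one distinct spelling, e.g.
#   { "gems/redcloth/cve-2012-6684.yml" =>
#       ["gems/RedCloth/CVE-2012-6684.yml", "gems/redcloth/CVE-2012-6684.yml"] }
def case_collisions(paths)
  paths
    .uniq
    .group_by(&:downcase)
    .select { |_, group| group.length > 1 }
    .transform_values(&:sort)
end

# Directory-level collisions: gems/RedCloth/ and gems/redcloth/ collide
# even when the files inside them have different names, so every
# ancestor directory of every path is checked as well.
def directory_collisions(paths)
  dirs = paths.flat_map do |p|
    parts = p.split("/")[0...-1]
    (1..parts.length).map { |n| parts[0, n].join("/") }
  end
  case_collisions(dirs)
end

# Read the index with `git ls-files -z` (NUL-separated, so unusual file
# names survive). Assumes `git` is on PATH and repo_dir is a work tree.
def git_tracked_paths(repo_dir)
  out = IO.popen(["git", "-C", repo_dir, "ls-files", "-z"], &:read)
  raise "git ls-files failed in #{repo_dir}" unless $?.success?
  out.split("\0")
end

def check_repo(repo_dir)
  paths = git_tracked_paths(repo_dir)
  { files: case_collisions(paths), directories: directory_collisions(paths) }
end

# Usage: ruby case_collisions.rb REPO_DIR   (exit 1 when collisions exist)
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  result = check_repo(ARGV[0])
  result.each do |kind, groups|
    groups.each_value { |names| puts "#{kind} collision: #{names.join(' <-> ')}" }
  end
  exit(result.values.all?(&:empty?) ? 0 : 1)
end
```

`ruby case_collisions.rb ~/.local/share/ruby-advisory-db` exits non-zero when collisions exist, which makes it usable as a CI gate on the advisory repository. The Unix one-liner `git ls-files | tr 'A-Z' 'a-z' | sort | uniq -d` finds the file-level case only; the script also reports colliding parent directories, which is exactly the gems/RedCloth versus gems/redcloth situation and would still bite if the two files inside had different names.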

@postmodern (Member)

I have since removed the gems/redcloth/CVE-2012-6684.yml file.
rubysec/ruby-advisory-db@aa22f72

@marcelolx

I ran bundle exec bundle audit check --update again and this time it didn't fail, thanks @postmodern!
