Ability to define the Gemfile via BUNDLE_GEMFILE

[gurix]

When using bundler, a common strategy to handle different Gemfiles for a project is to use the environment variable BUNDLE_GEMFILE. Bundle audit does not support to set a specific Gemfile. This pull request addes this abillity.

Example:

markus@markuss-mbp ~/workspace/bundler-audit (master) $ BUNDLE_GEMFILE=../helena/gemfiles/rails_4.2.gemfile bin/bundle-audit 
No vulnerabilities found
markus@markuss-mbp ~/workspace/bundler-audit (master) $ BUNDLE_GEMFILE=../helena/gemfiles/rails_5.1.gemfile bin/bundle-audit 
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: https://github.com/flavorjones/loofah/issues/154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: https://github.com/rubyzip/rubyzip/issues/369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2

Vulnerabilities found!

[postmodern]

Tagging this for the 0.9.0 milestone. Currently preparing to merge/release 0.8.0, so consider rebasing after 0.8.0 has been released.

[postmodern]

bundler-audit 0.8.0 added support for a --gemfile-lock option for specifying a custom lock file to scan. Would this feature be more useful for automatically inferring the default lock file to scan?

[postmodern]

Going to push this off until 0.10.0.