Fix check for rubygems vulnerabilities
Welp, I think the check for rubygems vulnerabilities has been broken since February 2021.
Problem
I was looking around the rubysec/ruby-advisory-db repo while working on #34, and I noticed that the /libraries directory that holds the rubygems advisories was gone. Turns out, it was moved to /gems/rubygems-update in July 2019, with a symlink pointing from the old location to the new one, and then the symlink was removed in February 2021. So since then, RubyAudit isn't finding any advisories for any rubygems version.
The good news is, according to the ruby-advisory-db and rubygems's changelog, there don't seem to have been any new advisories/CVEs since March 2019 (rubygems v2.7.9 and v3.0.3). So, theoretically, everyone who had kept their rubygems versions up-to-date in 2021 should not have missed out on any advisories.
Solution
I've pointed the rubygems checks at the new home for rubygems advisories, and updated the specs. Updating the specs also required me to update our vendored copy of ruby-advisory-db (that we only use for testing), since the old copy (from 2016) still stores the advisories in /libraries. What do you think?
I'd also like to set up some automatic way to detect this kind of problem if it happens again. We don't control ruby-advisory-db and they have no duty to inform us of changes that may break our specific implementation... and RubyAudit development is very sporadic, so it's hard for its devs to be vigilant for breaking changes. I first thought about a runtime check, but it'd have to error in order to get the user's attention, and they wouldn't be able to do anything about it, so maybe not. Perhaps we can schedule a GitHub CI integration test to run daily/weekly/monthly, which simulates running RubyAudit with the latest ruby-advisory-db on a bunch of ruby and rubygems versions that we know have advisories?
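
A sketch of the canary check proposed in the last paragraph, as an added example that is not part of the original post or RubyAudit's own code. It fails loudly when the advisory directory is missing or empty instead of reporting zero findings. The helper names are hypothetical, the sample advisory is constructed, and the YAML layout (a `patched_versions` / `unaffected_versions` list of requirement strings per file) is an assumption about the database format.

```ruby
require "yaml"
require "tmpdir"
require "fileutils"

# Location of the rubygems advisories named in the post.
ADVISORY_DIR = "gems/rubygems-update"

# Returns the advisory files under db_root/dir that leave `version` unpatched.
# Raises when the directory is missing or empty, so a moved directory cannot
# pass as "no vulnerabilities found".
# Assumption: each advisory is a YAML file listing requirement strings.
def unpatched_advisories(db_root, version, dir: ADVISORY_DIR)
  files = Dir.glob(File.join(db_root, dir, "*.yml")).sort
  raise "no advisories under #{dir}: has the database layout changed?" if files.empty?

  v = Gem::Version.new(version)
  files.reject do |path|
    data = YAML.safe_load(File.read(path))
    safe = Array(data["patched_versions"]) + Array(data["unaffected_versions"])
    safe.any? { |req| Gem::Requirement.new(*req.split(",").map(&:strip)).satisfied_by?(v) }
  end
end

# Canary: a version known to have advisories must produce at least one hit.
def canary_ok?(db_root, known_vulnerable_version, dir: ADVISORY_DIR)
  !unpatched_advisories(db_root, known_vulnerable_version, dir: dir).empty?
end

# Constructed sample database; the advisory ID is a placeholder, not real data.
def build_sample_db
  root = Dir.mktmpdir("advisory-db")
  FileUtils.mkdir_p(File.join(root, ADVISORY_DIR))
  File.write(File.join(root, ADVISORY_DIR, "CVE-0000-0000.yml"), <<~YAML)
    gem: rubygems-update
    patched_versions:
      - "~> 2.7.9"
      - ">= 3.0.3"
  YAML
  root
end

if __FILE__ == $PROGRAM_NAME
  db = build_sample_db
  puts "canary (2.7.8): #{canary_ok?(db, '2.7.8')}"
  FileUtils.remove_entry(db)
end
```

In a scheduled CI job, `db_root` would point at a fresh checkout of ruby-advisory-db, and a raised error or a false canary result would fail the build.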