Ruby analyzer - bundle-audit not found


corey....@cerner.com

Mar 28, 2018, 3:13:24 PM
to Dependency Check
I know the Ruby analyzer is listed as experimental and it is just a wrapper for bundle-audit. But I tried Dependency Check on a Ruby project and it cannot find bundle-audit even though the bin directory where it resides is in my path.

$ /c/dependency-check/bin/dependency-check.bat --project test5 --scan .
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Check for updates complete (30 ms)
[INFO] Analysis Started
[INFO] Launching: [bundle-audit, check, --verbose] from C:\Users\username\AppData\Local\Temp\dctemp517a5a91-4e49-498e-9210-fd0b6131d443
[ERROR] Exception occurred initializing Ruby Bundle Audit Analyzer.
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Skipping CPE Analysis for npm
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished Cpe Suppression Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (1 seconds)
[ERROR] Exception from bundle-audit process: java.io.IOException: Cannot run program "bundle-audit" (in directory "C:\Users\username\AppData\Local\Temp\dctemp517a5a91-4e49-498e-9210-fd0b6131d443"): CreateProcess error=2, The system cannot find the file specified. Disabling Ruby Bundle Audit Analyzer


My PATH has the directory in it but the message above implies that bundle-audit cannot be found.  

PATH='/c/Users/username/bin:/mingw64/bin:/usr/local/bin:/usr/bin:/bin:/mingw64/bin:/usr/bin:/c/Users/username/bin:/c/Ruby24-x64/bin'

$ where bundle-audit
C:\Ruby24-x64\bin\bundle-audit
C:\Ruby24-x64\bin\bundle-audit.bat

I get the same result in my GitBash shell on Windows and on the straight Windows command prompt.  

Thanks,
Corey

Jeremy Long

Apr 9, 2018, 6:10:51 PM
to Dependency Check
Can you try specifying the bundle-audit path:

$ /c/dependency-check/bin/dependency-check.bat --project test5 --bundleAudit C:\Ruby24-x64\bin\bundle-audit --scan .

--Jeremy

corey....@cerner.com

Jun 13, 2018, 1:13:51 PM
to Dependency Check
Thanks, I'm just getting back to this. I tried your suggestion and I'm getting a different error. I tried it once with double quotes and once without.

C:\Workarea\Git\client_configuration_console>where bundle-audit
C:\Ruby24-x64\bin\bundle-audit
C:\Ruby24-x64\bin\bundle-audit.bat

C:\Workarea\Git\client_configuration_console>c:\dependency-check\bin\dependency-check.bat --enableExperimental --scan . --bundleAudit C:\Ruby24-x64\bin\bundle-audit --project client_configuration_console
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Check for updates complete (19 ms)
[INFO] Analysis Started
[INFO] Launching: [C:\Ruby24-x64\bin\bundle-audit, check, --verbose] from C:\Temp\dctempc1de205e-562e-475a-9042-eafb7c95f5a5
[ERROR] Exception occurred initializing Ruby Bundle Audit Analyzer.
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Skipping CPE Analysis for npm
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] An error occurred while analyzing 'C:\Workarea\Git\client_configuration_console\package.json' (Node Security Platform Analyzer).
[INFO] Finished Node Security Platform Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (1 seconds)
[ERROR] Exception from bundle-audit process: java.io.IOException: Cannot run program "C:\Ruby24-x64\bin\bundle-audit" (in directory "C:\Temp\dctempc1de205e-562e-475a-9042-eafb7c95f5a5"): CreateProcess error=193, %1 is not a valid Win32 application. Disabling Ruby Bundle Audit Analyzer
[ERROR] Failed to connect to the Node Security Project (NspAnalyzer); the analyzer is being disabled and may result in false negatives.

C:\Workarea\Git\client_configuration_console>C:\Ruby24-x64\bin\bundle-audit check --verbose
Name: loofah
Version: 2.1.1
Advisory: CVE-2018-8048
Criticality: Unknown
Description:

  Loofah allows non-whitelisted attributes to be present in sanitized output
  when input with specially-crafted HTML fragments.

Solution: upgrade to >= 2.2.1

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
Description:

  There is a possible XSS vulnerability in rails-html-sanitizer. The gem allows

  non-whitelisted attributes to be present in sanitized output when input with
  specially-crafted HTML fragments, and these attributes can lead to an XSS
  attack on target applications.

  This issue is similar to CVE-2018-8048 in Loofah.

Solution: upgrade to >= 1.0.4

Name: rubocop
Version: 0.47.1
Advisory: CVE-2017-8418
Criticality: Low
Description:

  RuboCop 0.48.1 and earlier does not use /tmp in safe way, allowing local users

  to exploit this to tamper with cache files belonging to other users.

Solution: upgrade to >= 0.49.0

Vulnerabilities found!

C:\Workarea\Git\client_configuration_console>C:\Ruby24-x64\bin\bundle-audit
Name: loofah
Version: 2.1.1
Advisory: CVE-2018-8048
Criticality: Unknown
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.1

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to >= 1.0.4

Name: rubocop
Version: 0.47.1
Advisory: CVE-2017-8418
Criticality: Low
Title: RuboCop: insecure use of /tmp
Solution: upgrade to >= 0.49.0

Vulnerabilities found!

C:\Workarea\Git\client_configuration_console>c:\dependency-check\bin\dependency-check.bat --enableExperimental --scan . --bundleAudit "C:\Ruby24-x64\bin\bundle-audit" --project client_configuration_console
[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Check for updates complete (32 ms)
[INFO] Analysis Started
[INFO] Launching: [C:\Ruby24-x64\bin\bundle-audit, check, --verbose] from C:\Temp\dctemp0106ec96-f12d-4d94-93f8-788dc2599ba0
[ERROR] Exception occurred initializing Ruby Bundle Audit Analyzer.
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Skipping CPE Analysis for npm
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] An error occurred while analyzing 'C:\Workarea\Git\client_configuration_console\package.json' (Node Security Platform Analyzer).
[INFO] Finished Node Security Platform Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (1 seconds)
[ERROR] Exception from bundle-audit process: java.io.IOException: Cannot run program "C:\Ruby24-x64\bin\bundle-audit" (in directory "C:\Temp\dctemp0106ec96-f12d-4d94-93f8-788dc2599ba0"): CreateProcess error=193, %1 is not a valid Win32 application. Disabling Ruby Bundle Audit Analyzer
[ERROR] Failed to connect to the Node Security Project (NspAnalyzer); the analyzer is being disabled and may result in false negatives.

Jeremy Long

Aug 8, 2018, 9:45:34 AM
to Dependency Check
The path you provided does not seem to be the full path to a windows executable for bundleaudit: `--bundleAudit C:\Ruby24-x64\bin\bundle-audit`. In that folder is there an actual bundle-audit.bat?

--Jeremy
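An added example, not code from OWASP dependency-check or from bundler-audit, that shows the two practical pieces behind this thread: resolving bundle-audit to a file Java's ProcessBuilder can actually launch on Windows, and parsing the `Name:`/`Version:`/`Advisory:` report that `bundle-audit check` prints (the format pasted in the earlier message) so a wrapper can gate a build on it. The interpretation of the two errors is my own reading of the log: CreateProcess does not apply PATHEXT the way cmd.exe does, so a bare `bundle-audit` (a Ruby script with no extension) gives error=2 when searched on PATH and error=193 when passed as an absolute path, while the `.bat` shim in the same folder is launchable. The function names, the `exist` injection point and the sample report below are assumptions made for this example.

```ruby
# Added example (not dependency-check or bundler-audit code).
require 'open3'

# Locate bundle-audit in a form CreateProcess/ProcessBuilder can run.
# On Windows the .bat/.cmd shim is the launchable file; the extension-less
# Ruby script next to it is what produced "error=193" in the thread.
# `dirs` is a list of directories (e.g. PATH split on File::PATH_SEPARATOR);
# `exist` is injectable so the logic can be exercised without a file system.
def resolve_bundle_audit(dirs, windows: Gem.win_platform?,
                         exist: ->(path) { File.file?(path) })
  names = windows ? %w[bundle-audit.bat bundle-audit.cmd bundle-audit.exe] : %w[bundle-audit]
  dirs.each do |dir|
    names.each do |name|
      candidate = File.join(dir, name)
      return candidate if exist.call(candidate)
    end
  end
  nil
end

# Run the resolved executable from the project directory (where Gemfile.lock
# lives) and return [stdout, exit_status]. Not exercised by the self-test.
def run_bundle_audit(exe, project_dir)
  stdout, status = Open3.capture2(exe, 'check', '--verbose', chdir: project_dir)
  [stdout, status.exitstatus]
end

Advisory = Struct.new(:name, :version, :advisory, :criticality, :title, :solution,
                      keyword_init: true)

FIELD = /\A(Version|Advisory|Criticality|Title|Solution): (.*)\z/

# Parse bundle-audit's human-readable report. Each advisory starts with a
# "Name:" line; the indented Description paragraph and the trailing
# "Vulnerabilities found!" line are skipped.
def parse_bundle_audit(output)
  advisories = []
  current = nil
  output.each_line do |raw|
    line = raw.chomp
    if line.start_with?('Name: ')
      current = Advisory.new(name: line.delete_prefix('Name: '))
      advisories << current
    elsif current && (m = FIELD.match(line))
      current[m[1].downcase.to_sym] = m[2]
    end
  end
  advisories
end

# Names of advisories whose criticality is in the blocking set. bundle-audit
# prints "Unknown" when the advisory has no score (see CVE-2018-8048 above),
# so Unknown is blocking by default rather than silently passing.
def blocking_advisories(advisories, block_on: %w[Unknown Medium High Critical])
  advisories.select { |a| block_on.include?(a.criticality) }.map(&:name)
end

# Constructed sample mirroring the report format shown in the thread.
SAMPLE_REPORT = <<~REPORT
  Name: loofah
  Version: 2.1.1
  Advisory: CVE-2018-8048
  Criticality: Unknown
  Description:

    Loofah allows non-whitelisted attributes to be present in sanitized output
    when input with specially-crafted HTML fragments.

  Solution: upgrade to >= 2.2.1

  Name: rubocop
  Version: 0.47.1
  Advisory: CVE-2017-8418
  Criticality: Low
  Description:

    RuboCop 0.48.1 and earlier does not use /tmp in safe way.

  Solution: upgrade to >= 0.49.0

  Vulnerabilities found!
REPORT

if __FILE__ == $PROGRAM_NAME
  exe = resolve_bundle_audit(ENV.fetch('PATH', '').split(File::PATH_SEPARATOR))
  puts "bundle-audit resolves to: #{exe.inspect}"
  advisories = parse_bundle_audit(SAMPLE_REPORT)
  advisories.each do |a|
    puts "#{a.name} #{a.version}: #{a.advisory} (#{a.criticality}) -> #{a.solution}"
  end
  puts "blocking: #{blocking_advisories(advisories).inspect}"
end
```

The value returned by `resolve_bundle_audit` on Windows is what belongs in `--bundleAudit`; passing the extension-less script, as in the thread, will keep producing error=193 no matter how it is quoted.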
