User-defined private security advisory warnings #365
-
Is there any way to define my own security advisory warnings? My organization maintains its own private set of ruby gems, and when we release security improvements / discover security issues, I would like to be able to advertise them to my team via Until now, I had thought that it should be possible to maintain my own fork of the ruby-advisory-db.git repository, where I could add my own security advisories and merge from upstream on a regular basis. Then I realized that the git url was hardcoded here (bundler-audit/lib/bundler/audit/database.rb, lines 37 to 38 in 88fa177), and I do not see any config or CLI option to change it. Is there some other approach to this problem that I am overlooking? Thank you so much for developing/maintaining this tool, it's a lifesaver for my organization!
Replies: 1 comment
-
This is an interesting idea to support internal advisories. You can specify an alternate database directory with `bundler-audit check --database path/to/ruby-advisory-db`. Although, much of the code expects each advisory to have either a CVE or GHSA ID and doesn't support printing your own internal advisory IDs. Also, keeping your own fork of `ruby-advisory-db` up to date with the upstream `ruby-advisory-db` would be difficult/annoying. Instead, I think you should use your own internal ticketing system to resolve security issues across all of your internal repositories.