Skip to content

Duplicate vulnerabilities reported for gems that have multiple arch specs on the lockfile #438

Description

@jrodriigues

Description

Steps To Reproduce

In a fresh directory:

  1. $ bundle init
  2. $ bundle add nokogiri --version 1.19.3
  3. $ bundler-audit check --update

Expected Behavior

nokogiri 1.19.4 fixed 9 security advisories, even though only 8 seem to be registered in the database (GHSA-g9g8-vgvw-g3vf is not showing).
The output of bundler-audit check should print 8 vulnerabilities, one for each database entry.

Actual Behaviour

The output of bundler-audit check prints 64 vulnerabilities.
This can be confirmed by running:

$ irb -r bundler/audit/scanner/

scanner = Bundler::Audit::Scanner.new
scanner.report.advisories.length
=> 64

The reason for this behaviour is because scanner.lockfile.specs contains a spec for each arch of nokogiri registered in the lockfile. In my case:

scanner.lockfile.specs
=>
[#<Bundler::LazySpecification @name="nokogiri" (1.19.3-aarch64-linux-gnu)>,
 #<Bundler::LazySpecification @name="nokogiri" (1.19.3-aarch64-linux-musl)>,
 #<Bundler::LazySpecification @name="nokogiri" (1.19.3-arm-linux-gnu)>,
 #<Bundler::LazySpecification @name="nokogiri" (1.19.3-arm-linux-musl)>,
 #<Bundler::LazySpecification @name="nokogiri" (1.19.3-arm64-darwin)>,
 #<Bundler::LazySpecification @name="nokogiri" (1.19.3-x86_64-darwin)>,
 #<Bundler::LazySpecification @name="nokogiri" (1.19.3-x86_64-linux-gnu)>,
 #<Bundler::LazySpecification @name="nokogiri" (1.19.3-x86_64-linux-musl)>,
 #<Bundler::LazySpecification @name="racc" (1.8.1)>]

So each vulnerability on the database is declared once for each nokogiri spec.

Environment

$ bundler-audit --version
bundler-audit 0.9.3
$ bundle --version
4.0.14
$ ruby --version
ruby 3.3.11 (2026-03-26 revision 1f2d15125a) [x86_64-linux]
$ git --version
git version 2.34.1

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions