Allow for ignoring insecure sources.

Ignoring internal sources is already supported with a fixed IP
whitelist, but this doesn't support cases where an internal source
doesn't fall within those IPs blocks. This change allows specific
hostnames to be ignored.

Author: Daniel O'Brien

lib/bundler/audit/scanner.rb

@@ -99,18 +99,21 @@ def scan(options={},&block)
       def scan_sources(options={})
         return enum_for(__method__,options) unless block_given?
 
+        ignore = Set[]
+        ignore += options[:ignore] if options[:ignore]
+
         @lockfile.sources.map do |source|
           case source
           when Source::Git
             case source.uri
             when /^git:/, /^http:/
-              unless internal_source?(source.uri)
+              unless internal_source?(source.uri) || ignore.include?(source.uri)
                 yield InsecureSource.new(source.uri)
               end
             end
           when Source::Rubygems
             source.remotes.each do |uri|
-              if (uri.scheme == 'http' && !internal_source?(uri))
+              if (uri.scheme == 'http' && !internal_source?(uri)) && !ignore.include?(uri.to_s)
                 yield InsecureSource.new(uri.to_s)
               end
             end

spec/scanner_spec.rb

@@ -41,7 +41,7 @@
 
       it "should ignore the specified advisories" do
         ids = subject.map { |result| result.advisory.id }
-        
+
         expect(ids).not_to include('OSVDB-89026')
       end
     end
@@ -58,6 +58,14 @@
       expect(subject[0].source).to eq('git://github.com/rails/jquery-rails.git')
       expect(subject[1].source).to eq('http://rubygems.org/')
     end
+
+    context "when ignoring insecure sources" do
+      subject { scanner.scan(:ignore => ['http://rubygems.org/', 'git://github.com/rails/jquery-rails.git']).to_a }
+
+      it "should print nothing when otherwise fine" do
+        expect(subject).to be_empty
+      end
+    end
   end
 
   context "when auditing a secure bundle" do