rubyPackages: Add command to audit packages (#443737)

doc/languages-frameworks/ruby.section.md

@@ -273,6 +273,8 @@ To test that it works, you can then try using the gem with:
 NIX_PATH=nixpkgs=$PWD nix-shell -p "ruby.withPackages (ps: with ps; [ name-of-your-gem ])"
 ```
 
+To check the gems for any security vulnerabilities, run `./maintainers/scripts/audit-ruby-packages/audit-ruby-packages.bash`.
+
 ### Packaging applications {#packaging-applications}
 
 A common task is to add a Ruby executable to Nixpkgs; popular examples would be `chef`, `jekyll`, or `sass`. A good way to do that is to use the `bundlerApp` function, that allows you to make a package that only exposes the listed executables. Otherwise, the package may cause conflicts through common paths like `bin/rake` or `bin/bundler` that aren't meant to be used.

maintainers/scripts/audit-ruby-packages/audit-ruby-packages.bash

@@ -0,0 +1,6 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bundler-audit
+
+set -o errexit -o nounset -o pipefail
+
+bundle-audit check "$(nix-build --no-out-link maintainers/scripts/audit-ruby-packages/default.nix)"

maintainers/scripts/audit-ruby-packages/default.nix

@@ -0,0 +1,15 @@
+let
+  pkgs = import ../../.. { };
+  lockFileBody = pkgs.lib.concatStringsSep "\n" (
+    pkgs.lib.mapAttrsToList (name: props: "    ${name} (${props.version})") (
+      pkgs.lib.filterAttrs (name: _props: name != "recurseForDerivations") pkgs.rubyPackages
+    )
+  );
+in
+pkgs.runCommand "bundle-audit" { } ''
+  mkdir "$out"
+  echo 'GEM' > "$out/Gemfile.lock"
+  echo '  remote: https://rubygems.org/' >> "$out/Gemfile.lock"
+  echo '  specs:' >> "$out/Gemfile.lock"
+  echo '${lockFileBody}' >> "$out/Gemfile.lock"
+''