Update bundler-audit vulnerability database as app user
We're currently installing gems and updating the `bundler-audit` vulnerability
database as the `root` user.
`bundle-audit update` downloads the database relative to the current user's
home directory. As the `root` user, the database is stored at
`/root/.local/share/ruby-advisory-db`.
Following best security practices, we drop down to a less privileged user
within our `Dockerfile`.
Like the `bundle-audit update` command, `bundle-audit check` will refer to a
vulnerability database relative to the current user's home directory. Running
as the `app` user, `bundler-audit` looks for a database at
`/home/app/.local/share/ruby-advisory-db`.
So, to summarize, we've been downloading the vulnerability database to
`/root/.local/share/ruby-advisory-db` and checking for it at
`/home/app/.local/share/ruby-advisory-db` during engine runs. This obviously
doesn't work and consistently produced out-of-date analysis results.
This commit updates this project's Dockerfile to update the `bundler-audit`
vulnerability database after we switch down to the `app` user, so it goes to
the right directory and can be picked up by the running engine.
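The ordering the commit describes, as an added example rather than the project's own Dockerfile; the base image, application path, user creation and build-time check are assumptions, and the commented-out line shows the pre-fix placement that wrote the database under `/root`:

```dockerfile
# Added example, not the project's Dockerfile. Base image, paths and user
# setup are assumptions; the point is where `bundle-audit update` runs
# relative to the USER switch.
FROM ruby:3.2-slim

# Installing gems as root is fine: they land in the system gem directory,
# which is readable by every user.
WORKDIR /usr/src/app
RUN gem install bundler-audit

# WRONG (the bug this commit fixes): running the update here, still as root,
# writes the database to /root/.local/share/ruby-advisory-db, a path the
# unprivileged `app` user never consults at check time.
# RUN bundle-audit update

# Drop privileges before doing anything keyed to $HOME.
RUN useradd --create-home --shell /bin/bash app \
 && chown -R app:app /usr/src/app
USER app
# Set HOME explicitly so the path does not depend on the runtime's passwd lookup.
ENV HOME=/home/app

# Now the database is fetched into /home/app/.local/share/ruby-advisory-db,
# the same path `bundle-audit check` resolves when the engine runs as `app`.
# The `test -d` fails the build if the directory ever ends up elsewhere again.
RUN bundle-audit update \
 && test -d "$HOME/.local/share/ruby-advisory-db"

CMD ["bundle-audit", "check"]
```

The build-time `test -d` is the regression guard: a future reordering that moves the update above `USER app` fails the image build instead of silently producing stale results.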