
Ruby Application Analysis

Ruby scanning supports packages from RubyGems distributed as .gem files, with full Security, License, and Identity data.

For best results, run the scan after installing the packages in a clean environment, or after storing the gems in a local cache that the analysis can read.

The Lifecycle scanner can also scan CycloneDX SBOMs generated for Ruby projects. See the CycloneDX pages for details.

Evaluation: Manifest and lock files

Ruby coordinate-based matching scans and evaluates the dependencies recorded in the Gemfile.lock file; manifest analysis is performed on that lock file.

What do we parse from the file?

Components listed in the GIT, GEM and PATH sections that carry an exact (pinned) version are analyzed; the indented requirement lines beneath each spec, which hold version constraints rather than exact versions, are not. For example:

Gemfile.lock

GIT
  remote: https://github.com/phatworx/devise_security_extension.git
  specs:
    devise_security_extension (0.10.0)

GEM
  remote: https://rubygems.org/
  specs:
    actionmailer (5.0.7.2)
      actionpack (= 5.0.7.2)

PATH
  remote: ../some_path
  specs:
    jquery (0.0.1)
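As an added illustration (not Lifecycle's own parser), the following Ruby script applies the rule just described to a constructed lock file: it walks the sections, keeps the GIT, GEM and PATH specs that carry an exact version, and drops everything else. It assumes Bundler's lock layout as shown above, where spec lines sit four spaces in under "specs:" and their requirements six.

```ruby
# Added example (not Lifecycle's own parser): applies the rule above, keeping only
# GIT, GEM and PATH specs with an exact version and skipping requirement lines,
# DEPENDENCIES, PLATFORMS and BUNDLED WITH.
SCANNED_SECTIONS = %w[GIT GEM PATH].freeze
# Bundler indents spec lines by four spaces under "specs:" and each spec's
# requirements by six, so only four-space lines are components.
SPEC_LINE = /\A {4}(?<name>\S+) \((?<version>[^()]+)\)\z/
SECTION_HEADER = /\A[A-Z][A-Z ]*\z/ # GIT, GEM, PATH, PLATFORMS, BUNDLED WITH

# Returns an array of { name:, version:, section:, remotes: } hashes.
def parse_lock_components(text)
  section, remotes, in_specs = nil, [], false
  text.each_line(chomp: true).with_object([]) do |line, out|
    if line.match?(SECTION_HEADER)
      section, remotes, in_specs = line, [], false
    elsif (m = line.match(/\A  remote: (.+)\z/))
      remotes << m[1] # a GEM section may list several sources
    elsif line == "  specs:"
      in_specs = true
    elsif in_specs && SCANNED_SECTIONS.include?(section) && (m = line.match(SPEC_LINE))
      # "(= 5.0.7.2)" or "(~> 0.6.1)" is a constraint, not an exact version
      next if m[:version].match?(/[<>=~]/)
      out << { name: m[:name], version: m[:version], section: section, remotes: remotes.dup }
    end
  end
end

# Constructed sample, condensed from the lock file shown above.
SAMPLE_LOCK = <<~LOCK
GIT
  remote: https://github.com/phatworx/devise_security_extension.git
  specs:
    devise_security_extension (0.10.0)
      devise (>= 3.0.0, < 5.0)
GEM
  remote: https://rubygems.org/
  remote: https://rails-assets.org/
  specs:
    actioncable (5.0.7.2)
      actionpack (= 5.0.7.2)
PATH
  remote: ../some_path
  specs:
    jquery (0.0.1)
DEPENDENCIES
  bullet (~> 5.7.0)
BUNDLED WITH
   1.17.1
LOCK
```

Running parse_lock_components(SAMPLE_LOCK) yields three components (devise_security_extension, actioncable and jquery), each tagged with its section and remote(s), while the constrained requirement lines and the DEPENDENCIES entry are ignored.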

Example Gemfile.lock File

Gemfile.lock

GIT
  remote: https://github.com/phatworx/devise_security_extension.git
  revision: b2ee978af7d49f0fb0e7271c6ac074dfb4d39353
  specs:
    devise_security_extension (0.10.0)
      devise (>= 3.0.0, < 5.0)
      railties (>= 3.2.6, < 6.0)

GEM
  remote: https://rubygems.org/
  remote: https://rails-assets.org/
  specs:
    actioncable (5.0.7.2)
      actionpack (= 5.0.7.2)
      nio4r (>= 1.2, < 3.0)
      websocket-driver (~> 0.6.1)
    actionmailer (5.0.7.2)
      actionpack (= 5.0.7.2)
      actionview (= 5.0.7.2)
      activejob (= 5.0.7.2)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)

PLATFORMS
  ruby

DEPENDENCIES
  acts-as-taggable-on (~> 5.0.0)
  acts_as_votable (~> 0.11.1)
  ahoy_matey (~> 1.6.0)
  ancestry (~> 3.0.7)
  audited (~> 4.9.0)
  autoprefixer-rails (~> 8.2.0)
  bullet (~> 5.7.0)
BUNDLED WITH
   1.17.1