Ruby Application Analysis
Evaluation: Advanced Binary Fingerprinting (ABF)
Ruby scanning supports packages from RubyGems as .gem files, with full Security, License and Identity data available. For the best results, run the scan after either installing the packages into a clean environment or storing the gems in a local cache, using one of the following Bundler commands:
- bundle cache --no-install : packages the dependencies into ./vendor/cache without installing them to the local install location
- bundle install --deployment : uses gems installed to ./vendor/bundle, not your default system location
In addition to the options listed above, Chelsea is an open-source scanning tool that scans Ruby-powered projects for vulnerable third-party dependencies. Chelsea can use data from Lifecycle for Sonatype customers.
The Lifecycle scanner can scan SBOMs generated from CycloneDX for Ruby. See CycloneDX pages for details.
Evaluation: Manifest and lock files
The Ruby coordinate-based matching feature scans and evaluates the Ruby dependencies recorded in the Gemfile.lock file; this is manifest analysis of the Gemfile.lock file only.
What do we parse from the file?
Components listed under the GIT, GEM and PATH sections that carry an exact version are analyzed. Lines that only express a version constraint (for example the nested actionpack (= 5.0.7.2) entry below) are dependency requirements of a component, not components themselves. For example:

GIT
  remote: https://github.com/phatworx/devise_security_extension.git
  specs:
    devise_security_extension (0.10.0)

GEM
  remote: https://rubygems.org/
  specs:
    actionmailer (5.0.7.2)
      actionpack (= 5.0.7.2)

PATH
  remote: ../some_path
  specs:
    jquery (0.0.1)
Example Gemfile.lock File
GIT
  remote: https://github.com/phatworx/devise_security_extension.git
  revision: b2ee978af7d49f0fb0e7271c6ac074dfb4d39353
  specs:
    devise_security_extension (0.10.0)
      devise (>= 3.0.0, < 5.0)
      railties (>= 3.2.6, < 6.0)

GEM
  remote: https://rubygems.org/
  remote: https://rails-assets.org/
  specs:
    actioncable (5.0.7.2)
      actionpack (= 5.0.7.2)
      nio4r (>= 1.2, < 3.0)
      websocket-driver (~> 0.6.1)
    actionmailer (5.0.7.2)
      actionpack (= 5.0.7.2)
      actionview (= 5.0.7.2)
      activejob (= 5.0.7.2)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)

PLATFORMS
  ruby

DEPENDENCIES
  acts-as-taggable-on (~> 5.0.0)
  acts_as_votable (~> 0.11.1)
  ahoy_matey (~> 1.6.0)
  ancestry (~> 3.0.7)
  audited (~> 4.9.0)
  autoprefixer-rails (~> 8.2.0)
  bullet (~> 5.7.0)

BUNDLED WITH
   1.17.1
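The following Ruby script is an added example, not Sonatype's own parser, showing how the selection rule above can be applied to a Gemfile.lock: it walks the file by indentation, keeps only entries under GIT, GEM and PATH that have an exact version, and ignores the DEPENDENCIES, PLATFORMS and BUNDLED WITH sections as well as nested constraint lines. The embedded sample is a trimmed copy of the example file shown above; the function name parse_gemfile_lock and the output shape are assumptions of this example.

```ruby
# Added example: extract analyzable components from a Gemfile.lock.
# Rule implemented (from the page): components under GIT, GEM and PATH
# with an exact version are reported; constraint lines such as
# "(= 5.0.7.2)" or "(~> 0.6.1)" and all other sections are skipped.

COMPONENT_SECTIONS = %w[GIT GEM PATH].freeze

# Returns an array of hashes: { name:, version:, section:, remotes: }.
# Gemfile.lock layout: section headers at indent 0, "remote:"/"specs:"
# at indent 2, component specs at indent 4, their dependencies at indent 6.
def parse_gemfile_lock(text)
  components = []
  section = nil
  remotes = []
  in_specs = false

  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    indent = line[/\A */].length

    if indent.zero?
      # New top-level header; only GIT/GEM/PATH can contain components.
      section = COMPONENT_SECTIONS.include?(line) ? line : nil
      remotes = []
      in_specs = false
      next
    end
    next if section.nil?

    body = line.strip
    case indent
    when 2
      if body.start_with?("remote:")
        remotes << body.sub("remote:", "").strip   # GEM may list several
      elsif body == "specs:"
        in_specs = true
      end
    when 4
      next unless in_specs
      m = body.match(/\A(\S+) \(([^)]*)\)\z/)     # "name (version)"
      next unless m
      name, version = m[1], m[2]
      # An exact version starts with a digit; "= x", "~> x", ">= x" do not.
      next unless version.match?(/\A\d[\w.\-]*\z/)
      components << { name: name, version: version, section: section, remotes: remotes.dup }
    end
    # indent 6 lines are dependency constraints of the spec above: not components.
  end
  components
end

# Constructed sample, trimmed from the page's example Gemfile.lock.
SAMPLE_LOCK = <<~LOCK
  GIT
    remote: https://github.com/phatworx/devise_security_extension.git
    revision: b2ee978af7d49f0fb0e7271c6ac074dfb4d39353
    specs:
      devise_security_extension (0.10.0)
        devise (>= 3.0.0, < 5.0)

  GEM
    remote: https://rubygems.org/
    specs:
      actionmailer (5.0.7.2)
        actionpack (= 5.0.7.2)
      actionpack (5.0.7.2)

  PATH
    remote: ../some_path
    specs:
      jquery (0.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    actionmailer (~> 5.0)

  BUNDLED WITH
     1.17.1
LOCK

if __FILE__ == $PROGRAM_NAME
  parse_gemfile_lock(SAMPLE_LOCK).each do |c|
    puts "#{c[:section]}\t#{c[:name]} #{c[:version]}\t#{c[:remotes].join(',')}"
  end
end
```

Run it against a real lock file with `parse_gemfile_lock(File.read("Gemfile.lock"))`; the nested `actionpack (= 5.0.7.2)` constraint under actionmailer is dropped while the top-level `actionpack (5.0.7.2)` spec is kept, which is the distinction the text draws.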