Ruby Application Analysis

NEW IN RELEASE 86


The Ruby coordinate-based matching feature scans and evaluates the Ruby dependencies recorded in a Gemfile.lock file.

What is supported

Files named Gemfile.lock (the lock file managed by the Ruby package manager) will be analyzed.

What do we parse from the file?

Components listed under the GIT, GEM, and PATH sections that are pinned to an exact version (such as 0.10.0, not a constraint such as >= 3.0.0) will be analyzed. For example:

GIT
  remote: https://github.com/phatworx/devise_security_extension.git
  specs:
    devise_security_extension (0.10.0)

GEM
  remote: https://rubygems.org/
  specs:
    actionmailer (5.0.7.2)
      actionpack (= 5.0.7.2)

PATH
  remote: ../some_path
  specs:
    jquery (0.0.1)
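To make the parsing rule above concrete, here is an added example, not Sonatype's own parser, that extracts exactly the components described: specs with an exact version under the GIT, GEM and PATH sections, while skipping dependency constraint lines and the PLATFORMS, DEPENDENCIES and BUNDLED WITH sections. The embedded sample lock file is assembled from the excerpts shown on this page; the hash layout (section, remotes, revision, name, version) is this example's own choice.

```ruby
# Added example, not Sonatype's own parser: pulls out the components that the
# page says Nexus IQ analyzes from a Gemfile.lock, i.e. specs with an exact
# version under the GIT, GEM and PATH sections. Other sections (PLATFORMS,
# DEPENDENCIES, BUNDLED WITH) and version constraints are skipped.

SOURCE_SECTIONS = %w[GIT GEM PATH].freeze

# A resolved spec sits at 4-space indent: "    name (version)".
# Its own dependencies sit at 6-space indent, so they never match this pattern.
SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\z/

# An exact version starts with a digit and contains no operator or comma;
# "= 5.0.7.2" and ">= 1.2, < 3.0" are constraints, not resolved components.
EXACT_VERSION = /\A\d[^\s,<>=~!]*\z/

def exact_version?(version)
  version.match?(EXACT_VERSION)
end

# Returns one hash per analyzable component:
#   { section:, remotes:, revision:, name:, version: }
def parse_gemfile_lock(text)
  components = []
  section = nil
  remotes = []
  revision = nil

  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?

    # An unindented line starts a new top-level section.
    unless line.start_with?(" ")
      section = line
      remotes = []
      revision = nil
      next
    end
    next unless SOURCE_SECTIONS.include?(section)

    if (m = line.match(/\A {2}remote: (.+)\z/))
      remotes << m[1]
    elsif (m = line.match(/\A {2}revision: (.+)\z/))
      revision = m[1]
    elsif (m = line.match(SPEC_LINE)) && exact_version?(m[2])
      components << {
        section: section,
        remotes: remotes.dup,
        revision: revision,
        name: m[1],
        version: m[2]
      }
    end
  end

  components
end

# Sample lock file assembled from the excerpts on this page (the GIT and GEM
# blocks from the full example plus the PATH block from the short one).
SAMPLE_LOCK = <<~LOCK
GIT
  remote: https://github.com/phatworx/devise_security_extension.git
  revision: b2ee978af7d49f0fb0e7271c6ac074dfb4d39353
  specs:
    devise_security_extension (0.10.0)
      devise (>= 3.0.0, < 5.0)
      railties (>= 3.2.6, < 6.0)

GEM
  remote: https://rubygems.org/
  remote: https://rails-assets.org/
  specs:
    actioncable (5.0.7.2)
      actionpack (= 5.0.7.2)
      nio4r (>= 1.2, < 3.0)
      websocket-driver (~> 0.6.1)
    actionmailer (5.0.7.2)
      actionpack (= 5.0.7.2)
      actionview (= 5.0.7.2)
      activejob (= 5.0.7.2)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)

PATH
  remote: ../some_path
  specs:
    jquery (0.0.1)

PLATFORMS
  ruby

DEPENDENCIES
  acts-as-taggable-on (~> 5.0.0)
  bullet (~> 5.7.0)

BUNDLED WITH
   1.17.1
LOCK

if __FILE__ == $PROGRAM_NAME
  parse_gemfile_lock(SAMPLE_LOCK).each do |c|
    origin = c[:revision] ? "#{c[:remotes].first}@#{c[:revision]}" : c[:remotes].join(",")
    puts "#{c[:section]}\t#{c[:name]} #{c[:version]}\t#{origin}"
  end
end
```

Run it as a script and it lists four components (devise_security_extension, actioncable, actionmailer, jquery) together with where each came from. Keeping the remote and, for GIT sources, the pinned revision alongside the version is what lets a reviewer confirm that a git-sourced gem is pinned to a specific commit rather than a moving branch; the DEPENDENCIES section is deliberately ignored because its ~> and >= ranges describe what was requested, not what was resolved.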

Integrations with Ruby scanning support

  • CLI from version 86
  • Jenkins from version 3.8.20200310-130318.c482b58
  • Bamboo from version 1.15.1-01

Steps to analyze using the CLI

Invoke a CLI scan of a directory, or of subdirectories, containing a Gemfile.lock file. Instructions on how to do this are in the Nexus IQ CLI documentation.

Example Gemfile.lock File

GIT
  remote: https://github.com/phatworx/devise_security_extension.git
  revision: b2ee978af7d49f0fb0e7271c6ac074dfb4d39353
  specs:
    devise_security_extension (0.10.0)
      devise (>= 3.0.0, < 5.0)
      railties (>= 3.2.6, < 6.0)

GEM
  remote: https://rubygems.org/
  remote: https://rails-assets.org/
  specs:
    actioncable (5.0.7.2)
      actionpack (= 5.0.7.2)
      nio4r (>= 1.2, < 3.0)
      websocket-driver (~> 0.6.1)
    actionmailer (5.0.7.2)
      actionpack (= 5.0.7.2)
      actionview (= 5.0.7.2)
      activejob (= 5.0.7.2)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)

PLATFORMS
  ruby

DEPENDENCIES
  acts-as-taggable-on (~> 5.0.0)
  acts_as_votable (~> 0.11.1)
  ahoy_matey (~> 1.6.0)
  ancestry (~> 3.0.7)
  audited (~> 4.9.0)
  autoprefixer-rails (~> 8.2.0)
  bullet (~> 5.7.0)
  
BUNDLED WITH
   1.17.1

Output from the CLI

Dashboard results

Report results