Ruby Application Analysis

Evaluation: Advance Binary Fingerprinting (ABF)

Ruby scanning supports packages from RubyGems as (.gem) files with the full support of Security, License, Identity data available.  For the best results, the scan should happen after either installing the packages from a clean environment or storing the gems in a local cache to run the analysis.

• bundle cache --no-install : package the dependencies to ./vendor/cache without installing them to the local install location
• bundle install --deployment : uses gems installed to ./vendor/bundle not your default system location. 

In addition to the options listed above, Chelsea is an open-source scanning tool that scans Ruby-powered projects for vulnerable third-party dependencies. Chelsea can use data from Nexus Lifecycle for Sonatype customers.

The Lifecycle scanner can scan SBOMs generated from CycloneDX for Ruby. See CycloneDX pages for details.

Evaluation: Manifest and lock files

The Ruby coordinate-based matching feature provides the ability to scan and evaluate Ruby dependencies found in the Gemfile.lock file. Support includes manifest analysis using the Gemfile.lock file. 

What do we parse from the file?

Components from sections GIT, GEM and PATH and with an exact version will be analyzed. For example:

GIT
  remote: https://github.com/phatworx/devise_security_extension.git
  specs:
    devise_security_extension (0.10.0)

GEM
  remote: https://rubygems.org/
  specs:
    actionmailer (5.0.7.2)
      actionpack (= 5.0.7.2)

PATH
  remote: ../some_path
  specs:
    jquery (0.0.1)

Example Gemfile.lock File

GIT
  remote: https://github.com/phatworx/devise_security_extension.git
  revision: b2ee978af7d49f0fb0e7271c6ac074dfb4d39353
  specs:
    devise_security_extension (0.10.0)
      devise (>= 3.0.0, < 5.0)
      railties (>= 3.2.6, < 6.0)

GEM
  remote: https://rubygems.org/
  remote: https://rails-assets.org/
  specs:
    actioncable (5.0.7.2)
      actionpack (= 5.0.7.2)
      nio4r (>= 1.2, < 3.0)
      websocket-driver (~> 0.6.1)
    actionmailer (5.0.7.2)
      actionpack (= 5.0.7.2)
      actionview (= 5.0.7.2)
      activejob (= 5.0.7.2)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)

PLATFORMS
  ruby

DEPENDENCIES
  acts-as-taggable-on (~> 5.0.0)
  acts_as_votable (~> 0.11.1)
  ahoy_matey (~> 1.6.0)
  ancestry (~> 3.0.7)
  audited (~> 4.9.0)
  autoprefixer-rails (~> 8.2.0)
  bullet (~> 5.7.0)
  
BUNDLED WITH
   1.17.1

Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin will not evaluate the Gemfile.lock file. A custom Scan Target is needed.

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/Gemfile.lock']], iqStage: 'build'

To find more information on how to configure Jenkins please go to the Nexus Platform Plugin for Jenkins.

Steps to analyze using the Bamboo plugin

Bamboo Scan Targets control what files are examined.  To evaluate Ruby, add Gemfile.lock to the scan targets via "**/Gemfile.lock".  To find more information on how to configure Bamboo please go to the Nexus IQ for Bamboo.