Ruby Application Analysis
Ruby scanning supports packages from RubyGems as (.gem) files with the full support of Security, License, Identity data.
For the best results, the scan should happen after either installing the packages from a clean environment or storing the gems in a local cache to run the analysis.
bundle cache --no-install : package the dependencies to ./vendor/cache without installing them to the local install location
bundle install --deployment: uses gems installed to ./vendor/bundle not your default system location.
The Lifecycle scanner can scan SBOMs generated from CycloneDX for Ruby. See ??? pages for details.
Evaluation: Manifest and lock files
The Ruby coordinate-based matching feature provides the ability to scan and evaluate Ruby dependencies found in the Gemfile.lock file. Support includes manifest analysis using the Gemfile.lock file.
What do we parse from the file?
Components from sections GIT, GEM and PATH and with an exact version will be analyzed. For example:
Gemfile.lock
GIT
remote: https://github.com/phatworx/devise_security_extension.git
specs:
devise_security_extension (0.10.0)
GEM
remote: https://rubygems.org/
specs:
actionmailer (5.0.7.2)
actionpack (= 5.0.7.2)
PATH
remote: ../some_path
specs:
jquery (0.0.1)
Example Gemfile.lock File
Gemfile.lock
GIT
remote: https://github.com/phatworx/devise_security_extension.git
revision: b2ee978af7d49f0fb0e7271c6ac074dfb4d39353
specs:
devise_security_extension (0.10.0)
devise (>= 3.0.0, < 5.0)
railties (>= 3.2.6, < 6.0)
GEM
remote: https://rubygems.org/
remote: https://rails-assets.org/
specs:
actioncable (5.0.7.2)
actionpack (= 5.0.7.2)
nio4r (>= 1.2, < 3.0)
websocket-driver (~> 0.6.1)
actionmailer (5.0.7.2)
actionpack (= 5.0.7.2)
actionview (= 5.0.7.2)
activejob (= 5.0.7.2)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0)
PLATFORMS
ruby
DEPENDENCIES
acts-as-taggable-on (~> 5.0.0)
acts_as_votable (~> 0.11.1)
ahoy_matey (~> 1.6.0)
ancestry (~> 3.0.7)
audited (~> 4.9.0)
autoprefixer-rails (~> 8.2.0)
bullet (~> 5.7.0)
BUNDLED WITH
1.17.1