Ruby Application Analysis

NEW IN RELEASE 86


The Ruby coordinate based matching feature provides the ability to scan and evaluate Ruby dependencies found in the Gemfile.lock file.

What is supported

Files named Gemfile.lock (managed by the Ruby package manager) will be analyzed.

What do we parse from the file?

Components listed in the GIT, GEM and PATH sections that carry an exact version will be analyzed; version constraints a component declares on other gems (for example "actionpack (= 5.0.7.2)") are not treated as components. For example:

GIT
  remote: https://github.com/phatworx/devise_security_extension.git
  specs:
    devise_security_extension (0.10.0)

GEM
  remote: https://rubygems.org/
  specs:
    actionmailer (5.0.7.2)
      actionpack (= 5.0.7.2)

PATH
  remote: ../some_path
  specs:
    jquery (0.0.1)
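The parsing rules above, as an added example in Ruby (not Sonatype's code): the function name is my own, and the sample lock file is constructed from the fragment shown above.

```ruby
# Added example, not Sonatype's code: extract the components Nexus IQ would
# consider from a Gemfile.lock per the rules above (GIT, GEM and PATH sections
# only; only spec lines with an exact version). Indentation is significant:
# section names are flush left, "remote:"/"specs:" at 2 spaces, components at 4.
SCANNED_SECTIONS = %w[GIT GEM PATH].freeze
# Returns an array of { name:, version:, section:, remote: } hashes.
def parse_gemfile_lock(text)
  section = remote = nil
  in_specs, components = false, []
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line == line.lstrip                 # flush-left line opens a section
      section, remote, in_specs = line, nil, false
      next
    end
    next unless SCANNED_SECTIONS.include?(section)
    indent = line[/\A */].size
    if indent == 2
      key, value = line.strip.split(": ", 2)
      remote = value if key == "remote"    # last remote wins if several
      in_specs = (key == "specs:")
      next
    end
    next unless in_specs && indent == 4    # deeper lines are constraints
    m = line.strip.match(/\A(\S+) \((\d[^)]*)\)\z/)
    next unless m                          # no exact version, e.g. "(= 1.0)"
    components << { name: m[1], version: m[2], section: section, remote: remote }
  end
  components
end
# Constructed sample modelled on the lock file fragment shown above.
SAMPLE_LOCK = <<~LOCK
  GIT
    remote: https://github.com/phatworx/devise_security_extension.git
    specs:
      devise_security_extension (0.10.0)
  GEM
    remote: https://rubygems.org/
    specs:
      actionmailer (5.0.7.2)
        actionpack (= 5.0.7.2)
  PATH
    remote: ../some_path
    specs:
      jquery (0.0.1)
  DEPENDENCIES
    actionmailer (~> 5.0)
LOCK
```

Running `parse_gemfile_lock(SAMPLE_LOCK)` yields the three components from GIT, GEM and PATH; the DEPENDENCIES entry and the nested actionpack constraint are skipped.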

Integrations with Ruby scanning support

  • CLI from version 86
  • Jenkins from version 3.8.20200310-130318.c482b58
  • Bamboo from version 1.15.1-01

Steps to analyze using the CLI

Invoke a CLI scan of a directory or subdirectories containing a Gemfile.lock file. Instructions on how to do this can be found here: Nexus IQ CLI.

Example Gemfile.lock File

GIT
  remote: https://github.com/phatworx/devise_security_extension.git
  revision: b2ee978af7d49f0fb0e7271c6ac074dfb4d39353
  specs:
    devise_security_extension (0.10.0)
      devise (>= 3.0.0, < 5.0)
      railties (>= 3.2.6, < 6.0)

GEM
  remote: https://rubygems.org/
  remote: https://rails-assets.org/
  specs:
    actioncable (5.0.7.2)
      actionpack (= 5.0.7.2)
      nio4r (>= 1.2, < 3.0)
      websocket-driver (~> 0.6.1)
    actionmailer (5.0.7.2)
      actionpack (= 5.0.7.2)
      actionview (= 5.0.7.2)
      activejob (= 5.0.7.2)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)

PLATFORMS
  ruby

DEPENDENCIES
  acts-as-taggable-on (~> 5.0.0)
  acts_as_votable (~> 0.11.1)
  ahoy_matey (~> 1.6.0)
  ancestry (~> 3.0.7)
  audited (~> 4.9.0)
  autoprefixer-rails (~> 8.2.0)
  bullet (~> 5.7.0)
  
BUNDLED WITH
   1.17.1

Output from the CLI

Dashboard results

Report results

Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin will not evaluate the Gemfile.lock file. A custom Scan Target is needed, for example:

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/Gemfile.lock']], iqStage: 'build'

For more information on how to configure Jenkins, see the Nexus Platform Plugin for Jenkins.

Steps to analyze using the Bamboo plugin

Bamboo Scan Targets control what files are examined. To evaluate Ruby, add Gemfile.lock to the scan targets via "**/Gemfile.lock". For more information on how to configure Bamboo, see Nexus IQ for Bamboo.