Open willmurphyscode opened 1 year ago
I haven't run this code, but I think something similar to this would do the trick: https://github.com/anchore/syft/pull/1971#issuecomment-1690484083
The new code added in 0.95.0 will show the gem name as a package but none of the dependencies present in the gemspec file, unless you have a `Gemfile.lock` (if you don't have a `Gemfile.lock` you won't see anything added in `Gemfile` or `*.gemspec`). That is unfortunate.

Example: `my_gem.gemspec`:
```ruby
# ...
Gem::Specification.new do |spec|
  spec.name = "my_gem"
  # MyGem::VERSION is defined elsewhere in the gem's source (not shown here)
  spec.version = MyGem::VERSION
  spec.authors = ["MyTeam"]
  spec.email = ["my@email.com"]
  # ...
  spec.add_dependency "rails"
  spec.add_development_dependency "rake"
  spec.add_development_dependency "rspec"
end
# ...
```
This will only list `my_gem` as the package.

I would expect that in case of a missing `Gemfile.lock`, the cataloger would look at `Gemfile` or `*.gemspec`.
What would you like to be added:
Running `syft` pointed at a directory that contains the source code of a Ruby gem should find that gem and its dependencies.

Why is this needed:
Syft's current Ruby catalogers focus on `Gemfile.lock` (directory cataloger) and `**/specifications/**/*.gemspec` in an image context. However, when running Syft on a directory that contains a checkout of the source of a gem, neither of these catalogers finds anything. (For example, running `git clone git@github.com:CanCanCommunity/cancancan.git && syft packages --catalogers all dir:cancancan` prints `No packages discovered`; it should instead print `cancancan` itself and its dependencies.)

Additional context:
https://yehudakatz.com/2010/12/16/clarifying-the-roles-of-the-gemspec-and-gemfile/ is a helpful post on understanding how working on a gem is different from having an installed gem and different from working on an application.
Thanks @mscottford for pointing out this issue!
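An added example, not code from syft or from anyone in this thread: a minimal Go sketch of the directory-context gemspec cataloger this issue asks for, covering both the `my_gem.gemspec` case above and the source-checkout case in the issue body. It scans gemspec text for `name`, a literal `version`, and every `add_dependency` / `add_runtime_dependency` / `add_development_dependency` call without evaluating the file as Ruby. That matters for a tool run over untrusted checkouts: loading the gemspec through RubyGems would execute arbitrary code from the repository being scanned, so a static parse is the safer design, at the cost that a version given as a constant such as `MyGem::VERSION` (as in the gemspec above) cannot be resolved and is reported empty. The input is a constructed gemspec modelled on the one in the thread; the type and function names are my own assumptions, not syft's.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Dependency is one add_dependency / add_runtime_dependency /
// add_development_dependency call found in a gemspec.
type Dependency struct {
	Name        string
	Constraints []string // e.g. ["~> 7.0", ">= 7.0.1"]; empty when unconstrained
	Development bool
}

// GemspecPackage is what a gemspec-in-source-checkout cataloger would emit.
// (Hypothetical type, not syft's.)
type GemspecPackage struct {
	Name         string
	Version      string // only set when the gemspec uses a string literal
	Dependencies []Dependency
}

var (
	// `spec.name = "my_gem"` (the block variable name is arbitrary)
	nameRe = regexp.MustCompile(`^\w+\.name\s*=\s*["']([^"']+)["']`)
	// `spec.version = "1.2.3"`; `spec.version = MyGem::VERSION` deliberately does not match
	versionRe = regexp.MustCompile(`^\w+\.version\s*=\s*["']([^"']+)["']`)
	// `spec.add_dependency "rails", ">= 6.0"` and the parenthesised form
	depRe = regexp.MustCompile(`^\w+\.add_(development_|runtime_)?dependency\s*\(?\s*["']([^"']+)["'](.*)$`)
	// every quoted string in the remainder of a dependency line is a version constraint
	quotedRe = regexp.MustCompile(`["']([^"']+)["']`)
)

// ParseGemspec extracts the package name, literal version and declared
// dependencies from gemspec source text. It never evaluates the Ruby, so a
// malicious gemspec in a scanned checkout cannot run code in the scanner.
func ParseGemspec(src string) GemspecPackage {
	var pkg GemspecPackage
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank or comment line
		}
		if m := nameRe.FindStringSubmatch(line); m != nil {
			pkg.Name = m[1]
			continue
		}
		if m := versionRe.FindStringSubmatch(line); m != nil {
			pkg.Version = m[1]
			continue
		}
		if m := depRe.FindStringSubmatch(line); m != nil {
			dep := Dependency{Name: m[2], Development: m[1] == "development_"}
			for _, c := range quotedRe.FindAllStringSubmatch(m[3], -1) {
				dep.Constraints = append(dep.Constraints, c[1])
			}
			pkg.Dependencies = append(pkg.Dependencies, dep)
		}
	}
	return pkg
}

// RuntimeDependencies returns the non-development dependency names, which is
// what a Gemfile.lock-free cataloger would report alongside the gem itself.
func RuntimeDependencies(pkg GemspecPackage) []string {
	var out []string
	for _, d := range pkg.Dependencies {
		if !d.Development {
			out = append(out, d.Name)
		}
	}
	return out
}

// SampleGemspec is a constructed gemspec modelled on the one in the thread,
// with a version constant (unresolvable statically) and several call styles.
const SampleGemspec = `# frozen_string_literal: true
require_relative "lib/my_gem/version"

Gem::Specification.new do |spec|
  spec.name = "my_gem"
  spec.version = MyGem::VERSION
  spec.authors = ["MyTeam"]
  # spec.add_dependency "commented_out"
  spec.add_dependency "rails"
  spec.add_runtime_dependency "nokogiri", "~> 1.15", ">= 1.15.4"
  spec.add_development_dependency("rake", "~> 13.0")
  spec.add_development_dependency "rspec"
end
`

func main() {
	pkg := ParseGemspec(SampleGemspec)
	fmt.Printf("package %s version %q\n", pkg.Name, pkg.Version)
	for _, d := range pkg.Dependencies {
		fmt.Printf("  %s %v development=%v\n", d.Name, d.Constraints, d.Development)
	}
	fmt.Println("runtime:", RuntimeDependencies(pkg))
}
```

The line-oriented regex approach only handles one dependency call per line with string-literal names and constraints; anything built from interpolation, loops or helper methods is invisible to it and would have to be reported as an unresolved dependency rather than guessed. Cross-checking against `Gemfile.lock` when one exists is still the better source of resolved versions.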