anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Improve cataloging of Ruby Gems under development #2128

Open willmurphyscode opened 1 year ago

willmurphyscode commented 1 year ago

What would you like to be added:

Running syft pointed at a directory that contains the source code of a Ruby gem should find that gem and its dependencies.

Why is this needed:

Syft's current Ruby catalogers focus on Gemfile.lock (directory cataloger) and **/specifications/**/*.gemspec in an image context. However, when running Syft on a directory that contains a checkout of the source of a gem, neither of these catalogers finds anything. (For example, running git clone git@github.com:CanCanCommunity/cancancan.git && syft packages --catalogers all dir:cancancan prints No packages discovered; it should instead print cancancan itself and its dependencies.)

Additional context: https://yehudakatz.com/2010/12/16/clarifying-the-roles-of-the-gemspec-and-gemfile/ is a helpful post on understanding how working on a gem is different from having an installed gem and different from working on an application.

Thanks @mscottford for pointing out this issue!

wagoodman commented 1 year ago

I haven't run this code, but I think something similar to this would do the trick: https://github.com/anchore/syft/pull/1971#issuecomment-1690484083

AshDevFr commented 10 months ago

The new code added in 0.95.0 will show the gem name as a package but none of the dependencies present in the gemspec file, unless you have a Gemfile.lock.

If you don't have a Gemfile.lock you won't see anything added in Gemfile or *.gemspec. That is unfortunate.

Example: my_gem.gemspec:

# ...

Gem::Specification.new do |spec|
  spec.name          = "my_gem"
  spec.version       = MyGem::VERSION
  spec.authors       = ["MyTeam"]
  spec.email         = ["my@email.com"]

  # ...

  spec.add_dependency "rails"
  spec.add_development_dependency "rake"
  spec.add_development_dependency "rspec"
end

# ...

This will only list my_gem as the package.

I would expect that in case of missing Gemfile.lock, the cataloger would look at Gemfile or *.gemspec.
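A line-based scan of the kind this comment asks for, added here as an illustration and not Syft's own cataloger code: it pulls the gem name, the version expression and the runtime/development dependencies out of gemspec text without evaluating Ruby, so a constant such as MyGem::VERSION comes back unresolved. The SampleGemspec constant is the my_gem.gemspec from the comment above, repeated as constructed input; the type and regex names are mine.

```go
package main

import (
	"regexp"
	"strings"
)

// GemspecDep is one declared dependency; Dev marks add_development_dependency.
type GemspecDep struct {
	Name string
	Dev  bool
}

// Gemspec is what a text scan recovers without evaluating Ruby; Version stays
// as written (e.g. the constant MyGem::VERSION) when it is not a string literal.
type Gemspec struct {
	Name, Version string
	Deps          []GemspecDep
}

var (
	nameRe    = regexp.MustCompile(`^\s*\w+\.name\s*=\s*["']([^"']+)["']`)
	versionRe = regexp.MustCompile(`^\s*\w+\.version\s*=\s*(.+?)\s*$`)
	depRe     = regexp.MustCompile(`^\s*\w+\.add_(development_|runtime_)?dependency\s*\(?\s*["']([^"']+)["']`)
)

// ParseGemspec scans gemspec source line by line and records name, version and
// dependencies; "# ..." comment lines never match because each pattern needs a receiver.
func ParseGemspec(src string) Gemspec {
	var g Gemspec
	for _, line := range strings.Split(src, "\n") {
		if m := nameRe.FindStringSubmatch(line); m != nil {
			g.Name = m[1]
		} else if m := versionRe.FindStringSubmatch(line); m != nil {
			g.Version = strings.Trim(m[1], `"'`)
		} else if m := depRe.FindStringSubmatch(line); m != nil {
			g.Deps = append(g.Deps, GemspecDep{Name: m[2], Dev: m[1] == "development_"})
		}
	}
	return g
}

// SampleGemspec is the my_gem.gemspec from the comment above (constructed input).
const SampleGemspec = `Gem::Specification.new do |spec|
  spec.name          = "my_gem"
  spec.version       = MyGem::VERSION
  spec.add_dependency "rails"
  spec.add_development_dependency "rake"
  spec.add_development_dependency "rspec"
end`
```

Running ParseGemspec(SampleGemspec) yields my_gem with the unresolved version MyGem::VERSION and three dependencies, rails as runtime and rake/rspec as development-only; pinning the version or the dependency versions still needs a Gemfile.lock or a RubyGems evaluation of the spec.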