Proposed User Story: Query what codebases uses a subset of gems

[cmharlow]

I'd like to be able to use Quimby to see what codebases (that are Ruby) use a subset or selection of gems.

Example: Tell me all the repositories that currently use dor-services. Versions too could be helpful, but I'm primarily interested in who is using what gems or libraries.

This can probably be a query completed through Gemfile lookups / searching.

This is a low priority.

[eefahy]

we could potentially look into functionality via the bundler-audit or bundler gem that provides Gemfile.lock parsing classes

[cbeer]

Gemnasium also knows this: https://gemnasium.com/gems/dor-services

[cmharlow]

so maybe in the spirit of quimby handing off queries to other services that are already/better suited to handle them, we just recommend folks needing this go to gemnasium.

[jonrober]

We can query that data via the gemnasium API and load it into a table, then do queries against that. That could provide the search usefulness, but then leaving the UI of actually displaying that information prettily as a link into gemnasium if people want to drill down more.

A lot of the reason why I wanted to look at this was to rethink a little bit from something @eefahy said in the retrospective about using bundler-audit with security parsing as a whole. The advantage to having bundler do the checks for this and for security problems in general is that the developers know for sure that the thing they'll use to distribute a package is happy with it. That does have some appeal.

On the other hand, gemnasium actually provides an API rather than making us figure out how to best run this process and get back the info ourselves. That's a major thing for ease of setting up the app and debugging it in the future.

Having more time to think it through, I think I'd recommend that for now we continue using gemnasium for the alerts that we already are, and that I edit that process to also pull in the names of all the gem dependancies for us to expose as a filter. The thought of a gemnasium/bundler-audit mismatch is only theoretical and they do (IIRC on gemnasium) use the same database to determine this. So we can do the simple thing for now and only spend time on complicating it if it does turn out that in practice there's a good benefit to running the parsing directly ourselves.