Class RubyBundlerAnalyzer

  • All Implemented Interfaces:
    java.io.FileFilter, Analyzer, FileTypeAnalyzer

    @ThreadSafe
    public class RubyBundlerAnalyzer
    extends RubyGemspecAnalyzer
    This analyzer accepts the fully resolved .gemspec created by the Ruby bundler (http://bundler.io) for better evidence results. It also tries to resolve the dependency packagePath to where the gem is actually installed. Then, during AnalysisPhase.PRE_FINDING_ANALYSIS, DependencyMergingAnalyzer merges two .gemspec dependencies if their Dependency.getPackagePath() values are the same. Ruby bundler creates new .gemspec files under a folder called "specifications" at deploy time, in addition to the original .gemspec files from source. The bundler-generated .gemspec files always contain fully resolved attributes and thus provide more accurate evidence, whereas the original .gemspec from source often contains variables for attributes that cannot be used as evidence. Note that this analyzer shares the same Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED setting as RubyGemspecAnalyzer, so it is enabled/disabled together with RubyGemspecAnalyzer.
    Author:
    Bianca Jiang (https://twitter.com/biancajiang)
    • Field Detail

      • DEPENDENCY_ECOSYSTEM

        public static final java.lang.String DEPENDENCY_ECOSYSTEM
        A descriptor for the type of dependencies processed or added by this analyzer.
        See Also:
        Constant Field Values
    • Constructor Detail

      • RubyBundlerAnalyzer

        public RubyBundlerAnalyzer()
    • Method Detail

      • getName

        public java.lang.String getName()
        Returns the name of the analyzer.
        Specified by:
        getName in interface Analyzer
        Overrides:
        getName in class RubyGemspecAnalyzer
        Returns:
        the name of the analyzer.
      • accept

        public boolean accept(java.io.File pathname)
        Only accepts *.gemspec files generated by "bundle install --deployment" under the "specifications" folder.
        Specified by:
        accept in interface java.io.FileFilter
        Overrides:
        accept in class AbstractFileTypeAnalyzer
        Parameters:
        pathname - the path name to test
        Returns:
        true if the analyzer can process the given file; otherwise false
      • analyzeDependency

        protected void analyzeDependency(Dependency dependency,
                                         Engine engine)
                                  throws AnalysisException
        Description copied from class: AbstractAnalyzer
        Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned, and added to the list of dependencies within the engine.
        Overrides:
        analyzeDependency in class RubyGemspecAnalyzer
        Parameters:
        dependency - the dependency to analyze
        engine - the engine scanning
        Throws:
        AnalysisException - thrown if there is an analysis exception
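The following Ruby snippet is an added illustration of the two points made above (the class description and the accept() rule); it is not code from the analyzer or its project. It assumes constructed gemspec contents and a simple regex scan in place of the analyzer's own parsing, and shows why a bundler-generated .gemspec under "specifications" yields usable evidence while a source .gemspec with variable attributes does not.

```ruby
require "pathname"

# Constructed sample gemspec contents (not taken from any real gem). The source
# copy uses a Ruby constant for the version; the bundler-generated copy that
# lands under specifications/ has every attribute resolved to a literal.
SOURCE_GEMSPEC = <<~GEMSPEC
  Gem::Specification.new do |s|
    s.name    = "example-gem"
    s.version = ExampleGem::VERSION
    s.license = "MIT"
  end
GEMSPEC

BUNDLER_GEMSPEC = <<~GEMSPEC
  Gem::Specification.new do |s|
    s.name    = "example-gem".freeze
    s.version = "1.2.3"
    s.license = "MIT".freeze
  end
GEMSPEC

# Mirrors the accept() rule described above: a *.gemspec file whose parent
# directory is "specifications" (as written by `bundle install --deployment`).
def bundler_gemspec?(path)
  p = Pathname.new(path)
  p.extname == ".gemspec" && p.dirname.basename.to_s == "specifications"
end

# Extract name/version/license as evidence. Only a string literal is usable;
# an unresolved expression such as ExampleGem::VERSION is reported as nil so
# it cannot be turned into misleading evidence for vulnerability matching.
def evidence(gemspec_text)
  fields = {}
  gemspec_text.each_line do |line|
    next unless line =~ /^\s*s\.(name|version|license)\s*=\s*(.+?)\s*$/
    field, value = $1, $2
    fields[field.to_sym] =
      if value =~ /\A"([^"]*)"(?:\.freeze)?\z/
        $1          # resolved literal: usable evidence
      end           # anything else is an unresolved Ruby expression -> nil
  end
  fields
end
```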