Ruby
Ruby is a widely used open-source programming language. Endor Labs supports scanning and monitoring of Ruby projects.
Using Endor Labs, developers can:
- Test their software for potential issues and violations of organizational policy
- Prioritize vulnerabilities in the context of their applications
- Understand the relationships between software components in their applications
Software prerequisites
The following prerequisites must be fulfilled:
- All applications monitored by Endor Labs must be on Ruby versions 2.6 or higher.
- A Gemfile or a
*.gemspec
file must be present in your Ruby project. - Make sure your repository includes one or more files with
.rb
extension.
Build Ruby projects
You can choose to build your Ruby projects before running a scan. This will ensure thatgemfile.lock
is created.
Ensure your repository has Gemfile and run the following command making sure it builds the project successfully.
bundler install
If the project is not built, endorctl will build the project during the scan and generate Gemfile.lock
. If the repository includes a Gemfile.lock
, endorctl uses this file for dependency resolution and does not create it again.
Configure Ruby private Gem sources
If you have a private registry and internal dependencies on other projects, you must configure private registries. Endor Labs can fetch the gems that are hosted in a private gem repository which are not available publicly after authenticating the endpoints.
- Sign in to Endor Labs and select Integrations under Manage from the left sidebar.
- From Package Managers, select Ruby Gems and click Manage.
- Click Add Package Manager.
- Enter a package manager URL.
- To enable Endor Labs to authenticate to your registry, select Authenticate to this registry and enter the username and password of your private package manager repository.
- Click Add Package Manager to save your configuration.
Run a scan
Perform a scan to get visibility into your software composition and resolve dependencies.
endorctl scan
You can perform the scan from within the root directory of the Git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.
endorctl scan -o json | tee /path/to/results.json
You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.
Understand the scan process
Endor Labs looks for Gemfile
, *.gemspec
, and Gemfile.lock
files to find and monitor the dependency activity.
- A Gemfile is a configuration file used in Ruby projects to specify the required RubyGems (libraries or packages) for the project’s dependencies.
- A
*.gemspec
file is a RubyGems specification file used to define the metadata and dependencies for a RubyGem. - The
Gemfile.lock
file is automatically generated by Bundler and is used to lock down the specific versions of gems and their dependencies installed in your project’s environment.
If the Gemfile.lock
is not present in your project, Endor Labs generates this file and stores it in a temp directory. The file is deleted after extracting dependency information.
Endor Labs’ dependency resolution mechanism assesses multiple factors, including compatibility, stability, and availability, to determine the most suitable version for usage. The resolved dependency version is used during the build or execution of your Ruby project. By utilizing the dependency graph, you can access significant information regarding the dependencies. This includes determining whether a dependency is direct or transitive, checking its reachability, verifying source availability, and more. The dependency graph provides a visual representation that allows you to examine the graphical details of these dependencies.
Known limitations
- Call graphs are not supported for Ruby projects.
- If a dependency can not be resolved in the Gemfile, building that specific package may not be successful. This package may have been removed from the Gem package manager. Other packages in the workspace are scanned.
Troubleshoot errors
- Unresolved dependency errors:
The Gemfile is not buildable. Try running
bundler install
in the root project to debug this error. - Resolved dependency errors: A version of a dependency does not exist or it cannot be found. It may have been removed from the repository.
Feedback
Was this page helpful?
Thanks for the feedback. Write to us at support@endor.ai to tell us more.
Thanks for the feedback. Write to us at support@endor.ai to tell us more.