Class RubyBundlerAnalyzer

All Implemented Interfaces:
FileFilter, Analyzer, FileTypeAnalyzer

@ThreadSafe public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer
This analyzer accepts the fully resolved .gemspec created by the Ruby bundler (http://bundler.io) for better evidence results. It also tries to resolve the dependency packagePath to where the gem is actually installed. Then, during the AnalysisPhase.PRE_FINDING_ANALYSIS phase, DependencyMergingAnalyzer will merge two .gemspec dependencies together if their Dependency.getPackagePath() values are the same. Ruby bundler creates new .gemspec files under a folder called "specifications" at deploy time, in addition to the original .gemspec files from source. The bundler-generated .gemspec files always contain fully resolved attributes and thus provide more accurate evidence, whereas the original .gemspec from source often contains variables for attributes that can't be used as evidence. Note that this analyzer shares the same Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED setting as RubyGemspecAnalyzer, so it is enabled/disabled together with RubyGemspecAnalyzer.
Author:
Bianca Jiang (https://twitter.com/biancajiang)
  • Field Details

    • DEPENDENCY_ECOSYSTEM

      public static final String DEPENDENCY_ECOSYSTEM
      A descriptor for the type of dependencies processed or added by this analyzer.
  • Constructor Details

    • RubyBundlerAnalyzer

      public RubyBundlerAnalyzer()
  • Method Details

    • getName

      public String getName()
      Returns the name of the analyzer.
      Specified by:
      getName in interface Analyzer
      Overrides:
      getName in class RubyGemspecAnalyzer
      Returns:
      the name of the analyzer.
    • accept

      public boolean accept(File pathname)
      Only accepts *.gemspec files generated by "bundle install --deployment" under the "specifications" folder.
      Specified by:
      accept in interface FileFilter
      Overrides:
      accept in class AbstractFileTypeAnalyzer
      Parameters:
      pathname - the path name to test
      Returns:
      true if the analyzer can process the given file; otherwise false
    • analyzeDependency

      protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException
      Description copied from class: AbstractAnalyzer
      Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned, and added to the list of dependencies within the engine.
      Overrides:
      analyzeDependency in class RubyGemspecAnalyzer
      Parameters:
      dependency - the dependency to analyze
      engine - the engine scanning
      Throws:
      AnalysisException - thrown if there is an analysis exception
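A stand-alone Java sketch, added here and not part of dependency-check, of the two behaviours this page describes: the accept rule for bundler-generated gemspecs, and why a fully resolved gemspec yields usable evidence where a source gemspec that assigns attributes from Ruby constants does not. The literalEvidence helper, its regex, the sample gemspec text and the sample paths are all constructed for this example.

```java
import java.io.File;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Illustration only; does not use the dependency-check API.
public class BundlerGemspecDemo {

    // Mirrors the documented accept() rule: a *.gemspec file whose parent
    // directory is named "specifications" (where bundler writes resolved specs).
    static boolean acceptBundlerGemspec(File pathname) {
        File parent = pathname.getParentFile();
        return pathname.getName().endsWith(".gemspec")
                && parent != null
                && "specifications".equals(parent.getName());
    }

    // Matches lines such as `s.name = "demo"` or `s.version = Demo::VERSION`.
    private static final Pattern ATTR = Pattern.compile(
            "^\\s*\\w+\\.(name|version|homepage)\\s*=\\s*(.+?)\\s*$", Pattern.MULTILINE);

    // Returns attribute -> literal value. Attributes assigned from a Ruby
    // expression (constant, variable, method call) are skipped: a source
    // gemspec's `Demo::VERSION` cannot be used as evidence, while the
    // bundler-generated spec carries the resolved string literal.
    static Map<String, String> literalEvidence(String gemspec) {
        Map<String, String> out = new LinkedHashMap<>();
        Matcher m = ATTR.matcher(gemspec);
        while (m.find()) {
            String raw = m.group(2).replace(".freeze", "");
            boolean quoted = raw.length() >= 2
                    && ((raw.startsWith("\"") && raw.endsWith("\""))
                        || (raw.startsWith("'") && raw.endsWith("'")));
            if (quoted) {
                out.put(m.group(1), raw.substring(1, raw.length() - 1));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a source gemspec and its bundler-resolved form.
        String fromSource = "Gem::Specification.new do |s|\n  s.name = \"demo\"\n  s.version = Demo::VERSION\nend\n";
        String fromBundler = "Gem::Specification.new do |s|\n  s.name = \"demo\".freeze\n  s.version = \"1.2.3\"\nend\n";
        System.out.println(acceptBundlerGemspec(new File("vendor/bundle/ruby/3.2.0/specifications/demo-1.2.3.gemspec")));
        System.out.println(acceptBundlerGemspec(new File("demo.gemspec")));
        System.out.println(literalEvidence(fromSource));
        System.out.println(literalEvidence(fromBundler));
    }
}
```

Only the resolved spec produces a version entry in the map, which is the gap the page's "more accurate evidence" remark refers to.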