Ruby

Learn how to implement Endor Labs in repositories with Ruby packages.

Ruby is a widely used open-source programming language. Endor Labs supports scanning and monitoring of Ruby projects.

Using Endor Labs, application security engineers and developers can:

  • Scan their software for potential security issues and violations of organizational policy.
  • Prioritize vulnerabilities in the context of their applications.
  • Understand the relationships between software components in their applications.

Before you begin, verify the following prerequisites:

  • All applications monitored by Endor Labs must use Ruby 2.6 or later.
  • A Gemfile or a *.gemspec file must be present in the Ruby project.
  • The repository must include one or more files with the .rb extension.

You can build your Ruby project before running a scan. Building first generates the Gemfile.lock file, which pins the exact version of every gem that Bundler resolved.

Ensure the repository has a Gemfile and run the following command from the project root, making sure it completes successfully (bundle install is the equivalent command):

bundler install

If the project has not been built, endorctl builds it during the scan and generates Gemfile.lock. If the repository already includes a Gemfile.lock, endorctl uses that file for dependency resolution and does not regenerate it. Committing Gemfile.lock to the repository therefore makes the scan results reflect the versions your application actually runs, rather than whatever resolves at scan time.

Endor Labs supports fetching and scanning dependencies from private RubyGems package registries. Endor Labs fetches resources from authenticated endpoints and performs the scan, allowing you to view the resolved dependencies and findings. See RubyGems package manager integrations for more information on configuring private registries.

Perform a scan to get visibility into your software composition and resolve dependencies:

endorctl scan

Run the scan from the root directory of the Git repository. To also keep a local copy of the results in a results.json file, emit JSON and pipe it to a file; the results and related analysis information are available in the Endor Labs user interface either way.

endorctl scan -o json | tee /path/to/results.json

Sign in to the Endor Labs user interface, click Projects in the left sidebar, and find your project to review its results. Refer to Endor Labs user interface for more details.

Endor Labs looks for Gemfile, *.gemspec, and Gemfile.lock files to discover and monitor dependencies.

  • A Gemfile is a configuration file in a Ruby project that lists the RubyGems (libraries or packages) the project depends on.
  • A *.gemspec file is a RubyGems specification file that defines the metadata and dependencies of a gem.
  • Gemfile.lock is generated automatically by Bundler and records the exact resolved version of every gem, direct and transitive. Refer to the Bundler documentation for more information about getting started.

If Gemfile.lock is not present in your project, Endor Labs generates it in a temporary directory and deletes it after extracting the dependency information.

Endor Labs' dependency resolution assesses multiple factors, including compatibility, stability, and availability, to determine the most suitable version of each dependency; this is the version your Ruby project uses during build or execution. The resulting dependency graph tells you whether a dependency is direct or transitive, whether it is reachable, whether its source is available, and more. The Endor Labs user interface renders this graph visually so you can examine each dependency and the path by which it was pulled in.

  • Call graphs are not supported for Ruby projects.
  • If a dependency declared in the Gemfile cannot be resolved, the build for that specific package may not succeed; the package may no longer exist in the RubyGems registry. Other packages in the workspace are still scanned.
  • Unresolved dependency errors: the Gemfile is not buildable. Run bundler install in the project root to reproduce and debug the error.
  • Resolved dependency errors: a dependency version does not exist or cannot be found. The package may have been removed from the registry.
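Gemfile.lock is the record from which the direct/transitive classification above is derived, and it is also where a missing or stale dependency first shows up. The following Ruby script is an added example, not Endor Labs or Bundler code: it parses a Gemfile.lock into a dependency graph, labels each gem as direct or transitive with its depth and the gem that pulled it in, checks that every locked version satisfies the constraints declared on it, and reports any dependency with no resolved spec, which is the "cannot be found" case described above. The lockfile content is constructed for the example, loosely modelled on a small sinatra application; yanked-helper is an invented gem name added to model the failure case. Only the Ruby standard library is used.

```ruby
# A resolved gem from a "specs:" block; requirements maps dependency name => constraint.
Spec = Struct.new(:name, :version, :requirements)

# Split "rack (>= 3.0.0, < 4)" or a bare "rack" into [name, constraint].
# Bundler appends "!" to git/path-sourced dependencies; it carries no version.
def split_dep(body)
  body = body.delete_suffix("!")
  m = body.match(/\A(\S+) \((.+)\)\z/)
  m ? [m[1], m[2]] : [body, ">= 0"]
end

# Parse Gemfile.lock text into [specs, direct]:
#   specs  - { name => Spec } for every gem resolved in the GEM/GIT/PATH sections
#   direct - { name => constraint } from DEPENDENCIES (the gems the Gemfile itself declares)
def parse_lockfile(text)
  specs, direct = {}, {}
  section = current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    indent = line[/\A */].size
    body = line.strip
    if indent.zero?              # section header: GEM, GIT, PATH, PLATFORMS, DEPENDENCIES, ...
      section, current = body, nil
      next
    end
    case section
    when "GEM", "GIT", "PATH"    # "remote:"/"specs:" sit at indent 2, each gem at 4, its deps at 6
      if indent == 4
        name, version = body.match(/\A(\S+) \((.+)\)\z/).captures
        current = specs[name] = Spec.new(name, version, {})
      elsif indent == 6 && current
        name, constraint = split_dep(body)
        current.requirements[name] = constraint
      end
    when "DEPENDENCIES"
      name, constraint = split_dep(body)
      direct[name] = constraint
    end
  end
  [specs, direct]
end

# Breadth-first walk from the DEPENDENCIES roots. Returns
#   nodes      - { name => { version:, direct:, depth:, via: } } for every reachable gem
#   unresolved - dependency names with no resolved spec (the "cannot be found" case)
#   conflicts  - [parent, dep, constraint, locked_version] where the locked version does
#                not satisfy a declared constraint (a hand-edited or stale lockfile)
def analyze(specs, direct)
  nodes, unresolved, conflicts = {}, [], []
  queue = direct.map { |name, constraint| [name, 0, nil, constraint] }
  until queue.empty?
    name, depth, parent, constraint = queue.shift
    spec = specs[name]
    if spec.nil?
      unresolved << name
      next
    end
    locked = Gem::Version.new(spec.version)                 # Gem::* comes with RubyGems (stdlib)
    req = Gem::Requirement.new(constraint.split(", "))
    conflicts << [parent, name, constraint, spec.version] unless req.satisfied_by?(locked)
    next if nodes.key?(name)     # first visit wins: direct deps were enqueued at depth 0 first
    nodes[name] = { version: spec.version, direct: depth.zero?, depth: depth, via: parent }
    spec.requirements.each { |dep, c| queue << [dep, depth + 1, name, c] }
  end
  [nodes, unresolved.uniq, conflicts]
end

# Constructed sample lockfile (not produced by Bundler); a real scan reads the repository's
# Gemfile.lock. "yanked-helper" is an invented gem with no spec entry, modelling a dependency
# that can no longer be resolved.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mustermann (3.0.0)
        ruby2_keywords (~> 0.0.1)
      rack (3.0.8)
      rack-protection (4.0.0)
        rack (>= 3.0.0, < 4)
      ruby2_keywords (0.0.5)
      sinatra (4.0.0)
        mustermann (~> 3.0)
        rack (>= 3.0.0, < 4)
        rack-protection (= 4.0.0)
        tilt (~> 2.0)
      tilt (2.3.0)

  DEPENDENCIES
    rack
    sinatra (~> 4.0)
    yanked-helper (= 0.1.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  nodes, unresolved, conflicts = analyze(*parse_lockfile(SAMPLE_LOCK))
  nodes.each { |name, n| puts "#{n[:direct] ? 'direct' : 'transitive'} #{name} #{n[:version]} depth=#{n[:depth]} via=#{n[:via] || '-'}" }
  puts "unresolved: #{unresolved.join(', ')}" unless unresolved.empty?
  conflicts.each { |p, d, c, v| puts "conflict: #{p || 'Gemfile'} wants #{d} #{c}, locked at #{v}" }
end
```

Point parse_lockfile at File.read("Gemfile.lock") in a real repository to get the same view for your own project. The breadth-first walk deliberately enqueues the DEPENDENCIES roots at depth 0 before any transitive edge, so a gem that is both declared in the Gemfile and pulled in by another gem is reported as direct, matching how the lockfile's DEPENDENCIES section defines directness.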