Syft missing direct dependencies from the gemfile.lock #1660

diptanshumittal · 2023-03-09T09:15:41Z

What happened:
Used Syft tool for the following gemfile.lock and the output received was missing dependencies.

diptanshu-macbookpro:google-cloud-firestore diptanshu$ cat gemfile.lock
PATH
  remote: ../google-cloud-core
  specs:
    google-cloud-core (1.6.0)
      google-cloud-env (~> 1.0)
      google-cloud-errors (~> 1.0)

PATH
  remote: ../google-cloud-errors
  specs:
    google-cloud-errors (1.3.0)

PATH
  remote: ../google-cloud-firestore-v1
  specs:
    google-cloud-firestore-v1 (0.8.0)
      gapic-common (>= 0.16.0, < 2.a)
      google-cloud-errors (~> 1.0)
      google-cloud-location (>= 0.3, < 2.a)

PATH
  remote: .
  specs:
    google-cloud-firestore (2.8.0)
      concurrent-ruby (~> 1.0)
      google-cloud-core (~> 1.5)
      google-cloud-firestore-v1 (~> 0.0)
      rbtree (~> 0.4.2)

GEM
  remote: https://rubygems.org/
  specs:
    addressable (2.8.1)
      public_suffix (>= 2.0.2, < 6.0)
    ast (2.4.2)
    autotest-suffix (1.1.0)
    concurrent-ruby (1.2.2)
    docile (1.4.0)
    faraday (2.7.4)
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
    faraday-net_http (3.0.2)
    faraday-retry (2.0.0)
      faraday (~> 2.0)
    gapic-common (0.17.1)
      faraday (>= 1.9, < 3.a)
      faraday-retry (>= 1.0, < 3.a)
      google-protobuf (~> 3.14)
      googleapis-common-protos (>= 1.3.12, < 2.a)
      googleapis-common-protos-types (>= 1.3.1, < 2.a)
      googleauth (~> 1.0)
      grpc (~> 1.36)
    google-cloud-env (1.6.0)
      faraday (>= 0.17.3, < 3.0)
    google-cloud-location (0.4.0)
      gapic-common (>= 0.17.1, < 2.a)
      google-cloud-errors (~> 1.0)
    google-protobuf (3.22.0)
    google-style (1.26.3)
      rubocop (~> 1.31)
    googleapis-common-protos (1.4.0)
      google-protobuf (~> 3.14)
      googleapis-common-protos-types (~> 1.2)
      grpc (~> 1.27)
    googleapis-common-protos-types (1.5.0)
      google-protobuf (~> 3.14)
    googleauth (1.3.0)
      faraday (>= 0.17.3, < 3.a)
      jwt (>= 1.4, < 3.0)
      memoist (~> 0.16)
      multi_json (~> 1.11)
      os (>= 0.9, < 2.0)
      signet (>= 0.16, < 2.a)
    grpc (1.52.0)
      google-protobuf (~> 3.21)
      googleapis-common-protos-types (~> 1.0)
    json (2.6.3)
    jwt (2.7.0)
    memoist (0.16.2)
    minitest (5.17.0)
    minitest-autotest (1.1.1)
      minitest-server (~> 1.0)
      path_expander (~> 1.0)
    minitest-focus (1.3.1)
      minitest (>= 4, < 6)
    minitest-rg (5.2.0)
      minitest (~> 5.0)
    minitest-server (1.0.7)
      minitest (~> 5.16)
    multi_json (1.15.0)
    os (1.1.4)
    parallel (1.22.1)
    parser (3.2.1.0)
      ast (~> 2.4.1)
    path_expander (1.1.1)
    public_suffix (5.0.1)
    rainbow (3.1.1)
    rake (13.0.6)
    rbtree (0.4.6)
    redcarpet (3.6.0)
    regexp_parser (2.7.0)
    rexml (3.2.5)
    rubocop (1.46.0)
      json (~> 2.3)
      parallel (~> 1.10)
      parser (>= 3.2.0.0)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
      rubocop-ast (>= 1.26.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
    rubocop-ast (1.26.0)
      parser (>= 3.2.1.0)
    ruby-progressbar (1.11.0)
    ruby2_keywords (0.0.5)
    signet (0.17.0)
      addressable (~> 2.8)
      faraday (>= 0.17.5, < 3.a)
      jwt (>= 1.5, < 3.0)
      multi_json (~> 1.10)
    simplecov (0.22.0)
      docile (~> 1.1)
      simplecov-html (~> 0.11)
      simplecov_json_formatter (~> 0.1)
    simplecov-html (0.12.3)
    simplecov_json_formatter (0.1.4)
    stackprof (0.2.23)
    unicode-display_width (2.4.2)
    webrick (1.7.0)
    yard (0.9.28)
      webrick (~> 1.7.0)
    yard-doctest (0.1.17)
      minitest
      yard

PLATFORMS
  ruby

DEPENDENCIES
  autotest-suffix (~> 1.1)
  google-cloud-core!
  google-cloud-errors!
  google-cloud-firestore!
  google-cloud-firestore-v1!
  google-style (~> 1.26.1)
  minitest (~> 5.16)
  minitest-autotest (~> 1.0)
  minitest-focus (~> 1.1)
  minitest-rg (~> 5.2)
  rake
  redcarpet (~> 3.0)
  simplecov (~> 0.9)
  stackprof
  yard (~> 0.9)
  yard-doctest (~> 0.1.13)

BUNDLED WITH
   2.2.33
diptanshu-macbookpro:google-cloud-firestore diptanshu$ syft .
 ✔ Indexed .               
 ✔ Cataloged packages      [50 packages]

NAME                            VERSION  TYPE 
addressable                     2.8.1    gem   
ast                             2.4.2    gem   
autotest-suffix                 1.1.0    gem   
concurrent-ruby                 1.2.2    gem   
docile                          1.4.0    gem   
faraday                         2.7.4    gem   
faraday-net_http                3.0.2    gem   
faraday-retry                   2.0.0    gem   
gapic-common                    0.17.1   gem   
google-cloud-env                1.6.0    gem   
google-cloud-location           0.4.0    gem   
google-protobuf                 3.22.0   gem   
google-style                    1.26.3   gem   
googleapis-common-protos        1.4.0    gem   
googleapis-common-protos-types  1.5.0    gem   
googleauth                      1.3.0    gem   
grpc                            1.52.0   gem   
json                            2.6.3    gem   
jwt                             2.7.0    gem   
memoist                         0.16.2   gem   
minitest                        5.17.0   gem   
minitest-autotest               1.1.1    gem   
minitest-focus                  1.3.1    gem   
minitest-rg                     5.2.0    gem   
minitest-server                 1.0.7    gem   
multi_json                      1.15.0   gem   
os                              1.1.4    gem   
parallel                        1.22.1   gem   
parser                          3.2.1.0  gem   
path_expander                   1.1.1    gem   
public_suffix                   5.0.1    gem   
rainbow                         3.1.1    gem   
rake                            13.0.6   gem   
rbtree                          0.4.6    gem   
redcarpet                       3.6.0    gem   
regexp_parser                   2.7.0    gem   
rexml                           3.2.5    gem   
rubocop                         1.46.0   gem   
rubocop-ast                     1.26.0   gem   
ruby-progressbar                1.11.0   gem   
ruby2_keywords                  0.0.5    gem   
signet                          0.17.0   gem   
simplecov                       0.22.0   gem   
simplecov-html                  0.12.3   gem   
simplecov_json_formatter        0.1.4    gem   
stackprof                       0.2.23   gem   
unicode-display_width           2.4.2    gem   
webrick                         1.7.0    gem   
yard                            0.9.28   gem   
yard-doctest                    0.1.17   gem

What you expected to happen:
Output should have included gems with local remote, i.e. google-cloud-firestore-v1

Environment:

Output of syft version:

 Application:        syft
 Version:            0.73.0
 JsonSchemaVersion:  7.0.0
 BuildDate:          2023-02-22T19:08:35Z
 GitCommit:          aa151da5fe2a1b11502c852fd2d3ad462c1d245f
 GitDescription:     [not provided]
 Platform:           darwin/arm64
 GoVersion:          go1.20.1
 Compiler:           gc

OS (e.g: cat /etc/os-release or similar): macOS 13.2.1 (22D68)

The text was updated successfully, but these errors were encountered:

tgerla · 2023-03-09T21:35:26Z

Hi @diptanshumittal, thanks for the issue. We believe our gemfile.lock parser is only looking under the "GEM" section. We will take a look and see how to fix this. If you are interested in taking a look at the code and working on a fix yourself, we would be happy to help.

wagoodman · 2023-03-09T22:22:54Z

Note for anyone interested in contributing a PR, the bundler lockfile parser source might be a pretty good reference for understanding which other sections to additionally include for parsing (instead of just GEM as done today)

- Updated tests to reflect the new sections being added to show they function properly. Closes anchore#1660 Signed-off-by: Shane Dell <shanedell100@gmail.com>

- Updated tests to reflect the new sections being added to show they function properly. Closes #1660 Signed-off-by: Shane Dell <shanedell100@gmail.com>

- Updated tests to reflect the new sections being added to show they function properly. Closes anchore#1660 Signed-off-by: Shane Dell <shanedell100@gmail.com>

diptanshumittal added the bug Something isn't working label Mar 9, 2023

tgerla added this to OSS Mar 9, 2023

tgerla moved this to Backlog in OSS Mar 9, 2023

wagoodman added the good-first-issue Good for newcomers label Mar 9, 2023

shanedell mentioned this issue Apr 18, 2023

Add sections of interest for Gemfile.lock cataloger #1749

Merged

spiffcs closed this as completed in #1749 Apr 19, 2023

spiffcs pushed a commit that referenced this issue Apr 19, 2023

Add sections of interest for Gemfile.lock cataloger (#1749)

98a6c6e

- Updated tests to reflect the new sections being added to show they function properly. Closes #1660 Signed-off-by: Shane Dell <shanedell100@gmail.com>

github-project-automation bot moved this from Backlog to Done in OSS Apr 19, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Syft missing direct dependencies from the gemfile.lock #1660

Syft missing direct dependencies from the gemfile.lock #1660

diptanshumittal commented Mar 9, 2023

tgerla commented Mar 9, 2023

wagoodman commented Mar 9, 2023

Syft missing direct dependencies from the gemfile.lock #1660

Syft missing direct dependencies from the gemfile.lock #1660

Comments

diptanshumittal commented Mar 9, 2023

tgerla commented Mar 9, 2023

wagoodman commented Mar 9, 2023