
Commit 8b7b4bc

AlexLarochecuixq
andauthored
feat: Add support for gems.locked (#1987)
This PR adds support for `gems.locked`. --------- Co-authored-by: Xueqin Cui <72771658+cuixq@users.noreply.github.com>
1 parent ebdab87 commit 8b7b4bc

5 files changed

Lines changed: 100 additions & 1 deletion


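--- a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
+++ b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
@@ -3340,6 +3340,23 @@ Scanned <rootdir>/fixtures/locks-scalibr/depsjson file as a deps.json and found
 
 ---
 
+[TestCommand_MoreLockfiles/gems.locked - 1]
+Scanned <rootdir>/fixtures/locks-scalibr/gems.locked file and found 25 packages
++-------------------------------------+------+-----------+----------+---------+------------------------------------+
+| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
++-------------------------------------+------+-----------+----------+---------+------------------------------------+
+| https://osv.dev/GHSA-9m3q-rhmv-5q44 | 7.5 | RubyGems | json | 2.10.1 | fixtures/locks-scalibr/gems.locked |
+| https://osv.dev/GHSA-5w6v-399v-w3cc | | RubyGems | nokogiri | 1.18.2 | fixtures/locks-scalibr/gems.locked |
+| https://osv.dev/GHSA-mrxw-mxhj-p664 | 7.8 | RubyGems | nokogiri | 1.18.2 | fixtures/locks-scalibr/gems.locked |
+| https://osv.dev/GHSA-vvfq-8hwr-qm4m | | RubyGems | nokogiri | 1.18.2 | fixtures/locks-scalibr/gems.locked |
++-------------------------------------+------+-----------+----------+---------+------------------------------------+
+
+---
+
+[TestCommand_MoreLockfiles/gems.locked - 2]
+
+---
+
 [TestCommand_MoreLockfiles/packages.config - 1]
 Scanned <rootdir>/fixtures/locks-scalibr/packages.config file and found 2 packages
 No issues found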

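--- a/cmd/osv-scanner/scan/source/command_test.go
+++ b/cmd/osv-scanner/scan/source/command_test.go
@@ -925,6 +925,11 @@ func TestCommand_MoreLockfiles(t *testing.T) {
 Args: []string{"", "source", "-L", "./fixtures/locks-scalibr/packages.lock.json"},
 Exit: 0,
 },
+{
+Name: "gems.locked",
+Args: []string{"", "source", "-L", "./fixtures/locks-scalibr/gems.locked"},
+Exit: 1,
+},
 /*
 {
 name: "Package.resolved",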
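Review bot: The new case is the only one in this stretch with `Exit: 1`, and nothing in the test says why; a short comment would spare the next reader a trip to the snapshot, e.g. `// fixture pins json 2.10.1 and nokogiri 1.18.2, which have published advisories, so the scan exits non-zero`. Because the expected output lists specific GHSA IDs and CVSS scores, the snapshot appears to depend on the advisory data available when the test runs and may need regenerating as new RubyGems advisories are published, which is worth stating if the case is meant to exercise only lockfile parsing. The enclosing slice literal and TestCommand_MoreLockfiles start before the hunk.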
Lines changed: 76 additions & 0 deletions
@@ -0,0 +1,76 @@
1+
PATH
2+
remote: ..
3+
specs:
4+
rubydns (2.0.2)
5+
async-dns (~> 1.0)
6+
7+
GEM
8+
remote: https://rubygems.org/
9+
specs:
10+
async (2.23.0)
11+
console (~> 1.29)
12+
fiber-annotation
13+
io-event (~> 1.9)
14+
metrics (~> 0.12)
15+
traces (~> 0.15)
16+
async-dns (1.4.1)
17+
async
18+
io-endpoint
19+
async-http (0.87.0)
20+
async (>= 2.10.2)
21+
async-pool (~> 0.9)
22+
io-endpoint (~> 0.14)
23+
io-stream (~> 0.6)
24+
metrics (~> 0.12)
25+
protocol-http (~> 0.49)
26+
protocol-http1 (~> 0.30)
27+
protocol-http2 (~> 0.22)
28+
traces (~> 0.10)
29+
async-pool (0.10.3)
30+
async (>= 1.25)
31+
console (1.29.2)
32+
fiber-annotation
33+
fiber-local (~> 1.1)
34+
json
35+
fiber-annotation (0.2.0)
36+
fiber-local (1.1.0)
37+
fiber-storage
38+
fiber-storage (1.0.0)
39+
geoip (1.6.4)
40+
io-endpoint (0.15.1)
41+
io-event (1.9.0)
42+
io-stream (0.6.1)
43+
json (2.10.1)
44+
metrics (0.12.1)
45+
nokogiri (1.18.2-arm64-darwin)
46+
racc (~> 1.4)
47+
nokogiri (1.18.2-x86_64-linux-gnu)
48+
racc (~> 1.4)
49+
process-daemon (1.0.1)
50+
rainbow (~> 2.0)
51+
protocol-hpack (1.5.1)
52+
protocol-http (0.49.0)
53+
protocol-http1 (0.30.0)
54+
protocol-http (~> 0.22)
55+
protocol-http2 (0.22.1)
56+
protocol-hpack (~> 1.4)
57+
protocol-http (~> 0.47)
58+
racc (1.8.1)
59+
rainbow (2.2.2)
60+
rake
61+
rake (13.2.1)
62+
traces (0.15.2)
63+
64+
PLATFORMS
65+
arm64-darwin-21
66+
x86_64-linux
67+
68+
DEPENDENCIES
69+
async-http
70+
geoip
71+
nokogiri
72+
process-daemon
73+
rubydns!
74+
75+
BUNDLED WITH
76+
2.6.2

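--- a/docs/supported_languages_and_lockfiles.md
+++ b/docs/supported_languages_and_lockfiles.md
@@ -57,7 +57,7 @@ When scanning source code (`osv-scanner scan source ...`), OSV-Scanner automatic
 | PHP | `composer.lock` |
 | Python | `Pipfile.lock`<br>`poetry.lock`<br>`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)<br>`pdm.lock`<br>`uv.lock` |
 | R | `renv.lock` |
-| Ruby | `Gemfile.lock` |
+| Ruby | `Gemfile.lock`<br>`gems.locked` |
 | Rust | `Cargo.lock` |
 
 ## C/C++ scanning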

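--- a/pkg/osvscanner/internal/scanners/lockfile.go
+++ b/pkg/osvscanner/internal/scanners/lockfile.go
@@ -67,6 +67,7 @@ var lockfileExtractorMapping = map[string][]string{
 "go.mod": {gomod.Name},
 "bun.lock": {bunlock.Name},
 "Gemfile.lock": {gemfilelock.Name},
+"gems.locked": {gemfilelock.Name},
 "cabal.project.freeze": {cabal.Name},
 "stack.yaml.lock": {stacklock.Name},
 // "Package.resolved": {packageresolved.Name},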
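Review bot: The new `"gems.locked"` entry deserves a one-line comment explaining why it reuses the Gemfile.lock extractor, since nothing in the map says the two names share a format: `// gems.locked is Bundler's lockfile name when the Gemfile is named gems.rb; same format as Gemfile.lock.` The mapping is keyed on the exact basename, so a gems.locked file is only routed to the extractor by this entry; if the gemfilelock extractor also applies its own filename check, confirm it does not reject the new name (not visible in this hunk). The enclosing map literal starts before the hunk.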
