
Report vulnerable dependency paths for Bundler (Ruby)

Problem to solve

Dependency Scanning should report the dependency paths for vulnerable dependencies found in Ruby projects using Bundler, so that these paths can be shown in the UI, including in the dependency list. See #227620 (closed)

Proposal

Update the Gemfile.lock parser for this package manager so that it builds the dependency graph (which gem requires which) rather than only listing the resolved gems, since the dependency paths are derived from that graph.

Implementation plan

This depends on Migrate existing lock file parsers to new Depen... (#474314 - closed)

Permissions and Security

N/A

Documentation

Dependency Path support for this particular package manager should be documented in Dependency Scanning documentation.

Availability & Testing

To be tested automatically as part of QA for the analyzer project, by checking that the generated report contains the expected dependency paths for a Bundler test project.

What does success look like, and how can we measure that?

The analyzer reports the dependency paths of the vulnerable dependencies for projects using this package manager.

What is the type of buyer?

GitLab Ultimate

Links / references

How to extract the dependency tree from Gemfile.lock

Bundler writes the resolved graph to Gemfile.lock (the Gemfile itself only lists the direct requirements), so the parser works on the lock file, in the following steps:

  1. Find the main dependencies
    Look for the DEPENDENCIES section. Each line (indented 2 spaces) names a gem the project depends on directly, optionally followed by its version requirement in parentheses; a trailing "!" marks a gem that comes from a non-default source such as git or a local path.

  2. Find sub-dependencies

    In the GEM section, the gems and their sub-dependencies are listed under "specs:" with indentation:

    • 4 spaces indicate a resolved gem, i.e. a node of the graph (direct or transitive).
    • 6 spaces indicate a "sub-dependency" of the gem directly above it.

    Example (shortened) Gemfile.lock fragment:

    GEM
      remote: https://rubygems.org/
      specs:
        rails (7.0.0)
          actionpack (= 7.0.0)
          activerecord (= 7.0.0)
        nokogiri (1.13.0)
          racc (~> 1.4)

    GIT and PATH sections contain a "specs:" block with the same layout and must be parsed as well, otherwise gems installed from git or a local path are missing from the graph.

  3. Get the "real" (installed) version of sub-dependencies

    A 6-space line only carries the version requirement declared by the parent (for example "(= 7.0.0)" or "(~> 1.4)"), not the version that was installed. The installed version is on that gem's own 4-space line, so the whole specs list is scanned to resolve each sub-dependency name to its version. Platform-specific entries such as "nokogiri (1.13.0-x86_64-linux)" repeat the same gem with a platform suffix after the version; the suffix has to be stripped (Bundler's own lock file parser splits at the first "-") so that the lookup yields one version per gem.

  4. Build the tree
    Connect the relationships, showing which gems depend on which. Store this as a map where each "parent" gem points to its "child" dependencies; the dependency path of a vulnerable gem is then the chain from a DEPENDENCIES entry down to that gem, which is what the report needs to carry.
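Worked example of the four steps above, added here for illustration (it is not code from the analyzer, from GitLab or from Bundler). It parses a constructed Gemfile.lock into a graph and reports every path from a direct dependency down to a given gem, rendered as name@installed-version hops. The class name LockfileGraph and the sample lock file are assumptions made for this example; it also goes slightly beyond the steps as written by reading the "specs:" block of GIT and PATH sections and by collapsing platform-suffixed entries onto one version.

```ruby
require "set"

# Constructed sample Gemfile.lock for this example; not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.0.0)
        rack (~> 2.2)
      activerecord (7.0.0)
      nokogiri (1.13.0)
        racc (~> 1.4)
      nokogiri (1.13.0-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)
      rack (2.2.3)
      rails (7.0.0)
        actionpack (= 7.0.0)
        activerecord (= 7.0.0)

  PLATFORMS
    ruby
    x86_64-linux

  DEPENDENCIES
    nokogiri (>= 1.13)
    rails (~> 7.0)

  BUNDLED WITH
     2.3.7
LOCK

# Hypothetical class (neither Bundler's nor the analyzer's): builds the graph from a lock file.
class LockfileGraph
  # 4 spaces: a resolved gem. Like Bundler's parser, "version-platform" is split at
  # the first "-" so platform-specific entries collapse onto the same version.
  SPEC_LINE   = /\A {4}(\S+) \(([^-)]+)(?:-[^)]*)?\)\s*\z/
  # 6 spaces: a requirement on another gem. The constraint in parentheses is NOT the
  # installed version, so it is ignored and resolved through specs later (step 3).
  DEP_LINE    = /\A {6}(\S+)(?: \([^)]*\))?\s*\z/
  # 2 spaces under DEPENDENCIES: "name", "name (requirement)" or "name!" (non-default source).
  DIRECT_LINE = /\A {2}(\S+?)(?: \([^)]*\))?!?\s*\z/

  attr_reader :direct, :specs

  def initialize(text)
    @direct = []   # step 1: names listed under DEPENDENCIES
    @specs  = {}   # name => { version: "x.y.z", deps: Set of gem names }
    parse(text)
  end

  # Steps 3 and 4: every path from a direct dependency down to `target`,
  # each hop rendered as name@installed_version.
  def paths_to(target)
    found = []
    @direct.each { |root| walk(root, target, [], found) }
    found
  end

  private

  def parse(text)
    section = nil
    in_specs = false
    current = nil
    text.each_line do |raw|
      line = raw.chomp
      next if line.strip.empty?
      unless line.start_with?(" ")          # an unindented line opens a new section
        section = line.strip
        in_specs = false
        next
      end
      case section
      when "GEM", "GIT", "PATH"             # all three carry a "specs:" block
        if line == "  specs:"
          in_specs = true
        elsif in_specs && (m = SPEC_LINE.match(line))
          current = (@specs[m[1]] ||= { version: m[2], deps: Set.new })
        elsif in_specs && current && (m = DEP_LINE.match(line))
          current[:deps] << m[1]
        end
      when "DEPENDENCIES"
        m = DIRECT_LINE.match(line)
        @direct << m[1] if m
      end
    end
  end

  def walk(name, target, trail, found)
    return if trail.include?(name)          # guard against dependency cycles
    spec = @specs[name]
    return unless spec                      # e.g. "bundler" may be listed without a spec
    trail += [name]
    if name == target
      found << trail.map { |n| "#{n}@#{@specs[n][:version]}" }.join(" > ")
      return
    end
    spec[:deps].each { |dep| walk(dep, target, trail, found) }
  end
end

if __FILE__ == $PROGRAM_NAME
  graph = LockfileGraph.new(SAMPLE_LOCK)
  puts graph.paths_to("rack")   # rails@7.0.0 > actionpack@7.0.0 > rack@2.2.3
end
```

Running the file prints the single path leading to rack; asking for a gem that is itself listed under DEPENDENCIES yields a one-hop path, and a gem absent from specs yields none. Inside a Ruby process the same data is available from Bundler's own Bundler::LockfileParser, whose specs expose name, version and dependencies; the hand-written parser shows what that class does with the 2/4/6-space layout.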

Edited by Joey Khabie