Add Ruby Gemspec support

[RTann]

Background

ACS's scanner supports scanning Ruby Gemspec files for vulnerabilities. ACS is looking to add this ability to ClairCore.

ClairCore now has the ability to obtain language-specific vulnerability data from OSV. OSV's database includes Ruby data, so ClairCore has a datasource for Ruby packages.

Proposal

ACS's Ruby Gemspec scanning support is pretty straightforward. Simply look for a regular file whose path adheres to the following regexp: ".*specifications/.*\.gemspec".

An example file is as follows:

Gem::Specification.new do |s|
  s.name        = 'example'
  s.version     = '0.1.0'
  s.licenses    = ['MIT']
  s.summary     = "This is an example!"
  s.description = "Much longer explanation of the example!"
  s.authors     = ["Ruby Coder"]
  s.email       = '[email protected]'
  s.files       = ["lib/example.rb"]
  s.homepage    = 'https://rubygems.org/gems/example'
  s.metadata    = { "source_code_uri" => "https://github.com/example/example" }
end

We simply care about name and version, both of which are required fields. Once those are determined, we may determine the related vulnerabilities by matching the package name, version, and repository ("https://rubygems.org/gems/").

[RTann]

Created https://issues.redhat.com/browse/PROJQUAY-5100 to track this request.

[hdonnay]

Is this arbitrary ruby, or is it line-oriented? I guess what I'm really asking is: how much of a ruby parser we need?

[RTann]

I haven't written Ruby since I did the Codecademy course 12 years ago, but this tells me Ruby is line-oriented, so I believe we'd just need to scan the file line-by-line.

ACS uses the following regexps:

nameRegexp    = regexp.MustCompile(`^.*\.name *= *(.*)$`)
versionRegexp = regexp.MustCompile(`^.*\.version *= *(.*)$`)

I see Trivy also has Gemspec support and uses these two regexps:

// Capture the value of "name"
// e.g. s.name = "async".freeze
//      => "async".freeze
nameRegexp = regexp.MustCompile(`\.name\s*=\s*(?P<name>\S+)`)

// Capture the value of "version"
// e.g. s.version = "1.2.3"
//      => "1.2.3"
versionRegexp = regexp.MustCompile(`\.version\s*=\s*(?P<version>\S+)`)

[hdonnay]

Okay, I refuse to re-inflict the braindamage of reading parse.y on myself again, so line-oriented sounds good. We can handle a line escape if it comes up.

[RTann]

Started a draft PR: #836

[RTann]

This was completed in #836