feat(gem): 支持在没有.lock文件时扫描gemfile

Author: chenhaoxuan

module/bundler/Gemfile

@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+gem 'activesupport', '6.1.1'
+gem 'elasticsearch-xpack', '7.10.1'
+gem 'fluentd', '1.12.0'
+gem 'fluent-plugin-concat', '2.4.0'
+gem 'fluent-plugin-detect-exceptions', '0.0.13'
+gem 'fluent-plugin-elasticsearch', '4.3.3'
+gem 'fluent-plugin-kubernetes_metadata_filter', '2.6.0'
+gem 'fluent-plugin-multi-format-parser', '1.0.0'
+gem 'fluent-plugin-prometheus', '1.8.5'
+gem 'fluent-plugin-systemd', '1.0.2'
+gem 'oj', '3.11.0'

module/bundler/gem.go

@@ -7,6 +7,7 @@ import (
 	"github.com/murphysecurity/murphysec/utils"
 	"github.com/pkg/errors"
 	"go.uber.org/zap"
+	"os"
 	"path/filepath"
 )
 
@@ -21,7 +22,7 @@ func (Inspector) String() string {
 }
 
 func (Inspector) CheckDir(ctx context.Context, dir string) bool {
-	return utils.IsFile(filepath.Join(dir, "Gemfile")) && utils.IsFile(filepath.Join(dir, "Gemfile.lock"))
+	return utils.IsFile(filepath.Join(dir, "Gemfile")) || utils.IsFile(filepath.Join(dir, "Gemfile.lock"))
 }
 
 func (Inspector) InspectProject(ctx context.Context) error {
@@ -30,7 +31,30 @@ func (Inspector) InspectProject(ctx context.Context) error {
 	scanDir := task.Dir()
 	gemFile := filepath.Join(scanDir, "Gemfile")
 	gemLockFile := filepath.Join(scanDir, "Gemfile.lock")
-	if !utils.IsFile(gemFile) || !utils.IsFile(gemLockFile) {
+	if utils.IsFile(gemFile) && !utils.IsFile(gemLockFile) {
+		var m gemfile
+		var dep []model.DependencyItem
+		file, _ := os.Open(gemFile)
+		m.Parse(file)
+		for _, j := range m.Gems {
+			dep = append(dep, model.DependencyItem{
+				Component: model.Component{
+					CompName:    j.Name,
+					CompVersion: j.Version,
+					EcoRepo:     EcoRepo,
+				},
+				IsDirectDependency: true,
+			})
+		}
+		task.AddModule(model.Module{
+			PackageManager: "bundler",
+			ModuleName:     "Gemfile",
+			Dependencies:   dep,
+			ModulePath:     gemFile,
+		})
+		return nil
+	}
+	if !utils.IsFile(gemFile) && !utils.IsFile(gemLockFile) {
 		return nil
 	}
 	logger.Debug("Reading Gemfile.lock", zap.String("path", gemLockFile))

module/bundler/gemfile_parser.go

@@ -0,0 +1,85 @@
+package bundler
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"regexp"
+)
+
+type gem struct {
+	Name    string
+	Git     string
+	Version string
+	Tag     string
+	Groups  string
+	Require string
+}
+type gemfile struct {
+	Source string
+	Ruby   string
+	Gems   []*gem
+}
+
+var (
+	// Gem attributes
+	REGEX_GEM            = regexp.MustCompile(`gem\s*['|"](.*?)['|"]`)
+	REGEX_VERSION        = regexp.MustCompile(`,\s*["|'](.*?)['|"]`)
+	REGEX_GIT            = regexp.MustCompile(`git:\s*["|'](.*?)['|"]`)
+	REGEX_TAG            = regexp.MustCompile(`tag:\s*["|'](.*?)['|"]`)
+	REGEX_REQUIRE_STRING = regexp.MustCompile(`require:\s*["|'](.*?)['|"]`)
+	REGEX_REQUIRE_BOOL   = regexp.MustCompile(`require:\s*(false|true)`)
+	// Gemfile header
+	REGEX_SOURCE = regexp.MustCompile(`source\s*['|"](.*?)['|"]`)
+	REGEX_RUBY   = regexp.MustCompile(`ruby\s*['|"](.*?)['|"]`)
+	// Gem Groups
+	REGEX_GROUP     = regexp.MustCompile(`group\s(.*?)\sdo`)
+	REGEX_END_GROUP = regexp.MustCompile(`^end$`)
+)
+
+func (gf *gemfile) Parse(file io.Reader) {
+	scanner := bufio.NewScanner(file)
+	gf.parseGemfile(scanner, "")
+}
+
+func (gf *gemfile) parseGemfile(scanner *bufio.Scanner, groups string) {
+	for scanner.Scan() {
+		line := scanner.Text()
+		gem := gem{}
+
+		if REGEX_RUBY.MatchString(line) {
+			gf.Ruby = REGEX_RUBY.FindStringSubmatch(line)[1]
+		}
+		if REGEX_SOURCE.MatchString(line) {
+			gf.Source = REGEX_SOURCE.FindStringSubmatch(line)[1]
+		}
+		if REGEX_GEM.MatchString(line) {
+			gem.Name = REGEX_GEM.FindStringSubmatch(line)[1]
+		}
+		if REGEX_VERSION.MatchString(line) {
+			gem.Version = REGEX_VERSION.FindStringSubmatch(line)[1]
+		}
+		if REGEX_GIT.MatchString(line) {
+			gem.Git = REGEX_GIT.FindStringSubmatch(line)[1]
+		}
+		if REGEX_TAG.MatchString(line) {
+			gem.Tag = REGEX_TAG.FindStringSubmatch(line)[1]
+		}
+		if REGEX_GROUP.MatchString(line) {
+			gf.parseGemfile(scanner, REGEX_GROUP.FindStringSubmatch(line)[1])
+		}
+		if REGEX_REQUIRE_STRING.MatchString(line) {
+			gem.Require = fmt.Sprintf(`"%s"`, REGEX_REQUIRE_STRING.FindStringSubmatch(line)[1])
+		}
+		if REGEX_REQUIRE_BOOL.MatchString(line) {
+			gem.Require = REGEX_REQUIRE_BOOL.FindStringSubmatch(line)[1]
+		}
+		if REGEX_END_GROUP.MatchString(line) && groups != "" {
+			gf.parseGemfile(scanner, "")
+		}
+		if gem.Name != "" {
+			gem.Groups = groups
+			gf.Gems = append(gf.Gems, &gem)
+		}
+	}
+}

module/bundler/gemlock_parser_test.go

@@ -2,7 +2,9 @@ package bundler
 
 import (
 	_ "embed"
+	"fmt"
 	"github.com/stretchr/testify/assert"
+	"os"
 	"testing"
 )
 
@@ -35,3 +37,11 @@ DEPENDENCIES
 	assert.NoError(t, e)
 	t.Log(tree)
 }
+func TestParseGem(t *testing.T) {
+	var m gemfile
+	file, _ := os.Open("E:\\Desktop\\kubernetes-1.22.1\\cluster\\addons\\fluentd-elasticsearch\\fluentd-es-image\\Gemfile")
+	m.Parse(file)
+	for _, m := range m.Gems {
+		fmt.Printf("%s :%s \n", m.Name, m.Version)
+	}
+}