About Ruby SCA Agent-Based Scanning

Veracode Software Composition Analysis

You can find vulnerabilities in your Ruby applications using Veracode Software Composition Analysis agent-based scanning. You can run a scan on Ruby Gem repositories using the agent-based scanning command-line interface or the CI integrations.

For packaging instructions for Veracode Static Analysis and Veracode SCA upload scans, see Packaging Ruby on Rails Applications.

Requirements

Scanning a repository that uses Ruby Gems for package management requires that the code can be built in the environment where you intend to run the scan. The specific requirements depend on the build and package managers in use:

General Requirements

  • Meet the requirements for the Veracode SCA agent.
  • Have Ruby installed on your local path.
  • Include Gemfile in the repository that you plan to scan.
  • If Gemfile.lock does not exist in the project root where you perform scans, you must be able to run the bundle install command from this project root.
  • Have Bundler 1.1.0 or later installed on the local path.
    Note: Scanning vulnerable methods requires Ruby 2.x or later.

Running a Scan

You can use agent-based scanning to scan any code repository to which you have access and that fulfills the requirements above. To demonstrate how to run a scan, you can clone one of the Veracode SCA public Ruby repositories:

git clone https://github.com/srcclr/example-ruby

You can also scan code repositories hosted on Git by using the --url argument with the CLI agent. This guide assumes you have the code stored locally.

Once the code has been cloned to your desktop, point the Veracode SCA CLI agent at the directory of the repository and scan:

# Replace "example-ruby" with the project folder name of your choosing
srcclr scan path/to/example-ruby

To view more verbose output during the scan process, you can add the --loud argument as well:

srcclr scan path/to/example-ruby --loud

The Veracode SCA agent will then parse your Gemfile.lock if it exists; otherwise it runs the following command to identify the dependencies and versions in your project:

bundle install --path vendor/bundle

Once the agent has evaluated the open-source libraries in use, it produces a summary of the scan results that includes counts for total libraries used, vulnerable libraries, the percentage of third-party code, and vulnerable methods in use, as well as a list of the vulnerabilities found.

Configuring Scans

One of the requirements for Veracode SCA agent-based scanning is access to the dependencies being used, and many Ruby repositories require a specific scope or configuration option (for example, specifying the scope of dependencies to analyze). By adding a srcclr.yml file to the directory at which you point the Veracode SCA agent, you can specify scan directives for your Ruby code. The following configuration options can be used within your srcclr.yml for Ruby scanning:

Directive              Description
scope                  Specifies the scope of dependency resolution.
force_bundle_install   If set to true, forces the agent to run bundle install even if Gemfile.lock exists.

Viewing Scan Results

After completing a scan, the bottom of the output in your terminal will include a link to the Veracode Platform to view the scan results in more detail:

Licenses
Unique Library Licenses                     8
Libraries Using GPL                         2
Libraries With No License                   21

Full Report Details               https://sca.analysiscenter.veracode.com/teams/abzs0qx/scans/22679557

Opening this link allows you to view the results of your scan in their entirety.

The scan results are broken down into the following categories:

  • Issues: This category comprises out-of-date libraries, license violations, and vulnerabilities uniquely associated with a specific version of a library within a specific repository.
  • Vulnerabilities: This list represents the set of unique vulnerabilities across a specific project. If multiple libraries in a given project are associated with the same vulnerability, the vulnerability will only appear once in this list.
  • Libraries: This list contains each open-source library that Veracode SCA has identified within a code project. Veracode SCA maintains a database that is kept in sync with Ruby Gems in order to provide the most up-to-date information on your Ruby libraries.
  • Licenses: Licenses allow users to view the software license information associated with each open-source library in use. Veracode SCA maintains license information by keeping in sync with Ruby Gems as described above.

You can find more details on these categories in the Issues, Vulnerabilities, Libraries, and Licenses documentation article.

Fixing Vulnerability Issues

After viewing the scan results, users will likely want to fix the vulnerabilities discovered in their Ruby project. Veracode SCA provides clear instructions for fixing vulnerability issues through the Veracode Platform.

Fixing a Direct Vulnerability

When a library is specifically referenced in your Gemfile (not Gemfile.lock), Veracode SCA refers to the library as a direct dependency. Fixing a vulnerability in a direct dependency using agent-based scanning is simple. Using the open-source project mentioned in the Running a Scan section, navigate to the project scan results within the Veracode Platform and filter down to vulnerability issues that are found only in direct libraries.

After filtering the scan results, you can drill into an issue to find out how to fix it by clicking the issue ID next to the vulnerability name. This brings you to the issue details page, where you will find information on fixing the vulnerability. In general, the best way to fix a vulnerability in a direct dependency is to update the version in use to the version recommended by Veracode SCA. The agent-based scan recommends a version that is not associated with the vulnerability you are subject to, and that also avoids any other vulnerabilities that switching to a different version might introduce. To limit the impact of the update on your code, the recommended version is the one closest to your current version that is still not associated with other vulnerabilities.

Note: Some libraries include vulnerabilities that have not yet been fixed, so Veracode SCA cannot provide a version to update to. In such cases, it is recommended that you either submit a pull request to the unfixed library or use a different library in your code.

As an example, the following provides a fix for a “Cross-site Request Forgery (CSRF)” vulnerability in administrate, version 0.1.4, in the example-ruby repository.

Instructions

  1. Edit the Gemfile file in the root of the project to match the following:
    gem 'administrate', '0.1.5'
  2. Run the following command from your terminal within the project:
    bundle update administrate

Once you have completed these steps, validate the fix.

Fixing a Transitive Vulnerability

Direct dependencies often depend on other libraries, which are referred to as transitive dependencies. Vulnerabilities in transitive dependencies are common because, without a tool such as Veracode SCA to show this information, developers often do not realize that the library they are adding to their project depends on a vulnerable library. Fixing vulnerabilities in transitive dependencies can be difficult because the direct dependency may require a specific version rather than a version range. You can find details on these issues by filtering your issues by Vulnerabilities and leaving the Direct Libraries checkbox unchecked. Transitive vulnerabilities are indicated in the Library column by a smaller arrow icon next to the library name. Selecting the issue number to view the issue details additionally shows the “Type” of the library: either direct or transitive.
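The distinction the agent draws between direct and transitive gems comes straight out of the lockfile it parses (see Running a Scan): gems listed under DEPENDENCIES are the ones named in the Gemfile, everything else under GEM was pulled in by them. The Ruby script below is an added illustration, not Veracode's parser; it reads a constructed Gemfile.lock, classifies each resolved gem, and records which direct gems reach each transitive one, which is the information you need when a transitive fix depends on the pinning gem's version constraints.

```ruby
# Constructed Gemfile.lock (not example-ruby's): Gemfile names administrate and rack.
SAMPLE_LOCK = <<~LOCK
  GEM
      actionpack (4.2.5)
        rack (~> 1.6)
      administrate (0.1.4)
        actionpack (>= 4.2)
      rack (1.6.4)
  DEPENDENCIES
    administrate (= 0.1.4)
    rack
LOCK

# Returns [specs, direct]: specs maps gem => { version:, deps: } from the GEM
# section; direct lists the DEPENDENCIES entries, i.e. the gems named in the Gemfile.
def parse_lockfile(text)
  specs, direct, section, current = {}, [], nil, nil
  text.each_line do |raw|
    next if (line = raw.chomp).strip.empty?
    if !line.start_with?(" ")                                    # unindented: section header
      section = line
    elsif section == "GEM" && line =~ /\A {4}(\S+) \(([^)]+)\)\z/ # 4-space: resolved gem
      specs[current = $1] = { version: $2, deps: [] }
    elsif section == "GEM" && current && line =~ /\A {6}(\S+)/    # 6-space: requirement of it
      specs[current][:deps] << $1
    elsif section == "DEPENDENCIES"
      direct << line.strip[/\A[^\s(!]+/]                          # drop constraint and "!"
    end
  end
  [specs, direct]
end

# Classify each resolved gem as direct or transitive and record which *other*
# direct gems reach it through their dependency trees (the "via" list).
def classify(text)
  specs, direct = parse_lockfile(text)
  via = Hash.new { |h, k| h[k] = [] }       # gem => direct gems whose tree reaches it
  walk = lambda do |root, name|             # depth-first; via[] doubles as visited set
    return if !specs.key?(name) || via[name].include?(root)
    via[name] << root
    specs[name][:deps].each { |dep| walk.call(root, dep) }
  end
  direct.each { |root| walk.call(root, root) }
  specs.map do |name, info|
    { name: name, version: info[:version], via: (via[name] - [name]).sort,
      type: direct.include?(name) ? "direct" : "transitive" }
  end
end

classify(SAMPLE_LOCK).each { |g| puts "#{g[:name]} #{g[:version]} #{g[:type]} via=#{g[:via].join(',')}" }
```

In the sample, actionpack is transitive and reachable only through administrate, while rack is direct yet is also pulled in by administrate, so a fix for rack must satisfy both the Gemfile and administrate's constraint.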