Ruby on Rails packaging
Your Ruby on Rails applications must meet specific packaging requirements before you can submit them for scanning.
See Supported languages and platforms for instructions for other platforms.
You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) upload and scan, if licensed. For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.
Automated packaging
Auto-packaging simplifies the packaging process for Ruby on Rails projects.
Supported template formats
Veracode supports these template formats for analyzing Ruby on Rails applications:
- ERB/Erubis
- HAML
- Builder
Required files
Veracode requires that you use a custom Veracode RubyGem to package Ruby on Rails applications.
Veracode packaging gem
Before uploading your Ruby on Rails code, Veracode requires you to run a special packaging gem. The gem uses features introduced in Ruby 1.9 to translate your application to an archive format that Veracode can scan. The resulting archive contains this information:
- Modules and classes, including disassembled instruction sequences for all Ruby methods. Disassembly is not available for methods implemented in C.
- A log of errors generated by the Veracode gem or other code in your application environment during disassembly.
- Configuration files for Rails, Bundler, or other common gems.
- Ruby source and template files.
- A list of included files.
- A recursive list of all files in the application directory, including those not contained in the archive.
To prepare your application for analysis:
- Ensure that the application can run.
- Ensure that you have a functional Rails environment on the system preparing your application.
You can test your system for these requirements by running the `rails server` command.
Supported Ruby on Rails versions
| Rails versions | Ruby versions |
|---|---|
| 5.x | 2.3.x–2.7.x |
| 6.0.x | 2.5.x–2.7.x |
| 6.1.x | 2.5.x–3.2.x |
| 7.0.x | 2.7.x–3.2.x |
| 7.1.x | 2.7.x–3.3.x |
| 7.2.x | 3.1.x–3.3.x |
Packaging guidance
To set up a clean Ruby environment before installing and running the Veracode gem, Veracode recommends you use RVM. After you install RVM, create the Ruby environment by running the following command sequence:
```
rvm install {your version}
rvm use {your version}@veracode --create
```
To install the gem, Veracode recommends that you use Bundler. Run the following command to update your gem to the latest version:
```
railsapp $ bundle update veracode
```
As an alternative to Bundler, you can install the gem with the `gem install` command. After you install RVM and ensure you meet all other application dependencies, run the following command sequence:
```
rvm install {your version}
rvm use {your version}@veracode --create
gem install veracode
```
The packaging gem includes the `veracode` command-line tool that you run in the directory that contains your Rails application. For a list of subcommands and options, run `veracode` or `veracode help`.
For the `veracode` gem to properly analyze and package your application, you must disable the application setting `config.cache_classes`. You can verify that this setting is disabled in the environment configuration file that matches the environment you run the gem in. For example, if you run the gem in the `development` environment (`RAILS_ENV=development veracode prepare`), validate that `config/environments/development.rb` contains the line `config.cache_classes = false`:
```ruby
# /your/ruby/on/railsapp/config/environments/development.rb
YourApp::Application.configure do
  config.cache_classes = false
  # Log error messages when you accidentally call methods on nil.
  config.whiny_nils = true
end
```
Package your Ruby on Rails application
You package Ruby on Rails applications with the `veracode` gem.
To complete this task:
- Insert the following dependency in the `Gemfile` of your application:
  ```ruby
  # Add the following to /your/ruby/on/railsapp/Gemfile
  gem 'veracode'
  ```
  Note: If you removed the default `https://rubygems.org/` source from your Ruby configuration file, you must restore it.
- For Ruby versions earlier than 2.4, you must add the following lines to your `Gemfile` to specify a compatible version of `rubyzip`:
  ```ruby
  source 'https://rubygems.org'
  gem 'rubyzip', '~>1.0'
  ```
- Run the following command sequence to install the application dependencies, Rails, and the `veracode` gem:
  ```
  $ cd /your/ruby/on/railsapp
  railsapp $ rvm use {your version}@veracode
  railsapp $ bundle install --without development test # or other non-production dependency groups
  ```
- Run the following subcommand to create the ZIP archive:
  ```
  railsapp $ veracode prepare
  ```
- In the `tmp` folder of the application, find the new file named `veracode-[application name]-[YYYYmmddHHMMSS timestamp].zip`.
- Upload the ZIP archive to Veracode.
Using veracode prepare
You can create an archive by running the `veracode prepare` command with the following sequence:
```
$ cd /{user-folder}/ruby/on/railsapp
railsapp $ rvm current # validates correct ruby and gemset are being used
railsapp $ veracode prepare
```
The `prepare` subcommand uses the following syntax:
```
veracode prepare
veracode prepare [-h|--help]
veracode prepare [-v|--verbose]
```
The `prepare` subcommand creates the archive that you upload to Veracode.
The gem produces an archive in ZIP format and saves it in the `tmp` folder of the application, for example, `/my/ruby/on/railsapp/tmp`. The `prepare` subcommand creates a file named `veracode-[application name]-[YYYYmmddHHMMSS timestamp].zip`. Upload this file to Veracode.
If an error occurs while preparing the application, you can view the error log at `tmp/veracode-[YYYYmmddHHMMSS timestamp]/error.log`. Include this file with any support requests you make to Veracode.
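The following pre-flight script is an added example, not part of the Veracode gem or its documentation. It checks the requirements from the packaging steps above (`config.cache_classes = false` in the environment file, `gem 'veracode'` and the `https://rubygems.org` source in the `Gemfile`) before you run `veracode prepare`, and then locates either the `tmp/veracode-*.zip` archive to upload or the `error.log` described in this section. It assumes the standard Rails layout (`config/environments/<env>.rb`, `Gemfile`, `tmp/`); the sample application it builds is constructed for the demo.

```shell
#!/bin/sh
# Added pre-flight helper for the packaging steps; it is not part of the Veracode gem.
# Assumes the layout the page describes: config/environments/<env>.rb, Gemfile, tmp/.

# Return 0 when <app_dir> is ready for: RAILS_ENV=<env> veracode prepare
veracode_preflight() {
  app="$1"; env="${2:-development}"
  envfile="$app/config/environments/$env.rb"
  gemfile="$app/Gemfile"
  rc=0
  # The gem cannot analyze the app unless class caching is off in this environment.
  if grep -Eq '^[[:space:]]*config\.cache_classes[[:space:]]*=[[:space:]]*false' "$envfile" 2>/dev/null
  then echo "ok:   $envfile disables config.cache_classes"
  else echo "FAIL: add 'config.cache_classes = false' to $envfile"; rc=1
  fi
  # The gem must be a Gemfile dependency and the default gem source must still be present.
  if grep -Eq "^[[:space:]]*gem[[:space:]]+['\"]veracode['\"]" "$gemfile" 2>/dev/null
  then echo "ok:   Gemfile declares gem 'veracode'"
  else echo "FAIL: add gem 'veracode' to $gemfile"; rc=1
  fi
  if grep -Eq "^[[:space:]]*source[[:space:]]+['\"]https://rubygems.org/?['\"]" "$gemfile" 2>/dev/null
  then echo "ok:   Gemfile keeps source https://rubygems.org"
  else echo "FAIL: restore source 'https://rubygems.org' in $gemfile"; rc=1
  fi
  return $rc
}

# Print the newest tmp/veracode-*.zip (the file to upload). If prepare produced no
# archive, point at the newest error.log instead and return 1.
veracode_find_archive() {
  app="$1"
  zip=$(ls -t "$app"/tmp/veracode-*.zip 2>/dev/null | head -n 1)
  if [ -n "$zip" ]; then echo "$zip"; return 0; fi
  log=$(ls -td "$app"/tmp/veracode-*/error.log 2>/dev/null | head -n 1)
  if [ -n "$log" ]; then echo "no archive; see $log"; fi
  return 1
}

# Constructed sample application for the demo run below (not a real project).
demo_app=$(mktemp -d)
mkdir -p "$demo_app/config/environments" "$demo_app/tmp"
printf "source 'https://rubygems.org'\ngem 'rails'\ngem 'veracode'\n" > "$demo_app/Gemfile"
printf 'YourApp::Application.configure do\n  config.cache_classes = false\nend\n' \
  > "$demo_app/config/environments/development.rb"
: > "$demo_app/tmp/veracode-yourapp-20240101120000.zip"  # constructed placeholder archive
if veracode_preflight "$demo_app" development; then veracode_find_archive "$demo_app"; fi
rm -rf "$demo_app"
```

Run it from the machine that will execute `veracode prepare`, passing the application directory and the same `RAILS_ENV` value you will use for the gem.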