Ruby on Rails packaging
Your Ruby on Rails applications must meet specific packaging requirements before you can submit them for scanning.
See Supported languages and platforms for instructions for other platforms.
You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) upload and scan, if licensed. For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.
Automated packaging
Auto-packaging simplifies the packaging process for Ruby on Rails projects.
Required files
The Veracode RubyGem generates a ZIP file containing all necessary files for analysis, ensuring compatibility with Veracode Static Analysis.
Supported Ruby on Rails versions
| Rails versions | Ruby versions |
|---|---|
| 5.x | 2.3.x–2.7.x |
| 6.0.x | 2.5.x–2.7.x |
| 6.1.x | 2.5.x–3.2.x |
| 7.0.x | 2.7.x–3.2.x |
| 7.1.x | 2.7.x–3.3.x |
| 7.2.x | 3.1.x–3.3.x |
Veracode Static Analysis does not support non-Rails applications.
Use of the Veracode RubyGem on a non-Rails Ruby application will not result in a scannable artifact.
Supported template formats
Veracode supports these template formats for analyzing Ruby on Rails applications:
- Builder
- ERB/Erubis
- HAML
Packaging guidance
Prerequisite - Ensure you have the right environment
Veracode Static Analysis does not analyze Ruby source code directly. Instead, it uses the Veracode RubyGem to compile your Ruby code into YARV (Yet Another Ruby VM) instructions, which are the only supported input for analysis of Ruby applications.
To achieve this, the Veracode RubyGem runs your application server, loading all Ruby files and compiling them using `RubyVM::InstructionSequence`. The resulting instructions are stored in a text file within a ZIP archive, which can then be used for analysis.
This means that when you run `veracode prepare`, the machine you use to package your application must be set up so that your application server can run.
For example, if your application server does not run without an environment variable called `API_KEY` and this variable is not available when running `veracode prepare`, then `veracode prepare` will not be able to run either.
We typically recommend you package from the same container image the development team uses.
Prerequisite - Opening a terminal and navigating to your Ruby application
In a terminal window, change directories to your Ruby application, for example:
```shell
cd /your/ruby/on/railsapp
```
Prerequisite - Ruby
To ensure Ruby is installed with the correct version, run the following command:
```shell
ruby --version
```
Check the output against our Supported Ruby on Rails versions.
Prerequisite - Selecting a Rails environment
The Veracode RubyGem uses `RAILS_ENV`, which is set to `development` by default.
You may wish to select the `production` environment, as this may produce improved results, namely no findings from development-only functionality.
However, depending on your application's configuration, it may not significantly affect the results and may make packaging significantly harder.
Veracode recommends starting with the default `development` environment and evaluating the results.
If these results contain many flaws that are not relevant to production and you want to switch to the production environment, you can do so with:
```shell
# OPTIONAL - Using a production environment may simplify results but can complicate packaging due to configuration differences. Proceed with caution.
export RAILS_ENV=production
```
Important:
For the `veracode` gem to properly analyze and package your application, you must disable the application setting `config.cache_classes`.
You can verify that this setting is disabled in the appropriate environment configuration file.
For example, if you are using the `development` environment, validate that `config/environments/development.rb` contains the line `config.cache_classes = false`.
```ruby
# /your/ruby/on/railsapp/config/environments/development.rb
YourApp::Application.configure do
  # Must be false so the Veracode gem can load and compile every class.
  config.cache_classes = false
  # Log error messages when you accidentally call methods on nil.
  config.whiny_nils = true
end
```
Prerequisite - Ruby Gems
Veracode Static Analysis and Veracode Software Composition Analysis require use of Bundler. Run the following command to ensure you have Bundler installed and working:
```shell
# OPTIONAL - If you are using the "production" RAILS_ENV you should consider adding "--without development test".
bundle install
```
Veracode Static Analysis requires use of Ruby on Rails. Run the following command to ensure you have Rails installed:
```shell
bundle info rails
```
Check the output against our Supported Ruby on Rails versions.
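The prerequisite checks above (Ruby/Rails pair against the support table, and `config.cache_classes = false` in the selected environment file) can be scripted as a preflight before running `veracode prepare`. This is an added example, not part of the Veracode RubyGem; the version strings and configuration text it runs on are constructed, and `preflight` is a hypothetical helper name.

```ruby
# Added preflight check (not Veracode's code). Verifies a Rails/Ruby pair against
# the support table on this page and that config.cache_classes is disabled in the
# environment file for the chosen RAILS_ENV. Inputs are constructed when run directly.

# Support table from this page: Rails series => [min Ruby x.y, max Ruby x.y], inclusive.
SUPPORTED = {
  "5"   => ["2.3", "2.7"],
  "6.0" => ["2.5", "2.7"],
  "6.1" => ["2.5", "3.2"],
  "7.0" => ["2.7", "3.2"],
  "7.1" => ["2.7", "3.3"],
  "7.2" => ["3.1", "3.3"],
}.freeze

# Reduce a full version such as "3.2.4" to its x.y series for range comparison.
def series(version)
  version.split(".").first(2).join(".")
end

# Rails 5.x is listed as a whole major series; every other row is a minor series.
def rails_row(rails_version)
  major, minor = rails_version.split(".")
  SUPPORTED[major] || SUPPORTED["#{major}.#{minor}"]
end

# True when the Ruby x.y series falls inside the matching row's inclusive range.
def supported_pair?(rails_version, ruby_version)
  row = rails_row(rails_version)
  return false if row.nil?
  lo, hi = row.map { |v| Gem::Version.new(v) }
  Gem::Version.new(series(ruby_version)).between?(lo, hi)
end

# True only if an uncommented `config.cache_classes = false` line is present;
# a commented-out line or `= true` means the gem cannot package the application.
def cache_classes_disabled?(config_source)
  config_source.each_line.any? do |line|
    line.sub(/#.*/, "").match?(/\bconfig\.cache_classes\s*=\s*false\b/)
  end
end

# Returns the list of problems found (empty when packaging can proceed).
def preflight(rails_version:, ruby_version:, env:, config_source:)
  problems = []
  problems << "Rails #{rails_version} / Ruby #{ruby_version} is not a supported pair" unless supported_pair?(rails_version, ruby_version)
  problems << "config/environments/#{env}.rb must set config.cache_classes = false" unless cache_classes_disabled?(config_source)
  problems
end
```

In a real project, pass `RUBY_VERSION`, the version printed by `bundle info rails`, and `File.read("config/environments/#{ENV.fetch('RAILS_ENV', 'development')}.rb")` to `preflight`.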