Goal
Add a Tier-3 (package-level) reachability analyzer for Ruby / Bundler projects, mirroring pyreach / jvmreach. Annotate PackageVulnerability.Reachability on each Ruby gem as reachable / unreachable / unknown.
Mapping
Ruby's require "foo" usually maps 1:1 to the gem name foo, with a small set of well-known mismatches that warrant a curated table:
- require "rspec" → gem rspec (identity)
- require "active_record" → gem activerecord (override: the gem name drops the underscore)
- require "json" → stdlib (drop, with the caveat below)
- require "nokogiri" → gem nokogiri (identity)
- require "rest-client" → gem rest-client (identity)
Two rules cover the rest. First, unlike PyPI, RubyGems does not treat - and _ as equivalent, so the identity normalization (lowercase, _ ↔ -) is a matching heuristic only, and a lockfile that contains both spellings of a name needs an override entry. Second, the RubyGems naming convention turns a hyphen in a gem name into a slash in the require path (gem rack-test → require "rack/test"), so a nested require path should be matched against the lockfile by progressively shorter prefixes joined with - (rack-test, then rack). The stdlib drops need one caveat: json, rexml and similar libraries ship as default or bundled gems and can be pinned in Gemfile.lock, so a require should be dropped only when no gem of that name is in the lockfile; otherwise the pinned gem is the one to annotate.
Scope
- New package internal/analyzers/rubyreach/ mirroring pyreach.
- Source walk: .rb files under the project root, plus the extension-less Ruby files Bundler and Rails rely on (Gemfile, Rakefile, config.ru), since gem "..." lines live there. Skip vendor/, tmp/, coverage/, .bundle/, VCS dirs.
- Scanner: line-oriented require "..." / require_relative "..." / gem "..." scanner. require_relative is skipped (relative path, never a gem); gem "x" lines in Gemfile-like files are also recognized. Comment-only lines are ignored, and a require whose argument contains interpolation (#{...}) is recorded as dynamic rather than resolved.
- Mapping: identity normalization (lowercase, _ ↔ -), the nested-path prefix rule (require "a/b" → gem a-b, then a), plus a small override table for stdlib drops and well-known mismatches.
- Per-project FileCache keyed on a hash of Gemfile.lock content, so any change to the lockfile invalidates the entry.
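The Gemfile.lock side of the Scope items above, as an added example in the analyzer's language (written for this ticket, not code from the pyreach template or any rubyreach package): it reduces a lockfile to gem → runtime-dependency names, computes the content digest a per-project cache can key on, and walks the dependency closure so that a gem pulled in by a required gem counts as loaded. The lockfile text is constructed, and the real FileCache interface is assumed rather than used.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Lockfile is Gemfile.lock reduced to normalized gem name -> normalized runtime dependency
// names, plus a content digest for the per-project cache: any byte change to the lockfile
// yields a new digest, so a stale cache entry can never be served for it.
type Lockfile struct {
	Deps   map[string][]string
	Digest string
}

var (
	specRe = regexp.MustCompile(`^    ([^\s(]+) \(`) // 4-space indent under specs: one gem
	depRe  = regexp.MustCompile(`^      ([^\s(]+)`)  // 6-space indent: a dependency of it
)

// norm folds case and -/_ so lockfile names compare with require-derived names.
func norm(s string) string { return strings.ReplaceAll(strings.ToLower(s), "-", "_") }

// ParseLockfile keeps only spec and dependency lines. The DEPENDENCIES, PLATFORMS and
// BUNDLED WITH sections are indented differently and fall through without matching.
func ParseLockfile(text string) Lockfile {
	sum := sha256.Sum256([]byte(text))
	lock := Lockfile{Deps: map[string][]string{}, Digest: hex.EncodeToString(sum[:])}
	cur := ""
	for _, line := range strings.Split(text, "\n") {
		if m := specRe.FindStringSubmatch(line); m != nil {
			cur = norm(m[1])
			if _, ok := lock.Deps[cur]; !ok {
				lock.Deps[cur] = nil // create the key even when the gem has no deps
			}
		} else if m := depRe.FindStringSubmatch(line); m != nil && cur != "" {
			lock.Deps[cur] = append(lock.Deps[cur], norm(m[1]))
		} else {
			cur = "" // blank line or section header ends the current spec
		}
	}
	return lock
}

// Closure returns every lockfile gem that loads when the root gems load. Requiring a gem
// loads its runtime dependencies, so a vulnerable dependency of a reachable gem is
// reachable at package level too. Roots absent from the lockfile are ignored.
func (l Lockfile) Closure(roots ...string) map[string]bool {
	seen := map[string]bool{}
	queue := append([]string{}, roots...)
	for ; len(queue) > 0; queue = queue[1:] {
		g := norm(queue[0])
		if _, ok := l.Deps[g]; ok && !seen[g] {
			seen[g] = true
			queue = append(queue, l.Deps[g]...)
		}
	}
	return seen
}

// sampleLock is a constructed Gemfile.lock fragment, not taken from any real project.
const sampleLock = `GEM
  remote: https://rubygems.org/
  specs:
    activerecord (7.0.0)
    nokogiri (1.13.0)
      racc (~> 1.4)
    racc (1.6.0)
    rack (2.2.3)
    rack-test (2.0.2)
      rack (>= 1.3)

PLATFORMS
  ruby

DEPENDENCIES
  nokogiri
  rack-test

BUNDLED WITH
   2.3.7
`

func main() {
	lock := ParseLockfile(sampleLock)
	fmt.Println(lock.Digest[:12], lock.Closure("nokogiri", "rack-test"))
}
```

The indentation rules are what make the parser this small: spec lines under specs: are indented four spaces, their dependencies six, and every other section uses two or three, so no section tracking is needed. The digest is the cache key the Scope item asks for; comparing digests rather than mtimes means a lockfile rewritten with identical content still hits the cache.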
Smoke fixture
A Veracode example-ruby repo or a small Rails demo with stale Rack / Nokogiri pins.
References
- Template: internal/analyzers/pyreach
- Detector: internal/detectors/ruby (already in tree)
- SDK: LanguageRuby + PackageManagerBundler exist.
Tier-3 caveats to document
Dynamic Kernel#require on string interpolation; Bundler.require autoloading (a Rails app's config/application.rb calls Bundler.require(*Rails.groups), which loads every gem in the Gemfile's default groups without a single explicit require); Rails class autoloaders (Zeitwerk); ActiveSupport eager loading. All of these are invisible to a line-oriented static scanner. When the scan sees Bundler.require or an interpolated require, the analyzer cannot prove that an unrequired gem is never loaded, so those gems should be reported as unknown rather than unreachable.
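The mapping rules, the line scanner and the caveats above put together, as an added example in Go written for this ticket, not the pyreach template's code or any existing rubyreach code. The lockfile is stood in for by a constructed set of normalized gem names, the override table is a three-entry sample, and the PackageVulnerability.Reachability verdicts are represented by plain strings; gems reached only as dependencies of a required gem are not propagated here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Verdicts the ticket puts on PackageVulnerability.Reachability (SDK type assumed, not imported).
const Reachable, Unreachable, Unknown = "reachable", "unreachable", "unknown"

// overrides samples the curated table: require path -> gem name; "" means stdlib, drop it.
var overrides = map[string]string{"active_record": "activerecord", "json": "", "set": ""}

// norm folds case and -/_ for matching only; RubyGems itself keeps them distinct.
func norm(s string) string { return strings.ReplaceAll(strings.ToLower(s), "-", "_") }

// Resolve maps one require path to a gem in the lockfile set (keys already normalized):
// override table first, then the RubyGems convention that gem foo-bar is required as
// "foo/bar", trying the longest prefix first so "a/b/c" matches a-b-c before a-b before a.
func Resolve(path string, gems map[string]bool) (string, bool) {
	if g, ok := overrides[path]; ok {
		return norm(g), g != "" && gems[norm(g)]
	}
	segs := strings.Split(path, "/")
	for i := len(segs); i > 0; i-- {
		if c := norm(strings.Join(segs[:i], "-")); gems[c] {
			return c, true
		}
	}
	return "", false
}

var (
	requireRe = regexp.MustCompile(`^\s*require\s*\(?\s*["']([^"']+)["']`) // never matches require_relative
	gemRe     = regexp.MustCompile(`^\s*gem\s*\(?\s*["']([^"']+)["']`)     // Gemfile lines
)

// Scan holds the line-oriented findings for one project.
type Scan struct {
	Requires, Gems []string
	Dynamic        bool // require "#{...}" seen: the static picture is incomplete
	BundlerRequire bool // Bundler.require seen: every Gemfile gem is loaded at boot
}

// ScanSource is the per-file pass over one .rb file or Gemfile; comment-only lines are ignored.
func ScanSource(text string, s *Scan) {
	for _, line := range strings.Split(text, "\n") {
		t := strings.TrimSpace(line)
		if strings.HasPrefix(t, "#") {
			continue
		}
		s.BundlerRequire = s.BundlerRequire || strings.Contains(t, "Bundler.require")
		if m := requireRe.FindStringSubmatch(line); m == nil {
			if g := gemRe.FindStringSubmatch(line); g != nil {
				s.Gems = append(s.Gems, g[1])
			}
		} else if strings.Contains(m[1], "#{") {
			s.Dynamic = true
		} else {
			s.Requires = append(s.Requires, m[1])
		}
	}
}

// Classify gives every lockfile gem a verdict. Reached gems are reachable; the rest are
// unreachable only when the scan is complete. Bundler.require loads every Gemfile gem and an
// interpolated require may load anything, so in those cases the rest are unknown instead.
func Classify(gems map[string]bool, s Scan) map[string]string {
	out := map[string]string{}
	for _, r := range s.Requires {
		if g, ok := Resolve(r, gems); ok {
			out[g] = Reachable
		}
	}
	for _, g := range s.Gems {
		if gems[norm(g)] {
			out[norm(g)] = Reachable
		}
	}
	rest := Unreachable
	if s.BundlerRequire || s.Dynamic {
		rest = Unknown
	}
	for g := range gems {
		if _, seen := out[g]; !seen {
			out[g] = rest
		}
	}
	return out
}

// Constructed sample: the normalized names a Gemfile.lock would yield, and one source file.
var sampleGems = map[string]bool{"activerecord": true, "nokogiri": true, "rack_test": true, "rest_client": true}

const sampleSource = `require "json"            # stdlib: dropped
require "nokogiri"          # name matches the gem
require "rack/test"         # gem rack-test via the prefix rule
require 'rest-client'       # hyphenated gem, single quotes
require_relative "helpers"  # relative: skipped
# require "active_record"   # comment only: ignored
`

func main() {
	var s Scan
	ScanSource(sampleSource, &s)
	fmt.Println(Classify(sampleGems, s))
}
```

On the sample source, nokogiri, rack_test and rest_client come out reachable and activerecord unreachable; feed the same gem set a file containing Bundler.require(*Rails.groups) and activerecord flips to unknown, which is the downgrade the caveats section asks for. The require regex cannot match require_relative because the character after require must be whitespace, a parenthesis or a quote.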