Add Gemfile.lock parser for Ruby/Rails projects#49
Open
Ayush-Bulbule wants to merge 6 commits into tiluckdave:main from
Conversation
- Add parseGemfileLock() function to parse Bundler lockfiles
- Extract gem dependencies from specs section with rubygems ecosystem
- Add comprehensive test coverage with 6 test cases
- Include real-world Rails 7 example in examples/audit-ruby-project/
- Support gems with hyphens, underscores, and version constraints

- Update hound_audit tool description and error messages
- Update hound_license_check input schema and error messages
- Update tools.md documentation to include Gemfile.lock

- Only parse gems from GEM section, ignore GIT/PATH sections
- Fix misleading comment about dependency line format
- Add test case for GIT section handling
- Ensure parser correctly tracks section boundaries

- Strip platform suffixes (e.g., -x86_64-darwin, -java, -mingw32) from gem versions
- Ensures OSV/deps.dev lookups succeed with base version (1.14.2 vs 1.14.2-x86_64-darwin)
- Preserve legitimate prerelease identifiers (beta, rc, alpha)
- Add comprehensive tests for platform normalization and prerelease preservation
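The parsing behaviour the commits above describe (gems taken from the GEM section only, platform suffixes stripped, prerelease identifiers kept), as an added TypeScript illustration that is not the PR's own `src/parsers/index.ts`. The `GemDependency` shape, the platform token list and the sample lockfile are assumptions constructed for this example.

```typescript
// Added illustration (not the project's src/parsers/index.ts): parse the GEM
// section of a Bundler lockfile and normalize versions for OSV/deps.dev lookups.
interface GemDependency { name: string; version: string; ecosystem: "rubygems"; }

// RubyGems platform tokens (assumed list); a "-<token>..." suffix on a version is
// a platform, not part of the version. Prerelease tags (beta, rc, alpha) are absent.
const PLATFORM_TOKENS = new Set([
  "x86", "x86_64", "x64", "arm", "arm64", "aarch64", "universal",
  "java", "mingw32", "mingw", "mswin32", "mswin64", "darwin", "linux",
]);

// "1.14.2-x86_64-darwin" -> "1.14.2"; "7.1.0-beta.1" is returned unchanged.
function normalizeGemVersion(raw: string): string {
  const dash = raw.indexOf("-");
  if (dash === -1) return raw;
  const firstToken = raw.slice(dash + 1).split("-")[0];
  return PLATFORM_TOKENS.has(firstToken) ? raw.slice(0, dash) : raw;
}

function parseGemfileLock(content: string): GemDependency[] {
  const deps: GemDependency[] = [];
  let inGem = false;   // inside a "GEM" block (GIT/PATH blocks are ignored)
  let inSpecs = false; // past the "specs:" line of that block
  for (const raw of content.split(/\r?\n/)) {
    const line = raw.replace(/\s+$/, "");
    if (line === "") continue;
    // Unindented line = section header; only "GEM" opens a block we read.
    if (!line.startsWith(" ")) { inGem = line === "GEM"; inSpecs = false; continue; }
    if (!inGem) continue;
    if (line === "  specs:") { inSpecs = true; continue; }
    if (!inSpecs) continue; // "remote:" lines before specs:
    // 4-space indent = a gem spec; 6-space indent = that gem's requirement, skipped.
    const m = /^ {4}(\S+) \(([^)]+)\)$/.exec(line);
    if (m) deps.push({ name: m[1], version: normalizeGemVersion(m[2]), ecosystem: "rubygems" });
  }
  return deps;
}

// Constructed sample lockfile (not the PR's examples/audit-ruby-project/Gemfile.lock).
const SAMPLE_LOCK = [
  "GIT", "  remote: https://github.com/example/private-gem.git",
  "  revision: 0000000000000000000000000000000000000000", "  specs:",
  "    private-gem (0.1.0)", "      rack (>= 2.0)", "",
  "GEM", "  remote: https://rubygems.org/", "  specs:",
  "    concurrent-ruby (1.2.2)", "    nokogiri (1.14.2-x86_64-darwin)",
  "      racc (~> 1.4)", "    racc (1.6.2)", "    rails (7.1.0-beta.1)",
  "    rack_session (2.0.0)", "",
  "PLATFORMS", "  x86_64-darwin-22", "", "DEPENDENCIES", "  nokogiri", "  rails",
].join("\n");
```

Running `parseGemfileLock(SAMPLE_LOCK)` yields five rubygems entries; the GIT-sourced `private-gem` and the indented requirement lines are not reported.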
Contributor
Pull request overview
Adds Ruby/Rails dependency support by parsing Gemfile.lock and wiring that into the existing audit + license-check flows, enabling OSV vulnerability scanning and deps.dev license resolution for RubyGems.
Changes:
- Extend `parseLockfile` to recognize and parse `Gemfile.lock` into `rubygems` dependencies.
- Add unit tests covering Gemfile.lock parsing behaviors (section handling, name formats, version normalization).
- Update tool/docs messaging and add an end-to-end Ruby audit example project.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/parsers/index.test.ts | Adds Gemfile.lock parsing test coverage. |
| src/parsers/index.ts | Introduces rubygems ecosystem + parseGemfileLock implementation. |
| src/tools/audit.ts | Updates tool copy to include Gemfile.lock as supported. |
| src/tools/license-check.ts | Updates tool copy to include Gemfile.lock as supported. |
| docs/tools.md | Documents Gemfile.lock support for hound_audit. |
| examples/audit-ruby-project/README.md | Adds usage instructions for Ruby audit example. |
| examples/audit-ruby-project/Gemfile.lock | Provides a real-world sample Gemfile.lock for demos/testing. |
Owner
Thanks @Ayush-Bulbule 🙌
What does this PR do?
Adds support for parsing `Gemfile.lock` files from Ruby/Rails projects, enabling vulnerability scanning and license checking for RubyGems dependencies.

Closes #40
Why?
Ruby/Rails projects use `Gemfile.lock` to lock dependency versions, but Hound MCP previously only supported JavaScript (npm/yarn/pnpm), Python (pip), Rust (Cargo), and Go ecosystems. This adds Ruby/RubyGems support, allowing users to scan Rails applications and Ruby gems for security vulnerabilities and license compliance issues.

Type of change
Checklist
- `pnpm check` passes (typecheck + lint + tests)

Testing
Unit Tests (23 test cases)
- `nokogiri 1.14.2-x86_64-darwin` → `1.14.2`
- `7.1.0-beta.1` stays unchanged
- `=` prefix

Real-world Validation
Tested with Mastodon's production `Gemfile.lock` (348 gems): [email protected] (GHSA-f27w-vcwj-c954)

Example Files
- `examples/audit-ruby-project/Gemfile.lock` with real Rails dependencies
- `examples/audit-ruby-project/README.md` with usage instructions

Tools Updated
- `hound_audit` - now supports Gemfile.lock
- `hound_license_check` - now supports Gemfile.lock
- `docs/tools.md`