# bundler (ruby ecosystem)

Bomly uses this chain when it finds bundler evidence.
| Property | Value |
|---|---|
| Package manager | bundler |
| Ecosystem | ruby |
| Detector chain | bundler-detector, syft-detector |
| Evidence patterns | Gemfile.lock, Gemfile.next.lock |
| Install-first support | Yes |
| Native command hints | bundle, syft for bomly-lite |
## How bundler resolves

`bundler-detector` is a lockfile parser: it reads `Gemfile.lock` directly and produces a full transitive graph with RubyGems names and resolved versions. No subprocess runs.
| Step | Strategy | Command |
|---|---|---|
| Resolve graph | Lockfile parser | None |
## Network behavior

✅ Fully offline-safe. Bomly does not invoke Ruby, Bundler, or any other tool to resolve the graph.
## Prerequisites

- A committed `Gemfile.lock`. The detector understands Bundler 1.x, 2.x, and the `Gemfile.next.lock` produced by `bundle update --conservative` workflows.
- No Ruby or Bundler installation is required to scan.
- For `--install-first`: `bundle` on `PATH`.
## `--install-first`

bundler supports `--install-first`. When passed, Bomly runs `bundle install` in the project directory before resolving the graph.

⚠️ `--install-first` downloads gems from RubyGems (or whatever sources your Gemfile declares) and writes to the configured gem path. Use it on a clean checkout when the lockfile is missing or you want a fresh install.

```bash
bomly scan --install-first
```
### Customizing the install command

Append flags to `bundle install` with the repeatable `--install-arg`. Requires `--detectors bundler-detector`.

```bash
# Production deployment mode: frozen lockfile, no version updates
bomly scan --install-first --detectors bundler-detector \
  --install-arg --deployment --install-arg --without --install-arg development
```
## Examples

### Fix a direct vulnerability

```ruby
# Gemfile
gem "rails", "~> 7.1.4"
```

Then run `bundle lock --update rails` and re-scan.

### Pin a transitive vulnerability

Add the transitive gem at the top level so Bundler's resolver picks your version:

```ruby
# Gemfile
gem "nokogiri", ">= 1.16.5"
```

Then run `bundle lock --update nokogiri` and re-scan.
## Reachability

Not yet supported. Bomly has no Ruby reachability analyzer today. `--analyze` produces `not_applicable` for Ruby packages.
## Limitations

- Local-path gems (`gem "x", path: "../x"`) are recorded, but their internal dependencies come from the local checkout, not RubyGems.
- Git-sourced gems (`gem "x", git: "…"`) are tracked by URL and ref; advisory matching by name still applies, but version-range matching may be imprecise for non-semver refs.
- Platform-specific gems (e.g. `nokogiri-x86_64-linux`) collapse to the base name; per-platform CVEs are matched against the base name.
- `*.gemspec`-only projects (gem libraries with no `Gemfile.lock`) fall back to Syft, which produces a flat package list without edges.
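As an added example that is not Bomly's code and not how `bundler-detector` is implemented, the Ruby below parses a constructed `Gemfile.lock` the way a lockfile-only detector can, covering both the resolution step described under "How bundler resolves" and the source and platform cases listed above: the section header gives the source kind (`GEM`, `PATH`, `GIT`), `remote:` and `revision:` lines record where a path or git gem came from, a platform-specific entry such as `nokogiri (1.16.5-x86_64-linux)` is collapsed onto the base gem name, and a walk from `DEPENDENCIES` yields the transitive edge list with no subprocess. The `Package` struct, the `-<platform>` collapse rule and the sample lockfile are this example's own assumptions.

```ruby
# Added example (not Bomly's code): a minimal Gemfile.lock parser that builds
# the kind of transitive graph a lockfile-only detector produces. Assumptions of
# this example: source kind = section header (GEM/PATH/GIT); a "-<platform>"
# suffix inside the version parentheses marks a platform build of the base gem.
Package = Struct.new(:name, :version, :platforms, :source, :remote, :ref, :deps)

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GIT
    remote: https://github.com/example/foo.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      foo (0.1.0)
        rake (>= 12)

  PATH
    remote: ../mylib
    specs:
      mylib (1.0.0)
        nokogiri (>= 1.16)

  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.8.7)
      nokogiri (1.16.5)
        mini_portile2 (~> 2.8.2)
        racc (~> 1.4)
      nokogiri (1.16.5-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.0)
      rake (13.2.1)

  DEPENDENCIES
    foo!
    mylib!
    nokogiri (>= 1.16.5)
    rake

  BUNDLED WITH
     2.5.9
LOCK

# "nokogiri (1.16.5-x86_64-linux)" => ["nokogiri", "1.16.5", "x86_64-linux"]
def split_spec(body)
  m = body.match(/\A(\S+) \(([^)]+)\)\z/)
  raise ArgumentError, "unparseable spec line: #{body.inspect}" unless m
  version, platform = m[2].split('-', 2)
  [m[1], version, platform]
end

# Returns [packages, direct]: packages keyed "name@version"; direct is the list
# of names under DEPENDENCIES (the Gemfile's top-level gems).
def parse_gemfile_lock(text)
  packages = {}
  direct = []
  section = remote = ref = current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    indent = line[/\A */].size
    body = line.strip
    if indent.zero?                      # an unindented line starts a section
      section, remote, ref, current = body, nil, nil, nil
      next
    end
    case section
    when 'GEM', 'PATH', 'GIT'
      if indent == 2                     # remote:/revision:/specs: keys
        key, value = body.split(': ', 2)
        remote = value if key == 'remote'
        ref = value if key == 'revision'
      elsif indent == 4                  # resolved spec: name (version[-platform])
        name, version, platform = split_spec(body)
        key = "#{name}@#{version}"
        packages[key] ||= Package.new(name, version, [], section.downcase, remote, ref, [])
        current = packages[key]          # platform variants merge into the base entry
        current.platforms << platform if platform
      elsif indent == 6 && current       # dependency edge of the current spec
        dep = body.split(' ', 2).first
        current.deps << dep unless current.deps.include?(dep)
      end
    when 'DEPENDENCIES'
      direct << body.sub(/!\z/, '').split(' ', 2).first   # "foo!" = non-RubyGems source
    end
  end
  [packages, direct]
end

# Walk from the direct dependencies; returns [reachable names, edges].
def transitive_graph(packages, direct)
  by_name = packages.values.group_by(&:name)
  seen = {}
  edges = []
  queue = direct.dup
  until queue.empty?
    name = queue.shift
    next if seen[name]
    seen[name] = true
    pkg = by_name.fetch(name) { raise KeyError, "#{name} is not in any specs section" }.first
    pkg.deps.each do |dep|
      edges << [name, dep]
      queue << dep
    end
  end
  [seen.keys.sort, edges.sort]
end
```

`parse_gemfile_lock(SAMPLE_LOCK)` followed by `transitive_graph` returns six reachable packages and four edges for the sample. Because path and git gems carry a `remote` and `ref` rather than a RubyGems version, a consumer of this graph can tell which entries are subject to the imprecise version-range matching noted in the limitations list, and the merged `platforms` field shows which base names had platform-specific builds.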