CycloneDX Ruby Gem
===
###### tags: `SBOM` `CycloneDx` `Ruby` `Gem` `bom.xml`
This is a Ruby gem used to generate a Software Bill of Materials (SBOM) for a Ruby project. The gem is developed by OWASP CycloneDX, the project behind the CycloneDX SBOM standard, which is widely used in application security.
An SBOM lists the open-source libraries a project uses and documents them in an XML or JSON file. This tells us which open-source libraries are in use and at which versions. If a version is known to be vulnerable, the developers can then take the necessary mitigation steps.
## Installation
This Ruby gem is installed with the command
`gem install cyclonedx-ruby`
## Usage
`cyclonedx-ruby -p <path_of_the_project_folder>`
## How it works
This gem scans the `Gemfile.lock` file in the project root directory and writes an XML file called `bom.xml` to the same folder. For every dependency, the XML records the following details: name, version, description, hash algorithm, license id, and package URL.
## Example
I used this gem with [Hypocryte](https://github.com/dsvinod90/melochat), which is written mostly in Ruby and JavaScript. This is my personal repository for my blog site and has multiple vulnerabilities, as I have not updated the gems in a while.
I ran the command `cyclonedx-ruby -p <path_of_the_project_folder>`, and the output of this command was the creation of a `bom.xml` file. This file had all the gems that are being used by the project and the details of the gems as mentioned above. [Here](https://github.com/dsvinod90/melochat/blob/master/bom.xml) is the complete file for reference.
## Why do we need bom.xml when we already have Gemfile.lock?
While `bom.xml` relies on `Gemfile.lock` to discover the project's dependencies, it is nevertheless valuable from a security standpoint. Producing the XML is worthwhile because it can be consumed in any way that helps us understand the project's dependencies: it can be rendered in a web page, or sent over REST to an API endpoint that displays the dependencies and determines whether any gem needs to be updated, or even replaced with another one because of the risks involved. Having the dependencies in XML form makes them very easy to use.
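As an added example (not code from the cyclonedx-ruby gem), this Ruby script consumes a `bom.xml` in the shape described under "How it works" and performs the kind of check this section motivates: it extracts each component's recorded fields and reports any gem whose version is below a minimum-version policy. The sample BOM, the placeholder hash and the `MIN_VERSIONS` policy are constructed for illustration and carry no real advisory data.

```ruby
require 'rexml/document' # bundled with Ruby; Gem::Version comes from rubygems, loaded by default

# Constructed sample in the shape cyclonedx-ruby writes to bom.xml; names, versions,
# hash and licence values are illustrative and not taken from any real scan.
SAMPLE_BOM = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1">
    <components>
      <component type="library">
        <name>rails</name>
        <version>5.2.2</version>
        <description>Full-stack web application framework.</description>
        <hashes><hash alg="SHA-256">PLACEHOLDER_HASH</hash></hashes>
        <licenses><license><id>MIT</id></license></licenses>
        <purl>pkg:gem/rails@5.2.2</purl>
      </component>
      <component type="library">
        <name>nokogiri</name>
        <version>1.13.10</version>
        <licenses><license><id>MIT</id></license></licenses>
        <purl>pkg:gem/nokogiri@1.13.10</purl>
      </component>
    </components>
  </bom>
XML

# Hypothetical team policy (made up for this example, not vulnerability data): lowest accepted version per gem.
MIN_VERSIONS = { 'rails' => '6.1.7', 'nokogiri' => '1.13.10' }.freeze

# One hash per <component> with the fields the gem records. The namespace is read
# from the root element, so the same code handles other CycloneDX schema versions.
def parse_components(xml)
  doc = REXML::Document.new(xml)
  ns = { 'b' => doc.root.namespace }
  REXML::XPath.match(doc, '//b:component', ns).map do |comp|
    text = ->(path) { REXML::XPath.first(comp, path, ns)&.text }
    { name: text.call('b:name'), version: text.call('b:version'), purl: text.call('b:purl'),
      license: text.call('b:licenses/b:license/b:id'),
      hash_alg: REXML::XPath.first(comp, 'b:hashes/b:hash', ns)&.attribute('alg')&.value }
  end
end

# Components below their policy floor; gems absent from the policy are skipped, not flagged.
def outdated_components(components, policy)
  components.select do |c|
    floor = policy[c[:name]]
    floor && Gem::Version.new(c[:version]) < Gem::Version.new(floor)
  end
end
```

Pointing `parse_components` at the real `bom.xml` (for example `File.read('bom.xml')`) turns this into the dependency check the section describes; with the constructed data, only `rails` is reported.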