
Syft missing direct dependencies from the gemfile.lock #1660

Closed
diptanshumittal opened this issue Mar 9, 2023 · 2 comments · Fixed by #1749
Labels
bug Something isn't working good-first-issue Good for newcomers

Comments

@diptanshumittal

What happened:
Used the Syft tool on the following gemfile.lock; the output received was missing dependencies.

diptanshu-macbookpro:google-cloud-firestore diptanshu$ cat gemfile.lock
PATH
  remote: ../google-cloud-core
  specs:
    google-cloud-core (1.6.0)
      google-cloud-env (~> 1.0)
      google-cloud-errors (~> 1.0)

PATH
  remote: ../google-cloud-errors
  specs:
    google-cloud-errors (1.3.0)

PATH
  remote: ../google-cloud-firestore-v1
  specs:
    google-cloud-firestore-v1 (0.8.0)
      gapic-common (>= 0.16.0, < 2.a)
      google-cloud-errors (~> 1.0)
      google-cloud-location (>= 0.3, < 2.a)

PATH
  remote: .
  specs:
    google-cloud-firestore (2.8.0)
      concurrent-ruby (~> 1.0)
      google-cloud-core (~> 1.5)
      google-cloud-firestore-v1 (~> 0.0)
      rbtree (~> 0.4.2)

GEM
  remote: https://rubygems.org/
  specs:
    addressable (2.8.1)
      public_suffix (>= 2.0.2, < 6.0)
    ast (2.4.2)
    autotest-suffix (1.1.0)
    concurrent-ruby (1.2.2)
    docile (1.4.0)
    faraday (2.7.4)
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
    faraday-net_http (3.0.2)
    faraday-retry (2.0.0)
      faraday (~> 2.0)
    gapic-common (0.17.1)
      faraday (>= 1.9, < 3.a)
      faraday-retry (>= 1.0, < 3.a)
      google-protobuf (~> 3.14)
      googleapis-common-protos (>= 1.3.12, < 2.a)
      googleapis-common-protos-types (>= 1.3.1, < 2.a)
      googleauth (~> 1.0)
      grpc (~> 1.36)
    google-cloud-env (1.6.0)
      faraday (>= 0.17.3, < 3.0)
    google-cloud-location (0.4.0)
      gapic-common (>= 0.17.1, < 2.a)
      google-cloud-errors (~> 1.0)
    google-protobuf (3.22.0)
    google-style (1.26.3)
      rubocop (~> 1.31)
    googleapis-common-protos (1.4.0)
      google-protobuf (~> 3.14)
      googleapis-common-protos-types (~> 1.2)
      grpc (~> 1.27)
    googleapis-common-protos-types (1.5.0)
      google-protobuf (~> 3.14)
    googleauth (1.3.0)
      faraday (>= 0.17.3, < 3.a)
      jwt (>= 1.4, < 3.0)
      memoist (~> 0.16)
      multi_json (~> 1.11)
      os (>= 0.9, < 2.0)
      signet (>= 0.16, < 2.a)
    grpc (1.52.0)
      google-protobuf (~> 3.21)
      googleapis-common-protos-types (~> 1.0)
    json (2.6.3)
    jwt (2.7.0)
    memoist (0.16.2)
    minitest (5.17.0)
    minitest-autotest (1.1.1)
      minitest-server (~> 1.0)
      path_expander (~> 1.0)
    minitest-focus (1.3.1)
      minitest (>= 4, < 6)
    minitest-rg (5.2.0)
      minitest (~> 5.0)
    minitest-server (1.0.7)
      minitest (~> 5.16)
    multi_json (1.15.0)
    os (1.1.4)
    parallel (1.22.1)
    parser (3.2.1.0)
      ast (~> 2.4.1)
    path_expander (1.1.1)
    public_suffix (5.0.1)
    rainbow (3.1.1)
    rake (13.0.6)
    rbtree (0.4.6)
    redcarpet (3.6.0)
    regexp_parser (2.7.0)
    rexml (3.2.5)
    rubocop (1.46.0)
      json (~> 2.3)
      parallel (~> 1.10)
      parser (>= 3.2.0.0)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
      rubocop-ast (>= 1.26.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
    rubocop-ast (1.26.0)
      parser (>= 3.2.1.0)
    ruby-progressbar (1.11.0)
    ruby2_keywords (0.0.5)
    signet (0.17.0)
      addressable (~> 2.8)
      faraday (>= 0.17.5, < 3.a)
      jwt (>= 1.5, < 3.0)
      multi_json (~> 1.10)
    simplecov (0.22.0)
      docile (~> 1.1)
      simplecov-html (~> 0.11)
      simplecov_json_formatter (~> 0.1)
    simplecov-html (0.12.3)
    simplecov_json_formatter (0.1.4)
    stackprof (0.2.23)
    unicode-display_width (2.4.2)
    webrick (1.7.0)
    yard (0.9.28)
      webrick (~> 1.7.0)
    yard-doctest (0.1.17)
      minitest
      yard

PLATFORMS
  ruby

DEPENDENCIES
  autotest-suffix (~> 1.1)
  google-cloud-core!
  google-cloud-errors!
  google-cloud-firestore!
  google-cloud-firestore-v1!
  google-style (~> 1.26.1)
  minitest (~> 5.16)
  minitest-autotest (~> 1.0)
  minitest-focus (~> 1.1)
  minitest-rg (~> 5.2)
  rake
  redcarpet (~> 3.0)
  simplecov (~> 0.9)
  stackprof
  yard (~> 0.9)
  yard-doctest (~> 0.1.13)

BUNDLED WITH
   2.2.33
diptanshu-macbookpro:google-cloud-firestore diptanshu$ syft .
 ✔ Indexed .               
 ✔ Cataloged packages      [50 packages]

NAME                            VERSION  TYPE 
addressable                     2.8.1    gem   
ast                             2.4.2    gem   
autotest-suffix                 1.1.0    gem   
concurrent-ruby                 1.2.2    gem   
docile                          1.4.0    gem   
faraday                         2.7.4    gem   
faraday-net_http                3.0.2    gem   
faraday-retry                   2.0.0    gem   
gapic-common                    0.17.1   gem   
google-cloud-env                1.6.0    gem   
google-cloud-location           0.4.0    gem   
google-protobuf                 3.22.0   gem   
google-style                    1.26.3   gem   
googleapis-common-protos        1.4.0    gem   
googleapis-common-protos-types  1.5.0    gem   
googleauth                      1.3.0    gem   
grpc                            1.52.0   gem   
json                            2.6.3    gem   
jwt                             2.7.0    gem   
memoist                         0.16.2   gem   
minitest                        5.17.0   gem   
minitest-autotest               1.1.1    gem   
minitest-focus                  1.3.1    gem   
minitest-rg                     5.2.0    gem   
minitest-server                 1.0.7    gem   
multi_json                      1.15.0   gem   
os                              1.1.4    gem   
parallel                        1.22.1   gem   
parser                          3.2.1.0  gem   
path_expander                   1.1.1    gem   
public_suffix                   5.0.1    gem   
rainbow                         3.1.1    gem   
rake                            13.0.6   gem   
rbtree                          0.4.6    gem   
redcarpet                       3.6.0    gem   
regexp_parser                   2.7.0    gem   
rexml                           3.2.5    gem   
rubocop                         1.46.0   gem   
rubocop-ast                     1.26.0   gem   
ruby-progressbar                1.11.0   gem   
ruby2_keywords                  0.0.5    gem   
signet                          0.17.0   gem   
simplecov                       0.22.0   gem   
simplecov-html                  0.12.3   gem   
simplecov_json_formatter        0.1.4    gem   
stackprof                       0.2.23   gem   
unicode-display_width           2.4.2    gem   
webrick                         1.7.0    gem   
yard                            0.9.28   gem   
yard-doctest                    0.1.17   gem 

What you expected to happen:
Output should have included gems with a local remote, i.e. google-cloud-firestore-v1.

Environment:

  • Output of syft version:
 Application:        syft
 Version:            0.73.0
 JsonSchemaVersion:  7.0.0
 BuildDate:          2023-02-22T19:08:35Z
 GitCommit:          aa151da5fe2a1b11502c852fd2d3ad462c1d245f
 GitDescription:     [not provided]
 Platform:           darwin/arm64
 GoVersion:          go1.20.1
 Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar): macOS 13.2.1 (22D68)
@diptanshumittal diptanshumittal added the bug Something isn't working label Mar 9, 2023
@tgerla
Contributor

tgerla commented Mar 9, 2023

Hi @diptanshumittal, thanks for the issue. We believe our gemfile.lock parser is only looking under the "GEM" section. We will take a look and see how to fix this. If you are interested in taking a look at the code and working on a fix yourself, we would be happy to help.

@wagoodman wagoodman added the good-first-issue Good for newcomers label Mar 9, 2023
@wagoodman
Contributor

Note for anyone interested in contributing a PR: the bundler lockfile parser source might be a pretty good reference for understanding which other sections to additionally include for parsing (instead of just GEM, as is done today).
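
As an added illustration of the parsing gap described in this issue and in the comment above (example code written for this thread, not Syft's own cataloger and not the Bundler parser it points to): a small Go walker over the sections of a Gemfile.lock. It treats every flush-left header as a section, reads the section's `remote:` line, and collects the 4-space-indented `name (version)` entries under `specs:`. Running it once restricted to `GEM` and once over `GEM`, `PATH` and `GIT` reproduces the missing packages from the report. The embedded lockfile is an abbreviated copy of the one posted in the issue; the function and type names are this example's own. For an SBOM the point is not only the count: the gems that vanish are exactly the ones that do not come from rubygems.org, which is the set a supply-chain reviewer most needs to see, so the walker keeps the section and remote alongside each spec.

```go
package main

import (
	"fmt"
	"strings"
)

// GemSpec is one resolved gem taken from a spec-bearing section of a Gemfile.lock.
type GemSpec struct {
	Name    string
	Version string
	Section string // header the spec was found under: GEM, PATH, GIT
	Remote  string // the section's "remote:" value (registry URL, local path, git URL)
}

// gemOnly mirrors the behaviour the issue reports: only the GEM section is read.
var gemOnly = map[string]bool{"GEM": true}

// allSpecSections adds the other sections that carry a "specs:" block.
// GIT sections use the same layout as PATH (remote:, revision:, specs:).
var allSpecSections = map[string]bool{"GEM": true, "PATH": true, "GIT": true}

// parseGemfileLock returns the top-level specs found under every section whose
// header is listed in `sections`. PLATFORMS, DEPENDENCIES and BUNDLED WITH carry
// no specs: block, so their lines never match the indent rules below.
func parseGemfileLock(content string, sections map[string]bool) []GemSpec {
	var out []GemSpec
	section, remote := "", ""
	inSpecs := false
	for _, raw := range strings.Split(content, "\n") {
		line := strings.TrimRight(raw, "\r")
		if strings.TrimSpace(line) == "" {
			continue
		}
		// Section headers are the only flush-left lines in the file.
		if !strings.HasPrefix(line, " ") {
			section, remote, inSpecs = strings.TrimSpace(line), "", false
			continue
		}
		trimmed := strings.TrimSpace(line)
		indent := len(line) - len(strings.TrimLeft(line, " "))
		switch {
		case indent == 2 && strings.HasPrefix(trimmed, "remote:"):
			remote = strings.TrimSpace(strings.TrimPrefix(trimmed, "remote:"))
		case indent == 2 && trimmed == "specs:":
			inSpecs = true
		case indent == 4 && inSpecs && sections[section]:
			// 4 spaces: a resolved gem. 6 spaces: that gem's own dependencies,
			// which are version constraints, not resolved packages, so skipped.
			if name, ver := splitNameVersion(trimmed); ver != "" {
				out = append(out, GemSpec{Name: name, Version: ver, Section: section, Remote: remote})
			}
		}
	}
	return out
}

// splitNameVersion turns "name (1.2.3)" into ("name", "1.2.3").
func splitNameVersion(s string) (string, string) {
	open := strings.Index(s, " (")
	if open < 0 || !strings.HasSuffix(s, ")") {
		return s, ""
	}
	return s[:open], s[open+2 : len(s)-1]
}

// missingFromGemOnly lists the specs a GEM-only parse drops, in file order.
func missingFromGemOnly(content string) []string {
	seen := map[string]bool{}
	for _, g := range parseGemfileLock(content, gemOnly) {
		seen[g.Name] = true
	}
	var missing []string
	for _, g := range parseGemfileLock(content, allSpecSections) {
		if !seen[g.Name] {
			missing = append(missing, g.Name)
		}
	}
	return missing
}

// sampleLock is a constructed, abbreviated copy of the lockfile from the issue:
// the four PATH sources are kept in full, the GEM section is trimmed.
const sampleLock = `PATH
  remote: ../google-cloud-core
  specs:
    google-cloud-core (1.6.0)
      google-cloud-env (~> 1.0)
      google-cloud-errors (~> 1.0)

PATH
  remote: ../google-cloud-errors
  specs:
    google-cloud-errors (1.3.0)

PATH
  remote: ../google-cloud-firestore-v1
  specs:
    google-cloud-firestore-v1 (0.8.0)
      gapic-common (>= 0.16.0, < 2.a)
      google-cloud-errors (~> 1.0)

PATH
  remote: .
  specs:
    google-cloud-firestore (2.8.0)
      concurrent-ruby (~> 1.0)
      google-cloud-core (~> 1.5)
      google-cloud-firestore-v1 (~> 0.0)
      rbtree (~> 0.4.2)

GEM
  remote: https://rubygems.org/
  specs:
    concurrent-ruby (1.2.2)
    google-cloud-env (1.6.0)
      faraday (>= 0.17.3, < 3.0)
    rbtree (0.4.6)

PLATFORMS
  ruby

DEPENDENCIES
  google-cloud-core!
  google-cloud-errors!
  google-cloud-firestore!
  google-cloud-firestore-v1!
  rake

BUNDLED WITH
   2.2.33
`

func main() {
	for _, g := range parseGemfileLock(sampleLock, allSpecSections) {
		fmt.Printf("%-28s %-8s %-5s %s\n", g.Name, g.Version, g.Section, g.Remote)
	}
	fmt.Println("dropped by a GEM-only parse:", missingFromGemOnly(sampleLock))
}
```

Note the `!` suffix in DEPENDENCIES marks gems that come from a non-registry source; the walker ignores that section because it holds requested constraints rather than resolved versions, which live only under `specs:`.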

shanedell added a commit to shanedell/syft that referenced this issue Apr 18, 2023
- Updated tests to reflect the new sections being added to show they function properly.

Closes anchore#1660

Signed-off-by: Shane Dell <shanedell100@gmail.com>
shanedell added a commit to shanedell/syft that referenced this issue Apr 18, 2023
- Updated tests to reflect the new sections being added to show they function properly.

Closes anchore#1660

Signed-off-by: Shane Dell <shanedell100@gmail.com>
spiffcs pushed a commit that referenced this issue Apr 19, 2023
- Updated tests to reflect the new sections being added to show they function properly.

Closes #1660

Signed-off-by: Shane Dell <shanedell100@gmail.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this issue Feb 19, 2024
- Updated tests to reflect the new sections being added to show they function properly.

Closes anchore#1660

Signed-off-by: Shane Dell <shanedell100@gmail.com>
3 participants