Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Safely parse Gemfiles and gemspecs

tag: v0.1.5

Fetching latest commit…

Octocat-spinner-32-eaf2f5

Cannot retrieve the latest commit at this time

Octocat-spinner-32 lib
Octocat-spinner-32 spec
Octocat-spinner-32 .gitignore Ignore .rvmrc December 12, 2011
Octocat-spinner-32 .travis.yml
Octocat-spinner-32 Gemfile
Octocat-spinner-32 LICENSE Newlines December 12, 2011
Octocat-spinner-32 README.md
Octocat-spinner-32 Rakefile Add the default rake task December 12, 2011
Octocat-spinner-32 gemnasium-parser.gemspec
README.md

Gemnasium::Parser Build Status Dependency Status

The Gemnasium parser determines gem dependencies from gemfiles and gemspecs, without evaluating the Ruby.

Why?

Bundler is wonderful. It takes your gemfile and your gemspec (both just Ruby) and evaluates them, determining your gem dependencies. This works great locally and even on your production server… but only because you can be trusted!

An untrustworthy character could put some pretty nasty stuff in a gemfile. If Gemnasium were to blindly evaluate that Ruby on its servers, havoc would ensue.

Solution #1

If evaluating Ruby is so dangerous, just sandbox it! Travis CI runs its builds inside isolated environments built with Vagrant. That way, if anything goes awry, it’s in a controlled environment.

This is entirely possible with Gemnasium, but it’s impractical. Gemfiles often require other files in the repository. So to evaluate a gemfile, Gemnasium needs to clone the entire repo. That’s an expensive operation when only a couple files determine the dependencies.

Solution #2

Parse Ruby like Ruby parses Ruby.

Ruby 1.9 includes a library called Ripper. Ripper is a Ruby parsing library that can break down a gemfile or gemspec into bite-sized chunks, without evaluating the source. Then it can be searched for just the methods that matter.

The problem is that it’s hard to make heads or tails from Ripper’s output, at least for me. I could see the Gemnasium parser one day moving to this strategy. But not today.

Third try’s the charm

If we can’t evaluate the Ruby and Ripper’s output is unmanageable, how else can we find patterns in a gemfile or gemspec and get usable output?

Regular expressions!

The Gemnasium parser, for both gemfiles and gemspecs, is based on a number of Ruby regular expressions. These patterns match gem method calls in gemfiles and add_dependency calls in gemspecs.

For a more comprehensive list of its abilities, see the specs.

Contributing

  1. Fork it
  2. Create your branch (git checkout -b my-bugfix)
  3. Commit your changes (git commit -am "Fix my bug")
  4. Push your branch (git push origin my-bugfix)
  5. Send a pull request

Problems?

If you have a gemfile or gemspec that the Gemnasium parser screws up…

  1. Boil it down to its simplest problematic form
  2. Write a failing spec
  3. See Contributing
Something went wrong with that request. Please try again.