Merge pull request #817 from jeremylong/bundleaudit

Resolve issue #810

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -50,7 +50,6 @@ import org.slf4j.LoggerFactory;
  *
  * @author Dale Visser
  */
-@Experimental
 public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -97,6 +97,7 @@ analyzer.composer.lock.enabled=true
 analyzer.python.distribution.enabled=true
 analyzer.python.package.enabled=true
 analyzer.ruby.gemspec.enabled=true
+analyzer.bundle.audit.enabled=true
 analyzer.autoconf.enabled=true
 analyzer.cmake.enabled=true
 analyzer.assembly.enabled=true

src/site/markdown/analyzers/bundle-audit.md

@@ -0,0 +1,16 @@
+Ruby Bundle-audit Analyzer
+=====================
+
+OWASP dependency-check includes an analyzer that will execute [bundle-audit](https://github.com/rubysec/bundler-audit#readme)
+and include the results in the dependency-check report. This is useful for multi-language
+projects and merging the results of multiple software composition analysis tools.
+
+**NOTE** - it is important to run `bundle-audit update` occasionally to keep the bundle-audit
+database current. ATM - dependency-check does **not** perform the `bundle-audit update` automatically.
+
+```shell
+$ sudo gem install bundler-audit
+$ bundle-audit update
+```
+
+Files Types Scanned: Gemfile.lock

src/site/markdown/analyzers/index.md

@@ -12,6 +12,7 @@ to extract identification information from the files analyzed.
 | [NSP](./nsp-analyzer.html) | [Node Security Project](https://nodesecurity.io) is used to analyze Node.js' `package.json` files for known vulnerable packages.|
 | [Nuspec](./nuspec-analyzer.html) | Nuget package specification file (\*.nuspec) | Uses XPath to parse specification XML. |
 | [OpenSSL](./openssl.html) | OpenSSL Version Source Header File (opensslv.h) | Regex parse of the OPENSSL_VERSION_NUMBER macro definition. |
+| [Ruby bundler‑audit](./bundle-audit.html) | Ruby `Gemfile.lock` files | Executes bundle-audit and incorporates the results into the dependency-check report. |
 
 Experimental Analyzers
 ----------------------

src/site/markdown/analyzers/ruby-gemspec.md

@@ -14,6 +14,8 @@ evidence to identify any Common Platform Enumeration (CPE) identifiers that
 apply.
 
 *Note*: It is highly recommended that Ruby projects use
-[bundler-audit](https://github.com/rubysec/bundler-audit#readme).
+[bundler-audit](https://github.com/rubysec/bundler-audit#readme). It is possible
+to incorporate the results of bundle-audit into the dependency-check report(s) by
+using the [bundle-audit analyzer](./bundle-audit.html).
 
 Files Types Scanned: Rakefile, \*.gemspec