merge from ruby_dependency

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -311,6 +311,10 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         return false;
     }
     
+    /**
+     * Bundling Ruby gems that are identified from different .gemspec files but denote the same package path.
+     * This happens when Ruby bundler installs an app's dependencies by running "bundle install".
+     */
     private boolean isSameRubyGem(Dependency dependency1, Dependency dependency2) {
     	if (dependency1 == null || dependency2 == null ||
     		!dependency1.getFileName().endsWith(".gemspec") ||
@@ -326,8 +330,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     }
     
     /**
-     * A gem install may have zero or more *.gemspec files, all of which have the same packagePath and should be grouped.
+     * Ruby gems installed by "bundle install" can have zero or more *.gemspec files, all of which have the same packagePath and should be grouped.
-     * If one of these gemspec is from <parent>/specifications/*.gemspec, which is a stub with fully resolved gem meta-data
+     * If one of these gemspec is from <parent>/specifications/*.gemspec, because it is a stub with fully resolved gem meta-data
      * created by Ruby bundler, this dependency should be the main one.  Otherwise, use dependency2 as main.
      * 
      * This method returns null if any dependency is not from *.gemspec, or the two do not have the same packagePath.

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -17,10 +17,22 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileFilter;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.nio.charset.Charset;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Reference;
@@ -30,12 +42,6 @@ import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.*;
-import java.nio.charset.Charset;
-import java.util.*;
-import java.util.logging.Level;
-import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
-
 /**
  * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party
  * bundle-audit tool.
@@ -364,6 +370,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
         final File gemFile = new File(Settings.getTempDirectory(), gem + "_Gemfile.lock");
         gemFile.createNewFile();
         final String displayFileName = String.format("%s%c%s:%s", parentName, File.separatorChar, fileName, gem);
+
         FileUtils.write(gemFile, displayFileName, Charset.defaultCharset()); // unique contents to avoid dependency bundling
         final Dependency dependency = new Dependency(gemFile);
         dependency.getProductEvidence().addEvidence("bundler-audit", "Name", gem, Confidence.HIGHEST);