Ruby SBOMs

[konstantinas1]

Problem 1

I have been trying to configure cdxgen to use a private ruby artifactory (Jfrog) but no matter the env variables I set it always attempts to query rubygems.org.
I am using a debian docker container and installing cdxgen in it using npm.
Using a cdxgen cli on my machine seems fine though, but not when installed in Dockerfile.

Any suggestions how this could be setup with the latest version?
Is it even necessary to try and query the artifactory? Is it possible to disable this?

Problem 2

With the previous versions (tested on 10.0.0, does not work anymore after v11) I manage to generate an SBOM however, with the latest version (11.1.8) the generation stops without any error (last output line using debug mode: Querying rubygems.org for ffi).
I attempted to do the same with the recommended docker images, but same issue.

What actually changed?
How can I debug the problem in more depth?

[prabhu]

cdxgen/lib/helpers/utils.js

Line 6585 in d0af121

const RUBYGEMS_V2_URL =

Try using the environment variable RUBYGEMS_V2_URL to customize this. If this works, could you kindly send a PR to update the docs?

[konstantinas1]

It does indeed then try to fetch using the custom host however, the artifactory (JFrog) we use does not fetch the gems using .json extension. The url looks like this
https://<company>.jfrog.io/artifactory/<gem-repo>/gems/<package>-<version>.gem and using .json results in 404.
Any plans to support this way of fetching the metadata of a gem?
For now I can disable fetching the license of the gem with export FETCH_LICENSE=false.
Any help of how to set this up properly is appreciated!

[prabhu]

Sounds like an opportunity for sponsored development. We don't have any capacity for a few months. Could you try and find someone who could contribute this feature? Alternatively, once there is an sbom, use a platform such as scancode to enhance it with license data.