From YouTube: Gemnasium Implementation: the scanner package
Description
An overview to the Gemnasium internals, focusing on the "scanner" package, and showing how it integrates in the main function, which implements the CLI. https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium
As you can see, it's a command line, a command line interface, and the main command is the run command. It's based on the run command defined in the command library, but again, I won't cover that in this video. Now, instead, I want to focus on the scan, the core of the scan itself, because that's very specific to Gemnasium, though it's similar to what we have in bundler-audit.

It essentially instantiates the finder. This is used to find dependency files, and also an advisory repo, an advisory repository. This is where we have the advisory securities, the security advisories. Sorry, that's the other way around. Instantiating a scanner is about creating a finder, again to find dependency files, and creating an advisory repo, and checking that the security advisory repo provides advisories for all the dependency file parsers we have. We want to fail if the security advisory repo is incomplete.

Okay, and so we need to have a look at these two functions, sorry, parse reader, to better understand how parsing files works, and the affections, to see how Gemnasium gets a list of affected dependencies.

We have here dependency file parsers found by the finder, and we delegate the parsing of the file to the parser, which processes a file, an io.Reader, sorry, and returns a slice of dependencies. And now here we've got an intermediary object, a different kind of file, which combines a path and a package manager.

Yes, here we've got the definition, the generic definition of the parser, and in the directories we've got all the supported, all the available parsers. For instance, we've got a gemfile file that contains a parser for Bundler gem files, Gemfile.lock. Finally, okay, so here it's the definition of the parser, the struct type. A parser provides a parse function, and a parse function, sorry, takes a reader and returns a slice of dependencies, possibly an error.

That processes a Gemfile.lock, so it scans it, goes through the lines of that Gemfile.lock, and builds some dependencies, ultimately to convert them to generic parser dependencies with a name and a version. And the parser is registered here, registered with the name, with a parse function. That's the parse function we've seen here. And what else? The package manager, it's Bundler. That's informative. It's not really used by Gemnasium itself, but it shows up in the UI.

The package type. The package type would be gem in that case, and again it's defined here, gem, that's the same constant, and the supported filenames. So that's that parser; it supports, sorry, Gemfile.lock and gems.locked. That's the definition of a parser, and it's registered here because...

That's how it works. We've got a registry where all the dependency file parsers register themselves. So again, all that to say that this is how parsers work, dependency file parsers. Going back to the scanner here, the scanner again delegates the parsing of the file, gets a list of dependencies, a slice actually of dependencies, and again a package type.

Okay, so here we collect files having dependencies and types. Once we've done that, we move on to the next stage, so to speak, where we list affections for these files. And again, an affection is a security advisory applying to a dependency, and that happens only if the security advisory matches the package type, like gem, the package name, like rails, and the package version, like, I don't know, an old version which is likely to be affected, something like that.

Okay, well, so we loop on the dependencies, and for each dependency we build up the package. Well, we need an intermediary package structure to query the advisory repo here, oops, here, and all that to list the advisories that possibly apply to the package. But we're not sure yet, because here it's just a match based on the package type and on the dependency name. At this point, we don't consider the exact version of the dependency, but we've got a list of the advisories that possibly apply to the dependency.

In order to know whether a particular security advisory applies to a dependency, we need to perform a query and evaluate the affected range, to see if the dependency version belongs to the affected range. And maybe I should show you an advisory at this point.

It provides a lot of information, like it has a title, a description, and so on, and it has an affected range, and this is where we need to evaluate a version range in order to know whether the dependency version belongs to the affected range. And just to show you what it looks like, let's jump to the fixtures, because we want realistic advisories. Like here, we've got one for activerecord, yep, so here we've got an advisory, that's the identifier, and that is the affected range.

Well, so here we collect, we collect possible affections. That is a dependency combined with an advisory, and for each affection we collect queries, because we want to resolve the affected range, again to tell whether the dependency version is affected or not. Okay, so we collect all these ranges, and here we process them all in order to get to know what are the dependencies that are truly affected.

The scanner is initialized here in the run command of the CLI. That's here, that's the scanner, and here we run the scan on the directory. So the output of the scan, the result of the scan, is not a JSON report we can directly use in dependency scanning, so GitLab wouldn't be able to process that as a dependency scanning report, and it has to be converted. This is what we do here.

So, for instance, in the gem directory, we've got all the security advisories for Ruby gems, and in activerecord we've got all the advisories for this particular package, activerecord, and here, I believe that's the one we had in the fixtures for the tests of Gemnasium itself. Yes, so yeah, that's pretty much the same. So internally, Gemnasium uses the gemnasium-db repo. This is where it finds its advisories, okay. And a bit more on the vrange library.

Compatible with Bundler and RubyGems; that would be different for Maven, for instance. So if we navigate to a security advisory affecting a Maven package, like this one, you can see that the affected range is different, so the syntax really belongs to the package manager and ultimately to the package type. So that's the Maven syntax for version ranges.

You also know why we need this vrange library, that's the library we use to tell whether a given version, a dependency version, belongs to an affected range. And I won't cover that; that's for auto-remediation, and I won't cover that either. Convert, again, is used to convert the output of the scan to a standard JSON report, a dependency scanning report. And that's it. Thank you.
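The walkthrough above describes a pipeline of parser registry, delegated parsing, name-and-type matching, and then version-range evaluation. The following Go program is an added example written for this page; it is not Gemnasium's own code, and every name in it (Dependency, Parser, Advisory, Affection, registry, InRange, Scan) is a hypothetical stand-in for the real structures the video shows on screen. The Gemfile.lock parser handles only plain "name (version)" spec lines, the ">=x,<y" range syntax and the EXAMPLE-000n identifiers are constructed for the demo, and the advisory data is embedded inline rather than read from gemnasium-db.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Dependency is the generic value every parser returns (assumed shape).
type Dependency struct{ Name, Version string }

// Parser mirrors what the video lists: a parse function plus package manager,
// package type and supported filenames (hypothetical struct, not gemnasium's own).
type Parser struct {
	PackageManager, PackageType string
	Filenames                   []string
	Parse                       func(io.Reader) ([]Dependency, error)
}

// parseGemfileLock keeps only the "name (version)" spec lines of a Gemfile.lock,
// a deliberately small subset of what the real parser handles.
func parseGemfileLock(r io.Reader) ([]Dependency, error) {
	var deps []Dependency
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 && strings.HasPrefix(f[1], "(") {
			deps = append(deps, Dependency{f[0], strings.Trim(f[1], "()")})
		}
	}
	return deps, sc.Err()
}

// registry maps each supported filename to its parser; the Bundler parser is
// registered under both lock file names the video mentions.
var bundler = Parser{"bundler", "gem", []string{"Gemfile.lock", "gems.locked"}, parseGemfileLock}
var registry = map[string]Parser{"Gemfile.lock": bundler, "gems.locked": bundler}

// Advisory is a cut-down advisory; AffectedRange uses a constructed ">=x,<y" syntax.
type Advisory struct{ Identifier, PackageType, PackageName, AffectedRange string }

// Affection pairs a dependency with an advisory that applies to it.
type Affection struct {
	Dependency Dependency
	Advisory   Advisory
}

// compareVersions orders dotted numeric versions (a stand-in for the vrange library).
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := 0, 0 // a missing component counts as 0, so 5.2 == 5.2.0
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x - y
		}
	}
	return 0
}

// InRange evaluates comma-separated constraints such as ">=5.0,<5.2.4".
func InRange(version, rng string) bool {
	for _, c := range strings.Split(rng, ",") {
		c = strings.TrimSpace(c)
		op := strings.TrimRight(c, "0123456789.")
		d := compareVersions(version, strings.TrimPrefix(c, op))
		if !map[string]bool{"<": d < 0, "<=": d <= 0, ">": d > 0, ">=": d >= 0, "=": d == 0}[op] {
			return false
		}
	}
	return true
}

// Scan mirrors the video's two stages: parse the file, match advisories on package
// type and name only, then keep those whose version falls in the affected range.
func Scan(filename string, r io.Reader, db []Advisory) ([]Affection, error) {
	p, ok := registry[filename]
	if !ok {
		return nil, fmt.Errorf("no parser for %s", filename)
	}
	deps, err := p.Parse(r)
	if err != nil {
		return nil, err
	}
	var affected []Affection
	for _, d := range deps {
		for _, a := range db {
			if a.PackageType == p.PackageType && a.PackageName == d.Name && InRange(d.Version, a.AffectedRange) {
				affected = append(affected, Affection{d, a})
			}
		}
	}
	return affected, nil
}

// Constructed sample inputs; the identifiers are placeholders, not real advisories.
const SampleLock = "GEM\n  specs:\n    activerecord (5.2.3)\n      activemodel (= 5.2.3)\n    rails (6.1.0)\n"
var SampleDB = []Advisory{
	{"EXAMPLE-0001", "gem", "activerecord", ">=5.0,<5.2.4"},
	{"EXAMPLE-0002", "gem", "rails", "<6.0"},
	{"EXAMPLE-0003", "maven", "rails", "<9"}, // wrong package type, never matches
}

func main() { fmt.Println(Scan("Gemfile.lock", strings.NewReader(SampleLock), SampleDB)) }
```

Running it reports only activerecord 5.2.3 against EXAMPLE-0001: rails 6.1.0 shares a name with two advisories but is outside the gem range and has the wrong package type for the Maven one, which is exactly the distinction the video draws between the cheap name-and-type match and the later range resolution. The same split is what makes the second stage the place where a per-package-type range syntax (the vrange library in Gemnasium) has to plug in.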