fix: Gemfile / Gemspec parser to ignore commented dependencies (#249)

Author: pboling

pkg/deps/ruby.go

@@ -213,7 +213,7 @@ func hasGemspec(dir string) bool {
 	return false
 }
 
-var gemspecRuntimeRe = regexp.MustCompile(`(?m)\badd_(?:runtime_)?dependency\s*\(?\s*["']([^"']+)["']`)
+var gemspecRuntimeRe = regexp.MustCompile(`\badd_(?:runtime_)?dependency\s*\(?\s*["']([^"']+)["']`)
 
 func runtimeDepsFromGemspecs(dir string) ([]string, error) {
 	entries, err := os.ReadDir(dir)
@@ -225,15 +225,26 @@ func runtimeDepsFromGemspecs(dir string) ([]string, error) {
 		if e.IsDir() || !strings.HasSuffix(e.Name(), ".gemspec") {
 			continue
 		}
-		b, err := os.ReadFile(filepath.Join(dir, e.Name()))
+		path := filepath.Join(dir, e.Name())
+		f, err := os.Open(path)
 		if err != nil {
 			return nil, err
 		}
-		for _, m := range gemspecRuntimeRe.FindAllStringSubmatch(string(b), -1) {
-			if len(m) == 2 {
+		scanner := bufio.NewScanner(f)
+		for scanner.Scan() {
+			line := scanner.Text()
+			trimLeft := strings.TrimLeft(line, " \t")
+			if strings.HasPrefix(trimLeft, "#") {
+				continue // ignore commented-out lines
+			}
+			if m := gemspecRuntimeRe.FindStringSubmatch(line); len(m) == 2 {
 				runtime[m[1]] = struct{}{}
 			}
 		}
+		_ = f.Close()
+		if err := scanner.Err(); err != nil {
+			return nil, err
+		}
 	}
 	res := make([]string, 0, len(runtime))
 	for k := range runtime {

pkg/deps/ruby_test.go

@@ -242,3 +242,53 @@ func TestRubyLibraryWithNoRuntimeDependenciesIncludesNone(t *testing.T) {
 		t.Fatalf("expected 0 dependencies for library with no runtime deps, got %d", got)
 	}
 }
+
+func TestGemspecIgnoresCommentedRuntimeDependencies(t *testing.T) {
+	resolver := new(GemfileLockResolver)
+
+	// Prepare a library project whose gemspec contains a commented runtime dependency line
+	dir := t.TempDir()
+	lockContent := "" +
+		"GEM\n" +
+		"  remote: https://rubygems.org/\n" +
+		"  specs:\n" +
+		"    rake (13.0.6)\n" +
+		"\n" +
+		"PLATFORMS\n" +
+		"  ruby\n" +
+		"\n" +
+		"DEPENDENCIES\n" +
+		"  rake\n" +
+		"\n" +
+		"BUNDLED WITH\n" +
+		"   2.4.10\n"
+	if err := writeFileRuby(filepath.Join(dir, "Gemfile.lock"), lockContent); err != nil {
+		t.Fatal(err)
+	}
+
+	gemspec := "" +
+		"Gem::Specification.new do |spec|\n" +
+		"  spec.name          = \"sample\"\n" +
+		"  spec.version       = \"0.1.0\"\n" +
+		"  spec.summary       = \"Sample gem\"\n" +
+		"  spec.description   = \"Sample\"\n" +
+		"  spec.authors       = [\"Test\"]\n" +
+		"  spec.files         = []\n" +
+		"  # spec.add_dependency(\"git\", \">= 1.19.1\")\n" +
+		"end\n"
+	if err := writeFileRuby(filepath.Join(dir, "sample.gemspec"), gemspec); err != nil {
+		t.Fatal(err)
+	}
+
+	lock := filepath.Join(dir, "Gemfile.lock")
+	cfg := &ConfigDeps{Files: []string{lock}}
+	report := Report{}
+	if err := resolver.Resolve(lock, cfg, &report); err != nil {
+		t.Fatal(err)
+	}
+
+	// There are no runtime dependencies in gemspec; the commented one must be ignored
+	if got := len(report.Resolved) + len(report.Skipped); got != 0 {
+		t.Fatalf("expected 0 dependencies when runtime deps are only commented, got %d", got)
+	}
+}