Ruby dependency license scanning support via Gemfile.lock. (#205)

* Ruby dependency license scanning support via Gemfile.lock.

- Implements apache/skywalking#7744
- Library projects (with a *.gemspec in the same directory as Gemfile.lock) ignore development dependencies and include runtime dependencies and their transitives.
- App projects (no *.gemspec) include both runtime and development dependencies from Gemfile.lock.
- Will only work if Gemfile.lock is committed to version control, but this is the official recommendation of RubyGems:
  - https://bundler.io/guides/faq.html#using-gemfiles-inside-gems
- License resolution honors user overrides/exclusions and may query the RubyGems API when necessary, with proper support for handling of various status codes.
- Documentation updated (README.md)
  - Ruby setup and GitHub Actions example are in <details> tag to reduce noise

Author: pboling

.licenserc.yaml

@@ -76,6 +76,8 @@ header: # `header` section is configurations for source codes license header.
     - "**/assets/assets.gen.go"
     - "docs/**.svg"
     - "pkg/gitignore/dir.go"
+    - "pkg/deps/testdata/ruby/app/Gemfile.lock"
+    - "pkg/deps/testdata/ruby/library/Gemfile.lock"
 
   comment: on-failure # on what condition license-eye will comment on the pull request, `on-failure`, `always`, `never`.
 

README.md

@@ -38,6 +38,7 @@ dependency:
     - Cargo.toml        # If this is a rust project.
     - package.json      # If this is a npm project.
     - go.mod            # If this is a Go project.
+    - Gemfile.lock      # If this is a Ruby project (Bundler). Ensure Gemfile.lock is committed.
 ```
 
 #### Check License Headers
@@ -102,6 +103,40 @@ To check dependencies license in GitHub Actions, add a step in your GitHub workf
       # flags: # optional: Extra flags appended to the command, for example, `--summary=path/to/template.tmpl`
 ```
 
+<details>
+<summary>Ruby projects (Bundler)</summary>
+
+License-Eye can resolve Ruby dependencies and their licenses directly from Gemfile.lock.
+
+Rules applied:
+- If a .gemspec file exists in the same directory as Gemfile.lock, the project is treated as a library and development dependencies are ignored. Runtime dependencies (and their transitives) are included.
+- If no .gemspec is present, the project is treated as an app and all dependencies from Gemfile.lock are considered (both runtime and development).
+
+Requirements:
+- Commit Gemfile.lock to version control so License-Eye can read the locked dependency graph.
+- For libraries, ensure the .gemspec is present in the same directory as Gemfile.lock.
+
+Minimal config snippet:
+
+```yaml
+dependency:
+  files:
+    - Gemfile.lock
+```
+
+GitHub Actions example:
+
+```yaml
+- name: Check Ruby dependencies' licenses
+  uses: apache/skywalking-eyes/dependency@main
+  with:
+    config: .licenserc.yaml
+```
+
+Note: License-Eye may query the RubyGems API to determine licenses when they are not specified in your configuration. Ensure the workflow has network access.
+
+</details>
+
 ### Docker Image
 
 For Bash, users can execute the following command,

pkg/deps/resolve.go

@@ -32,6 +32,7 @@ var Resolvers = []Resolver{
 	new(MavenPomResolver),
 	new(JarResolver),
 	new(CargoTomlResolver),
+	new(GemfileLockResolver),
 }
 
 func Resolve(config *ConfigDeps, report *Report) error {