feat: support checking if versions exist in RubyGems (#384)

G-Rath · web-flow · commit 1689edab6c43 · 2025-08-04T13:50:16.000+10:00
This adds support for checking that Ruby gems versions exist in the
repository

Signed-off-by: Gareth Jones &lt;3151613+G-Rath@users.noreply.github.com&gt;
diff --git a/tools/osv-linter/internal/pkgchecker/ecosystems.go b/tools/osv-linter/internal/pkgchecker/ecosystems.go
@@ -25,7 +25,7 @@ var EcosystemBaseURLs = map[string]string{
 	"crates.io": "https://crates.io/api/v1/crates",
 	"npm":       "https://registry.npmjs.org",
 	"NuGet":     "https://api.nuget.org/v3-flatcontainer",
-	"RubyGems":  "https://rubygems.org/api/v1/gems",
+	"RubyGems":  "https://rubygems.org/api/v1",
 	"Packagist": "https://repo.packagist.org/p2",
 	"Pub":       "https://pub.dev/api/packages",
 	"Hackage":   "https://hackage.haskell.org/package",
@@ -173,7 +173,7 @@ func VersionsExistInEcosystem(pkg string, versions []string, ecosystem string) e
 	case "Rocky Linux":
 		return nil
 	case "RubyGems":
-		return nil
+		return versionsExistInRubyGems(pkg, versions)
 	case "SUSE":
 		return nil
 	case "SwiftURL":
diff --git a/tools/osv-linter/internal/pkgchecker/ecosystems_test.go b/tools/osv-linter/internal/pkgchecker/ecosystems_test.go
@@ -2,6 +2,62 @@ package pkgchecker
 
 import "testing"
 
+func Test_versionsExistInRubyGems(t *testing.T) {
+	t.Parallel()
+
+	type args struct {
+		pkg      string
+		versions []string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "multiple_versions_which_all_exist",
+			args: args{
+				pkg:      "capistrano",
+				versions: []string{"2.5.7", "3.0.0.pre4", "3.11.1"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "multiple_versions_with_one_that_does_not_exist",
+			args: args{
+				pkg:      "capistrano",
+				versions: []string{"1.1.1", "2.3rc9", "3.1.5", "5.1rc1"},
+			},
+			wantErr: true,
+		},
+		{
+			name: "an_invalid_version",
+			args: args{
+				pkg:      "capistrano",
+				versions: []string{"!"},
+			},
+			wantErr: true,
+		},
+		{
+			name: "a_package_that_does_not_exit",
+			args: args{
+				pkg:      "not-a-real-package",
+				versions: []string{"1.0.0"},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			if err := versionsExistInRubyGems(tt.args.pkg, tt.args.versions); (err != nil) != tt.wantErr {
+				t.Errorf("versionsExistInRubyGems() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
 func Test_versionsExistInPackagist(t *testing.T) {
 	t.Parallel()
 
diff --git a/tools/osv-linter/internal/pkgchecker/package_check.go b/tools/osv-linter/internal/pkgchecker/package_check.go
@@ -74,7 +74,7 @@ func existsInNuget(pkg string) bool {
 
 // Validate the existence of a package in RubyGems.
 func existsInRubyGems(pkg string) bool {
-	packageInstanceURL := fmt.Sprintf("%s/%s.json", EcosystemBaseURLs["RubyGems"], pkg)
+	packageInstanceURL := fmt.Sprintf("%s/gems/%s.json", EcosystemBaseURLs["RubyGems"], pkg)
 
 	return checkPackageExists(packageInstanceURL)
 }
diff --git a/tools/osv-linter/internal/pkgchecker/version_check.go b/tools/osv-linter/internal/pkgchecker/version_check.go
@@ -15,6 +15,58 @@ import (
 	"golang.org/x/mod/semver"
 )
 
+// Confirm that all specified versions of a package exist in RubyGems.
+func versionsExistInRubyGems(pkg string, versions []string) error {
+	packageInstanceURL := fmt.Sprintf("%s/versions/%s.json", EcosystemBaseURLs["RubyGems"], pkg)
+
+	resp, err := faulttolerant.Get(packageInstanceURL)
+	if err != nil {
+		return fmt.Errorf("unable to validate package: %v", err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("unable to validate package: %q for %s", resp.Status, packageInstanceURL)
+	}
+
+	// Parse the known versions from the JSON.
+	respJSON, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("unable to retrieve JSON for %q: %v", pkg, err)
+	}
+	// Fetch all known versions of package.
+	versionsInRepository := []string{}
+	releases := gjson.GetBytes(respJSON, "@this")
+	releases.ForEach(func(key, value gjson.Result) bool {
+		versionsInRepository = append(versionsInRepository, value.Get("number").String())
+		return true // keep iterating.
+	})
+	// Determine which referenced versions are missing.
+	versionsMissing := []string{}
+	for _, versionToCheckFor := range versions {
+		versionFound := false
+		vc, err := semantic.Parse(versionToCheckFor, "RubyGems")
+		if err != nil {
+			versionsMissing = append(versionsMissing, versionToCheckFor)
+			continue
+		}
+		for _, pkgversion := range versionsInRepository {
+			if r, err := vc.CompareStr(pkgversion); r == 0 && err == nil {
+				versionFound = true
+				break
+			}
+		}
+		if versionFound {
+			continue
+		}
+		versionsMissing = append(versionsMissing, versionToCheckFor)
+	}
+	if len(versionsMissing) > 0 {
+		return &MissingVersionsError{Package: pkg, Ecosystem: "RubyGems", Missing: versionsMissing, Known: versionsInRepository}
+	}
+
+	return nil
+}
+
 // Confirm that all specified versions of a package exist in Packagist.
 func versionsExistInPackagist(pkg string, versions []string) error {
 	packageInstanceURL := fmt.Sprintf("%s/%s.json", EcosystemBaseURLs["Packagist"], pkg)

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ func existsInNuget(pkg string) bool {`
`74`	`74`
`75`	`75`	`// Validate the existence of a package in RubyGems.`
`76`	`76`	`func existsInRubyGems(pkg string) bool {`
`77`		`- packageInstanceURL := fmt.Sprintf("%s/%s.json", EcosystemBaseURLs["RubyGems"], pkg)`
	`77`	`+ packageInstanceURL := fmt.Sprintf("%s/gems/%s.json", EcosystemBaseURLs["RubyGems"], pkg)`
`78`	`78`
`79`	`79`	`return checkPackageExists(packageInstanceURL)`
`80`	`80`	`}`