
For a Ruby project, I need to find a way to check whether, if I know a gem contains some issues, I can tell if the project is impacted.

I can see there is a Gemfile.lock that contains a lot of dependency information, which is helpful, but since I'm very new to Ruby, I'm not sure whether it contains enough information (say, all dependencies, including dependencies of dependencies).

Freewind

3 Answers

Yes, it contains all dependencies currently installed for the current project.

Taryn East

No, it only lists dependencies declared in the Gemfile. If you installed some gems manually and did not add them to your Gemfile (which is not best practice), then these gems aren't listed in your Gemfile.lock.

spickermann

Gemfile.lock contains the resolved versions of all the gems in the Gemfile, their dependencies, dependencies of those dependencies etc. Once loaded, bundler actually prevents you from loading gems not in Gemfile.lock so as to prevent you from accidentally depending on gems not in your Gemfile.

The one exception might be gems that provide tools that aren't actually loaded by the application. For example, I use the mailcatcher gem in development - this is a gem that runs a dummy SMTP server and provides a web UI that allows you to see the emails sent. This isn't in my Gemfile, and strictly speaking you don't need it installed - you could run an actual email server or use the :test delivery mode - but you might still consider it part of the development environment.

Lastly, the Gemfile only covers dependencies that are gems - these may depend on OS packages (for example, RMagick requires imagemagick), but that information is not part of the Gemfile.

Frederick Cheung
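Putting the lockfile answer to use for the question's purpose, here is an added example (not from any of the answers above) that parses the GEM section of a Gemfile.lock and reports whether a gem is locked at a version inside a given range, and which other locked gems pull it in. The lockfile content and the version ranges are constructed for illustration, and the parser is a simplified one that ignores GIT and PATH sources.

```ruby
# Added example: find resolved gem versions in a Gemfile.lock that fall
# inside a given range. Constructed sample lockfile; versions are made up.
LOCKFILE = <<~LOCK
  GEM
    specs:
      actionpack (6.1.4)
        actionview (= 6.1.4)
        rack (~> 2.0, >= 2.0.9)
      actionview (6.1.4)
      nokogiri (1.11.7)
        mini_portile2 (~> 2.5.0)
      mini_portile2 (2.5.3)
      rack (2.2.3)
  DEPENDENCIES
    actionpack (~> 6.1)
LOCK

# Simplified parser for the GEM/specs section only (no GIT or PATH sources).
# Returns { name => { version: Gem::Version, deps: [dependency names] } }.
def parse_lockfile(text)
  specs, current, in_specs = {}, nil, false
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A[A-Z]/          # a new top-level section ends the specs list
      in_specs = false
    elsif line == "  specs:"
      in_specs = true
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      # "-x86_64-linux" style platform suffixes are not part of the version
      current = m[1]
      specs[current] = { version: Gem::Version.new(m[2].sub(/-.*\z/, "")), deps: [] }
    elsif in_specs && current && (m = line.match(/\A {6}(\S+)/))
      specs[current][:deps] << m[1]   # transitive dependency of +current+
    end
  end
  specs
end

# Is +gem_name+ locked at a version inside +affected+ (comma-separated
# Gem::Requirement strings, e.g. ">= 2.0, < 2.2.4")? Returns nil when the gem
# is absent or outside the range, else its version and which gems require it.
def affected_by(specs, gem_name, affected)
  spec = specs[gem_name]
  return nil unless spec
  req = Gem::Requirement.new(*affected.split(",").map(&:strip))
  return nil unless req.satisfied_by?(spec[:version])
  dependents = specs.select { |_, s| s[:deps].include?(gem_name) }.keys
  { version: spec[:version].to_s, required_by: dependents }
end
```

An empty `required_by` means the gem is only a direct dependency from the Gemfile; a non-empty one shows the transitive path that an upgrade or pin would have to respect.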