cyclonedx-cocoapods 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e656666b5b0297c98ddebe571a31e68ada3ff7fa9a048fc10f4f824fee1982c8
-  data.tar.gz: d398292e90265bf460874a2db759fb20a7d596067c4aa35afdb07d942aead192
+  metadata.gz: a3c7ebcac0eb8ea04cf5b1aed4da3bdbe1cadc2acb33e1bc4ebec9f52ac9bad9
+  data.tar.gz: bdc83e96c9b4750bf2135a85b30d384ae2096e4c0591d3db2f65434506f4c220
 SHA512:
-  metadata.gz: 1d7e28f6e783cc643d6563671412747c57ed8f26c49fdb34df1bc708662e6369027444f3ef2a4b0be84e1429538d12f80017a7ea61be0b5612210ae272ee00fa
-  data.tar.gz: 2e99db6f7a0f502190ace2511e954b6c43439eb21b5b13509165590ea3075b30ea8ee9fdb7f88a5986ae767c487abb941d6d5548e91448edc11784a377dec25b
+  metadata.gz: 94cdbbcb32c6d83dad78c383536dc484f08a040f5104318a3c2355b070fb915474e25027188bcaa8dfffc4222772525e4e051dfc8a1d673a08a31cd51f4d3cc2
+  data.tar.gz: 1c0da4d2d356eb06207f889605e3c65ea0594821b7de130ebe5ce3d182917f87415fdc615d727f54f540b5a3c9c2b58d915117627b7b71c7a115045e799bc0c4

data/CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.0]
+
+- Can now eliminate Podfile targets that include "test" in their name ([Issue #43](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/43)) [@macblazer](https://github.com/macblazer).
+
 ## [1.0.0]
 
 ### Added

data/README.md

@@ -9,7 +9,7 @@
 
 # CycloneDX CocoaPods (Objective-C/Swift)
 
-The CycloneDX CocoaPods Gem creates a valid CycloneDX software bill-of-material document from all project dependencies. CycloneDX is a lightweight BoM specification that is easily created, human readable, and simple to parse.
+The CycloneDX CocoaPods Gem creates a valid CycloneDX software bill-of-material document from all [CocoaPods](https://cocoapods.org/) project dependencies. CycloneDX is a lightweight BoM specification that is easily created, human readable, and simple to parse.
 
 ## Installation
 
@@ -36,18 +36,30 @@ Building from source requires Ruby 2.4.0 or newer.
 You can use the [CycloneDX CLI](https://github.com/CycloneDX/cyclonedx-cli#convert-command) to convert between multiple BOM formats or specification versions.
 
 ## Usage
-Usage: `cyclonedx-cocoapods` [options]
-
-        --[no-]verbose               Run verbosely
-    -p, --path path                  (Optional) Path to CocoaPods project directory, current directory if missing
-    -o, --output bom_file_path       (Optional) Path to output the bom.xml file to
-    -b, --bom-version bom_version    (Optional) Version of the generated BOM, 1 if not provided
-    -g, --group group                (Optional) Group of the component for which the BOM is generated
-    -n, --name name                  (Optional, if specified version and type are also required) Name of the component for which the BOM is generated
-    -v, --version version            (Optional) Version of the component for which the BOM is generated
-    -t, --type type                  (Optional) Type of the component for which the BOM is generated (one of application|framework|library|container|operating-system|device|firmware|file)
+```
+Generates a BOM with the given parameters. BOM component metadata is only generated if the component's name, version, and type are provided using the --name, --version, and --type parameters.
+[version <version_number>]
+
+USAGE
+  cyclonedx-cocoapods [options]
+
+OPTIONS
+        --[no-]verbose               Show verbose debugging output
     -h, --help                       Show help message
 
+  BOM Generation
+    -p, --path path                  Path to CocoaPods project directory (default: current directory)
+    -o, --output bom_file_path       Path to output the bom.xml file to (default: "bom.xml")
+    -b, --bom-version bom_version    Version of the generated BOM (default: "1")
+    -x, --exclude-test-targets       Eliminate Podfile targets whose name contains the word "test"
+
+  Component Metadata
+    -n, --name name                  (If specified version and type are also required) Name of the component for which the BOM is generated
+    -v, --version version            Version of the component for which the BOM is generated
+    -t, --type type                  Type of the component for which the BOM is generated (one of application|framework|library|container|operating-system|device|firmware|file)
+    -g, --group group                Group of the component for which the BOM is generated
+```
+
 **Output:** BoM file at specified location, `./bom.xml` if not specified
 
 ### Example

data/lib/cyclonedx/cocoapods/cli_runner.rb

@@ -18,19 +18,15 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 #
 
-require 'optparse'
 require 'logger'
-require 'cocoapods'
+require 'optparse'
 
-require_relative 'component'
-require_relative 'pod'
-require_relative 'pod_attributes'
-require_relative 'source'
 require_relative 'bom_builder'
+require_relative 'component'
+require_relative 'podfile_analyzer'
 
 module CycloneDX
   module CocoaPods
-    class PodfileParsingError < StandardError; end
     class BOMOutputError < StandardError; end
 
     class CLIRunner
@@ -41,10 +37,10 @@ module CycloneDX
           setup_logger(verbose: options[:verbose])
           @logger.debug "Running cyclonedx-cocoapods with options: #{options}"
 
-          podfile, lockfile = ensure_podfile_and_lock_are_present(options)
-          pods = parse_pods(podfile, lockfile)
-
-          populate_pods_with_additional_info(pods)
+          analyzer = PodfileAnalyzer.new(logger: @logger, exclude_test_targets: options[:exclude_test_targets])
+          podfile, lockfile = analyzer.ensure_podfile_and_lock_are_present(options)
+          pods = analyzer.parse_pods(podfile, lockfile)
+          analyzer.populate_pods_with_additional_info(pods)
 
           bom = BOMBuilder.new(component: component_from_options(options), pods: pods).bom(version: options[:bom_version] || 1)
           write_bom_to_file(bom: bom, options: options)
@@ -57,34 +53,48 @@ module CycloneDX
 
       private
 
+
       def parseOptions
         parsedOptions = {}
         component_types = Component::VALID_COMPONENT_TYPES
         OptionParser.new do |options|
           options.banner = <<~BANNER
-            Usage: cyclonedx-cocoapods [options]
-            Generates a BOM with the given parameters. BOM component metadata is only generated if the component's name and version are provided using the --name and --version parameters.
+            Generates a BOM with the given parameters. BOM component metadata is only generated if the component's name, version, and type are provided using the --name, --version, and --type parameters.
+            [version #{CycloneDX::CocoaPods::VERSION}]
+
+            USAGE
+              cyclonedx-cocoapods [options]
+
+            OPTIONS
           BANNER
 
-          options.on('--[no-]verbose', 'Run verbosely') do |v|
+          options.on('--[no-]verbose', 'Show verbose debugging output') do |v|
             parsedOptions[:verbose] = v
           end
-          options.on('-p', '--path path', '(Optional) Path to CocoaPods project directory, current directory if missing') do |path|
+          options.on('-h', '--help', 'Show help message') do
+            puts options
+            exit
+          end
+
+          options.separator("\n  BOM Generation")
+          options.on('-p', '--path path', 'Path to CocoaPods project directory (default: current directory)') do |path|
             parsedOptions[:path] = path
           end
-          options.on('-o', '--output bom_file_path', '(Optional) Path to output the bom.xml file to') do |bom_file_path|
+          options.on('-o', '--output bom_file_path', 'Path to output the bom.xml file to (default: "bom.xml")') do |bom_file_path|
             parsedOptions[:bom_file_path] = bom_file_path
           end
-          options.on('-b', '--bom-version bom_version', Integer, '(Optional) Version of the generated BOM, 1 if not provided') do |version|
+          options.on('-b', '--bom-version bom_version', Integer, 'Version of the generated BOM (default: "1")') do |version|
             parsedOptions[:bom_version] = version
           end
-          options.on('-g', '--group group', '(Optional) Group of the component for which the BOM is generated') do |group|
-            parsedOptions[:group] = group
+          options.on('-x', '--exclude-test-targets', 'Eliminate Podfile targets whose name contains the word "test"') do |exclude|
+            parsedOptions[:exclude_test_targets] = exclude
           end
-          options.on('-n', '--name name', '(Optional, if specified version and type are also required) Name of the component for which the BOM is generated') do |name|
+
+          options.separator("\n  Component Metadata\n")
+          options.on('-n', '--name name', '(If specified version and type are also required) Name of the component for which the BOM is generated') do |name|
             parsedOptions[:name] = name
           end
-          options.on('-v', '--version version', '(Optional) Version of the component for which the BOM is generated') do |version|
+          options.on('-v', '--version version', 'Version of the component for which the BOM is generated') do |version|
             begin
               Gem::Version.new(version)
               parsedOptions[:version] = version
@@ -92,13 +102,12 @@ module CycloneDX
               raise OptionParser::InvalidArgument, e.message
             end
           end
-          options.on('-t', '--type type', "(Optional) Type of the component for which the BOM is generated (one of #{component_types.join('|')})") do |type|
+          options.on('-t', '--type type', "Type of the component for which the BOM is generated (one of #{component_types.join('|')})") do |type|
             raise OptionParser::InvalidArgument, "Invalid value for component's type (#{type}). It must be one of #{component_types.join('|')}" unless component_types.include?(type)
             parsedOptions[:type] = type
           end
-          options.on_tail('-h', '--help', 'Show help message') do
-            puts options
-            exit
+          options.on('-g', '--group group', 'Group of the component for which the BOM is generated') do |group|
+            parsedOptions[:group] = group
           end
         end.parse!
 
@@ -118,90 +127,6 @@ module CycloneDX
       end
 
 
-      def ensure_podfile_and_lock_are_present(options)
-        project_dir = Pathname.new(options[:path] || Dir.pwd)
-        raise PodfileParsingError, "#{options[:path]} is not a valid directory." unless File.directory?(project_dir)
-        options[:podfile_path] = project_dir + 'Podfile'
-        raise PodfileParsingError, "Missing Podfile in #{project_dir}. Please use the --path option if not running from the CocoaPods project directory." unless File.exist?(options[:podfile_path])
-        options[:podfile_lock_path] = project_dir + 'Podfile.lock'
-        raise PodfileParsingError, "Missing Podfile.lock, please run 'pod install' before generating BOM" unless File.exist?(options[:podfile_lock_path])
-
-        initialize_cocoapods_config(project_dir)
-
-        lockfile = ::Pod::Lockfile.from_file(options[:podfile_lock_path])
-        verify_synced_sandbox(lockfile)
-
-        return ::Pod::Podfile.from_file(options[:podfile_path]), lockfile
-      end
-
-
-      def initialize_cocoapods_config(project_dir)
-        ::Pod::Config.instance.installation_root = project_dir
-      end
-
-
-      def verify_synced_sandbox(lockfile)
-        manifestFile = ::Pod::Config.instance.sandbox.manifest
-        raise PodfileParsingError, "Missing Manifest.lock, please run 'pod install' before generating BOM" if manifestFile.nil?
-        raise PodfileParsingError, "The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation." unless lockfile == manifestFile
-      end
-
-
-      def cocoapods_repository_source(podfile, lockfile, pod_name)
-        @source_manager ||= create_source_manager(podfile)
-        return Source::CocoaPodsRepository.searchable_source(url: lockfile.spec_repo(pod_name), source_manager: @source_manager)
-      end
-
-
-      def git_source(lockfile, pod_name)
-        checkout_options = lockfile.checkout_options_for_pod_named(pod_name)
-        url = checkout_options[:git]
-        [:tag, :branch, :commit].each do |type|
-          return Source::GitRepository.new(url: url, type: type, label: checkout_options[type]) if checkout_options[type]
-        end
-        return Source::GitRepository.new(url: url)
-      end
-
-
-      def source_for_pod(podfile, lockfile, pod_name)
-        root_name = pod_name.split('/').first
-        return cocoapods_repository_source(podfile, lockfile, root_name) unless lockfile.spec_repo(root_name).nil?
-        return git_source(lockfile, root_name) unless lockfile.checkout_options_for_pod_named(root_name).nil?
-        return Source::LocalPod.new(path: lockfile.to_hash['EXTERNAL SOURCES'][root_name][:path]) if lockfile.to_hash['EXTERNAL SOURCES'][root_name][:path]
-        return Source::Podspec.new(url: lockfile.to_hash['EXTERNAL SOURCES'][root_name][:podspec]) if lockfile.to_hash['EXTERNAL SOURCES'][root_name][:podspec]
-        return nil
-      end
-
-
-      def parse_pods(podfile, lockfile)
-        @logger.debug "Parsing pods from #{podfile.defined_in_file}"
-        return lockfile.pod_names.map do |name|
-          Pod.new(name: name, version: lockfile.version(name), source: source_for_pod(podfile, lockfile, name), checksum: lockfile.checksum(name))
-        end
-      end
-
-
-      def create_source_manager(podfile)
-        sourceManager = ::Pod::Source::Manager.new(::Pod::Config::instance.repos_dir)
-        @logger.debug "Parsing sources from #{podfile.defined_in_file}"
-        podfile.sources.each do |source|
-          @logger.debug "Ensuring #{source} is available for searches"
-          sourceManager.find_or_create_source_with_url(source)
-        end
-        @logger.debug "Source manager successfully created with all needed sources"
-        return sourceManager
-      end
-
-
-      def populate_pods_with_additional_info(pods)
-        pods.each do |pod|
-          @logger.debug "Completing information for #{pod.name}"
-          pod.complete_information_from_source
-        end
-        return pods
-      end
-
-
       def write_bom_to_file(bom:, options:)
         bom_file_path = Pathname.new(options[:bom_file_path] || './bom.xml').expand_path
         bom_dir = bom_file_path.dirname

data/lib/cyclonedx/cocoapods/podfile_analyzer.rb

@@ -0,0 +1,182 @@
+# frozen_string_literal: true
+#
+# This file is part of CycloneDX CocoaPods
+#
+# Licensed under the Apache License, Version 2.0 (the “License”);
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an “AS IS” BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+#
+
+require 'cocoapods'
+require 'logger'
+
+require_relative 'pod'
+require_relative 'pod_attributes'
+require_relative 'source'
+
+module CycloneDX
+  module CocoaPods
+    class PodfileParsingError < StandardError; end
+
+    class PodfileAnalyzer
+      def initialize(logger:, exclude_test_targets: false)
+        @logger = logger
+        @exclude_test_targets = exclude_test_targets
+      end
+
+      def ensure_podfile_and_lock_are_present(options)
+        project_dir = Pathname.new(options[:path] || Dir.pwd)
+        raise PodfileParsingError, "#{options[:path]} is not a valid directory." unless File.directory?(project_dir)
+        options[:podfile_path] = project_dir + 'Podfile'
+        raise PodfileParsingError, "Missing Podfile in #{project_dir}. Please use the --path option if not running from the CocoaPods project directory." unless File.exist?(options[:podfile_path])
+        options[:podfile_lock_path] = project_dir + 'Podfile.lock'
+        raise PodfileParsingError, "Missing Podfile.lock, please run 'pod install' before generating BOM" unless File.exist?(options[:podfile_lock_path])
+
+        initialize_cocoapods_config(project_dir)
+
+        lockfile = ::Pod::Lockfile.from_file(options[:podfile_lock_path])
+        verify_synced_sandbox(lockfile)
+
+        return ::Pod::Podfile.from_file(options[:podfile_path]), lockfile
+      end
+
+
+      def parse_pods(podfile, lockfile)
+        @logger.debug "Parsing pods from #{podfile.defined_in_file}"
+        included_pods = create_list_of_included_pods(podfile, lockfile)
+        return lockfile.pod_names.select { |name| included_pods.include?(name) }.map do |name|
+          Pod.new(name: name, version: lockfile.version(name), source: source_for_pod(podfile, lockfile, name), checksum: lockfile.checksum(name))
+        end
+      end
+
+
+      def populate_pods_with_additional_info(pods)
+        pods.each do |pod|
+          @logger.debug "Completing information for #{pod.name}"
+          pod.complete_information_from_source
+        end
+        return pods
+      end
+
+
+      private
+
+
+      def initialize_cocoapods_config(project_dir)
+        ::Pod::Config.instance.installation_root = project_dir
+      end
+
+
+      def verify_synced_sandbox(lockfile)
+        manifestFile = ::Pod::Config.instance.sandbox.manifest
+        raise PodfileParsingError, "Missing Manifest.lock, please run 'pod install' before generating BOM" if manifestFile.nil?
+        raise PodfileParsingError, "The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation." unless lockfile == manifestFile
+      end
+
+      def simple_hash_of_lockfile_pods(lockfile)
+        pods_hash = { }
+
+        pods_used = lockfile.internal_data['PODS']
+        pods_used.each { |pod|
+          if pod.is_a?(String)
+            # Pods stored as String have no dependencies
+            pod_name = pod.split.first
+            pods_hash[pod_name] = []
+          else
+            # Pods stored as a hash have pod name and dependencies.
+            pod.each { |pod, dependencies|
+              pod_name = pod.split.first
+              pods_hash[pod_name] = dependencies.map { |d| d.split.first }
+            }
+          end
+        }
+        pods_hash
+      end
+
+      def append_all_pod_dependencies(pods_used, pods_cache)
+        result = pods_used
+        original_number = 0
+        # Loop adding pod dependencies until we are not adding any more dependencies to the result
+        # This brings in all the transitive dependencies of every top level pod.
+        # Note this also handles the edge case of having a Podfile with no pods used.
+        while result.length != original_number
+          original_number = result.length
+          pods_used.each { |pod_name|
+            result.push(*pods_cache[pod_name]) unless pods_cache[pod_name].empty?
+          }
+          result = result.uniq
+          pods_used = result
+        end
+        result
+      end
+
+      def create_list_of_included_pods(podfile, lockfile)
+        pods_cache = simple_hash_of_lockfile_pods(lockfile)
+
+        includedTargets = podfile.target_definition_list.select{ |target| include_target_named(target.label) }
+        includedTargetNames = includedTargets.map { |target| target.label }
+        @logger.debug "Including all pods for targets: #{includedTargetNames}"
+
+        topLevelDeps = includedTargets.map(&:dependencies).flatten.uniq
+        pods_used = topLevelDeps.map(&:name).uniq
+        pods_used = append_all_pod_dependencies(pods_used, pods_cache)
+
+        return pods_used.sort
+      end
+
+
+      def include_target_named(targetname)
+          !@exclude_test_targets || !targetname.downcase.include?('test')
+      end
+
+
+      def cocoapods_repository_source(podfile, lockfile, pod_name)
+        @source_manager ||= create_source_manager(podfile)
+        return Source::CocoaPodsRepository.searchable_source(url: lockfile.spec_repo(pod_name), source_manager: @source_manager)
+      end
+
+
+      def git_source(lockfile, pod_name)
+        checkout_options = lockfile.checkout_options_for_pod_named(pod_name)
+        url = checkout_options[:git]
+        [:tag, :branch, :commit].each do |type|
+          return Source::GitRepository.new(url: url, type: type, label: checkout_options[type]) if checkout_options[type]
+        end
+        return Source::GitRepository.new(url: url)
+      end
+
+
+      def source_for_pod(podfile, lockfile, pod_name)
+        root_name = pod_name.split('/').first
+        return cocoapods_repository_source(podfile, lockfile, root_name) unless lockfile.spec_repo(root_name).nil?
+        return git_source(lockfile, root_name) unless lockfile.checkout_options_for_pod_named(root_name).nil?
+        return Source::LocalPod.new(path: lockfile.to_hash['EXTERNAL SOURCES'][root_name][:path]) if lockfile.to_hash['EXTERNAL SOURCES'][root_name][:path]
+        return Source::Podspec.new(url: lockfile.to_hash['EXTERNAL SOURCES'][root_name][:podspec]) if lockfile.to_hash['EXTERNAL SOURCES'][root_name][:podspec]
+        return nil
+      end
+
+
+      def create_source_manager(podfile)
+        sourceManager = ::Pod::Source::Manager.new(::Pod::Config::instance.repos_dir)
+        @logger.debug "Parsing sources from #{podfile.defined_in_file}"
+        podfile.sources.each do |source|
+          @logger.debug "Ensuring #{source} is available for searches"
+          sourceManager.find_or_create_source_with_url(source)
+        end
+        @logger.debug "Source manager successfully created with all needed sources"
+        return sourceManager
+      end
+    end
+  end
+end

data/lib/cyclonedx/cocoapods/version.rb

@@ -20,7 +20,7 @@
 
 module CycloneDX
   module CocoaPods
-    VERSION = '1.0.0'
+    VERSION = '1.1.0'
     DEPENDENCIES = {
       cocoapods: '~> 1.10.1',
       nokogiri: '~> 1.11.2'

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: cyclonedx-cocoapods
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - José González
+- Kyle Hammond
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-08-12 00:00:00.000000000 Z
+date: 2022-09-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cocoapods
@@ -85,6 +86,7 @@ description: CycloneDX is a lightweight software bill-of-material (SBOM) specifi
   This Gem generates CycloneDX BOMs from CocoaPods projects.
 email:
 - jose.gonzalez@openinput.com
+- kyle.hammond@jamf.com
 executables:
 - cyclonedx-cocoapods
 extensions: []
@@ -101,6 +103,7 @@ files:
 - lib/cyclonedx/cocoapods/license.rb
 - lib/cyclonedx/cocoapods/pod.rb
 - lib/cyclonedx/cocoapods/pod_attributes.rb
+- lib/cyclonedx/cocoapods/podfile_analyzer.rb
 - lib/cyclonedx/cocoapods/source.rb
 - lib/cyclonedx/cocoapods/spdx-licenses.json
 - lib/cyclonedx/cocoapods/version.rb