cyclonedx-cocoapods 1.0.0

data/lib/cyclonedx/cocoapods/cli_runner.rb

@@ -0,0 +1,224 @@
+# frozen_string_literal: true
+#
+# This file is part of CycloneDX CocoaPods
+#
+# Licensed under the Apache License, Version 2.0 (the “License”);
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an “AS IS” BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+#
+
+require 'optparse'
+require 'logger'
+require 'cocoapods'
+
+require_relative 'component'
+require_relative 'pod'
+require_relative 'pod_attributes'
+require_relative 'source'
+require_relative 'bom_builder'
+
+module CycloneDX
+  module CocoaPods
+    class PodfileParsingError < StandardError; end
+    class BOMOutputError < StandardError; end
+
+    class CLIRunner
+      def run
+        begin
+          setup_logger # Needed in case we have errors while processing CLI parameters
+          options = parseOptions
+          setup_logger(verbose: options[:verbose])
+          @logger.debug "Running cyclonedx-cocoapods with options: #{options}"
+
+          podfile, lockfile = ensure_podfile_and_lock_are_present(options)
+          pods = parse_pods(podfile, lockfile)
+
+          populate_pods_with_additional_info(pods)
+
+          bom = BOMBuilder.new(component: component_from_options(options), pods: pods).bom(version: options[:bom_version] || 1)
+          write_bom_to_file(bom: bom, options: options)
+        rescue StandardError => e
+          @logger.error ([e.message] + e.backtrace).join($/)
+          exit 1
+        end
+      end
+
+
+      private
+
+      def parseOptions
+        parsedOptions = {}
+        component_types = Component::VALID_COMPONENT_TYPES
+        OptionParser.new do |options|
+          options.banner = <<~BANNER
+            Usage: cyclonedx-cocoapods [options]
+            Generates a BOM with the given parameters. BOM component metadata is only generated if the component's name and version are provided using the --name and --version parameters.
+          BANNER
+
+          options.on('--[no-]verbose', 'Run verbosely') do |v|
+            parsedOptions[:verbose] = v
+          end
+          options.on('-p', '--path path', '(Optional) Path to CocoaPods project directory, current directory if missing') do |path|
+            parsedOptions[:path] = path
+          end
+          options.on('-o', '--output bom_file_path', '(Optional) Path to output the bom.xml file to') do |bom_file_path|
+            parsedOptions[:bom_file_path] = bom_file_path
+          end
+          options.on('-b', '--bom-version bom_version', Integer, '(Optional) Version of the generated BOM, 1 if not provided') do |version|
+            parsedOptions[:bom_version] = version
+          end
+          options.on('-g', '--group group', '(Optional) Group of the component for which the BOM is generated') do |group|
+            parsedOptions[:group] = group
+          end
+          options.on('-n', '--name name', '(Optional, if specified version and type are also required) Name of the component for which the BOM is generated') do |name|
+            parsedOptions[:name] = name
+          end
+          options.on('-v', '--version version', '(Optional) Version of the component for which the BOM is generated') do |version|
+            begin
+              Gem::Version.new(version)
+              parsedOptions[:version] = version
+            rescue StandardError => e
+              raise OptionParser::InvalidArgument, e.message
+            end
+          end
+          options.on('-t', '--type type', "(Optional) Type of the component for which the BOM is generated (one of #{component_types.join('|')})") do |type|
+            raise OptionParser::InvalidArgument, "Invalid value for component's type (#{type}). It must be one of #{component_types.join('|')}" unless component_types.include?(type)
+            parsedOptions[:type] = type
+          end
+          options.on_tail('-h', '--help', 'Show help message') do
+            puts options
+            exit
+          end
+        end.parse!
+
+        raise OptionParser::InvalidArgument, 'You must also specify --version and --type if --name is provided' if !parsedOptions[:name].nil? && (parsedOptions[:version].nil? || parsedOptions[:type].nil?)
+        return parsedOptions
+      end
+
+
+      def component_from_options(options)
+        Component.new(group: options[:group], name: options[:name], version: options[:version], type: options[:type]) if options[:name]
+      end
+
+
+      def setup_logger(verbose: true)
+        @logger ||= Logger.new($stdout)
+        @logger.level = verbose ? Logger::DEBUG : Logger::INFO
+      end
+
+
+      def ensure_podfile_and_lock_are_present(options)
+        project_dir = Pathname.new(options[:path] || Dir.pwd)
+        raise PodfileParsingError, "#{options[:path]} is not a valid directory." unless File.directory?(project_dir)
+        options[:podfile_path] = project_dir + 'Podfile'
+        raise PodfileParsingError, "Missing Podfile in #{project_dir}. Please use the --path option if not running from the CocoaPods project directory." unless File.exist?(options[:podfile_path])
+        options[:podfile_lock_path] = project_dir + 'Podfile.lock'
+        raise PodfileParsingError, "Missing Podfile.lock, please run 'pod install' before generating BOM" unless File.exist?(options[:podfile_lock_path])
+
+        initialize_cocoapods_config(project_dir)
+
+        lockfile = ::Pod::Lockfile.from_file(options[:podfile_lock_path])
+        verify_synced_sandbox(lockfile)
+
+        return ::Pod::Podfile.from_file(options[:podfile_path]), lockfile
+      end
+
+
+      def initialize_cocoapods_config(project_dir)
+        ::Pod::Config.instance.installation_root = project_dir
+      end
+
+
+      def verify_synced_sandbox(lockfile)
+        manifestFile = ::Pod::Config.instance.sandbox.manifest
+        raise PodfileParsingError, "Missing Manifest.lock, please run 'pod install' before generating BOM" if manifestFile.nil?
+        raise PodfileParsingError, "The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation." unless lockfile == manifestFile
+      end
+
+
+      def cocoapods_repository_source(podfile, lockfile, pod_name)
+        @source_manager ||= create_source_manager(podfile)
+        return Source::CocoaPodsRepository.searchable_source(url: lockfile.spec_repo(pod_name), source_manager: @source_manager)
+      end
+
+
+      def git_source(lockfile, pod_name)
+        checkout_options = lockfile.checkout_options_for_pod_named(pod_name)
+        url = checkout_options[:git]
+        [:tag, :branch, :commit].each do |type|
+          return Source::GitRepository.new(url: url, type: type, label: checkout_options[type]) if checkout_options[type]
+        end
+        return Source::GitRepository.new(url: url)
+      end
+
+
+      def source_for_pod(podfile, lockfile, pod_name)
+        root_name = pod_name.split('/').first
+        return cocoapods_repository_source(podfile, lockfile, root_name) unless lockfile.spec_repo(root_name).nil?
+        return git_source(lockfile, root_name) unless lockfile.checkout_options_for_pod_named(root_name).nil?
+        return Source::LocalPod.new(path: lockfile.to_hash['EXTERNAL SOURCES'][root_name][:path]) if lockfile.to_hash['EXTERNAL SOURCES'][root_name][:path]
+        return Source::Podspec.new(url: lockfile.to_hash['EXTERNAL SOURCES'][root_name][:podspec]) if lockfile.to_hash['EXTERNAL SOURCES'][root_name][:podspec]
+        return nil
+      end
+
+
+      def parse_pods(podfile, lockfile)
+        @logger.debug "Parsing pods from #{podfile.defined_in_file}"
+        return lockfile.pod_names.map do |name|
+          Pod.new(name: name, version: lockfile.version(name), source: source_for_pod(podfile, lockfile, name), checksum: lockfile.checksum(name))
+        end
+      end
+
+
+      def create_source_manager(podfile)
+        sourceManager = ::Pod::Source::Manager.new(::Pod::Config::instance.repos_dir)
+        @logger.debug "Parsing sources from #{podfile.defined_in_file}"
+        podfile.sources.each do |source|
+          @logger.debug "Ensuring #{source} is available for searches"
+          sourceManager.find_or_create_source_with_url(source)
+        end
+        @logger.debug "Source manager successfully created with all needed sources"
+        return sourceManager
+      end
+
+
+      def populate_pods_with_additional_info(pods)
+        pods.each do |pod|
+          @logger.debug "Completing information for #{pod.name}"
+          pod.complete_information_from_source
+        end
+        return pods
+      end
+
+
+      def write_bom_to_file(bom:, options:)
+        bom_file_path = Pathname.new(options[:bom_file_path] || './bom.xml').expand_path
+        bom_dir = bom_file_path.dirname
+
+        begin
+          FileUtils.mkdir_p(bom_dir) unless bom_dir.directory?
+        rescue
+          raise BOMOutputError, "Unable to create the BOM output directory at #{bom_dir}"
+        end
+
+        begin
+          File.open(bom_file_path, 'w') { |file| file.write(bom) }
+          @logger.info "BOM written to #{bom_file_path}"
+        rescue
+          raise BOMOutputError, "Unable to write the BOM to #{bom_file_path}"
+        end
+      end
+    end
+  end
+end

data/lib/cyclonedx/cocoapods/component.rb

@@ -0,0 +1,37 @@
+#
+# This file is part of CycloneDX CocoaPods
+#
+# Licensed under the Apache License, Version 2.0 (the “License”);
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an “AS IS” BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+#
+
+module CycloneDX
+  module CocoaPods
+    class Component
+      VALID_COMPONENT_TYPES = %w[application framework library container operating-system device firmware file].freeze
+
+      attr_reader :group, :name, :version, :type
+
+      def initialize(group: nil, name:, version:, type:)
+        raise ArgumentError, "Group, if specified, must be non empty" if !group.nil? && group.to_s.strip.empty?
+        raise ArgumentError, "Name must be non empty" if name.nil? || name.to_s.strip.empty?
+        Gem::Version.new(version) # To check that the version string is well formed
+        raise ArgumentError, "#{type} is not valid component type (#{VALID_COMPONENT_TYPES.join('|')})" unless VALID_COMPONENT_TYPES.include?(type)
+
+        @group, @name, @version, @type = group, name, version, type
+      end
+    end
+  end
+end

data/lib/cyclonedx/cocoapods/license.rb

@@ -0,0 +1,44 @@
+#
+# This file is part of CycloneDX CocoaPods
+#
+# Licensed under the Apache License, Version 2.0 (the “License”);
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an “AS IS” BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+#
+
+require 'json'
+
+module CycloneDX
+  module CocoaPods
+    class Pod
+      class License
+        SPDX_LICENSES = JSON.parse(File.read("#{__dir__}/spdx-licenses.json")).freeze
+        IDENTIFIER_TYPES = [:id, :name].freeze
+
+        attr_reader   :identifier
+        attr_reader   :identifier_type
+        attr_accessor :text
+        attr_accessor :url
+
+        def initialize(identifier:)
+          raise ArgumentError, "License identifier must be non empty" if identifier.nil? || identifier.to_s.strip.empty?
+
+          @identifier = SPDX_LICENSES.find { |license_id| license_id.downcase == identifier.to_s.downcase }
+          @identifier_type = @identifier.nil? ? :name : :id
+          @identifier ||= identifier
+        end
+      end
+    end
+  end
+end

data/lib/cyclonedx/cocoapods/pod.rb

@@ -0,0 +1,108 @@
+#
+# This file is part of CycloneDX CocoaPods
+#
+# Licensed under the Apache License, Version 2.0 (the “License”);
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an “AS IS” BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+#
+
+require 'rubygems/version'
+require_relative 'license'
+
+module CycloneDX
+  module CocoaPods
+    class Pod
+      attr_reader :name        # xs:normalizedString
+      attr_reader :version     # xs:normalizedString
+      attr_reader :source      # Anything responding to :source_qualifier
+      attr_reader :homepage    # xs:anyURI - https://cyclonedx.org/docs/1.4/#type_externalReference
+      attr_reader :checksum    # https://cyclonedx.org/docs/1.4/#type_hashValue (We only use SHA-1 hashes - length == 40)
+      attr_reader :author      # xs:normalizedString
+      attr_reader :description # xs:normalizedString
+      attr_reader :license     # https://cyclonedx.org/docs/1.4/#type_licenseType
+                               # We don't currently support several licenses or license expressions https://spdx.github.io/spdx-spec/appendix-IV-SPDX-license-expressions/
+      def initialize(name:, version:, source: nil, checksum: nil)
+        raise ArgumentError, "Name must be non empty" if name.nil? || name.to_s.empty?
+        raise ArgumentError, "Name shouldn't contain spaces" if name.to_s.include?(' ')
+        raise ArgumentError, "Name shouldn't start with a dot" if name.to_s.start_with?('.')
+        # `pod create` also enforces no plus sign, but more than 500 public pods have a plus in the root name.
+        # https://github.com/CocoaPods/CocoaPods/blob/9461b346aeb8cba6df71fd4e71661688138ec21b/lib/cocoapods/command/lib/create.rb#L35
+
+        Gem::Version.new(version) # To check that the version string is well formed
+        raise ArgumentError, "Invalid pod source" unless source.nil? || source.respond_to?(:source_qualifier)
+        raise ArgumentError, "#{checksum} is not valid SHA-1 hash" unless checksum.nil? || checksum =~ /[a-fA-F0-9]{40}/
+        @name, @version, @source, @checksum = name.to_s, version, source, checksum
+      end
+
+      def root_name
+        @name.split('/').first
+      end
+
+      def populate(attributes)
+        attributes.transform_keys!(&:to_sym)
+        populate_author(attributes)
+        populate_description(attributes)
+        populate_license(attributes)
+        populate_homepage(attributes)
+        self
+      end
+
+      def to_s
+        "Pod<#{name}, #{version.to_s}>"
+      end
+
+      private
+
+      def populate_author(attributes)
+        authors = attributes[:author] || attributes[:authors]
+        case authors
+        when String
+          @author = authors
+        when Array
+          @author = authors.join(', ')
+        when Hash
+          @author = authors.map { |name, email| "#{name} <#{email}>" }.join(', ')
+        else
+          @author = nil
+        end
+      end
+
+      def populate_description(attributes)
+        @description = attributes[:description] || attributes[:summary]
+      end
+
+      def populate_license(attributes)
+        case attributes[:license]
+        when String
+          @license = License.new(identifier: attributes[:license])
+        when Hash
+          attributes[:license].transform_keys!(&:to_sym)
+          identifier = attributes[:license][:type]
+          unless identifier.nil? || identifier.to_s.strip.empty?
+            @license = License.new(identifier: identifier)
+            @license.text = attributes[:license][:text]
+          else
+            @license = nil
+          end
+        else
+          @license = nil
+        end
+      end
+
+      def populate_homepage(attributes)
+        @homepage = attributes[:homepage]
+      end
+    end
+  end
+end

data/lib/cyclonedx/cocoapods/pod_attributes.rb

@@ -0,0 +1,72 @@
+#
+# This file is part of CycloneDX CocoaPods
+#
+# Licensed under the Apache License, Version 2.0 (the “License”);
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an “AS IS” BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+#
+
+module CycloneDX
+  module CocoaPods
+    class SearchError < StandardError; end
+
+    module Source
+      class CocoaPodsRepository
+        attr_accessor :source_manager
+
+        def self.searchable_source(url:, source_manager:)
+          source = CocoaPodsRepository.new(url: url)
+          source.source_manager = source_manager
+          return source
+        end
+
+        def attributes_for(pod:)
+          specification_sets = @source_manager.search_by_name("^#{Regexp.escape(pod.root_name)}$")
+          raise SearchError, "No pod found named #{pod.name}" if specification_sets.length == 0
+          raise SearchError, "More than one pod found named #{pod.name}" if specification_sets.length > 1
+
+          paths = specification_sets[0].specification_paths_for_version(pod.version)
+          raise SearchError, "Version #{pod.version} not found for pod #{pod.name}" if paths.length == 0
+
+          ::Pod::Specification.from_file(paths[0]).attributes_hash
+        end
+      end
+
+      class GitRepository
+        def attributes_for(pod:)
+          ::Pod::Config.instance.sandbox.specification(pod.name).attributes_hash
+        end
+      end
+
+      class LocalPod
+        def attributes_for(pod:)
+          ::Pod::Config.instance.sandbox.specification(pod.name).attributes_hash
+        end
+      end
+
+      class Podspec
+        def attributes_for(pod:)
+          ::Pod::Config.instance.sandbox.specification(pod.name).attributes_hash
+        end
+      end
+    end
+
+
+    class Pod
+      def complete_information_from_source
+        populate(source.attributes_for(pod: self))
+      end
+    end
+  end
+end

data/lib/cyclonedx/cocoapods/source.rb

@@ -0,0 +1,59 @@
+#
+# This file is part of CycloneDX CocoaPods
+#
+# Licensed under the Apache License, Version 2.0 (the “License”);
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an “AS IS” BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+#
+
+module CycloneDX
+  module CocoaPods
+    module Source
+      class CocoaPodsRepository
+        attr_reader :url
+
+        def initialize(url:)
+          @url = url
+        end
+      end
+
+      class GitRepository
+        VALID_TYPES = [:branch, :tag, :commit].freeze
+
+        attr_reader :url, :type, :label
+
+        def initialize(url:, type: nil, label: nil)
+          raise ArgumentError, "Invalid checkout information" if !type.nil? && !VALID_TYPES.include?(type)
+          @url, @type, @label = url, type, label
+        end
+      end
+
+      class LocalPod
+        attr_reader :path
+
+        def initialize(path:)
+          @path = path
+        end
+      end
+
+      class Podspec
+        attr_reader :url
+
+        def initialize(url:)
+          @url = url
+        end
+      end
+    end
+  end
+end