cyclonedx-cocoapods 1.1.0 → 1.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a3c7ebcac0eb8ea04cf5b1aed4da3bdbe1cadc2acb33e1bc4ebec9f52ac9bad9
-  data.tar.gz: bdc83e96c9b4750bf2135a85b30d384ae2096e4c0591d3db2f65434506f4c220
+  metadata.gz: d9413e8c99e608e82f87b4075e907eb9fd137fd9f67a2c00bb277cf5c7fc2e21
+  data.tar.gz: fd8be60d19ee1e2d84f53bbc16e66734eaffb9b2375f462219bd097fbdb7ef1c
 SHA512:
-  metadata.gz: 94cdbbcb32c6d83dad78c383536dc484f08a040f5104318a3c2355b070fb915474e25027188bcaa8dfffc4222772525e4e051dfc8a1d673a08a31cd51f4d3cc2
-  data.tar.gz: 1c0da4d2d356eb06207f889605e3c65ea0594821b7de130ebe5ce3d182917f87415fdc615d727f54f540b5a3c9c2b58d915117627b7b71c7a115045e799bc0c4
+  metadata.gz: 8b1e44bed24cddcce4e550047b39c849167f60d4e3ac86006365a991e70de3de3634a9de0ef90df7e7a3f93a9c255b5df271526a3731b91739726cc400c23889
+  data.tar.gz: f8778db86758639e8c2888a0ccd67d9209d8dac2282e422d75c18a40831c3e89a8c0cac10d8392965b8a47c01341b197dc424912470bc300e06c355e76d76415

data/CHANGELOG.md

@@ -4,8 +4,28 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.2]
+
+### Changed
+- Updated gem dependency for cocoapods to be minimum v1.10.1 up to anything less than v2. ([Issue #51](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/51)) [@macblazer](https://github.com/macblazer).
+- Updated gem dependency for nokogiri to be minimum v1.11.2 up to anything less than v2. [@macblazer](https://github.com/macblazer).
+- Updated README.md with a description of what happens with pods or Podfiles that use subspecs. ([Issue #52](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/52)) [@macblazer](https://github.com/macblazer).
+
+### Fixed
+- Fixed parsing of a Podfile that uses CocoaPods plugins.  ([PR #55](https://github.com/CycloneDX/cyclonedx-cocoapods/pull/55)) [@DwayneCoussement](https://github.com/DwayneCoussement).
+
+## [1.1.1]
+
+### Changed
+- Better error messaging when a problem is encountered while gathering pod information ([Issue #48](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/48)) [@macblazer](https://github.com/macblazer).
+
+### Fixed
+- Including a pod that has a platform-specific dependency for an unused platform no longer causes a crash ([Issue #46](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/46)) [@macblazer](https://github.com/macblazer).
+- Analyzing a Podfile that has no pods defined in it no longer causes a crash [@macblazer](https://github.com/macblazer).
+
 ## [1.1.0]
 
+### Added
 - Can now eliminate Podfile targets that include "test" in their name ([Issue #43](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/43)) [@macblazer](https://github.com/macblazer).
 
 ## [1.0.0]

data/README.md

@@ -80,6 +80,41 @@ then these two commands were run in the checked out code directory.
 % cyclonedx-cocoapods -n "kizitonwose/PodsUpdater" -v 1.0.3 -t application --output example_bom.xml
 ```
 
+### A Note About CocoaPod Subspecs
+
+Many CocoaPods make use of [subspec functionality](https://guides.cocoapods.org/syntax/podspec.html#subspec).
+Podfiles can require whole pods, or just subspecs; pods themselves may require whole pods or subspecs of other
+pods.  In complex projects such as React Native apps this often results in a single pod being included as a
+dependency multiple times as several of its subspecs are included individually.
+
+*cyclonedx-cocoapods* works properly with this, and adds a dependency in the BOM output for each subspec that is
+required by the Podfile and throughout the chain of dependencies.  Each subspec will only appear once in the BOM
+file.  This gives you granular detail in the BOM of which subspecs of which pods are used.  This is easiest seen
+with an example.
+
+The Podfile
+```ruby
+target 'SampleProject' do
+  pod 'SamplePod/firstsubspec'
+  pod 'SamplePod/secondsubspec'
+end
+```
+
+If the SamplePod is at v2.1, running *cyclonedx-cocoapods* on this will output a BOM file with two `component`
+dependencies:
+- `pkg:cocoapods/SamplePod@2.1#firstsubspec` at `https://github.com/example/SamplePod`
+- `pkg:cocoapods/SamplePod@2.1#secondsubspec` at `https://github.com/example/SamplePod`
+
+[Dependency Track](https://dependencytrack.org) (DT) is a tool that many organizations use to help automate SBOM
+related tasks.  When uploading an SBOM that contains multiple subspecs from the same pod, or a single subspec
+alongside the complete pod dependency, the initial upload will indicate a number of dependencies equal to the number
+of `component` objects within the BOM.  However, DT analysis then looks for unique repositories in use which will
+merge all of the subspecs of a particular pod into a single entry.  On later uploads to DT of the same or similar BOM
+it will indicate just the number of unique repositories.
+
+Uploading the above SamplePod BOM file to DT will initially see two dependencies.  Later analysis by DT notices
+that both dependencies resolve to the same repository, so DT will then only show a single dependency.
+
 ## Contributing
 
 To set up for local development, make a fork of this repo, make a branch on your fork named after the issue or workflow you are improving, checkout your branch, then run `bundle install`.

data/lib/cyclonedx/cocoapods/bom_builder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -26,8 +28,8 @@ module CycloneDX
   module CocoaPods
     module Source
       class CocoaPodsRepository
-        LEGACY_REPOSITORY = 'https://github.com/CocoaPods/Specs.git'.freeze
-        CDN_REPOSITORY = 'trunk'.freeze
+        LEGACY_REPOSITORY = 'https://github.com/CocoaPods/Specs.git'
+        CDN_REPOSITORY = 'trunk'
 
         def source_qualifier
           url == LEGACY_REPOSITORY || url == CDN_REPOSITORY ? {} : { repository_url: url }
@@ -54,8 +56,8 @@ module CycloneDX
     end
 
     class Pod
-      CHECKSUM_ALGORITHM = 'SHA-1'.freeze
-      HOMEPAGE_REFERENCE_TYPE = 'website'.freeze
+      CHECKSUM_ALGORITHM = 'SHA-1'
+      HOMEPAGE_REFERENCE_TYPE = 'website'
 
       def purl
         purl_name = CGI.escape(name.split('/').first)
@@ -115,7 +117,7 @@ module CycloneDX
     end
 
     class BOMBuilder
-      NAMESPACE = 'http://cyclonedx.org/schema/bom/1.4'.freeze
+      NAMESPACE = 'http://cyclonedx.org/schema/bom/1.4'
 
       attr_reader :component, :pods
 
@@ -155,4 +157,4 @@ module CycloneDX
       end
     end
   end
-end
+end

data/lib/cyclonedx/cocoapods/cli_runner.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #

data/lib/cyclonedx/cocoapods/component.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #

data/lib/cyclonedx/cocoapods/license.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #

data/lib/cyclonedx/cocoapods/pod.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -105,4 +107,4 @@ module CycloneDX
       end
     end
   end
-end
+end

data/lib/cyclonedx/cocoapods/pod_attributes.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -33,11 +35,11 @@ module CycloneDX
 
         def attributes_for(pod:)
           specification_sets = @source_manager.search_by_name("^#{Regexp.escape(pod.root_name)}$")
-          raise SearchError, "No pod found named #{pod.name}" if specification_sets.length == 0
-          raise SearchError, "More than one pod found named #{pod.name}" if specification_sets.length > 1
+          raise SearchError, "No pod found named #{pod.name}; run 'pod repo update' and try again" if specification_sets.length == 0
+          raise SearchError, "More than one pod found named #{pod.name}; a pod in a private spec repo should not have the same name as a public pod" if specification_sets.length > 1
 
           paths = specification_sets[0].specification_paths_for_version(pod.version)
-          raise SearchError, "Version #{pod.version} not found for pod #{pod.name}" if paths.length == 0
+          raise SearchError, "Version #{pod.version} not found for pod #{pod.name}; run 'pod repo update' and try again" if paths.length == 0
 
           ::Pod::Specification.from_file(paths[0]).attributes_hash
         end

data/lib/cyclonedx/cocoapods/podfile_analyzer.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -19,6 +20,7 @@
 #
 
 require 'cocoapods'
+require 'cocoapods-core'
 require 'logger'
 
 require_relative 'pod'
@@ -35,6 +37,23 @@ module CycloneDX
         @exclude_test_targets = exclude_test_targets
       end
 
+      def load_plugins(podfile_path)
+        podfile_contents = File.read(podfile_path)
+        plugin_syntax = /\s*plugin\s+['"]([^'"]+)['"]/
+        plugin_names = podfile_contents.scan(plugin_syntax).flatten
+      
+        plugin_names.each do |plugin_name|
+          @logger.debug("Loading plugin #{plugin_name}")
+          begin
+            plugin_spec = Gem::Specification.find_by_name(plugin_name)
+            plugin_spec.activate if plugin_spec
+            load(plugin_spec.gem_dir + '/lib/cocoapods_plugin.rb') if plugin_spec
+          rescue Gem::LoadError => e
+            @logger.warn("Failed to load plugin #{plugin_name}. #{e.message}")
+          end
+        end
+      end
+
       def ensure_podfile_and_lock_are_present(options)
         project_dir = Pathname.new(options[:path] || Dir.pwd)
         raise PodfileParsingError, "#{options[:path]} is not a valid directory." unless File.directory?(project_dir)
@@ -47,7 +66,8 @@ module CycloneDX
 
         lockfile = ::Pod::Lockfile.from_file(options[:podfile_lock_path])
         verify_synced_sandbox(lockfile)
-
+        load_plugins(options[:podfile_path])
+        
         return ::Pod::Podfile.from_file(options[:podfile_path]), lockfile
       end
 
@@ -88,7 +108,7 @@ module CycloneDX
         pods_hash = { }
 
         pods_used = lockfile.internal_data['PODS']
-        pods_used.each { |pod|
+        pods_used&.each { |pod|
           if pod.is_a?(String)
             # Pods stored as String have no dependencies
             pod_name = pod.split.first
@@ -109,11 +129,13 @@ module CycloneDX
         original_number = 0
         # Loop adding pod dependencies until we are not adding any more dependencies to the result
         # This brings in all the transitive dependencies of every top level pod.
-        # Note this also handles the edge case of having a Podfile with no pods used.
+        # Note this also handles two edge cases:
+        #  1. Having a Podfile with no pods used.
+        #  2. Having a pod that has a platform-specific dependency that is unused for this Podfile.
         while result.length != original_number
           original_number = result.length
           pods_used.each { |pod_name|
-            result.push(*pods_cache[pod_name]) unless pods_cache[pod_name].empty?
+            result.push(*pods_cache[pod_name]) unless !pods_cache.key?(pod_name) || pods_cache[pod_name].empty?
           }
           result = result.uniq
           pods_used = result

data/lib/cyclonedx/cocoapods/source.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #

data/lib/cyclonedx/cocoapods/version.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -20,10 +21,6 @@
 
 module CycloneDX
   module CocoaPods
-    VERSION = '1.1.0'
-    DEPENDENCIES = {
-      cocoapods: '~> 1.10.1',
-      nokogiri: '~> 1.11.2'
-    }
+    VERSION = '1.1.2'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cyclonedx-cocoapods
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.2
 platform: ruby
 authors:
 - José González
@@ -9,36 +9,48 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-09-13 00:00:00.000000000 Z
+date: 2023-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cocoapods
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.10.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.10.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.11.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.11.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement