cyclonedx-cocoapods 1.1.1 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4185f4f9ba77e7307a2f2a93ca2d96412775a6fa1a9d863b0955e0ccde099214
-  data.tar.gz: 4df386bef89ea9bb2bc7bfd9299a582faec48e8887f7443acd2cfb321947c0fd
+  metadata.gz: f9377b14e9d7b5f41db0b12693b58dd37367e05e72f8ab208178c6d79f38234b
+  data.tar.gz: a8402aabb0a9eb157bbbaab4782a3fc6ce731003b48037c54cb1dc7e2d5fb289
 SHA512:
-  metadata.gz: 847962664a8e0d9eca4ee42d2560151de4f56fbdcb3524ff1ad208f6cac0bc5b234d879f09cccdcaddf6df81096bdb89ea26923e2195e2127334276bfb32b856
-  data.tar.gz: 799ca49eb4e2dd2caf9c93cd211692a364091ef8366895fe6595d109d8b455bf222c607e19b16bd410e927d7099a29a2d1dfad8b0f9d84b837705f7e7b448bb1
+  metadata.gz: 7fe8629cb7313126a55d2cbae4e7f69ea6fc365336b56093eab5a23e3a27d4fde848a892926ce2fc201509af9c9e4adb9cf59e0940841a03023e344817be2aa2
+  data.tar.gz: 8cc8b64ddcf4292e14c4698e55899a2b6c72de7ed1ed5ee7adcef316fa315286e52b108a5d000a5fa6f6e42333fd752633b7eeb0142fa603b615b05fef688c8e

data/CHANGELOG.md

@@ -4,6 +4,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.0]
+
+### Added
+- Includes dependency relationship information for each of the components. ([Issue #58](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/58)) [@fnxpt](https://github.com/fnxpt).
+
+### Changed
+- Components and dependencies are output in alphabetically sorted order by `purl` to increase reproducability of BOM generation. ([Issue #59](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/59)) [@macblazer](https://github.com/macblazer).
+
+## [1.1.2]
+
+### Changed
+- Updated gem dependency for cocoapods to be minimum v1.10.1 up to anything less than v2. ([Issue #51](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/51)) [@macblazer](https://github.com/macblazer).
+- Updated gem dependency for nokogiri to be minimum v1.11.2 up to anything less than v2. [@macblazer](https://github.com/macblazer).
+- Updated README.md with a description of what happens with pods or Podfiles that use subspecs. ([Issue #52](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/52)) [@macblazer](https://github.com/macblazer).
+
+### Fixed
+- Fixed parsing of a Podfile that uses CocoaPods plugins.  ([PR #55](https://github.com/CycloneDX/cyclonedx-cocoapods/pull/55)) [@DwayneCoussement](https://github.com/DwayneCoussement).
+
 ## [1.1.1]
 
 ### Changed

data/README.md

@@ -80,6 +80,41 @@ then these two commands were run in the checked out code directory.
 % cyclonedx-cocoapods -n "kizitonwose/PodsUpdater" -v 1.0.3 -t application --output example_bom.xml
 ```
 
+### A Note About CocoaPod Subspecs
+
+Many CocoaPods make use of [subspec functionality](https://guides.cocoapods.org/syntax/podspec.html#subspec).
+Podfiles can require whole pods, or just subspecs; pods themselves may require whole pods or subspecs of other
+pods.  In complex projects such as React Native apps this often results in a single pod being included as a
+dependency multiple times as several of its subspecs are included individually.
+
+*cyclonedx-cocoapods* works properly with this, and adds a dependency in the BOM output for each subspec that is
+required by the Podfile and throughout the chain of dependencies.  Each subspec will only appear once in the BOM
+file.  This gives you granular detail in the BOM of which subspecs of which pods are used.  This is easiest seen
+with an example.
+
+The Podfile
+```ruby
+target 'SampleProject' do
+  pod 'SamplePod/firstsubspec'
+  pod 'SamplePod/secondsubspec'
+end
+```
+
+If the SamplePod is at v2.1, running *cyclonedx-cocoapods* on this will output a BOM file with two `component`
+dependencies:
+- `pkg:cocoapods/SamplePod@2.1#firstsubspec` at `https://github.com/example/SamplePod`
+- `pkg:cocoapods/SamplePod@2.1#secondsubspec` at `https://github.com/example/SamplePod`
+
+[Dependency Track](https://dependencytrack.org) (DT) is a tool that many organizations use to help automate SBOM
+related tasks.  When uploading an SBOM that contains multiple subspecs from the same pod, or a single subspec
+alongside the complete pod dependency, the initial upload will indicate a number of dependencies equal to the number
+of `component` objects within the BOM.  However, DT analysis then looks for unique repositories in use which will
+merge all of the subspecs of a particular pod into a single entry.  On later uploads to DT of the same or similar BOM
+it will indicate just the number of unique repositories.
+
+Uploading the above SamplePod BOM file to DT will initially see two dependencies.  Later analysis by DT notices
+that both dependencies resolve to the same repository, so DT will then only show a single dependency.
+
 ## Contributing
 
 To set up for local development, make a fork of this repo, make a branch on your fork named after the issue or workflow you are improving, checkout your branch, then run `bundle install`.

data/lib/cyclonedx/cocoapods/bom_builder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -26,8 +28,8 @@ module CycloneDX
   module CocoaPods
     module Source
       class CocoaPodsRepository
-        LEGACY_REPOSITORY = 'https://github.com/CocoaPods/Specs.git'.freeze
-        CDN_REPOSITORY = 'trunk'.freeze
+        LEGACY_REPOSITORY = 'https://github.com/CocoaPods/Specs.git'
+        CDN_REPOSITORY = 'trunk'
 
         def source_qualifier
           url == LEGACY_REPOSITORY || url == CDN_REPOSITORY ? {} : { repository_url: url }
@@ -54,8 +56,8 @@ module CycloneDX
     end
 
     class Pod
-      CHECKSUM_ALGORITHM = 'SHA-1'.freeze
-      HOMEPAGE_REFERENCE_TYPE = 'website'.freeze
+      CHECKSUM_ALGORITHM = 'SHA-1'
+      HOMEPAGE_REFERENCE_TYPE = 'website'
 
       def purl
         purl_name = CGI.escape(name.split('/').first)
@@ -82,6 +84,7 @@ module CycloneDX
             end
           end
           xml.purl purl
+          xml.bomRef purl
           unless homepage.nil?
             xml.externalReferences do
               xml.reference(type: HOMEPAGE_REFERENCE_TYPE) do
@@ -115,12 +118,14 @@ module CycloneDX
     end
 
     class BOMBuilder
-      NAMESPACE = 'http://cyclonedx.org/schema/bom/1.4'.freeze
+      NAMESPACE = 'http://cyclonedx.org/schema/bom/1.4'
 
-      attr_reader :component, :pods
+      attr_reader :component, :pods, :dependencies
 
-      def initialize(component: nil, pods:)
-        @component, @pods = component, pods
+      def initialize(pods:, component: nil, dependencies: nil)
+        @pods = pods.sort_by(&:purl)
+        @component = component
+        @dependencies = dependencies&.sort
       end
 
       def bom(version: 1)
@@ -134,12 +139,26 @@ module CycloneDX
                 pod.add_to_bom(xml)
               end
             end
+
+            xml.dependencies do
+              bom_dependencies(xml, dependencies)
+            end
           end
         end.to_xml
       end
 
       private
 
+      def bom_dependencies(xml, dependencies)
+        dependencies&.each do |key, array|
+          xml.dependency(ref: key) do
+            array.sort.each do |value|
+              xml.dependency(ref: value)
+            end
+          end
+        end
+      end
+
       def bom_metadata(xml)
         xml.metadata do
           xml.timestamp Time.now.getutc.strftime('%Y-%m-%dT%H:%M:%SZ')
@@ -155,4 +174,4 @@ module CycloneDX
       end
     end
   end
-end
+end

data/lib/cyclonedx/cocoapods/cli_runner.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -39,10 +40,11 @@ module CycloneDX
 
           analyzer = PodfileAnalyzer.new(logger: @logger, exclude_test_targets: options[:exclude_test_targets])
           podfile, lockfile = analyzer.ensure_podfile_and_lock_are_present(options)
-          pods = analyzer.parse_pods(podfile, lockfile)
+          pods, dependencies = analyzer.parse_pods(podfile, lockfile)
           analyzer.populate_pods_with_additional_info(pods)
 
-          bom = BOMBuilder.new(component: component_from_options(options), pods: pods).bom(version: options[:bom_version] || 1)
+          builder = BOMBuilder.new(pods: pods, component: component_from_options(options), dependencies: dependencies)
+          bom = builder.bom(version: options[:bom_version] || 1)
           write_bom_to_file(bom: bom, options: options)
         rescue StandardError => e
           @logger.error ([e.message] + e.backtrace).join($/)

data/lib/cyclonedx/cocoapods/component.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #

data/lib/cyclonedx/cocoapods/license.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #

data/lib/cyclonedx/cocoapods/pod.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -105,4 +107,4 @@ module CycloneDX
       end
     end
   end
-end
+end

data/lib/cyclonedx/cocoapods/pod_attributes.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #

data/lib/cyclonedx/cocoapods/podfile_analyzer.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -19,6 +20,7 @@
 #
 
 require 'cocoapods'
+require 'cocoapods-core'
 require 'logger'
 
 require_relative 'pod'
@@ -35,6 +37,23 @@ module CycloneDX
         @exclude_test_targets = exclude_test_targets
       end
 
+      def load_plugins(podfile_path)
+        podfile_contents = File.read(podfile_path)
+        plugin_syntax = /\s*plugin\s+['"]([^'"]+)['"]/
+        plugin_names = podfile_contents.scan(plugin_syntax).flatten
+
+        plugin_names.each do |plugin_name|
+          @logger.debug("Loading plugin #{plugin_name}")
+          begin
+            plugin_spec = Gem::Specification.find_by_name(plugin_name)
+            plugin_spec.activate if plugin_spec
+            load(plugin_spec.gem_dir + '/lib/cocoapods_plugin.rb') if plugin_spec
+          rescue Gem::LoadError => e
+            @logger.warn("Failed to load plugin #{plugin_name}. #{e.message}")
+          end
+        end
+      end
+
       def ensure_podfile_and_lock_are_present(options)
         project_dir = Pathname.new(options[:path] || Dir.pwd)
         raise PodfileParsingError, "#{options[:path]} is not a valid directory." unless File.directory?(project_dir)
@@ -47,6 +66,7 @@ module CycloneDX
 
         lockfile = ::Pod::Lockfile.from_file(options[:podfile_lock_path])
         verify_synced_sandbox(lockfile)
+        load_plugins(options[:podfile_path])
 
         return ::Pod::Podfile.from_file(options[:podfile_path]), lockfile
       end
@@ -54,10 +74,25 @@ module CycloneDX
 
       def parse_pods(podfile, lockfile)
         @logger.debug "Parsing pods from #{podfile.defined_in_file}"
-        included_pods = create_list_of_included_pods(podfile, lockfile)
-        return lockfile.pod_names.select { |name| included_pods.include?(name) }.map do |name|
+        included_pods, dependencies = create_list_of_included_pods(podfile, lockfile)
+
+        pods = lockfile.pod_names.select { |name| included_pods.include?(name) }.map do |name|
           Pod.new(name: name, version: lockfile.version(name), source: source_for_pod(podfile, lockfile, name), checksum: lockfile.checksum(name))
         end
+
+        pod_dependencies = { }
+        dependencies.each {|key, value|
+          if lockfile.pod_names.include? key
+            pod = Pod.new(name: key, version: lockfile.version(key), source: source_for_pod(podfile, lockfile, key), checksum: lockfile.checksum(key))
+
+            pod_dependencies[pod.purl] = lockfile.pod_names.select { |name| value.include?(name) }.map do |name|
+              pod = Pod.new(name: name, version: lockfile.version(name), source: source_for_pod(podfile, lockfile, name), checksum: lockfile.checksum(name))
+              pod.purl
+            end
+          end
+        }
+
+        return pods, pod_dependencies
       end
 
 
@@ -69,7 +104,6 @@ module CycloneDX
         return pods
       end
 
-
       private
 
 
@@ -104,9 +138,12 @@ module CycloneDX
         pods_hash
       end
 
+
       def append_all_pod_dependencies(pods_used, pods_cache)
         result = pods_used
         original_number = 0
+        dependencies_hash = { }
+
         # Loop adding pod dependencies until we are not adding any more dependencies to the result
         # This brings in all the transitive dependencies of every top level pod.
         # Note this also handles two edge cases:
@@ -114,13 +151,20 @@ module CycloneDX
         #  2. Having a pod that has a platform-specific dependency that is unused for this Podfile.
         while result.length != original_number
           original_number = result.length
+
           pods_used.each { |pod_name|
-            result.push(*pods_cache[pod_name]) unless !pods_cache.key?(pod_name) || pods_cache[pod_name].empty?
+            if pods_cache.key?(pod_name)
+              result.push(*pods_cache[pod_name])
+              dependencies_hash[pod_name] = pods_cache[pod_name].empty? ? [] : pods_cache[pod_name]
+            end
           }
+
           result = result.uniq
+          # maybe additional dependency processing needed here???
           pods_used = result
         end
-        result
+
+        return result, dependencies_hash
       end
 
       def create_list_of_included_pods(podfile, lockfile)
@@ -132,9 +176,9 @@ module CycloneDX
 
         topLevelDeps = includedTargets.map(&:dependencies).flatten.uniq
         pods_used = topLevelDeps.map(&:name).uniq
-        pods_used = append_all_pod_dependencies(pods_used, pods_cache)
+        pods_used, dependencies = append_all_pod_dependencies(pods_used, pods_cache)
 
-        return pods_used.sort
+        return pods_used.sort, dependencies
       end
 
 

data/lib/cyclonedx/cocoapods/source.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #

data/lib/cyclonedx/cocoapods/version.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -20,10 +21,6 @@
 
 module CycloneDX
   module CocoaPods
-    VERSION = '1.1.1'
-    DEPENDENCIES = {
-      cocoapods: '~> 1.10.1',
-      nokogiri: '~> 1.11.2'
-    }
+    VERSION = '1.2.0'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cyclonedx-cocoapods
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.2.0
 platform: ruby
 authors:
 - José González
@@ -9,36 +9,48 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-10-12 00:00:00.000000000 Z
+date: 2024-01-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cocoapods
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.10.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.10.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.11.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.11.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement