cyclonedx-cocoapods 1.2.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f9377b14e9d7b5f41db0b12693b58dd37367e05e72f8ab208178c6d79f38234b
-  data.tar.gz: a8402aabb0a9eb157bbbaab4782a3fc6ce731003b48037c54cb1dc7e2d5fb289
+  metadata.gz: 4b3c1577d54844759e40218fb3b0876014aa8a2eac1a8ea2be2512cab13d79f9
+  data.tar.gz: dd99bd2aa09a1d6ecd956fdd3118a064df6662026b6816ee86f9a2f553347068
 SHA512:
-  metadata.gz: 7fe8629cb7313126a55d2cbae4e7f69ea6fc365336b56093eab5a23e3a27d4fde848a892926ce2fc201509af9c9e4adb9cf59e0940841a03023e344817be2aa2
-  data.tar.gz: 8cc8b64ddcf4292e14c4698e55899a2b6c72de7ed1ed5ee7adcef316fa315286e52b108a5d000a5fa6f6e42333fd752633b7eeb0142fa603b615b05fef688c8e
+  metadata.gz: 5e82c25c27de0fbede464d04a06b9b7f06c3fc79550041835395c6fe5aa32a0f1c4bba1d391b988ff6d39107f696960f064730de43ef8c0f0e8000d576cd1010
+  data.tar.gz: '048fa99979dd4e606b4952412dad3675bad2ebe3e45eccd8513089f18908d5594213031cb85130434f002d7a8edbafbb67818e602c648b49137768e8085c445b'

data/CHANGELOG.md

@@ -4,6 +4,27 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.4.0]
+
+### Added
+- Added `evidence` element to the component output to indicate that we are doing manifest analysis to generate the bom. ([Issue #69](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/69)) [@macblazer](https://github.com/macblazer).
+
+### Fixed
+- Added top level dependencies when the metadata/component is specified (by using the `--name`, `--version`, and `--type` parameters). ([PR #70](https://github.com/CycloneDX/cyclonedx-cocoapods/pull/70)) [@fnxpt](https://github.com/fnxpt)
+- Properly concatenate paths to Podfile and Podfile.lock (with unit tests!). ([Issue #71](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/71)) [@macblazer](https://github.com/macblazer).
+
+## [1.3.0]
+
+### Added
+- Added optional `--shortened-strings` CLI parameter to limit the author, publisher, and purl lengths. ([Issue #65](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/65)) [@macblazer](https://github.com/macblazer).
+
+### Changed
+- Updated to use v1.5 of the CycloneDX specification. ([Issue #57](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/57)) [@macblazer](https://github.com/macblazer)
+- Code cleanup based on [RuboCop](https://rubocop.org/) analysis. ([Issue #45](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/45)) [@macblazer](https://github.com/macblazer).
+
+### Fixed
+- Following the specification to put the `bom-ref` attribute on `component` instead of as a `bomRef` element of `component`. [@macblazer](https://github.com/macblazer).
+
 ## [1.2.0]
 
 ### Added

data/README.md

@@ -21,7 +21,7 @@ The CycloneDX CocoaPods Gem creates a valid CycloneDX software bill-of-material
 
 ### From Source
 
-First, clone/copy the source code from GitHub.  Then in the source code directory run these ommands:
+First, clone/copy the source code from GitHub.  Then in the source code directory run these commands (substituting the actual version number for `x.x.x`):
 
 ```shell
 gem build cyclonedx-cocoapods.gemspec
@@ -32,7 +32,7 @@ Building from source requires Ruby 2.4.0 or newer.
 
 ## Compatibility
 
-*cyclonedx-cocoapods* aims to produce SBOMs according to the latest CycloneDX specification, which currently is [1.4](https://cyclonedx.org/docs/1.4/).
+*cyclonedx-cocoapods* aims to produce SBOMs according to the latest CycloneDX specification, which currently is [1.5](https://cyclonedx.org/docs/1.5/xml/).
 You can use the [CycloneDX CLI](https://github.com/CycloneDX/cyclonedx-cli#convert-command) to convert between multiple BOM formats or specification versions.
 
 ## Usage
@@ -52,6 +52,7 @@ OPTIONS
     -o, --output bom_file_path       Path to output the bom.xml file to (default: "bom.xml")
     -b, --bom-version bom_version    Version of the generated BOM (default: "1")
     -x, --exclude-test-targets       Eliminate Podfile targets whose name contains the word "test"
+    -s, --shortened-strings length   Trim author, publisher, and purl to <length> characters; this may cause data loss but can improve compatibility with other systems
 
   Component Metadata
     -n, --name name                  (If specified version and type are also required) Name of the component for which the BOM is generated

data/exe/cyclonedx-cocoapods

@@ -1,4 +1,6 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -18,6 +20,6 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 #
 
-require "cyclonedx/cocoapods/cli_runner"
+require 'cyclonedx/cocoapods/cli_runner'
 
-CycloneDX::CocoaPods::CLIRunner.new().run
+CycloneDX::CocoaPods::CLIRunner.new.run

data/lib/cyclonedx/cocoapods/bom_builder.rb

@@ -59,18 +59,73 @@ module CycloneDX
       CHECKSUM_ALGORITHM = 'SHA-1'
       HOMEPAGE_REFERENCE_TYPE = 'website'
 
+      def source_qualifier
+        return '' if source.nil? || source.source_qualifier.empty?
+
+        "?#{source.source_qualifier.map do |key, value|
+              "#{key}=#{CGI.escape(value)}"
+            end.join('&')}"
+      end
+
+      def purl_subpath
+        return '' unless name.split('/').length > 1
+
+        "##{name.split('/').drop(1).map do |component|
+              CGI.escape(component)
+            end.join('/')}"
+      end
+
       def purl
         purl_name = CGI.escape(name.split('/').first)
-        source_qualifier = source.nil? || source.source_qualifier.empty? ? '' : "?#{source.source_qualifier.map { |key, value| "#{key}=#{CGI.escape(value)}" }.join('&')}"
-        purl_subpath = name.split('/').length > 1 ? "##{name.split('/').drop(1).map { |component| CGI.escape(component) }.join('/')}" : ''
-        return "pkg:cocoapods/#{purl_name}@#{CGI.escape(version.to_s)}#{source_qualifier}#{purl_subpath}"
+        src_qualifier = source_qualifier
+        subpath = purl_subpath
+        "pkg:cocoapods/#{purl_name}@#{CGI.escape(version.to_s)}#{src_qualifier}#{subpath}"
       end
 
-      def add_to_bom(xml)
-        xml.component(type: 'library') do
-          xml.author author unless author.nil?
-          xml.publisher author unless author.nil?
-          xml.name name
+      def xml_add_author(xml, trim_strings_length)
+        return if author.nil?
+
+        if trim_strings_length.zero?
+          xml.author author
+          xml.publisher author
+        else
+          xml.author author.slice(0, trim_strings_length)
+          xml.publisher author.slice(0, trim_strings_length)
+        end
+      end
+
+      def xml_add_homepage(xml)
+        return if homepage.nil?
+
+        xml.externalReferences do
+          xml.reference(type: HOMEPAGE_REFERENCE_TYPE) do
+            xml.url homepage
+          end
+        end
+      end
+
+      # Add evidence of the purl identity.
+      # See https://github.com/CycloneDX/guides/blob/main/SBOM/en/0x60-Evidence.md for more info
+      def xml_add_evidence(xml, manifest_path)
+        xml.evidence do
+          xml.identity do
+            xml.field 'purl'
+            xml.confidence '0.6'
+            xml.methods_ do
+              xml.method_ do
+                xml.technique 'manifest-analysis'
+                xml.confidence '0.6'
+                xml.value manifest_path
+              end
+            end
+          end
+        end
+      end
+
+      def add_to_bom(xml, manifest_path, trim_strings_length = 0)
+        xml.component(type: 'library', 'bom-ref': purl) do
+          xml_add_author(xml, trim_strings_length)
+          xml.name_ name
           xml.version version.to_s
           xml.description { xml.cdata description } unless description.nil?
           unless checksum.nil?
@@ -83,15 +138,14 @@ module CycloneDX
               license.add_to_bom(xml)
             end
           end
-          xml.purl purl
-          xml.bomRef purl
-          unless homepage.nil?
-            xml.externalReferences do
-              xml.reference(type: HOMEPAGE_REFERENCE_TYPE) do
-                xml.url homepage
-              end
-            end
+          if trim_strings_length.zero?
+            xml.purl purl
+          else
+            xml.purl purl.slice(0, trim_strings_length)
           end
+          xml_add_homepage(xml)
+
+          xml_add_evidence(xml, manifest_path)
         end
       end
 
@@ -99,7 +153,7 @@ module CycloneDX
         def add_to_bom(xml)
           xml.license do
             xml.id identifier if identifier_type == :id
-            xml.name identifier if identifier_type == :name
+            xml.name_ identifier if identifier_type == :name
             xml.text_ text unless text.nil?
             xml.url url unless url.nil?
           end
@@ -109,51 +163,71 @@ module CycloneDX
 
     class Component
       def add_to_bom(xml)
-        xml.component(type: type) do
+        xml.component(type: type, 'bom-ref': bomref) do
           xml.group group unless group.nil?
-          xml.name name
+          xml.name_ name
           xml.version version
         end
       end
     end
 
+    # Turns the internal model data into an XML bom.
     class BOMBuilder
-      NAMESPACE = 'http://cyclonedx.org/schema/bom/1.4'
+      NAMESPACE = 'http://cyclonedx.org/schema/bom/1.5'
 
-      attr_reader :component, :pods, :dependencies
+      attr_reader :component, :pods, :manifest_path, :dependencies
 
-      def initialize(pods:, component: nil, dependencies: nil)
+      def initialize(pods:, manifest_path:, component: nil, dependencies: nil)
         @pods = pods.sort_by(&:purl)
+        @manifest_path = manifest_path
         @component = component
         @dependencies = dependencies&.sort
       end
 
-      def bom(version: 1)
-        raise ArgumentError, "Incorrect version: #{version} should be an integer greater than 0" unless version.to_i > 0
+      def bom(version: 1, trim_strings_length: 0)
+        unless version.to_i.positive?
+          raise ArgumentError,
+                "Incorrect version: #{version} should be an integer greater than 0"
+        end
+
+        unless trim_strings_length.is_a?(Integer) && (trim_strings_length.positive? || trim_strings_length.zero?)
+          raise ArgumentError,
+                "Incorrect string length: #{trim_strings_length} should be an integer greater than 0"
+        end
 
+        unchecked_bom(version: version, trim_strings_length: trim_strings_length)
+      end
+
+      private
+
+      # does not verify parameters because the public method does that.
+      def unchecked_bom(version: 1, trim_strings_length: 0)
         Nokogiri::XML::Builder.new(encoding: 'UTF-8') do |xml|
-          xml.bom('xmlns': NAMESPACE, 'version':  version.to_i.to_s, 'serialNumber': "urn:uuid:#{SecureRandom.uuid}") do
+          xml.bom(xmlns: NAMESPACE, version: version.to_i.to_s, serialNumber: "urn:uuid:#{SecureRandom.uuid}") do
             bom_metadata(xml)
-            xml.components do
-              pods.each do |pod|
-                pod.add_to_bom(xml)
-              end
-            end
 
-            xml.dependencies do
-              bom_dependencies(xml, dependencies)
-            end
+            bom_components(xml, pods, manifest_path, trim_strings_length)
+
+            bom_dependencies(xml, dependencies)
           end
         end.to_xml
       end
 
-      private
+      def bom_components(xml, pods, manifest_path, trim_strings_length)
+        xml.components do
+          pods.each do |pod|
+            pod.add_to_bom(xml, manifest_path, trim_strings_length)
+          end
+        end
+      end
 
       def bom_dependencies(xml, dependencies)
-        dependencies&.each do |key, array|
-          xml.dependency(ref: key) do
-            array.sort.each do |value|
-              xml.dependency(ref: value)
+        xml.dependencies do
+          dependencies&.each do |key, array|
+            xml.dependency(ref: key) do
+              array.sort.each do |value|
+                xml.dependency(ref: value)
+              end
             end
           end
         end
@@ -162,14 +236,18 @@ module CycloneDX
       def bom_metadata(xml)
         xml.metadata do
           xml.timestamp Time.now.getutc.strftime('%Y-%m-%dT%H:%M:%SZ')
-          xml.tools do
-            xml.tool do
-              xml.vendor 'CycloneDX'
-              xml.name 'cyclonedx-cocoapods'
-              xml.version VERSION
-            end
+          bom_tools(xml)
+          component&.add_to_bom(xml)
+        end
+      end
+
+      def bom_tools(xml)
+        xml.tools do
+          xml.tool do
+            xml.vendor 'CycloneDX'
+            xml.name_ 'cyclonedx-cocoapods'
+            xml.version VERSION
           end
-          component.add_to_bom(xml) unless component.nil?
         end
       end
     end

data/lib/cyclonedx/cocoapods/cli_runner.rb

@@ -19,6 +19,7 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 #
 
+require 'English'
 require 'logger'
 require 'optparse'
 
@@ -30,34 +31,26 @@ module CycloneDX
   module CocoaPods
     class BOMOutputError < StandardError; end
 
+    # Interprets CLI parameters and runs the main workflow.
     class CLIRunner
       def run
-        begin
-          setup_logger # Needed in case we have errors while processing CLI parameters
-          options = parseOptions
-          setup_logger(verbose: options[:verbose])
-          @logger.debug "Running cyclonedx-cocoapods with options: #{options}"
-
-          analyzer = PodfileAnalyzer.new(logger: @logger, exclude_test_targets: options[:exclude_test_targets])
-          podfile, lockfile = analyzer.ensure_podfile_and_lock_are_present(options)
-          pods, dependencies = analyzer.parse_pods(podfile, lockfile)
-          analyzer.populate_pods_with_additional_info(pods)
-
-          builder = BOMBuilder.new(pods: pods, component: component_from_options(options), dependencies: dependencies)
-          bom = builder.bom(version: options[:bom_version] || 1)
-          write_bom_to_file(bom: bom, options: options)
-        rescue StandardError => e
-          @logger.error ([e.message] + e.backtrace).join($/)
-          exit 1
-        end
-      end
+        setup_logger # Needed in case we have errors while processing CLI parameters
+        options = parse_options
+        setup_logger(verbose: options[:verbose])
+        @logger.debug "Running cyclonedx-cocoapods with options: #{options}"
 
+        component, pods, manifest_path, dependencies = analyze(options)
 
-      private
+        build_and_write_bom(options, component, pods, manifest_path, dependencies)
+      rescue StandardError => e
+        @logger.error ([e.message] + e.backtrace).join($INPUT_RECORD_SEPARATOR)
+        exit 1
+      end
 
+      private
 
-      def parseOptions
-        parsedOptions = {}
+      def parse_options
+        parsed_options = {}
         component_types = Component::VALID_COMPONENT_TYPES
         OptionParser.new do |options|
           options.banner = <<~BANNER
@@ -71,7 +64,7 @@ module CycloneDX
           BANNER
 
           options.on('--[no-]verbose', 'Show verbose debugging output') do |v|
-            parsedOptions[:verbose] = v
+            parsed_options[:verbose] = v
           end
           options.on('-h', '--help', 'Show help message') do
             puts options
@@ -80,71 +73,128 @@ module CycloneDX
 
           options.separator("\n  BOM Generation")
           options.on('-p', '--path path', 'Path to CocoaPods project directory (default: current directory)') do |path|
-            parsedOptions[:path] = path
+            parsed_options[:path] = path
+          end
+          options.on('-o', '--output bom_file_path',
+                     'Path to output the bom.xml file to (default: "bom.xml")') do |bom_file_path|
+            parsed_options[:bom_file_path] = bom_file_path
           end
-          options.on('-o', '--output bom_file_path', 'Path to output the bom.xml file to (default: "bom.xml")') do |bom_file_path|
-            parsedOptions[:bom_file_path] = bom_file_path
+          options.on('-b', '--bom-version bom_version', Integer,
+                     'Version of the generated BOM (default: "1")') do |version|
+            parsed_options[:bom_version] = version
           end
-          options.on('-b', '--bom-version bom_version', Integer, 'Version of the generated BOM (default: "1")') do |version|
-            parsedOptions[:bom_version] = version
+          options.on('-x', '--exclude-test-targets',
+                     'Eliminate Podfile targets whose name contains the word "test"') do |exclude|
+            parsed_options[:exclude_test_targets] = exclude
           end
-          options.on('-x', '--exclude-test-targets', 'Eliminate Podfile targets whose name contains the word "test"') do |exclude|
-            parsedOptions[:exclude_test_targets] = exclude
+          options.on('-s', '--shortened-strings length', Integer,
+                     'Trim author, publisher, and purl to <length> characters; this may ' \
+                     'cause data loss but can improve compatibility with other systems') do |shortened_strings|
+            parsed_options[:trim_strings_length] = shortened_strings
           end
 
           options.separator("\n  Component Metadata\n")
-          options.on('-n', '--name name', '(If specified version and type are also required) Name of the component for which the BOM is generated') do |name|
-            parsedOptions[:name] = name
+          options.on('-n', '--name name',
+                     '(If specified version and type are also required) Name of the ' \
+                     'component for which the BOM is generated') do |name|
+            parsed_options[:name] = name
           end
           options.on('-v', '--version version', 'Version of the component for which the BOM is generated') do |version|
             begin
               Gem::Version.new(version)
-              parsedOptions[:version] = version
+              parsed_options[:version] = version
             rescue StandardError => e
               raise OptionParser::InvalidArgument, e.message
             end
           end
-          options.on('-t', '--type type', "Type of the component for which the BOM is generated (one of #{component_types.join('|')})") do |type|
-            raise OptionParser::InvalidArgument, "Invalid value for component's type (#{type}). It must be one of #{component_types.join('|')}" unless component_types.include?(type)
-            parsedOptions[:type] = type
+          options.on('-t', '--type type',
+                     'Type of the component for which the BOM is generated ' \
+                     "(one of #{component_types.join('|')})") do |type|
+            unless component_types.include?(type)
+              raise OptionParser::InvalidArgument,
+                    "Invalid value for component's type (#{type}). It must be one of #{component_types.join('|')}"
+            end
+
+            parsed_options[:type] = type
           end
           options.on('-g', '--group group', 'Group of the component for which the BOM is generated') do |group|
-            parsedOptions[:group] = group
+            parsed_options[:group] = group
           end
         end.parse!
 
-        raise OptionParser::InvalidArgument, 'You must also specify --version and --type if --name is provided' if !parsedOptions[:name].nil? && (parsedOptions[:version].nil? || parsedOptions[:type].nil?)
-        return parsedOptions
+        if !parsed_options[:name].nil? && (parsed_options[:version].nil? || parsed_options[:type].nil?)
+          raise OptionParser::InvalidArgument,
+                'You must also specify --version and --type if --name is provided'
+        end
+
+        parsed_options
       end
 
+      def analyze(options)
+        analyzer = PodfileAnalyzer.new(logger: @logger, exclude_test_targets: options[:exclude_test_targets])
+        podfile, lockfile = analyzer.ensure_podfile_and_lock_are_present(options)
+        pods, dependencies = analyzer.parse_pods(podfile, lockfile)
+        analyzer.populate_pods_with_additional_info(pods)
 
-      def component_from_options(options)
-        Component.new(group: options[:group], name: options[:name], version: options[:version], type: options[:type]) if options[:name]
+        component = component_from_options(options)
+
+        unless component.nil?
+          # add top level pods to main component
+          top_deps = analyzer.top_level_deps(podfile, lockfile)
+          dependencies[component.bomref] = top_deps
+        end
+
+        manifest_path = lockfile.defined_in_file
+        if manifest_path.absolute?
+          # Use the folder that we are building in, then the path to the manifest file
+          manifest_path = Pathname.pwd.basename + manifest_path.relative_path_from(Pathname.pwd)
+        end
+
+        [component, pods, manifest_path, dependencies]
       end
 
+      def build_and_write_bom(options, component, pods, manifest_path, dependencies)
+        builder = BOMBuilder.new(pods: pods, manifest_path: manifest_path,
+                                 component: component, dependencies: dependencies)
+        bom = builder.bom(version: options[:bom_version] || 1,
+                          trim_strings_length: options[:trim_strings_length] || 0)
+        write_bom_to_file(bom: bom, options: options)
+      end
+
+      def component_from_options(options)
+        return unless options[:name]
+
+        Component.new(group: options[:group], name: options[:name], version: options[:version],
+                      type: options[:type])
+      end
 
       def setup_logger(verbose: true)
         @logger ||= Logger.new($stdout)
         @logger.level = verbose ? Logger::DEBUG : Logger::INFO
       end
 
-
       def write_bom_to_file(bom:, options:)
+        bom_file_path = prep_for_bom_write(options)
+
+        begin
+          File.write(bom_file_path, bom)
+          @logger.info "BOM written to #{bom_file_path}"
+        rescue StandardError
+          raise BOMOutputError, "Unable to write the BOM to #{bom_file_path}"
+        end
+      end
+
+      def prep_for_bom_write(options)
         bom_file_path = Pathname.new(options[:bom_file_path] || './bom.xml').expand_path
         bom_dir = bom_file_path.dirname
 
         begin
           FileUtils.mkdir_p(bom_dir) unless bom_dir.directory?
-        rescue
+        rescue StandardError
           raise BOMOutputError, "Unable to create the BOM output directory at #{bom_dir}"
         end
 
-        begin
-          File.open(bom_file_path, 'w') { |file| file.write(bom) }
-          @logger.info "BOM written to #{bom_file_path}"
-        rescue
-          raise BOMOutputError, "Unable to write the BOM to #{bom_file_path}"
-        end
+        bom_file_path
       end
     end
   end

data/lib/cyclonedx/cocoapods/component.rb

@@ -24,15 +24,26 @@ module CycloneDX
     class Component
       VALID_COMPONENT_TYPES = %w[application framework library container operating-system device firmware file].freeze
 
-      attr_reader :group, :name, :version, :type
+      attr_reader :group, :name, :version, :type, :bomref
+
+      def initialize(name:, version:, type:, group: nil)
+        raise ArgumentError, 'Group, if specified, must be non empty' if !group.nil? && group.to_s.strip.empty?
+        raise ArgumentError, 'Name must be non empty' if name.nil? || name.to_s.strip.empty?
 
-      def initialize(group: nil, name:, version:, type:)
-        raise ArgumentError, "Group, if specified, must be non empty" if !group.nil? && group.to_s.strip.empty?
-        raise ArgumentError, "Name must be non empty" if name.nil? || name.to_s.strip.empty?
         Gem::Version.new(version) # To check that the version string is well formed
-        raise ArgumentError, "#{type} is not valid component type (#{VALID_COMPONENT_TYPES.join('|')})" unless VALID_COMPONENT_TYPES.include?(type)
+        unless VALID_COMPONENT_TYPES.include?(type)
+          raise ArgumentError, "#{type} is not valid component type (#{VALID_COMPONENT_TYPES.join('|')})"
+        end
+
+        @group = group
+        @name = name
+        @version = version
+        @type = type
+        @bomref = "#{name}@#{version}"
+
+        return if group.nil?
 
-        @group, @name, @version, @type = group, name, version, type
+        @bomref = "#{group}/#{@bomref}"
       end
     end
   end

data/lib/cyclonedx/cocoapods/license.rb

@@ -26,15 +26,13 @@ module CycloneDX
     class Pod
       class License
         SPDX_LICENSES = JSON.parse(File.read("#{__dir__}/spdx-licenses.json")).freeze
-        IDENTIFIER_TYPES = [:id, :name].freeze
+        IDENTIFIER_TYPES = %i[id name].freeze
 
-        attr_reader   :identifier
-        attr_reader   :identifier_type
-        attr_accessor :text
-        attr_accessor :url
+        attr_reader :identifier, :identifier_type
+        attr_accessor :text, :url
 
         def initialize(identifier:)
-          raise ArgumentError, "License identifier must be non empty" if identifier.nil? || identifier.to_s.strip.empty?
+          raise ArgumentError, 'License identifier must be non empty' if identifier.nil? || identifier.to_s.strip.empty?
 
           @identifier = SPDX_LICENSES.find { |license_id| license_id.downcase == identifier.to_s.downcase }
           @identifier_type = @identifier.nil? ? :name : :id

data/lib/cyclonedx/cocoapods/pod.rb

@@ -25,26 +25,40 @@ require_relative 'license'
 module CycloneDX
   module CocoaPods
     class Pod
-      attr_reader :name        # xs:normalizedString
-      attr_reader :version     # xs:normalizedString
-      attr_reader :source      # Anything responding to :source_qualifier
-      attr_reader :homepage    # xs:anyURI - https://cyclonedx.org/docs/1.4/#type_externalReference
-      attr_reader :checksum    # https://cyclonedx.org/docs/1.4/#type_hashValue (We only use SHA-1 hashes - length == 40)
-      attr_reader :author      # xs:normalizedString
-      attr_reader :description # xs:normalizedString
-      attr_reader :license     # https://cyclonedx.org/docs/1.4/#type_licenseType
-                               # We don't currently support several licenses or license expressions https://spdx.github.io/spdx-spec/appendix-IV-SPDX-license-expressions/
+      # xs:normalizedString
+      attr_reader :name
+      # xs:normalizedString
+      attr_reader :version
+      # Anything responding to :source_qualifier
+      attr_reader :source
+      # xs:anyURI - https://cyclonedx.org/docs/1.5/xml/#type_externalReference
+      attr_reader :homepage
+      # https://cyclonedx.org/docs/1.5/xml/#type_hashValue (We only use SHA-1 hashes - length == 40)
+      attr_reader :checksum
+      # xs:normalizedString
+      attr_reader :author
+      # xs:normalizedString
+      attr_reader :description
+      # https://cyclonedx.org/docs/1.5/xml/#type_licenseType
+      # We don't currently support several licenses or license expressions https://spdx.github.io/spdx-spec/appendix-IV-SPDX-license-expressions/
+      attr_reader :license
+
       def initialize(name:, version:, source: nil, checksum: nil)
-        raise ArgumentError, "Name must be non empty" if name.nil? || name.to_s.empty?
+        raise ArgumentError, 'Name must be non empty' if name.nil? || name.to_s.empty?
         raise ArgumentError, "Name shouldn't contain spaces" if name.to_s.include?(' ')
         raise ArgumentError, "Name shouldn't start with a dot" if name.to_s.start_with?('.')
+
         # `pod create` also enforces no plus sign, but more than 500 public pods have a plus in the root name.
         # https://github.com/CocoaPods/CocoaPods/blob/9461b346aeb8cba6df71fd4e71661688138ec21b/lib/cocoapods/command/lib/create.rb#L35
 
         Gem::Version.new(version) # To check that the version string is well formed
-        raise ArgumentError, "Invalid pod source" unless source.nil? || source.respond_to?(:source_qualifier)
+        raise ArgumentError, 'Invalid pod source' unless source.nil? || source.respond_to?(:source_qualifier)
         raise ArgumentError, "#{checksum} is not valid SHA-1 hash" unless checksum.nil? || checksum =~ /[a-fA-F0-9]{40}/
-        @name, @version, @source, @checksum = name.to_s, version, source, checksum
+
+        @name = name.to_s
+        @version = version
+        @source = source
+        @checksum = checksum
       end
 
       def root_name
@@ -61,23 +75,21 @@ module CycloneDX
       end
 
       def to_s
-        "Pod<#{name}, #{version.to_s}>"
+        "Pod<#{name}, #{version}>"
       end
 
       private
 
       def populate_author(attributes)
         authors = attributes[:author] || attributes[:authors]
-        case authors
-        when String
-          @author = authors
-        when Array
-          @author = authors.join(', ')
-        when Hash
-          @author = authors.map { |name, email| "#{name} <#{email}>" }.join(', ')
-        else
-          @author = nil
-        end
+        @author = case authors
+                  when String
+                    authors
+                  when Array
+                    authors.join(', ')
+                  when Hash
+                    authors.map { |name, email| "#{name} <#{email}>" }.join(', ')
+                  end
       end
 
       def populate_description(attributes)
@@ -89,19 +101,23 @@ module CycloneDX
         when String
           @license = License.new(identifier: attributes[:license])
         when Hash
-          attributes[:license].transform_keys!(&:to_sym)
-          identifier = attributes[:license][:type]
-          unless identifier.nil? || identifier.to_s.strip.empty?
-            @license = License.new(identifier: identifier)
-            @license.text = attributes[:license][:text]
-          else
-            @license = nil
-          end
+          populate_hashed_license(attributes)
         else
           @license = nil
         end
       end
 
+      def populate_hashed_license(attributes)
+        attributes[:license].transform_keys!(&:to_sym)
+        identifier = attributes[:license][:type]
+        if identifier.nil? || identifier.to_s.strip.empty?
+          @license = nil
+        else
+          @license = License.new(identifier: identifier)
+          @license.text = attributes[:license][:text]
+        end
+      end
+
       def populate_homepage(attributes)
         @homepage = attributes[:homepage]
       end

data/lib/cyclonedx/cocoapods/pod_attributes.rb

@@ -30,19 +30,35 @@ module CycloneDX
         def self.searchable_source(url:, source_manager:)
           source = CocoaPodsRepository.new(url: url)
           source.source_manager = source_manager
-          return source
+          source
         end
 
         def attributes_for(pod:)
           specification_sets = @source_manager.search_by_name("^#{Regexp.escape(pod.root_name)}$")
-          raise SearchError, "No pod found named #{pod.name}; run 'pod repo update' and try again" if specification_sets.length == 0
-          raise SearchError, "More than one pod found named #{pod.name}; a pod in a private spec repo should not have the same name as a public pod" if specification_sets.length > 1
+          validate_spec_sets(specification_sets, pod)
 
           paths = specification_sets[0].specification_paths_for_version(pod.version)
-          raise SearchError, "Version #{pod.version} not found for pod #{pod.name}; run 'pod repo update' and try again" if paths.length == 0
+          if paths.empty?
+            raise SearchError,
+                  "Version #{pod.version} not found for pod #{pod.name}; run 'pod repo update' and try again"
+          end
 
           ::Pod::Specification.from_file(paths[0]).attributes_hash
         end
+
+        private
+
+        def validate_spec_sets(specification_sets, pod)
+          if specification_sets.empty?
+            raise SearchError,
+                  "No pod found named #{pod.name}; run 'pod repo update' and try again"
+          end
+          return unless specification_sets.length > 1
+
+          raise SearchError,
+                "More than one pod found named #{pod.name}; a pod in a private spec repo " \
+                'should not have the same name as a public pod'
+        end
       end
 
       class GitRepository
@@ -64,7 +80,6 @@ module CycloneDX
       end
     end
 
-
     class Pod
       def complete_information_from_source
         populate(source.attributes_for(pod: self))

data/lib/cyclonedx/cocoapods/podfile_analyzer.rb

@@ -31,36 +31,17 @@ module CycloneDX
   module CocoaPods
     class PodfileParsingError < StandardError; end
 
+    # Uses cocoapods to analyze the Podfile and Podfile.lock for component dependency information
     class PodfileAnalyzer
       def initialize(logger:, exclude_test_targets: false)
         @logger = logger
         @exclude_test_targets = exclude_test_targets
       end
 
-      def load_plugins(podfile_path)
-        podfile_contents = File.read(podfile_path)
-        plugin_syntax = /\s*plugin\s+['"]([^'"]+)['"]/
-        plugin_names = podfile_contents.scan(plugin_syntax).flatten
-
-        plugin_names.each do |plugin_name|
-          @logger.debug("Loading plugin #{plugin_name}")
-          begin
-            plugin_spec = Gem::Specification.find_by_name(plugin_name)
-            plugin_spec.activate if plugin_spec
-            load(plugin_spec.gem_dir + '/lib/cocoapods_plugin.rb') if plugin_spec
-          rescue Gem::LoadError => e
-            @logger.warn("Failed to load plugin #{plugin_name}. #{e.message}")
-          end
-        end
-      end
-
       def ensure_podfile_and_lock_are_present(options)
         project_dir = Pathname.new(options[:path] || Dir.pwd)
-        raise PodfileParsingError, "#{options[:path]} is not a valid directory." unless File.directory?(project_dir)
-        options[:podfile_path] = project_dir + 'Podfile'
-        raise PodfileParsingError, "Missing Podfile in #{project_dir}. Please use the --path option if not running from the CocoaPods project directory." unless File.exist?(options[:podfile_path])
-        options[:podfile_lock_path] = project_dir + 'Podfile.lock'
-        raise PodfileParsingError, "Missing Podfile.lock, please run 'pod install' before generating BOM" unless File.exist?(options[:podfile_lock_path])
+
+        validate_options(project_dir, options)
 
         initialize_cocoapods_config(project_dir)
 
@@ -68,81 +49,145 @@ module CycloneDX
         verify_synced_sandbox(lockfile)
         load_plugins(options[:podfile_path])
 
-        return ::Pod::Podfile.from_file(options[:podfile_path]), lockfile
+        [::Pod::Podfile.from_file(options[:podfile_path]), lockfile]
       end
 
-
       def parse_pods(podfile, lockfile)
         @logger.debug "Parsing pods from #{podfile.defined_in_file}"
         included_pods, dependencies = create_list_of_included_pods(podfile, lockfile)
 
         pods = lockfile.pod_names.select { |name| included_pods.include?(name) }.map do |name|
-          Pod.new(name: name, version: lockfile.version(name), source: source_for_pod(podfile, lockfile, name), checksum: lockfile.checksum(name))
+          Pod.new(name: name, version: lockfile.version(name), source: source_for_pod(podfile, lockfile, name),
+                  checksum: lockfile.checksum(name))
         end
 
-        pod_dependencies = { }
-        dependencies.each {|key, value|
-          if lockfile.pod_names.include? key
-            pod = Pod.new(name: key, version: lockfile.version(key), source: source_for_pod(podfile, lockfile, key), checksum: lockfile.checksum(key))
+        pod_dependencies = parse_dependencies(dependencies, podfile, lockfile)
 
-            pod_dependencies[pod.purl] = lockfile.pod_names.select { |name| value.include?(name) }.map do |name|
-              pod = Pod.new(name: name, version: lockfile.version(name), source: source_for_pod(podfile, lockfile, name), checksum: lockfile.checksum(name))
-              pod.purl
-            end
-          end
-        }
-
-        return pods, pod_dependencies
+        [pods, pod_dependencies]
       end
 
-
       def populate_pods_with_additional_info(pods)
         pods.each do |pod|
           @logger.debug "Completing information for #{pod.name}"
           pod.complete_information_from_source
         end
-        return pods
+        pods
+      end
+
+      def top_level_deps(podfile, lockfile)
+        pods_used = top_level_pods(podfile)
+        dependencies_for_pod(pods_used, podfile, lockfile)
       end
 
       private
 
+      def load_plugins(podfile_path)
+        podfile_contents = File.read(podfile_path)
+        plugin_syntax = /\s*plugin\s+['"]([^'"]+)['"]/
+        plugin_names = podfile_contents.scan(plugin_syntax).flatten
+
+        plugin_names.each do |plugin_name|
+          load_one_plugin(plugin_name)
+        end
+      end
+
+      def load_one_plugin(plugin_name)
+        @logger.debug("Loading plugin #{plugin_name}")
+        begin
+          plugin_spec = Gem::Specification.find_by_name(plugin_name)
+          plugin_spec&.activate
+          load("#{plugin_spec.gem_dir}/lib/cocoapods_plugin.rb") if plugin_spec
+        rescue Gem::LoadError => e
+          @logger.warn("Failed to load plugin #{plugin_name}. #{e.message}")
+        end
+      end
+
+      def validate_options(project_dir, options)
+        raise PodfileParsingError, "#{options[:path]} is not a valid directory." unless File.directory?(project_dir)
+
+        options[:podfile_path] = project_dir + 'Podfile'
+        unless File.exist?(options[:podfile_path])
+          raise PodfileParsingError, "Missing Podfile in #{project_dir}. Please use the --path option if " \
+                                     'not running from the CocoaPods project directory.'
+        end
+
+        options[:podfile_lock_path] = project_dir + 'Podfile.lock'
+        return if File.exist?(options[:podfile_lock_path])
+
+        raise PodfileParsingError, "Missing Podfile.lock, please run 'pod install' before generating BOM"
+      end
+
+      def parse_dependencies(dependencies, podfile, lockfile)
+        pod_dependencies = {}
+        dependencies.each do |key, podname_array|
+          next unless lockfile.pod_names.include? key
+
+          pod = Pod.new(name: key, version: lockfile.version(key), source: source_for_pod(podfile, lockfile, key),
+                        checksum: lockfile.checksum(key))
+
+          pod_dependencies[pod.purl] = dependencies_for_pod(podname_array, podfile, lockfile)
+        end
+
+        pod_dependencies
+      end
+
+      def dependencies_for_pod(podname_array, podfile, lockfile)
+        lockfile.pod_names.select { |name| podname_array.include?(name) }.map do |name|
+          pod = Pod.new(name: name,
+                        version: lockfile.version(name),
+                        source: source_for_pod(podfile, lockfile, name),
+                        checksum: lockfile.checksum(name))
+          pod.purl
+        end
+      end
 
       def initialize_cocoapods_config(project_dir)
+        # First, reset the ::Pod::Config instance in case we need to use this analyzer on multiple pods
+        ::Pod::Config.instance = nil
         ::Pod::Config.instance.installation_root = project_dir
       end
 
-
       def verify_synced_sandbox(lockfile)
-        manifestFile = ::Pod::Config.instance.sandbox.manifest
-        raise PodfileParsingError, "Missing Manifest.lock, please run 'pod install' before generating BOM" if manifestFile.nil?
-        raise PodfileParsingError, "The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation." unless lockfile == manifestFile
+        manifest_file = ::Pod::Config.instance.sandbox.manifest
+        if manifest_file.nil?
+          raise PodfileParsingError,
+                "Missing Manifest.lock, please run 'pod install' before generating BOM"
+        end
+        return if lockfile == manifest_file
+
+        raise PodfileParsingError,
+              "The sandbox is not in sync with the Podfile.lock. Run 'pod install' " \
+              'or update your CocoaPods installation.'
       end
 
       def simple_hash_of_lockfile_pods(lockfile)
-        pods_hash = { }
+        pods_hash = {}
 
         pods_used = lockfile.internal_data['PODS']
-        pods_used&.each { |pod|
-          if pod.is_a?(String)
-            # Pods stored as String have no dependencies
-            pod_name = pod.split.first
-            pods_hash[pod_name] = []
-          else
-            # Pods stored as a hash have pod name and dependencies.
-            pod.each { |pod, dependencies|
-              pod_name = pod.split.first
-              pods_hash[pod_name] = dependencies.map { |d| d.split.first }
-            }
-          end
-        }
+        pods_used&.each do |pod|
+          map_single_pod(pod, pods_hash)
+        end
         pods_hash
       end
 
+      def map_single_pod(pod, pods_hash)
+        if pod.is_a?(String)
+          # Pods stored as String have no dependencies
+          pod_name = pod.split.first
+          pods_hash[pod_name] = []
+        else
+          # Pods stored as a hash have pod name and dependencies.
+          pod.each do |pod, dependencies|
+            pod_name = pod.split.first
+            pods_hash[pod_name] = dependencies.map { |d| d.split.first }
+          end
+        end
+      end
 
       def append_all_pod_dependencies(pods_used, pods_cache)
         result = pods_used
         original_number = 0
-        dependencies_hash = { }
+        dependencies_hash = {}
 
         # Loop adding pod dependencies until we are not adding any more dependencies to the result
         # This brings in all the transitive dependencies of every top level pod.
@@ -152,76 +197,83 @@ module CycloneDX
         while result.length != original_number
           original_number = result.length
 
-          pods_used.each { |pod_name|
+          pods_used.each do |pod_name|
             if pods_cache.key?(pod_name)
               result.push(*pods_cache[pod_name])
               dependencies_hash[pod_name] = pods_cache[pod_name].empty? ? [] : pods_cache[pod_name]
             end
-          }
+          end
 
           result = result.uniq
-          # maybe additional dependency processing needed here???
           pods_used = result
         end
 
-        return result, dependencies_hash
+        [result, dependencies_hash]
+      end
+
+      def top_level_pods(podfile)
+        included_targets = podfile.target_definition_list.select { |target| include_target_named(target.label) }
+        included_target_names = included_targets.map(&:label)
+        @logger.debug "Including all pods for targets: #{included_target_names}"
+
+        top_level_deps = included_targets.map(&:dependencies).flatten.uniq
+        top_level_deps.map(&:name).uniq
       end
 
       def create_list_of_included_pods(podfile, lockfile)
         pods_cache = simple_hash_of_lockfile_pods(lockfile)
 
-        includedTargets = podfile.target_definition_list.select{ |target| include_target_named(target.label) }
-        includedTargetNames = includedTargets.map { |target| target.label }
-        @logger.debug "Including all pods for targets: #{includedTargetNames}"
-
-        topLevelDeps = includedTargets.map(&:dependencies).flatten.uniq
-        pods_used = topLevelDeps.map(&:name).uniq
+        pods_used = top_level_pods(podfile)
         pods_used, dependencies = append_all_pod_dependencies(pods_used, pods_cache)
 
-        return pods_used.sort, dependencies
+        [pods_used.sort, dependencies]
       end
 
-
       def include_target_named(targetname)
-          !@exclude_test_targets || !targetname.downcase.include?('test')
+        !@exclude_test_targets || !targetname.downcase.include?('test')
       end
 
-
       def cocoapods_repository_source(podfile, lockfile, pod_name)
         @source_manager ||= create_source_manager(podfile)
-        return Source::CocoaPodsRepository.searchable_source(url: lockfile.spec_repo(pod_name), source_manager: @source_manager)
+        Source::CocoaPodsRepository.searchable_source(url: lockfile.spec_repo(pod_name),
+                                                      source_manager: @source_manager)
       end
 
-
       def git_source(lockfile, pod_name)
         checkout_options = lockfile.checkout_options_for_pod_named(pod_name)
         url = checkout_options[:git]
-        [:tag, :branch, :commit].each do |type|
-          return Source::GitRepository.new(url: url, type: type, label: checkout_options[type]) if checkout_options[type]
+        %i[tag branch commit].each do |type|
+          if checkout_options[type]
+            return Source::GitRepository.new(url: url, type: type,
+                                             label: checkout_options[type])
+          end
         end
-        return Source::GitRepository.new(url: url)
+        Source::GitRepository.new(url: url)
       end
 
-
       def source_for_pod(podfile, lockfile, pod_name)
         root_name = pod_name.split('/').first
         return cocoapods_repository_source(podfile, lockfile, root_name) unless lockfile.spec_repo(root_name).nil?
         return git_source(lockfile, root_name) unless lockfile.checkout_options_for_pod_named(root_name).nil?
-        return Source::LocalPod.new(path: lockfile.to_hash['EXTERNAL SOURCES'][root_name][:path]) if lockfile.to_hash['EXTERNAL SOURCES'][root_name][:path]
-        return Source::Podspec.new(url: lockfile.to_hash['EXTERNAL SOURCES'][root_name][:podspec]) if lockfile.to_hash['EXTERNAL SOURCES'][root_name][:podspec]
-        return nil
-      end
+        if lockfile.to_hash['EXTERNAL SOURCES'][root_name][:path]
+          return Source::LocalPod.new(path: lockfile.to_hash['EXTERNAL SOURCES'][root_name][:path])
+        end
+        if lockfile.to_hash['EXTERNAL SOURCES'][root_name][:podspec]
+          return Source::Podspec.new(url: lockfile.to_hash['EXTERNAL SOURCES'][root_name][:podspec])
+        end
 
+        nil
+      end
 
       def create_source_manager(podfile)
-        sourceManager = ::Pod::Source::Manager.new(::Pod::Config::instance.repos_dir)
+        source_manager = ::Pod::Source::Manager.new(::Pod::Config.instance.repos_dir)
         @logger.debug "Parsing sources from #{podfile.defined_in_file}"
         podfile.sources.each do |source|
           @logger.debug "Ensuring #{source} is available for searches"
-          sourceManager.find_or_create_source_with_url(source)
+          source_manager.find_or_create_source_with_url(source)
         end
-        @logger.debug "Source manager successfully created with all needed sources"
-        return sourceManager
+        @logger.debug 'Source manager successfully created with all needed sources'
+        source_manager
       end
     end
   end

data/lib/cyclonedx/cocoapods/source.rb

@@ -31,13 +31,16 @@ module CycloneDX
       end
 
       class GitRepository
-        VALID_TYPES = [:branch, :tag, :commit].freeze
+        VALID_TYPES = %i[branch tag commit].freeze
 
         attr_reader :url, :type, :label
 
         def initialize(url:, type: nil, label: nil)
-          raise ArgumentError, "Invalid checkout information" if !type.nil? && !VALID_TYPES.include?(type)
-          @url, @type, @label = url, type, label
+          raise ArgumentError, 'Invalid checkout information' if !type.nil? && !VALID_TYPES.include?(type)
+
+          @url = url
+          @type = type
+          @label = label
         end
       end
 

data/lib/cyclonedx/cocoapods/version.rb

@@ -21,6 +21,6 @@
 
 module CycloneDX
   module CocoaPods
-    VERSION = '1.2.0'
+    VERSION = '1.4.0'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cyclonedx-cocoapods
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.4.0
 platform: ruby
 authors:
 - José González
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-01-06 00:00:00.000000000 Z
+date: 2024-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cocoapods
@@ -52,47 +52,47 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: equivalent-xml
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13.0'
+        version: 0.6.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '13.0'
+        version: 0.6.0
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
-  name: equivalent-xml
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: '3.0'
 description: CycloneDX is a lightweight software bill-of-material (SBOM) specification
   designed for use in application security contexts and supply chain component analysis.
   This Gem generates CycloneDX BOMs from CocoaPods projects.
@@ -140,7 +140,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.5.16
 signing_key:
 specification_version: 4
 summary: CycloneDX software bill-of-material (SBOM) generation utility