cyclonedx-cocoapods 1.3.0 → 1.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/lib/cyclonedx/cocoapods/bom_builder.rb +33 -11
- data/lib/cyclonedx/cocoapods/cli_runner.rb +20 -5
- data/lib/cyclonedx/cocoapods/component.rb +6 -1
- data/lib/cyclonedx/cocoapods/podfile_analyzer.rb +15 -4
- data/lib/cyclonedx/cocoapods/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4b3c1577d54844759e40218fb3b0876014aa8a2eac1a8ea2be2512cab13d79f9
|
|
4
|
+
data.tar.gz: dd99bd2aa09a1d6ecd956fdd3118a064df6662026b6816ee86f9a2f553347068
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5e82c25c27de0fbede464d04a06b9b7f06c3fc79550041835395c6fe5aa32a0f1c4bba1d391b988ff6d39107f696960f064730de43ef8c0f0e8000d576cd1010
|
|
7
|
+
data.tar.gz: '048fa99979dd4e606b4952412dad3675bad2ebe3e45eccd8513089f18908d5594213031cb85130434f002d7a8edbafbb67818e602c648b49137768e8085c445b'
|
data/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
|
|
|
4
4
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
5
5
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
6
6
|
|
|
7
|
+
## [1.4.0]
|
|
8
|
+
|
|
9
|
+
### Added
|
|
10
|
+
- Added `evidence` element to the component output to indicate that we are doing manifest analysis to generate the bom. ([Issue #69](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/69)) [@macblazer](https://github.com/macblazer).
|
|
11
|
+
|
|
12
|
+
### Fixed
|
|
13
|
+
- Added top level dependencies when the metadata/component is specified (by using the `--name`, `--version`, and `--type` parameters). ([PR #70](https://github.com/CycloneDX/cyclonedx-cocoapods/pull/70)) [@fnxpt](https://github.com/fnxpt)
|
|
14
|
+
- Properly concatenate paths to Podfile and Podfile.lock (with unit tests!). ([Issue #71](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/71)) [@macblazer](https://github.com/macblazer).
|
|
15
|
+
|
|
7
16
|
## [1.3.0]
|
|
8
17
|
|
|
9
18
|
### Added
|
|
@@ -104,10 +104,28 @@ module CycloneDX
|
|
|
104
104
|
end
|
|
105
105
|
end
|
|
106
106
|
|
|
107
|
-
|
|
107
|
+
# Add evidence of the purl identity.
|
|
108
|
+
# See https://github.com/CycloneDX/guides/blob/main/SBOM/en/0x60-Evidence.md for more info
|
|
109
|
+
def xml_add_evidence(xml, manifest_path)
|
|
110
|
+
xml.evidence do
|
|
111
|
+
xml.identity do
|
|
112
|
+
xml.field 'purl'
|
|
113
|
+
xml.confidence '0.6'
|
|
114
|
+
xml.methods_ do
|
|
115
|
+
xml.method_ do
|
|
116
|
+
xml.technique 'manifest-analysis'
|
|
117
|
+
xml.confidence '0.6'
|
|
118
|
+
xml.value manifest_path
|
|
119
|
+
end
|
|
120
|
+
end
|
|
121
|
+
end
|
|
122
|
+
end
|
|
123
|
+
end
|
|
124
|
+
|
|
125
|
+
def add_to_bom(xml, manifest_path, trim_strings_length = 0)
|
|
108
126
|
xml.component(type: 'library', 'bom-ref': purl) do
|
|
109
127
|
xml_add_author(xml, trim_strings_length)
|
|
110
|
-
xml.
|
|
128
|
+
xml.name_ name
|
|
111
129
|
xml.version version.to_s
|
|
112
130
|
xml.description { xml.cdata description } unless description.nil?
|
|
113
131
|
unless checksum.nil?
|
|
@@ -126,6 +144,8 @@ module CycloneDX
|
|
|
126
144
|
xml.purl purl.slice(0, trim_strings_length)
|
|
127
145
|
end
|
|
128
146
|
xml_add_homepage(xml)
|
|
147
|
+
|
|
148
|
+
xml_add_evidence(xml, manifest_path)
|
|
129
149
|
end
|
|
130
150
|
end
|
|
131
151
|
|
|
@@ -133,7 +153,7 @@ module CycloneDX
|
|
|
133
153
|
def add_to_bom(xml)
|
|
134
154
|
xml.license do
|
|
135
155
|
xml.id identifier if identifier_type == :id
|
|
136
|
-
xml.
|
|
156
|
+
xml.name_ identifier if identifier_type == :name
|
|
137
157
|
xml.text_ text unless text.nil?
|
|
138
158
|
xml.url url unless url.nil?
|
|
139
159
|
end
|
|
@@ -143,21 +163,23 @@ module CycloneDX
|
|
|
143
163
|
|
|
144
164
|
class Component
|
|
145
165
|
def add_to_bom(xml)
|
|
146
|
-
xml.component(type: type) do
|
|
166
|
+
xml.component(type: type, 'bom-ref': bomref) do
|
|
147
167
|
xml.group group unless group.nil?
|
|
148
|
-
xml.
|
|
168
|
+
xml.name_ name
|
|
149
169
|
xml.version version
|
|
150
170
|
end
|
|
151
171
|
end
|
|
152
172
|
end
|
|
153
173
|
|
|
174
|
+
# Turns the internal model data into an XML bom.
|
|
154
175
|
class BOMBuilder
|
|
155
176
|
NAMESPACE = 'http://cyclonedx.org/schema/bom/1.5'
|
|
156
177
|
|
|
157
|
-
attr_reader :component, :pods, :dependencies
|
|
178
|
+
attr_reader :component, :pods, :manifest_path, :dependencies
|
|
158
179
|
|
|
159
|
-
def initialize(pods:, component: nil, dependencies: nil)
|
|
180
|
+
def initialize(pods:, manifest_path:, component: nil, dependencies: nil)
|
|
160
181
|
@pods = pods.sort_by(&:purl)
|
|
182
|
+
@manifest_path = manifest_path
|
|
161
183
|
@component = component
|
|
162
184
|
@dependencies = dependencies&.sort
|
|
163
185
|
end
|
|
@@ -184,17 +206,17 @@ module CycloneDX
|
|
|
184
206
|
xml.bom(xmlns: NAMESPACE, version: version.to_i.to_s, serialNumber: "urn:uuid:#{SecureRandom.uuid}") do
|
|
185
207
|
bom_metadata(xml)
|
|
186
208
|
|
|
187
|
-
bom_components(xml, pods, trim_strings_length)
|
|
209
|
+
bom_components(xml, pods, manifest_path, trim_strings_length)
|
|
188
210
|
|
|
189
211
|
bom_dependencies(xml, dependencies)
|
|
190
212
|
end
|
|
191
213
|
end.to_xml
|
|
192
214
|
end
|
|
193
215
|
|
|
194
|
-
def bom_components(xml, pods, trim_strings_length)
|
|
216
|
+
def bom_components(xml, pods, manifest_path, trim_strings_length)
|
|
195
217
|
xml.components do
|
|
196
218
|
pods.each do |pod|
|
|
197
|
-
pod.add_to_bom(xml, trim_strings_length)
|
|
219
|
+
pod.add_to_bom(xml, manifest_path, trim_strings_length)
|
|
198
220
|
end
|
|
199
221
|
end
|
|
200
222
|
end
|
|
@@ -223,7 +245,7 @@ module CycloneDX
|
|
|
223
245
|
xml.tools do
|
|
224
246
|
xml.tool do
|
|
225
247
|
xml.vendor 'CycloneDX'
|
|
226
|
-
xml.
|
|
248
|
+
xml.name_ 'cyclonedx-cocoapods'
|
|
227
249
|
xml.version VERSION
|
|
228
250
|
end
|
|
229
251
|
end
|
|
@@ -39,9 +39,9 @@ module CycloneDX
|
|
|
39
39
|
setup_logger(verbose: options[:verbose])
|
|
40
40
|
@logger.debug "Running cyclonedx-cocoapods with options: #{options}"
|
|
41
41
|
|
|
42
|
-
pods, dependencies = analyze(options)
|
|
42
|
+
component, pods, manifest_path, dependencies = analyze(options)
|
|
43
43
|
|
|
44
|
-
build_and_write_bom(options, pods, dependencies)
|
|
44
|
+
build_and_write_bom(options, component, pods, manifest_path, dependencies)
|
|
45
45
|
rescue StandardError => e
|
|
46
46
|
@logger.error ([e.message] + e.backtrace).join($INPUT_RECORD_SEPARATOR)
|
|
47
47
|
exit 1
|
|
@@ -136,11 +136,26 @@ module CycloneDX
|
|
|
136
136
|
pods, dependencies = analyzer.parse_pods(podfile, lockfile)
|
|
137
137
|
analyzer.populate_pods_with_additional_info(pods)
|
|
138
138
|
|
|
139
|
-
|
|
139
|
+
component = component_from_options(options)
|
|
140
|
+
|
|
141
|
+
unless component.nil?
|
|
142
|
+
# add top level pods to main component
|
|
143
|
+
top_deps = analyzer.top_level_deps(podfile, lockfile)
|
|
144
|
+
dependencies[component.bomref] = top_deps
|
|
145
|
+
end
|
|
146
|
+
|
|
147
|
+
manifest_path = lockfile.defined_in_file
|
|
148
|
+
if manifest_path.absolute?
|
|
149
|
+
# Use the folder that we are building in, then the path to the manifest file
|
|
150
|
+
manifest_path = Pathname.pwd.basename + manifest_path.relative_path_from(Pathname.pwd)
|
|
151
|
+
end
|
|
152
|
+
|
|
153
|
+
[component, pods, manifest_path, dependencies]
|
|
140
154
|
end
|
|
141
155
|
|
|
142
|
-
def build_and_write_bom(options, pods, dependencies)
|
|
143
|
-
builder = BOMBuilder.new(pods: pods,
|
|
156
|
+
def build_and_write_bom(options, component, pods, manifest_path, dependencies)
|
|
157
|
+
builder = BOMBuilder.new(pods: pods, manifest_path: manifest_path,
|
|
158
|
+
component: component, dependencies: dependencies)
|
|
144
159
|
bom = builder.bom(version: options[:bom_version] || 1,
|
|
145
160
|
trim_strings_length: options[:trim_strings_length] || 0)
|
|
146
161
|
write_bom_to_file(bom: bom, options: options)
|
|
@@ -24,7 +24,7 @@ module CycloneDX
|
|
|
24
24
|
class Component
|
|
25
25
|
VALID_COMPONENT_TYPES = %w[application framework library container operating-system device firmware file].freeze
|
|
26
26
|
|
|
27
|
-
attr_reader :group, :name, :version, :type
|
|
27
|
+
attr_reader :group, :name, :version, :type, :bomref
|
|
28
28
|
|
|
29
29
|
def initialize(name:, version:, type:, group: nil)
|
|
30
30
|
raise ArgumentError, 'Group, if specified, must be non empty' if !group.nil? && group.to_s.strip.empty?
|
|
@@ -39,6 +39,11 @@ module CycloneDX
|
|
|
39
39
|
@name = name
|
|
40
40
|
@version = version
|
|
41
41
|
@type = type
|
|
42
|
+
@bomref = "#{name}@#{version}"
|
|
43
|
+
|
|
44
|
+
return if group.nil?
|
|
45
|
+
|
|
46
|
+
@bomref = "#{group}/#{@bomref}"
|
|
42
47
|
end
|
|
43
48
|
end
|
|
44
49
|
end
|
|
@@ -74,6 +74,11 @@ module CycloneDX
|
|
|
74
74
|
pods
|
|
75
75
|
end
|
|
76
76
|
|
|
77
|
+
def top_level_deps(podfile, lockfile)
|
|
78
|
+
pods_used = top_level_pods(podfile)
|
|
79
|
+
dependencies_for_pod(pods_used, podfile, lockfile)
|
|
80
|
+
end
|
|
81
|
+
|
|
77
82
|
private
|
|
78
83
|
|
|
79
84
|
def load_plugins(podfile_path)
|
|
@@ -137,6 +142,8 @@ module CycloneDX
|
|
|
137
142
|
end
|
|
138
143
|
|
|
139
144
|
def initialize_cocoapods_config(project_dir)
|
|
145
|
+
# First, reset the ::Pod::Config instance in case we need to use this analyzer on multiple pods
|
|
146
|
+
::Pod::Config.instance = nil
|
|
140
147
|
::Pod::Config.instance.installation_root = project_dir
|
|
141
148
|
end
|
|
142
149
|
|
|
@@ -204,15 +211,19 @@ module CycloneDX
|
|
|
204
211
|
[result, dependencies_hash]
|
|
205
212
|
end
|
|
206
213
|
|
|
207
|
-
def
|
|
208
|
-
pods_cache = simple_hash_of_lockfile_pods(lockfile)
|
|
209
|
-
|
|
214
|
+
def top_level_pods(podfile)
|
|
210
215
|
included_targets = podfile.target_definition_list.select { |target| include_target_named(target.label) }
|
|
211
216
|
included_target_names = included_targets.map(&:label)
|
|
212
217
|
@logger.debug "Including all pods for targets: #{included_target_names}"
|
|
213
218
|
|
|
214
219
|
top_level_deps = included_targets.map(&:dependencies).flatten.uniq
|
|
215
|
-
|
|
220
|
+
top_level_deps.map(&:name).uniq
|
|
221
|
+
end
|
|
222
|
+
|
|
223
|
+
def create_list_of_included_pods(podfile, lockfile)
|
|
224
|
+
pods_cache = simple_hash_of_lockfile_pods(lockfile)
|
|
225
|
+
|
|
226
|
+
pods_used = top_level_pods(podfile)
|
|
216
227
|
pods_used, dependencies = append_all_pod_dependencies(pods_used, pods_cache)
|
|
217
228
|
|
|
218
229
|
[pods_used.sort, dependencies]
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cyclonedx-cocoapods
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- José González
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: exe
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2024-
|
|
12
|
+
date: 2024-10-15 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: cocoapods
|
|
@@ -140,7 +140,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
140
140
|
- !ruby/object:Gem::Version
|
|
141
141
|
version: '0'
|
|
142
142
|
requirements: []
|
|
143
|
-
rubygems_version: 3.5.
|
|
143
|
+
rubygems_version: 3.5.16
|
|
144
144
|
signing_key:
|
|
145
145
|
specification_version: 4
|
|
146
146
|
summary: CycloneDX software bill-of-material (SBOM) generation utility
|