cyclonedx-cocoapods 1.3.0 → 1.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5b02ca712eff5c74b3c7a4e3c59ab7a402a87cf2f3053be388f64a702ca0d3a1
-  data.tar.gz: ca6e3d81e4b255dfcd43add1017e1b5dc939274544b6bade803da0246c544ebc
+  metadata.gz: 84ed77501efec7ca77fce507dd1dbc4a29ffb4b8cf45fc6b942eafe3901af95a
+  data.tar.gz: 85204bb25786de11c3dc7ec302d016431ebecd7078149081a6b294ba65f756aa
 SHA512:
-  metadata.gz: 74af3ed1ceded419670e4e4cc2b69a955730f963ef92510159505809a02681ae39347c91a24ac99d988f142f987465998fdd4bf4629e799d0dc33e01f96fbb9a
-  data.tar.gz: b1ce5ceae85c7b3ff993109203a53f9f7fa61397f8d58f6b18220ee2ed5e866ab1bc210b6ac48b375de3ec49e6928abe2245413fac56b437403317fb1c2ba783
+  metadata.gz: 7f4b84eb0a11f7f6488fe9fccef7806e786db41ea647806046b729b39952172175df7b8884b17c60e5cac0b246a9bfc6e56d8e53f69b3ad9521c9cde0f19726b
+  data.tar.gz: f719564347931af554dbc2705022a548405bbd95320db5c094f5616166a46ecd830d8fddedcaebd9e24fd76ff6e8be2e1917d3a3be8bc6ede3f21e77e763af77

data/CHANGELOG.md

@@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.4.1]
+
+### Changed
+- Minimum Ruby version is now v2.6.3 so the [Array.union](https://apidock.com/ruby/v2_6_3/Array/union) function can be used.
+
+### Fixed
+- Improved performance when analyzing a Podfile with many pods. ([Issue #78](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/78)) [@macblazer](https://github.com/macblazer).
+
+## [1.4.0]
+
+### Added
+- Added `evidence` element to the component output to indicate that we are doing manifest analysis to generate the bom. ([Issue #69](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/69)) [@macblazer](https://github.com/macblazer).
+
+### Fixed
+- Added top level dependencies when the metadata/component is specified (by using the `--name`, `--version`, and `--type` parameters). ([PR #70](https://github.com/CycloneDX/cyclonedx-cocoapods/pull/70)) [@fnxpt](https://github.com/fnxpt)
+- Properly concatenate paths to Podfile and Podfile.lock (with unit tests!). ([Issue #71](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/71)) [@macblazer](https://github.com/macblazer).
+
 ## [1.3.0]
 
 ### Added

data/lib/cyclonedx/cocoapods/bom_builder.rb

@@ -104,10 +104,28 @@ module CycloneDX
         end
       end
 
-      def add_to_bom(xml, trim_strings_length = 0)
+      # Add evidence of the purl identity.
+      # See https://github.com/CycloneDX/guides/blob/main/SBOM/en/0x60-Evidence.md for more info
+      def xml_add_evidence(xml, manifest_path)
+        xml.evidence do
+          xml.identity do
+            xml.field 'purl'
+            xml.confidence '0.6'
+            xml.methods_ do
+              xml.method_ do
+                xml.technique 'manifest-analysis'
+                xml.confidence '0.6'
+                xml.value manifest_path
+              end
+            end
+          end
+        end
+      end
+
+      def add_to_bom(xml, manifest_path, trim_strings_length = 0)
         xml.component(type: 'library', 'bom-ref': purl) do
           xml_add_author(xml, trim_strings_length)
-          xml.name name
+          xml.name_ name
           xml.version version.to_s
           xml.description { xml.cdata description } unless description.nil?
           unless checksum.nil?
@@ -126,6 +144,8 @@ module CycloneDX
             xml.purl purl.slice(0, trim_strings_length)
           end
           xml_add_homepage(xml)
+
+          xml_add_evidence(xml, manifest_path)
         end
       end
 
@@ -133,7 +153,7 @@ module CycloneDX
         def add_to_bom(xml)
           xml.license do
             xml.id identifier if identifier_type == :id
-            xml.name identifier if identifier_type == :name
+            xml.name_ identifier if identifier_type == :name
             xml.text_ text unless text.nil?
             xml.url url unless url.nil?
           end
@@ -143,21 +163,23 @@ module CycloneDX
 
     class Component
       def add_to_bom(xml)
-        xml.component(type: type) do
+        xml.component(type: type, 'bom-ref': bomref) do
           xml.group group unless group.nil?
-          xml.name name
+          xml.name_ name
           xml.version version
         end
       end
     end
 
+    # Turns the internal model data into an XML bom.
     class BOMBuilder
       NAMESPACE = 'http://cyclonedx.org/schema/bom/1.5'
 
-      attr_reader :component, :pods, :dependencies
+      attr_reader :component, :pods, :manifest_path, :dependencies
 
-      def initialize(pods:, component: nil, dependencies: nil)
+      def initialize(pods:, manifest_path:, component: nil, dependencies: nil)
         @pods = pods.sort_by(&:purl)
+        @manifest_path = manifest_path
         @component = component
         @dependencies = dependencies&.sort
       end
@@ -184,17 +206,17 @@ module CycloneDX
           xml.bom(xmlns: NAMESPACE, version: version.to_i.to_s, serialNumber: "urn:uuid:#{SecureRandom.uuid}") do
             bom_metadata(xml)
 
-            bom_components(xml, pods, trim_strings_length)
+            bom_components(xml, pods, manifest_path, trim_strings_length)
 
             bom_dependencies(xml, dependencies)
           end
         end.to_xml
       end
 
-      def bom_components(xml, pods, trim_strings_length)
+      def bom_components(xml, pods, manifest_path, trim_strings_length)
         xml.components do
           pods.each do |pod|
-            pod.add_to_bom(xml, trim_strings_length)
+            pod.add_to_bom(xml, manifest_path, trim_strings_length)
           end
         end
       end
@@ -223,7 +245,7 @@ module CycloneDX
         xml.tools do
           xml.tool do
             xml.vendor 'CycloneDX'
-            xml.name 'cyclonedx-cocoapods'
+            xml.name_ 'cyclonedx-cocoapods'
             xml.version VERSION
           end
         end

data/lib/cyclonedx/cocoapods/cli_runner.rb

@@ -39,9 +39,9 @@ module CycloneDX
         setup_logger(verbose: options[:verbose])
         @logger.debug "Running cyclonedx-cocoapods with options: #{options}"
 
-        pods, dependencies = analyze(options)
+        component, pods, manifest_path, dependencies = analyze(options)
 
-        build_and_write_bom(options, pods, dependencies)
+        build_and_write_bom(options, component, pods, manifest_path, dependencies)
       rescue StandardError => e
         @logger.error ([e.message] + e.backtrace).join($INPUT_RECORD_SEPARATOR)
         exit 1
@@ -100,12 +100,10 @@ module CycloneDX
             parsed_options[:name] = name
           end
           options.on('-v', '--version version', 'Version of the component for which the BOM is generated') do |version|
-            begin
-              Gem::Version.new(version)
-              parsed_options[:version] = version
-            rescue StandardError => e
-              raise OptionParser::InvalidArgument, e.message
-            end
+            Gem::Version.new(version)
+            parsed_options[:version] = version
+          rescue StandardError => e
+            raise OptionParser::InvalidArgument, e.message
           end
           options.on('-t', '--type type',
                      'Type of the component for which the BOM is generated ' \
@@ -136,11 +134,26 @@ module CycloneDX
         pods, dependencies = analyzer.parse_pods(podfile, lockfile)
         analyzer.populate_pods_with_additional_info(pods)
 
-        [pods, dependencies]
+        component = component_from_options(options)
+
+        unless component.nil?
+          # add top level pods to main component
+          top_deps = analyzer.top_level_deps(podfile, lockfile)
+          dependencies[component.bomref] = top_deps
+        end
+
+        manifest_path = lockfile.defined_in_file
+        if manifest_path.absolute?
+          # Use the folder that we are building in, then the path to the manifest file
+          manifest_path = Pathname.pwd.basename + manifest_path.relative_path_from(Pathname.pwd)
+        end
+
+        [component, pods, manifest_path, dependencies]
       end
 
-      def build_and_write_bom(options, pods, dependencies)
-        builder = BOMBuilder.new(pods: pods, component: component_from_options(options), dependencies: dependencies)
+      def build_and_write_bom(options, component, pods, manifest_path, dependencies)
+        builder = BOMBuilder.new(pods: pods, manifest_path: manifest_path,
+                                 component: component, dependencies: dependencies)
         bom = builder.bom(version: options[:bom_version] || 1,
                           trim_strings_length: options[:trim_strings_length] || 0)
         write_bom_to_file(bom: bom, options: options)

data/lib/cyclonedx/cocoapods/component.rb

@@ -24,7 +24,7 @@ module CycloneDX
     class Component
       VALID_COMPONENT_TYPES = %w[application framework library container operating-system device firmware file].freeze
 
-      attr_reader :group, :name, :version, :type
+      attr_reader :group, :name, :version, :type, :bomref
 
       def initialize(name:, version:, type:, group: nil)
         raise ArgumentError, 'Group, if specified, must be non empty' if !group.nil? && group.to_s.strip.empty?
@@ -39,6 +39,11 @@ module CycloneDX
         @name = name
         @version = version
         @type = type
+        @bomref = "#{name}@#{version}"
+
+        return if group.nil?
+
+        @bomref = "#{group}/#{@bomref}"
       end
     end
   end

data/lib/cyclonedx/cocoapods/podfile_analyzer.rb

@@ -74,6 +74,11 @@ module CycloneDX
         pods
       end
 
+      def top_level_deps(podfile, lockfile)
+        pods_used = top_level_pods(podfile)
+        dependencies_for_pod(pods_used, podfile, lockfile)
+      end
+
       private
 
       def load_plugins(podfile_path)
@@ -137,6 +142,8 @@ module CycloneDX
       end
 
       def initialize_cocoapods_config(project_dir)
+        # First, reset the ::Pod::Config instance in case we need to use this analyzer on multiple pods
+        ::Pod::Config.instance = nil
         ::Pod::Config.instance.installation_root = project_dir
       end
 
@@ -177,12 +184,18 @@ module CycloneDX
         end
       end
 
-      def append_all_pod_dependencies(pods_used, pods_cache)
-        result = pods_used
+      # Calculate simple array of all used pods plus their direct dependencies
+      #
+      # @param [Array<String>] top_level_pods List of pod names that are directly imported by the Podfile
+      # @param [Hash<String,Array<String>>] pods_cache Dependency information directly from the Podfile.lock;
+      # keys are string pod names, values are list of direct dependencies of the given pod.
+      # @return [Array<String>, Hash<String,Array<String>>] First element is list of all used pod names.
+      # Second element is a hash: keys are string pod names, values are the direct dependencies of that pod.
+      def append_all_pod_dependencies(top_level_pods, pods_cache)
+        result = top_level_pods
         original_number = 0
-        dependencies_hash = {}
 
-        # Loop adding pod dependencies until we are not adding any more dependencies to the result
+        # Loop adding pod dependencies until we are not adding any more dependencies to the result.
         # This brings in all the transitive dependencies of every top level pod.
         # Note this also handles two edge cases:
         #  1. Having a Podfile with no pods used.
@@ -190,29 +203,38 @@ module CycloneDX
         while result.length != original_number
           original_number = result.length
 
-          pods_used.each do |pod_name|
+          top_level_pods.each do |pod_name|
             if pods_cache.key?(pod_name)
-              result.push(*pods_cache[pod_name])
-              dependencies_hash[pod_name] = pods_cache[pod_name].empty? ? [] : pods_cache[pod_name]
+              # Append all of the dependencies of this pod into the main list, if they aren't already in the list
+              result = result.union(pods_cache[pod_name])
             end
           end
 
-          result = result.uniq
-          pods_used = result
+          top_level_pods = result
+        end
+
+        # Now that we have the simple list of all unique pods, grab their direct dependencies
+        dependencies_hash = {}
+        result.each do |pod_name|
+          dependencies_hash[pod_name] = pods_cache.key?(pod_name) ? pods_cache[pod_name] : []
         end
 
         [result, dependencies_hash]
       end
 
-      def create_list_of_included_pods(podfile, lockfile)
-        pods_cache = simple_hash_of_lockfile_pods(lockfile)
-
+      def top_level_pods(podfile)
         included_targets = podfile.target_definition_list.select { |target| include_target_named(target.label) }
         included_target_names = included_targets.map(&:label)
         @logger.debug "Including all pods for targets: #{included_target_names}"
 
         top_level_deps = included_targets.map(&:dependencies).flatten.uniq
-        pods_used = top_level_deps.map(&:name).uniq
+        top_level_deps.map(&:name).uniq
+      end
+
+      def create_list_of_included_pods(podfile, lockfile)
+        pods_cache = simple_hash_of_lockfile_pods(lockfile)
+
+        pods_used = top_level_pods(podfile)
         pods_used, dependencies = append_all_pod_dependencies(pods_used, pods_cache)
 
         [pods_used.sort, dependencies]

data/lib/cyclonedx/cocoapods/version.rb

@@ -21,6 +21,6 @@
 
 module CycloneDX
   module CocoaPods
-    VERSION = '1.3.0'
+    VERSION = '1.4.1'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cyclonedx-cocoapods
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.1
 platform: ruby
 authors:
 - José González
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-02-08 00:00:00.000000000 Z
+date: 2024-11-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cocoapods
@@ -51,48 +51,6 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '2.0'
-- !ruby/object:Gem::Dependency
-  name: equivalent-xml
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.6.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.6.0
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
 description: CycloneDX is a lightweight software bill-of-material (SBOM) specification
   designed for use in application security contexts and supply chain component analysis.
   This Gem generates CycloneDX BOMs from CocoaPods projects.
@@ -133,14 +91,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: 2.6.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.4
+rubygems_version: 3.5.23
 signing_key:
 specification_version: 4
 summary: CycloneDX software bill-of-material (SBOM) generation utility