cyclonedx-cocoapods 1.4.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4b3c1577d54844759e40218fb3b0876014aa8a2eac1a8ea2be2512cab13d79f9
-  data.tar.gz: dd99bd2aa09a1d6ecd956fdd3118a064df6662026b6816ee86f9a2f553347068
+  metadata.gz: a7dce97ad0ab74a34fbe0e768172779ccbb53189ab786742275b1c5b5f00b7d2
+  data.tar.gz: bfb1e7e6a22778c85995bd7ee7c43cc6aa21896362d4b2cb4ad5fa4b137f4d61
 SHA512:
-  metadata.gz: 5e82c25c27de0fbede464d04a06b9b7f06c3fc79550041835395c6fe5aa32a0f1c4bba1d391b988ff6d39107f696960f064730de43ef8c0f0e8000d576cd1010
-  data.tar.gz: '048fa99979dd4e606b4952412dad3675bad2ebe3e45eccd8513089f18908d5594213031cb85130434f002d7a8edbafbb67818e602c648b49137768e8085c445b'
+  metadata.gz: 2b96c4c4d2225b5aa8f70b4fad6bab563ecfe863b3ec3a2018cfa9d0a5c12e99b8569ff43a52a8ce1b3ec31587af8c705b7a9c9fcba1f13598392a2be10c2dff
+  data.tar.gz: 0be60a77ebd3c442bd25481731eb52fdb53338e8b15d6996396d1b49f17ef778db0e686a9a14b12bd5e0c1902a68087b2926c19bd22852cf1fad16974270aec2

data/CHANGELOG.md

@@ -4,6 +4,31 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.0.0]
+
+### Added
+- Added JSON output if the specified `output` has a `.json` suffix. ([Issue #62](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/62)) [@jeremylong](https://github.com/jeremylong).
+- Added CLI options to set manufacturer metadata about the component being scanned (five separate parameters). ([Issue #72](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/72)) [@jeremylong](https://github.com/jeremylong).
+- Added CLI options to set the VCS URL and build URL of the component being scanned. ([PR #82](https://github.com/CycloneDX/cyclonedx-cocoapods/pull/82)) [@jeremylong](https://github.com/jeremylong).
+
+### Changed
+- Updated to use v1.6 of the CycloneDX specification. ([PR #81](https://github.com/CycloneDX/cyclonedx-cocoapods/pull/81)) [@jeremylong](https://github.com/jeremylong).
+- Updated to use newer `tools` section elements. ([PR #80](https://github.com/CycloneDX/cyclonedx-cocoapods/pull/80)) [@jeremylong](https://github.com/jeremylong).
+- Updated to use a purl for the `bom-ref` of the component being scanned.  When analyzing an app the purl will start with `pkg:generic`. ([PR #84](https://github.com/CycloneDX/cyclonedx-cocoapods/pull/84)) [@jeremylong](https://github.com/jeremylong).
+- Changed the short `-b` CLI parameter to specify the build URL instead of the bom file version.  Use `--bom-version` to specify the bom file version if needed. ([PR #82](https://github.com/CycloneDX/cyclonedx-cocoapods/pull/82)) [@jeremylong](https://github.com/jeremylong).
+- Changed the short `-s` CLI parameter to specify the source VCS URL instead of the shortened string lengths.  Use `--shortened-strings` to specify the max length of strings if needed. ([PR #82](https://github.com/CycloneDX/cyclonedx-cocoapods/pull/82)) [@jeremylong](https://github.com/jeremylong).
+
+### Fixed
+- Fixed XML output when Pod description contains a null byte. ([Issue #85](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/85)) [@fnxpt](https://github.com/fnxpt).
+
+## [1.4.1]
+
+### Changed
+- Minimum Ruby version is now v2.6.3 so the [Array.union](https://apidock.com/ruby/v2_6_3/Array/union) function can be used.
+
+### Fixed
+- Improved performance when analyzing a Podfile with many pods. ([Issue #78](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/78)) [@macblazer](https://github.com/macblazer).
+
 ## [1.4.0]
 
 ### Added

data/README.md

@@ -9,7 +9,9 @@
 
 # CycloneDX CocoaPods (Objective-C/Swift)
 
-The CycloneDX CocoaPods Gem creates a valid CycloneDX software bill-of-material document from all [CocoaPods](https://cocoapods.org/) project dependencies. CycloneDX is a lightweight BoM specification that is easily created, human readable, and simple to parse.
+The CycloneDX CocoaPods Gem creates a valid CycloneDX software bill-of-material document from all
+[CocoaPods](https://cocoapods.org/) project dependencies. CycloneDX is a lightweight BOM specification
+that is easily created, human readable, and simple to parse.
 
 ## Installation
 
@@ -21,18 +23,19 @@ The CycloneDX CocoaPods Gem creates a valid CycloneDX software bill-of-material
 
 ### From Source
 
-First, clone/copy the source code from GitHub.  Then in the source code directory run these commands (substituting the actual version number for `x.x.x`):
+First, clone/copy the source code from GitHub.  Then in the source code directory run these
+commands (substituting the actual version number for `x.x.x`):
 
 ```shell
 gem build cyclonedx-cocoapods.gemspec
 gem install cyclonedx-cocoapods-x.x.x.gem
 ```
 
-Building from source requires Ruby 2.4.0 or newer.
+Building from source requires Ruby 2.6.3 or newer.
 
 ## Compatibility
 
-*cyclonedx-cocoapods* aims to produce SBOMs according to the latest CycloneDX specification, which currently is [1.5](https://cyclonedx.org/docs/1.5/xml/).
+*cyclonedx-cocoapods* aims to produce SBOMs according to the latest CycloneDX specification, which currently is [1.6](https://cyclonedx.org/docs/1.6/xml/).
 You can use the [CycloneDX CLI](https://github.com/CycloneDX/cyclonedx-cli#convert-command) to convert between multiple BOM formats or specification versions.
 
 ## Usage
@@ -49,38 +52,53 @@ OPTIONS
 
   BOM Generation
     -p, --path path                  Path to CocoaPods project directory (default: current directory)
-    -o, --output bom_file_path       Path to output the bom.xml file to (default: "bom.xml")
-    -b, --bom-version bom_version    Version of the generated BOM (default: "1")
+    -o, --output bom_file_path       Path to output the bom file to (default: "bom.xml"); if a *.json file is specified the output format will be JSON
+        --bom-version bom_version    Version of the generated BOM (default: "1")
     -x, --exclude-test-targets       Eliminate Podfile targets whose name contains the word "test"
-    -s, --shortened-strings length   Trim author, publisher, and purl to <length> characters; this may cause data loss but can improve compatibility with other systems
+        --shortened-strings length   Trim author, publisher, and purl to <length> characters; this may cause data loss but can improve compatibility with other systems
 
   Component Metadata
+  If a podspec file is present the name, version, and type do not need to be specified as they will be set automatically.
     -n, --name name                  (If specified version and type are also required) Name of the component for which the BOM is generated
     -v, --version version            Version of the component for which the BOM is generated
     -t, --type type                  Type of the component for which the BOM is generated (one of application|framework|library|container|operating-system|device|firmware|file)
     -g, --group group                Group of the component for which the BOM is generated
+    -s, --source source_url          Optional: The version control system URL of the component for the BOM is generated
+    -b, --build build_url            Optional: The build URL of the component for which the BOM is generated
+
+  Manufacturer Metadata
+        --manufacturer-name name     Name of the manufacturer
+        --manufacturer-url url       URL of the manufacturer
+        --manufacturer-contact-name name
+                                     Name of the manufacturer contact
+        --manufacturer-email email   Email of the manufacturer contact
+        --manufacturer-phone phone   Phone number of the manufacturer contact
 ```
 
-**Output:** BoM file at specified location, `./bom.xml` if not specified
+**Output:** BOM file at specified location, `./bom.xml` if not specified
 
 ### Example
 
 ```shell
-% cyclonedx-cocoapods --path /path/to/cocoapods/project --output /path/to/bom.xml --version 6 
+% cyclonedx-cocoapods --path /path/to/cocoapods/project --output /path/to/bom.xml --version 6
 ```
 
 #### Specific example
 
-This repo contains a file named `example_bom.xml` that was generated with this tool.
+This repo contains files named `example_bom.xml` and `example_bom.json` that were generated with this tool.
 
-It represents the open source [PodsUpdater application](https://github.com/kizitonwose/PodsUpdater).  The PodsUpdater code was checked out,
-then these two commands were run in the checked out code directory.
+They represent the open source [PodsUpdater application](https://github.com/kizitonwose/PodsUpdater).  The PodsUpdater
+code was checked out, then these three commands were run in the checked out code directory.
 
 ```shell
 % pod install
-% cyclonedx-cocoapods -n "kizitonwose/PodsUpdater" -v 1.0.3 -t application --output example_bom.xml
+% cyclonedx-cocoapods -n "kizitonwose-PodsUpdater" -v 1.0.3 -t application -s https://github.com/kizitonwose/PodsUpdater --output example_bom.xml
+% cyclonedx-cocoapods -n "kizitonwose-PodsUpdater" -v 1.0.3 -t application -s https://github.com/kizitonwose/PodsUpdater --output example_bom.json
 ```
 
+The JSON file here has also been run through a JSON formatter for easier reading by humans.  The original JSON
+output is one long line with no extra whitespace - great for computers, but difficult for humans.
+
 ### A Note About CocoaPod Subspecs
 
 Many CocoaPods make use of [subspec functionality](https://guides.cocoapods.org/syntax/podspec.html#subspec).

data/lib/cyclonedx/cocoapods/bom_builder.rb

@@ -127,7 +127,8 @@ module CycloneDX
           xml_add_author(xml, trim_strings_length)
           xml.name_ name
           xml.version version.to_s
-          xml.description { xml.cdata description } unless description.nil?
+          # Use `dump` to escape non-printing characters, then remove the starting/trailing double-quotes from `dump`.
+          xml.description { xml.cdata description.dump[1..-2] } unless description.nil?
           unless checksum.nil?
             xml.hashes do
               xml.hash_(checksum, alg: CHECKSUM_ALGORITHM)
@@ -149,7 +150,57 @@ module CycloneDX
         end
       end
 
+      def to_json_component(manifest_path, trim_strings_length = 0)
+        {
+          type: 'library',
+          'bom-ref': purl,
+          author: trim(author, trim_strings_length),
+          publisher: trim(author, trim_strings_length),
+          name: name,
+          version: version.to_s,
+          description: description,
+          hashes: generate_json_hashes,
+          licenses: generate_json_licenses,
+          purl: purl,
+          externalReferences: generate_json_external_references,
+          evidence: generate_json_evidence(manifest_path)
+        }.compact
+      end
+
+      def generate_json_external_references
+        refs = []
+        refs << { type: HOMEPAGE_REFERENCE_TYPE, url: homepage } if homepage
+        refs.empty? ? nil : refs
+      end
+
+      def generate_json_evidence(manifest_path)
+        {
+          identity: {
+            field: 'purl',
+            confidence: 0.6,
+            methods: [
+              {
+                technique: 'manifest-analysis',
+                confidence: 0.6,
+                value: manifest_path
+              }
+            ]
+          }
+        }
+      end
+
       class License
+        def to_json_component
+          {
+            license: {
+              id: identifier_type == :id ? identifier : nil,
+              name: identifier_type == :name ? identifier : nil,
+              text: text,
+              url: url
+            }.compact
+          }
+        end
+
         def add_to_bom(xml)
           xml.license do
             xml.id identifier if identifier_type == :id
@@ -159,6 +210,20 @@ module CycloneDX
           end
         end
       end
+
+      private
+
+      def generate_json_licenses
+        license ? [license.to_json_component] : nil
+      end
+
+      def generate_json_hashes
+        checksum ? [{ alg: CHECKSUM_ALGORITHM, content: checksum }] : nil
+      end
+
+      def trim(str, trim_strings_length)
+        trim_strings_length.zero? ? str : str&.slice(0, trim_strings_length)
+      end
     end
 
     class Component
@@ -167,52 +232,214 @@ module CycloneDX
           xml.group group unless group.nil?
           xml.name_ name
           xml.version version
+
+          if !build_system.nil? || !vcs.nil?
+            xml.externalReferences do
+              if build_system
+                xml.reference(type: 'build-system') do
+                  xml.url build_system
+                end
+              end
+
+              if vcs
+                xml.reference(type: 'vcs') do
+                  xml.url vcs
+                end
+              end
+            end
+          end
+          xml.purl bomref
+        end
+      end
+
+      def to_json_component
+        {
+          type: type,
+          'bom-ref': bomref,
+          group: group,
+          name: name,
+          version: version,
+          purl: bomref,
+          externalReferences: generate_json_external_references
+        }.compact
+      end
+
+      private
+
+      def generate_json_external_references
+        refs = []
+        refs << { type: 'build-system', url: build_system } if build_system
+        refs << { type: 'vcs', url: vcs } if vcs
+        refs.empty? ? nil : refs
+      end
+    end
+
+    # Represents manufacturer information in a CycloneDX BOM
+    # Handles generation of manufacturer XML elements including basic info and contact details
+    # Used when generating BOM metadata for CycloneDX specification
+    class Manufacturer
+      def add_to_bom(xml)
+        return if all_attributes_nil?
+
+        xml.manufacturer do
+          add_basic_info(xml)
+          add_contact_info(xml)
+        end
+      end
+
+      def to_json_manufacturer
+        return nil if all_attributes_nil?
+
+        {
+          name: name,
+          url: url,
+          contact: generate_json_contact
+        }.compact
+      end
+
+      private
+
+      def generate_json_contact
+        return nil if contact_info_nil?
+
+        [
+          {
+            name: contact_name,
+            email: email,
+            phone: phone
+          }.compact
+        ]
+      end
+
+      def all_attributes_nil?
+        [name, url, contact_name, email, phone].all?(&:nil?)
+      end
+
+      def add_basic_info(xml)
+        xml.name_ name unless name.nil?
+        xml.url url unless url.nil?
+      end
+
+      def add_contact_info(xml)
+        return if contact_info_nil?
+
+        xml.contact do
+          xml.name_ contact_name unless contact_name.nil?
+          xml.email email unless email.nil?
+          xml.phone phone unless phone.nil?
         end
       end
+
+      def contact_info_nil?
+        contact_name.nil? && email.nil? && phone.nil?
+      end
     end
 
     # Turns the internal model data into an XML bom.
     class BOMBuilder
-      NAMESPACE = 'http://cyclonedx.org/schema/bom/1.5'
+      NAMESPACE = 'http://cyclonedx.org/schema/bom/1.6'
 
-      attr_reader :component, :pods, :manifest_path, :dependencies
+      attr_reader :component, :pods, :manifest_path, :dependencies, :manufacturer
 
-      def initialize(pods:, manifest_path:, component: nil, dependencies: nil)
+      def initialize(pods:, manifest_path:, component: nil, dependencies: nil, manufacturer: nil)
         @pods = pods.sort_by(&:purl)
         @manifest_path = manifest_path
         @component = component
         @dependencies = dependencies&.sort
+        @manufacturer = manufacturer
       end
 
-      def bom(version: 1, trim_strings_length: 0)
-        unless version.to_i.positive?
-          raise ArgumentError,
-                "Incorrect version: #{version} should be an integer greater than 0"
-        end
-
-        unless trim_strings_length.is_a?(Integer) && (trim_strings_length.positive? || trim_strings_length.zero?)
-          raise ArgumentError,
-                "Incorrect string length: #{trim_strings_length} should be an integer greater than 0"
-        end
+      def bom(version: 1, trim_strings_length: 0, format: :xml)
+        validate_version(version)
+        validate_trim_length(trim_strings_length)
+        validate_format(format)
 
-        unchecked_bom(version: version, trim_strings_length: trim_strings_length)
+        unchecked_bom(version: version, trim_strings_length: trim_strings_length, format: format)
       end
 
       private
 
+      def validate_version(version)
+        return if version.to_i.positive?
+
+        raise ArgumentError, "Incorrect version: #{version} should be an integer greater than 0"
+      end
+
+      def validate_trim_length(trim_strings_length)
+        return if trim_strings_length.is_a?(Integer) && (trim_strings_length.positive? || trim_strings_length.zero?)
+
+        raise ArgumentError, "Incorrect string length: #{trim_strings_length} should be an integer greater than 0"
+      end
+
+      def validate_format(format)
+        return if %i[xml json].include?(format)
+
+        raise ArgumentError, "Incorrect format: #{format} should be either :xml or :json"
+      end
+
       # does not verify parameters because the public method does that.
-      def unchecked_bom(version: 1, trim_strings_length: 0)
+      def unchecked_bom(version:, trim_strings_length:, format:)
+        case format
+        when :json
+          generate_json(version: version, trim_strings_length: trim_strings_length)
+        when :xml
+          generate_xml(version: version, trim_strings_length: trim_strings_length)
+        end
+      end
+
+      def generate_xml(version:, trim_strings_length:)
         Nokogiri::XML::Builder.new(encoding: 'UTF-8') do |xml|
           xml.bom(xmlns: NAMESPACE, version: version.to_i.to_s, serialNumber: "urn:uuid:#{SecureRandom.uuid}") do
             bom_metadata(xml)
-
             bom_components(xml, pods, manifest_path, trim_strings_length)
-
             bom_dependencies(xml, dependencies)
           end
         end.to_xml
       end
 
+      def generate_json(version:, trim_strings_length:)
+        {
+          '$schema': 'https://cyclonedx.org/schema/bom-1.6.schema.json',
+          bomFormat: 'CycloneDX',
+          specVersion: '1.6',
+          serialNumber: "urn:uuid:#{SecureRandom.uuid}",
+          version: version.to_s,
+          metadata: generate_json_metadata,
+          components: generate_json_components(trim_strings_length),
+          dependencies: generate_json_dependencies
+        }.to_json
+      end
+
+      def generate_json_metadata
+        {
+          timestamp: Time.now.getutc.strftime('%Y-%m-%dT%H:%M:%SZ'),
+          tools: {
+            components: [{
+              type: 'application',
+              group: 'CycloneDX',
+              name: 'cyclonedx-cocoapods',
+              version: VERSION
+            }]
+          },
+          component: component&.to_json_component,
+          manufacturer: manufacturer&.to_json_manufacturer
+        }.compact
+      end
+
+      def generate_json_components(trim_strings_length)
+        pods.map { |pod| pod.to_json_component(manifest_path, trim_strings_length) }
+      end
+
+      def generate_json_dependencies
+        return nil unless dependencies
+
+        dependencies.map do |ref, deps|
+          {
+            ref: ref,
+            dependsOn: deps.sort
+          }
+        end
+      end
       def bom_components(xml, pods, manifest_path, trim_strings_length)
         xml.components do
           pods.each do |pod|
@@ -238,15 +465,17 @@ module CycloneDX
           xml.timestamp Time.now.getutc.strftime('%Y-%m-%dT%H:%M:%SZ')
           bom_tools(xml)
           component&.add_to_bom(xml)
+          manufacturer&.add_to_bom(xml)
         end
       end
-
       def bom_tools(xml)
         xml.tools do
-          xml.tool do
-            xml.vendor 'CycloneDX'
-            xml.name_ 'cyclonedx-cocoapods'
-            xml.version VERSION
+          xml.components do
+            xml.component(type: 'application') do
+              xml.group 'CycloneDX'
+              xml.name_ 'cyclonedx-cocoapods'
+              xml.version VERSION
+            end
           end
         end
       end

data/lib/cyclonedx/cocoapods/cli_runner.rb

@@ -25,7 +25,9 @@ require 'optparse'
 
 require_relative 'bom_builder'
 require_relative 'component'
+require_relative 'manufacturer'
 require_relative 'podfile_analyzer'
+require_relative 'podspec_analyzer'
 
 module CycloneDX
   module CocoaPods
@@ -36,12 +38,13 @@ module CycloneDX
       def run
         setup_logger # Needed in case we have errors while processing CLI parameters
         options = parse_options
+        determine_output_format(options)
         setup_logger(verbose: options[:verbose])
         @logger.debug "Running cyclonedx-cocoapods with options: #{options}"
 
-        component, pods, manifest_path, dependencies = analyze(options)
+        component, manufacturer, pods, manifest_path, dependencies = analyze(options)
 
-        build_and_write_bom(options, component, pods, manifest_path, dependencies)
+        build_and_write_bom(options, component, manufacturer, pods, manifest_path, dependencies)
       rescue StandardError => e
         @logger.error ([e.message] + e.backtrace).join($INPUT_RECORD_SEPARATOR)
         exit 1
@@ -76,7 +79,8 @@ module CycloneDX
             parsed_options[:path] = path
           end
           options.on('-o', '--output bom_file_path',
-                     'Path to output the bom.xml file to (default: "bom.xml")') do |bom_file_path|
+                     'Path to output the bom file to (default: "bom.xml"); ' \
+                     'if a *.json file is specified the output format will be JSON') do |bom_file_path|
             parsed_options[:bom_file_path] = bom_file_path
           end
           options.on('-b', '--bom-version bom_version', Integer,
@@ -94,18 +98,18 @@ module CycloneDX
           end
 
           options.separator("\n  Component Metadata\n")
+          options.separator('  If a podspec file is present the name, version, and type do not ' \
+                            "need to be specified as they will be set automatically.\n")
           options.on('-n', '--name name',
                      '(If specified version and type are also required) Name of the ' \
                      'component for which the BOM is generated') do |name|
             parsed_options[:name] = name
           end
           options.on('-v', '--version version', 'Version of the component for which the BOM is generated') do |version|
-            begin
-              Gem::Version.new(version)
-              parsed_options[:version] = version
-            rescue StandardError => e
-              raise OptionParser::InvalidArgument, e.message
-            end
+            Gem::Version.new(version)
+            parsed_options[:version] = version
+          rescue StandardError => e
+            raise OptionParser::InvalidArgument, e.message
           end
           options.on('-t', '--type type',
                      'Type of the component for which the BOM is generated ' \
@@ -120,6 +124,37 @@ module CycloneDX
           options.on('-g', '--group group', 'Group of the component for which the BOM is generated') do |group|
             parsed_options[:group] = group
           end
+          options.on('-s', '--source source_url',
+                     'Optional: The version control system URL of the component for the BOM is generated') do |vcs|
+            parsed_options[:vcs] = vcs
+          end
+          options.on('-b', '--build build_url',
+                     'Optional: The build URL of the component for which the BOM is generated') do |build|
+            parsed_options[:build] = build
+          end
+
+          # Add this section after the "Component Metadata" options group
+          options.separator("\n  Manufacturer Metadata\n")
+          options.on('--manufacturer-name name',
+                     'Name of the manufacturer') do |name|
+            parsed_options[:manufacturer_name] = name
+          end
+          options.on('--manufacturer-url url',
+                     'URL of the manufacturer') do |url|
+            parsed_options[:manufacturer_url] = url
+          end
+          options.on('--manufacturer-contact-name name',
+                     'Name of the manufacturer contact') do |contact_name|
+            parsed_options[:manufacturer_contact_name] = contact_name
+          end
+          options.on('--manufacturer-email email',
+                     'Email of the manufacturer contact') do |email|
+            parsed_options[:manufacturer_email] = email
+          end
+          options.on('--manufacturer-phone phone',
+                     'Phone number of the manufacturer contact') do |phone|
+            parsed_options[:manufacturer_phone] = phone
+          end
         end.parse!
 
         if !parsed_options[:name].nil? && (parsed_options[:version].nil? || parsed_options[:type].nil?)
@@ -130,13 +165,15 @@ module CycloneDX
         parsed_options
       end
 
-      def analyze(options)
-        analyzer = PodfileAnalyzer.new(logger: @logger, exclude_test_targets: options[:exclude_test_targets])
-        podfile, lockfile = analyzer.ensure_podfile_and_lock_are_present(options)
-        pods, dependencies = analyzer.parse_pods(podfile, lockfile)
-        analyzer.populate_pods_with_additional_info(pods)
+      def determine_output_format(options)
+        options[:format] = options[:bom_file_path]&.end_with?('.json') ? :json : :xml
+      end
 
-        component = component_from_options(options)
+      def analyze(options)
+        analyzer, dependencies, lockfile, podfile, pods = analyze_podfile(options)
+        podspec = analyze_podspec(options)
+        component = component_from_options(options, podspec)
+        manufacturer = manufacturer_from_options(options)
 
         unless component.nil?
           # add top level pods to main component
@@ -150,22 +187,89 @@ module CycloneDX
           manifest_path = Pathname.pwd.basename + manifest_path.relative_path_from(Pathname.pwd)
         end
 
-        [component, pods, manifest_path, dependencies]
+        [component, manufacturer, pods, manifest_path, dependencies]
+      end
+
+      def analyze_podspec(options)
+        spec_analyzer = PodspecAnalyzer.new(logger: @logger)
+        podspec = spec_analyzer.ensure_podspec_is_present(options)
+        spec = spec_analyzer.parse_podspec(podspec) unless podspec.nil?
+        spec
+      end
+
+      def analyze_podfile(options)
+        analyzer = PodfileAnalyzer.new(logger: @logger, exclude_test_targets: options[:exclude_test_targets])
+        podfile, lockfile = analyzer.ensure_podfile_and_lock_are_present(options)
+        pods, dependencies = analyzer.parse_pods(podfile, lockfile)
+        analyzer.populate_pods_with_additional_info(pods)
+        [analyzer, dependencies, lockfile, podfile, pods]
       end
 
-      def build_and_write_bom(options, component, pods, manifest_path, dependencies)
+      def build_and_write_bom(options, component, manufacturer, pods, manifest_path, dependencies)
         builder = BOMBuilder.new(pods: pods, manifest_path: manifest_path,
-                                 component: component, dependencies: dependencies)
+                                 component: component, manufacturer: manufacturer, dependencies: dependencies)
         bom = builder.bom(version: options[:bom_version] || 1,
-                          trim_strings_length: options[:trim_strings_length] || 0)
+                          trim_strings_length: options[:trim_strings_length] || 0,
+                          format: options[:format])
         write_bom_to_file(bom: bom, options: options)
       end
 
-      def component_from_options(options)
-        return unless options[:name]
+      def component_from_options(options, podspec)
+        return unless options[:name] || !podspec.nil?
+
+        ensure_options_match(options, podspec)
 
         Component.new(group: options[:group], name: options[:name], version: options[:version],
-                      type: options[:type])
+                      type: options[:type], build_system: options[:build], vcs: options[:vcs])
+      end
+
+      def manufacturer_from_options(options)
+        Manufacturer.new(
+          name: options[:manufacturer_name],
+          url: options[:manufacturer_url],
+          contact_name: options[:manufacturer_contact_name],
+          email: options[:manufacturer_email],
+          phone: options[:manufacturer_phone]
+        )
+      end
+
+      def ensure_options_match(options, podspec)
+        validate_name_option(options, podspec)
+        validate_version_option(options, podspec)
+        validate_group_option(options, podspec)
+        validate_type_option(options, podspec)
+      end
+
+      def validate_name_option(options, podspec)
+        if !podspec.nil? && options[:name] && options[:name] != podspec.name
+          raise OptionParser::InvalidArgument,
+                "Component name '#{options[:name]}' does not match podspec name '#{podspec.name}'"
+        end
+        options[:name] ||= podspec&.name
+      end
+
+      def validate_version_option(options, podspec)
+        if !podspec.nil? && options[:version] && options[:version] != podspec.version.to_s
+          raise OptionParser::InvalidArgument,
+                "Component version '#{options[:version]}' does not match podspec version '#{podspec.version}'"
+        end
+        options[:version] ||= podspec&.version&.to_s
+      end
+
+      def validate_type_option(options, podspec)
+        if !podspec.nil? && options[:type] && ptions[:type] != 'library'
+          raise OptionParser::InvalidArgument, "Component type must be 'library' when using a podspec"
+        end
+
+        return if podspec.nil?
+
+        options[:type] = 'cocoapods'
+      end
+
+      def validate_group_option(options, podspec)
+        return if podspec.nil?
+        raise OptionParser::InvalidArgument, 'Component group must not be specified when using a podspec' unless
+          options[:group].nil?
       end
 
       def setup_logger(verbose: true)

data/lib/cyclonedx/cocoapods/component.rb

@@ -21,29 +21,89 @@
 
 module CycloneDX
   module CocoaPods
+    # Represents a software component in the CycloneDX BOM specification
+    #
+    # A component is a self-contained unit of software that can be used as a building block
+    # in the architecture of a software system. Components can be of different types like
+    # libraries, frameworks, or applications.
+    #
+    # @attr_reader [String, nil] group The group/organization identifier of the component
+    # @attr_reader [String] name The name of the component
+    # @attr_reader [String] version The version string of the component
+    # @attr_reader [String] type The type of component (must be one of VALID_COMPONENT_TYPES)
+    # @attr_reader [String] bomref The unique reference ID for this component in the BOM
+    # @attr_reader [String, nil] build_system The build system information
+    # @attr_reader [String, nil] vcs The version control system information
+    #
+    # @example Creating a new component
+    #   component = Component.new(
+    #     name: "AFNetworking",
+    #     version: "4.0.1",
+    #     type: "library"
+    #   )
     class Component
       VALID_COMPONENT_TYPES = %w[application framework library container operating-system device firmware file].freeze
 
-      attr_reader :group, :name, :version, :type, :bomref
+      attr_reader :group, :name, :version, :type, :bomref, :build_system, :vcs
 
-      def initialize(name:, version:, type:, group: nil)
-        raise ArgumentError, 'Group, if specified, must be non empty' if !group.nil? && group.to_s.strip.empty?
-        raise ArgumentError, 'Name must be non empty' if name.nil? || name.to_s.strip.empty?
+      def initialize(name:, version:, type:, group: nil, build_system: nil, vcs: nil)
+        # cocoapods is a special case to correctly build a purl
+        package_type = type == 'cocoapods' ? 'cocoapods' : 'generic'
+        @type = type == 'cocoapods' ? 'library' : type
 
-        Gem::Version.new(version) # To check that the version string is well formed
-        unless VALID_COMPONENT_TYPES.include?(type)
-          raise ArgumentError, "#{type} is not valid component type (#{VALID_COMPONENT_TYPES.join('|')})"
-        end
+        validate_attributes(name, version, @type, group)
 
         @group = group
         @name = name
         @version = version
-        @type = type
-        @bomref = "#{name}@#{version}"
+        @build_system = build_system
+        @vcs = vcs
+        @bomref = build_purl(package_type, name, group, version)
+      end
+
+      private
+
+      def build_purl(package_type, name, group, version)
+        if group.nil?
+          purl_name, subpath = parse_name(name)
+        else
+          purl_name = "#{CGI.escape(group)}/#{CGI.escape(name)}"
+          subpath = ''
+        end
+        "pkg:#{package_type}/#{purl_name}@#{CGI.escape(version.to_s)}#{subpath}"
+      end
+
+      private
 
-        return if group.nil?
+      def validate_attributes(name, version, type, group)
+        raise ArgumentError, 'Group, if specified, must be non-empty' if exists_and_blank(group)
+        raise ArgumentError, 'Name must be non-empty' if missing(name)
+
+        Gem::Version.new(version) # To check that the version string is well-formed
+        return if VALID_COMPONENT_TYPES.include?(type)
+
+        raise ArgumentError, "#{type} is not valid component type (#{VALID_COMPONENT_TYPES.join('|')})"
+      end
+
+      def parse_name(name)
+        purls = name.split('/')
+        purl_name = CGI.escape(purls[0])
+        subpath = if purls.length > 1
+                    "##{name.split('/').drop(1).map do |component|
+                      CGI.escape(component)
+                    end.join('/')}"
+                  else
+                    ''
+                  end
+        [purl_name, subpath]
+      end
+
+      def missing(str)
+        str.nil? || str.to_s.strip.empty?
+      end
 
-        @bomref = "#{group}/#{@bomref}"
+      def exists_and_blank(str)
+        !str.nil? && str.to_s.strip.empty?
       end
     end
   end

data/lib/cyclonedx/cocoapods/license.rb

@@ -32,7 +32,7 @@ module CycloneDX
         attr_accessor :text, :url
 
         def initialize(identifier:)
-          raise ArgumentError, 'License identifier must be non empty' if identifier.nil? || identifier.to_s.strip.empty?
+          raise ArgumentError, 'License identifier must be non-empty' if identifier.nil? || identifier.to_s.strip.empty?
 
           @identifier = SPDX_LICENSES.find { |license_id| license_id.downcase == identifier.to_s.downcase }
           @identifier_type = @identifier.nil? ? :name : :id

data/lib/cyclonedx/cocoapods/manufacturer.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+#
+# This file is part of CycloneDX CocoaPods
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+#
+
+module CycloneDX
+  module CocoaPods
+    # Represents manufacturer information in a CycloneDX BOM
+    #
+    # The Manufacturer class holds details about the manufacturer of a component,
+    # including company information and contact details.
+    #
+    # @attr_reader [String] name The name of the manufacturing organization
+    # @attr_reader [String] url The URL of the manufacturer's website
+    # @attr_reader [String] contact_name Name of the manufacturer contact person
+    # @attr_reader [String] email Email address of the manufacturer contact
+    # @attr_reader [String] phone Phone number of the manufacturer contact
+    #
+    # @example Creating a manufacturer with basic info
+    #   manufacturer = Manufacturer.new(
+    #     name: "ACME Corp",
+    #     url: "https://acme.example"
+    #   )
+    #
+    # @example Creating a manufacturer with full contact details
+    #   manufacturer = Manufacturer.new(
+    #     name: "ACME Corp",
+    #     url: "https://acme.example",
+    #     contact_name: "John Doe",
+    #     email: "john@acme.example",
+    #     phone: "+1-555-123-4567"
+    #   )
+    class Manufacturer
+      attr_reader :name, :url, :contact_name, :email, :phone
+
+      def initialize(name: nil, url: nil, contact_name: nil, email: nil, phone: nil)
+        validate_parameters(name, url, contact_name, email, phone)
+
+        @name = name
+        @url = url
+        @contact_name = contact_name
+        @email = email
+        @phone = phone
+      end
+
+      private
+
+      def validate_parameters(name, url, contact_name, email, phone)
+        raise ArgumentError, 'name, if specified, must be non-empty' if blank(name)
+        raise ArgumentError, 'URL, if specified, must be non-empty' if blank(url)
+        raise ArgumentError, 'Contact name, if specified, must be non-empty' if blank(contact_name)
+        raise ArgumentError, 'Email, if specified, must be non-empty' if blank(email)
+        raise ArgumentError, 'Phone, if specified, must be non-empty' if blank(phone)
+      end
+
+      def blank(str)
+        !str.nil? && str.to_s.strip.empty?
+      end
+    end
+  end
+end

data/lib/cyclonedx/cocoapods/pod.rb

@@ -31,20 +31,20 @@ module CycloneDX
       attr_reader :version
       # Anything responding to :source_qualifier
       attr_reader :source
-      # xs:anyURI - https://cyclonedx.org/docs/1.5/xml/#type_externalReference
+      # xs:anyURI - https://cyclonedx.org/docs/1.6/xml/#type_externalReference
       attr_reader :homepage
-      # https://cyclonedx.org/docs/1.5/xml/#type_hashValue (We only use SHA-1 hashes - length == 40)
+      # https://cyclonedx.org/docs/1.6/xml/#type_hashValue (We only use SHA-1 hashes - length == 40)
       attr_reader :checksum
       # xs:normalizedString
       attr_reader :author
       # xs:normalizedString
       attr_reader :description
-      # https://cyclonedx.org/docs/1.5/xml/#type_licenseType
+      # https://cyclonedx.org/docs/1.6/xml/#type_licenseType
       # We don't currently support several licenses or license expressions https://spdx.github.io/spdx-spec/appendix-IV-SPDX-license-expressions/
       attr_reader :license
 
       def initialize(name:, version:, source: nil, checksum: nil)
-        raise ArgumentError, 'Name must be non empty' if name.nil? || name.to_s.empty?
+        raise ArgumentError, 'Name must be non-empty' if name.nil? || name.to_s.empty?
         raise ArgumentError, "Name shouldn't contain spaces" if name.to_s.include?(' ')
         raise ArgumentError, "Name shouldn't start with a dot" if name.to_s.start_with?('.')
 

data/lib/cyclonedx/cocoapods/podfile_analyzer.rb

@@ -184,12 +184,18 @@ module CycloneDX
         end
       end
 
-      def append_all_pod_dependencies(pods_used, pods_cache)
-        result = pods_used
+      # Calculate simple array of all used pods plus their direct dependencies
+      #
+      # @param [Array<String>] top_level_pods List of pod names that are directly imported by the Podfile
+      # @param [Hash<String,Array<String>>] pods_cache Dependency information directly from the Podfile.lock;
+      # keys are string pod names, values are list of direct dependencies of the given pod.
+      # @return [Array<String>, Hash<String,Array<String>>] First element is list of all used pod names.
+      # Second element is a hash: keys are string pod names, values are the direct dependencies of that pod.
+      def append_all_pod_dependencies(top_level_pods, pods_cache)
+        result = top_level_pods
         original_number = 0
-        dependencies_hash = {}
 
-        # Loop adding pod dependencies until we are not adding any more dependencies to the result
+        # Loop adding pod dependencies until we are not adding any more dependencies to the result.
         # This brings in all the transitive dependencies of every top level pod.
         # Note this also handles two edge cases:
         #  1. Having a Podfile with no pods used.
@@ -197,15 +203,20 @@ module CycloneDX
         while result.length != original_number
           original_number = result.length
 
-          pods_used.each do |pod_name|
+          top_level_pods.each do |pod_name|
             if pods_cache.key?(pod_name)
-              result.push(*pods_cache[pod_name])
-              dependencies_hash[pod_name] = pods_cache[pod_name].empty? ? [] : pods_cache[pod_name]
+              # Append all of the dependencies of this pod into the main list, if they aren't already in the list
+              result = result.union(pods_cache[pod_name])
             end
           end
 
-          result = result.uniq
-          pods_used = result
+          top_level_pods = result
+        end
+
+        # Now that we have the simple list of all unique pods, grab their direct dependencies
+        dependencies_hash = {}
+        result.each do |pod_name|
+          dependencies_hash[pod_name] = pods_cache.key?(pod_name) ? pods_cache[pod_name] : []
         end
 
         [result, dependencies_hash]

data/lib/cyclonedx/cocoapods/podspec_analyzer.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+#
+# This file is part of CycloneDX CocoaPods
+#
+# Licensed under the Apache License, Version 2.0 (the “License”);
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an “AS IS” BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+#
+
+require 'cocoapods'
+require 'cocoapods-core'
+require 'logger'
+
+require_relative 'pod'
+require_relative 'pod_attributes'
+require_relative 'source'
+
+module CycloneDX
+  module CocoaPods
+    class PodspecParsingError < StandardError; end
+
+    # Analyzes CocoaPods podspec files to extract component information for CycloneDX BOM generation
+    #
+    # The PodspecAnalyzer is responsible for:
+    # - Validating and loading podspec files from a given path
+    # - Parsing podspec contents to extract pod metadata
+    # - Converting podspec source information into standardized Source objects
+    #
+    # @example
+    #   analyzer = PodspecAnalyzer.new(logger: Logger.new(STDOUT))
+    #   podspec = analyzer.ensure_podspec_is_present(path: '/path/to/project')
+    #   pod = analyzer.parse_podspec(podspec)
+    #
+    class PodspecAnalyzer
+      def initialize(logger:)
+        @logger = logger
+      end
+
+      def ensure_podspec_is_present(options)
+        project_dir = Pathname.new(options[:path] || Dir.pwd)
+        validate_options(project_dir, options)
+        initialize_cocoapods_config(project_dir)
+
+        options[:podspec_path].nil? ? nil : ::Pod::Specification.from_file(options[:podspec_path])
+      end
+
+      def parse_podspec(podspec)
+        return nil if podspec.nil?
+
+        @logger.debug "Parsing podspec from #{podspec.defined_in_file}"
+
+        Pod.new(
+          name: podspec.name,
+          version: podspec.version.to_s,
+          source: source_from_podspec(podspec),
+          checksum: nil
+        )
+      end
+
+      private
+
+      def validate_options(project_dir, options)
+        raise PodspecParsingError, "#{options[:path]} is not a valid directory." unless File.directory?(project_dir)
+
+        podspec_files = Dir.glob("#{project_dir}/*.podspec{.json,}")
+        options[:podspec_path] = podspec_files.first unless podspec_files.empty?
+      end
+
+      def initialize_cocoapods_config(project_dir)
+        ::Pod::Config.instance = nil
+        ::Pod::Config.instance.installation_root = project_dir
+      end
+
+      def source_from_podspec(podspec)
+        return unless podspec.source[:git]
+
+        Source::GitRepository.new(
+          url: podspec.source[:git],
+          type: determine_git_ref_type(podspec.source),
+          label: determine_git_ref_label(podspec.source)
+        )
+      end
+
+      def determine_git_ref_type(source)
+        return :tag if source[:tag]
+        return :commit if source[:commit]
+        return :branch if source[:branch]
+
+        nil
+      end
+
+      def determine_git_ref_label(source)
+        source[:tag] || source[:commit] || source[:branch]
+      end
+    end
+  end
+end

data/lib/cyclonedx/cocoapods/version.rb

@@ -21,6 +21,6 @@
 
 module CycloneDX
   module CocoaPods
-    VERSION = '1.4.0'
+    VERSION = '2.0.0'
   end
 end

metadata

@@ -1,15 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cyclonedx-cocoapods
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 2.0.0
 platform: ruby
 authors:
 - José González
 - Kyle Hammond
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-10-15 00:00:00.000000000 Z
+date: 2025-01-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cocoapods
@@ -51,48 +50,6 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '2.0'
-- !ruby/object:Gem::Dependency
-  name: equivalent-xml
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.6.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.6.0
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
 description: CycloneDX is a lightweight software bill-of-material (SBOM) specification
   designed for use in application security contexts and supply chain component analysis.
   This Gem generates CycloneDX BOMs from CocoaPods projects.
@@ -113,9 +70,11 @@ files:
 - lib/cyclonedx/cocoapods/cli_runner.rb
 - lib/cyclonedx/cocoapods/component.rb
 - lib/cyclonedx/cocoapods/license.rb
+- lib/cyclonedx/cocoapods/manufacturer.rb
 - lib/cyclonedx/cocoapods/pod.rb
 - lib/cyclonedx/cocoapods/pod_attributes.rb
 - lib/cyclonedx/cocoapods/podfile_analyzer.rb
+- lib/cyclonedx/cocoapods/podspec_analyzer.rb
 - lib/cyclonedx/cocoapods/source.rb
 - lib/cyclonedx/cocoapods/spdx-licenses.json
 - lib/cyclonedx/cocoapods/version.rb
@@ -125,7 +84,6 @@ licenses:
 metadata:
   homepage_uri: https://github.com/CycloneDX/cyclonedx-cocoapods
   source_code_uri: https://github.com/CycloneDX/cyclonedx-cocoapods.git
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -133,15 +91,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: 2.6.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.16
-signing_key:
+rubygems_version: 3.6.2
 specification_version: 4
 summary: CycloneDX software bill-of-material (SBOM) generation utility
 test_files: []