cyclonedx-cocoapods 1.1.1 → 1.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4185f4f9ba77e7307a2f2a93ca2d96412775a6fa1a9d863b0955e0ccde099214
-  data.tar.gz: 4df386bef89ea9bb2bc7bfd9299a582faec48e8887f7443acd2cfb321947c0fd
+  metadata.gz: d9413e8c99e608e82f87b4075e907eb9fd137fd9f67a2c00bb277cf5c7fc2e21
+  data.tar.gz: fd8be60d19ee1e2d84f53bbc16e66734eaffb9b2375f462219bd097fbdb7ef1c
 SHA512:
-  metadata.gz: 847962664a8e0d9eca4ee42d2560151de4f56fbdcb3524ff1ad208f6cac0bc5b234d879f09cccdcaddf6df81096bdb89ea26923e2195e2127334276bfb32b856
-  data.tar.gz: 799ca49eb4e2dd2caf9c93cd211692a364091ef8366895fe6595d109d8b455bf222c607e19b16bd410e927d7099a29a2d1dfad8b0f9d84b837705f7e7b448bb1
+  metadata.gz: 8b1e44bed24cddcce4e550047b39c849167f60d4e3ac86006365a991e70de3de3634a9de0ef90df7e7a3f93a9c255b5df271526a3731b91739726cc400c23889
+  data.tar.gz: f8778db86758639e8c2888a0ccd67d9209d8dac2282e422d75c18a40831c3e89a8c0cac10d8392965b8a47c01341b197dc424912470bc300e06c355e76d76415

data/CHANGELOG.md

@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.2]
+
+### Changed
+- Updated gem dependency for cocoapods to be minimum v1.10.1 up to anything less than v2. ([Issue #51](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/51)) [@macblazer](https://github.com/macblazer).
+- Updated gem dependency for nokogiri to be minimum v1.11.2 up to anything less than v2. [@macblazer](https://github.com/macblazer).
+- Updated README.md with a description of what happens with pods or Podfiles that use subspecs. ([Issue #52](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/52)) [@macblazer](https://github.com/macblazer).
+
+### Fixed
+- Fixed parsing of a Podfile that uses CocoaPods plugins.  ([PR #55](https://github.com/CycloneDX/cyclonedx-cocoapods/pull/55)) [@DwayneCoussement](https://github.com/DwayneCoussement).
+
 ## [1.1.1]
 
 ### Changed

data/README.md

@@ -80,6 +80,41 @@ then these two commands were run in the checked out code directory.
 % cyclonedx-cocoapods -n "kizitonwose/PodsUpdater" -v 1.0.3 -t application --output example_bom.xml
 ```
 
+### A Note About CocoaPod Subspecs
+
+Many CocoaPods make use of [subspec functionality](https://guides.cocoapods.org/syntax/podspec.html#subspec).
+Podfiles can require whole pods, or just subspecs; pods themselves may require whole pods or subspecs of other
+pods.  In complex projects such as React Native apps this often results in a single pod being included as a
+dependency multiple times as several of its subspecs are included individually.
+
+*cyclonedx-cocoapods* works properly with this, and adds a dependency in the BOM output for each subspec that is
+required by the Podfile and throughout the chain of dependencies.  Each subspec will only appear once in the BOM
+file.  This gives you granular detail in the BOM of which subspecs of which pods are used.  This is easiest seen
+with an example.
+
+The Podfile
+```ruby
+target 'SampleProject' do
+  pod 'SamplePod/firstsubspec'
+  pod 'SamplePod/secondsubspec'
+end
+```
+
+If the SamplePod is at v2.1, running *cyclonedx-cocoapods* on this will output a BOM file with two `component`
+dependencies:
+- `pkg:cocoapods/SamplePod@2.1#firstsubspec` at `https://github.com/example/SamplePod`
+- `pkg:cocoapods/SamplePod@2.1#secondsubspec` at `https://github.com/example/SamplePod`
+
+[Dependency Track](https://dependencytrack.org) (DT) is a tool that many organizations use to help automate SBOM
+related tasks.  When uploading an SBOM that contains multiple subspecs from the same pod, or a single subspec
+alongside the complete pod dependency, the initial upload will indicate a number of dependencies equal to the number
+of `component` objects within the BOM.  However, DT analysis then looks for unique repositories in use which will
+merge all of the subspecs of a particular pod into a single entry.  On later uploads to DT of the same or similar BOM
+it will indicate just the number of unique repositories.
+
+Uploading the above SamplePod BOM file to DT will initially see two dependencies.  Later analysis by DT notices
+that both dependencies resolve to the same repository, so DT will then only show a single dependency.
+
 ## Contributing
 
 To set up for local development, make a fork of this repo, make a branch on your fork named after the issue or workflow you are improving, checkout your branch, then run `bundle install`.

data/lib/cyclonedx/cocoapods/bom_builder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -26,8 +28,8 @@ module CycloneDX
   module CocoaPods
     module Source
       class CocoaPodsRepository
-        LEGACY_REPOSITORY = 'https://github.com/CocoaPods/Specs.git'.freeze
-        CDN_REPOSITORY = 'trunk'.freeze
+        LEGACY_REPOSITORY = 'https://github.com/CocoaPods/Specs.git'
+        CDN_REPOSITORY = 'trunk'
 
         def source_qualifier
           url == LEGACY_REPOSITORY || url == CDN_REPOSITORY ? {} : { repository_url: url }
@@ -54,8 +56,8 @@ module CycloneDX
     end
 
     class Pod
-      CHECKSUM_ALGORITHM = 'SHA-1'.freeze
-      HOMEPAGE_REFERENCE_TYPE = 'website'.freeze
+      CHECKSUM_ALGORITHM = 'SHA-1'
+      HOMEPAGE_REFERENCE_TYPE = 'website'
 
       def purl
         purl_name = CGI.escape(name.split('/').first)
@@ -115,7 +117,7 @@ module CycloneDX
     end
 
     class BOMBuilder
-      NAMESPACE = 'http://cyclonedx.org/schema/bom/1.4'.freeze
+      NAMESPACE = 'http://cyclonedx.org/schema/bom/1.4'
 
       attr_reader :component, :pods
 
@@ -155,4 +157,4 @@ module CycloneDX
       end
     end
   end
-end
+end

data/lib/cyclonedx/cocoapods/cli_runner.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #

data/lib/cyclonedx/cocoapods/component.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #

data/lib/cyclonedx/cocoapods/license.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #

data/lib/cyclonedx/cocoapods/pod.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -105,4 +107,4 @@ module CycloneDX
       end
     end
   end
-end
+end

data/lib/cyclonedx/cocoapods/pod_attributes.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #

data/lib/cyclonedx/cocoapods/podfile_analyzer.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -19,6 +20,7 @@
 #
 
 require 'cocoapods'
+require 'cocoapods-core'
 require 'logger'
 
 require_relative 'pod'
@@ -35,6 +37,23 @@ module CycloneDX
         @exclude_test_targets = exclude_test_targets
       end
 
+      def load_plugins(podfile_path)
+        podfile_contents = File.read(podfile_path)
+        plugin_syntax = /\s*plugin\s+['"]([^'"]+)['"]/
+        plugin_names = podfile_contents.scan(plugin_syntax).flatten
+      
+        plugin_names.each do |plugin_name|
+          @logger.debug("Loading plugin #{plugin_name}")
+          begin
+            plugin_spec = Gem::Specification.find_by_name(plugin_name)
+            plugin_spec.activate if plugin_spec
+            load(plugin_spec.gem_dir + '/lib/cocoapods_plugin.rb') if plugin_spec
+          rescue Gem::LoadError => e
+            @logger.warn("Failed to load plugin #{plugin_name}. #{e.message}")
+          end
+        end
+      end
+
       def ensure_podfile_and_lock_are_present(options)
         project_dir = Pathname.new(options[:path] || Dir.pwd)
         raise PodfileParsingError, "#{options[:path]} is not a valid directory." unless File.directory?(project_dir)
@@ -47,7 +66,8 @@ module CycloneDX
 
         lockfile = ::Pod::Lockfile.from_file(options[:podfile_lock_path])
         verify_synced_sandbox(lockfile)
-
+        load_plugins(options[:podfile_path])
+        
         return ::Pod::Podfile.from_file(options[:podfile_path]), lockfile
       end
 

data/lib/cyclonedx/cocoapods/source.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #

data/lib/cyclonedx/cocoapods/version.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 #
 # This file is part of CycloneDX CocoaPods
 #
@@ -20,10 +21,6 @@
 
 module CycloneDX
   module CocoaPods
-    VERSION = '1.1.1'
-    DEPENDENCIES = {
-      cocoapods: '~> 1.10.1',
-      nokogiri: '~> 1.11.2'
-    }
+    VERSION = '1.1.2'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cyclonedx-cocoapods
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.1.2
 platform: ruby
 authors:
 - José González
@@ -9,36 +9,48 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-10-12 00:00:00.000000000 Z
+date: 2023-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cocoapods
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.10.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.10.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.11.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.11.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement