fastlane-plugin-dependency_check_ios_analyzer 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 660f1ed90d6f3f6f65d75491077ff0163590226fc0cf71dc00604af2565ac317
+  data.tar.gz: 8a02db2fb5c3d921e60b9fd4dbdb8aa879f923baa7ef22127c4853b36fade699
+SHA512:
+  metadata.gz: 9d2afdd951f732aa69b4f39c9d7b4b7e4921912ae877e9828d8ec8351fb74713c4cefcd4a4cec0aa8be9ba6b2f1c91001aac4dd86e8816cbf3bb5477c5cd260b
+  data.tar.gz: 10ea8e5bfb61ad113dd578f8b1eb33f511469db0e69a4cc17aa4fc5785cda3c2a7fa851b09394aaf14d899cf2dbfa7565ec6399b4a9383d9182390bca49a55e0

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Alexey Alter-Pesotskiy
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,49 @@
+# fastlane-plugin-dependency_check_ios_analyzer
+
+[![fastlane Plugin Badge](https://rawcdn.githack.com/fastlane/fastlane/master/fastlane/assets/plugin-badge.svg)](https://rubygems.org/gems/fastlane-plugin-dependency_check_ios_analyzer)
+
+## About dependency_check_ios_analyzer
+
+Fastlane wrapper around the [OWASP dependency-check](https://jeremylong.github.io/DependencyCheck) [Swift Package Manager](https://jeremylong.github.io/DependencyCheck/analyzers/swift.html) and [Cocoapods](https://jeremylong.github.io/DependencyCheck/analyzers/cocoapods.html) analyzers 🚀
+
+This analyzer is considered experimental. While it may be useful and provide valid results more testing must be completed to ensure that the false negative/false positive rates are acceptable.
+
+## Parameters
+
+| *Key* | *Description* | *Default* |
+| ------|-------------- | --------- |
+| `skip_spm_analysis` | Skip analysis of SPM dependencies | `false` |
+| `skip_pods_analysis` | Skip analysis of Cocoapods dependencies | `false` |
+| `spm_checkouts_path` | Path to Swift Packages, if they are resolved | |
+| `pod_file_lock_path` | Path to the `Podfile.lock` file | |
+| `project_name` | The project's name | DependencyCheck |
+| `output_directory` | The directory in which all reports will be stored | dependency-check |
+| `output_types` | Comma separated list of the output types (e.g. `html`, `xml`, `csv`, `json`, `junit`, `sarif`, `all`) | `sarif` |
+| `cli_version` | Specify the required version of DependencyCheck analyzer. *Not recommended* | |
+| `rsa_key` | Specify the RSA_KEY of DependencyCheck analyzer download. *Not recommended* | |
+| `verbose` | The file path to write verbose logging information | |
+| `fail_on_cvss` | Specifies if the build should be failed if a CVSS score above a specified level is identified. Since the CVSS scores are 0-10, by default the build will never fail | |
+| `junit_fail_on_cvss` | Specifies the CVSS score that is considered a failure when generating the junit report | |
+| `keep_binary_on_exit` | Keep `DependencyCheck` binary and data on exit | |
+
+## Requirements
+
+* [Xcode](https://developer.apple.com/downloads)
+* [Xcode Command Line Tools](http://railsapps.github.io/xcode-command-line-tools.html)
+
+## Getting Started
+
+To get started with `dependency_check_ios_analyzer`, add it to your project by running:
+
+```bash
+$ fastlane add_plugin dependency_check_ios_analyzer
+```
+
+## Usage
+
+```ruby
+vulnerabilities_count = dependency_check_ios_analyzer(
+  output_types: 'HTML, JUNIT',
+  fail_on_cvss: 7
+)
+```

data/lib/fastlane/plugin/dependency_check_ios_analyzer.rb

@@ -0,0 +1,16 @@
+require 'fastlane/plugin/dependency_check_ios_analyzer/version'
+
+module Fastlane
+  module DependencyCheckIosAnalyzer
+    # Return all .rb files inside the "actions" and "helper" directory
+    def self.all_classes
+      Dir[File.expand_path('**/{actions,helper}/*.rb', File.dirname(__FILE__))]
+    end
+  end
+end
+
+# By default we want to import all available actions and helpers
+# A plugin can contain any number of actions and plugins
+Fastlane::DependencyCheckIosAnalyzer.all_classes.each do |current|
+  require current
+end

data/lib/fastlane/plugin/dependency_check_ios_analyzer/actions/dependency_check_ios_analyzer_action.rb

@@ -0,0 +1,166 @@
+require 'fastlane_core/ui/ui'
+require 'fastlane/action'
+require_relative '../helper/analyzer_helper'
+require_relative '../helper/pods_helper'
+require_relative '../helper/spm_helper'
+
+module Fastlane
+  module Actions
+    class DependencyCheckIosAnalyzerAction < Action
+      def self.run(params)
+        params[:output_types] = Helper::AnalyzerHelper.parse_output_types(params[:output_types])
+        bin_path = Helper::AnalyzerHelper.install(params)
+        @success = Helper::SpmHelper.analize(bin_path: bin_path, params: params)
+        @vulnerabilities = Helper::AnalyzerHelper.parse_report("#{params[:output_directory]}/SPM/*.sarif")
+        on_exit(params)
+      end
+
+      def self.on_exit(params)
+        Helper::AnalyzerHelper.clean_up(params)
+        say_goodbye = "🦠 There are #{@vulnerabilities} potential vulnerabilities. " \
+                      'Check out the report for further investigation.'
+        @success ? UI.important(say_goodbye) : UI.crash!(say_goodbye)
+      end
+
+      #####################################################
+      #                   Documentation                   #
+      #####################################################
+
+      def self.description
+        'Fastlane wrapper around the OWASP dependency-check Swift Package Manager and Cocoapods analyzers.'
+      end
+
+      def self.authors
+        ["Alexey Alter-Pesotskiy"]
+      end
+
+      def self.example_code
+        [
+          vulnerabilities_count = dependency_check_ios_analyzer(
+            project_name: 'MyProject',
+            skip_pods_analysis: true,
+            output_types: 'HTML, JUNIT',
+            fail_on_cvss: 7
+          )
+        ]
+      end
+
+      def self.return_value
+        @vulnerabilities
+      end
+
+      def self.available_options
+        [
+          FastlaneCore::ConfigItem.new(
+            key: :skip_spm_analysis,
+            description: 'Skip analysis of SPM dependencies',
+            optional: true,
+            default_value: false,
+            is_string: false,
+            type: Boolean
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :skip_pods_analysis,
+            description: 'Skip analysis of Cocoapods dependencies',
+            optional: true,
+            default_value: false,
+            is_string: false,
+            type: Boolean
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :spm_checkouts_path,
+            description: 'Path to Swift Packages, if they are resolved',
+            optional: true,
+            is_string: true,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :pod_file_lock_path,
+            description: 'Path to the Podfile.lock file',
+            optional: true,
+            is_string: true,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :project_name,
+            description: "The project's name",
+            optional: true,
+            default_value: 'DependencyCheck',
+            is_string: true,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :output_directory,
+            description: 'The directory in which all reports will be stored',
+            optional: true,
+            default_value: 'dependency-check',
+            is_string: true,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :output_types,
+            description: 'Comma separated list of the output types (e.g. html, xml, csv, json, junit, sarif, all)',
+            optional: true,
+            default_value: 'SARIF',
+            is_string: true,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :cli_version,
+            description: 'Specify the required version of DependencyCheck analyzer. Not recommended',
+            optional: true,
+            is_string: true,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :rsa_key,
+            description: 'Specify the RSA_KEY of DependencyCheck analyzer download. Not recommended',
+            optional: true,
+            is_string: true,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :verbose,
+            description: 'The file path to write verbose logging information',
+            optional: true,
+            is_string: true,
+            type: String
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :fail_on_cvss,
+            description: 'Specifies if the build should be failed if a CVSS score above a specified level is identified. ' \
+                         'Since the CVSS scores are 0-10, by default the build will never fail',
+            optional: true,
+            default_value: 11,
+            is_string: false,
+            type: Integer
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :junit_fail_on_cvss,
+            description: 'Specifies the CVSS score that is considered a failure when generating the junit report',
+            optional: true,
+            default_value: 0,
+            is_string: false,
+            type: Integer
+          ),
+          FastlaneCore::ConfigItem.new(
+            key: :keep_binary_on_exit,
+            description: 'Keep DependencyCheck binary and data on exit',
+            optional: true,
+            default_value: true,
+            is_string: false,
+            type: Boolean
+          )
+        ]
+      end
+
+      def self.category
+        :testing
+      end
+
+      def self.is_supported?(platform)
+        [:ios, :mac].include?(platform)
+      end
+    end
+  end
+end

data/lib/fastlane/plugin/dependency_check_ios_analyzer/helper/analyzer_helper.rb

@@ -0,0 +1,91 @@
+require 'json'
+require 'curb'
+require 'zip'
+
+module Fastlane
+  UI = FastlaneCore::UI unless Fastlane.const_defined?("UI")
+
+  module Helper
+    class AnalyzerHelper
+      def self.install(params)
+        repo = 'https://github.com/jeremylong/DependencyCheck'
+        name = 'dependency-check'
+        version = params[:cli_version] ? params[:cli_version] : '6.1.6'
+        rsa_key = params[:rsa_key] ? params[:rsa_key] : 'F9514E84AE3708288374BBBE097586CFEA37F9A6'
+        base_url = "#{repo}/releases/download/v#{version}/#{name}-#{version}-release"
+        bin_path = "#{params[:output_directory]}/#{name}/bin/#{name}.sh"
+        zip_path = "#{params[:output_directory]}/#{name}.zip"
+        asc_path = "#{zip_path}.asc"
+
+        unless File.exist?(bin_path)
+          FileUtils.mkdir_p(params[:output_directory])
+
+          unless File.exist?(zip_path)
+            zip_url = "#{base_url}.zip"
+            UI.message("🚀 Downloading DependencyCheck: #{zip_url}")
+            curl = Curl.get(zip_url) { |curl| curl.follow_location = true }
+            File.open(zip_path, 'w+') { |f| f.write(curl.body_str) }
+          end
+
+          asc_url = "#{base_url}.zip.asc"
+          UI.message("🚀 Downloading associated GPG signature file: #{asc_url}")
+          curl = Curl.get(asc_url) { |curl| curl.follow_location = true }
+          File.open(asc_path, 'w+') { |f| f.write(curl.body_str) }
+
+          verify_cryptographic_integrity(asc_path: asc_path, rsa_key: rsa_key)
+
+          unzip(file: zip_path, params: params)
+
+          FileUtils.rm_rf(zip_path)
+          FileUtils.rm_rf(asc_path)
+        end
+
+        bin_path
+      end
+
+      def self.parse_output_types(output_types)
+        list = output_types.delete(' ').split(',')
+        list << 'sarif' unless list.include?('sarif')
+        report_types = ''
+        list.each { |output_type| report_types += " --format #{output_type.upcase}" }
+
+        UI.message("🎥 Output types: #{list}")
+        report_types
+      end
+
+      def self.parse_report(report)
+        if Dir[report].empty?
+          UI.crash!('Something went wrong. There is no report to analyze. Consider reporting a bug.')
+        end
+
+        JSON.parse(File.read(Dir[report].first))['runs'][0]['results'].size
+      end
+
+      def self.clean_up(params)
+        return if params[:keep_binary_on_exit]
+
+        FileUtils.rm_rf("#{params[:output_directory]}/dependency-check")
+      end
+
+      private
+
+      def self.unzip(file:, params:)
+        Zip::File.open(file) do |zip_file|
+          zip_file.each do |f|
+            fpath = File.join(params[:output_directory], f.name)
+            zip_file.extract(f, fpath) unless File.exist?(fpath)
+          end
+        end
+      end
+
+      # https://jeremylong.github.io/DependencyCheck/dependency-check-cli/
+      def self.verify_cryptographic_integrity(asc_path:, rsa_key:)
+        UI.message("🕵️  Verifying the cryptographic integrity")
+        # Import the GPG key used to sign all DependencyCheck releases
+        Actions.sh("gpg --keyserver hkp://keys.gnupg.net --recv-keys #{rsa_key}")
+        # Verify the cryptographic integrity
+        Actions.sh("gpg --verify #{asc_path}")
+      end
+    end
+  end
+end

data/lib/fastlane/plugin/dependency_check_ios_analyzer/helper/pods_helper.rb

@@ -0,0 +1,27 @@
+module Fastlane
+  UI = FastlaneCore::UI unless Fastlane.const_defined?("UI")
+
+  module Helper
+    class PodsHelper
+      def self.analize(params)
+        if params[:skip_pods_analysis]
+          UI.important("⚡ Cocoapods dependencies will NOT be analyzed.")
+          return 0
+        end
+
+        0 # FIXME: https://github.com/alteral/fastlane-plugin-dependency_check_ios_analyzer/issues/3
+      end
+
+      private
+
+      def self.verify(params)
+        report = "#{params[:output_directory]}/Cocoapods/*.sarif"
+        if Dir[report].empty?
+          UI.crash!('Something went wrong. There is no report to analyze. Consider reporting a bug.')
+        end
+
+        JSON.parse(File.read(Dir[report].first))
+      end
+    end
+  end
+end

data/lib/fastlane/plugin/dependency_check_ios_analyzer/helper/spm_helper.rb

@@ -0,0 +1,58 @@
+module Fastlane
+  UI = FastlaneCore::UI unless Fastlane.const_defined?("UI")
+
+  module Helper
+    class SpmHelper
+      def self.analize(bin_path:, params:)
+        if params[:skip_spm_analysis]
+          UI.important("⚡ SPM dependencies will NOT be analyzed.")
+          return 0
+        end
+
+        # Verify xcodebuild
+        UI.user_error!("xcodebuild not installed") if `which xcodebuild`.length.zero?
+
+        # Specify verbose output
+        verbose = params[:verbose] ? " --log #{params[:verbose]}" : ''
+
+        # Resolve package ddependencies
+        checkouts_path = resolve_package_dependencies(params)
+
+        # Make the script executable
+        Actions.sh("chmod 775 #{bin_path}")
+
+        # Execute DependencyCheck
+        begin
+          Actions.sh(
+            "#{bin_path}" \
+              " --enableExperimental" \
+              " --disableBundleAudit" \
+              " --prettyPrint" \
+              " --project #{params[:project_name]}" \
+              " --out #{params[:output_directory]}/SPM" \
+              " --failOnCVSS #{params[:fail_on_cvss]}" \
+              " --scan #{checkouts_path}" \
+              "#{params[:output_types]}" \
+              "#{verbose}"
+          )
+        rescue
+          return false
+        end
+
+        true
+      end
+
+      private
+
+      def self.resolve_package_dependencies(params)
+        return params[:spm_checkouts_path] if params[:spm_checkouts_path]
+
+        checkouts_path = "#{params[:output_directory]}/SPM/SourcePackages"
+        Actions.sh("set -o pipefail && xcodebuild -resolvePackageDependencies -clonedSourcePackagesDirPath #{checkouts_path}")
+
+        UI.message("🎉 SPM checkouts path: #{checkouts_path}")
+        checkouts_path
+      end
+    end
+  end
+end

data/lib/fastlane/plugin/dependency_check_ios_analyzer/version.rb

@@ -0,0 +1,5 @@
+module Fastlane
+  module DependencyCheckIosAnalyzer
+    VERSION = '0.1.0'
+  end
+end

metadata

@@ -0,0 +1,205 @@
+--- !ruby/object:Gem::Specification
+name: fastlane-plugin-dependency_check_ios_analyzer
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Alexey Alter-Pesotskiy
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-05-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: curb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubyzip
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.49.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.49.1
+- !ruby/object:Gem::Dependency
+  name: rubocop-require_tools
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: fastlane
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.144.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.144.0
+description:
+email: a.alterpesotskiy@mail.ru
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/fastlane/plugin/dependency_check_ios_analyzer.rb
+- lib/fastlane/plugin/dependency_check_ios_analyzer/actions/dependency_check_ios_analyzer_action.rb
+- lib/fastlane/plugin/dependency_check_ios_analyzer/helper/analyzer_helper.rb
+- lib/fastlane/plugin/dependency_check_ios_analyzer/helper/pods_helper.rb
+- lib/fastlane/plugin/dependency_check_ios_analyzer/helper/spm_helper.rb
+- lib/fastlane/plugin/dependency_check_ios_analyzer/version.rb
+homepage: https://github.com/alteral/fastlane-plugin-dependency_check_ios_analyzer
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key:
+specification_version: 4
+summary: Fastlane wrapper around the OWASP dependency-check Swift Package Manager
+  and Cocoapods analyzers.
+test_files: []