fastlane-plugin-dependency_check_ios_analyzer 0.3.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0c616a1b00b47f1a1617d2d76d68ed0ec3c852dd7ad98063b7642701938fe1c2
-  data.tar.gz: dfedd536f98aa734ee7b77e23c728c7159667853a061fcf22f314c2a00f8ef6d
+  metadata.gz: 6e345f12b5563a7925a7e3f9f68bec30cba87d77c008549f6894a2f2466933bd
+  data.tar.gz: d1c5771351ae90caaf6cde75684fdffdb60a63513f0ea6d6a7464c0a712cd506
 SHA512:
-  metadata.gz: e8d13d7abadb6013b7e94d369f7c53e989b362dabe36af1992da3939cbd71b21ddec902e8582de9b72bf4eaeb892fa537d55fce3e130187786dc96a8f2481be6
-  data.tar.gz: 8310cd0d2fba159280ebf3c52eef846ec99c1b0d2d3ab5c59c4547194478377a269d92f9e0dc99831c4c1ad9466c62581ca5ae0381baf915aed1521dc221bc3d
+  metadata.gz: 00d998579a40c7ff824191c74cdbdae8189c3391a9fc081517798967612d714f71470d0480835dae02bc33526d5982202e1591abf517fa79b34c7cb5124266dc
+  data.tar.gz: 224c59d4cb97b25fdc1dd22983a921b37eed9267bf2903feffe7bdebe8a3c8533da982345dfff2324ed17143c1e03b3f5ad3c9030c55c7f34f68fca9047bb5a6

data/README.md

@@ -4,7 +4,7 @@
 
 ## About dependency_check_ios_analyzer
 
-Fastlane wrapper around the [OWASP dependency-check](https://jeremylong.github.io/DependencyCheck) [Swift Package Manager](https://jeremylong.github.io/DependencyCheck/analyzers/swift.html) and [Cocoapods](https://jeremylong.github.io/DependencyCheck/analyzers/cocoapods.html) analyzers 🚀
+Fastlane wrapper around the [OWASP dependency-check](https://jeremylong.github.io/DependencyCheck) iOS analyzers ([Swift Package Manager](https://jeremylong.github.io/DependencyCheck/analyzers/swift.html) and [CocoaPods](https://jeremylong.github.io/DependencyCheck/analyzers/cocoapods.html)).
 
 This analyzer is considered experimental. While it may be useful and provide valid results more testing must be completed to ensure that the false negative/false positive rates are acceptable.
 
@@ -14,18 +14,18 @@ This analyzer is considered experimental. While it may be useful and provide val
 | ------- |---------------- | ----------- |
 | `skip_spm_analysis` | Skip analysis of `SPM` dependencies | `false` |
 | `skip_pods_analysis` | Skip analysis of `CocoaPods` dependencies | `false` |
-| `spm_checkouts_path` | Path to Swift Packages, if they are resolved | |
-| `pod_file_lock_path` | Path to the `Podfile.lock` file. **Not implemented yet** | |
+| `spm_checkouts_path` | Path to Swift Packages, if resolved | |
+| `pod_file_lock_path` | Path to the `Podfile.lock` file, if exists | |
 | `project_path` | Path to the directory that contains an Xcode project, workspace or package. Defaults to the `root` | |
 | `project_name` | The project's name | `DependencyCheck` |
-| `output_directory` | The directory in which all reports will be stored | dependency-check |
+| `output_directory` | The directory in which all reports will be stored | `dependency-check` |
 | `output_types` | Comma separated list of the output types (e.g. `html`, `xml`, `csv`, `json`, `junit`, `sarif`, `all`) | `sarif` |
 | `cli_version` | Overwrite the version of `DependencyCheck` analyzer | `6.1.6` |
 | `gpg_key` | Overwrite the GPG key to verify the cryptographic integrity of the requested `cli_version` | |
 | `verbose` | The file path to write verbose logging information | |
-| `fail_on_cvss` | Specifies if the build should be failed if a CVSS score above a specified level is identified. Since the CVSS scores are 0-10, by default the build will never fail | |
-| `junit_fail_on_cvss` | Specifies the CVSS score that is considered a failure when generating the junit report | |
-| `keep_binary_on_exit` | Keep `DependencyCheck` binary and data on exit | |
+| `fail_on_cvss` | Specifies if the build should be failed if a CVSS score above a specified level is identified. Since the CVSS scores are 0-10, by default the build will never fail | `11` |
+| `junit_fail_on_cvss` | Specifies the CVSS score that is considered a failure when generating the junit report | `0` |
+| `keep_binary_on_exit` | Keep `DependencyCheck` binary and data on exit | `true` |
 
 ## Requirements
 
@@ -43,8 +43,9 @@ $ fastlane add_plugin dependency_check_ios_analyzer
 ## Usage
 
 ```ruby
-vulnerabilities_count = dependency_check_ios_analyzer(
-  output_types: 'HTML, JUNIT',
+dependency_check_ios_analyzer(
+  project_name: 'SampleProject',
+  output_types: 'html, junit',
   fail_on_cvss: 7
 )
 ```

data/lib/fastlane/plugin/dependency_check_ios_analyzer/actions/dependency_check_ios_analyzer_action.rb

@@ -1,25 +1,25 @@
 require 'fastlane_core/ui/ui'
 require 'fastlane/action'
+require_relative '../helper/configuration_helper'
 require_relative '../helper/analyzer_helper'
-require_relative '../helper/pods_helper'
-require_relative '../helper/spm_helper'
 
 module Fastlane
   module Actions
     class DependencyCheckIosAnalyzerAction < Action
       def self.run(params)
-        params[:output_types] = Helper::AnalyzerHelper.parse_output_types(params[:output_types])
-        bin_path = Helper::AnalyzerHelper.install(params)
-        @success = Helper::SpmHelper.analize(bin_path: bin_path, params: params)
-        @vulnerabilities = Helper::AnalyzerHelper.parse_report("#{params[:output_directory]}/SPM/report/*.sarif")
-        on_exit(params)
+        params[:output_types] = Helper::ConfigurationHelper.parse_output_types(params[:output_types])
+        bin_path = Helper::ConfigurationHelper.install(params)
+
+        spm_analysis = Helper::AnalyzerHelper.analize_packages(bin_path: bin_path, params: params)
+        pods_analysis = Helper::AnalyzerHelper.analize_pods(bin_path: bin_path, params: params)
+
+        on_exit(params: params, result: (spm_analysis && pods_analysis))
       end
 
-      def self.on_exit(params)
-        Helper::AnalyzerHelper.clean_up(params)
-        say_goodbye = "🦠 There are #{@vulnerabilities} potential vulnerabilities. " \
-                      'Check out the report for further investigation.'
-        @success ? UI.important(say_goodbye) : UI.crash!(say_goodbye)
+      def self.on_exit(params:, result:)
+        Helper::ConfigurationHelper.clean_up(params)
+        say_goodbye = '✨ Check out the report for further investigation.'
+        result ? UI.important(say_goodbye) : UI.user_error!(say_goodbye)
       end
 
       #####################################################
@@ -27,7 +27,7 @@ module Fastlane
       #####################################################
 
       def self.description
-        'Fastlane wrapper around the OWASP dependency-check Swift Package Manager and Cocoapods analyzers.'
+        'Fastlane wrapper around the OWASP dependency-check iOS analyzers (Swift Package Manager and CocoaPods).'
       end
 
       def self.authors
@@ -36,19 +36,14 @@ module Fastlane
 
       def self.example_code
         [
-          vulnerabilities_count = dependency_check_ios_analyzer(
+          dependency_check_ios_analyzer(
             project_name: 'SampleProject',
-            skip_pods_analysis: true,
             output_types: 'html, junit',
-            fail_on_cvss: 7
+            fail_on_cvss: 3
           )
         ]
       end
 
-      def self.return_value
-        @vulnerabilities
-      end
-
       def self.available_options
         [
           FastlaneCore::ConfigItem.new(
@@ -69,14 +64,14 @@ module Fastlane
           ),
           FastlaneCore::ConfigItem.new(
             key: :spm_checkouts_path,
-            description: 'Path to Swift Packages, if they are resolved',
+            description: 'Path to Swift Packages, if resolved',
             optional: true,
             is_string: true,
             type: String
           ),
           FastlaneCore::ConfigItem.new(
             key: :pod_file_lock_path,
-            description: 'Path to the Podfile.lock file',
+            description: 'Path to the Podfile.lock file, if exists',
             optional: true,
             is_string: true,
             type: String

data/lib/fastlane/plugin/dependency_check_ios_analyzer/helper/analyzer_helper.rb

@@ -1,90 +1,111 @@
-require 'json'
-require 'curb'
-require 'zip'
-
 module Fastlane
   UI = FastlaneCore::UI unless Fastlane.const_defined?("UI")
 
   module Helper
     class AnalyzerHelper
-      def self.install(params)
-        repo = 'https://github.com/jeremylong/DependencyCheck'
-        name = 'dependency-check'
-        version = params[:cli_version] ? params[:cli_version] : '6.1.6'
-        gpg_key = params[:gpg_key] ? params[:gpg_key] : 'F9514E84AE3708288374BBBE097586CFEA37F9A6'
-        base_url = "#{repo}/releases/download/v#{version}/#{name}-#{version}-release"
-        bin_path = "#{params[:output_directory]}/#{name}/bin/#{name}.sh"
-        zip_path = "#{params[:output_directory]}/#{name}.zip"
-        asc_path = "#{zip_path}.asc"
-
-        unless File.exist?(bin_path)
-          FileUtils.mkdir_p(params[:output_directory])
-
-          unless File.exist?(zip_path)
-            zip_url = "#{base_url}.zip"
-            UI.message("🚀 Downloading DependencyCheck: #{zip_url}")
-            curl = Curl.get(zip_url) { |curl| curl.follow_location = true }
-            File.open(zip_path, 'w+') { |f| f.write(curl.body_str) }
-          end
-
-          asc_url = "#{base_url}.zip.asc"
-          UI.message("🚀 Downloading associated GPG signature file: #{asc_url}")
-          curl = Curl.get(asc_url) { |curl| curl.follow_location = true }
-          File.open(asc_path, 'w+') { |f| f.write(curl.body_str) }
-
-          verify_cryptographic_integrity(asc_path: asc_path, gpg_key: gpg_key)
-
-          unzip(file: zip_path, params: params)
-
-          FileUtils.rm_rf(zip_path)
-          FileUtils.rm_rf(asc_path)
-        end
+      def self.analize_packages(bin_path:, params:)
+        return true if params[:skip_spm_analysis]
+
+        path_to_report = "#{params[:output_directory]}/SwiftPackages"
+        clean_reports_folder(path_to_report)
+        params[:spm_checkouts_path] = resolve_package_dependencies(params)
+
+        check_dependencies(
+          params: params,
+          bin_path: bin_path,
+          path_to_report: path_to_report,
+          destination: params[:spm_checkouts_path]
+        )
+      end
+
+      def self.analize_pods(bin_path:, params:)
+        return true if params[:skip_pods_analysis]
 
-        bin_path
+        path_to_report = "#{params[:output_directory]}/CocoaPods"
+        clean_reports_folder(path_to_report)
+        params[:pod_file_lock_path] = resolve_pods_dependencies(params)
+
+        check_dependencies(
+          params: params,
+          bin_path: bin_path,
+          path_to_report: path_to_report,
+          destination: params[:pod_file_lock_path]
+        )
       end
 
-      def self.parse_output_types(output_types)
-        list = output_types.delete(' ').split(',')
-        list << 'sarif' unless list.include?('sarif')
-        report_types = ''
-        list.each { |output_type| report_types += " --format #{output_type.upcase}" }
+      private
 
-        UI.message("🎥 Output types: #{list}")
-        report_types
+      def self.clean_reports_folder(path)
+        FileUtils.rm_rf(path)
+        FileUtils.mkdir_p(path)
       end
 
-      def self.parse_report(report)
-        if Dir[report].empty?
-          UI.crash!('Something went wrong. There is no report to analyze. Consider reporting a bug.')
+      def self.check_dependencies(params:, bin_path:, path_to_report:, destination:)
+        # Specify verbose output
+        verbose = params[:verbose] ? " --log #{params[:verbose]}" : ''
+
+        # Make the script executable
+        Actions.sh("chmod 775 #{bin_path}")
+
+        # Execute dependency-check
+        begin
+          Actions.sh(
+            "#{bin_path}" \
+              " --enableExperimental" \
+              " --disableBundleAudit" \
+              " --prettyPrint" \
+              " --project #{params[:project_name]}" \
+              " --out #{path_to_report}/report" \
+              " --failOnCVSS #{params[:fail_on_cvss]}" \
+              " --scan #{destination}" \
+              "#{params[:output_types]}" \
+              "#{verbose}"
+          )
+          true
+        rescue
+          false
         end
+      end
+
+      def self.parse_the_report(report)
+        UI.crash!('There is no report to analyze. Consider reporting a bug.') if Dir[report].empty?
 
         JSON.parse(File.read(Dir[report].first))['runs'][0]['results'].size
       end
 
-      def self.clean_up(params)
-        return if params[:keep_binary_on_exit]
+      def self.resolve_package_dependencies(params)
+        return params[:spm_checkouts_path] if params[:spm_checkouts_path]
 
-        FileUtils.rm_rf("#{params[:output_directory]}/dependency-check")
-      end
+        UI.user_error!("xcodebuild not installed") if `which xcodebuild`.length.zero?
 
-      private
+        checkouts_path = "#{params[:output_directory]}/SwiftPackages/checkouts"
+        checkouts_path = "#{Dir.pwd}/#{checkouts_path}" unless params[:output_directory].include?(Dir.pwd)
 
-      def self.unzip(file:, params:)
-        Zip::File.open(file) do |zip_file|
-          zip_file.each do |f|
-            fpath = File.join(params[:output_directory], f.name)
-            zip_file.extract(f, fpath) unless File.exist?(fpath)
-          end
+        if params[:project_path]
+          Actions.sh("cd #{params[:project_path]} && " \
+                     "set -o pipefail && " \
+                     "xcodebuild -resolvePackageDependencies -clonedSourcePackagesDirPath #{checkouts_path}")
+        else
+          Actions.sh("set -o pipefail && " \
+                     "xcodebuild -resolvePackageDependencies -clonedSourcePackagesDirPath #{checkouts_path}")
         end
+
+        UI.message("🎉 SPM checkouts path: #{checkouts_path}")
+        checkouts_path
       end
 
-      # https://jeremylong.github.io/DependencyCheck/dependency-check-cli/
-      def self.verify_cryptographic_integrity(asc_path:, gpg_key:)
-        UI.message("🕵️  Verifying the cryptographic integrity")
-        # Import the GPG key used to sign all DependencyCheck releases
-        Actions.sh("gpg --keyserver hkp://keys.gnupg.net --recv-keys #{gpg_key}")
-        # Verify the cryptographic integrity
-        Actions.sh("gpg --verify #{asc_path}")
+      def self.resolve_pods_dependencies(params)
+        return params[:pod_file_lock_path] if params[:pod_file_lock_path]
+
+        UI.user_error!("pod not installed") if `which pod`.length.zero?
+
+        if params[:project_path]
+          Actions.sh("cd #{params[:project_path]} && set -o pipefail && pod install")
+        else
+          Actions.sh("set -o pipefail && pod install")
+        end
+
+        params[:project_path] ? "#{params[:project_path]}/Podfile.lock" : 'Podfile.lock'
       end
     end
   end

data/lib/fastlane/plugin/dependency_check_ios_analyzer/helper/configuration_helper.rb

@@ -0,0 +1,83 @@
+require 'json'
+require 'curb'
+require 'zip'
+
+module Fastlane
+  UI = FastlaneCore::UI unless Fastlane.const_defined?("UI")
+
+  module Helper
+    class ConfigurationHelper
+      def self.install(params)
+        repo = 'https://github.com/jeremylong/DependencyCheck'
+        name = 'dependency-check'
+        version = params[:cli_version] ? params[:cli_version] : '6.1.6'
+        gpg_key = params[:gpg_key] ? params[:gpg_key] : 'F9514E84AE3708288374BBBE097586CFEA37F9A6'
+        base_url = "#{repo}/releases/download/v#{version}/#{name}-#{version}-release"
+        bin_path = "#{params[:output_directory]}/#{name}/bin/#{name}.sh"
+        zip_path = "#{params[:output_directory]}/#{name}.zip"
+        asc_path = "#{zip_path}.asc"
+
+        unless File.exist?(bin_path)
+          FileUtils.mkdir_p(params[:output_directory])
+
+          unless File.exist?(zip_path)
+            zip_url = "#{base_url}.zip"
+            UI.message("🚀 Downloading DependencyCheck: #{zip_url}")
+            curl = Curl.get(zip_url) { |curl| curl.follow_location = true }
+            File.open(zip_path, 'w+') { |f| f.write(curl.body_str) }
+          end
+
+          asc_url = "#{base_url}.zip.asc"
+          UI.message("🚀 Downloading associated GPG signature file: #{asc_url}")
+          curl = Curl.get(asc_url) { |curl| curl.follow_location = true }
+          File.open(asc_path, 'w+') { |f| f.write(curl.body_str) }
+
+          verify_cryptographic_integrity(asc_path: asc_path, gpg_key: gpg_key)
+
+          unzip(file: zip_path, params: params)
+
+          FileUtils.rm_rf(zip_path)
+          FileUtils.rm_rf(asc_path)
+        end
+
+        bin_path
+      end
+
+      def self.parse_output_types(output_types)
+        list = output_types.delete(' ').split(',')
+        list << 'sarif' unless output_types =~ (/(sarif|all)/)
+        report_types = ''
+        list.each { |output_type| report_types += " --format #{output_type.upcase}" }
+
+        UI.message("🎥 Output types: #{list}")
+        report_types
+      end
+
+      def self.clean_up(params)
+        return if params[:keep_binary_on_exit]
+
+        FileUtils.rm_rf("#{params[:output_directory]}/dependency-check")
+      end
+
+      private
+
+      def self.unzip(file:, params:)
+        Zip::File.open(file) do |zip_file|
+          zip_file.each do |f|
+            fpath = File.join(params[:output_directory], f.name)
+            zip_file.extract(f, fpath) unless File.exist?(fpath)
+          end
+        end
+      end
+
+      # https://jeremylong.github.io/DependencyCheck/dependency-check-cli/
+      def self.verify_cryptographic_integrity(asc_path:, gpg_key:)
+        UI.message("🕵️  Verifying the cryptographic integrity")
+        # Import the GPG key used to sign all DependencyCheck releases
+        Actions.sh("gpg --keyserver hkp://keys.gnupg.net --recv-keys #{gpg_key}")
+        # Verify the cryptographic integrity
+        Actions.sh("gpg --verify #{asc_path}")
+      end
+    end
+  end
+end

data/lib/fastlane/plugin/dependency_check_ios_analyzer/version.rb

@@ -1,5 +1,5 @@
 module Fastlane
   module DependencyCheckIosAnalyzer
-    VERSION = '0.3.0'
+    VERSION = '1.0.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fastlane-plugin-dependency_check_ios_analyzer
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Alexey Alter-Pesotskiy
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-05-01 00:00:00.000000000 Z
+date: 2021-05-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: curb
@@ -38,6 +38,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: cocoapods
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -189,8 +203,7 @@ files:
 - lib/fastlane/plugin/dependency_check_ios_analyzer.rb
 - lib/fastlane/plugin/dependency_check_ios_analyzer/actions/dependency_check_ios_analyzer_action.rb
 - lib/fastlane/plugin/dependency_check_ios_analyzer/helper/analyzer_helper.rb
-- lib/fastlane/plugin/dependency_check_ios_analyzer/helper/pods_helper.rb
-- lib/fastlane/plugin/dependency_check_ios_analyzer/helper/spm_helper.rb
+- lib/fastlane/plugin/dependency_check_ios_analyzer/helper/configuration_helper.rb
 - lib/fastlane/plugin/dependency_check_ios_analyzer/version.rb
 homepage: https://github.com/alteral/fastlane-plugin-dependency_check_ios_analyzer
 licenses:
@@ -214,6 +227,6 @@ requirements: []
 rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
-summary: Fastlane wrapper around the OWASP dependency-check Swift Package Manager
-  and Cocoapods analyzers.
+summary: Fastlane wrapper around the OWASP dependency-check iOS analyzers (Swift Package
+  Manager and CocoaPods).
 test_files: []

data/lib/fastlane/plugin/dependency_check_ios_analyzer/helper/pods_helper.rb

@@ -1,27 +0,0 @@
-module Fastlane
-  UI = FastlaneCore::UI unless Fastlane.const_defined?("UI")
-
-  module Helper
-    class PodsHelper
-      def self.analize(params)
-        if params[:skip_pods_analysis]
-          UI.important("⚡ Cocoapods dependencies will NOT be analyzed.")
-          return 0
-        end
-
-        0 # FIXME: https://github.com/alteral/fastlane-plugin-dependency_check_ios_analyzer/issues/3
-      end
-
-      private
-
-      def self.verify(params)
-        report = "#{params[:output_directory]}/Cocoapods/*.sarif"
-        if Dir[report].empty?
-          UI.crash!('Something went wrong. There is no report to analyze. Consider reporting a bug.')
-        end
-
-        JSON.parse(File.read(Dir[report].first))
-      end
-    end
-  end
-end

data/lib/fastlane/plugin/dependency_check_ios_analyzer/helper/spm_helper.rb

@@ -1,67 +0,0 @@
-module Fastlane
-  UI = FastlaneCore::UI unless Fastlane.const_defined?("UI")
-
-  module Helper
-    class SpmHelper
-      def self.analize(bin_path:, params:)
-        if params[:skip_spm_analysis]
-          UI.important("⚡ SPM dependencies will NOT be analyzed.")
-          return 0
-        end
-
-        # Verify xcodebuild
-        UI.user_error!("xcodebuild not installed") if `which xcodebuild`.length.zero?
-
-        # Specify verbose output
-        verbose = params[:verbose] ? " --log #{params[:verbose]}" : ''
-
-        # Resolve package ddependencies
-        checkouts_path = resolve_package_dependencies(params)
-
-        # Make the script executable
-        Actions.sh("chmod 775 #{bin_path}")
-
-        # Execute DependencyCheck
-        begin
-          Actions.sh(
-            "#{bin_path}" \
-              " --enableExperimental" \
-              " --disableBundleAudit" \
-              " --prettyPrint" \
-              " --project #{params[:project_name]}" \
-              " --out #{params[:output_directory]}/SPM/report" \
-              " --failOnCVSS #{params[:fail_on_cvss]}" \
-              " --scan #{checkouts_path}" \
-              "#{params[:output_types]}" \
-              "#{verbose}"
-          )
-        rescue
-          return false
-        end
-
-        true
-      end
-
-      private
-
-      def self.resolve_package_dependencies(params)
-        return params[:spm_checkouts_path] if params[:spm_checkouts_path]
-
-        checkouts_path = "#{params[:output_directory]}/SPM/SourcePackages"
-        checkouts_path = "#{Dir.pwd}/#{checkouts_path}" unless params[:output_directory].include?(Dir.pwd)
-
-        if params[:project_path]
-          Actions.sh("cd #{params[:project_path]} && " \
-                     "set -o pipefail && " \
-                     "xcodebuild -resolvePackageDependencies -clonedSourcePackagesDirPath #{checkouts_path}")
-        else
-          Actions.sh("set -o pipefail && " \
-                     "xcodebuild -resolvePackageDependencies -clonedSourcePackagesDirPath #{checkouts_path}")
-        end
-
-        UI.message("🎉 SPM checkouts path: #{checkouts_path}")
-        checkouts_path
-      end
-    end
-  end
-end