cyclonedx / cyclonedx-cocoapods
Creates CycloneDX Software Bill-of-Materials (SBOM) from Objective-C and Swift projects that use CocoaPods.
License: Apache License 2.0
The tool gathers information from both Podfile and Podfile.lock, but it doesn't currently check that they are synced, so it could generate a wrong BOM in case they aren't.
We should check that those files are in sync and abort with an error if they aren't, asking the user to run pod install. There's an open issue asking how to detect this programmatically at CocoaPods/CocoaPods#10643
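One cheap way to implement such a check, as an added example that is not part of the project's code: CocoaPods records a SHA-1 of the Podfile in Podfile.lock under PODFILE CHECKSUM (an assumption about how pod install writes the lockfile; verify against your CocoaPods version), so recomputing that digest over the current Podfile and comparing it with the recorded value tells you whether the two files were last written together. The sample Podfile and lockfile below are constructed for the example.

```ruby
require 'digest'

# Extract the SHA-1 that `pod install` recorded for the Podfile (assumption: the
# lockfile carries a "PODFILE CHECKSUM: <40 hex chars>" line).
def lockfile_checksum(lockfile_text)
  m = lockfile_text.match(/^PODFILE CHECKSUM:\s*(\h{40})\s*$/)
  m && m[1]
end

# Returns [in_sync?, message]. Any mismatch or missing checksum is reported as
# "out of sync" so the caller can abort before building a BOM from stale data.
def podfile_in_sync?(podfile_text, lockfile_text)
  recorded = lockfile_checksum(lockfile_text)
  return [false, 'Podfile.lock has no PODFILE CHECKSUM; run `pod install`'] if recorded.nil?

  actual = Digest::SHA1.hexdigest(podfile_text)
  if actual == recorded
    [true, 'Podfile and Podfile.lock are in sync']
  else
    [false, "Podfile changed since Podfile.lock was written (#{actual[0, 8]} != #{recorded[0, 8]}); run `pod install`"]
  end
end

# Constructed sample inputs (not taken from any real project).
SAMPLE_PODFILE = <<~PODFILE
  platform :ios, '13.0'
  target 'App' do
    pod 'Alamofire', '~> 5.6'
  end
PODFILE

def sample_lockfile(podfile_text)
  <<~LOCK
    PODS:
      - Alamofire (5.6.2)

    DEPENDENCIES:
      - Alamofire (~> 5.6)

    PODFILE CHECKSUM: #{Digest::SHA1.hexdigest(podfile_text)}

    COCOAPODS: 1.11.3
  LOCK
end

ok, msg = podfile_in_sync?(SAMPLE_PODFILE, sample_lockfile(SAMPLE_PODFILE))
puts "#{ok ? 'OK' : 'ABORT'}: #{msg}"
```

In the real tool the two texts would be read from the paths the CLI already resolves; the check costs one file read and one digest, so it can run unconditionally before analysis starts.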
As an SBOM consumer I would like to have the evidence element added as components/component/evidence (XPath-like syntax), especially for the identity element, so that I can make better decisions regarding the contents of SBOMs created with cyclonedx-cocoapods.
This project uses the "manifest-analysis" technique which has confidence from 0.4 to 0.6 (based on this guide).
Here is a JSON example from a Java bom to make it more concrete:
"evidence": {
  "identity": {
    "field": "purl",
    "confidence": 0.8,
    "methods": [
      {
        "technique": "binary-analysis",
        "confidence": 0.8,
        "value": "/tmp/mvn-deps-fN9MGL/us/springett/alpine-common/2.2.4-SNAPSHOT/alpine-common-2.2.4-SNAPSHOT.jar"
      }
    ]
  },
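As an added example (not code from cyclonedx-cocoapods), here is how a generator could attach such an identity evidence block to a component in its JSON output, using manifest-analysis at 0.5 confidence (the middle of the 0.4 to 0.6 range mentioned above) and validating the technique name and confidence range before emitting. The technique list is the CycloneDX 1.5 identity enum as I recall it; verify it against the schema version you target.

```ruby
require 'json'

# Identity techniques as listed in the CycloneDX 1.5 schema (assumption: recalled
# from the spec, check against the schema you validate against).
TECHNIQUES = %w[source-code-analysis binary-analysis manifest-analysis ast-fingerprint
                hash-comparison instrumentation dynamic-analysis filename attestation other].freeze

IdentityMethod = Struct.new(:technique, :confidence, :value, keyword_init: true)

def validate_method!(m)
  raise ArgumentError, "unknown technique #{m.technique.inspect}" unless TECHNIQUES.include?(m.technique)
  unless m.confidence.is_a?(Numeric) && (0.0..1.0).cover?(m.confidence)
    raise ArgumentError, "confidence must be within 0..1, got #{m.confidence.inspect}"
  end
end

# Build the `evidence` object for one identity field (e.g. "purl").
def identity_evidence(field:, methods:)
  raise ArgumentError, 'at least one identity method is required' if methods.empty?
  methods.each { |m| validate_method!(m) }
  {
    'identity' => {
      'field' => field,
      # Overall confidence: the strongest single method (a choice made for this example).
      'confidence' => methods.map(&:confidence).max,
      'methods' => methods.map do |m|
        { 'technique' => m.technique, 'confidence' => m.confidence, 'value' => m.value }.compact
      end
    }
  }
end

# A component as the generator would emit it, with evidence pointing at the
# manifest (Podfile.lock) the identity was read from.
def component_with_evidence(name:, version:, lockfile_path:)
  {
    'type' => 'library',
    'name' => name,
    'version' => version,
    'purl' => "pkg:cocoapods/#{name}@#{version}",
    'evidence' => identity_evidence(
      field: 'purl',
      methods: [IdentityMethod.new(technique: 'manifest-analysis', confidence: 0.5, value: lockfile_path)]
    )
  }
end

puts JSON.pretty_generate(component_with_evidence(name: 'Alamofire', version: '5.6.2', lockfile_path: 'Podfile.lock'))
```

A consumer can then read the technique and confidence per component instead of guessing how the identity was established.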
A Github Action that runs the unit tests should be added and triggered on all PRs. This action may need to run on a macOS agent in order to have the bundle install work properly, but that can be tested. Preferably a linux agent with ruby could be used, but I'm not sure if the specific CocoaPods gem will work on linux.
Currently there is an Xcode build action that does nothing; this should be removed.
Improve the error messaging in the code that gathers pod attributes.
When we cannot find information on a pod, we should let the user know that they can try running pod repo update in order to fix the problem for themselves.
See issue #47 for a specific example.
Worked fine before updating the Gemfile.lock, but after a bundle update I'm getting this error:
+ cyclonedx-cocoapods --path . --output ./bom.xml
E, [2022-10-05T11:51:12.904570 #78143] ERROR -- : Version 5.6.2 not found for pod Alamofire
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/lib/cyclonedx/cocoapods/pod_attributes.rb:40:in `attributes_for'
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/lib/cyclonedx/cocoapods/pod_attributes.rb:68:in `complete_information_from_source'
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/lib/cyclonedx/cocoapods/podfile_analyzer.rb:67:in `block in populate_pods_with_additional_info'
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/lib/cyclonedx/cocoapods/podfile_analyzer.rb:65:in `each'
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/lib/cyclonedx/cocoapods/podfile_analyzer.rb:65:in `populate_pods_with_additional_info'
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/lib/cyclonedx/cocoapods/cli_runner.rb:43:in `run'
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/exe/cyclonedx-cocoapods:23:in `<top (required)>'
/Users/jenkins/.rbenv/versions/2.7.6/bin/cyclonedx-cocoapods:23:in `load'
/Users/jenkins/.rbenv/versions/2.7.6/bin/cyclonedx-cocoapods:23:in
In this line, the check is for an empty string, but if the key pod_name does not exist in the hash pods_cache, it gets a nil object and crashes.
Adding a check for pods_cache.key?(pod_name) fixed it for me.
cyclonedx-cocoapods version: 1.1.0
ruby version: 2.6
installation Method: https://github.com/CycloneDX/cyclonedx-cocoapods#from-source
I have installed Cyclonedx-cocoapods on mac from source
Done installing documentation for ffi, ethon, typhoeus, netrc, public_suffix, addressable, cocoapods-core, claide, cocoapods-deintegrate, cocoapods-downloader, cocoapods-plugins, cocoapods-search, cocoapods-trunk, cocoapods-try, molinillo, atomos, rexml, CFPropertyList, colored2, nanaimo, xcodeproj, escape, fourflusher, gh_inspector, ruby-macho, cocoapods, cyclonedx-cocoapods after 10 seconds
27 gems installed
But I receive a "command not found" error when trying cyclonedx-cocoapods --path --output:
ZSH: command not found: cyclonedx-cocoapods
Any help appreciated. Thanks!
Right now only basic information for dependencies declared using :path is included in the BoM. More information could probably be included by directly inspecting the corresponding Podfile.
Hi,
thanks for your work on this tool.
I tried to install cyclonedx-cocoapods as stated in the README.md via gem install cyclonedx-cocoapods and got the following error:
ERROR: Could not find a valid gem 'cyclonedx-cocoapods' (>= 0) in any repository
(Same for gem install cyclonedx-cocoapods --source http://rubygems.org)
A search on RubyGems has no results ("NO GEMS FOUND").
Am I missing something or is the gem currently not available on RubyGems?
Cocoapods itself is written in Ruby. It can be assumed that many of the dependencies used for analyzing the manifest are also written in Ruby. The CycloneDX implementation should also be written in Ruby so that it can take advantage of the native ecosystem's ability to resolve dependencies.
It may be possible to build on top of the work from https://github.com/CycloneDX/cyclonedx-ruby-gem, as Cocoapods was inspired by Gem.
As an app developer, I want to more easily create an SBOM that does not include dependencies only used by testing targets so that I can provide the SBOM to customers without exposing internal development-only dependencies.
Other CycloneDX generators offer a parameter to ignore some build targets. cyclonedx-maven uses -DexcludeTestProject=true to skip build targets that include the word "test" in their name. cyclonedx-gradle has a more generic skipConfigs that is a comma-separated list of specific build configs to skip. cyclonedx-dotnet has a -t|-exclude-test-projects parameter to exclude test projects from the BOM.
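The two exclusion styles described above (a name heuristic like cyclonedx-maven's and an explicit skip list like cyclonedx-gradle's) can be shown on a Podfile directly. The following is an added example, not the project's analyzer: it evaluates a constructed Podfile with a minimal stand-in for the Podfile DSL (the real tool uses CocoaPods' own Podfile class, which is assumed here to record the same target/pod structure) and computes the set of pods that should reach the BOM.

```ruby
# Minimal evaluator for the subset of the Podfile DSL needed here. The Podfile is
# Ruby, so instance_eval with the DSL methods defined on this object collects the
# target tree and the pods declared in each target.
class MiniPodfile
  Target = Struct.new(:name, :pods)

  attr_reader :targets

  def initialize
    @targets = []
    @open = [] # stack of targets whose block is currently being evaluated
  end

  def self.parse(text)
    podfile = new
    podfile.instance_eval(text, 'Podfile', 1)
    podfile
  end

  # DSL calls we accept but do not need to record for this purpose.
  def platform(*_args); end
  def use_frameworks!(*_args); end
  def inhibit_all_warnings!; end
  def inherit!(*_args); end

  def target(name)
    t = Target.new(name.to_s, [])
    @targets << t
    @open.push(t)
    begin
      yield if block_given?
    ensure
      @open.pop
    end
  end

  def pod(name, *_requirements)
    raise "pod '#{name}' declared outside any target" if @open.empty?
    @open.last.pods << name.to_s
  end
end

# Name heuristic in the spirit of cyclonedx-maven's excludeTestProject.
TEST_TARGET_PATTERN = /test/i

# Pods to include in the BOM after dropping excluded targets. `skip_targets` is the
# explicit list style (like cyclonedx-gradle's skipConfigs).
def pods_for_bom(podfile_text, exclude_test_targets: true, skip_targets: [])
  podfile = MiniPodfile.parse(podfile_text)
  kept = podfile.targets.reject do |t|
    (exclude_test_targets && t.name.match?(TEST_TARGET_PATTERN)) || skip_targets.include?(t.name)
  end
  kept.flat_map(&:pods).uniq.sort
end

# Constructed sample Podfile (not from any real project).
SAMPLE_PODFILE_WITH_TESTS = <<~PODFILE
  platform :ios, '13.0'
  use_frameworks!
  target 'App' do
    pod 'Alamofire', '~> 5.6'
    pod 'SnapKit'
    target 'AppTests' do
      inherit! :search_paths
      pod 'Quick'
      pod 'Nimble'
    end
    target 'AppUITests' do
      pod 'KIF'
    end
  end
PODFILE

puts "default (test targets excluded): #{pods_for_bom(SAMPLE_PODFILE_WITH_TESTS).join(', ')}"
puts "everything: #{pods_for_bom(SAMPLE_PODFILE_WITH_TESTS, exclude_test_targets: false).join(', ')}"
```

Note that pods declared in a parent target are kept even when a nested test target is dropped; only the pods the excluded target itself declares disappear from the BOM.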
Hello,
Installed the gem from source and ran the command against our Podfile.
The command ends with an error claiming that the string (assuming the gathered information ?) is empty.
The debug information is not helping me any further. I'd at least expect the command to not fail on this or am I missing something?
[~/Developer/iOS/__redacted__(develop) » cyclonedx-cocoapods --output ~/Desktop/sbom.xml --version 6 --verbose
D, [2021-06-04T12:00:20.098051 #2818] DEBUG -- : Running cyclonedx-cocoapods with options: {:bom_file_path=>"/Users/__redacted__/Desktop/sbom.xml", :version=>"6", :verbose=>true}
D, [2021-06-04T12:00:20.129243 #2818] DEBUG -- : Parsing pods from /Users/__redacted__/Developer/iOS/__redacted__/Podfile
D, [2021-06-04T12:00:20.130990 #2818] DEBUG -- : Parsing sources from /Users/__redacted__/Developer/iOS/__redacted__/Podfile
D, [2021-06-04T12:00:20.131015 #2818] DEBUG -- : Ensuring ssh://git@__redacted__.com/ci/ios-podspecs.git is available for searches
D, [2021-06-04T12:00:20.145778 #2818] DEBUG -- : Ensuring https://cdn.cocoapods.org/ is available for searches
D, [2021-06-04T12:00:20.157155 #2818] DEBUG -- : Source manager successfully created with all needed sources
D, [2021-06-04T12:00:20.159103 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:20.159153 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:20.159169 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:20.159181 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:20.159190 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:20.159199 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:20.159210 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:20.968949 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769228 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769270 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769284 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769294 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769304 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769313 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769321 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769330 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769339 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769349 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769358 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769415 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769425 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769433 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769442 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769451 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769459 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769468 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769477 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769486 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769494 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769503 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769577 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769617 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769630 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769654 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769682 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769691 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769714 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769723 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769733 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769742 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769752 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769761 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769769 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769778 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769786 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769795 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769804 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:21.769814 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:22.564058 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:23.377236 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:24.165368 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:24.970466 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:24.970509 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:24.970522 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:24.970532 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:24.970542 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:24.970551 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:24.970561 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:24.970570 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:25.788437 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:26.607824 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:27.402107 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:28.196569 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.009122 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851528 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851572 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851586 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851598 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851607 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851617 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851625 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851634 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851644 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851654 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851663 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851673 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851682 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851692 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851701 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851710 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:29.851739 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:30.752827 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:30.752872 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:30.752885 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:30.752896 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:30.752906 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:30.752915 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:30.752924 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:30.752934 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:31.625014 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:32.466079 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:32.466124 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:32.466138 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:32.466148 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:33.307836 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:34.133026 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:34.982654 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:34.982697 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:34.982711 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:34.982722 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:35.855545 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:36.722789 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:37.539859 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:38.352666 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:39.183909 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:40.062747 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:40.917725 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:41.750894 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:42.567512 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:42.567553 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:42.567566 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:42.567576 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:42.567585 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:42.567595 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:43.371611 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:44.158346 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:44.954720 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:45.746193 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:45.746234 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:45.746247 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:45.746257 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:46.526634 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:47.302412 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:48.085324 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:48.880122 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:49.667318 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:50.444545 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:51.281905 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:52.101963 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:52.898107 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:53.702590 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:54.510911 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:54.510951 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:55.311839 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:56.101243 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:56.883488 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:57.665924 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:58.444985 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:59.241089 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:59.241128 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:59.241141 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:59.241151 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:59.241161 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:59.241169 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:59.241179 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:59.241188 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:59.241198 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:59.241208 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:00:59.241217 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:00.064505 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:00.914531 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:01.740640 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:02.543301 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:03.392991 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:04.221063 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:04.221103 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:05.110176 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:05.110220 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:05.110233 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:05.110244 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:05.110253 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:05.110263 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:05.110273 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:05.952391 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:05.952429 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:05.952442 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:05.952452 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:05.952461 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:06.739860 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:07.538798 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:08.366389 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:09.222626 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:10.013712 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:10.823147 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:10.823188 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:10.823202 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:10.823212 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:10.823222 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:10.823232 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:11.641751 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:11.641790 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:11.641803 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:11.641814 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:12.435691 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:12.435730 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:12.435744 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:12.435754 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:12.435764 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:13.280043 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:13.280084 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:13.280098 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:14.075914 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:14.075955 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:14.887470 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:15.708232 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:16.535753 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:16.535796 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:16.535809 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:16.535820 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:17.353114 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:18.161127 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:18.972516 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:19.762288 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:20.560377 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:21.415953 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:22.311584 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:23.122326 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:23.975540 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:24.801319 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:25.614612 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:26.489350 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:27.332639 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:28.226355 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:29.066521 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:29.066560 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:29.885714 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:30.696139 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:31.493590 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:32.271903 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:33.063362 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:33.899812 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:34.778222 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:34.778262 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:34.778275 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:34.778286 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:34.778295 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:34.778304 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:34.778313 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:34.778323 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:34.778332 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:34.778341 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:34.778351 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:34.778359 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:34.778369 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:35.562116 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:35.562157 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:35.562170 #2818] DEBUG -- : Completing information for __redacted__
D, [2021-06-04T12:01:35.562180 #2818] DEBUG -- : Completing information for __redacted__
E, [2021-06-04T12:01:36.355879 #2818] ERROR -- : string contains null byte
Hey, I generated an SBOM using this tool but on uploading this to DTrack I see that there is no dependency graph created, what could be the issue here?
Right now only basic information for dependencies declared using :podspec is included in the BoM. More information could probably be included by directly inspecting the corresponding Podfile.
RuboCop is a linter and formatter for Ruby code. Following its standards will make the project code better.
This should probably take more than a single PR to accomplish because a basic rubocop lib run to check the main library code indicates 323 offenses to change in the 9 ruby files. 239 of those are correctable through automation (although they will have to be checked for correctness), leaving about a hundred offenses to manually correct. The spec folder has even more issues to resolve.
Get the code ready for the 1.0.0 release to RubyGems.
The generated BOM should use purl subpaths for dependencies on CocoaPods subspecs.
Right now only basic information for dependencies declared using :git is included in the BoM. More information could probably be included by directly inspecting the corresponding Podfile.
When the author and publisher are a key/value pair they are imported wrongly:
<component type="library">
  <author>
    Krzysztof Zabłocki
    <krzysztof.zablocki @pixle.pl=>
  </author>
  <publisher>
    Krzysztof Zabłocki
    <krzysztof.zablocki @pixle.pl=>
  </publisher>
  <name>Sourcery</name>
  <version>0.17.0</version>
  <description> A tool that brings meta-programming to Swift, allowing you to code generate Swift code. * Featuring daemon mode that allows you to write templates side-by-side with generated code. * Using SourceKit so you can scan your regular code. </description>
The original podspec:
  "description": "A tool that brings meta-programming to Swift, allowing you to code generate Swift code.\n * Featuring daemon mode that allows you to write templates side-by-side with generated code.\n * Using SourceKit so you can scan your regular code.",
  "homepage": "https://github.com/krzysztofzablocki/Sourcery",
  "license": "MIT",
  "authors": {
    "Krzysztof Zabłocki": "[email protected]"
  },
Hi there!
I noticed that Dependency Track (DT) doesn't analyze a BOM whose "author" or "publisher" field is longer than 255 characters. See the log file below:
2024-01-16 10:14:04,206 ERROR [BomUploadProcessingTask] Error while processing bom
javax.jdo.JDOFatalUserException: Attempt to store value "Mark J. Cox <[email protected]>, Ralf S. Engelschall <[email protected]>, Dr. Stephen Henson <[email protected]>, Ben Laurie <[email protected]>, Lutz Jänicke <[email protected]>, Nils Larsch <[email protected]>, Richard Levitte <[email protected]>, Bodo Möller <[email protected]>, Ulf Möller <[email protected]>, Andy Polyakov <[email protected]>, Geoff Thorpe <[email protected]>, Holger Reif <[email protected]>, Paul C. Sutton <[email protected]>, Eric A. Young <[email protected]>, Tim Hudson <[email protected]>, Justin Plouffe <[email protected]>" in column ""PUBLISHER"" that has maximum length of 255. Please correct your data!
at org.datanucleus.api.jdo.JDOAdapter.getJDOExceptionForNucleusException(JDOAdapter.java:678)
at org.datanucleus.api.jdo.JDOPersistenceManager.jdoMakePersistent(JDOPersistenceManager.java:702)
at org.datanucleus.api.jdo.JDOPersistenceManager.makePersistent(JDOPersistenceManager.java:722)
at alpine.persistence.AbstractAlpineQueryManager.persist(AbstractAlpineQueryManager.java:427)
at org.dependencytrack.persistence.ComponentQueryManager.createComponent(ComponentQueryManager.java:306)
at org.dependencytrack.persistence.QueryManager.createComponent(QueryManager.java:496)
at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:183)
at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:128)
at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
According to my internal tests, small changes in the file https://github.com/CycloneDX/cyclonedx-cocoapods/blob/main/lib/cyclonedx/cocoapods/bom_builder.rb on lines 71 and 72 helped to put only the first 250 characters in the BOM:
xml.author author.slice(0, 250) unless author.nil?
xml.publisher author.slice(0, 250) unless author.nil?
This problem sounds similar to these issues in DT repository:
@macblazer Is it possible to add this fix to the next release?
In cli_runner.rb we are hardcoding the location of the CocoaPods repositories (local copies). This location may change if the user changes the default configuration. According to CocoaPods/CocoaPods#10643 we could use Config.instance.repos_dir to read this value from the current configuration.
According to the CocoaPods Podfile guide, pods can be directly downloaded using one of the following mechanisms:
- :path
- :git, possibly adding :branch, :tag or :commit
- :podspec
These cases should be taken into account when generating the purl for the dependency, using download_url/vcs_url as specified in the purl specification.
For each of these cases, the following should be decided:
- :path: taking into account that any other software processing the BOM probably won't have access to that pod? :path is usually specified with a plain path, not a URL. If we implement this, should we make sure this is a file: URL?
- :podspec: or can we trust the URL is valid if CocoaPods was already able to download it?
CycloneDX has been updated to specification v1.5 here. This tool should be updated to output v1.5 BOM files.
The code outputs a v1.2 BOM. It should be updated to output the latest version of the CycloneDX spec. Currently v1.4 as of this writing.
Hi, can you add a sample bom generated using the tool for any podfile.lock of your choice?
We can support both XML and JSON as output options using a CLI parameter.
The specification supports JSON and it should be fairly easy to adopt.
Before outputting the BOM file, sort things that are in arrays in the BOM. For example, all of the component elements should be sorted by name or purl.
This will provide stability in the output of the BOM from run to run on the same projects instead of having the same elements in a random order.
Would it be possible to update the dependency to cocoapods to a newer/the latest version?
We are using 1.11.3 for our builds, but to run this tool I have to use a second installation of Ruby with a lesser CocoaPods version. Seeing how I already built my project with the newer version and this tool actually runs and doesn't seem to change anything in my workspace, I assume there is no real reason to have it pinned to an older version.
When importing the generated SBOM in dependency-track, there is no dependency tree available. This seems to be because there is no dependency information available in the SBOM. Could this be added to the SBOM?
To better identify internally developed and hosted CocoaPods, the purl element should have a repository_url parameter added to it when the pod is not from the main CocoaPods git repo or CDN.
repository_url is explained with a couple of examples on this page: https://github.com/package-url/purl-spec
The main CocoaPods repositories are https://github.com/CocoaPods/Specs.git and https://cdn.cocoapods.org/.
I get the following error when creating a bom file and one of the libraries has a plus sign in the name, example pod 'NSDate+TimeAgo'
E, [2022-05-09T13:47:34.678733 #54428] ERROR -- : Root name shouldn't contain plus signs
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/lib/cyclonedx/cocoapods/pod.rb:38:in `initialize'
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/lib/cyclonedx/cocoapods/cli_runner.rb:179:in `new'
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/lib/cyclonedx/cocoapods/cli_runner.rb:179:in `block in parse_pods'
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/lib/cyclonedx/cocoapods/cli_runner.rb:178:in `map'
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/lib/cyclonedx/cocoapods/cli_runner.rb:178:in `parse_pods'
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/lib/cyclonedx/cocoapods/cli_runner.rb:45:in `run'
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/exe/cyclonedx-cocoapods:23:in `<top (required)>'
/Users/allan/.rvm/gems/ruby-2.6.5/bin/cyclonedx-cocoapods:25:in `load'
/Users/allan/.rvm/gems/ruby-2.6.5/bin/cyclonedx-cocoapods:25:in `<main>'
/Users/allan/.rvm/gems/ruby-2.6.5/bin/ruby_executable_hooks:24:in `eval'
/Users/allan/.rvm/gems/ruby-2.6.5/bin/ruby_executable_hooks:24:in `<main>'
Is this check necessary?
Related code is at pod.rb line 38
I'm getting an error: [!] Unable to find a pod with name matching `^BNFMatomo$`
My Podfile.lock has the following lines (showing only those relevant to the Pod):
PODS:
  - BNFMatomo (0.1.2)

DEPENDENCIES:
  - BNFMatomo (from `../node_modules/react-native-matomo`)

EXTERNAL SOURCES:
  BNFMatomo:
    :path: "../node_modules/react-native-matomo"
Any ideas how to make sure it deals with Pods not in the main CocoaPods search?
José González Gómez has given permission on the OWASP CycloneDX slack to officially change the copyright.
Change the copyright info in the NOTICE file to Copyright (c) OWASP Foundation. Also change any comments at the tops of source files as needed.
Look into adding the license check job to the GitHub Actions workflow to check the license on all files automatically. See the cyclonedx-gomod project for an example.
We have just started using dependency-track and are therefore using this tool to generate BOMs for our iPhone apps. As with other tooling, we run this tool every night and import the result to DT.
Since our dependencies don't change every night, we expected the result to be the same every night. However, the initial import of the BOM shows more components in the project than the following imports.
In the current project, we have 65 components (according to the BOM -- haven't validated manually though), which is the exact amount being shown after the first import. On the newer imports, DT only shows 46 components...
Seeing this only happens when importing my CocoaPods BOM, I assume it is not a problem in DT, but rather in the data generated by this tool.
I've looked through some of the dependencies to maybe make some sense of it and I noticed that the components that are disappearing have similar/the same purl (difference is in the query-part, which I believe is unimportant) -- maybe/probably because they are defined as a subspec?
Attached are the Podfile, Podfile.lock and the generated BOM (local paths/servers removed).
And in case it is important/helps to find the problem: this is a react native iPhone app...
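As an added example that is not part of cyclonedx-cocoapods, this Ruby snippet builds a purl along the lines the repository_url, plus-sign and subspec posts above call for: percent-encoding the pod name instead of rejecting "NSDate+TimeAgo", adding repository_url only when the source is not one of the main CocoaPods repositories, and placing a subspec in the purl subpath so two subspecs of one pod do not collapse into one component. The helper names, MAIN_REPOS and the sample inputs are assumptions; encoding everything outside the RFC 3986 unreserved set is more than the purl spec strictly requires but stays valid because purl consumers percent-decode each component.

```ruby
# Added example, not cyclonedx-cocoapods code. Builds a CycloneDX purl for a
# CocoaPods component: pkg:cocoapods/<name>@<version>[?repository_url=...][#<subspec>]

# The main CocoaPods sources named in the repository_url post; assumed list.
MAIN_REPOS = ['https://github.com/CocoaPods/Specs.git',
              'https://cdn.cocoapods.org/'].freeze

# Conservative percent-encoding: keep only RFC 3986 unreserved characters and
# encode every other byte (so '+' becomes %2B, ':' %3A, '/' %2F). Multi-byte
# UTF-8 characters are encoded byte by byte.
def purl_encode(str)
  str.gsub(/[^A-Za-z0-9._~-]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# A pod with no recorded source, or one from Specs.git / the CDN, needs no
# repository_url qualifier; trailing slashes and letter case are ignored.
def main_repo?(source)
  return true if source.nil? || source.empty?

  MAIN_REPOS.any? { |repo| repo.chomp('/').casecmp?(source.chomp('/')) }
end

# pod_name is "Pod" or "Pod/Subspec" as written in Podfile.lock; the subspec
# goes into the purl subpath, as in pkg:cocoapods/GoogleUtilities@7.5.2#NSData+zlib
# from the purl spec, so subspecs keep distinct purls.
def cocoapods_purl(pod_name, version, source: nil)
  name, subspec = pod_name.split('/', 2)
  purl = "pkg:cocoapods/#{purl_encode(name)}@#{purl_encode(version)}"
  purl += "?repository_url=#{purl_encode(source)}" unless main_repo?(source)
  purl += "##{purl_encode(subspec)}" if subspec
  purl
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs, not taken from a real project
  puts cocoapods_purl('NSDate+TimeAgo', '0.1.1')
  puts cocoapods_purl('GoogleUtilities/NSData+zlib', '7.5.2', source: 'https://cdn.cocoapods.org/')
  puts cocoapods_purl('Internal', '1.0', source: 'https://git.example.com/specs.git')
end
```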
The example_bom.xml file includes the cyclonedx-cocoapods tool and version number, which makes sense. But it also includes the two direct dependencies of cyclonedx-cocoapods as tools starting at line 12. I think dependencies shouldn't be listed in the tools section like that. Should they be removed?
The code adding them is in bom_builder.rb at line 152.