
cyclonedx / cyclonedx-cocoapods

19.0 19.0 12.0 256 KB

Creates CycloneDX Software Bill-of-Materials (SBOM) from Objective-C and Swift projects that use CocoaPods.

License: Apache License 2.0

Ruby 99.87% Shell 0.13%
bill-of-materials bom cocoapods cyclonedx mbom objective-c obom owasp saasbom sbom sbom-generator software-bill-of-materials swift vex

cyclonedx-cocoapods's People

Contributors

coderpatros, dependabot[bot], dwaynecoussement, jgongo, macblazer, stevespringett


cyclonedx-cocoapods's Issues

Check the Podfile and Podfile.lock are synced

The tool gathers information from both Podfile and Podfile.lock, but it doesn't currently check that they are synced, so it could generate a wrong BOM in case they aren't.

We should check that those files are in sync and abort with an error if they aren't, asking the user to run pod install. There's an open issue asking how to detect this programmatically at CocoaPods/CocoaPods#10643
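One way to perform that check, given here as an added example and not as code from cyclonedx-cocoapods: it compares the PODFILE CHECKSUM recorded in Podfile.lock with a fresh SHA-1 of the Podfile (the assumption being that CocoaPods computes that field as the SHA-1 hex digest of the Podfile's bytes), and it also diffs the pod names literally declared in the Podfile against the lockfile's DEPENDENCIES list, so that a pod added without running pod install is named in the error instead of silently missing from the BOM. The Podfile and Podfile.lock it runs on are constructed in a temporary directory.

```ruby
# Added example, not cyclonedx-cocoapods code: refuse to build an SBOM from a
# Podfile/Podfile.lock pair that has drifted apart.
require 'digest'
require 'yaml'
require 'tmpdir'

module PodfileSync
  # Assumption: CocoaPods writes `PODFILE CHECKSUM:` in Podfile.lock as the
  # SHA-1 hex digest of the Podfile's raw bytes (Pod::Podfile#checksum).
  def self.podfile_checksum(podfile_path)
    Digest::SHA1.hexdigest(File.binread(podfile_path))
  end

  # Names from literal `pod 'Name'` / `pod "Name/Subspec"` lines. This is a
  # textual scan, not an evaluation of the Podfile (which is arbitrary Ruby),
  # so pods declared inside conditionals or loops are not seen; the checksum
  # comparison still catches those edits.
  def self.declared_pods(podfile_path)
    File.read(podfile_path).scan(/^\s*pod\s+['"]([^'"\/]+)/).flatten.uniq.sort
  end

  # Root names from the DEPENDENCIES section of the parsed lockfile:
  # "Alamofire (~> 5.6)" -> "Alamofire", "Foo/Sub (= 1.0)" -> "Foo".
  def self.locked_dependencies(lock)
    Array(lock['DEPENDENCIES']).map { |d| d.split(%r{[\s/]}, 2).first }.uniq.sort
  end

  # Returns nil when the pair is in sync, otherwise a hash naming each problem.
  def self.check(podfile_path, lockfile_path)
    return { missing_lockfile: lockfile_path } unless File.exist?(lockfile_path)

    lock = YAML.safe_load(File.read(lockfile_path))
    problems = {}
    recorded = lock['PODFILE CHECKSUM'].to_s
    actual = podfile_checksum(podfile_path)
    problems[:checksum] = { recorded: recorded, actual: actual } if recorded != actual

    declared = declared_pods(podfile_path)
    locked = locked_dependencies(lock)
    problems[:not_locked] = declared - locked unless (declared - locked).empty?
    problems[:stale_in_lock] = locked - declared unless (locked - declared).empty?
    problems.empty? ? nil : problems
  end

  # Constructed sample input (not a real project).
  SAMPLE_PODFILE = <<~PODFILE
    platform :ios, '13.0'
    target 'App' do
      use_frameworks!
      pod 'Alamofire', '~> 5.6'
      pod 'KeychainAccess'
    end
  PODFILE

  def self.sample_lockfile(podfile_text)
    <<~LOCK
      PODS:
        - Alamofire (5.6.2)
        - KeychainAccess (4.2.2)

      DEPENDENCIES:
        - Alamofire (~> 5.6)
        - KeychainAccess

      PODFILE CHECKSUM: #{Digest::SHA1.hexdigest(podfile_text)}

      COCOAPODS: 1.11.3
    LOCK
  end

  # Runs the check on an in-sync pair, then again after a pod is added to the
  # Podfile without `pod install`. Returns [in_sync_result, drifted_result].
  def self.demo
    Dir.mktmpdir do |dir|
      podfile = File.join(dir, 'Podfile')
      lockfile = File.join(dir, 'Podfile.lock')
      File.write(podfile, SAMPLE_PODFILE)
      File.write(lockfile, sample_lockfile(SAMPLE_PODFILE))
      in_sync = check(podfile, lockfile)
      File.write(podfile, SAMPLE_PODFILE.sub(/^end\n/, "  pod 'SwiftyBeaver'\nend\n"))
      [in_sync, check(podfile, lockfile)]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  in_sync, drifted = PodfileSync.demo
  puts "in sync:    #{in_sync.inspect}"
  puts "after edit: #{drifted.inspect}"
end
```

The demo returns nil for the matching pair and, for the edited Podfile, a hash with both a :checksum mismatch and :not_locked => ["SwiftyBeaver"], which is the message a user needs before re-running pod install. Note that this only proves the Podfile agrees with Podfile.lock; pod install also writes Pods/Manifest.lock, and diffing that against Podfile.lock is how the "[CP] Check Pods Manifest.lock" build phase detects a sandbox that is out of sync, so a generator that wants the installed state rather than the declared state should compare those two files as well.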

Add 'evidence' element for the components

As an SBOM consumer I would like to have the evidence element added as components/component/evidence (XPath-like syntax) especially for the identity element so that I can make better decisions regarding the contents of SBOMs created with cyclonedx-cocoapods.

This project uses the "manifest-analysis" technique which has confidence from 0.4 to 0.6 (based on this guide).

Here is a JSON example from a Java bom to make it more concrete:

"evidence": {
  "identity": {
    "field": "purl",
    "confidence": 0.8,
    "methods": [
      {
        "technique": "binary-analysis",
        "confidence": 0.8,
        "value": "/tmp/mvn-deps-fN9MGL/us/springett/alpine-common/2.2.4-SNAPSHOT/alpine-common-2.2.4-SNAPSHOT.jar"
      }
    ]
  }
}

Github Actions should run unit tests on PRs

A GitHub Action that runs the unit tests should be added and triggered on all PRs. This action may need to run on a macOS agent in order for bundle install to work properly, but that can be tested. Preferably a Linux agent with Ruby could be used, but I'm not sure if the specific CocoaPods gem will work on Linux.

Currently there is an Xcode build action that does nothing; this should be removed.

Error after update to latest rubygems version "Version 5.6.2 not found for pod Alamofire"

Worked fine before updating the Gemfile.lock, but after a bundle update I'm getting this error:

+ cyclonedx-cocoapods --path . --output ./bom.xml

E, [2022-10-05T11:51:12.904570 #78143] ERROR -- : Version 5.6.2 not found for pod Alamofire
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/lib/cyclonedx/cocoapods/pod_attributes.rb:40:in `attributes_for'
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/lib/cyclonedx/cocoapods/pod_attributes.rb:68:in `complete_information_from_source'
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/lib/cyclonedx/cocoapods/podfile_analyzer.rb:67:in `block in populate_pods_with_additional_info'
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/lib/cyclonedx/cocoapods/podfile_analyzer.rb:65:in `each'
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/lib/cyclonedx/cocoapods/podfile_analyzer.rb:65:in `populate_pods_with_additional_info'
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/lib/cyclonedx/cocoapods/cli_runner.rb:43:in `run'
/Users/jenkins/.rbenv/versions/2.7.6/lib/ruby/gems/2.7.0/gems/cyclonedx-cocoapods-1.1.0/exe/cyclonedx-cocoapods:23:in `<top (required)>'
/Users/jenkins/.rbenv/versions/2.7.6/bin/cyclonedx-cocoapods:23:in `load'
/Users/jenkins/.rbenv/versions/2.7.6/bin/cyclonedx-cocoapods:23:in `<main>'

crash with undefined method `empty?' for nil:NilClass

result.push(*pods_cache[pod_name]) unless pods_cache[pod_name].empty?

In this line the check is for an empty string, but if the key pod_name does not exist in the hash, pods_cache[pod_name] returns a null object and the call crashes.

Adding a check for pods_cache.key?(pod_name) fixed it for me.

cyclonedx-cocoapods version: 1.1.0
ruby version: 2.6
installation Method: https://github.com/CycloneDX/cyclonedx-cocoapods#from-source

Cyclonedx-cocoapods command doesn't work after installing all gems from source

I have installed Cyclonedx-cocoapods on macOS from source:

Done installing documentation for ffi, ethon, typhoeus, netrc, public_suffix, addressable, cocoapods-core, claide, cocoapods-deintegrate, cocoapods-downloader, cocoapods-plugins, cocoapods-search, cocoapods-trunk, cocoapods-try, molinillo, atomos, rexml, CFPropertyList, colored2, nanaimo, xcodeproj, escape, fourflusher, gh_inspector, ruby-macho, cocoapods, cyclonedx-cocoapods after 10 seconds

27 gems installed

But I'm receiving a "command not found" error when trying cyclonedx-cocoapods --path --output:

zsh: command not found: cyclonedx-cocoapods

Any help appreciated. Thanks!

Expand information for local pods

Right now only basic information for dependencies declared using :path is included in the BoM. More information could probably be included directly inspecting the corresponding Podfile.

Unable to install from RubyGems

Hi,
thanks for your work on this tool.

I tried to install cyclonedx-cocoapods as stated in the README.md via gem install cyclonedx-cocoapods and got the following error:

ERROR:  Could not find a valid gem 'cyclonedx-cocoapods' (>= 0) in any repository

(Same for gem install cyclonedx-cocoapods --source http://rubygems.org )

A search on RubyGems has no results ("NO GEMS FOUND").

Am I missing something or is the gem currently not available on RubyGems?

Create Initial Release

CocoaPods itself is written in Ruby. It can be assumed that many of the dependencies used for analyzing the manifest are also written in Ruby. The CycloneDX implementation should also be written in Ruby so that it can take advantage of the native ecosystem's ability to resolve dependencies.

  • Written in Ruby
  • Include component name, version, hashes, purl, and optionally any additional information.

It may be possible to build on top of the work from https://github.com/CycloneDX/cyclonedx-ruby-gem, as CocoaPods was inspired by Gem.

Add option to ignore dependencies used for testing

As an app developer, I want to more easily create an SBOM that does not include dependencies only used by testing targets so that I can provide the SBOM to customers without exposing internal development-only dependencies.

Other CycloneDX generators offer a parameter to ignore some build targets. cyclonedx-maven uses -DexcludeTestProject=true to skip build targets that include the word "test" in their name. cyclonedx-gradle has a more generic skipConfigs that is a comma-separated list of specific build configs to skip. cyclonedx-dotnet has a -t|--exclude-test-projects parameter to exclude test projects from the BOM.
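The per-target form of that option, as an added example and not something cyclonedx-cocoapods implements: a line scan that records which target each pod is declared in, applies the name heuristic the issue cites from cyclonedx-maven (target name contains "test"), and keeps a pod whenever the Podfile root or any non-test target declares it, so a library shared between the app and its test bundle is not dropped from the customer-facing SBOM. The Podfile is constructed, and the scan assumes the plain target/pod/do/end DSL; pods produced by Ruby logic inside the Podfile are invisible to it, so its result is a lower bound, not a substitute for the resolver.

```ruby
# Added example, not cyclonedx-cocoapods code: attribute pods to Podfile
# targets and drop the ones that only test targets use.
module TestTargetFilter
  TARGET_RE = /^\s*(?:abstract_)?target\s+['"]([^'"]+)['"]\s+do\b/
  BLOCK_RE  = /\bdo\s*(\|[^|]*\|)?\s*$/        # any other `do ... end` block
  POD_RE    = /^\s*pod\s+['"]([^'"\/]+)/        # literal `pod 'Name'` lines
  END_RE    = /^\s*end\b/
  # Heuristic from the issue's cyclonedx-maven example: a target whose name
  # contains "test" is a test target.
  TEST_RE   = /test/i

  # Maps target name => pods declared directly inside it; pods declared outside
  # any target land under "". Assumption: a line-based scan of the plain DSL
  # (target/pod/do/end). Pods generated by loops, conditionals or helper
  # methods are not seen.
  def self.pods_by_target(podfile_text)
    stack = ['']
    result = Hash.new { |h, k| h[k] = [] }
    podfile_text.each_line do |line|
      if (m = TARGET_RE.match(line))
        stack.push(m[1])
      elsif BLOCK_RE.match(line)
        stack.push(stack.last)   # post_install etc.: stays in the current target
      elsif (m = POD_RE.match(line))
        result[stack.last] << m[1]
      elsif END_RE.match(line) && stack.size > 1
        stack.pop
      end
    end
    result
  end

  # Pods the shipped app can contain: declared at root or in a non-test target.
  # A pod shared by a test target and an app target therefore stays in.
  def self.shippable_pods(podfile_text, test_pattern: TEST_RE)
    pods_by_target(podfile_text)
      .reject { |target, _| target.match?(test_pattern) }
      .values.flatten.uniq.sort
  end

  # Pods that would appear in the SBOM only because of test targets.
  def self.test_only_pods(podfile_text, test_pattern: TEST_RE)
    all = pods_by_target(podfile_text).values.flatten.uniq
    (all - shippable_pods(podfile_text, test_pattern: test_pattern)).sort
  end

  # Constructed sample (not a real project).
  SAMPLE_PODFILE = <<~PODFILE
    platform :ios, '13.0'
    source 'https://cdn.cocoapods.org/'

    target 'App' do
      use_frameworks!
      pod 'Alamofire', '~> 5.6'
      pod 'KeychainAccess'

      target 'AppTests' do
        inherit! :search_paths
        pod 'Quick'
        pod 'Nimble'
      end
    end

    target 'AppUITests' do
      pod 'Alamofire'   # also used by the app, so it must stay in the SBOM
      pod 'Nimble'
    end

    post_install do |installer|
      installer.pods_project.targets.each { |t| t.name }
    end
  PODFILE
end

if $PROGRAM_NAME == __FILE__
  puts "ship:      #{TestTargetFilter.shippable_pods(TestTargetFilter::SAMPLE_PODFILE).inspect}"
  puts "test-only: #{TestTargetFilter.test_only_pods(TestTargetFilter::SAMPLE_PODFILE).inspect}"
end
```

On the sample Podfile this keeps Alamofire and KeychainAccess and reports Quick and Nimble as test-only; Alamofire survives even though AppUITests also declares it. The test pattern is a parameter so a project whose test targets follow a different naming convention can pass its own, which is closer to cyclonedx-gradle's explicit skip list than to a fixed substring match.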

String contains null byte

Hello,

Installed the gem from source and ran the command against our Podfile.
The command ends with an error claiming that the string (assuming the gathered information?) is empty.
The debug information is not helping me any further. I'd at least expect the command not to fail on this, or am I missing something?

[~/Developer/iOS/__redacted__(develop) » cyclonedx-cocoapods --output ~/Desktop/sbom.xml --version 6 --verbose
D, [2021-06-04T12:00:20.098051 #2818] DEBUG -- : Running cyclonedx-cocoapods with options: {:bom_file_path=>"/Users/__redacted__/Desktop/sbom.xml", :version=>"6", :verbose=>true}
D, [2021-06-04T12:00:20.129243 #2818] DEBUG -- : Parsing pods from /Users/__redacted__/Developer/iOS/__redacted__/Podfile
D, [2021-06-04T12:00:20.130990 #2818] DEBUG -- : Parsing sources from /Users/__redacted__/Developer/iOS/__redacted__/Podfile
D, [2021-06-04T12:00:20.131015 #2818] DEBUG -- : Ensuring ssh://git@__redacted__.com/ci/ios-podspecs.git is available for searches
D, [2021-06-04T12:00:20.145778 #2818] DEBUG -- : Ensuring https://cdn.cocoapods.org/ is available for searches
D, [2021-06-04T12:00:20.157155 #2818] DEBUG -- : Source manager successfully created with all needed sources
D, [2021-06-04T12:00:20.159103 #2818] DEBUG -- : Completing information for __redacted__
[... 237 further "DEBUG -- : Completing information for __redacted__" lines, identical apart from their timestamps, omitted ...]
E, [2021-06-04T12:01:36.355879 #2818] ERROR -- : string contains null byte

Generated SBOM has no dependency graph

Hey, I generated an SBOM using this tool but on uploading this to DTrack I see that there is no dependency graph created, what could be the issue here?

Expand information for downloaded pods

Right now only basic information for dependencies declared using :podspec is included in the BoM. More information could probably be included directly inspecting the corresponding Podfile.

Follow RuboCop formatting and run RuboCop during PRs

RuboCop is a linter and formatter for Ruby code. Following its standards will make the project code better.

This should probably take more than a single PR to accomplish because a basic rubocop lib to check the main library code indicates 323 offenses to change in the 9 ruby files. 239 of those are correctable through automation (although they will have to be checked for correctness) leaving about a hundred offenses to manually correct. The spec folder has even more issues to resolve.

Prep for 1.0.0 release

Get the code ready for the 1.0.0 release to RubyGems.

  • Update the gemspec version number to 1.0.0.
  • Update the CHANGELOG.md to put everything under [Unreleased] into the [1.0.0] release.
  • Update the example_bom.xml to indicate the 1.0.0 tool version.

Expand information for git pods

Right now only basic information for dependencies declared using :git is included in the BoM. More information could probably be included directly inspecting the corresponding Podfile.

Author import

When the author and publisher is a key/value pair it's imported wrongly:

<component type="library">
  <author>
    Krzysztof Zabłocki
    <krzysztof.zablocki @pixle.pl=>
  </author>
  <publisher>
    Krzysztof Zabłocki
    <krzysztof.zablocki @pixle.pl=>
  </publisher>
  <name>Sourcery</name>
  <version>0.17.0</version>
  <description> A tool that brings meta-programming to Swift, allowing you to code generate Swift code. * Featuring daemon mode that allows you to write templates side-by-side with generated code. * Using SourceKit so you can scan your regular code.  </description>

The original podspec:

"description": "A tool that brings meta-programming to Swift, allowing you to code generate Swift code.\n  * Featuring daemon mode that allows you to write templates side-by-side with generated code.\n  * Using SourceKit so you can scan your regular code.",
"homepage": "https://github.com/krzysztofzablocki/Sourcery",
"license": "MIT",
"authors": {
  "Krzysztof Zabłocki": "[email protected]"
},

Fix length of "author" and "publisher" in order to upload to DT

Hi there!

I noticed that Dependency Track (DT) doesn't analyze the BOM with length of "author" and "publisher" fields more than 255 characters. See the log file below:

2024-01-16 10:14:04,206 ERROR [BomUploadProcessingTask] Error while processing bom
javax.jdo.JDOFatalUserException: Attempt to store value "Mark J. Cox <[email protected]>, Ralf S. Engelschall <[email protected]>, Dr. Stephen Henson <[email protected]>, Ben Laurie <[email protected]>, Lutz Jänicke <[email protected]>, Nils Larsch <[email protected]>, Richard Levitte <[email protected]>, Bodo Möller <[email protected]>, Ulf Möller <[email protected]>, Andy Polyakov <[email protected]>, Geoff Thorpe <[email protected]>, Holger Reif <[email protected]>, Paul C. Sutton <[email protected]>, Eric A. Young <[email protected]>, Tim Hudson <[email protected]>, Justin Plouffe <[email protected]>" in column ""PUBLISHER"" that has maximum length of 255. Please correct your data!
at org.datanucleus.api.jdo.JDOAdapter.getJDOExceptionForNucleusException(JDOAdapter.java:678)
at org.datanucleus.api.jdo.JDOPersistenceManager.jdoMakePersistent(JDOPersistenceManager.java:702)
at org.datanucleus.api.jdo.JDOPersistenceManager.makePersistent(JDOPersistenceManager.java:722)
at alpine.persistence.AbstractAlpineQueryManager.persist(AbstractAlpineQueryManager.java:427)
at org.dependencytrack.persistence.ComponentQueryManager.createComponent(ComponentQueryManager.java:306)
at org.dependencytrack.persistence.QueryManager.createComponent(QueryManager.java:496)
at org.dependencytrack.tasks.BomUploadProcessingTask.processComponent(BomUploadProcessingTask.java:183)
at org.dependencytrack.tasks.BomUploadProcessingTask.inform(BomUploadProcessingTask.java:128)
at alpine.event.framework.BaseEventService.lambda$publish$0(BaseEventService.java:101)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)

According to my internal tests, small changes in the file https://github.com/CycloneDX/cyclonedx-cocoapods/blob/main/lib/cyclonedx/cocoapods/bom_builder.rb on lines 71 and 72 helped to put only the first 250 characters in the BOM:

xml.author author.slice(0, 250) unless author.nil?
xml.publisher author.slice(0, 250) unless author.nil?

This problem sounds similar to these issues in DT repository:

@macblazer Is it possible to add this fix to the next release?
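
The two author-related issues above (the key / value authors hash rendered as a raw Ruby hash, and author/publisher strings longer than Dependency-Track's 255-character column) come from the same place: the podspec "authors" attribute is written to the BOM without being normalised. The following is an added example, not code from cyclonedx-cocoapods, of how that attribute could be normalised and bounded before it reaches the author and publisher elements. CocoaPods allows authors to be a String, an Array of Strings, or a Hash of name => email; the names, addresses and the 20-contributor list are constructed for the example, and the 255 limit is the one quoted in the log above.

```ruby
# Added example (not cyclonedx-cocoapods code): turn the podspec "authors"
# attribute into the single string written to <author> and <publisher>, and
# keep it within the 255-character column limit quoted in the log above.
# CocoaPods lets authors be a String, an Array of Strings, or a Hash of
# name => email; the names and addresses used here are constructed.
AUTHOR_MAX_LENGTH = 255

# "Name <email>" per entry, joined with ", ". A Hash value of nil or "" yields
# just the name, so a podspec without addresses still formats cleanly.
def format_authors(authors)
  entries =
    case authors
    when Hash  then authors.map { |name, email| email.to_s.empty? ? name.to_s : "#{name} <#{email}>" }
    when Array then authors.map(&:to_s)
    when nil   then []
    else [authors.to_s]
    end
  entries.map(&:strip).reject(&:empty?).join(', ')
end

# Cut at the last ", " inside the limit, so no entry is left half-written
# (a trailing "Name <ma" is worse than dropping that entry altogether).
def truncate_at_separator(text, limit = AUTHOR_MAX_LENGTH)
  return text if text.length <= limit

  cut = text[0, limit]
  boundary = cut.rindex(', ')
  boundary ? cut[0, boundary] : cut
end

def bom_author(authors)
  truncate_at_separator(format_authors(authors))
end

# Constructed list long enough to overflow the limit (each entry is 40 to 42
# characters, so the first six fit and the seventh would be cut in half).
MANY_AUTHORS = (1..20).map { |i| "Contributor #{i} <contributor#{i}@example.com>" }.freeze

puts bom_author({ 'Krzysztof Zabłocki' => 'kz@example.com' })
puts bom_author(MANY_AUTHORS)
```

String#length counts characters, which matches a VARCHAR(255) limit counted in characters; if the target store counts bytes instead, substitute bytesize in truncate_at_separator. Cutting at a separator rather than at a fixed offset (as the slice(0, 250) patch above does) keeps every surviving entry intact, at the cost of dropping slightly more of a very long list.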

Add proper qualifier to purl for directly downloaded pods

According to the CocoaPods Podfile guide, pods can be directly downloaded using one of the following mechanisms:

  • Using files from a local path: :path
  • From a podspec in the root of a library repository: :git possibly adding :branch, :tag or :commit
  • From a podspec outside a spec repository: :podspec

These cases should be taken into account when generating the purl for the dependency, using download_url/vcs_url as specified in the purl specification

For each of these cases, the following should be decided:

  • Whether to include the dependency in the generated BOM or not: for example, does it make sense to include a dependency to a local pod (:path) taking into account that any other software processing the BOM won't probably have access to that pod?
  • Format of the URL:
    • :path is usually specified with a plain path, not a URL. If we implement this, should we make sure this is a file: URL?
    • Is there any standard for git URLs including both source repository and a location in that repository (branch, tag or commit)?
    • Must we validate somehow the URL used in :podspec or can we trust the URL is valid if CocoaPods was already able to download it?

Improve stability of BOM output

Before outputting the BOM file, sort things that are in arrays in the BOM. For example, all of the component elements should be sorted by name or purl.

This will provide stability in the output of the BOM from run to run on the same projects instead of having the same elements in a random order.

Update compatibility with newer CocoaPod-versions

Would it be possible to update the dependency to cocoapods to a newer/the latest version?

We are using 1.11.3 for our builds, but to run this tool I have to use a second installation of Ruby with a lesser CocoaPods version. Seeing how I already built my project with the newer version and this tool actually runs and doesn't (seem) to change anything in my workspace, I assume there is no real reason to have it pinned to an older version.

Add dependencies between components

When importing the generated SBOM in dependency-track, there is no dependency tree available. This seems to be because there is no dependency information available in the SBOM. Could this be added to the SBOM?
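
A dependency tree can be derived from Podfile.lock alone: its PODS section lists every resolved pod with its version, and nests under each pod the pods it depends on. The following is an added example, not code from cyclonedx-cocoapods, that parses such a lock file and builds the CycloneDX "dependencies" array from it. The Podfile.lock text is constructed for the example, the application ref MyApp@1.0.0 is made up, and using name@version as the bom-ref is this example's choice (a purl-based ref would collide for a pod and its subspecs, as a later issue on this page shows).

```ruby
require 'json'
require 'yaml'

# Constructed Podfile.lock fragment for this example (not taken from the page).
# Under PODS: every resolved pod appears once with its version; a pod that
# depends on other pods carries them as a nested list, with an optional
# version requirement in parentheses. DEPENDENCIES: lists what the Podfile asks for.
PODFILE_LOCK = <<~LOCK
  PODS:
    - AFNetworking (4.0.1):
      - AFNetworking/NSURLSession (= 4.0.1)
      - AFNetworking/Reachability (= 4.0.1)
    - AFNetworking/NSURLSession (4.0.1):
      - AFNetworking/Reachability
    - AFNetworking/Reachability (4.0.1)
    - SDWebImage (5.18.3)
  DEPENDENCIES:
    - AFNetworking (~> 4.0)
    - SDWebImage
LOCK

# "AFNetworking/NSURLSession (= 4.0.1)" -> "AFNetworking/NSURLSession"
def pod_name(entry)
  entry.split(' ', 2).first
end

# Returns [versions, deps, direct]: name => version, name => [dependency names],
# and the names listed under DEPENDENCIES.
def parse_pods(lock_text)
  lock = YAML.safe_load(lock_text)
  versions = {}
  deps = {}
  lock.fetch('PODS').each do |item|
    # a pod with dependencies parses as { "Name (ver)" => [...] }, one without as "Name (ver)"
    spec, children = item.is_a?(Hash) ? item.first : [item, []]
    name, version = spec.match(/\A(\S+) \((.+)\)\z/).captures
    versions[name] = version
    deps[name] = children.map { |c| pod_name(c) }
  end
  [versions, deps, lock.fetch('DEPENDENCIES', []).map { |d| pod_name(d) }]
end

# bom-ref chosen for this example: name plus version. A purl-based ref would
# not do, because a pod and its subspecs share the same purl.
def bom_ref(name, version)
  "#{name}@#{version}"
end

# Build the CycloneDX "dependencies" array: one entry for the application
# (app_ref, depending on the direct dependencies) and one per resolved pod.
def dependency_graph(lock_text, app_ref)
  versions, deps, direct = parse_pods(lock_text)
  graph = [{ 'ref' => app_ref,
             'dependsOn' => direct.map { |n| bom_ref(n, versions.fetch(n)) }.sort }]
  deps.sort.each do |name, children|
    graph << { 'ref' => bom_ref(name, versions[name]),
               'dependsOn' => children.map { |c| bom_ref(c, versions.fetch(c)) }.sort }
  end
  graph
end

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate('dependencies' => dependency_graph(PODFILE_LOCK, 'MyApp@1.0.0'))
end
```

versions.fetch raises if a dependency names a pod that is absent from PODS, which is the right failure for a lock file that is out of sync with its Podfile; the dependsOn arrays are sorted so the output is stable from run to run.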

Add repository_url to purl for internal pods

To better identify internally developed and hosted CocoaPods, the purl element should have a repository_url parameter added to it when the pod is not from the main CocoaPods git repo or CDN.

repository_url is explained with a couple examples on this page: https://github.com/package-url/purl-spec

The main CocoaPods repositories are https://github.com/CocoaPods/Specs.git and https://cdn.cocoapods.org/.
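
Both the "Add proper qualifier to purl for directly downloaded pods" issue and this one ask for the pod's origin to be carried in purl qualifiers. The following is an added example, not code from cyclonedx-cocoapods, of a purl builder that does so. download_url, vcs_url and repository_url are qualifier names defined by the purl specification; the mapping from Podfile source options onto them, the decision to omit :path pods, and the characters left unencoded inside qualifier values are assumptions made by this example and should be checked against the specification's canonical form. The hostnames and pod names used in the calls are constructed.

```ruby
# Added example (not cyclonedx-cocoapods code): derive a CocoaPods purl whose
# qualifiers carry the source the pod was fetched from. download_url, vcs_url
# and repository_url are qualifier names from the purl specification; the
# mapping from Podfile source options onto them is this example's assumption.
MAIN_SPEC_REPOS = ['https://github.com/CocoaPods/Specs.git',
                   'https://cdn.cocoapods.org/'].freeze

# Percent-encode one purl field. Characters outside the RFC 3986 unreserved
# set are encoded byte by byte (so '+' in a pod name becomes %2B); the
# characters in `keep` are left alone so URLs inside qualifier values stay
# readable. Which characters may stay unencoded is an assumption here.
def purl_encode(str, keep: '')
  str.gsub(/[^A-Za-z0-9\-._~#{Regexp.escape(keep)}]/) do |ch|
    ch.bytes.map { |b| format('%%%02X', b) }.join
  end
end

# `source` mirrors the Podfile options for one pod:
#   { source: 'https://...' }                        spec repo the pod came from
#   { git: 'https://...', tag:/branch:/commit: ... } :git pod
#   { podspec: 'https://...' }                       :podspec pod
#   { path: '../Local' }                             :path pod (returns nil)
def pod_purl(name, version, source = {})
  return nil if source[:path] # a BOM consumer cannot resolve a local path

  qualifiers = {}
  if source[:git]
    ref = source[:commit] || source[:tag] || source[:branch]
    vcs = "git+#{source[:git]}"
    vcs += "@#{ref}" if ref
    qualifiers['vcs_url'] = vcs
  elsif source[:podspec]
    qualifiers['download_url'] = source[:podspec]
  elsif source[:source] && !MAIN_SPEC_REPOS.include?(source[:source])
    qualifiers['repository_url'] = source[:source]
  end

  purl = "pkg:cocoapods/#{purl_encode(name)}@#{purl_encode(version)}"
  return purl if qualifiers.empty?

  query = qualifiers.sort.map { |k, v| "#{k}=#{purl_encode(v, keep: ':/@+')}" }.join('&')
  "#{purl}?#{query}"
end

puts pod_purl('Sourcery', '0.17.0', { git: 'https://github.com/krzysztofzablocki/Sourcery.git', tag: '0.17.0' })
puts pod_purl('Internal', '2.0.0', { source: 'https://git.example.com/specs.git' })
```

Pods from the two main CocoaPods repositories get no repository_url, so their purls stay identical to what a consumer would compute from name and version alone; only pods from another spec repo, a git URL or a bare podspec URL carry the extra qualifier. Percent-encoding the name also answers the "plus sign in the name" issue further down the page at the purl level: NSDate+TimeAgo becomes NSDate%2BTimeAgo.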

Is it necessary to check for plus sign in the name?

I get the following error when creating a bom file and one of the libraries has a plus sign in the name, example pod 'NSDate+TimeAgo'

E, [2022-05-09T13:47:34.678733 #54428] ERROR -- : Root name shouldn't contain plus signs
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/lib/cyclonedx/cocoapods/pod.rb:38:in `initialize'
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/lib/cyclonedx/cocoapods/cli_runner.rb:179:in `new'
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/lib/cyclonedx/cocoapods/cli_runner.rb:179:in `block in parse_pods'
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/lib/cyclonedx/cocoapods/cli_runner.rb:178:in `map'
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/lib/cyclonedx/cocoapods/cli_runner.rb:178:in `parse_pods'
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/lib/cyclonedx/cocoapods/cli_runner.rb:45:in `run'
/Users/allan/.rvm/gems/ruby-2.6.5/gems/cyclonedx-cocoapods-0.1.1/exe/cyclonedx-cocoapods:23:in `<top (required)>'
/Users/allan/.rvm/gems/ruby-2.6.5/bin/cyclonedx-cocoapods:25:in `load'
/Users/allan/.rvm/gems/ruby-2.6.5/bin/cyclonedx-cocoapods:25:in `<main>'
/Users/allan/.rvm/gems/ruby-2.6.5/bin/ruby_executable_hooks:24:in `eval'
/Users/allan/.rvm/gems/ruby-2.6.5/bin/ruby_executable_hooks:24:in `<main>'

Is this check necessary?
Related code is at pod.rb line 38

Failing on local pod specs

I'm getting an error: [!] Unable to find a pod with name matching ^BNFMatomo$

My Podfile.lock has the following lines (showing only those relevant to the Pod)

PODS:
  - BNFMatomo (0.1.2)

DEPENDENCIES:
  - BNFMatomo (from `../node_modules/react-native-matomo`)

EXTERNAL SOURCES:
  BNFMatomo:
    :path: "../node_modules/react-native-matomo"

Any ideas how to make sure it deals with Pods not in the main CocoaPods search?

Transfer copyright to OWASP Foundation

José González Gómez has given permission on the OWASP CycloneDX slack to officially change the copyright.

Change the copyright info in the NOTICE file to Copyright (c) OWASP Foundation. Also change any comments at the tops of source files as needed.

Look into adding the license check job to the GitHub Actions workflow to check the license on all files automatically. See the cyclonedx-gomod project for an example.

Importing created BOM into Dependency-Track multiple times removes components

We have just started using Dependency-Track and are therefore using this tool to generate BOMs for our iPhone apps. As with other tooling, we run this tool every night and import the result to DT.
Since our dependencies don't change every night, we expected the result to be the same every night. However, the initial import of the BOM shows more components in the project than the following imports.

In the current project, we have 65 components (according to the BOM -- haven't validated manually though), which is the exact amount being shown after the first import. On the newer imports, DT only shows 46 components...
Seeing this only happens when importing my CocoaPods BOM, I assume it is not a problem in DT, but rather in the data generated by this tool.

I've looked through some of the dependencies to maybe make some sense of it and I noticed that the components that are disappearing have similar/the same purl (difference is in the query-part, which I believe is unimportant) -- maybe/probably because they are defined as a subspec?

Attached are the Podfile, Podfile.lock and the generated BOM (local paths/servers removed).
And in case it is important/helps to find the problem: this is a react native iPhone app...

Podfile.txt
Podfile.lock.txt
bom.xml.txt
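
The disappearing components described above and the "Improve stability of BOM output" issue earlier on this page are both things a consumer-side check over the generated BOM can surface before upload: sort the component list deterministically, and report components whose purls differ only in the query string, since a consumer that ignores qualifiers will treat them as one component and keep only one. The following is an added example, not code from cyclonedx-cocoapods, working on the CycloneDX JSON form of a BOM. The BOM is constructed for the example (it is not the reporter's attachment) and the "subspec" qualifier name in it is made up.

```ruby
require 'json'

# Constructed CycloneDX JSON BOM for this example (not the reporter's
# attachment). Two components share a purl and differ only in the query
# string; the "subspec" qualifier name is made up for the example.
BOM_JSON = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      { "type": "library", "name": "SDWebImage", "version": "5.18.3",
        "purl": "pkg:cocoapods/SDWebImage@5.18.3" },
      { "type": "library", "name": "AFNetworking", "version": "4.0.1",
        "purl": "pkg:cocoapods/AFNetworking@4.0.1?subspec=NSURLSession" },
      { "type": "library", "name": "AFNetworking", "version": "4.0.1",
        "purl": "pkg:cocoapods/AFNetworking@4.0.1" }
    ]
  }
JSON

# purl without its qualifiers: the part a consumer that ignores the query
# string will use to decide whether two components are "the same".
def purl_base(purl)
  purl.to_s.split('?', 2).first
end

# Deterministic component order (purl, then name, then version), so two runs
# on an unchanged project produce identical component lists.
def stable_components(bom)
  bom.fetch('components', []).sort_by { |c| [c['purl'].to_s, c['name'].to_s, c['version'].to_s] }
end

# Groups of components whose purls collapse to the same base. These are the
# ones a consumer may merge into one record, silently dropping the others.
def purl_collisions(bom)
  bom.fetch('components', [])
     .group_by { |c| purl_base(c['purl']) }
     .select { |_, group| group.size > 1 }
     .transform_values { |group| group.map { |c| c['purl'] }.sort }
end

# Returns the BOM with its components sorted, plus the collision report.
def check_bom(json_text)
  bom = JSON.parse(json_text)
  bom['components'] = stable_components(bom)
  collisions = purl_collisions(bom)
  collisions.each do |base, purls|
    warn "purl collision on #{base}: #{purls.join(' | ')}"
  end
  [bom, collisions]
end

if $PROGRAM_NAME == __FILE__
  bom, = check_bom(BOM_JSON)
  puts JSON.pretty_generate(bom)
end
```

A non-empty collision report on a BOM that is about to be uploaded is the signal that the component count shown after import will be lower than the count in the file; giving each colliding component a distinct bom-ref and purl (for example by encoding the subspec into the name or a qualifier the consumer honours) is the fix on the producer side.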
