CycloneDX / cyclonedx-cocoapods

Creates CycloneDX Software Bill-of-Materials (SBOM) from Objective-C and Swift projects that use CocoaPods.
Apache License 2.0
21 stars 12 forks

Gather external pod info #23

Closed macblazer closed 2 years ago

macblazer commented 2 years ago

Fixes #11 Fixes #12 Fixes #13

Reading all of the information from the installed local copy of the external pod, thanks to the CocoaPods project code. Writing the information to the BOM did not have to change, since it is in the same format as standard repository-based pods.

I added the file_name purl qualifier for local pods. The reason I did this is that the purl specification says

file_name is an extra file name of a package archive.

Without this extra designation there is no way to tell a local pod from a pod in the default CocoaPods repository list. Here is a made up example of two different CocoaPods purls without the file_name qualifier for a local pod:

pkg:cocoapods/GzipSwift@4.1.0  # this is available for download from the default CocoaPods listings
pkg:cocoapods/MyLocalPod@0.0.10 # this is a local-only pod; how would you know?

Now the same thing with the file_name qualifier:

pkg:cocoapods/GzipSwift@4.1.0
pkg:cocoapods/MyLocalPod@0.0.10?file_name=.%2Fincubator%2FMyLocalPod

By adding the file_name qualifier it is very easy to understand that the local pod is local and within a folder named ./incubator/MyLocalPod in the local project.
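To make the distinction concrete, here is an added example (not code from cyclonedx-cocoapods or this PR) that builds `pkg:cocoapods` purls with and without the `file_name` qualifier, parses them back, and partitions an SBOM's component purls into repository pods and local pods so a reviewer can see which components did not come from the public CocoaPods index. The percent-encoding uses `ERB::Util.url_encode` from the Ruby standard library, which keeps `.`, `-`, `_` and `~` unencoded and turns `/` into `%2F`, matching the `.%2Fincubator%2FMyLocalPod` form shown above; the helper names and the sample pod list are constructed for the example.

```ruby
require 'erb'
require 'uri'

PURL_TYPE_PREFIX = 'pkg:cocoapods/'.freeze

# Percent-encode a purl name, version or qualifier value.
# ERB::Util.url_encode leaves RFC 3986 unreserved characters alone,
# so "./incubator/MyLocalPod" becomes ".%2Fincubator%2FMyLocalPod".
def encode_purl_part(value)
  ERB::Util.url_encode(value.to_s)
end

# Build a pkg:cocoapods purl. When local_path is given (a pod pulled in
# with `:path => ...` in the Podfile), it is emitted as the file_name
# qualifier so the purl is distinguishable from a repository pod of the
# same name and version. (Hypothetical helper, not the project's API.)
def cocoapods_purl(name, version, local_path: nil)
  purl = "#{PURL_TYPE_PREFIX}#{encode_purl_part(name)}@#{encode_purl_part(version)}"
  purl += "?file_name=#{encode_purl_part(local_path)}" if local_path
  purl
end

# Parse a pkg:cocoapods purl into its name, version and decoded qualifiers.
def parse_purl(purl)
  raise ArgumentError, "not a cocoapods purl: #{purl}" unless purl.start_with?(PURL_TYPE_PREFIX)

  body, query = purl.delete_prefix(PURL_TYPE_PREFIX).split('?', 2)
  name, version = body.split('@', 2)
  qualifiers = {}
  (query || '').split('&').each do |pair|
    key, value = pair.split('=', 2)
    qualifiers[key] = URI.decode_www_form_component(value.to_s)
  end
  { name: name, version: version, qualifiers: qualifiers }
end

# A pod is local exactly when its purl carries the file_name qualifier.
def local_pod?(purl)
  parse_purl(purl)[:qualifiers].key?('file_name')
end

# Split a list of component purls (for example, read out of a CycloneDX BOM)
# into repository pods and local pods, returning the local path for the latter.
def partition_by_origin(purls)
  result = { repository: [], local: [] }
  purls.each do |purl|
    parsed = parse_purl(purl)
    if parsed[:qualifiers].key?('file_name')
      result[:local] << { name: parsed[:name], version: parsed[:version],
                          path: parsed[:qualifiers]['file_name'] }
    else
      result[:repository] << { name: parsed[:name], version: parsed[:version] }
    end
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: one repository pod and one local pod from the PR text.
  sample = [
    cocoapods_purl('GzipSwift', '4.1.0'),
    cocoapods_purl('MyLocalPod', '0.0.10', local_path: './incubator/MyLocalPod')
  ]
  sample.each { |p| puts p }
  origins = partition_by_origin(sample)
  puts "repository pods: #{origins[:repository].map { |c| c[:name] }.join(', ')}"
  origins[:local].each { |c| puts "local pod #{c[:name]}@#{c[:version]} at #{c[:path]}" }
end
```

Running the file prints the two purls from the PR description and then lists `MyLocalPod` as a local pod at `./incubator/MyLocalPod`; the same `partition_by_origin` call over a BOM's component list is a cheap way to surface every dependency that was not resolved from a CocoaPods spec repo.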

macblazer commented 2 years ago

I just realized that when invoking cyclonedx-cocoapods from a different working directory and using the --path parameter, this code for gathering the additional details will fail with an error that it can't find the sandbox directory.

PR #25 includes the initialization of the CocoaPods Config object with the specified path which fixes this problem.

stevespringett commented 2 years ago

Thank you for the PR. Much appreciated.