CycloneDX / cyclonedx-cocoapods

Creates CycloneDX Software Bill-of-Materials (SBOM) from Objective-C and Swift projects that use CocoaPods.
Apache License 2.0

Add dependencies between components #58

Closed malice00 closed 8 months ago

malice00 commented 1 year ago

When importing the generated SBOM in dependency-track, there is no dependency tree available. This seems to be because there is no dependency information available in the SBOM. Could this be added to the SBOM?

macblazer commented 1 year ago

This is a great idea to increase the amount of information in the SBOM.

Implementation notes:

  1. In pod.rb add a property for a UUID (that will be the bomRef) of the pod.
  2. Add another data structure type that will hold a hash of UUID to "array of UUID". This will be the data structure that contains each unique bomRef and maps to the list of direct dependencies of that bomRef.
  3. In podfile_analyzer.rb when adding a unique pod as a component, assign it a UUID for the bomRef (from 1 above).
  4. In podfile_analyzer.rb any time a pod dependency is found (unique or not), add it to the UUID hash in the proper place of dependencies (from 2 above).
  5. During output of the SBOM, include each pod's bomRef (from 1 above) and the complete dependency map (from 2 above).
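
As an added sketch of the five notes above (example code, not cyclonedx-cocoapods' own), this builds the bom-ref map from a Podfile.lock PODS section and emits the CycloneDX `components` and `dependencies` sections; `Pod`, `DependencyGraph` and `build_graph` are hypothetical names and the PODS data is constructed.

```ruby
require 'securerandom'

# Step 1: each unique pod carries a UUID that becomes its bom-ref.
Pod = Struct.new(:name, :version, :bom_ref)

# Step 2: a hash of bom-ref => array of bom-refs of that pod's direct dependencies.
class DependencyGraph
  def initialize
    @pods = {}                            # name => Pod, one entry per unique pod
    @deps = Hash.new { |h, k| h[k] = [] } # bom-ref => [bom-ref, ...]
  end

  # Step 3: the first sighting of a pod assigns its UUID; later sightings reuse it.
  def register(name, version)
    @pods[name] ||= Pod.new(name, version, SecureRandom.uuid).tap { |p| @deps[p.bom_ref] }
  end

  # Step 4: record a direct dependency edge exactly once, however often it is seen.
  # Both ends must already be registered (every Podfile.lock dependency is also a PODS entry).
  def depends(name, on_name)
    from, to = @pods.fetch(name).bom_ref, @pods.fetch(on_name).bom_ref
    @deps[from] << to unless @deps[from].include?(to)
  end

  def direct_dependencies(name)
    @deps[@pods.fetch(name).bom_ref].map { |ref| @pods.values.find { |p| p.bom_ref == ref }.name }
  end

  # Step 5: components carry their bom-ref; "dependencies" is the complete map.
  def to_cyclonedx
    components = @pods.values.map do |p|
      { 'type' => 'library', 'bom-ref' => p.bom_ref, 'name' => p.name, 'version' => p.version,
        'purl' => "pkg:cocoapods/#{p.name}@#{p.version}" }
    end
    { 'components' => components,
      'dependencies' => @deps.map { |ref, on| { 'ref' => ref, 'dependsOn' => on } } }
  end
end

# Build the graph from a Podfile.lock PODS section, whose entries are either
# "Name (version)" or { "Name (version)" => ["Dep (constraint)", "Dep", ...] }.
def build_graph(pods_section)
  graph = DependencyGraph.new
  entries = pods_section.map { |e| e.is_a?(Hash) ? e.first : [e, []] }
  entries.each { |spec, _| graph.register(spec[/\A\S+/], spec[/\((.*)\)\z/, 1]) }
  entries.each { |spec, deps| deps.each { |d| graph.depends(spec[/\A\S+/], d[/\A\S+/]) } }
  graph
end

# Constructed sample shaped like a Podfile.lock PODS section (not a real lockfile).
SAMPLE_PODS = ['Alamofire (5.6.4)', { 'Moya/Core (15.0.0)' => ['Alamofire (~> 5.0)'] },
               { 'Moya/RxSwift (15.0.0)' => ['Moya/Core', 'RxSwift (~> 6.0)'] }, 'RxSwift (6.5.0)'].freeze
```

`build_graph(SAMPLE_PODS).to_cyclonedx` yields four components with distinct bom-refs and a `dependencies` entry for every one of them, including those with an empty `dependsOn`, which is what a consumer like dependency-track needs to draw the tree.
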

fnxpt commented 8 months ago

PR should have everything