CycloneDX / cyclonedx-cocoapods

Creates CycloneDX Software Bill-of-Materials (SBOM) from Objective-C and Swift projects that use CocoaPods.
Apache License 2.0

add support for dependencies #61

Closed fnxpt closed 8 months ago

fnxpt commented 9 months ago

Fixes #58

Still need to add tests for this

fnxpt commented 9 months ago

Sorry for the delay, I added tests for the pod analyzer. I will do the same with the bom builder later, but for the RestrictedPod the code is breaking on the sources, any idea why?

macblazer commented 9 months ago

> Sorry for the delay, I added tests for the pod analyzer. I will do the same with the bom builder later, but for the RestrictedPod the code is breaking on the sources, any idea why?

The RestrictedPod is a fixture because it has a nice edge case where the Podfile is for iOS, and the EFQRCode pod has a dependency that is not used for iOS. The way CocoaPods works in this case is that the Podfile.lock shows the dependency on swift_qrcodejs under the PODS section, but swift_qrcodejs is not listed as a top-level pod in the PODS section and is not present at all in the DEPENDENCIES, SPEC REPOS, or SPEC CHECKSUMS sections. The function append_all_pod_dependencies in the podfile_analyzer.rb takes this into account, but your new function dependencies_hash_of_lockfile_pods does not.

In the bom.xml output tests for the RestrictedPod, I would not expect to see any references to swift_qrcodejs because it is not actually being used for this iOS target.

It might be better to restructure the new code by adding new capability to the append_all_pod_dependencies function (at line 169) instead of having a whole new function that iterates over the entire lock file a second time. Something like:

```ruby
def append_all_pod_dependencies(pods_used, pods_cache)
  result = pods_used
  dependencies_hash = {} # new: pod name => list of its direct dependencies
  original_number = 0
  # Loop adding pod dependencies until we are not adding any more dependencies to the result
  # This brings in all the transitive dependencies of every top level pod.
  # Note this also handles two edge cases:
  #  1. Having a Podfile with no pods used.
  #  2. Having a pod that has a platform-specific dependency that is unused for this Podfile.
  while result.length != original_number
    original_number = result.length
    pods_used.each { |pod_name|
      if pods_cache.key?(pod_name) && !pods_cache[pod_name].empty? # new
        result.push(*pods_cache[pod_name]) # changed
        dependencies_hash[pod_name] = pods_cache[pod_name].dup # new
        # maybe additional dependency processing needed here???
      end
    }
    result = result.uniq
    # maybe additional dependency processing needed here???
    pods_used = result
  end
  result # change this to return result and dependencies_hash or make dependencies_hash a class property
end
```

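
As an added example (not code from this PR or from cyclonedx-cocoapods), the script below shows the RestrictedPod edge case described in the comment above on a constructed Podfile.lock fragment: EFQRCode lists swift_qrcodejs under PODS, but swift_qrcodejs has no top-level PODS entry and is absent from DEPENDENCIES. The closure only follows dependency names that are themselves top-level PODS entries, which is one way to get the behaviour described (no swift_qrcodejs in the output) while also collecting the per-pod dependency hash the PR needs. ExampleNetworking and ExampleLogging are fictitious pods added to show a transitive dependency that is resolved; the lockfile contents, the filtering rule and all function names are assumptions for this example, not the project's API.

```ruby
require 'yaml'

# Constructed Podfile.lock fragment (not a real project's lock file).
# EFQRCode declares swift_qrcodejs, but swift_qrcodejs has no top-level PODS
# entry and is absent from DEPENDENCIES, which is what CocoaPods writes when a
# dependency is platform-specific and unused for this Podfile's platform.
# ExampleNetworking and ExampleLogging are fictitious pods added so the
# example also shows a transitive dependency that *is* resolved.
LOCKFILE = <<~LOCK
  PODS:
    - EFQRCode (6.2.1):
      - swift_qrcodejs (~> 2.2.2)
    - ExampleLogging (2.0.3)
    - ExampleNetworking (1.0.0):
      - ExampleLogging (~> 2.0)
  DEPENDENCIES:
    - EFQRCode (~> 6.2)
    - ExampleNetworking
LOCK

# "EFQRCode (6.2.1)" -> "EFQRCode"; "swift_qrcodejs (~> 2.2.2)" -> "swift_qrcodejs".
# Subspecs ("Foo/Bar") are kept verbatim; mapping them to a root spec is out of scope.
def pod_name(entry)
  entry.split(' ', 2).first
end

# Build { pod name => [direct dependency names] } from the PODS section.
# Only pods with a top-level PODS entry become keys; a name that is only
# mentioned inside another pod's list (swift_qrcodejs here) does not.
def pods_cache_from(lock_text)
  data = YAML.safe_load(lock_text)
  Array(data['PODS']).each_with_object({}) do |entry, cache|
    case entry
    when String
      cache[pod_name(entry)] = []
    when Hash
      name, deps = entry.first
      cache[pod_name(name)] = Array(deps).map { |d| pod_name(d) }
    end
  end
end

# Names listed under DEPENDENCIES: the pods the Podfile asks for directly.
def top_level_pods(lock_text)
  Array(YAML.safe_load(lock_text)['DEPENDENCIES']).map { |d| pod_name(d) }
end

# Dependency names that appear in some pod's list but have no PODS entry of
# their own. Handy when a fixture like RestrictedPod behaves unexpectedly.
def unresolved_dependencies(pods_cache)
  pods_cache.values.flatten.uniq.reject { |d| pods_cache.key?(d) }
end

# Transitive closure over pods_used, plus a { pod => [deps] } hash for the BOM's
# dependency graph. Edges to names that are not top-level pods are dropped, so a
# platform-specific but unused dependency never reaches the output (assumption:
# this filtering rule is ours; the project's own function may differ).
def resolve_pod_dependencies(pods_used, pods_cache)
  result = pods_used.dup
  dependencies_hash = {}
  original_number = -1
  # Keep expanding until one pass adds no new pod.
  while result.length != original_number
    original_number = result.length
    result.dup.each do |name|
      next unless pods_cache.key?(name)
      deps = pods_cache[name].select { |d| pods_cache.key?(d) }
      dependencies_hash[name] = deps
      result.concat(deps)
    end
    result.uniq!
  end
  [result, dependencies_hash]
end

if __FILE__ == $PROGRAM_NAME
  cache = pods_cache_from(LOCKFILE)
  pods, deps = resolve_pod_dependencies(top_level_pods(LOCKFILE), cache)
  puts "pods in BOM:             #{pods.inspect}"
  puts "dependencies:            #{deps.inspect}"
  puts "dropped (no PODS entry): #{unresolved_dependencies(cache).inspect}"
end
```

Running it on the constructed lock file yields EFQRCode, ExampleNetworking and ExampleLogging as BOM components with ExampleNetworking depending on ExampleLogging, and swift_qrcodejs reported as dropped rather than silently appearing as a dependency of EFQRCode.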
fnxpt commented 9 months ago

I will change it to reflect that

fnxpt commented 9 months ago

Fixed the issue with the RestrictedPod Podfile. @macblazer I think the only thing missing is adding tests to the bom builder. Are you able to help with this part?

fnxpt commented 9 months ago

Cleaned up the code a little bit, following your advice, and also added bom_builder tests following the already existing tests. Tomorrow I will fix the remaining lint issues.

fnxpt commented 8 months ago

Everything should be ok now

fnxpt commented 8 months ago

@macblazer can you have another look?