nexB / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Add cocoapods vulnerabilities #1486

Open pombredanne opened 1 month ago

pombredanne commented 1 month ago

This would be useful and this is not trivial as there is no proper feed for these.

pombredanne commented 1 month ago

An example of some investigation:

There are several in/re-directions to follow to assign the CVE-2017-9233 to pkg:cocoapods/expat.

Since there is no security feed I can find for Cocoapods, there is something to work out to help there, maybe?

@dnkoutso you seem to be one of the more active maintainers ... do you know where we could find vulnerability data for Cocoapods specs?