
Swift Application Analysis

The Swift coordinate-based scanning feature provides the ability to scan and evaluate Swift dependencies found in Cocoapods and Swift Package Manager ecosystems.

Cocoapods

CocoaPods is a dependency manager for Swift and Objective-C Cocoa projects.

Lifecycle analyzes files named Podfile.lock (generated by CocoaPods).

The Podfile.lock file is generated after the first run of pod install and records the version of each dependency that was installed. CocoaPods keeps the versions recorded in Podfile.lock until the dependency is changed in the Podfile or pod update is run.

See the CocoaPods documentation for details on updating dependencies.

Steps to analyze

Invoke a scan of a directory, or its subdirectories, containing a Podfile.lock file.

Example Podfile.lock file

PODS:
  - ADMobGenAdapter (1.5.2):
    - ADMobGenFoundation
  - ADMobGenFoundation (0.7.2)
  - ADMobGenGDT (4.10.0):
    - ADMobGenAdapter
    - ADMobGenFoundation
    - GDTMobSDK (= 4.10.2)
  - GDTMobSDK (4.10.2):
    - GDTMobSDK/GDTMobSDK (= 4.10.2)
  - GDTMobSDK/GDTMobSDK (4.10.2)
  - YogaKit (1.2.0)
  - libpng (1.4.9)
  - libpng (1.0.8)
  - GethDevelop (1.8.17)

DEPENDENCIES:
  - ADMobGenGDT (from `../`)

SPEC REPOS:
  https://github.com/cocoapods/specs.git:
    - ADMobGenAdapter
    - ADMobGenFoundation
    - GDTMobSDK

EXTERNAL SOURCES:
  ADMobGenGDT:
    :path: "../"

SPEC CHECKSUMS:
  ADMobGenAdapter: 5ab3531d5659c96812e6da545c1ec160b9991a2e
  ADMobGenFoundation: de6e4f7b09df256a347878d0f0e0438c1feac94e
  ADMobGenGDT: 77d18f682136e9e90fc9e5dfb0fc57637d5441d7
  GDTMobSDK: 6fde44a4f80c36051d5d879df8bb280034c31431

PODFILE CHECKSUM: 441850ec31e67c6ea8241a64c55657d490e51d66

COCOAPODS: 1.7.0.beta.2

Swift Package Manager

Swift Package Manager (SPM) is a tool for managing the distribution of Swift packages. SPM is similar to CocoaPods, RubyGems, and npm. You can use SPM from the command line with commands such as swift build and swift test, or from compatible IDEs. SPM references dependencies by Git repository URL and resolves their versions from Git tags. [0]

Lifecycle analyzes the file named Package.resolved. The dependencies under the "pins" section are evaluated.

Example Package.resolved file

{
  "object": {
    "pins": [
      {
        "package": "RxSwift",
        "repositoryURL": "https://github.com/ReactiveX/RxSwift.git",
        "state": {
          "branch": null,
          "revision": "980d2afceb985a5598d7bc6116557b75469857f2",
          "version": "5.1.0"
        }
      }
    ]
  },
  "version": 1
}

Supported versions of Package.resolved

Starting in Xcode with SwiftPM 5.6, Apple changed the way the Package.resolved file references the repository and its components. Lifecycle scanning supports only version 1 of this file, not version 2 or later.

Until later versions are supported, you can use third-party tooling to generate an SBOM from a version 2 or later Package.resolved file and submit that SBOM for analysis with the Lifecycle scanners.

Learn more on the CycloneDX Analysis page, or try the CLI tool from the CycloneDX repository. Although this approach has worked for customers, these third-party scanners are not supported by Sonatype.
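The following Python script is an added example (not Lifecycle code) that pulls the coordinates a scanner would evaluate from both file types covered on this page: the top-level PODS entries of a Podfile.lock, and the "pins" of a version 1 Package.resolved, refusing the version 2 or later layout described above. Both inputs are constructed samples modelled on the examples shown on this page.

```python
import json
import re

# Constructed sample following the version 1 Package.resolved layout shown above.
PACKAGE_RESOLVED_V1 = """{
  "object": {"pins": [{"package": "RxSwift",
    "repositoryURL": "https://github.com/ReactiveX/RxSwift.git",
    "state": {"branch": null, "revision": "980d2afceb985a5598d7bc6116557b75469857f2", "version": "5.1.0"}}]},
  "version": 1
}"""

# Constructed Podfile.lock excerpt; only top-level PODS entries carry versions.
PODFILE_LOCK = """PODS:
  - ADMobGenAdapter (1.5.2):
    - ADMobGenFoundation
  - ADMobGenFoundation (0.7.2)
  - libpng (1.4.9)
  - libpng (1.0.8)
DEPENDENCIES:
  - ADMobGenGDT (from `../`)
"""

def resolved_format_version(text):
    """Top-level "version" of a Package.resolved; 1 is the only layout scanned."""
    return json.loads(text).get("version")

def resolved_pins(text):
    """Return [(package, repositoryURL, version or revision)] from a version 1 file."""
    doc = json.loads(text)
    if doc.get("version") != 1:  # version 2+ is laid out differently and is not scanned
        raise ValueError(f"unsupported Package.resolved version {doc.get('version')}")
    pins = []
    for pin in doc["object"]["pins"]:
        pins.append((pin["package"], pin["repositoryURL"], pin["state"].get("version") or pin["state"].get("revision")))
    return pins

# Top-level pods sit at exactly two spaces; nested "(= x.y.z)" constraints at four do not match.
POD_LINE = re.compile(r"^  - (?P<name>\S+) \((?P<version>[^)]+)\)")

def podfile_pods(text):
    """Return [(pod, version)] from the PODS: section, keeping duplicate names."""
    pods, in_pods = [], False
    for line in text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line[0].isspace():
            break  # next top-level section; its "(from `../`)" entries are not versions
        if in_pods and (match := POD_LINE.match(line)):
            pods.append((match.group("name"), match.group("version")))
    return pods
```

Duplicate pod names (libpng appears twice in the page's sample) are kept as separate coordinates rather than collapsed, which is what you want when each version must be evaluated on its own.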