Objective-C Application Analysis
The Cocoapods coordinate-based matching feature provides the ability to scan and evaluate Objective-C dependencies found in the Podfile.lock file.
Cocoapods Approaching End-of-Life
In response to the observed shift in interest towards other ecosystems (e.g. Swift), Cocoapods has announced plans to stop adding new versions or pods to the Cocoapods trunk by the end of December 2026. As a result, dependencies that reach Sonatype Component Intelligence through the Cocoapods trunk will receive no updates after December 2026.
We will continue to support analysis of these dependencies/components, but they will be marked as End-of-Life components wherever they appear within Lifecycle (e.g. in policies).
What is supported
Files named Podfile.lock (generated by Cocoapods) will be analyzed.
What do we parse from the file?
The dependencies under the "PODS" section are evaluated. For example:
PODS:
  - GDTMobSDK (4.10.2):
    - GDTMobSDK/GDTMobSDK (= 4.10.2)
Steps to analyze using the Sonatype IQ CLI
Invoke a Sonatype IQ CLI scan of a directory or subdirectories containing a Podfile.lock file.
Example Podfile.lock file (file is edited for clarity)
PODS:
  - ADMobGenAdapter (1.5.2):
    - ADMobGenFoundation
  - ADMobGenFoundation (0.7.2)
  - ADMobGenGDT (4.10.0):
    - ADMobGenAdapter
    - ADMobGenFoundation
    - GDTMobSDK (= 4.10.2)
  - GDTMobSDK (4.10.2):
    - GDTMobSDK/GDTMobSDK (= 4.10.2)
  - GDTMobSDK/GDTMobSDK (4.10.2)
  - YogaKit (1.2.0)
  - libpng (1.4.9)
  - libpng (1.0.8)
  - GethDevelop (1.8.17)

DEPENDENCIES:
  - ADMobGenGDT (from `../`)

SPEC REPOS:
  https://github.com/cocoapods/specs.git:
    - ADMobGenAdapter
    - ADMobGenFoundation
    - GDTMobSDK

EXTERNAL SOURCES:
  ADMobGenGDT:
    :path: "../"

SPEC CHECKSUMS:
  ADMobGenAdapter: 5ab3531d5659c96812e6da545c1ec160b9991a2e
  ADMobGenFoundation: de6e4f7b09df256a347878d0f0e0438c1feac94e
  ADMobGenGDT: 77d18f682136e9e90fc9e5dfb0fc57637d5441d7
  GDTMobSDK: 6fde44a4f80c36051d5d879df8bb280034c31431

PODFILE CHECKSUM: 441850ec31e67c6ea8241a64c55657d490e51d66

COCOAPODS: 1.7.0.beta.2
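As an added example, not part of this page or of Sonatype's tooling, the following Python pulls the (pod, version) coordinates out of the PODS section of a Podfile.lock like the one above, skipping the nested "(= x.y.z)" constraint lines and flagging pods resolved at more than one version (libpng here). Folding a subspec such as GDTMobSDK/GDTMobSDK onto its parent pod is this example's assumption, not a statement of how IQ matches; the embedded sample is a trimmed copy of the file above.

```python
import re
from collections import Counter

# Constructed sample: the PODS section of the Podfile.lock shown above, trimmed.
SAMPLE_LOCK = """\
PODS:
  - ADMobGenAdapter (1.5.2)
  - ADMobGenFoundation (0.7.2)
  - ADMobGenGDT (4.10.0):
    - GDTMobSDK (= 4.10.2)
  - GDTMobSDK (4.10.2):
    - GDTMobSDK/GDTMobSDK (= 4.10.2)
  - GDTMobSDK/GDTMobSDK (4.10.2)
  - libpng (1.4.9)
  - libpng (1.0.8)

DEPENDENCIES:
  - ADMobGenGDT (from `../`)
"""

# A top-level PODS entry is indented by exactly two spaces and carries a resolved
# version; deeper lines are its dependencies, possibly with "(= x.y.z)" constraints.
POD_LINE = re.compile(r"^  - (?P<name>[^\s(]+) \((?P<version>[^)\s=]+)\)")

def parse_pods(lock_text):
    """Sorted, de-duplicated (pod, version) pairs from the PODS section only.
    Assumption for this example: a subspec (GDTMobSDK/GDTMobSDK) is reported
    under its parent pod, and nested constraint lines are never coordinates."""
    coords = set()
    in_pods = False
    for line in lock_text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # next top-level section (DEPENDENCIES:, SPEC REPOS:, ...)
        m = POD_LINE.match(line) if in_pods else None
        if m:
            coords.add((m.group("name").split("/")[0], m.group("version")))
    return sorted(coords)

def multi_version_pods(coords):
    """Pods resolved at more than one version (libpng above), worth a second look."""
    counts = Counter(name for name, _ in coords)
    return sorted(name for name, n in counts.items() if n > 1)

if __name__ == "__main__":
    pods = parse_pods(SAMPLE_LOCK)
    print(*(f"{n} {v}" for n, v in pods), sep="\n")
    print("multiple versions:", multi_version_pods(pods))
```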
Steps to analyze using the Jenkins plugin
By default, the Jenkins plugin will not evaluate the Podfile.lock file. A custom Scan Target is needed.
Example Pipeline Script with Scan Patterns
nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/Podfile.lock']], iqStage: 'build'
Steps to analyze using the Bamboo plugin
Bamboo Scan Targets control what files are examined. To evaluate Objective-C, add Podfile.lock to the scan targets via "**/Podfile.lock".