feat(swift): add vulns for cocoapods (#5037)

* add vulns for cocoapods, fix purl

* update docs

* remove go-dep-parser replace

* update purl and test

* bump github.com/DmitriyLewen/trivy-db

* remove replace for trivy-db

* remove added sbom tests

* add test for Package() func

* add wrong epoch test

* refactor docs

* add comment to join the module and submodule in purl

* docs: add an example

---------

Co-authored-by: knqyf263 <[email protected]>

docs/docs/coverage/language/index.md

@@ -17,7 +17,7 @@ If the target is a pre-build project, like a code repository, Trivy will analyze
 On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like `.gemspec`, binary files, and so on.
 
 | Language             | File                                                                                       | Image[^5] | Rootfs[^6] | Filesystem[^7] | Repository[^8] |
-| -------------------- | ------------------------------------------------------------------------------------------ | :-------: | :--------: | :------------: | :------------: |
+|----------------------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:--------------:|:--------------:|
 | [Ruby](ruby.md)      | Gemfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 |                      | gemspec                                                                                    |     ✅     |     ✅      |       -        |       -        |
 | [Python](python.md)  | Pipfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
@@ -45,6 +45,7 @@ On the other hand, when the target is a post-build artifact, like a container im
 | [Elixir](elixir.md)  | mix.lock[^10]                                                                              |     -     |     -      |       ✅        |       ✅        |
 | [Dart](dart.md)      | pubspec.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 | [Swift](swift.md)    | Podfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
+|                      | Package.resolved                                                                           |     -     |     -      |       ✅        |       ✅        |
 
 The path of these files does not matter.
 

docs/docs/coverage/language/swift.md

@@ -1,10 +1,44 @@
 # Swift
 
-Trivy supports [CocoaPods][cocoapods] for Swift packages.
+Trivy supports [CocoaPods][cocoapods] and [Swift][swift] package managers.
+
 The following scanners are supported.
 
-| Package manager | SBOM  | Vulnerability | License |
-| --------------- | :---: | :-----------: | :-----: |
-| CocoaPods       |   ✓   |       -       |    -    |
+| Package manager | SBOM | Vulnerability | License |
+|-----------------|:----:|:-------------:|:-------:|
+| Swift           |  ✓   |       ✓       |    -    |
+| CocoaPods       |  ✓   |       ✓       |    -    |
+
+The following table provides an outline of the features Trivy offers.
+
+| Package manager | File             | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
+|:---------------:|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
+|      Swift      | Package.resolved |            ✓            |     Included     |                  -                   |    ✓     |
+|    CocoaPods    | Podfile.lock     |            ✓            |     Included     |                  ✓                   |    -     |
+
+These may be enabled or disabled depending on the target.
+See [here](./index.md) for the detail.
+
+## Swift
+Trivy parses [Package.resolved][package-resolved] file to find dependencies.
+Don't forget to update (`swift package update` command) this file before scanning.
+
+## CocoaPods
+CocoaPods uses package names in `PodFile.lock`, but [GitHub Advisory Database (GHSA)][ghsa] Trivy relies on uses Git URLs. 
+We parse [the CocoaPods Specs][cocoapods-specs] to match package names and links.
+
+!!! note "Limitation"
+    Since [GHSA][ghsa] holds only Git URLs, such as github.com/apple/swift-nio, 
+    Trivy can't identify affected submodules, and detect all submodules maintained by the same URL.
+    For example, [SwiftNIOHTTP1][niohttp1] and [SwiftNIOWebSocket][niowebsocket] both are maintained under `github.com/apple/swift-nio`,
+    and Trivy detect CVE-2022-3215 for both of them, even though only [SwiftNIOHTTP1][niohttp1] is actually affected.
+
+[cocoapods]: https://cocoapods.org/
+[cocoapods-specs]: https://github.com/CocoaPods/Specs
+[ghsa]: https://github.com/advisories?query=type%3Areviewed+ecosystem%3Aswift
+[swift]: https://www.swift.org/package-manager/
+[package-resolved]: https://github.com/apple/swift-package-manager/blob/4a42f2519e3f7b8a731c5ed89b47ed577df8f86c/Documentation/Usage.md#resolving-versions-packageresolved-file
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 
-[cocoapods]: https://cocoapods.org/
+[niohttp1]: https://cocoapods.org/pods/SwiftNIOHTTP1
+[niowebsocket]: https://cocoapods.org/pods/SwiftNIOWebSocket

docs/docs/scanner/vulnerability.md

@@ -77,7 +77,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 ### Data Sources
 
 | Language | Source                                              | Commercial Use | Delay[^1] |
-| -------- | --------------------------------------------------- | :------------: | :-------: |
+|----------|-----------------------------------------------------|:--------------:|:---------:|
 | PHP      | [PHP Security Advisories Database][php]             |       ✅        |     -     |
 |          | [GitHub Advisory Database (Composer)][php-ghsa]     |       ✅        |     -     |
 | Python   | [GitHub Advisory Database (pip)][python-ghsa]       |       ✅        |     -     |
@@ -93,7 +93,8 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 | .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     |       ✅        |     -     |
 | C/C++    | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
 | Dart     | [GitHub Advisory Database (Pub)][pub-ghsa]          |       ✅        |     -     |
-| Elixir   | [GitHub Advisory Database (Erlang)][erlang-ghsa]    |       ✅        |           |
+| Elixir   | [GitHub Advisory Database (Erlang)][erlang-ghsa]    |       ✅        |     -     |
+| Swift    | [GitHub Advisory Database (Swift)][swift-ghsa]      |       ✅        |     -     |
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
@@ -168,6 +169,7 @@ Currently, specifying a username and password is not supported.
 [pub-ghsa]: https://github.com/advisories?query=ecosystem%3Apub
 [erlang-ghsa]: https://github.com/advisories?query=ecosystem%3Aerlang
 [go-ghsa]: https://github.com/advisories?query=ecosystem%3Ago
+[swift-ghsa]: https://github.com/advisories?query=ecosystem%3Aswift
 
 [php]: https://github.com/FriendsOfPHP/security-advisories
 [ruby]: https://github.com/rubysec/ruby-advisory-db

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/alicebob/miniredis/v2 v2.30.4
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/defsec v0.91.1
-	github.com/aquasecurity/go-dep-parser v0.0.0-20230823094455-40c1f85cc942
+	github.com/aquasecurity/go-dep-parser v0.0.0-20230825043456-df72a286b673
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -23,7 +23,7 @@ require (
 	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-db v0.0.0-20230823084507-315928e846ff
+	github.com/aquasecurity/trivy-db v0.0.0-20230828105148-2c9c4da5a321
 	github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
 	github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230828123538-ef13fef6ce5b
 	github.com/aws/aws-sdk-go v1.44.273

go.sum

@@ -325,8 +325,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/defsec v0.91.1 h1:dBIPm6Tva9I+ZTQv+6t9wob3ZlMSu8NFqMJr4mgJC5A=
 github.com/aquasecurity/defsec v0.91.1/go.mod h1:l/srzxtuuyb6c6FlqUvMp3xw2ZbvuZ0l9972MNJM7V8=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230823094455-40c1f85cc942 h1:VGfeUtZyya9Vsl8enDurZ7pb/NDp2aJlL2rx2g4pR6A=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230823094455-40c1f85cc942/go.mod h1:0+GvQF0gL4YEAAUPpNeLeGpFDxMvvIHLMd7vk9bpwko=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230825043456-df72a286b673 h1:RMhUzr2ZfQ8OAO26aUkqbwfxK7d3ieFtPqUhiwTxOe0=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230825043456-df72a286b673/go.mod h1:0+GvQF0gL4YEAAUPpNeLeGpFDxMvvIHLMd7vk9bpwko=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20230328195059-5bf52338aec3 h1:Vt9y1gZS5JGY3tsL9zc++Cg4ofX51CG7PaMyC5SXWPg=
@@ -345,8 +345,8 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
 github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy-db v0.0.0-20230823084507-315928e846ff h1:+MLnPm81Msu921N/lBrKd/NwwBrrzRoTgyMq0pIUhbs=
-github.com/aquasecurity/trivy-db v0.0.0-20230823084507-315928e846ff/go.mod h1:iJSGMMclPEhkYeyiN9i+gzjV9jhEv+XfPzfVgFhfvTE=
+github.com/aquasecurity/trivy-db v0.0.0-20230828105148-2c9c4da5a321 h1:oAXkM8x6jMal+6p2XB78+ntPs5LGjxZhtWHdOy4crlg=
+github.com/aquasecurity/trivy-db v0.0.0-20230828105148-2c9c4da5a321/go.mod h1:WJ5Qnk5ZNGWvks07GOZe2IOsuXrPfSC5c8hYGOGfrsU=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230828123538-ef13fef6ce5b h1:0COfg0HtJm6uKJn/mMBQUgrVmrIxcktlDPR35LracKI=

integration/testdata/cocoapods.json.golden

@@ -21,44 +21,39 @@
       "Type": "cocoapods",
       "Packages": [
         {
-          "ID": "AppCenter/4.2.0",
-          "Name": "AppCenter",
-          "Version": "4.2.0",
-          "DependsOn": [
-            "AppCenter/Analytics/4.2.0",
-            "AppCenter/Crashes/4.2.0"
-          ],
-          "Layer": {}
-        },
-        {
-          "ID": "AppCenter/Analytics/4.2.0",
-          "Name": "AppCenter/Analytics",
-          "Version": "4.2.0",
-          "DependsOn": [
-            "AppCenter/Core/4.2.0"
-          ],
-          "Layer": {}
-        },
-        {
-          "ID": "AppCenter/Core/4.2.0",
-          "Name": "AppCenter/Core",
-          "Version": "4.2.0",
+          "ID": "[email protected]",
+          "Name": "_NIODataStructures",
+          "Version": "2.41.0",
           "Layer": {}
-        },
+        }
+      ],
+      "Vulnerabilities": [
         {
-          "ID": "AppCenter/Crashes/4.2.0",
-          "Name": "AppCenter/Crashes",
-          "Version": "4.2.0",
-          "DependsOn": [
-            "AppCenter/Core/4.2.0"
+          "VulnerabilityID": "CVE-2022-3215",
+          "PkgID": "[email protected]",
+          "PkgName": "_NIODataStructures",
+          "InstalledVersion": "2.41.0",
+          "FixedVersion": "2.29.1, 2.39.1, 2.42.0",
+          "Status": "fixed",
+          "Layer": {},
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3215",
+          "Title": "SwiftNIO vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')",
+          "Description": "`NIOHTTP1` and projects using it for generating HTTP responses, including SwiftNIO, can be subject to a HTTP Response Injection attack...",
+          "Severity": "MEDIUM",
+          "CVSS": {
+            "ghsa": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
+              "V3Score": 5.3
+            }
+          },
+          "References": [
+            "https://github.com/apple/swift-nio/security/advisories/GHSA-7fj7-39wj-c64f",
+            "https://nvd.nist.gov/vuln/detail/CVE-2022-3215",
+            "https://github.com/apple/swift-nio/commit/a16e2f54a25b2af217044e5168997009a505930f",
+            "https://github.com/advisories/GHSA-7fj7-39wj-c64f"
           ],
-          "Layer": {}
-        },
-        {
-          "ID": "KeychainAccess/4.2.1",
-          "Name": "KeychainAccess",
-          "Version": "4.2.1",
-          "Layer": {}
+          "PublishedDate": "2023-06-07T16:01:53Z",
+          "LastModifiedDate": "2023-06-19T16:45:07Z"
         }
       ]
     }

integration/testdata/fixtures/db/cocoapods.yaml

@@ -0,0 +1,14 @@
+- bucket: "cocoapods::GitHub Security Advisory Cocoapods"
+  pairs:
+    - bucket: _NIODataStructures
+      pairs:
+        - key: CVE-2022-3215
+          value:
+            PatchedVersions:
+              - "2.29.1"
+              - "2.39.1"
+              - "2.42.0"
+            VulnerableVersions:
+              - "< 2.29.1"
+              - ">= 2.39.0, < 2.39.1"
+              - ">= 2.41.0, < 2.42.0"

integration/testdata/fixtures/repo/cocoapods/Podfile.lock

@@ -1,12 +1,16 @@
 PODS:
-  - AppCenter (4.2.0):
-    - AppCenter/Analytics (= 4.2.0)
-    - AppCenter/Crashes (= 4.2.0)
-  - AppCenter/Analytics (4.2.0):
-    - AppCenter/Core
-  - AppCenter/Core (4.2.0)
-  - AppCenter/Crashes (4.2.0):
-    - AppCenter/Core
-  - KeychainAccess (4.2.1)
-
-COCOAPODS: 1.11.2
+  - _NIODataStructures (2.41.0)
+
+DEPENDENCIES:
+  - _NIODataStructures (= 2.41.0)
+
+SPEC REPOS:
+  trunk:
+    - _NIODataStructures
+
+SPEC CHECKSUMS:
+  _NIODataStructures: 3d45d8e70a1d17a15b1dc59d102c63dbc0525ffd
+
+PODFILE CHECKSUM: 2acff18c7f9246879b6a1a2d04e5decbc9410ef4
+
+COCOAPODS: 1.12.1

pkg/detector/library/driver.go

@@ -66,8 +66,10 @@ func NewDriver(libType string) (Driver, bool) {
 		ecosystem = vulnerability.Swift
 		comparer = compare.GenericComparer{}
 	case ftypes.Cocoapods:
-		log.Logger.Warn("CocoaPods is supported for SBOM, not for vulnerability scanning")
-		return Driver{}, false
+		// CocoaPods uses RubyGems version specifiers
+		// https://guides.cocoapods.org/making/making-a-cocoapod.html#cocoapods-versioning-specifics
+		ecosystem = vulnerability.Cocoapods
+		comparer = rubygems.Comparer{}
 	case ftypes.CondaPkg:
 		log.Logger.Warn("Conda package is supported for SBOM, not for vulnerability scanning")
 		return Driver{}, false

pkg/fanal/analyzer/const.go

@@ -181,6 +181,7 @@ var (
 		TypeRustBinary,
 		TypeConanLock,
 		TypeCocoaPods,
+		TypeSwift,
 		TypePubSpecLock,
 		TypeMixLock,
 	}
@@ -199,6 +200,7 @@ var (
 		TypeConanLock,
 		TypeGradleLock,
 		TypeCocoaPods,
+		TypeSwift,
 		TypePubSpecLock,
 		TypeMixLock,
 	}

pkg/fanal/analyzer/language/swift/cocoapods/cocoapods_test.go

@@ -27,37 +27,37 @@ func Test_cocoaPodsLockAnalyzer_Analyze(t *testing.T) {
 						FilePath: "testdata/happy.lock",
 						Libraries: types.Packages{
 							{
-								ID:      "AppCenter/4.2.0",
+								ID:      "AppCenter@4.2.0",
 								Name:    "AppCenter",
 								Version: "4.2.0",
 								DependsOn: []string{
-									"AppCenter/Analytics/4.2.0",
-									"AppCenter/Crashes/4.2.0",
+									"AppCenter/Analytics@4.2.0",
+									"AppCenter/Crashes@4.2.0",
 								},
 							},
 							{
-								ID:      "AppCenter/Analytics/4.2.0",
+								ID:      "AppCenter/Analytics@4.2.0",
 								Name:    "AppCenter/Analytics",
 								Version: "4.2.0",
 								DependsOn: []string{
-									"AppCenter/Core/4.2.0",
+									"AppCenter/Core@4.2.0",
 								},
 							},
 							{
-								ID:      "AppCenter/Core/4.2.0",
+								ID:      "AppCenter/Core@4.2.0",
 								Name:    "AppCenter/Core",
 								Version: "4.2.0",
 							},
 							{
-								ID:      "AppCenter/Crashes/4.2.0",
+								ID:      "AppCenter/Crashes@4.2.0",
 								Name:    "AppCenter/Crashes",
 								Version: "4.2.0",
 								DependsOn: []string{
-									"AppCenter/Core/4.2.0",
+									"AppCenter/Core@4.2.0",
 								},
 							},
 							{
-								ID:      "KeychainAccess/4.2.1",
+								ID:      "KeychainAccess@4.2.1",
 								Name:    "KeychainAccess",
 								Version: "4.2.1",
 							},