add vulns for cocoapods, fix purl

go.mod

@@ -403,3 +403,7 @@ require (
 // oras 1.2.2 is incompatible with github.com/docker/docker v24.0.2
 // cf. https://github.com/oras-project/oras-go/pull/527
 replace oras.land/oras-go => oras.land/oras-go v1.2.4-0.20230801060855-932dd06d38af
+
+replace github.com/aquasecurity/trivy-db => github.com/DmitriyLewen/trivy-db v0.0.0-20230824102611-4e398f81cb3b
+
+replace github.com/aquasecurity/go-dep-parser => github.com/DmitriyLewen/go-dep-parser v0.0.0-20230824105602-3f7622fbbc25

go.sum

@@ -240,6 +240,10 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3 h1:NqeV+ZMqpcosu0Xg2VW14Ru9ayBs/toe2oihS7sN6Xo=
 github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3/go.mod h1:fGXSp1lCDfMQ8KR1EjxT4ewc5HHhGczRF2pWhLSWohs=
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
+github.com/DmitriyLewen/go-dep-parser v0.0.0-20230824105602-3f7622fbbc25 h1:6sLAQT10WhpBb+JYpKXnHhYtBh5rM1U3ulhRfS57Lk0=
+github.com/DmitriyLewen/go-dep-parser v0.0.0-20230824105602-3f7622fbbc25/go.mod h1:0+GvQF0gL4YEAAUPpNeLeGpFDxMvvIHLMd7vk9bpwko=
+github.com/DmitriyLewen/trivy-db v0.0.0-20230824102611-4e398f81cb3b h1:n44r0G1H353jpO+i5kFTxmWHl2ZsDtETwRSI4Bt62VQ=
+github.com/DmitriyLewen/trivy-db v0.0.0-20230824102611-4e398f81cb3b/go.mod h1:iJSGMMclPEhkYeyiN9i+gzjV9jhEv+XfPzfVgFhfvTE=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible h1:juIaKLLVhqzP55d8x4cSVgwyQv76Z55/fRv/UBr2KkQ=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
 github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
@@ -325,8 +329,6 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/defsec v0.91.1 h1:dBIPm6Tva9I+ZTQv+6t9wob3ZlMSu8NFqMJr4mgJC5A=
 github.com/aquasecurity/defsec v0.91.1/go.mod h1:l/srzxtuuyb6c6FlqUvMp3xw2ZbvuZ0l9972MNJM7V8=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230823094455-40c1f85cc942 h1:VGfeUtZyya9Vsl8enDurZ7pb/NDp2aJlL2rx2g4pR6A=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230823094455-40c1f85cc942/go.mod h1:0+GvQF0gL4YEAAUPpNeLeGpFDxMvvIHLMd7vk9bpwko=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20230328195059-5bf52338aec3 h1:Vt9y1gZS5JGY3tsL9zc++Cg4ofX51CG7PaMyC5SXWPg=
@@ -345,8 +347,6 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
 github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy-db v0.0.0-20230823084507-315928e846ff h1:+MLnPm81Msu921N/lBrKd/NwwBrrzRoTgyMq0pIUhbs=
-github.com/aquasecurity/trivy-db v0.0.0-20230823084507-315928e846ff/go.mod h1:iJSGMMclPEhkYeyiN9i+gzjV9jhEv+XfPzfVgFhfvTE=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230814115812-7afa52705226 h1:fL4BpAfnLFruHqkomRDAB7Lv8yv3zuKdg71mZk9y61c=

integration/testdata/cocoapods.json.golden

@@ -21,44 +21,39 @@
       "Type": "cocoapods",
       "Packages": [
         {
-          "ID": "AppCenter/4.2.0",
-          "Name": "AppCenter",
-          "Version": "4.2.0",
-          "DependsOn": [
-            "AppCenter/Analytics/4.2.0",
-            "AppCenter/Crashes/4.2.0"
-          ],
-          "Layer": {}
-        },
-        {
-          "ID": "AppCenter/Analytics/4.2.0",
-          "Name": "AppCenter/Analytics",
-          "Version": "4.2.0",
-          "DependsOn": [
-            "AppCenter/Core/4.2.0"
-          ],
-          "Layer": {}
-        },
-        {
-          "ID": "AppCenter/Core/4.2.0",
-          "Name": "AppCenter/Core",
-          "Version": "4.2.0",
+          "ID": "[email protected]",
+          "Name": "_NIODataStructures",
+          "Version": "2.41.0",
           "Layer": {}
-        },
+        }
+      ],
+      "Vulnerabilities": [
         {
-          "ID": "AppCenter/Crashes/4.2.0",
-          "Name": "AppCenter/Crashes",
-          "Version": "4.2.0",
-          "DependsOn": [
-            "AppCenter/Core/4.2.0"
+          "VulnerabilityID": "CVE-2022-3215",
+          "PkgID": "[email protected]",
+          "PkgName": "_NIODataStructures",
+          "InstalledVersion": "2.41.0",
+          "FixedVersion": "2.29.1, 2.39.1, 2.42.0",
+          "Status": "fixed",
+          "Layer": {},
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3215",
+          "Title": "SwiftNIO vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')",
+          "Description": "`NIOHTTP1` and projects using it for generating HTTP responses, including SwiftNIO, can be subject to a HTTP Response Injection attack...",
+          "Severity": "MEDIUM",
+          "CVSS": {
+            "ghsa": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
+              "V3Score": 5.3
+            }
+          },
+          "References": [
+            "https://github.com/apple/swift-nio/security/advisories/GHSA-7fj7-39wj-c64f",
+            "https://nvd.nist.gov/vuln/detail/CVE-2022-3215",
+            "https://github.com/apple/swift-nio/commit/a16e2f54a25b2af217044e5168997009a505930f",
+            "https://github.com/advisories/GHSA-7fj7-39wj-c64f"
           ],
-          "Layer": {}
-        },
-        {
-          "ID": "KeychainAccess/4.2.1",
-          "Name": "KeychainAccess",
-          "Version": "4.2.1",
-          "Layer": {}
+          "PublishedDate": "2023-06-07T16:01:53Z",
+          "LastModifiedDate": "2023-06-19T16:45:07Z"
         }
       ]
     }

integration/testdata/fixtures/db/cocoapods.yaml

@@ -0,0 +1,14 @@
+- bucket: "cocoapods::GitHub Security Advisory Cocoapods"
+  pairs:
+    - bucket: _NIODataStructures
+      pairs:
+        - key: CVE-2022-3215
+          value:
+            PatchedVersions:
+              - "2.29.1"
+              - "2.39.1"
+              - "2.42.0"
+            VulnerableVersions:
+              - "< 2.29.1"
+              - ">= 2.39.0, < 2.39.1"
+              - ">= 2.41.0, < 2.42.0"

integration/testdata/fixtures/repo/cocoapods/Podfile.lock

@@ -1,12 +1,16 @@
 PODS:
-  - AppCenter (4.2.0):
-    - AppCenter/Analytics (= 4.2.0)
-    - AppCenter/Crashes (= 4.2.0)
-  - AppCenter/Analytics (4.2.0):
-    - AppCenter/Core
-  - AppCenter/Core (4.2.0)
-  - AppCenter/Crashes (4.2.0):
-    - AppCenter/Core
-  - KeychainAccess (4.2.1)
-
-COCOAPODS: 1.11.2
+  - _NIODataStructures (2.41.0)
+
+DEPENDENCIES:
+  - _NIODataStructures (= 2.41.0)
+
+SPEC REPOS:
+  trunk:
+    - _NIODataStructures
+
+SPEC CHECKSUMS:
+  _NIODataStructures: 3d45d8e70a1d17a15b1dc59d102c63dbc0525ffd
+
+PODFILE CHECKSUM: 2acff18c7f9246879b6a1a2d04e5decbc9410ef4
+
+COCOAPODS: 1.12.1

pkg/detector/library/driver.go

@@ -66,8 +66,10 @@ func NewDriver(libType string) (Driver, bool) {
 		ecosystem = vulnerability.Swift
 		comparer = compare.GenericComparer{}
 	case ftypes.Cocoapods:
-		log.Logger.Warn("CocoaPods is supported for SBOM, not for vulnerability scanning")
-		return Driver{}, false
+		// Cocoapods uses RubyGems version specifiers
+		// https://guides.cocoapods.org/making/making-a-cocoapod.html#cocoapods-versioning-specifics
+		ecosystem = vulnerability.Cocoapods
+		comparer = rubygems.Comparer{}
 	case ftypes.CondaPkg:
 		log.Logger.Warn("Conda package is supported for SBOM, not for vulnerability scanning")
 		return Driver{}, false

pkg/fanal/analyzer/language/swift/cocoapods/cocoapods_test.go

@@ -27,37 +27,37 @@ func Test_cocoaPodsLockAnalyzer_Analyze(t *testing.T) {
 						FilePath: "testdata/happy.lock",
 						Libraries: types.Packages{
 							{
-								ID:      "AppCenter/4.2.0",
+								ID:      "AppCenter@4.2.0",
 								Name:    "AppCenter",
 								Version: "4.2.0",
 								DependsOn: []string{
-									"AppCenter/Analytics/4.2.0",
-									"AppCenter/Crashes/4.2.0",
+									"AppCenter/Analytics@4.2.0",
+									"AppCenter/Crashes@4.2.0",
 								},
 							},
 							{
-								ID:      "AppCenter/Analytics/4.2.0",
+								ID:      "AppCenter/Analytics@4.2.0",
 								Name:    "AppCenter/Analytics",
 								Version: "4.2.0",
 								DependsOn: []string{
-									"AppCenter/Core/4.2.0",
+									"AppCenter/Core@4.2.0",
 								},
 							},
 							{
-								ID:      "AppCenter/Core/4.2.0",
+								ID:      "AppCenter/Core@4.2.0",
 								Name:    "AppCenter/Core",
 								Version: "4.2.0",
 							},
 							{
-								ID:      "AppCenter/Crashes/4.2.0",
+								ID:      "AppCenter/Crashes@4.2.0",
 								Name:    "AppCenter/Crashes",
 								Version: "4.2.0",
 								DependsOn: []string{
-									"AppCenter/Core/4.2.0",
+									"AppCenter/Core@4.2.0",
 								},
 							},
 							{
-								ID:      "KeychainAccess/4.2.1",
+								ID:      "KeychainAccess@4.2.1",
 								Name:    "KeychainAccess",
 								Version: "4.2.1",
 							},

pkg/purl/purl.go

@@ -109,6 +109,8 @@ func (p *PackageURL) PackageType() string {
 	case packageurl.TypeNuget:
 		return ftypes.NuGet
 	case packageurl.TypeSwift:
+		return ftypes.Swift
+	case packageurl.TypeCocoapods:
 		return ftypes.Cocoapods
 	case packageurl.TypeHex:
 		return ftypes.Hex
@@ -180,6 +182,8 @@ func NewPackageURL(t string, metadata types.Metadata, pkg ftypes.Package) (Packa
 		namespace, name = parseGolang(name)
 	case packageurl.TypeNPM:
 		namespace, name = parseNpm(name)
+	case packageurl.TypeSwift:
+		namespace, name = parseSwift(name)
 	case packageurl.TypeOCI:
 		purl, err := parseOCI(metadata)
 		if err != nil {
@@ -306,6 +310,11 @@ func parseComposer(pkgName string) (string, string) {
 	return parsePkgName(pkgName)
 }
 
+// ref. https://github.com/package-url/purl-spec/blob/a748c36ad415c8aeffe2b8a4a5d8a50d16d6d85f/PURL-TYPES.rst#swift
+func parseSwift(pkgName string) (string, string) {
+	return parsePkgName(pkgName)
+}
+
 // ref. https://github.com/package-url/purl-spec/blob/a748c36ad415c8aeffe2b8a4a5d8a50d16d6d85f/PURL-TYPES.rst#npm
 func parseNpm(pkgName string) (string, string) {
 	// the name must be lowercased
@@ -330,6 +339,8 @@ func purlType(t string) string {
 	case ftypes.Npm, ftypes.NodePkg, ftypes.Yarn, ftypes.Pnpm:
 		return packageurl.TypeNPM
 	case ftypes.Cocoapods:
+		return packageurl.TypeCocoapods
+	case ftypes.Swift:
 		return packageurl.TypeSwift
 	case ftypes.Hex:
 		return packageurl.TypeHex

pkg/purl/purl_test.go

@@ -213,6 +213,38 @@ func TestNewPackageURL(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "swift package",
+			typ:  ftypes.Swift,
+			pkg: ftypes.Package{
+				ID:      "github.com/apple/[email protected]",
+				Name:    "github.com/apple/swift-atomics",
+				Version: "1.1.0",
+			},
+			want: purl.PackageURL{
+				PackageURL: packageurl.PackageURL{
+					Type:    packageurl.TypeSwift,
+					Name:    "github.com/apple/swift-atomics",
+					Version: "1.1.0",
+				},
+			},
+		},
+		{
+			name: "cocoapods package",
+			typ:  ftypes.Cocoapods,
+			pkg: ftypes.Package{
+				ID:      "[email protected]",
+				Name:    "_NIODataStructures",
+				Version: "2.41.0",
+			},
+			want: purl.PackageURL{
+				PackageURL: packageurl.PackageURL{
+					Type:    packageurl.TypeCocoapods,
+					Name:    "_NIODataStructures",
+					Version: "2.41.0",
+				},
+			},
+		},
 		{
 			name: "os package",
 			typ:  os.RedHat,