feat(swift): add vulns for cocoapods

[DmitriyLewen]

Description

Add vulnerability detection for Cocoapods.
Update purl - use subpath.

➜ trivy fs ./Podfile.lock 
2023-08-25T12:17:43.021+0600    INFO    Vulnerability scanning is enabled
2023-08-25T12:17:43.022+0600    INFO    Secret scanning is enabled
2023-08-25T12:17:43.022+0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-25T12:17:43.022+0600    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-08-25T12:17:43.027+0600    INFO    Number of language-specific files: 1
2023-08-25T12:17:43.027+0600    INFO    Detecting cocoapods vulnerabilities...

Podfile.lock (cocoapods)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability │ Severity │ Status │ Installed Version │     Fixed Version      │                         Title                          │
├────────────────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────┤
│ _NIODataStructures │ CVE-2022-3215 │ MEDIUM   │ fixed  │ 2.41.0            │ 2.29.1, 2.39.1, 2.42.0 │ SwiftNIO vulnerable to Improper Neutralization of CRLF │
│                    │               │          │        │                   │                        │ Sequences in HTTP Headers ('HTTP...                    │
│                    │               │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-3215              │
└────────────────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────────────┴────────────────────────────────────────────────────────┘

Related issues

• Close Add support for Swift packages vulnerabilities #4896

Related PRs

• feat(swift): add Cocoapods advisories trivy-db#344
• refactor(cocoapods): use utils.PackageID for ID go-dep-parser#252

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

Is there any specific logic for the combination of CycloneDX and CocoaPods besides PURL? If not, we don't need to test the same thing again here as we test the PURL logic in the purl package enough.

[DmitriyLewen]

We don't test Package() function in purl package.
I only found 1 my mistake with subpath when testing SBOM manually.
That is why i added tests in SBOM.

[knqyf263]

Oh, we should add TestPackage then.

[DmitriyLewen]

Removed added test for SBOM and added TestPackage.

[knqyf263]

We should mention the limitation that all modules are detected under the same git URL.

[DmitriyLewen]

Done

[knqyf263]

Suggested change

	| Cocoapods | Podfile.lock | ✓ | Included | ✓ | - |
	| CocoaPods | Podfile.lock | ✓ | Included | ✓ | - |

[DmitriyLewen]

Done

[knqyf263]

Suggested change

	## swift
	## Swift

[DmitriyLewen]

Done

[knqyf263]

Suggested change

	## cocoapods
	## CocoaPods

[DmitriyLewen]

Done

[knqyf263]

The link should be permanent. The main branch can be updated.

[DmitriyLewen]

Done

[knqyf263]

Suggested change

	Cocoapods uses package names in `PodFile.lock`, but [GitHub advisory database][ghsa] uses git links.
	CocoaPods uses package names in `PodFile.lock`, but [GitHub Advisory Database][ghsa] uses git links.

[DmitriyLewen]

Done