feat(swift): add vulns for cocoapods

docs/docs/coverage/language/index.md

@@ -17,7 +17,7 @@ If the target is a pre-build project, like a code repository, Trivy will analyze
 On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like `.gemspec`, binary files, and so on.
 
 | Language             | File                                                                                       | Image[^5] | Rootfs[^6] | Filesystem[^7] | Repository[^8] |
-| -------------------- | ------------------------------------------------------------------------------------------ | :-------: | :--------: | :------------: | :------------: |
+|----------------------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:--------------:|:--------------:|
 | [Ruby](ruby.md)      | Gemfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 |                      | gemspec                                                                                    |     ✅     |     ✅      |       -        |       -        |
 | [Python](python.md)  | Pipfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
@@ -45,6 +45,7 @@ On the other hand, when the target is a post-build artifact, like a container im
 | [Elixir](elixir.md)  | mix.lock[^10]                                                                              |     -     |     -      |       ✅        |       ✅        |
 | [Dart](dart.md)      | pubspec.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 | [Swift](swift.md)    | Podfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
+|                      | Package.resolved                                                                           |     -     |     -      |       ✅        |       ✅        |
 
 The path of these files does not matter.
 

docs/docs/coverage/language/swift.md

@@ -1,10 +1,34 @@
 # Swift
 
-Trivy supports [CocoaPods][cocoapods] for Swift packages.
+Trivy supports [CocoaPods][cocoapods] and [Swift][swift] package managers.
+
 The following scanners are supported.
 
-| Package manager | SBOM  | Vulnerability | License |
-| --------------- | :---: | :-----------: | :-----: |
-| CocoaPods       |   ✓   |       -       |    -    |
+| Package manager | SBOM | Vulnerability | License |
+|-----------------|:----:|:-------------:|:-------:|
+| Swift           |  ✓   |       ✓       |    -    |
+| CocoaPods       |  ✓   |       ✓       |    -    |
+
+The following table provides an outline of the features Trivy offers.
+
+| Package manager | File             | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
+|:---------------:|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
+|      Swift      | Package.resolved |            ✓            |     Included     |                  -                   |    ✓     |
+|    Cocoapods    | Podfile.lock     |            ✓            |     Included     |                  ✓                   |    -     |
+
+These may be enabled or disabled depending on the target.
+See [here](./index.md) for the detail.
+
+## swift
+Trivy parses [Package.resolved][package-resolved] file to find dependencies. Don't forger to update (`swift package update` command) this file before scanning.
+
+## cocoapods
+Cocoapods uses package names in `PodFile.lock`, but [GitHub advisory database][ghsa] uses git links. 
+We parse [Cocoapods Specs][cocoapods-specs] to match package names and links.
 
-[cocoapods]: https://cocoapods.org/
+[cocoapods]: https://cocoapods.org/
+[cocoapods-specs]: https://github.com/CocoaPods/Specs
+[ghsa]: https://github.com/advisories?query=type%3Areviewed+ecosystem%3Aswift
+[swift]: https://www.swift.org/package-manager/
+[package-resolved]: https://github.com/apple/swift-package-manager/blob/main/Documentation/Usage.md#resolving-versions-packageresolved-file
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies

docs/docs/scanner/vulnerability.md

@@ -77,7 +77,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 ### Data Sources
 
 | Language | Source                                              | Commercial Use | Delay[^1] |
-| -------- | --------------------------------------------------- | :------------: | :-------: |
+|----------|-----------------------------------------------------|:--------------:|:---------:|
 | PHP      | [PHP Security Advisories Database][php]             |       ✅        |     -     |
 |          | [GitHub Advisory Database (Composer)][php-ghsa]     |       ✅        |     -     |
 | Python   | [GitHub Advisory Database (pip)][python-ghsa]       |       ✅        |     -     |
@@ -93,7 +93,8 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 | .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     |       ✅        |     -     |
 | C/C++    | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
 | Dart     | [GitHub Advisory Database (Pub)][pub-ghsa]          |       ✅        |     -     |
-| Elixir   | [GitHub Advisory Database (Erlang)][erlang-ghsa]    |       ✅        |           |
+| Elixir   | [GitHub Advisory Database (Erlang)][erlang-ghsa]    |       ✅        |     -     |
+| Swift    | [GitHub Advisory Database (Swift)][swift-ghsa]      |       ✅        |     -     |
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
@@ -168,6 +169,7 @@ Currently, specifying a username and password is not supported.
 [pub-ghsa]: https://github.com/advisories?query=ecosystem%3Apub
 [erlang-ghsa]: https://github.com/advisories?query=ecosystem%3Aerlang
 [go-ghsa]: https://github.com/advisories?query=ecosystem%3Ago
+[swift-ghsa]: https://github.com/advisories?query=ecosystem%3Aswift
 
 [php]: https://github.com/FriendsOfPHP/security-advisories
 [ruby]: https://github.com/rubysec/ruby-advisory-db

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/alicebob/miniredis/v2 v2.30.4
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/defsec v0.91.1
-	github.com/aquasecurity/go-dep-parser v0.0.0-20230823094455-40c1f85cc942
+	github.com/aquasecurity/go-dep-parser v0.0.0-20230825043456-df72a286b673
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -403,3 +403,5 @@ require (
 // oras 1.2.2 is incompatible with github.com/docker/docker v24.0.2
 // cf. https://github.com/oras-project/oras-go/pull/527
 replace oras.land/oras-go => oras.land/oras-go v1.2.4-0.20230801060855-932dd06d38af
+
+replace github.com/aquasecurity/trivy-db => github.com/DmitriyLewen/trivy-db v0.0.0-20230824102611-4e398f81cb3b

go.sum

@@ -240,6 +240,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3 h1:NqeV+ZMqpcosu0Xg2VW14Ru9ayBs/toe2oihS7sN6Xo=
 github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3/go.mod h1:fGXSp1lCDfMQ8KR1EjxT4ewc5HHhGczRF2pWhLSWohs=
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
+github.com/DmitriyLewen/trivy-db v0.0.0-20230824102611-4e398f81cb3b h1:n44r0G1H353jpO+i5kFTxmWHl2ZsDtETwRSI4Bt62VQ=
+github.com/DmitriyLewen/trivy-db v0.0.0-20230824102611-4e398f81cb3b/go.mod h1:iJSGMMclPEhkYeyiN9i+gzjV9jhEv+XfPzfVgFhfvTE=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible h1:juIaKLLVhqzP55d8x4cSVgwyQv76Z55/fRv/UBr2KkQ=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
 github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
@@ -325,8 +327,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/defsec v0.91.1 h1:dBIPm6Tva9I+ZTQv+6t9wob3ZlMSu8NFqMJr4mgJC5A=
 github.com/aquasecurity/defsec v0.91.1/go.mod h1:l/srzxtuuyb6c6FlqUvMp3xw2ZbvuZ0l9972MNJM7V8=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230823094455-40c1f85cc942 h1:VGfeUtZyya9Vsl8enDurZ7pb/NDp2aJlL2rx2g4pR6A=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230823094455-40c1f85cc942/go.mod h1:0+GvQF0gL4YEAAUPpNeLeGpFDxMvvIHLMd7vk9bpwko=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230825043456-df72a286b673 h1:RMhUzr2ZfQ8OAO26aUkqbwfxK7d3ieFtPqUhiwTxOe0=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230825043456-df72a286b673/go.mod h1:0+GvQF0gL4YEAAUPpNeLeGpFDxMvvIHLMd7vk9bpwko=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20230328195059-5bf52338aec3 h1:Vt9y1gZS5JGY3tsL9zc++Cg4ofX51CG7PaMyC5SXWPg=
@@ -345,8 +347,6 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
 github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy-db v0.0.0-20230823084507-315928e846ff h1:+MLnPm81Msu921N/lBrKd/NwwBrrzRoTgyMq0pIUhbs=
-github.com/aquasecurity/trivy-db v0.0.0-20230823084507-315928e846ff/go.mod h1:iJSGMMclPEhkYeyiN9i+gzjV9jhEv+XfPzfVgFhfvTE=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230814115812-7afa52705226 h1:fL4BpAfnLFruHqkomRDAB7Lv8yv3zuKdg71mZk9y61c=

integration/testdata/cocoapods.json.golden

@@ -21,44 +21,39 @@
       "Type": "cocoapods",
       "Packages": [
         {
-          "ID": "AppCenter/4.2.0",
-          "Name": "AppCenter",
-          "Version": "4.2.0",
-          "DependsOn": [
-            "AppCenter/Analytics/4.2.0",
-            "AppCenter/Crashes/4.2.0"
-          ],
-          "Layer": {}
-        },
-        {
-          "ID": "AppCenter/Analytics/4.2.0",
-          "Name": "AppCenter/Analytics",
-          "Version": "4.2.0",
-          "DependsOn": [
-            "AppCenter/Core/4.2.0"
-          ],
-          "Layer": {}
-        },
-        {
-          "ID": "AppCenter/Core/4.2.0",
-          "Name": "AppCenter/Core",
-          "Version": "4.2.0",
+          "ID": "[email protected]",
+          "Name": "_NIODataStructures",
+          "Version": "2.41.0",
           "Layer": {}
-        },
+        }
+      ],
+      "Vulnerabilities": [
         {
-          "ID": "AppCenter/Crashes/4.2.0",
-          "Name": "AppCenter/Crashes",
-          "Version": "4.2.0",
-          "DependsOn": [
-            "AppCenter/Core/4.2.0"
+          "VulnerabilityID": "CVE-2022-3215",
+          "PkgID": "[email protected]",
+          "PkgName": "_NIODataStructures",
+          "InstalledVersion": "2.41.0",
+          "FixedVersion": "2.29.1, 2.39.1, 2.42.0",
+          "Status": "fixed",
+          "Layer": {},
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3215",
+          "Title": "SwiftNIO vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')",
+          "Description": "`NIOHTTP1` and projects using it for generating HTTP responses, including SwiftNIO, can be subject to a HTTP Response Injection attack...",
+          "Severity": "MEDIUM",
+          "CVSS": {
+            "ghsa": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
+              "V3Score": 5.3
+            }
+          },
+          "References": [
+            "https://github.com/apple/swift-nio/security/advisories/GHSA-7fj7-39wj-c64f",
+            "https://nvd.nist.gov/vuln/detail/CVE-2022-3215",
+            "https://github.com/apple/swift-nio/commit/a16e2f54a25b2af217044e5168997009a505930f",
+            "https://github.com/advisories/GHSA-7fj7-39wj-c64f"
           ],
-          "Layer": {}
-        },
-        {
-          "ID": "KeychainAccess/4.2.1",
-          "Name": "KeychainAccess",
-          "Version": "4.2.1",
-          "Layer": {}
+          "PublishedDate": "2023-06-07T16:01:53Z",
+          "LastModifiedDate": "2023-06-19T16:45:07Z"
         }
       ]
     }

integration/testdata/fixtures/db/cocoapods.yaml

@@ -0,0 +1,14 @@
+- bucket: "cocoapods::GitHub Security Advisory Cocoapods"
+  pairs:
+    - bucket: _NIODataStructures
+      pairs:
+        - key: CVE-2022-3215
+          value:
+            PatchedVersions:
+              - "2.29.1"
+              - "2.39.1"
+              - "2.42.0"
+            VulnerableVersions:
+              - "< 2.29.1"
+              - ">= 2.39.0, < 2.39.1"
+              - ">= 2.41.0, < 2.42.0"

integration/testdata/fixtures/repo/cocoapods/Podfile.lock

@@ -1,12 +1,16 @@
 PODS:
-  - AppCenter (4.2.0):
-    - AppCenter/Analytics (= 4.2.0)
-    - AppCenter/Crashes (= 4.2.0)
-  - AppCenter/Analytics (4.2.0):
-    - AppCenter/Core
-  - AppCenter/Core (4.2.0)
-  - AppCenter/Crashes (4.2.0):
-    - AppCenter/Core
-  - KeychainAccess (4.2.1)
-
-COCOAPODS: 1.11.2
+  - _NIODataStructures (2.41.0)
+
+DEPENDENCIES:
+  - _NIODataStructures (= 2.41.0)
+
+SPEC REPOS:
+  trunk:
+    - _NIODataStructures
+
+SPEC CHECKSUMS:
+  _NIODataStructures: 3d45d8e70a1d17a15b1dc59d102c63dbc0525ffd
+
+PODFILE CHECKSUM: 2acff18c7f9246879b6a1a2d04e5decbc9410ef4
+
+COCOAPODS: 1.12.1

pkg/detector/library/driver.go

@@ -66,8 +66,10 @@ func NewDriver(libType string) (Driver, bool) {
 		ecosystem = vulnerability.Swift
 		comparer = compare.GenericComparer{}
 	case ftypes.Cocoapods:
-		log.Logger.Warn("CocoaPods is supported for SBOM, not for vulnerability scanning")
-		return Driver{}, false
+		// Cocoapods uses RubyGems version specifiers
+		// https://guides.cocoapods.org/making/making-a-cocoapod.html#cocoapods-versioning-specifics
+		ecosystem = vulnerability.Cocoapods
+		comparer = rubygems.Comparer{}
 	case ftypes.CondaPkg:
 		log.Logger.Warn("Conda package is supported for SBOM, not for vulnerability scanning")
 		return Driver{}, false

pkg/fanal/analyzer/const.go

@@ -181,6 +181,7 @@ var (
 		TypeRustBinary,
 		TypeConanLock,
 		TypeCocoaPods,
+		TypeSwift,
 		TypePubSpecLock,
 		TypeMixLock,
 	}
@@ -199,6 +200,7 @@ var (
 		TypeConanLock,
 		TypeGradleLock,
 		TypeCocoaPods,
+		TypeSwift,
 		TypePubSpecLock,
 		TypeMixLock,
 	}

pkg/fanal/analyzer/language/swift/cocoapods/cocoapods_test.go

@@ -27,37 +27,37 @@ func Test_cocoaPodsLockAnalyzer_Analyze(t *testing.T) {
 						FilePath: "testdata/happy.lock",
 						Libraries: types.Packages{
 							{
-								ID:      "AppCenter/4.2.0",
+								ID:      "AppCenter@4.2.0",
 								Name:    "AppCenter",
 								Version: "4.2.0",
 								DependsOn: []string{
-									"AppCenter/Analytics/4.2.0",
-									"AppCenter/Crashes/4.2.0",
+									"AppCenter/Analytics@4.2.0",
+									"AppCenter/Crashes@4.2.0",
 								},
 							},
 							{
-								ID:      "AppCenter/Analytics/4.2.0",
+								ID:      "AppCenter/Analytics@4.2.0",
 								Name:    "AppCenter/Analytics",
 								Version: "4.2.0",
 								DependsOn: []string{
-									"AppCenter/Core/4.2.0",
+									"AppCenter/Core@4.2.0",
 								},
 							},
 							{
-								ID:      "AppCenter/Core/4.2.0",
+								ID:      "AppCenter/Core@4.2.0",
 								Name:    "AppCenter/Core",
 								Version: "4.2.0",
 							},
 							{
-								ID:      "AppCenter/Crashes/4.2.0",
+								ID:      "AppCenter/Crashes@4.2.0",
 								Name:    "AppCenter/Crashes",
 								Version: "4.2.0",
 								DependsOn: []string{
-									"AppCenter/Core/4.2.0",
+									"AppCenter/Core@4.2.0",
 								},
 							},
 							{
-								ID:      "KeychainAccess/4.2.1",
+								ID:      "KeychainAccess@4.2.1",
 								Name:    "KeychainAccess",
 								Version: "4.2.1",
 							},