cocoapods-audit

Author: barv-jfrog

commands/audit/sca/cocoapods/cocoapods.go

@@ -18,6 +18,8 @@ import (
 	"strings"
 )
 
+// VersionForMainModule - We don't have information in cocoapods on the current package, or main module, we only have information on its
+// dependencies.
 const (
 	VersionForMainModule = "0.0.0"
 )
@@ -45,39 +47,46 @@ func GetTechDependencyLocation(directDependencyName, directDependencyVersion str
 		foundDependency := false
 		var tempIndex int
 		for i, line := range lines {
-			if strings.Contains(line, directDependencyName) {
-				startLine = i
-				startCol = strings.Index(line, directDependencyName)
-				foundDependency = true
-				tempIndex = i
-			}
-			// This means we are in a new dependency (we cannot find dependency name and version together)
-			if i > tempIndex && foundDependency && strings.Contains(line, "pod") {
-				foundDependency = false
-			} else if foundDependency && strings.Contains(line, directDependencyVersion) {
-				endLine = i
-				endCol = len(line)
-				var snippet string
-				if endLine == startLine {
-					snippet = lines[startLine][startCol:endCol]
-				} else {
-					for snippetLine := 1; snippetLine < endLine-startLine+1; snippetLine++ {
-						switch snippetLine {
-						case 0:
-							snippet += "\n" + lines[snippetLine][startLine:]
-						case endLine - startLine:
-							snippet += "\n" + lines[snippetLine][:endCol]
-						default:
-							snippet += "\n" + lines[snippetLine]
-						}
-					}
+			foundDependency, tempIndex, startLine, startCol = parsePodLine(line, directDependencyName, directDependencyVersion, descriptorPath, i, tempIndex, startLine, startCol, endLine, endCol, lines, foundDependency, &podPositions)
+		}
+	}
+	return podPositions, nil
+}
+
+func parsePodLine(line, directDependencyName, directDependencyVersion, descriptorPath string, i, tempIndex, startLine, startCol, endLine, endCol int, lines []string, foundDependency bool, podPositions *[]*sarif.Location) (bool, int, int, int) {
+	if strings.Contains(line, directDependencyName) {
+		startLine = i
+		startCol = strings.Index(line, directDependencyName)
+		foundDependency = true
+		tempIndex = i
+	}
+	// This means we are in a new dependency (we cannot find dependency name and version together)
+	if i > tempIndex && foundDependency && strings.Contains(line, "pod") {
+		foundDependency = false
+	} else if foundDependency && strings.Contains(line, directDependencyVersion) {
+		endLine = i
+		endCol = len(line)
+		var snippet string
+		// if the tech dependency is a one-liner
+		if endLine == startLine {
+			snippet = lines[startLine][startCol:endCol]
+			// else it is more than one line, so we need to parse all lines
+		} else {
+			for snippetLine := 0; snippetLine < endLine-startLine+1; snippetLine++ {
+				switch snippetLine {
+				case 0:
+					snippet += "\n" + lines[snippetLine][startLine:]
+				case endLine - startLine:
+					snippet += "\n" + lines[snippetLine][:endCol]
+				default:
+					snippet += "\n" + lines[snippetLine]
 				}
-				podPositions = append(podPositions, sarifutils.CreateLocation(descriptorPath, startLine, endLine, startCol, endCol, snippet))
-				foundDependency = false
 			}
 		}
+		*podPositions = append(*podPositions, sarifutils.CreateLocation(descriptorPath, startLine, endLine, startCol, endCol, snippet))
+		foundDependency = false
 	}
-	return podPositions, nil
+	return foundDependency, tempIndex, startLine, startCol
 }
 
 func FixTechDependency(dependencyName, dependencyVersion, fixVersion string, descriptorPaths ...string) error {

commands/audit/sca/cocoapods/cocoapods_test.go

@@ -65,10 +65,14 @@ func TestGetTechDependencyLocation(t *testing.T) {
 	locations, err := GetTechDependencyLocation("GoogleSignIn", "6.2.4", filepath.Join(currentDir, "Podfile"))
 	assert.NoError(t, err)
 	assert.Len(t, locations, 1)
+	assert.Equal(t, *locations[0].PhysicalLocation.Region.StartLine, 4)
+	assert.Equal(t, *locations[0].PhysicalLocation.Region.StartColumn, 4)
+	assert.Equal(t, *locations[0].PhysicalLocation.Region.EndLine, 5)
+	assert.Equal(t, *locations[0].PhysicalLocation.Region.EndColumn, 30)
 	assert.Equal(t, *locations[0].PhysicalLocation.Region.Snippet.Text, "GoogleSignIn', '~> 6.2.4'")
 }
 
-func TestFixTechDependency(t *testing.T) {
+func TestFixTechDependencySingleLocation(t *testing.T) {
 	_, cleanUp := sca.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods"))
 	defer cleanUp()
 	currentDir, err := coreutils.GetWorkingDirectory()
@@ -80,3 +84,29 @@ func TestFixTechDependency(t *testing.T) {
 	lines := strings.Split(string(file), "\n")
 	assert.Contains(t, lines, "pod 'GoogleSignIn', '~> 6.2.5'")
 }
+
+func TestFixTechDependencyMultipleLocations(t *testing.T) {
+	_, cleanUp := sca.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods"))
+	defer cleanUp()
+	currentDir, err := coreutils.GetWorkingDirectory()
+	assert.NoError(t, err)
+	err = FixTechDependency("AppAuth", "1.7.5", "1.7.6", filepath.Join(currentDir, "Podfile"))
+	assert.NoError(t, err)
+	file, err := os.ReadFile(filepath.Join(currentDir, "Podfile"))
+	assert.NoError(t, err)
+	numAppearances := strings.Count(string(file), "pod 'AppAuth', '~> 1.7.6'")
+	assert.Equal(t, numAppearances, 2)
+}
+
+func TestFixTechDependencyNoLocations(t *testing.T) {
+	_, cleanUp := sca.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods"))
+	defer cleanUp()
+	currentDir, err := coreutils.GetWorkingDirectory()
+	assert.NoError(t, err)
+	err = FixTechDependency("GoogleSignIn", "1.8.2", "1.8.3", filepath.Join(currentDir, "Podfile"))
+	assert.NoError(t, err)
+	file, err := os.ReadFile(filepath.Join(currentDir, "Podfile"))
+	assert.NoError(t, err)
+	lines := strings.Split(string(file), "\n")
+	assert.Contains(t, lines, "pod 'GoogleSignIn', '~> 6.2.4'")
+}

tests/testdata/projects/package-managers/cocoapods/Podfile

@@ -3,5 +3,7 @@ platform :ios, '9.0'
 target 'Test' do
   use_frameworks!
 pod 'GoogleSignIn', '~> 6.2.4'
+pod 'AppAuth', '~> 1.7.5'
+pod 'AppAuth', '~> 1.7.5'
 
 end