This issue explores automatic SBOM generation for this app.
Existing solutions
- a direct integration like the one used in [FEATURE REQUEST] Create SBOM by using cyclonedx (android#4599) is not available for Xcode projects using SwiftPM
- I couldn't find any third-party project fit for the purpose. The closest I could find is a project generating CycloneDX files for CocoaPods - something which we no longer use
Findings and a possible solution
- a JSON list of Swift packages is maintained inside the Xcode project at ownCloud.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved

```json
{
  "originHash" : "cc8e62b9f24062ff6e87f5e91e6f6cb41653dcf8250ce8973635e9ed0a5c561d",
  "pins" : [
    {
      "identity" : "down",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/johnxnguyen/Down",
      "state" : {
        "branch" : "master",
        "revision" : "e754ab1c80920dd51a8e08290c912ac1c2ac8b58"
      }
    },
    {
      "identity" : "openssl",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/krzyzanowskim/OpenSSL.git",
      "state" : {
        "revision" : "8729614a93e6b20307db3c3359aed81f030facaa",
        "version" : "3.3.2000"
      }
    },
    {
      "identity" : "plcrashreporter",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/microsoft/plcrashreporter.git",
      "state" : {
        "revision" : "8c61e5e38e9f737dd68512ed1ea5ab081244ad65",
        "version" : "1.12.0"
      }
    },
    {
      "identity" : "pocketsvg",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/pocketsvg/PocketSVG.git",
      "state" : {
        "revision" : "10c6885e427e88d35fbb64010fbd6385cb58fef7",
        "version" : "2.7.3"
      }
    }
  ],
  "version" : 3
}
```

- this information could be rearranged to match the CycloneDX JSON format as seen f.ex. here.
- problem: no license information is available in Package.resolved
- solution:
  - license information could be auto-detected (by loading https://raw.githubusercontent.com/$project/refs/heads/master/LICENSE and checking for strings common in MIT, GPL, Apache… licenses) and provided using official SPDX IDs. It might also be possible to use CycloneDX/license-scanner for that, but this could end up being more work than necessary (except maybe if writing the tool in golang, from where license-scanner can be used directly as a library).
  - additional information (incl. missing or corrections of incorrect license information) could be added through an additional JSON file that allows specifying additional attributes to include on a per-package basis, f.ex.
```json
{
  "https://github.com/krzyzanowskim/OpenSSL.git" : {
    "licenses" : [
      {
        "license" : {
          "id" : "Apache-2.0"
        }
      }
    ]
  }
}
```

- addition: license information for all components is also already present in the form of registered extensions inside the app
- this information could also be extended/utilized with SPDX License IDs and used for enriching the package information.
- this could also be an opportunity to detect if packages were added to the Xcode project without also adding license texts/information to the app
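As an added example (this is not code from the ownCloud project or from the issue author), the pipeline sketched above written out in Python: parse a Package.resolved (format version 3), emit one CycloneDX 1.5 component per pin, fill in licenses first from a per-package override file of the shape shown above and otherwise from a keyword scan of the package's LICENSE text, and finally list the components that ended up without any license, which is the "package added without license information" check the last bullet asks for. The Package.resolved excerpt, the LICENSE texts and the override map are constructed inline so the script runs offline (a real tool would fetch the LICENSE files); the `swiftpm:revision`/`swiftpm:branch` property names and the use of the pinned revision as the version for branch pins are assumptions made for this example, and the purl form follows the swift type of the package-url spec.

```python
"""Added example: Package.resolved -> CycloneDX JSON with license enrichment."""
import json
import re

# Constructed sample: a trimmed Package.resolved as SwiftPM writes it (version 3).
PACKAGE_RESOLVED = json.dumps({
    "originHash": "0000000000000000000000000000000000000000000000000000000000000000",
    "pins": [
        {"identity": "down", "kind": "remoteSourceControl",
         "location": "https://github.com/johnxnguyen/Down",
         "state": {"branch": "master",
                   "revision": "e754ab1c80920dd51a8e08290c912ac1c2ac8b58"}},
        {"identity": "openssl", "kind": "remoteSourceControl",
         "location": "https://github.com/krzyzanowskim/OpenSSL.git",
         "state": {"revision": "8729614a93e6b20307db3c3359aed81f030facaa",
                   "version": "3.3.2000"}},
        {"identity": "pocketsvg", "kind": "remoteSourceControl",
         "location": "https://github.com/pocketsvg/PocketSVG.git",
         "state": {"revision": "10c6885e427e88d35fbb64010fbd6385cb58fef7",
                   "version": "2.7.3"}},
    ],
    "version": 3,
})

# Constructed: what fetching <repo>/LICENSE would return, keyed by pin location.
# Only Down has a text here; OpenSSL is covered by the override, PocketSVG by nothing.
LICENSE_TEXTS = {
    "https://github.com/johnxnguyen/Down":
        "MIT License\n\nPermission is hereby granted, free of charge, to any person ...",
}

# Constructed override file in the per-package shape proposed in the issue.
OVERRIDES = {
    "https://github.com/krzyzanowskim/OpenSSL.git": {
        "licenses": [{"license": {"id": "Apache-2.0"}}],
    },
}

# Heuristic detection: a distinctive phrase per license -> SPDX ID. Order matters:
# the more specific texts (LGPL, GPL v3, BSD-3) are tried before the ones whose
# phrases they also contain. This is a keyword scan, not a full license matcher.
LICENSE_SIGNATURES = [
    ("Apache-2.0", r"Apache License\s+Version 2\.0"),
    ("LGPL-2.1-only", r"GNU LESSER GENERAL PUBLIC LICENSE\s+Version 2\.1"),
    ("GPL-3.0-only", r"GNU GENERAL PUBLIC LICENSE\s+Version 3"),
    ("GPL-2.0-only", r"GNU GENERAL PUBLIC LICENSE\s+Version 2"),
    ("BSD-3-Clause", r"nor the names of its contributors"),
    ("BSD-2-Clause", r"Redistributions in binary form must reproduce"),
    ("MIT", r"Permission is hereby granted, free of charge"),
]


def detect_license(text):
    """Return the SPDX ID of the first matching signature, or None."""
    for spdx_id, pattern in LICENSE_SIGNATURES:
        if re.search(pattern, text, re.IGNORECASE):
            return spdx_id
    return None


def component_from_pin(pin, license_texts, overrides):
    """Map one Package.resolved pin to a CycloneDX component dict."""
    location = pin["location"]
    repo = re.sub(r"\.git$", "", location)          # purl namespace has no .git suffix
    owner_path = repo.split("://", 1)[1]             # e.g. github.com/owner/Name
    name = owner_path.rsplit("/", 1)[1]
    state = pin["state"]
    version = state.get("version") or state["revision"]   # branch pins carry no semver
    component = {
        "type": "library",
        "name": name,
        "version": version,
        "purl": f"pkg:swift/{owner_path}@{version}",
        "externalReferences": [{"type": "vcs", "url": location}],
        "properties": [{"name": "swiftpm:revision", "value": state["revision"]}],
    }
    if "branch" in state:
        component["properties"].append({"name": "swiftpm:branch", "value": state["branch"]})
    # License: an explicit override wins; otherwise scan the LICENSE text.
    override = overrides.get(location, {})
    if override.get("licenses"):
        component["licenses"] = override["licenses"]
    else:
        spdx_id = detect_license(license_texts.get(location, ""))
        if spdx_id:
            component["licenses"] = [{"license": {"id": spdx_id}}]
    return component


def build_bom(package_resolved_json, license_texts, overrides):
    """Build a minimal CycloneDX 1.5 BOM from the Package.resolved JSON text."""
    resolved = json.loads(package_resolved_json)
    if resolved.get("version") != 3:
        raise ValueError(f"unsupported Package.resolved version {resolved.get('version')}")
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [component_from_pin(p, license_texts, overrides)
                       for p in resolved["pins"]],
    }


def missing_licenses(bom):
    """Names of components with no license: candidates for a missing LICENSE in the app."""
    return [c["name"] for c in bom["components"] if not c.get("licenses")]


if __name__ == "__main__":
    bom = build_bom(PACKAGE_RESOLVED, LICENSE_TEXTS, OVERRIDES)
    print(json.dumps(bom, indent=2))
    print("components without a license:", missing_licenses(bom))
```

Running it prints the BOM and reports PocketSVG as the one component without a license, which is the signal a CI job would fail on. Two things worth keeping in mind if this is turned into a real tool: the keyword scan is only a first pass (a custom or dual license will come out as the first phrase that happens to match, so the override file must be able to replace, not just add, a license), and the `$project/refs/heads/master/LICENSE` URL in the proposal assumes a default branch named master, which the pinned revision in Package.resolved would be the safer thing to fetch from.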