
Are SWIFT Package.resolved files supported? #3735

Closed
orschaef opened this issue Oct 13, 2021 · 6 comments

Comments

@orschaef

orschaef commented Oct 13, 2021

Hi,

In the documentation I see that Package.swift / Package.resolved files should be supported (with the experimental flag). See link: https://jeremylong.github.io/DependencyCheck/analyzers/swift.html

When trying to scan by using the following command

dependency-check --enableExperimental --project myProject --out . --scan path/to/Package.resolved --format HTML --failOnCVSS 0

I see no info in the logs that the file was analyzed, nor do I see any scanned dependency in the HTML output.
Output:

[INFO] Checking for updates
[INFO] Skipping NVD check since last check was within 4 hours.
[INFO] Skipping RetireJS update since last update was within 24 hours.
[INFO] Check for updates complete (152 ms)
[INFO]
 
Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
 
 
   About ODC: https://jeremylong.github.io/DependencyCheck/general/internals.html
   False Positives: https://jeremylong.github.io/DependencyCheck/general/suppression.html
 
💖 Sponsor: https://github.com/sponsors/jeremylong
 
 
[INFO] Analysis Started
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (2 seconds)
[INFO] Finished NPM CPE Analyzer (2 seconds)
[INFO] Created CPE Index (1 seconds)
[INFO] Finished CPE Analyzer (1 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (4 seconds)
[INFO] Writing report to: /Users/orschaef/.../dependency-check-report.html

Used dependency-check version is 6.4.1 via homebrew.

Am I missing something here, or is this simply not supported? (Just Package.swift files?)

@orschaef
Author

Ping?

@jeremylong
Owner

Sorry for the delay - I've been on vacation. A few things could be happening and we'd need more info. In the HTML report, the top of the report has the summary numbers:

Project: dependency-check sample
Scan Information (show all):
dependency-check version: 6.4.2-SNAPSHOT
Report Generated On: Sat, 23 Oct 2021 06:03:30 -0400
Dependencies Scanned: 289 (287 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 0
...

Summary
Display: Showing Vulnerable Dependencies (click to show all)

Does your report show Dependencies Scanned: 0 (0 unique) or were there dependencies scanned? If the number is above zero - there is a display toggle (see last line of my report excerpt above) to display all dependencies as opposed to just the vulnerable ones.

If it is showing zero dependencies scanned we would need a bit more info - such as the log file (add --log odc.log to the arguments) and it would be really helpful to have a copy of the package.resolved file.

@orschaef
Author

Hi, Jeremy, I hope you had great vacation days!

Yes, zero dependencies were scanned. I will send you the log and the Package.swift later.

@orschaef
Author

odc.log

And the Package.resolved

{
  "object": {
    "pins": [
      {
        "package": "Alamofire",
        "repositoryURL": "https://github.com/Alamofire/Alamofire.git",
        "state": {
          "branch": null,
          "revision": "f96b619bcb2383b43d898402283924b80e2c4bae",
          "version": "5.4.3"
        }
      },
      {
        "package": "AppAuth",
        "repositoryURL": "https://github.com/openid/AppAuth-iOS.git",
        "state": {
          "branch": null,
          "revision": "01131d68346c8ae552961c768d583c715fbe1410",
          "version": "1.4.0"
        }
      },
      {
        "package": "CocoaLumberjack",
        "repositoryURL": "https://github.com/CocoaLumberjack/CocoaLumberjack.git",
        "state": {
          "branch": null,
          "revision": "e518eb6e362df327574ba5e04269cd6d29f40aec",
          "version": "3.7.2"
        }
      },
      {
        "package": "CwlCatchException",
        "repositoryURL": "https://github.com/mattgallagher/CwlCatchException.git",
        "state": {
          "branch": null,
          "revision": "682841464136f8c66e04afe5dbd01ab51a3a56f2",
          "version": "2.1.0"
        }
      },
      {
        "package": "CwlPreconditionTesting",
        "repositoryURL": "https://github.com/mattgallagher/CwlPreconditionTesting.git",
        "state": {
          "branch": null,
          "revision": "0630439888c94657a235ffcd5977d6047ef3c87b",
          "version": "2.0.1"
        }
      },
      {
        "package": "Datadog",
        "repositoryURL": "https://github.com/DataDog/dd-sdk-ios.git",
        "state": {
          "branch": null,
          "revision": "88bcfc1d9503e8b6e27ac886ddbf0542c7aec8e3",
          "version": "1.6.0"
        }
      },
      {
        "package": "EFQRCode",
        "repositoryURL": "https://github.com/EFPrefix/EFQRCode.git",
        "state": {
          "branch": null,
          "revision": "4a72d79f9cae6d2f189f768178cc8594b427c190",
          "version": "6.1.0"
        }
      },
      {
        "package": "Adjust",
        "repositoryURL": "https://github.com/adjust/ios_sdk.git",
        "state": {
          "branch": null,
          "revision": "14a6d8bd4a9e394625768f366457627bd342922d",
          "version": "4.29.3"
        }
      },
      {
        "package": "KeychainAccess",
        "repositoryURL": "https://github.com/kishikawakatsumi/KeychainAccess.git",
        "state": {
          "branch": null,
          "revision": "84e546727d66f1adc5439debad16270d0fdd04e7",
          "version": "4.2.2"
        }
      },
      {
        "package": "Kronos",
        "repositoryURL": "https://github.com/lyft/Kronos.git",
        "state": {
          "branch": null,
          "revision": "b7f54653a8bb503f42b59ab3160eb11f333b9d3f",
          "version": "4.2.1"
        }
      },
      {
        "package": "Nimble",
        "repositoryURL": "https://github.com/Quick/Nimble",
        "state": {
          "branch": null,
          "revision": "af1730dde4e6c0d45bf01b99f8a41713ce536790",
          "version": "9.2.0"
        }
      },
      {
        "package": "Nuke",
        "repositoryURL": "https://github.com/kean/Nuke.git",
        "state": {
          "branch": null,
          "revision": "83e1edaa5a30c567eb129c21c6d00f2f552d2c6f",
          "version": "10.3.1"
        }
      },
      {
        "package": "OHHTTPStubs",
        "repositoryURL": "https://github.com/AliSoftware/OHHTTPStubs",
        "state": {
          "branch": null,
          "revision": "12f19662426d0434d6c330c6974d53e2eb10ecd9",
          "version": "9.1.0"
        }
      },
      {
        "package": "PromiseKit",
        "repositoryURL": "https://github.com/mxcl/PromiseKit.git",
        "state": {
          "branch": null,
          "revision": "d2f7ba14bcdc45e18f4f60ad9df883fb9055f081",
          "version": "6.15.3"
        }
      },
      {
        "package": "Quick",
        "repositoryURL": "https://github.com/Quick/Quick",
        "state": {
          "branch": null,
          "revision": "bd86ca0141e3cfb333546de5a11ede63f0c4a0e6",
          "version": "4.0.0"
        }
      },
      {
        "package": "QuickLayout",
        "repositoryURL": "https://github.com/huri000/QuickLayout",
        "state": {
          "branch": null,
          "revision": "6be62decbe508d8fc8f9dbafc349d05bab03c38b",
          "version": "3.0.1"
        }
      },
      {
        "package": "SVGKit",
        "repositoryURL": "https://github.com/SVGKit/SVGKit",
        "state": {
          "branch": null,
          "revision": "58152b9f7c85eab239160b36ffdfd364aa43d666",
          "version": "3.0.0"
        }
      },
      {
        "package": "swift-log",
        "repositoryURL": "https://github.com/apple/swift-log.git",
        "state": {
          "branch": null,
          "revision": "5d66f7ba25daf4f94100e7022febf3c75e37a6c7",
          "version": "1.4.2"
        }
      },
      {
        "package": "swift_qrcodejs",
        "repositoryURL": "https://github.com/ApolloZhu/swift_qrcodejs.git",
        "state": {
          "branch": null,
          "revision": "374dc7f7b9e76c6aeb393f6a84590c6d387e1ecb",
          "version": "2.2.2"
        }
      },
      {
        "package": "SwiftEntryKit",
        "repositoryURL": "https://github.com/huri000/SwiftEntryKit.git",
        "state": {
          "branch": null,
          "revision": "c2d42574e4fe4e1f9719843f35add7922942a16b",
          "version": "1.2.7"
        }
      },
      {
        "package": "TimelaneCombine",
        "repositoryURL": "https://github.com/icanzilb/TimelaneCombine.git",
        "state": {
          "branch": null,
          "revision": "e6837bcbb19332866d5e37d501c05d68fbf985f2",
          "version": "2.0.0"
        }
      },
      {
        "package": "TimelaneCore",
        "repositoryURL": "https://github.com/icanzilb/TimelaneCore",
        "state": {
          "branch": null,
          "revision": "1ce6992ee42d88590d38fe6dceae9b6e2a8f4919",
          "version": "2.0.0"
        }
      },
      {
        "package": "Usercentrics",
        "repositoryURL": "https://bitbucket.org/usercentricscode/usercentrics-spm-sdk",
        "state": {
          "branch": null,
          "revision": "948f692529825cf0a90f84f7fa51b2610b19cee9",
          "version": "1.12.6"
        }
      },
      {
        "package": "UsercentricsUI",
        "repositoryURL": "https://bitbucket.org/usercentricscode/usercentrics-spm-ui",
        "state": {
          "branch": null,
          "revision": "75c862a584d06b967f58ffa0b1c0fdc0ce1d5cf4",
          "version": "1.12.6"
        }
      }
    ]
  },
  "version": 1
}
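For readers who want to see what an analyzer has to extract from the version-1 Package.resolved format attached above, here is an added example (not part of this issue and not dependency-check's own Swift Resolved Analyzer): it parses the `object.pins[]` entries into the vendor/product/version evidence and a purl that an SCA tool would match against advisories, and flags branch pins (version `null`), which carry no semantic version to match. The sample input reuses two pins from the attached file plus a constructed branch-pinned entry.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample: two pins copied from the Package.resolved attached above,
# plus a hypothetical branch-pinned entry (version null) to exercise that edge case.
SAMPLE_RESOLVED = """{"object": {"pins": [
  {"package": "Alamofire", "repositoryURL": "https://github.com/Alamofire/Alamofire.git",
   "state": {"branch": null, "revision": "f96b619bcb2383b43d898402283924b80e2c4bae", "version": "5.4.3"}},
  {"package": "AppAuth", "repositoryURL": "https://github.com/openid/AppAuth-iOS.git",
   "state": {"branch": null, "revision": "01131d68346c8ae552961c768d583c715fbe1410", "version": "1.4.0"}},
  {"package": "ExampleLib", "repositoryURL": "https://example.com/org/ExampleLib",
   "state": {"branch": "main", "revision": "0123456789abcdef0123456789abcdef01234567", "version": null}}
]}, "version": 1}"""

GIT_SHA = re.compile(r"[0-9a-f]{40}")


def parse_package_resolved(text):
    """Return one dict per pin with the evidence an SCA tool needs for matching."""
    doc = json.loads(text)
    if doc.get("version") != 1:  # only the format shown in this issue is handled here
        raise ValueError(f"unsupported Package.resolved version: {doc.get('version')!r}")
    result = []
    for pin in doc.get("object", {}).get("pins", []):
        state = pin.get("state", {})
        revision = state.get("revision") or ""
        if not GIT_SHA.fullmatch(revision):
            raise ValueError(f"{pin.get('package')}: revision is not a full git SHA-1")
        url = urlparse(pin["repositoryURL"])
        path = url.path.strip("/")
        if path.endswith(".git"):
            path = path[:-4]
        owner, _, repo = path.rpartition("/")
        version = state.get("version")
        result.append({
            "name": pin["package"],
            "vendor": owner.rsplit("/", 1)[-1] if owner else url.netloc,  # e.g. openid
            "product": repo,                                            # e.g. AppAuth-iOS
            "version": version,
            "revision": revision,
            # purl-spec "swift" type: host and owner form the namespace, repo is the name;
            # a branch pin has no tagged version, so the commit is the only identifier.
            "purl": f"pkg:swift/{url.netloc}/{path}@{version or revision}",
            # Without a semantic version, NVD/OSS Index version ranges cannot be applied.
            "pinned_to_branch": state.get("branch") is not None,
        })
    return result
```

Every pin that comes back with `pinned_to_branch` set should be reported separately, since a zero-findings result for it means "not matchable", not "clean".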

@jeremylong
Owner

Apparently a stupid mistake was made when the Swift Resolved Analyzer was added - the fix will be included in the next release.

@jeremylong jeremylong added this to the 6.5.0 milestone Oct 31, 2021
@orschaef
Author

orschaef commented Nov 2, 2021

Thanks!
