diff --git a/pkg/dependency/parser/swift/swift/parse.go b/pkg/dependency/parser/swift/swift/parse.go
index 6488f75dc7e2..e8848da24e7d 100644
--- a/pkg/dependency/parser/swift/swift/parse.go
+++ b/pkg/dependency/parser/swift/swift/parse.go
@@ -6,9 +6,11 @@ import (
 	"strings"
 
 	"github.com/liamg/jfather"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	dio "github.com/aquasecurity/trivy/pkg/dependency/parser/io"
+	"github.com/aquasecurity/trivy/pkg/dependency/parser/log"
 	"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
 	"github.com/aquasecurity/trivy/pkg/dependency/parser/utils"
 )
@@ -37,10 +39,21 @@ func (Parser) Parse(r dio.ReadSeekerAt) ([]types.Library, []types.Dependency, er
 	}
 	for _, pin := range pins {
 		name := libraryName(pin, lockFile.Version)
+
+		// Skip packages for which we cannot resolve the version
+		if pin.State.Version == "" && pin.State.Branch == "" {
+			log.Logger.Warnf("Unable to resolve %q. Both the version and branch fields are empty.", name)
+			continue
+		}
+
+		// A Pin can be resolved using `branch` without `version`.
+		// e.g. https://github.com/element-hq/element-ios/blob/6a9bcc88ea37147efba8f0a7bcf3ec187f4a4011/Riot.xcworkspace/xcshareddata/swiftpm/Package.resolved#L84-L92
+		version := lo.Ternary(pin.State.Version != "", pin.State.Version, pin.State.Branch)
+
 		libs = append(libs, types.Library{
-			ID:      utils.PackageID(name, pin.State.Version),
+			ID:      utils.PackageID(name, version),
 			Name:    name,
-			Version: pin.State.Version,
+			Version: version,
 			Locations: []types.Location{
 				{
 					StartLine: pin.StartLine,
diff --git a/pkg/dependency/parser/swift/swift/parse_test.go b/pkg/dependency/parser/swift/swift/parse_test.go
index 27ab277646b5..530186c419d0 100644
--- a/pkg/dependency/parser/swift/swift/parse_test.go
+++ b/pkg/dependency/parser/swift/swift/parse_test.go
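Review bot: The new guard drops a pin entirely when both `version` and `branch` are empty, even though `State.Revision` is still available and revision-only (commit-pinned) entries appear to be a legitimate `Package.resolved` shape; the package then vanishes from the inventory with only a warning, which for an SBOM is a silent coverage gap rather than a parse failure. Consider keeping the entry with an empty `Version` (the removed lines show callers already received empty versions before this change) or falling back to `pin.State.Revision` with a comment that it is not a comparable version. Separately, a branch name such as `main` is not a version, so `utils.PackageID(name, version)` now yields IDs like `pkg@main` and `Version` no longer implies a semver-like string; a comment on the `lo.Ternary` line such as `// NOTE: a branch name is not a comparable version; downstream matching should treat it as unresolved` would make that explicit. Parse's body starts before and continues past this hunk.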
@@ -37,12 +37,6 @@ func TestParser_Parse(t *testing.T) {
 				},
 			},
 		},
-		// docker run -it --rm swift@sha256:45e5e44ed4873063795f150182437f4dbe7d5527ba5655979d7d11e0829179a7
-		// mkdir app && cd app
-		// swift package init
-		// ## add new deps: ##
-		// sed -i 's/],/],\ndependencies: [\n.package(url: "https:\/\/github.com\/ReactiveCocoa\/ReactiveSwift", from: "7.0.0"),\n.package(url: "https:\/\/github.com\/Quick\/Quick.git", from: "7.0.0"),\n.package(url: "https:\/\/github.com\/Quick\/Nimble.git", .exact("9.2.1")),\n],/' Package.swift
-		// swift package update
 		{
 			name:      "happy path v2",
 			inputFile: "testdata/happy-v2-Package.resolved",
@@ -65,6 +59,12 @@ func TestParser_Parse(t *testing.T) {
 					Version:   "7.1.1",
 					Locations: []types.Location{{StartLine: 39, EndLine: 47}},
 				},
+				{
+					ID:        "github.com/element-hq/swift-ogg@0.0.1",
+					Name:      "github.com/element-hq/swift-ogg",
+					Version:   "0.0.1",
+					Locations: []types.Location{{StartLine: 48, EndLine: 56}},
+				},
 				{
 					ID:        "github.com/mattgallagher/CwlCatchException@2.1.2",
 					Name:      "github.com/mattgallagher/CwlCatchException",
diff --git a/pkg/dependency/parser/swift/swift/testdata/happy-v2-Package.resolved b/pkg/dependency/parser/swift/swift/testdata/happy-v2-Package.resolved
index b3b406f042c9..d3a189b88337 100644
--- a/pkg/dependency/parser/swift/swift/testdata/happy-v2-Package.resolved
+++ b/pkg/dependency/parser/swift/swift/testdata/happy-v2-Package.resolved
@@ -44,6 +44,15 @@
         "revision" : "40c465af19b993344e84355c00669ba2022ca3cd",
         "version" : "7.1.1"
       }
+    },
+    {
+      "identity" : "swift-ogg",
+      "kind" : "remoteSourceControl",
+      "location" : "https://github.com/element-hq/swift-ogg",
+      "state" : {
+        "branch" : "0.0.1",
+        "revision" : "e9a9e7601da662fd8b97d93781ff5c60b4becf88"
+      }
     }
   ],
   "version" : 2
diff --git a/pkg/dependency/parser/swift/swift/types.go b/pkg/dependency/parser/swift/swift/types.go
index ec96063bf217..a196b7d6628a 100644
--- a/pkg/dependency/parser/swift/swift/types.go
+++ b/pkg/dependency/parser/swift/swift/types.go
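Review bot: The new `continue` path in Parse (a pin whose `version` and `branch` are both empty) is not exercised by this test; the added fixture entry only covers the branch fallback, so the skip and the `Locations` bookkeeping around a skipped pin are unverified. Add a pin carrying only a `revision` to `happy-v2-Package.resolved` (or a dedicated fixture) and assert it is absent from the expected libraries while the neighbouring entries' `StartLine`/`EndLine` still match. Since the fixture is now hand-edited rather than generated, a one-line comment above the case such as `// swift-ogg was added by hand to cover a branch-only pin` would help whoever regenerates it. TestParser_Parse starts before and continues past this hunk.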
@@ -20,7 +20,7 @@ type Pin struct {
 }
 
 type State struct {
-	Branch   any    `json:"branch"`
+	Branch   string `json:"branch"`
 	Revision string `json:"revision"`
 	Version  string `json:"version"`
 }
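Review bot: Narrowing `Branch` from `any` to `string` means a lock file whose `branch` holds a non-string value is no longer tolerated at this field; with encoding/json that would be a decode error for the whole file, and since the file is decoded with jfather (the unmarshal call is outside this hunk) its behaviour on a type mismatch should be confirmed before relying on the change. If the previous `any` was there to absorb such values, document the expectation on the field: `// Branch is the checked-out branch name, set instead of Version for branch-pinned packages.` The State struct is fully inside the hunk.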