Auto install Cocoapods when Podfile.lock not exist

.github/workflows/test.yml

@@ -30,7 +30,7 @@ env:
   JFROG_SECURITY_CLI_TESTS_JFROG_PLATFORM_PROJECT_KEY: ${{ vars.JFROG_TEST_PROJECT_KEY }}
   # Repository variable ENABLE_FASTCI_BOOST (default: true). Set to 'false' to skip jfrog/boost@v0.
   ENABLE_FASTCI_BOOST: ${{ vars.ENABLE_FASTCI_BOOST != 'false' }}
-  
+
 jobs:
   Pretest:
     if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'push'
@@ -58,9 +58,16 @@ jobs:
         with:
           go-version-file: go.mod
 
+      - name: Download Go modules
+        run: go mod download
+        env:
+          GOPROXY: https://proxy.golang.org,direct
+
       - name: Run Go vet
         run: go vet -v ./...
-
+        env:
+          GOPROXY: https://proxy.golang.org,direct
+
   Unit_Tests:
     name: "[${{ matrix.os }}] Unit Tests"
     needs: Pretest
@@ -89,6 +96,8 @@ jobs:
 
       # Test and generate code coverage
       - name: Run tests
+        env:
+          GOPROXY: https://proxy.golang.org,direct
         run: go test ${{ env.GO_COMMON_TEST_ARGS }} --ci.runId=${{ runner.os }}-sec-test -covermode atomic -coverprofile=cover-unit-tests --test.unit
 
   Audit_Command_Integration_Tests:
@@ -141,6 +150,8 @@ jobs:
 
       # Test
       - name: Run tests
+        env:
+          GOPROXY: https://proxy.golang.org,direct
         run: go test ${{ env.GO_COMMON_TEST_ARGS }} ${{ matrix.suite.testFlags }} --ci.runId=${{ runner.os }}-sec-test
 
   Artifactory_Integration_Tests:
@@ -169,6 +180,8 @@ jobs:
 
       # Test
       - name: Run tests
+        env:
+          GOPROXY: https://proxy.golang.org,direct
         run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.artifactory --ci.runId=${{ runner.os }}-sec-test
 
   Xray_Commands_Integration_Tests:
@@ -195,6 +208,8 @@ jobs:
 
       # Test
       - name: Run tests
+        env:
+          GOPROXY: https://proxy.golang.org,direct
         run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.xray --ci.runId=${{ runner.os }}-sec-test
 
   Xsc_Integration_Tests:
@@ -221,6 +236,8 @@ jobs:
 
       # Test
       - name: Run tests
+        env:
+          GOPROXY: https://proxy.golang.org,direct
         run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.xsc --ci.runId=${{ runner.os }}-sec-test
 
   Binary_Scan_Command_Integration_Tests:
@@ -249,6 +266,8 @@ jobs:
 
       # Test
       - name: Run tests
+        env:
+          GOPROXY: https://proxy.golang.org,direct
         run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.scan --ci.runId=${{ runner.os }}-sec-test
 
   Docker_Scan_Commands_Integration_Tests:
@@ -277,6 +296,8 @@ jobs:
 
       # Test
       - name: Run tests
+        env:
+          GOPROXY: https://proxy.golang.org,direct
         run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.dockerScan --ci.runId=${{ runner.os }}-sec-test
 
   Other_Commands_Integration_Tests:
@@ -305,8 +326,10 @@ jobs:
 
       # Test
       - name: Run tests
-        run:  go test ${{ env.GO_COMMON_TEST_ARGS }} --test.curation --test.enrich --test.maliciousScan --ci.runId=${{ runner.os }}-sec-test
-
+        env:
+          GOPROXY: https://proxy.golang.org,direct
+        run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.curation --test.enrich --test.maliciousScan --ci.runId=${{ runner.os }}-sec-test
+
   Git_Commands_Integration_Tests:
     name: "[${{ matrix.os }}] Git Commands Integration Tests"
     needs: Pretest
@@ -333,4 +356,6 @@ jobs:
 
       # Test
       - name: Run tests
+        env:
+          GOPROXY: https://proxy.golang.org,direct
         run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.git --ci.runId=${{ runner.os }}-sec-test

audit_test.go

@@ -30,6 +30,7 @@ import (
 
 	"github.com/jfrog/jfrog-cli-core/v2/common/format"
 	"github.com/jfrog/jfrog-cli-core/v2/common/progressbar"
+	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 	coreTests "github.com/jfrog/jfrog-cli-core/v2/utils/tests"
 
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo"
@@ -578,12 +579,21 @@ func testXrayAuditPip(t *testing.T, outFormat format.OutputFormat, requirementsF
 
 func TestXrayAuditCocoapods(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditCocoapodsTest(t, scangraph.CocoapodsScanMinXrayVersion)
-	output := testXrayAuditCocoapods(t, format.Json)
+	output := testXrayAuditCocoapods(t, format.Json, "cocoapods-project")
 	validations.VerifyJsonResults(t, output, validations.ValidationParams{Total: &validations.TotalCount{Vulnerabilities: 1}})
 }
 
-func testXrayAuditCocoapods(t *testing.T, format format.OutputFormat) string {
-	_, cleanUp := securityTestUtils.CreateTestProjectEnvAndChdir(t, filepath.Join(filepath.FromSlash(securityTests.GetTestResourcesPath()), "projects", "package-managers", "cocoapods"))
+func TestXrayAuditCocoapodsNoLockFile(t *testing.T) {
+	securityIntegrationTestUtils.InitAuditCocoapodsTest(t, scangraph.CocoapodsScanMinXrayVersion)
+	if coreutils.IsWindows() {
+		t.Skip("Skipping: CocoaPods auto-install (pod install) requires macOS/Linux with Xcode.")
+	}
+	output := testXrayAuditCocoapods(t, format.SimpleJson, "cocoapods-no-lock-file")
+	validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{Total: &validations.TotalCount{Vulnerabilities: 1}})
+}
+
+func testXrayAuditCocoapods(t *testing.T, format format.OutputFormat, projectName string) string {
+	_, cleanUp := securityTestUtils.CreateTestProjectEnvAndChdir(t, filepath.Join(filepath.FromSlash(securityTests.GetTestResourcesPath()), "projects", "package-managers", "cocoapods", projectName))
 	defer cleanUp()
 	cleanUpHome := securityIntegrationTestUtils.UseTestHomeWithDefaultXrayConfig(t)
 	defer cleanUpHome()

cli/docs/flags.go

@@ -316,7 +316,7 @@ var flagsMap = map[string]components.Flag{
 	WorkingDirs:         components.NewStringFlag(WorkingDirs, "A comma-separated(,) list of relative working directories, to determine the audit targets locations. If flag isn't provided, a recursive scan is triggered from the root directory of the project."),
 	OutputDir:           components.NewStringFlag(OutputDir, "Target directory to save partial results to.", components.SetHiddenStrFlag()),
 	UploadRepoPath:      components.NewStringFlag(UploadRepoPath, "Artifactory repository name or path to upload the cyclonedx file to. If no name or path are provided, a local generic repository will be created which will automatically be indexed by Xray.", components.WithStrDefaultValue("import-cdx-scan-results")),
-	SkipAutoInstall:     components.NewBoolFlag(SkipAutoInstall, "Set to true to skip auto-install of dependencies in un-built modules. Currently supported for Yarn and NPM only.", components.SetHiddenBoolFlag()),
+	SkipAutoInstall:     components.NewBoolFlag(SkipAutoInstall, "Set to true to skip auto-install of dependencies in un-built modules. Currently supported only for some package managers.", components.SetHiddenBoolFlag()),
 	AllowPartialResults: components.NewBoolFlag(AllowPartialResults, "Set to true to allow partial results and continuance of the scan in case of certain errors.", components.SetHiddenBoolFlag()),
 	ExclusionsAudit: components.NewStringFlag(
 		Exclusions,

sca/bom/buildinfo/technologies/cocoapods/cocoapods.go

@@ -2,12 +2,14 @@ package cocoapods
 
 import (
 	"fmt"
-	"golang.org/x/exp/slices"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 
+	"golang.org/x/exp/slices"
+
+	biutils "github.com/jfrog/build-info-go/utils"
 	"github.com/jfrog/gofrog/datastructures"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies"
@@ -22,6 +24,9 @@ import (
 // dependencies.
 const (
 	VersionForMainModule = "0.0.0"
+
+	descriptorFileName = "Podfile"
+	lockFileName       = "Podfile.lock"
 )
 
 var (
@@ -34,7 +39,7 @@ func GetTechDependencyLocation(directDependencyName, directDependencyVersion str
 	var podPositions []*sarif.Location
 	for _, descriptorPath := range descriptorPaths {
 		descriptorPath = filepath.Clean(descriptorPath)
-		if !strings.HasSuffix(descriptorPath, "Podfile") {
+		if !strings.HasSuffix(descriptorPath, descriptorFileName) {
 			log.Logger.Warn("Cannot support other files besides Podfile: %s", descriptorPath)
 			continue
 		}
@@ -92,7 +97,7 @@ func parsePodLine(line, directDependencyName, directDependencyVersion, descripto
 func FixTechDependency(dependencyName, dependencyVersion, fixVersion string, descriptorPaths ...string) error {
 	for _, descriptorPath := range descriptorPaths {
 		descriptorPath = filepath.Clean(descriptorPath)
-		if !strings.HasSuffix(descriptorPath, "Podfile") {
+		if !strings.HasSuffix(descriptorPath, descriptorFileName) {
 			log.Logger.Warn("Cannot support other files besides Podfile: %s", descriptorPath)
 			continue
 		}
@@ -180,11 +185,11 @@ func extractPodsSection(filePath string) (string, error) {
 }
 
 func GetDependenciesData(currentDir string) (string, error) {
-	_, err := os.Stat(filepath.Join(currentDir, "Podfile.lock"))
+	_, err := os.Stat(filepath.Join(currentDir, lockFileName))
 	if err != nil {
 		return "", err
 	}
-	result, err := extractPodsSection(filepath.Join(currentDir, "Podfile.lock"))
+	result, err := extractPodsSection(filepath.Join(currentDir, lockFileName))
 	if err != nil {
 		return "", err
 	}
@@ -199,11 +204,24 @@ func BuildDependencyTree(params technologies.BuildInfoBomGeneratorParams) (depen
 
 	packageName := filepath.Base(currentDir)
 	packageInfo := fmt.Sprintf("%s:%s", packageName, VersionForMainModule)
-	_, _, err = getPodVersionAndExecPath()
+	_, podExecPath, err := getPodVersionAndExecPath()
 	if err != nil {
 		err = fmt.Errorf("failed while retrieving pod path: %s", err.Error())
 		return
 	}
+	// Check if lock file exists, if not run 'pod install'
+	lockFilePath := filepath.Join(currentDir, lockFileName)
+	if _, err := os.Stat(lockFilePath); os.IsNotExist(err) {
+		if params.SkipAutoInstall {
+			return nil, nil, &biutils.ErrProjectNotInstalled{UninstalledDir: currentDir}
+		}
+		log.Debug("Running 'pod install' command to install dependencies...")
+		if _, err = runPodCmd(podExecPath, currentDir, []string{"install"}); err != nil {
+			return nil, nil, fmt.Errorf("failed to run 'pod install': %w", err)
+		}
+	} else if err != nil {
+		return nil, nil, fmt.Errorf("failed to check if lock file exists: %w", err)
+	}
 	// Calculate pod dependencies
 	data, err := GetDependenciesData(currentDir)
 	if err != nil {

sca/bom/buildinfo/technologies/cocoapods/cocoapods_test.go

@@ -20,7 +20,7 @@ import (
 
 func TestBuildCocoapodsDependencyList(t *testing.T) {
 	// Create and change directory to test workspace
-	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods"))
+	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods", "cocoapods-project"))
 	defer cleanUp()
 
 	// Run getModulesDependencyTrees
@@ -62,7 +62,7 @@ func TestBuildCocoapodsDependencyList(t *testing.T) {
 }
 
 func TestGetTechDependencyLocation(t *testing.T) {
-	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods"))
+	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods", "cocoapods-project"))
 	defer cleanUp()
 	currentDir, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)
@@ -93,7 +93,7 @@ func TestPodLineParseFoundOnlyDependencyName(t *testing.T) {
 }
 
 func TestFixTechDependencySingleLocation(t *testing.T) {
-	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods"))
+	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods", "cocoapods-project"))
 	defer cleanUp()
 	currentDir, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)
@@ -105,7 +105,7 @@ func TestFixTechDependencySingleLocation(t *testing.T) {
 }
 
 func TestFixTechDependencyMultipleLocations(t *testing.T) {
-	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods"))
+	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods", "cocoapods-project"))
 	defer cleanUp()
 	currentDir, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)
@@ -118,7 +118,7 @@ func TestFixTechDependencyMultipleLocations(t *testing.T) {
 }
 
 func TestFixTechDependencyNoLocations(t *testing.T) {
-	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods"))
+	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods", "cocoapods-project"))
 	defer cleanUp()
 	currentDir, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)

sca/bom/buildinfo/technologies/cocoapods/podcommand.go

@@ -22,15 +22,23 @@ type PodCommand struct {
 	executablePath   string
 }
 
-func getPodVersionAndExecPath() (*version.Version, string, error) {
+func getPodExecPath() (string, error) {
 	podExecPath, err := exec.LookPath("pod")
 	if err != nil {
-		return nil, "", fmt.Errorf("could not find the 'pod' executable in the system PATH %w", err)
+		return "", fmt.Errorf("could not find the 'pod' executable in the system PATH %w", err)
+	}
+	return podExecPath, nil
+}
+
+func getPodVersionAndExecPath() (*version.Version, string, error) {
+	podExecPath, err := getPodExecPath()
+	if err != nil {
+		return nil, "", err
 	}
 	log.Debug("Using pod executable:", podExecPath)
 	versionData, err := runPodCmd(podExecPath, "", []string{"--version"})
 	if err != nil {
-		return nil, "", err
+		return nil, "", fmt.Errorf("failed to get pod version: %w", err)
 	}
 	return version.NewVersion(strings.TrimSpace(string(versionData))), podExecPath, nil
 }

tests/testdata/projects/package-managers/cocoapods/cocoapods-no-lock-file/Podfile

@@ -0,0 +1,9 @@
+platform :ios, '9.0'
+
+target 'Test' do
+  use_frameworks!
+pod 'GoogleSignIn', '~> 6.2.4'
+pod 'AppAuth', '~> 1.7.5'
+pod 'nanopb', '~> 0.3.0'
+
+end