Auto install Cocoapods when Podfile.lock not exist

audit_test.go

@@ -30,6 +30,7 @@ import (
 
 	"github.com/jfrog/jfrog-cli-core/v2/common/format"
 	"github.com/jfrog/jfrog-cli-core/v2/common/progressbar"
+	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 	coreTests "github.com/jfrog/jfrog-cli-core/v2/utils/tests"
 
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo"
@@ -573,12 +574,22 @@ func testXrayAuditPip(t *testing.T, outFormat format.OutputFormat, requirementsF
 
 func TestXrayAuditCocoapods(t *testing.T) {
 	securityIntegrationTestUtils.InitAuditCocoapodsTest(t, scangraph.CocoapodsScanMinXrayVersion)
-	output := testXrayAuditCocoapods(t, format.Json)
+	output := testXrayAuditCocoapods(t, format.Json, "cocoapods-project")
 	validations.VerifyJsonResults(t, output, validations.ValidationParams{Total: &validations.TotalCount{Vulnerabilities: 1}})
 }
 
-func testXrayAuditCocoapods(t *testing.T, format format.OutputFormat) string {
-	_, cleanUp := securityTestUtils.CreateTestProjectEnvAndChdir(t, filepath.Join(filepath.FromSlash(securityTests.GetTestResourcesPath()), "projects", "package-managers", "cocoapods"))
+func TestXrayAuditCocoapodsNoLockFile(t *testing.T) {
+	securityIntegrationTestUtils.InitAuditCocoapodsTest(t, scangraph.CocoapodsScanMinXrayVersion)
+	if coreutils.IsWindows() {
+		t.Skip("Skipping: CocoaPods auto-install (pod install) requires macOS/Linux with Xcode.")
+		return
+	}
+	output := testXrayAuditCocoapods(t, format.SimpleJson, "cocoapods-no-lock-file")
+	validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{Total: &validations.TotalCount{Vulnerabilities: 1}})
+}
+
+func testXrayAuditCocoapods(t *testing.T, format format.OutputFormat, projectName string) string {
+	_, cleanUp := securityTestUtils.CreateTestProjectEnvAndChdir(t, filepath.Join(filepath.FromSlash(securityTests.GetTestResourcesPath()), "projects", "package-managers", "cocoapods", projectName))
 	defer cleanUp()
 	cleanUpHome := securityIntegrationTestUtils.UseTestHomeWithDefaultXrayConfig(t)
 	defer cleanUpHome()

cli/docs/flags.go

@@ -311,7 +311,7 @@ var flagsMap = map[string]components.Flag{
 	WorkingDirs:         components.NewStringFlag(WorkingDirs, "A comma-separated(,) list of relative working directories, to determine the audit targets locations. If flag isn't provided, a recursive scan is triggered from the root directory of the project."),
 	OutputDir:           components.NewStringFlag(OutputDir, "Target directory to save partial results to.", components.SetHiddenStrFlag()),
 	UploadRepoPath:      components.NewStringFlag(UploadRepoPath, "Artifactory repository name or path to upload the cyclonedx file to. If no name or path are provided, a local generic repository will be created which will automatically be indexed by Xray.", components.WithStrDefaultValue("import-cdx-scan-results")),
-	SkipAutoInstall:     components.NewBoolFlag(SkipAutoInstall, "Set to true to skip auto-install of dependencies in un-built modules. Currently supported for Yarn and NPM only.", components.SetHiddenBoolFlag()),
+	SkipAutoInstall:     components.NewBoolFlag(SkipAutoInstall, "Set to true to skip auto-install of dependencies in un-built modules. Currently supported only for some package managers.", components.SetHiddenBoolFlag()),
 	AllowPartialResults: components.NewBoolFlag(AllowPartialResults, "Set to true to allow partial results and continuance of the scan in case of certain errors.", components.SetHiddenBoolFlag()),
 	ExclusionsAudit: components.NewStringFlag(
 		Exclusions,

sca/bom/buildinfo/technologies/cocoapods/cocoapods.go

@@ -2,12 +2,13 @@ package cocoapods
 
 import (
 	"fmt"
-	"golang.org/x/exp/slices"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 
+	"golang.org/x/exp/slices"
+
 	"github.com/jfrog/gofrog/datastructures"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies"
@@ -22,6 +23,9 @@ import (
 // dependencies.
 const (
 	VersionForMainModule = "0.0.0"
+
+	descriptorFileName = "Podfile"
+	lockFileName       = "Podfile.lock"
 )
 
 var (
@@ -34,7 +38,7 @@ func GetTechDependencyLocation(directDependencyName, directDependencyVersion str
 	var podPositions []*sarif.Location
 	for _, descriptorPath := range descriptorPaths {
 		descriptorPath = filepath.Clean(descriptorPath)
-		if !strings.HasSuffix(descriptorPath, "Podfile") {
+		if !strings.HasSuffix(descriptorPath, descriptorFileName) {
 			log.Logger.Warn("Cannot support other files besides Podfile: %s", descriptorPath)
 			continue
 		}
@@ -92,7 +96,7 @@ func parsePodLine(line, directDependencyName, directDependencyVersion, descripto
 func FixTechDependency(dependencyName, dependencyVersion, fixVersion string, descriptorPaths ...string) error {
 	for _, descriptorPath := range descriptorPaths {
 		descriptorPath = filepath.Clean(descriptorPath)
-		if !strings.HasSuffix(descriptorPath, "Podfile") {
+		if !strings.HasSuffix(descriptorPath, descriptorFileName) {
 			log.Logger.Warn("Cannot support other files besides Podfile: %s", descriptorPath)
 			continue
 		}
@@ -180,11 +184,11 @@ func extractPodsSection(filePath string) (string, error) {
 }
 
 func GetDependenciesData(currentDir string) (string, error) {
-	_, err := os.Stat(filepath.Join(currentDir, "Podfile.lock"))
+	_, err := os.Stat(filepath.Join(currentDir, lockFileName))
 	if err != nil {
 		return "", err
 	}
-	result, err := extractPodsSection(filepath.Join(currentDir, "Podfile.lock"))
+	result, err := extractPodsSection(filepath.Join(currentDir, lockFileName))
 	if err != nil {
 		return "", err
 	}
@@ -199,11 +203,21 @@ func BuildDependencyTree(params technologies.BuildInfoBomGeneratorParams) (depen
 
 	packageName := filepath.Base(currentDir)
 	packageInfo := fmt.Sprintf("%s:%s", packageName, VersionForMainModule)
-	_, _, err = getPodVersionAndExecPath()
+	_, podExecPath, err := getPodVersionAndExecPath()
 	if err != nil {
 		err = fmt.Errorf("failed while retrieving pod path: %s", err.Error())
 		return
 	}
+	// Check if lock file exists, if not run 'pod install'
+	lockFilePath := filepath.Join(currentDir, lockFileName)
+	if _, err := os.Stat(lockFilePath); os.IsNotExist(err) {
+		if params.SkipAutoInstall {
+			return nil, nil, fmt.Errorf("the Podfile.lock file was not found and skip auto install is enabled")
+		}
+		if _, err = runPodCmd(podExecPath, currentDir, []string{"install"}); err != nil {
+			return nil, nil, fmt.Errorf("failed to run 'pod install': %w", err)
+		}
+	}
 	// Calculate pod dependencies
 	data, err := GetDependenciesData(currentDir)
 	if err != nil {

sca/bom/buildinfo/technologies/cocoapods/cocoapods_test.go

@@ -20,7 +20,7 @@ import (
 
 func TestBuildCocoapodsDependencyList(t *testing.T) {
 	// Create and change directory to test workspace
-	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods"))
+	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods", "cocoapods-project"))
 	defer cleanUp()
 
 	// Run getModulesDependencyTrees
@@ -62,7 +62,7 @@ func TestBuildCocoapodsDependencyList(t *testing.T) {
 }
 
 func TestGetTechDependencyLocation(t *testing.T) {
-	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods"))
+	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods", "cocoapods-project"))
 	defer cleanUp()
 	currentDir, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)
@@ -93,7 +93,7 @@ func TestPodLineParseFoundOnlyDependencyName(t *testing.T) {
 }
 
 func TestFixTechDependencySingleLocation(t *testing.T) {
-	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods"))
+	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods", "cocoapods-project"))
 	defer cleanUp()
 	currentDir, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)
@@ -105,7 +105,7 @@ func TestFixTechDependencySingleLocation(t *testing.T) {
 }
 
 func TestFixTechDependencyMultipleLocations(t *testing.T) {
-	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods"))
+	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods", "cocoapods-project"))
 	defer cleanUp()
 	currentDir, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)
@@ -118,7 +118,7 @@ func TestFixTechDependencyMultipleLocations(t *testing.T) {
 }
 
 func TestFixTechDependencyNoLocations(t *testing.T) {
-	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods"))
+	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "cocoapods", "cocoapods-project"))
 	defer cleanUp()
 	currentDir, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)

sca/bom/buildinfo/technologies/cocoapods/podcommand.go

@@ -22,15 +22,23 @@ type PodCommand struct {
 	executablePath   string
 }
 
-func getPodVersionAndExecPath() (*version.Version, string, error) {
+func getPodExecPath() (string, error) {
 	podExecPath, err := exec.LookPath("pod")
 	if err != nil {
-		return nil, "", fmt.Errorf("could not find the 'pod' executable in the system PATH %w", err)
+		return "", fmt.Errorf("could not find the 'pod' executable in the system PATH %w", err)
+	}
+	return podExecPath, nil
+}
+
+func getPodVersionAndExecPath() (*version.Version, string, error) {
+	podExecPath, err := getPodExecPath()
+	if err != nil {
+		return nil, "", err
 	}
 	log.Debug("Using pod executable:", podExecPath)
 	versionData, err := runPodCmd(podExecPath, "", []string{"--version"})
 	if err != nil {
-		return nil, "", err
+		return nil, "", fmt.Errorf("failed to get pod version: %w", err)
 	}
 	return version.NewVersion(strings.TrimSpace(string(versionData))), podExecPath, nil
 }

tests/testdata/projects/package-managers/cocoapods/cocoapods-no-lock-file/Podfile

@@ -0,0 +1,9 @@
+platform :ios, '9.0'
+
+target 'Test' do
+  use_frameworks!
+pod 'GoogleSignIn', '~> 6.2.4'
+pod 'AppAuth', '~> 1.7.5'
+pod 'nanopb', '~> 0.3.0'
+
+end