fix(swift): try to use branch to resolve version (aquasecurity#6168)

Signed-off-by: knqyf263 <[email protected]> Co-authored-by: knqyf263 <[email protected]>
DmitriyLewen · Feb 21, 2024 · e787e1a · e787e1a
1 parent 327cf88
commit e787e1a
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 9 deletions.
diff --git a/pkg/dependency/parser/swift/swift/parse.go b/pkg/dependency/parser/swift/swift/parse.go
@@ -6,9 +6,11 @@ import (
 	"strings"
 
 	"github.com/liamg/jfather"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	dio "github.com/aquasecurity/trivy/pkg/dependency/parser/io"
+	"github.com/aquasecurity/trivy/pkg/dependency/parser/log"
 	"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
 	"github.com/aquasecurity/trivy/pkg/dependency/parser/utils"
 )
@@ -37,10 +39,21 @@ func (Parser) Parse(r dio.ReadSeekerAt) ([]types.Library, []types.Dependency, er
 	}
 	for _, pin := range pins {
 		name := libraryName(pin, lockFile.Version)
+
+		// Skip packages for which we cannot resolve the version
+		if pin.State.Version == "" && pin.State.Branch == "" {
+			log.Logger.Warnf("Unable to resolve %q. Both the version and branch fields are empty.", name)
+			continue
+		}
+
+		// A Pin can be resolved using `branch` without `version`.
+		// e.g. https://github.com/element-hq/element-ios/blob/6a9bcc88ea37147efba8f0a7bcf3ec187f4a4011/Riot.xcworkspace/xcshareddata/swiftpm/Package.resolved#L84-L92
+		version := lo.Ternary(pin.State.Version != "", pin.State.Version, pin.State.Branch)
+
 		libs = append(libs, types.Library{
-			ID:      utils.PackageID(name, pin.State.Version),
+			ID:      utils.PackageID(name, version),
 			Name:    name,
-			Version: pin.State.Version,
+			Version: version,
 			Locations: []types.Location{
 				{
 					StartLine: pin.StartLine,

diff --git a/pkg/dependency/parser/swift/swift/parse_test.go b/pkg/dependency/parser/swift/swift/parse_test.go
@@ -37,12 +37,6 @@ func TestParser_Parse(t *testing.T) {
 				},
 			},
 		},
-		// docker run -it --rm swift@sha256:45e5e44ed4873063795f150182437f4dbe7d5527ba5655979d7d11e0829179a7
-		// mkdir app && cd app
-		// swift package init
-		// ## add new deps: ##
-		// sed -i 's/],/],\ndependencies: [\n.package(url: "https:\/\/github.com\/ReactiveCocoa\/ReactiveSwift", from: "7.0.0"),\n.package(url: "https:\/\/github.com\/Quick\/Quick.git", from: "7.0.0"),\n.package(url: "https:\/\/github.com\/Quick\/Nimble.git", .exact("9.2.1")),\n],/' Package.swift
-		// swift package update
 		{
 			name:      "happy path v2",
 			inputFile: "testdata/happy-v2-Package.resolved",
@@ -65,6 +59,12 @@ func TestParser_Parse(t *testing.T) {
 					Version:   "7.1.1",
 					Locations: []types.Location{{StartLine: 39, EndLine: 47}},
 				},
+				{
+					ID:        "github.com/element-hq/[email protected]",
+					Name:      "github.com/element-hq/swift-ogg",
+					Version:   "0.0.1",
+					Locations: []types.Location{{StartLine: 48, EndLine: 56}},
+				},
 				{
 					ID:        "github.com/mattgallagher/[email protected]",
 					Name:      "github.com/mattgallagher/CwlCatchException",

diff --git a/pkg/dependency/parser/swift/swift/testdata/happy-v2-Package.resolved b/pkg/dependency/parser/swift/swift/testdata/happy-v2-Package.resolved
@@ -44,6 +44,15 @@
         "revision" : "40c465af19b993344e84355c00669ba2022ca3cd",
         "version" : "7.1.1"
       }
+    },
+    {
+          "identity" : "swift-ogg",
+          "kind" : "remoteSourceControl",
+          "location" : "https://github.com/element-hq/swift-ogg",
+          "state" : {
+            "branch" : "0.0.1",
+            "revision" : "e9a9e7601da662fd8b97d93781ff5c60b4becf88"
+          }
     }
   ],
   "version" : 2

diff --git a/pkg/dependency/parser/swift/swift/types.go b/pkg/dependency/parser/swift/swift/types.go
@@ -20,7 +20,7 @@ type Pin struct {
 }
 
 type State struct {
-	Branch   any    `json:"branch"`
+	Branch   string `json:"branch"`
 	Revision string `json:"revision"`
 	Version  string `json:"version"`
 }