{"id":20617786,"url":"https://github.com/cyclonedx/cyclonedx-cocoapods","last_synced_at":"2025-04-05T22:07:29.923Z","repository":{"id":40401507,"uuid":"214213114","full_name":"CycloneDX/cyclonedx-cocoapods","owner":"CycloneDX","description":"Creates CycloneDX Software Bill-of-Materials (SBOM) from Objective-C and Swift projects that use CocoaPods.","archived":false,"fork":false,"pushed_at":"2025-02-09T19:10:26.000Z","size":364,"stargazers_count":22,"open_issues_count":1,"forks_count":14,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-03-29T21:07:00.855Z","etag":null,"topics":["bill-of-materials","bom","cocoapods","cyclonedx","mbom","objective-c","obom","owasp","saasbom","sbom","sbom-generator","software-bill-of-materials","swift","vex"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CycloneDX.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"]}},"created_at":"2019-10-10T15:04:12.000Z","updated_at":"2025-02-09T19:18:18.000Z","dependencies_parsed_at":"2024-03-22T17:46:35.767Z","dependency_job_id":"57ede8c8-42f8-451a-8819-be1ab25146b5","html_url":"https://github.com/CycloneDX/cyclonedx-cocoapods","commit_stats":{"total_commits":138,"total_committers":7,"mean_commits":"19.714285714285715","dds":"0.44202898550724634","last_synced_commit":"bd31b91b42cbaa283379b7f5cedd29dcdb2a9450"},"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-cocoapods","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-cocoapods/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-cocoapods/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-cocoapods/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CycloneDX","download_url":"https://codeload.github.com/CycloneDX/cyclonedx-cocoapods/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247406089,"owners_count":20933803,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bill-of-materials","bom","cocoapods","cyclonedx","mbom","objective-c","obom","owasp","saasbom","sbom","sbom-generator","software-bill-of-materials","swift","vex"],"created_at":"2024-11-16T12:05:57.835Z","updated_at":"2025-04-05T22:07:29.871Z","avatar_url":"https://github.com/CycloneDX.png","language":"Ruby","funding_links":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://github.com/CycloneDX/cyclonedx-cocoapods/actions/workflows/ruby.yml/badge.svg)](https://github.com/CycloneDX/cyclonedx-cocoapods/actions/workflows/ruby.yml)\n[![Gem Version](https://badge.fury.io/rb/cyclonedx-cocoapods.svg)](https://badge.fury.io/rb/cyclonedx-cocoapods)\n[![License](https://img.shields.io/badge/license-Apache%202.0-brightgreen.svg)][License]\n[![Website](https://img.shields.io/badge/https://-cyclonedx.org-blue.svg)](https://cyclonedx.org/)\n[![Slack Invite](https://img.shields.io/badge/Slack-Join-blue?logo=slack\u0026labelColor=393939)](https://cyclonedx.org/slack/invite)\n[![Group Discussion](https://img.shields.io/badge/discussion-groups.io-blue.svg)](https://groups.io/g/CycloneDX)\n[![Twitter](https://img.shields.io/twitter/url/http/shields.io.svg?style=social\u0026label=Follow)](https://twitter.com/CycloneDX_Spec)\n\n\n# CycloneDX CocoaPods (Objective-C/Swift)\n\nThe CycloneDX CocoaPods Gem creates a valid CycloneDX software bill-of-material document from all\n[CocoaPods](https://cocoapods.org/) project dependencies. CycloneDX is a lightweight BOM specification\nthat is easily created, human readable, and simple to parse.\n\n## Installation\n\n### From RubyGems\n\n```shell\n% gem install cyclonedx-cocoapods\n```\n\n### From Source\n\nFirst, clone/copy the source code from GitHub.  Then in the source code directory run these\ncommands (substituting the actual version number for `x.x.x`):\n\n```shell\ngem build cyclonedx-cocoapods.gemspec\ngem install cyclonedx-cocoapods-x.x.x.gem\n```\n\nBuilding from source requires Ruby 2.6.3 or newer.\n\n## Compatibility\n\n*cyclonedx-cocoapods* aims to produce SBOMs according to the latest CycloneDX specification, which currently is [1.6](https://cyclonedx.org/docs/1.6/xml/).\nYou can use the [CycloneDX CLI](https://github.com/CycloneDX/cyclonedx-cli#convert-command) to convert between multiple BOM formats or specification versions.\n\n## Usage\n```\nGenerates a BOM with the given parameters. BOM component metadata is only generated if the component's name, version, and type are provided using the --name, --version, and --type parameters.\n[version \u003cversion_number\u003e]\n\nUSAGE\n  cyclonedx-cocoapods [options]\n\nOPTIONS\n        --[no-]verbose               Show verbose debugging output\n    -h, --help                       Show help message\n\n  BOM Generation\n    -p, --path path                  Path to CocoaPods project directory (default: current directory)\n    -o, --output bom_file_path       Path to output the bom file to (default: \"bom.xml\"); if a *.json file is specified the output format will be JSON\n        --bom-version bom_version    Version of the generated BOM (default: \"1\")\n    -x, --exclude-test-targets       Eliminate Podfile targets whose name contains the word \"test\"\n        --shortened-strings length   Trim author, publisher, and purl to \u003clength\u003e characters; this may cause data loss but can improve compatibility with other systems\n\n  Component Metadata\n  If a podspec file is present the name, version, and type do not need to be specified as they will be set automatically.\n    -n, --name name                  (If specified version and type are also required) Name of the component for which the BOM is generated\n    -v, --version version            Version of the component for which the BOM is generated\n    -t, --type type                  Type of the component for which the BOM is generated (one of application|framework|library|container|operating-system|device|firmware|file)\n    -g, --group group                Group of the component for which the BOM is generated\n    -s, --source source_url          Optional: The version control system URL of the component for the BOM is generated\n    -b, --build build_url            Optional: The build URL of the component for which the BOM is generated\n\n  Manufacturer Metadata\n        --manufacturer-name name     Name of the manufacturer\n        --manufacturer-url url       URL of the manufacturer\n        --manufacturer-contact-name name\n                                     Name of the manufacturer contact\n        --manufacturer-email email   Email of the manufacturer contact\n        --manufacturer-phone phone   Phone number of the manufacturer contact\n```\n\n**Output:** BOM file at specified location, `./bom.xml` if not specified\n\n### Example\n\n```shell\n% cyclonedx-cocoapods --path /path/to/cocoapods/project --output /path/to/bom.xml --version 6\n```\n\n#### Specific example\n\nThis repo contains files named `example_bom.xml` and `example_bom.json` that were generated with this tool.\n\nThey represent the open source [PodsUpdater application](https://github.com/kizitonwose/PodsUpdater).  The PodsUpdater\ncode was checked out, then these three commands were run in the checked out code directory.\n\n```shell\n% pod install\n% cyclonedx-cocoapods -n \"kizitonwose-PodsUpdater\" -v 1.0.3 -t application -s https://github.com/kizitonwose/PodsUpdater --output example_bom.xml\n% cyclonedx-cocoapods -n \"kizitonwose-PodsUpdater\" -v 1.0.3 -t application -s https://github.com/kizitonwose/PodsUpdater --output example_bom.json\n```\n\nThe JSON file here has also been run through a JSON formatter for easier reading by humans.  The original JSON\noutput is one long line with no extra whitespace - great for computers, but difficult for humans.\n\n### A Note About CocoaPod Subspecs\n\nMany CocoaPods make use of [subspec functionality](https://guides.cocoapods.org/syntax/podspec.html#subspec).\nPodfiles can require whole pods, or just subspecs; pods themselves may require whole pods or subspecs of other\npods.  In complex projects such as React Native apps this often results in a single pod being included as a\ndependency multiple times as several of its subspecs are included individually.\n\n*cyclonedx-cocoapods* works properly with this, and adds a dependency in the BOM output for each subspec that is\nrequired by the Podfile and throughout the chain of dependencies.  Each subspec will only appear once in the BOM\nfile.  This gives you granular detail in the BOM of which subspecs of which pods are used.  This is easiest seen\nwith an example.\n\nThe Podfile\n```ruby\ntarget 'SampleProject' do\n  pod 'SamplePod/firstsubspec'\n  pod 'SamplePod/secondsubspec'\nend\n```\n\nIf the SamplePod is at v2.1, running *cyclonedx-cocoapods* on this will output a BOM file with two `component`\ndependencies:\n- `pkg:cocoapods/SamplePod@2.1#firstsubspec` at `https://github.com/example/SamplePod`\n- `pkg:cocoapods/SamplePod@2.1#secondsubspec` at `https://github.com/example/SamplePod`\n\n[Dependency Track](https://dependencytrack.org) (DT) is a tool that many organizations use to help automate SBOM\nrelated tasks.  When uploading an SBOM that contains multiple subspecs from the same pod, or a single subspec\nalongside the complete pod dependency, the initial upload will indicate a number of dependencies equal to the number\nof `component` objects within the BOM.  However, DT analysis then looks for unique repositories in use which will\nmerge all of the subspecs of a particular pod into a single entry.  On later uploads to DT of the same or similar BOM\nit will indicate just the number of unique repositories.\n\nUploading the above SamplePod BOM file to DT will initially see two dependencies.  Later analysis by DT notices\nthat both dependencies resolve to the same repository, so DT will then only show a single dependency.\n\n## Contributing\n\nTo set up for local development, make a fork of this repo, make a branch on your fork named after the issue or workflow you are improving, checkout your branch, then run `bundle install`.\n\n### Right to Contribute\n\nThis project runs the [DCO](https://probot.github.io/apps/dco/) checker to validate that the code author has the right to submit the code they are\ncontributing to the project.  Please verify that you do have the right to contribute, then when running `git commit` add the `-s` flag to\nautomatically add the proper `Signed-off-by` line to the commit message.\n\n### Pull requests\n\nBefore submitting your pull request, please do the following:\n\n- Run `rake spec` and make sure all the tests pass. If you are adding new commands or features, they must include tests. If you are changing functionality, update the tests or add new tests as needed.\n- Add a note to the CHANGELOG describing what you changed.\n- Make your pull request. If it is related to an issue, add a link to the issue in the description.\n\n## Copyright \u0026 License\nPermission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE] file for the full license.\n\n[License]: https://github.com/CycloneDX/cyclonedx-cocoapods/blob/master/LICENSE\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyclonedx%2Fcyclonedx-cocoapods","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyclonedx%2Fcyclonedx-cocoapods","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyclonedx%2Fcyclonedx-cocoapods/lists"}