
MASTG-DEMO-0053: Identifying Insecure Dependencies in SwiftPM through SBOM creation


Steps

Execute cdxgen in the root directory of the Xcode project.

run.sh

cdxgen -o sbom.json

This creates an SBOM file (sbom.json) that can be uploaded to dependency-track by following Software Composition Analysis (SCA) of iOS Dependencies by Creating a SBOM.

Observation

In the dependency-track project to which the SBOM has been uploaded, the scan should identify 2 unique dependencies (components), 2 vulnerable dependencies and 2 vulnerabilities (this number might increase as more vulnerabilities are found over time).

output.txt
{
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:54c73891-97b0-40be-90a1-a432ffc62330",
    "version": 1,
    "metadata": {
        "timestamp": "2024-10-20T17:34:54Z",
        "tools": {
            "components": [
                {
                    "group": "@cyclonedx",
                    "name": "cdxgen",
                    "version": "10.10.5",
                    "purl": "pkg:npm/%40cyclonedx/cdxgen@10.10.5",
                    "type": "application",
                    "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.10.5",
                    "author": "OWASP Foundation",
                    "publisher": "OWASP Foundation"
                }
            ]
        },
        "authors": [
            {
                "name": "OWASP Foundation"
            }
        ],
        "lifecycles": [
            {
                "phase": "build"
            }
        ],
        "component": {
            "group": "",
            "name": "MASTestApp-iOS-MASWE-0076",
            "version": "latest",
            "type": "application",
            "bom-ref": "pkg:swift/MASTestApp-iOS-MASWE-0076@latest",
            "purl": "pkg:swift/MASTestApp-iOS-MASWE-0076@latest"
        },
        "properties": [
            {
                "name": "cdx:bom:componentTypes",
                "value": "github\\nswift"
            },
            {
                "name": "cdx:bom:componentNamespaces",
                "value": "actions\\ngithub.com/apple"
            }
        ]
    },
    "components": [
        {
            "group": "actions",
            "name": "checkout",
            "version": "v4",
            "purl": "pkg:github/actions/checkout@v4",
            "type": "application",
            "bom-ref": "pkg:github/actions/checkout@v4"
        },
        {
            "group": "github.com/apple",
            "name": "swift-nio",
            "version": "1.4.0",
            "purl": "pkg:swift/github.com/apple/swift-nio@1.4.0",
            "externalReferences": [
                {
                    "type": "vcs",
                    "url": "https://github.com/apple/swift-nio.git"
                }
            ],
            "type": "library",
            "bom-ref": "pkg:swift/github.com/apple/swift-nio@1.4.0",
            "evidence": {
                "identity": {
                    "field": "purl",
                    "confidence": 1,
                    "methods": [
                        {
                            "technique": "manifest-analysis",
                            "confidence": 1,
                            "value": "/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"
                        }
                    ]
                }
            },
            "properties": [
                {
                    "name": "SrcFile",
                    "value": "/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"
                }
            ]
        },
        {
            "group": "github.com/apple",
            "name": "swift-nio-zlib-support",
            "version": "1.0.0",
            "purl": "pkg:swift/github.com/apple/swift-nio-zlib-support@1.0.0",
            "externalReferences": [
                {
                    "type": "vcs",
                    "url": "https://github.com/apple/swift-nio-zlib-support.git"
                }
            ],
            "type": "library",
            "bom-ref": "pkg:swift/github.com/apple/swift-nio-zlib-support@1.0.0",
            "evidence": {
                "identity": {
                    "field": "purl",
                    "confidence": 1,
                    "methods": [
                        {
                            "technique": "manifest-analysis",
                            "confidence": 1,
                            "value": "/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"
                        }
                    ]
                }
            },
            "properties": [
                {
                    "name": "SrcFile",
                    "value": "/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"
                }
            ]
        }
    ],
    "services": [],
    "dependencies": []
}

Evaluation

Review each of the reported instances. The dependency swift-nio has 2 known vulnerabilities and should be updated to the latest version.
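As an added example (not part of the MASTG demo, cdxgen or dependency-track), the script below parses a CycloneDX SBOM shaped like the output above, extracts the pkg:swift components from their purls and flags those below a per-package minimum version, which is the kind of policy check dependency-track applies once its vulnerability database has been consulted. The embedded SBOM is a constructed, trimmed copy of the page's output, and MIN_SAFE_VERSION is a hypothetical placeholder, not real advisory data.

```python
import json
from urllib.parse import unquote

# Constructed, trimmed-down SBOM with only the fields this script reads;
# component versions match the cdxgen output shown on the page.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "purl": "pkg:github/actions/checkout@v4"},
        {"type": "library", "purl": "pkg:swift/github.com/apple/swift-nio@1.4.0"},
        {"type": "library", "purl": "pkg:swift/github.com/apple/swift-nio-zlib-support@1.0.0"},
    ],
})

# Hypothetical policy: minimum acceptable version per SwiftPM package.
# Placeholder threshold, NOT taken from any real advisory.
MIN_SAFE_VERSION = {"github.com/apple/swift-nio": "2.0.0"}

def parse_purl(purl):
    """Split a purl into (type, namespace/name, version), percent-decoded."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    ptype, _, rest = purl[4:].partition("/")
    rest = rest.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    name, sep, version = rest.rpartition("@")
    if not sep:                                     # purl without a version
        name, version = rest, ""
    return ptype, unquote(name), unquote(version)

def version_key(version):
    """Numeric tuple for comparison; leading 'v' and pre-release/build tags ignored."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))

def swift_components(sbom_text):
    """Return the SwiftPM (pkg:swift) components as (name, version) pairs."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    found = []
    for comp in sbom.get("components", []):
        if comp.get("purl"):
            ptype, name, version = parse_purl(comp["purl"])
            if ptype == "swift":
                found.append((name, version))
    return found

def outdated_components(sbom_text, policy=MIN_SAFE_VERSION):
    """Swift components below the policy minimum: the ones to review and update."""
    return [{"name": n, "version": v, "minimum": policy[n]}
            for n, v in swift_components(sbom_text)
            if n in policy and version_key(v) < version_key(policy[n])]
```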