MASTG-TECH-0132: Software Composition Analysis (SCA) of iOS Dependencies by Creating a SBOM

You can use cdxgen to generate a Software Bill of Materials (SBOM) in the CycloneDX format when using SwiftPM. Currently, Carthage and CocoaPods are not supported. You can either ask the development team to provide the SBOM file or create it yourself. To do so, navigate to the root directory of the Xcode project you wish to scan, then execute the following command:

$ cdxgen -o sbom.json

The SBOM file needs to be Base64-encoded and uploaded to dependency-track for analysis.

$ cat sbom.json | base64
$ curl -X "PUT" "http://localhost:8081/api/v1/bom" \
     -H 'Content-Type: application/json' \
     -H 'X-API-Key: <YOUR API KEY>' \
     -d $'{
  "project": "<YOUR PROJECT ID>",
  "bom": "<BASE64-ENCODED SBOM>"
  }'

Also, check the alternatives for uploading the SBOM file if the generated JSON file is too large.

If you are using the default settings of the Visual Studio Code (vscode) Docker container, go to the frontend of dependency-track, which is http://localhost:8080. Open the project to which you uploaded the SBOM to check whether it contains any vulnerable dependencies.
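The upload step above, written as two shell functions. This is an added example, not code from the MASTG page or from the Dependency-Track project; it assumes a SwiftPM SBOM produced by `cdxgen -o sbom.json`, a project UUID, and the environment variables DTRACK_URL and DTRACK_API_KEY (both names chosen here). It avoids two pitfalls of typing `cat sbom.json | base64` and `curl -d` by hand: GNU base64 wraps its output at 76 columns, and those line breaks corrupt the JSON string value, and passing a large SBOM as a single shell argument runs into the argument-length limit. The payload is therefore stripped of newlines and streamed to curl on stdin.

```shell
#!/bin/sh
# Added example (not part of the MASTG page or of Dependency-Track).
# Assumed: DTRACK_URL (defaults to the page's http://localhost:8081),
# DTRACK_API_KEY, an SBOM file from `cdxgen -o sbom.json`, and a project UUID.

# Emit the JSON body for PUT /api/v1/bom on stdout as a single line.
build_bom_payload() {
  sbom_file="$1"
  project_id="$2"
  if [ ! -r "$sbom_file" ]; then
    echo "build_bom_payload: cannot read $sbom_file" >&2
    return 1
  fi
  # tr removes the line breaks GNU base64 inserts every 76 characters;
  # BSD/macOS base64 emits none, so the result is identical on both.
  encoded=$(base64 < "$sbom_file" | tr -d '\n')
  printf '{"project":"%s","bom":"%s"}' "$project_id" "$encoded"
}

# Stream the payload to the API from stdin (--data-binary @-) so the size of
# the SBOM is not limited by the maximum length of a command-line argument.
upload_bom() {
  sbom_file="$1"
  project_id="$2"
  : "${DTRACK_URL:=http://localhost:8081}"
  if [ -z "${DTRACK_API_KEY:-}" ]; then
    echo "upload_bom: set DTRACK_API_KEY to a key with BOM_UPLOAD permission" >&2
    return 1
  fi
  build_bom_payload "$sbom_file" "$project_id" |
    curl -sS --fail -X PUT "$DTRACK_URL/api/v1/bom" \
      -H 'Content-Type: application/json' \
      -H "X-API-Key: $DTRACK_API_KEY" \
      --data-binary @-
}

# Usage (after sourcing this file):
#   DTRACK_API_KEY=... upload_bom sbom.json <YOUR PROJECT ID>
```

On success Dependency-Track answers with a JSON object carrying a processing token; the analysis results then appear under the project in the frontend on port 8080 as described above.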

Note

Transitive dependencies are not supported by cdxgen for SwiftPM.

Tests

MASTG-TEST-0275: Dependencies with Known Vulnerabilities in the App's SBOM

Demos

MASTG-DEMO-0053: Identifying Insecure Dependencies in SwiftPM through SBOM creation