MASTG-TECH-0133: Software Composition Analysis (SCA) of iOS Dependencies by Scanning Package Manager Artifacts
iOS has several dependency managers, where the most popular are:
- Carthage
- CocoaPods
- Swift Package Manager (SwiftPM)
Dependencies are integrated into the project during the build process and then compiled into the IPA file. However, version information in the dependencies may be stripped during compilation, so the IPA file itself cannot be scanned reliably. Fortunately, the artifacts produced by the dependency managers can be scanned instead.
Tools such as dependency-check can scan the files created by all three dependency managers. These files list dependencies as Common Platform Enumeration (CPE) entries together with their versions; the components identified by those CPEs are what ends up in the iOS app. The tools then search for known vulnerabilities, or CVEs (Common Vulnerabilities and Exposures), in the dependencies by checking them against vulnerability databases such as the National Vulnerability Database (NVD).
Note
dependency-check supports Carthage, CocoaPods and SwiftPM, but these analyzers are considered experimental. While they may be useful and provide valid results, additional testing is needed to ensure that the false-negative and false-positive rates are acceptable.
To test with dependency-check, we need to retrieve the dependency manager's corresponding file:
- For Carthage, it is the file Cartfile.resolved.
- For CocoaPods, it is the file *.podspec or Podfile.lock.
- For SwiftPM, it is the file Package.swift or Package.resolved.
Keep in mind that developers may use multiple dependency managers, so you may need to run various scans. When scanning with dependency-check, scanning the file created by the dependency manager is enough; you don't need access to the entire Xcode project or source code.
Before running the scan, obtain an NVD API key. This key is used to retrieve the latest CVE information. You can request the API key to access the NVD API from https://nvd.nist.gov/developers/request-an-api-key.
- To start a scan for a project using SwiftPM, execute the following command to scan Package.swift or Package.resolved:
$ dependency-check --enableExperimental -f SARIF --nvdApiKey <YOUR-API-KEY> -s Package.resolved
- To start a scan for a project using CocoaPods, execute the following command to scan Podfile.lock or *.podspec:
$ dependency-check --enableExperimental -f SARIF --nvdApiKey <YOUR-API-KEY> -s Podfile.lock
- To start a scan for a project using Carthage, execute the following command to scan Cartfile.resolved:
$ dependency-check --enableExperimental -f SARIF --nvdApiKey <YOUR-API-KEY> -s Cartfile.resolved
The output is always a SARIF file, which can be viewed with the SARIF Viewer extension for Visual Studio Code (VS Code). Any known vulnerabilities will be listed with their CVE numbers and descriptions.
dependency-check scans only one file per invocation. When scanning for CocoaPods or Carthage, use the same command but point it at the corresponding dependency manager file, and if the project uses several dependency managers, run a separate scan for each of their files.
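Because a project may use more than one dependency manager and dependency-check scans a single file per run, a small wrapper that finds every artifact file named above and scans each one separately saves repeated manual invocations. The following POSIX shell script is an added example, not code from the MASTG page or from dependency-check; the function names, the NVD_API_KEY variable and the per-file report naming are this example's own choices, while the flags are those used in the commands above plus dependency-check's -o (--out) report path option.

```shell
#!/bin/sh
# Added example (not code from the MASTG page or from dependency-check): find every
# iOS dependency-manager artifact under a project tree and run dependency-check on
# each one separately, because the tool scans one file per invocation and an app
# may use several managers at once.

# Print one artifact path per line. Prefers the pinned files (Cartfile.resolved,
# Podfile.lock, Package.resolved); Package.swift is used only where no
# Package.resolved sits beside it (assumption: the resolved file is the better input).
ios_manifests() {
    dir="${1:-.}"
    find "$dir" -type f \( -name Cartfile.resolved -o -name Podfile.lock \
        -o -name '*.podspec' -o -name Package.resolved \) 2>/dev/null
    find "$dir" -type f -name Package.swift 2>/dev/null | while IFS= read -r pkg; do
        [ -f "$(dirname "$pkg")/Package.resolved" ] || printf '%s\n' "$pkg"
    done
}

# Run one experimental-analyzer scan per artifact, writing a SARIF report per file
# into OUTDIR. NVD_API_KEY must hold the key requested from
# https://nvd.nist.gov/developers/request-an-api-key (the variable name is ours).
scan_ios_manifests() {
    dir="${1:-.}"
    outdir="${2:-sca-reports}"
    [ -n "$NVD_API_KEY" ] || { echo "NVD_API_KEY is not set" >&2; return 1; }
    mkdir -p "$outdir"
    ios_manifests "$dir" | while IFS= read -r manifest; do
        # derive the report name from the path so reports from different managers do not collide
        report="$outdir/$(printf '%s' "$manifest" | tr '/' '_').sarif"
        echo "scanning $manifest -> $report"
        dependency-check --enableExperimental -f SARIF --nvdApiKey "$NVD_API_KEY" \
            -s "$manifest" -o "$report" || echo "scan of $manifest failed" >&2
    done
}

# Usage: sh sca-ios.sh --scan <project-dir> [report-dir]
if [ "${1:-}" = "--scan" ]; then
    scan_ios_manifests "${2:-.}" "${3:-sca-reports}"
fi
```

Each resulting .sarif file can then be opened in the SARIF Viewer as described above, one report per dependency manager file.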