Swift¶
Tunnel supports CocoaPods and Swift package managers.
The following scanners are supported.
| Package manager | SBOM | Vulnerability | License |
|---|---|---|---|
| Swift | ✓ | ✓ | - |
| CocoaPods | ✓ | ✓ | - |
The following table provides an outline of the features Tunnel offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
|---|---|---|---|---|---|
| Swift | Package.resolved | ✓ | Included | - | ✓ |
| CocoaPods | Podfile.lock | ✓ | Included | ✓ | - |
These may be enabled or disabled depending on the target. See here for the detail.
Swift¶
Tunnel parses Package.resolved file to find dependencies.
Don't forget to update (swift package update command) this file before scanning.
CocoaPods¶
CocoaPods uses package names in PodFile.lock, but GitHub Advisory Database (GHSA) Tunnel relies on uses Git URLs.
We parse the CocoaPods Specs to match package names and links.
Limitation
Since GHSA holds only Git URLs, such as github.com/apple/swift-nio,
Tunnel can't identify affected submodules, and detect all submodules maintained by the same URL.
For example, SwiftNIOHTTP1 and SwiftNIOWebSocket both are maintained under github.com/apple/swift-nio,
and Tunnel detect CVE-2022-3215 for both of them, even though only SwiftNIOHTTP1 is actually affected.