Graciously fail for fastlane managed swift projects (#1443)

* Update packages

Signed-off-by: Prabhu Subramanian <[email protected]>

* Tweaks

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

.github/workflows/repotests.yml

@@ -12,10 +12,10 @@ concurrency:
 jobs:
   build:
     strategy:
-      fail-fast: false
+      fail-fast: true
       matrix:
-        node-version: ['21.x', '22.x', '23.x']
-        os: ['ubuntu-latest', 'windows-latest']
+        node-version: ['23.x']
+        os: ['ubuntu-latest', 'windows-latest', 'self-hosted']
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
@@ -33,6 +33,7 @@ jobs:
           deno-version: v2.x
       - uses: oven-sh/setup-bun@v1
       - name: Trim CI agent
+        if: matrix.os == 'ubuntu-latest'
         run: |
           chmod +x contrib/free_disk_space.sh
           ./contrib/free_disk_space.sh
@@ -57,6 +58,7 @@ jobs:
           CI: true
       - name: Setup Android SDK
         uses: android-actions/setup-android@v3
+        if: matrix.os != 'self-hosted'
       - uses: swift-actions/setup-swift@v2
         if: matrix.os == 'ubuntu-latest'
       - name: Set up Python
@@ -268,17 +270,14 @@ jobs:
       - name: repotests basic-ftp
         run: |
           FETCH_LICENSE=false bin/cdxgen.js -p -t nodejs10 repotests/basic-ftp -o bomresults/basic-ftp.json
-          node bin/evinse.js -i bomresults/basic-ftp.json -o bomresults/basic-ftp.evinse.json -l javascript --with-data-flow -p repotests/basic-ftp
         shell: bash
       - name: repotests llama-node
         run: |
           FETCH_LICENSE=false bin/cdxgen.js -p -t nodejs16 repotests/llama-node -o bomresults/llama-node.json
-          node bin/evinse.js -i bomresults/llama-node.json -o bomresults/llama-node.evinse.json -l javascript --with-data-flow -p repotests/llama-node
         shell: bash
       - name: repotests RSSHub
         run: |
           FETCH_LICENSE=false bin/cdxgen.js -p -t nodejs22 repotests/RSSHub -o bomresults/RSSHub.json
-          node bin/evinse.js -i bomresults/RSSHub.json -o bomresults/RSSHub.evinse.json -l javascript --with-data-flow -p repotests/RSSHub
         shell: bash
       - name: repotests java-sec-code
         run: |

deno.json

@@ -50,7 +50,7 @@
   "imports": {
     "@appthreat/atom": "npm:@appthreat/[email protected]",
     "@appthreat/cdx-proto": "npm:@appthreat/[email protected]",
-    "@babel/parser": "npm:@babel/parser@^7.25.8",
+    "@babel/parser": "npm:@babel/parser@^7.26.2",
     "@babel/traverse": "npm:@babel/traverse@^7.25.7",
     "@npmcli/arborist": "npm:@npmcli/[email protected]",
     "ajv": "npm:ajv@^8.16.0",
@@ -72,7 +72,7 @@
     "ssri": "npm:ssri@^12.0.0",
     "table": "npm:table@^6.8.2",
     "tar": "npm:tar@^7.4.3",
-    "uuid": "npm:uuid@^10.0.0",
+    "uuid": "npm:uuid@^11.0.2",
     "xml-js": "npm:xml-js@^1.6.11",
     "yargs": "npm:yargs@^17.7.2",
     "jest": "npm:jest@^29.7.0",

lib/cli/index.js

@@ -19,8 +19,12 @@ import process from "node:process";
 import { URL } from "node:url";
 import got from "got";
 import { PackageURL } from "packageurl-js";
+import { gte, lte } from "semver";
 import { parse } from "ssri";
+import { table } from "table";
 import { v4 as uuidv4 } from "uuid";
+import { findJSImportsExports } from "../helpers/analyzer.js";
+import { collectOSCryptoLibs } from "../helpers/cbomutils.js";
 import {
   collectEnvInfo,
   getBranch,
@@ -144,19 +148,6 @@ import {
   recomputeScope,
   splitOutputByGradleProjects,
 } from "../helpers/utils.js";
-let url = import.meta.url;
-if (!url.startsWith("file://")) {
-  url = new URL(`file://${import.meta.url}`).toString();
-}
-const dirName = dirNameStr;
-
-const selfPJson = JSON.parse(
-  readFileSync(join(dirName, "package.json"), "utf-8"),
-);
-const _version = selfPJson.version;
-import { gte, lte } from "semver";
-import { findJSImportsExports } from "../helpers/analyzer.js";
-import { collectOSCryptoLibs } from "../helpers/cbomutils.js";
 import {
   executeOsQuery,
   getBinaryBom,
@@ -171,6 +162,17 @@ import {
   parseImageName,
 } from "../managers/docker.js";
 
+let url = import.meta.url;
+if (!url.startsWith("file://")) {
+  url = new URL(`file://${import.meta.url}`).toString();
+}
+const dirName = dirNameStr;
+
+const selfPJson = JSON.parse(
+  readFileSync(join(dirName, "package.json"), "utf-8"),
+);
+const _version = selfPJson.version;
+
 const isWin = _platform() === "win32";
 
 let osQueries = {};
@@ -195,8 +197,6 @@ const cosDbQueries = JSON.parse(
   readFileSync(join(dirName, "data", "cosdb-queries.json"), "utf-8"),
 );
 
-import { table } from "table";
-
 // Construct gradle cache directory
 let GRADLE_CACHE_DIR =
   process.env.GRADLE_CACHE_DIR ||
@@ -221,8 +221,9 @@ const HASH_PATTERN =
 /**
  * Creates a default parent component based on the directory name.
  *
- * @param {string} path Directory or file name
- * @param {string} type Package type
+ * @param {String} path Directory or file name
+ * @param {String} type Package type
+ * @param {Object} options CLI options
  * @returns component object
  */
 const createDefaultParentComponent = (
@@ -734,7 +735,7 @@ function addMetadata(parentComponent = {}, options = {}, context = {}) {
  */
 function addExternalReferences(opkg) {
   let externalReferences = [];
-  let pkgList = [];
+  let pkgList;
   if (Array.isArray(opkg)) {
     pkgList = opkg;
   } else {
@@ -843,11 +844,12 @@ function addComponent(
         pkg.qualifiers,
         encodeForPurl(pkg.subpath),
       );
+    let purlString = purl.toString();
     // There is no purl for cryptographic-asset
     if (ptype === "cryptographic-asset") {
       purl = undefined;
+      purlString = undefined;
     }
-    const purlString = purl.toString();
     const description = pkg.description || undefined;
     let compScope = pkg.scope;
     if (allImports) {
@@ -1025,8 +1027,7 @@ function processHashes(pkg, component) {
       addComponentHash(ahash.alg, ahash.content, component);
     }
   } else if (pkg._shasum) {
-    let ahash = { "@alg": "SHA-1", "#text": pkg._shasum };
-    ahash = { alg: "SHA-1", content: pkg._shasum };
+    const ahash = { alg: "SHA-1", content: pkg._shasum };
     component.hashes.push(ahash);
   } else if (pkg._integrity) {
     const integrity = parse(pkg._integrity) || {};
@@ -1054,7 +1055,7 @@ function processHashes(pkg, component) {
  * Adds a hash to component.
  */
 function addComponentHash(alg, digest, component) {
-  let hash = "";
+  let hash;
   // If it is a valid hash simply use it
   if (new RegExp(HASH_PATTERN).test(digest)) {
     hash = digest;
@@ -1135,7 +1136,7 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
  */
 export async function createJarBom(path, options) {
   let pkgList = [];
-  let jarFiles = [];
+  let jarFiles;
   let nsMapping = {};
   const parentComponent = createDefaultParentComponent(path, "maven", options);
   if (options.useGradleCache) {
@@ -2668,8 +2669,7 @@ export function createPixiBom(path, options) {
   // Add parentComponent Details
   const pixiTomlMode = existsSync(pixiToml);
   if (pixiTomlMode) {
-    const tmpParentComponent = parsePixiTomlFile(pixiToml);
-    parentComponent = tmpParentComponent;
+    parentComponent = parsePixiTomlFile(pixiToml);
     parentComponent.type = "application";
     const ppurl = new PackageURL(
       "pixi",
@@ -3188,7 +3188,7 @@ export async function createGoBom(path, options) {
   const allImports = {};
   let parentComponent = createDefaultParentComponent(path, "golang", options);
   // Is this a binary file
-  let maybeBinary = false;
+  let maybeBinary;
   try {
     maybeBinary = statSync(path).isFile();
   } catch (err) {
@@ -3590,7 +3590,7 @@ export async function createRustBom(path, options) {
   let pkgList = [];
   let parentComponent = {};
   // Is this a binary file
-  let maybeBinary = false;
+  let maybeBinary;
   try {
     maybeBinary = statSync(path).isFile();
   } catch (err) {
@@ -4202,7 +4202,7 @@ export function createCloudBuildBom(path, options) {
 /**
  * Function to create obom string for the current OS using osquery
  *
- * @param {string} path to the project
+ * @param {string} _path to the project
  * @param {Object} options Parse options from the cli
  */
 export function createOSBom(_path, options) {
@@ -4810,9 +4810,9 @@ export function createPHPBom(path, options) {
     if (DEBUG_MODE) {
       console.log("Parsing version", versionResult.stdout);
     }
-    const tmpV = undefined;
+    let tmpV = undefined;
     if (versionResult?.stdout) {
-      versionResult.stdout.split(" ");
+      tmpV = versionResult.stdout.split(" ");
     }
     if (tmpV && tmpV.length > 1) {
       composerVersion = tmpV[1];
@@ -6434,7 +6434,7 @@ export async function createBom(path, options) {
     options.path = path;
     options.parentComponent = {};
     // Create parent component based on the inspect config
-    const inspectData = exportData.inspectData;
+    const inspectData = exportData?.inspectData;
     if (
       inspectData?.RepoDigests &&
       inspectData.RepoTags &&
@@ -6484,13 +6484,12 @@ export async function createBom(path, options) {
     }
     // Pass the entire export data about the image layers
     options.exportData = exportData;
-    options.lastWorkingDir = exportData.lastWorkingDir;
-    options.allLayersExplodedDir = exportData.allLayersExplodedDir;
-    const bomData = await createMultiXBom(
-      [...new Set(exportData.pkgPathList)],
+    options.lastWorkingDir = exportData?.lastWorkingDir;
+    options.allLayersExplodedDir = exportData?.allLayersExplodedDir;
+    return await createMultiXBom(
+      [...new Set(exportData?.pkgPathList)],
       options,
     );
-    return bomData;
   }
   if (path.endsWith(".war")) {
     projectType = ["java"];

lib/evinser/swiftsem.js

@@ -53,11 +53,19 @@ const SWIFT_ENTITY_KINDS = {
   DECL_VAR_LOCAL: "source.lang.swift.decl.var.local",
   REF_VAR_LOCAL: "source.lang.swift.ref.var.local",
 };
-for (const key of Object.keys(SWIFT_ENTITY_KINDS)) {
-  if (key.toUpperCase() === key) {
-    SWIFT_ENTITY_KINDS[SWIFT_ENTITY_KINDS[key]] = key;
-  }
-}
+
+// Array of standard types that can be ignored
+const IGNORABLE_TYPES = [
+  "Bool",
+  "Error?",
+  "AnyObject",
+  "()",
+  "Any?",
+  "Void",
+  "[String]",
+  "String?",
+  "String",
+];
 
 /**
  * Retrieve the structure information of a .swift file in json format
@@ -107,15 +115,13 @@ function collectStructureTypes(substructures, refTypes) {
   for (const asubstruct of substructures) {
     if (
       asubstruct["key.typename"] &&
-      !["String", "Bool", "Error?", "()", "Any?"].includes(
-        asubstruct["key.typename"],
-      )
+      !IGNORABLE_TYPES.includes(asubstruct["key.typename"])
     ) {
       refTypes.add(asubstruct["key.typename"]);
     }
     if (asubstruct["key.inheritedtypes"]) {
       for (const inheritedType of asubstruct["key.inheritedtypes"]) {
-        if (!["AnyObject", "()", "Any?"].includes(inheritedType["key.name"])) {
+        if (!IGNORABLE_TYPES.includes(inheritedType["key.name"])) {
           refTypes.add(inheritedType["key.name"]);
         }
       }
@@ -543,12 +549,20 @@ export function parseOutputFileMap(filemap) {
  * @param options options CLI options
  */
 export function createSemanticsSlices(basePath, options) {
-  const semanticsSlicesFile = options.semanticsSlicesFile;
   let compilerArgs = process?.env?.SWIFT_COMPILER_ARGS;
   let sdkArgs = process?.env?.SWIFT_SDK_ARGS;
+  const pkgSwiftFiles = getAllFiles(
+    basePath,
+    `${options.multiProject ? "**/" : ""}Package*.swift`,
+    options,
+  );
+  if (!pkgSwiftFiles.length) {
+    return undefined;
+  }
   if (!compilerArgs || !sdkArgs) {
     // We begin by performing a clean verbose debug build to learn the compiler arguments needed for a successful build
     // We do this because most users would not know the compiler arguments themselves!
+    // FIXME: This needs to be improved to support monorepos with multiple Package.swift files
     const paramsObj = extractCompilerParamsFromBuild(verboseBuild(basePath));
     // Our auto-detection attempt has failed.
     if (!paramsObj) {