Swift
Trivy supports CocoaPods and Swift package managers.
The following scanners are supported.
| Package manager | SBOM | Vulnerability | License |
|---|---|---|---|
| Swift | ✓ | ✓ | - |
| CocoaPods | ✓ | ✓ | - |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
|---|---|---|---|---|---|
| Swift | Package.resolved | ✓ | Included | - | ✓ |
| CocoaPods | Podfile.lock | ✓ | Included | ✓ | - |
These may be enabled or disabled depending on the target. See here for the detail.
Swift
Trivy parses Package.resolved file to find dependencies.
Don't forget to update (swift package update command) this file before scanning.
CocoaPods
CocoaPods uses package names in PodFile.lock, but GitHub Advisory Database (GHSA) Trivy relies on uses Git URLs.
We parse the CocoaPods Specs to match package names and links.
Limitation
Since GHSA holds only Git URLs, such as github.com/apple/swift-nio,
Trivy can't identify affected submodules, and detect all submodules maintained by the same URL.
For example, SwiftNIOHTTP1 and SwiftNIOWebSocket both are maintained under github.com/apple/swift-nio,
and Trivy detect CVE-2022-3215 for both of them, even though only SwiftNIOHTTP1 is actually affected.