
Find vulnerabilities in Objective-C

You can find vulnerabilities in your Objective-C applications. You can scan Objective-C repositories using the command-line interface or the CI integrations.

SCA Agent-based Scan supports scanning Objective-C repositories managed with CocoaPods. It does not support other package managers.

For packaging instructions for Veracode Static Analysis, see Packaging Apple Platform applications.

You can scan any code repository to which you have access and that meets the requirements. To run an example scan, you can clone one of the public Veracode SCA repositories:

git clone https://github.com/veracode/example-objc-cocoapods

Before you begin:

Scanning a repository that uses Objective-C and the CocoaPods package manager requires you to assemble the project dependencies within the environment in which you scan the project. Your environment must:

  • Meet the requirements for the Veracode SCA agent
  • Have access to the Objective-C repository
  • Have a podfile.lock file present in the Objective-C repository. If podfile.lock does not exist in the project root where you perform scans, you must be able to run the pod install command from the project root.

To complete this task:

At the command line, run the scan command pointed to the directory of the Objective-C repository. For example:

srcclr scan path/to/{project_folder}

To scan code repositories hosted in Git, use the --url argument at the command line.

To view more verbose output during the scan process, add the --loud argument:

srcclr scan path/to/{project_folder} --loud
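The prerequisites and commands above fit naturally into one wrapper script. The following is an added example, not a script from the Veracode documentation or the `srcclr` tool itself: it checks that the CocoaPods lockfile is present in the project root, runs `pod install` only when it is missing and a `Podfile` exists, and then assembles the `srcclr scan` invocation (with `--url` for a Git URL and `--loud` for verbose output). It assumes `srcclr` and `pod` are on `PATH`; the page spells the lockfile `podfile.lock` while CocoaPods writes `Podfile.lock`, so the script accepts either spelling.

```shell
#!/bin/sh
# Added example (not from the Veracode page): prepare an Objective-C project that
# uses CocoaPods for a Veracode SCA agent scan, then build the srcclr command.
# Assumes `srcclr` (and, when dependencies are unresolved, `pod`) are on PATH.
# The page names the lockfile "podfile.lock"; CocoaPods writes "Podfile.lock",
# so both spellings are accepted.

# Succeeds (exit 0) when the CocoaPods lockfile exists in the project root.
has_podfile_lock() {
  [ -f "$1/Podfile.lock" ] || [ -f "$1/podfile.lock" ]
}

# Make sure the dependency tree is assembled before scanning. Runs `pod install`
# only when the lockfile is missing, and refuses when that is not possible.
ensure_podfile_lock() {
  dir="$1"
  if has_podfile_lock "$dir"; then
    return 0
  fi
  if [ ! -f "$dir/Podfile" ]; then
    echo "error: no Podfile in $dir; nothing for pod install to resolve" >&2
    return 1
  fi
  if ! command -v pod >/dev/null 2>&1; then
    echo "error: lockfile missing and CocoaPods (pod) is not installed" >&2
    return 1
  fi
  ( cd "$dir" && pod install ) || return 1
  has_podfile_lock "$dir"
}

# Print the srcclr invocation for a local directory or a Git URL.
# $1: path or URL; $2: "1" to add --loud for verbose output.
build_scan_cmd() {
  target="$1"
  loud="${2:-0}"
  case "$target" in
    http://*|https://*|git@*|ssh://*) cmd="srcclr scan --url $target" ;;
    *) cmd="srcclr scan $target" ;;
  esac
  [ "$loud" = "1" ] && cmd="$cmd --loud"
  printf '%s\n' "$cmd"
}

# Usage: sh scan_objc.sh <project_dir_or_git_url> [--loud]
main() {
  target="$1"
  loud=0
  [ "$2" = "--loud" ] && loud=1
  case "$target" in
    http://*|https://*|git@*|ssh://*) ;;              # remote repo: srcclr fetches it
    *) ensure_podfile_lock "$target" || exit 1 ;;     # local checkout: lockfile required
  esac
  cmd=$(build_scan_cmd "$target" "$loud")
  echo "running: $cmd"
  $cmd
}

# Only run when a target is given, so the functions can be sourced or tested alone.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Running `sh scan_objc.sh path/to/project --loud` performs the lockfile check before handing the directory to the agent; a Git URL as the first argument skips the local check and uses `--url` instead.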

Results:

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open-source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.