You can find vulnerabilities in your Swift applications using Veracode Software Composition Analysis agent-based scanning. You can run a scan on Swift repositories using the agent-based scanning command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis and Veracode SCA upload scans, see Packaging iOS and tvOS Applications.
Requirements
Scanning a repository that uses Swift and the CocoaPods package manager requires you to assemble the project dependencies within the environment in which you scan the project. Your environment must:
- Meet the requirements for the Veracode SCA agent.
- Have a podfile.lock file present in the Swift repository.
- Be able to run the pod install command from the project root if podfile.lock does not exist in the project root where you perform scans.
Running a Scan
To try the scan on a sample project, clone the example Swift CocoaPods repository:
git clone https://github.com/srcclr/example-swift-cocoapods
After you clone the code to your desktop, point the Veracode SCA CLI agent to the directory of the repository and scan:
srcclr scan path/to/<project_folder>
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/<project_folder> --loud
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
Viewing Scan Results
After completing a scan, the bottom of the output in your terminal includes a URL for the Veracode Platform where you can view the scan results in more detail:
Licenses
Unique Library Licenses 3
Libraries Using GPL 0
Libraries With No License 1
Full Report Details
https://sca.analysiscenter.veracode.com/teams/abzs0qx/scans/22679557
The results are organized into the following tabs:
- Issues: Includes out-of-date libraries, license violations, and vulnerabilities associated with a specific version of a library within a repository.
- Vulnerabilities: Represents the set of unique vulnerabilities across a project. If multiple libraries in a given project are associated with the same vulnerability, the vulnerability only appears once in this list.
- Libraries: Includes each open source library Veracode SCA has identified within a code project. From the Libraries tab, you can select Swift from the All languages dropdown to view the Swift libraries found in the project.
- Licenses: Displays the software license information associated with each open source library in use.
Fixing Vulnerability Issues
After viewing the scan results, you can follow the fix instructions that Veracode SCA provides for each vulnerability issue in the Veracode Platform.
Fixing a Direct Vulnerability
When your configuration file references a library, Veracode SCA considers the library a direct dependency. In your workspace, on the Issues page, the Vulnerability section lists the vulnerabilities in direct dependencies. You can click the issue ID for details about the vulnerability and instructions for fixing it. Updating your version to the version that the agent-based scan recommends usually fixes vulnerabilities in a direct dependency.
Some libraries include vulnerabilities that are not yet fixed. Therefore, Veracode SCA cannot always provide reliable update versions. In these cases, Veracode recommends you either create a pull request to the unfixed library or use a different library in your code.
Validating a Fixed Vulnerability
Before committing your code changes, you can run an agent-based scan with the --allow-dirty flag to validate a fix you made to your repository. By default the agent refuses to scan a working tree with uncommitted changes; this flag lets the scan proceed anyway:
srcclr scan /path/to/<project_folder> --allow-dirty
When you verify that the vulnerability no longer appears in the scan output, you have fixed the vulnerability and you can commit your code.
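The following script is an added example (not part of Veracode's documentation or tooling) that strings together the steps above for a CI job: it satisfies the podfile.lock requirement from the Requirements section, runs the scan with --allow-dirty, and extracts the report URL and two counts from the summary. It assumes the lockfile is named Podfile.lock, that pod and srcclr are on PATH (overridable through the POD and SRCCLR variables), and that each summary line has the form "<label> <count>" as in the sample output above.

```shell
#!/bin/sh
# Commands can be overridden (e.g. with stubs) for testing the script itself.
POD=${POD:-pod}
SRCCLR=${SRCCLR:-srcclr}

# Satisfy the lockfile requirement: reuse an existing Podfile.lock or generate
# one with `pod install` from the project root (assumed filename, see lead-in).
ensure_lockfile() {
  dir=$1
  if [ -f "$dir/Podfile.lock" ]; then
    return 0
  fi
  ( cd "$dir" && "$POD" install ) || return 1
  [ -f "$dir/Podfile.lock" ]
}

# Read stdin and print the integer following a summary label such as
# "Libraries Using GPL 0". The label is used as a literal sed pattern, so it
# must not contain regex metacharacters (true for the labels on this page).
summary_count() {
  label=$1
  sed -n "s/^${label}[[:space:]]*\([0-9][0-9]*\)\$/\1/p" | head -n 1
}

# Read stdin and print the Veracode Platform report URL from the summary.
report_url() {
  grep -o 'https://sca\.analysiscenter\.veracode\.com/[^[:space:]]*' | head -n 1
}

# Prepare, scan (allowing uncommitted fix attempts), print the report link,
# and return non-zero if any library uses GPL or ships without a license.
# Exit codes: 2 = lockfile could not be produced, 3 = scan command failed.
scan_and_gate() {
  dir=$1
  ensure_lockfile "$dir" || return 2
  out=$("$SRCCLR" scan "$dir" --allow-dirty) || return 3
  gpl=$(printf '%s\n' "$out" | summary_count "Libraries Using GPL")
  nolic=$(printf '%s\n' "$out" | summary_count "Libraries With No License")
  echo "report: $(printf '%s\n' "$out" | report_url)"
  [ "${gpl:-0}" -eq 0 ] && [ "${nolic:-0}" -eq 0 ]
}
```

The gate thresholds are a policy choice; extend summary_count with the other labels the agent prints (such as the vulnerable-library count) to match your own rules.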