bundle the same SWIFT package by different analyzers

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java

@@ -114,7 +114,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
      */
     @Override
     protected String getAnalyzerEnabledSettingKey() {
-        return Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED;
+        return Settings.KEYS.ANALYZER_COCOAPODS_ENABLED;
     }
 
     @Override

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -112,6 +112,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                     final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
                     while (subIterator.hasNext()) {
                         final Dependency nextDependency = subIterator.next();
+                        Dependency main = null;
                         if (hashesMatch(dependency, nextDependency) && !containedInWar(dependency.getFilePath())
                                 && !containedInWar(nextDependency.getFilePath())) {
                             if (firstPathIsShortest(dependency.getFilePath(), nextDependency.getFilePath())) {
@@ -138,8 +139,14 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                                 mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                                 break; //since we merged into the next dependency - skip forward to the next in mainIterator
                             }
-                        } else if ( isSameRubyGem(dependency, nextDependency) ) {
+                        } else if ( (main = getMainGemspecDependency(dependency, nextDependency)) != null ) {
-                        	Dependency main = getMainGemspecDependency(dependency, nextDependency);
+                        	if (main == dependency) {
+                        		mergeDependencies(dependency, nextDependency, dependenciesToRemove);
+                        	} else {
+                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
+                            }
+                        } else if ( (main = getMainSwiftDependency(dependency, nextDependency)) != null) {
                         	if (main == dependency) {
                         		mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                         	} else {
@@ -349,6 +356,33 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         return null;
     }
     
+    /**
+     * Bundling same swift dependencies with the same packagePath but identified by different analyzers.
+     */
+    private boolean isSameSwiftPackage(Dependency dependency1, Dependency dependency2) {
+    	if (dependency1 == null || dependency2 == null ||
+    		(!dependency1.getFileName().endsWith(".podspec") &&
+    		!dependency1.getFileName().equals("Package.swift")) ||
+    		(!dependency2.getFileName().endsWith(".podspec") &&
+    		!dependency2.getFileName().equals("Package.swift")) ||
+    		dependency1.getPackagePath() == null ||
+    		dependency2.getPackagePath() == null) {
+            return false;
+        }
+        if (dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath()))
+        	return true;
+
+       	return false;
+    }
+    private Dependency getMainSwiftDependency(Dependency dependency1, Dependency dependency2) {
+    	if (isSameSwiftPackage(dependency1, dependency2)) {
+    		if(dependency1.getFileName().endsWith(".podspec"))
+    			return dependency1;
+            return dependency2;
+        }
+        return null;
+    }
+
     /**
      * This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the
      * 'right' library.

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java

@@ -21,14 +21,9 @@ import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
-import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import javax.json.JsonObject;
-import javax.json.JsonString;
-import javax.json.JsonValue;
-
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -37,8 +32,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 /**
  * @author Bianca Xue Jiang
@@ -119,7 +112,7 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
      */
     @Override
     protected String getAnalyzerEnabledSettingKey() {
-        return Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED;
+        return Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED;
     }
 
     @Override
@@ -149,8 +142,8 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
             if (!name.isEmpty()) {
                 vendor.addEvidence(SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST);
             }
-            setPackagePath(dependency);
         }
+        setPackagePath(dependency);
     }
     
     private String addStringEvidence(EvidenceCollection evidences,

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -102,6 +102,8 @@ analyzer.nuspec.enabled=true
 analyzer.openssl.enabled=true
 analyzer.central.enabled=true
 analyzer.nexus.enabled=false
+analyzer.cocoapods.enabled=true
+analyzer.swift.package.manager.enabled=true
 #whether the nexus analyzer uses the proxy
 analyzer.nexus.proxy=true
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/SwiftAnalyzersTest.java

@@ -117,12 +117,7 @@ public class SwiftAnalyzersTest extends BaseTest {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                 "swift/Gloss/Package.swift"));
         spmAnalyzer.analyze(result, null);
-        System.out.println(result.getProductEvidence().toString());
 
-//        assertThat(vendorString, containsString("Carlos Vidal"));
-//        assertThat(vendorString, containsString("https://github.com/nakiostudio/EasyPeasy"));
-//        assertThat(vendorString, containsString("MIT"));
         assertThat(result.getProductEvidence().toString(), containsString("Gloss"));
-//        assertThat(result.getVersionEvidence().toString(), containsString("0.2.3"));
     }
 }

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -253,6 +253,14 @@ public final class Settings {
          * The properties key for whether the OpenSSL analyzer is enabled.
          */
         public static final String ANALYZER_OPENSSL_ENABLED = "analyzer.openssl.enabled";
+        /**
+         * The properties key for whether the cocoapods analyzer is enabled.
+         */
+        public static final String ANALYZER_COCOAPODS_ENABLED = "analyzer.cocoapods.enabled";
+        /**
+         * The properties key for whether the SWIFT package manager analyzer is enabled.
+         */
+        public static final String ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED = "analyzer.swift.package.manager.enabled";
         /**
          * The properties key for the Central search URL.
          */