Does SonarQube scan CocoaPods imported in a Swift iOS App codebase?

Must-share information (formatted with Markdown):

  • Version: 9.9 LTS (latest version)

  • Deployed Instance: Dockerized Container

  • CI Flow: Bitrise.io using the SonarQube Scanner step to submit build / repo to sonarqube instance

  • What do you want to achieve?
    I’m trying to ascertain if there is a way to get the CocoaPods imported in our Swift mobile application codebase scanned. I’m trying to adhere to SOC2 compliance, and as part of that we scan all our projects’ dependencies; for example, on our web projects using JavaScript we use Dependabot in GitHub to see any imported package vulnerabilities from the package.json manifest. Can I get a similar result using SonarQube on the Podfile list? If possible I’d like to use SonarQube instead of having to manually run the list in the OWASP beta tool. I haven’t been able to get that to successfully work yet either, so I’m hoping there’s a solution in SonarQube.

  • What have you tried so far to achieve this?
    I tried setting the sonar.sources property in the CI step to include the Podfile, but it didn’t seem to change the result. Is this even possible to do? Any thoughts on how I might do it?


Hello Brad and thank you for the interest,

Are you asking if SonarQube can analyze the dependencies declared in your CocoaPods file for known vulnerabilities in the same way as Dependabot does?

Best,
Ilia


Yes. I currently have to do a manual OWASP scan in our own CI, and I can’t even upload the report file it produces to SonarQube to store the current report I manually make.

I would prefer SonarQube to do the scan on the Podfile.lock file and report vulnerabilities in its dashboard. If SonarQube can’t scan the CocoaPods using the lockfile and give me a vulnerability report, it sort of defeats the purpose of paying for SonarQube for Swift-based apps at this point, as it keeps saying our code has 0 vulnerabilities. The entire purpose we got scanning was to scan for vulnerabilities, which it apparently can’t do, as it eternally says 0 in every scan. The OWASP scan returns 6 vulnerabilities, 2 of which are Critical level. The “duplicate code” and “Bugs” work, but are pretty useless.

Hi,

We don’t do SCA. (I didn’t realize that’s what you were asking for in our previous conversation.) Since the functionality doesn’t exist, I’m going to move this topic to the Product Manager for a Day category.

Ann

Is there a way I can upload my manually created report, done via the OWASP scanner, to the SonarQube scan report in that case? Like “Additional files” or something?

My output generates an HTML file report from the OWASP tool API, and if I could use SonarQube as a singular dashboard for compliance monitoring, perhaps I can get my Sec Ops boss to keep the system running.

Hi,

Doh! I meant to mention that & got distracted.

I’m guessing you’re using the OWASP Dependency Check tool to check your podfiles? A little digging reveals that it will export to a --format SARIF, which you can then import into analysis. Failing that, you can convert your reports to the Generic Issues format, and import them that way.

HTH,
Ann
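As an added illustration of the second route Ann mentions (not code from SonarSource or the OWASP project): a small converter that takes a Dependency-Check JSON report (`--format JSON`) plus the project's Podfile.lock and emits a SonarQube Generic Issue Import document, which you then point `sonar.externalIssuesReportPaths` at. The sample report, pod names and CVE ids below are constructed placeholders, and the report layout (`dependencies[].vulnerabilities[]` with `name`/`severity`/`description`) is assumed from Dependency-Check's JSON output.

```python
import json
from typing import Dict, List, Optional

# Dependency-Check severities mapped onto SonarQube generic-issue severities.
SEVERITY_MAP = {"CRITICAL": "BLOCKER", "HIGH": "CRITICAL", "MEDIUM": "MAJOR", "LOW": "MINOR"}

# Constructed sample input: a Podfile.lock fragment and a trimmed Dependency-Check
# JSON report. Pod names and CVE ids are placeholders, not real identifiers.
PODFILE_LOCK = """PODS:
  - ExamplePodA (1.2.3)
  - ExamplePodB (4.5.6)
"""
DEPENDENCY_CHECK_REPORT = {
    "dependencies": [
        {"fileName": "ExamplePodA", "vulnerabilities": [
            {"name": "CVE-PLACEHOLDER-1", "severity": "CRITICAL", "description": "constructed finding"}]},
        {"fileName": "ExamplePodB", "vulnerabilities": [
            {"name": "CVE-PLACEHOLDER-2", "severity": "LOW", "description": "constructed finding"}]},
        {"fileName": "ExamplePodC"},  # clean dependency: no "vulnerabilities" key at all
    ]
}

def line_of(pod_name: str, lockfile_text: str) -> Optional[int]:
    """1-based line in Podfile.lock that declares the pod, or None if it is not listed."""
    for num, line in enumerate(lockfile_text.splitlines(), start=1):
        if line.strip().startswith(f"- {pod_name} ("):
            return num
    return None

def to_generic_issues(report: Dict, lockfile_text: str, lock_path: str = "Podfile.lock") -> Dict:
    """Build a SonarQube Generic Issue Import document: {"issues": [...]}."""
    issues: List[Dict] = []
    for dep in report.get("dependencies", []):
        name = dep.get("fileName", "")
        for vuln in dep.get("vulnerabilities", []):  # absent key -> no issues for this pod
            location = {"message": f"{name}: {vuln['name']} - {vuln.get('description', '')}",
                        "filePath": lock_path}
            line = line_of(name, lockfile_text)
            if line is not None:  # anchor to the pod's line; otherwise it stays a file-level issue
                location["textRange"] = {"startLine": line}
            issues.append({
                "engineId": "owasp-dependency-check",
                "ruleId": vuln["name"],
                "severity": SEVERITY_MAP.get(vuln.get("severity", "").upper(), "INFO"),
                "type": "VULNERABILITY",
                "primaryLocation": location,
            })
    return {"issues": issues}

if __name__ == "__main__":
    print(json.dumps(to_generic_issues(DEPENDENCY_CHECK_REPORT, PODFILE_LOCK), indent=2))
```

Write the printed JSON to a file in the workspace and add `sonar.externalIssuesReportPaths=<that file>` to the scanner step so the findings show up as external issues on the project dashboard.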

Brilliant, thanks, will try it. I am being forced into a full SOC2 compliance audit Nov 1, so forgive the scramble, as we’re having to determine which tools we keep for the audit or not. I love the dashboard, but our biggest holes in security are our vulnerabilities; this will help a lot.
