fix: validation logic of cocoapods purls

snyk · Aug 29, 2023 · 87159ad · 87159ad
1 parent 2f3203e
commit 87159ad
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 0 deletions.
diff --git a/src/core/validate-graph.ts b/src/core/validate-graph.ts
@@ -60,6 +60,19 @@ export function validatePackageURL(pkg: types.PkgInfo): void {
         );
         break;
 
+      // CocoaPods have an optional subspec encoded in the subpath
+      // component of the purl, which – if present – should
+      // be appended to the spec.
+      case 'cocoapods':
+        assert(
+          pkg.name ===
+            (purlPkg.subpath
+              ? `${purlPkg.name}/${purlPkg.subpath}`
+              : purlPkg.name),
+          `name and packageURL name do not match`,
+        );
+        break;
+
       case 'golang': {
         let expected = purlPkg.namespace
           ? `${purlPkg.namespace}/${purlPkg.name}`

diff --git a/test/core/validate-graph.test.ts b/test/core/validate-graph.test.ts
@@ -88,6 +88,58 @@ describe('validatePackageURL', () => {
     });
   });
 
+  describe('cocoapods Purl type tests', () => {
+    it.each([
+      [
+        'cocoapods package without subspec',
+        {
+          name: 'bar',
+          version: '1.2.3',
+          purl: 'pkg:cocoapods/[email protected]',
+        },
+      ],
+      [
+        'cocoapods package with subspec',
+        {
+          name: 'spec/subspec',
+          version: '1.2.3',
+          purl: 'pkg:cocoapods/[email protected]#subspec',
+        },
+      ],
+    ])('validates cocoapods Purls: %s', (name, pkg) => {
+      expect(() => validatePackageURL(pkg)).not.toThrow();
+    });
+
+    it.each([
+      [
+        'package name does not match purl name',
+        {
+          name: 'foo',
+          version: '1.2.3',
+          purl: 'pkg:cocoapods/[email protected]',
+        },
+      ],
+      [
+        'package name does not match subspec',
+        {
+          name: 'baz/foo',
+          version: '1.2.3',
+          purl: 'pkg:cocoapods/[email protected]#bar',
+        },
+      ],
+      [
+        'package name does not include subspec',
+        {
+          name: 'bar',
+          version: '1.2.3',
+          purl: 'pkg:cocoapods/[email protected]#baz',
+        },
+      ],
+    ])('should throw on invalid purl: %s', (name, pkg) => {
+      expect(() => validatePackageURL(pkg)).toThrow();
+    });
+  });
+
   describe('composer Purl type tests', () => {
     it.each([
       [