FOSSA supports Swift, Objective-C and Cocoa projects through CocoaPods and Carthage.
|Tool||Quick Import (app.fossa.com)||CLI (fossa-cli)|
|Swift Package Manager||N/A|
When iOS code is imported, FOSSA will inspect the codebase for dependencies resolvable by CocoaPods or Carthage.
The CocoaPods build system pulls in dependencies based on:
- SemVer Version
- External Repository (Git, Subversion, Mercurial, HTTP)
FOSSA derives dependencies by analyzing your
Podfile.lock files and seeing which dependencies are brought in. Other metadata is fetched directly from repository
To add your own Podspec repos, see the Authentication section below.
Requires CocoaPods >= 1.0
FOSSA's Repository Scanning uses CocoaPods version ~1.0. If your Podfile is built using an earlier version, there is a chance that it may not build correctly. See Migrating to 1.0.
- We don't factor in the platform specified in the Podfile. For each dependency, we will fetch the code for all valid platforms.
- Build configurations are not being taken into account at the moment.
- If a subspec(s) of a pod is given, FOSSA will analyze the entire Pod.
- Only git external sources are supported. Subversion, Mercurial, and HTTP sources are currently not supported.
- Plugins in Podfiles are currently being ignored.
- Pre and Post install hooks sometimes do not work properly.
- Pre-release version ranges currently just resolve to the version given (i.e. >=10.1.1.beta will resolve to 10.1.1.beta, as well as ~>10.1.1.beta).
- Multi range versions with pre-releases may not work properly (i.e. >10.1.1.beta1 <10.1.1.beta4).
FOSSA scans through your Project and analyzes any
Cartfile that is found.
Cartfile.resolved files are currently ignored. It grabs dependencies based on:
- SemVer Version
- External Repository (Git, Github)
- Nested dependencies aren't properly handled.
Cartfile.resolvefiles aren't being analyzed, so versioning may be inconsistant.
- Local file repositories (i.e. File:///) in Cartfile's aren't analyzed.
To install the fossa-cli run the following command:
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
To successfully build Cocoapods projects, you will need a
Podfile.lock file in your repository.
To successfully build Carthage projects, you will need a
Cartfile.resolved file in your repository.
To successfully build Swift projects using swift package manager, you will need a
Package.resolved file in your repository.
For more information on running the CLI, please read the documentation at https://github.com/fossas/fossa-cli
FOSSA allows you to add your own podspec repos as well. This is done via the Language Settings page under
Cocoapods Settings. The url should be of the form:
https://github.com/artsy/Specs for public repos, and
[email protected]:artsy/Specs.git for private repos.
When adding a new spec repo, FOSSA will attempt to automatically add our public key to the github repo.
If your private spec repos are not working in FOSSA, please make sure that the following public key is added to your github settings:
This is done via the Project Settings deploy key section in your github project:
On-prem users will need to get their public key from the host server (if one doesn't exist, the Cocoapods migration will create a key pair).
Updated about 1 month ago