fix(swift): try to use branch to resolve version (aquasecurity#6168)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

Author: DmitriyLewen

pkg/dependency/parser/swift/swift/parse.go

@@ -6,9 +6,11 @@ import (
 	"strings"
 
 	"github.com/liamg/jfather"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	dio "github.com/aquasecurity/trivy/pkg/dependency/parser/io"
+	"github.com/aquasecurity/trivy/pkg/dependency/parser/log"
 	"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
 	"github.com/aquasecurity/trivy/pkg/dependency/parser/utils"
 )
@@ -37,10 +39,21 @@ func (Parser) Parse(r dio.ReadSeekerAt) ([]types.Library, []types.Dependency, er
 	}
 	for _, pin := range pins {
 		name := libraryName(pin, lockFile.Version)
+
+		// Skip packages for which we cannot resolve the version
+		if pin.State.Version == "" && pin.State.Branch == "" {
+			log.Logger.Warnf("Unable to resolve %q. Both the version and branch fields are empty.", name)
+			continue
+		}
+
+		// A Pin can be resolved using `branch` without `version`.
+		// e.g. https://github.com/element-hq/element-ios/blob/6a9bcc88ea37147efba8f0a7bcf3ec187f4a4011/Riot.xcworkspace/xcshareddata/swiftpm/Package.resolved#L84-L92
+		version := lo.Ternary(pin.State.Version != "", pin.State.Version, pin.State.Branch)
+
 		libs = append(libs, types.Library{
-			ID:      utils.PackageID(name, pin.State.Version),
+			ID:      utils.PackageID(name, version),
 			Name:    name,
-			Version: pin.State.Version,
+			Version: version,
 			Locations: []types.Location{
 				{
 					StartLine: pin.StartLine,

pkg/dependency/parser/swift/swift/parse_test.go

@@ -37,12 +37,6 @@ func TestParser_Parse(t *testing.T) {
 				},
 			},
 		},
-		// docker run -it --rm swift@sha256:45e5e44ed4873063795f150182437f4dbe7d5527ba5655979d7d11e0829179a7
-		// mkdir app && cd app
-		// swift package init
-		// ## add new deps: ##
-		// sed -i 's/],/],\ndependencies: [\n.package(url: "https:\/\/github.com\/ReactiveCocoa\/ReactiveSwift", from: "7.0.0"),\n.package(url: "https:\/\/github.com\/Quick\/Quick.git", from: "7.0.0"),\n.package(url: "https:\/\/github.com\/Quick\/Nimble.git", .exact("9.2.1")),\n],/' Package.swift
-		// swift package update
 		{
 			name:      "happy path v2",
 			inputFile: "testdata/happy-v2-Package.resolved",
@@ -65,6 +59,12 @@ func TestParser_Parse(t *testing.T) {
 					Version:   "7.1.1",
 					Locations: []types.Location{{StartLine: 39, EndLine: 47}},
 				},
+				{
+					ID:        "github.com/element-hq/[email protected]",
+					Name:      "github.com/element-hq/swift-ogg",
+					Version:   "0.0.1",
+					Locations: []types.Location{{StartLine: 48, EndLine: 56}},
+				},
 				{
 					ID:        "github.com/mattgallagher/[email protected]",
 					Name:      "github.com/mattgallagher/CwlCatchException",

pkg/dependency/parser/swift/swift/testdata/happy-v2-Package.resolved

@@ -20,7 +20,7 @@ type Pin struct {
 }
 
 type State struct {
-	Branch   any    `json:"branch"`
+	Branch   string `json:"branch"`
 	Revision string `json:"revision"`
 	Version  string `json:"version"`
 }