From ceb7e8422eb4a832660faa0a71113d8ec1f40862 Mon Sep 17 00:00:00 2001
From: Frank Viernau
Date: Wed, 7 Feb 2024 13:15:00 +0100
Subject: [PATCH] feat(swiftpm): Add missing package references to the lockfile analysis

Dependencies should always be (transitively) linked to projects. When analyzing a lockfile (only), the dependency tree information is not available. So, simply regard all dependencies as direct dependencies of the project, which is the only option available.

Fixes #8234.

Signed-off-by: Frank Viernau
---
 .../expected-output-only-lockfile-v1.yml | 8 ++++++++
 .../expected-output-only-lockfile-v2.yml | 4 ++++
 .../expected-output-only-lockfile-v3.yml | 1 +
 .../swiftpm/src/main/kotlin/SwiftPm.kt | 15 ++++++++++++---
 4 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/expected-output-only-lockfile-v1.yml b/plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/expected-output-only-lockfile-v1.yml
index 055fa2f37d20e..74a7b2f4fd1b8 100644
--- a/plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/expected-output-only-lockfile-v1.yml
+++ b/plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/expected-output-only-lockfile-v1.yml
@@ -15,6 +15,14 @@ project:
 revision: ""
 path: ""
 homepage_url: ""
+ scopes:
+ - name: "dependencies"
+ dependencies:
+ - id: "Swift::github.com/apple/swift-argument-parser:0.2.0"
+ - id: "Swift::github.com/apple/swift-crypto:"
+ - id: "Swift::github.com/apple/swift-llbuild:9.0.8"
+ - id: "Swift::github.com/braze-inc/braze-ios-sdk:branch-master"
+ - id: "Swift::github.com/grpc/grpc-swift:revision-efb67a324eaf1696b50e66bc471a53690e41fbf6"
 packages:
 - id: "Swift::github.com/apple/swift-argument-parser:0.2.0"
 purl: "pkg:swift/github.com%2Fapple%2Fswift-argument-parser@0.2.0"
diff --git a/plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/expected-output-only-lockfile-v2.yml b/plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/expected-output-only-lockfile-v2.yml
index 7d09834e53fea..eaab929f0fc44 100644
--- a/plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/expected-output-only-lockfile-v2.yml
+++ b/plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/expected-output-only-lockfile-v2.yml
@@ -15,6 +15,10 @@ project:
 revision: ""
 path: ""
 homepage_url: ""
+ scopes:
+ - name: "dependencies"
+ dependencies:
+ - id: "Swift::github.com/alamofire/alamofire:5.4.4"
 packages:
 - id: "Swift::github.com/alamofire/alamofire:5.4.4"
 purl: "pkg:swift/github.com%2Falamofire%2Falamofire@5.4.4"
diff --git a/plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/expected-output-only-lockfile-v3.yml b/plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/expected-output-only-lockfile-v3.yml
index 373719c2210f2..81c40d1ed47bc 100644
--- a/plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/expected-output-only-lockfile-v3.yml
+++ b/plugins/package-managers/swiftpm/src/funTest/assets/projects/synthetic/expected-output-only-lockfile-v3.yml
@@ -15,6 +15,7 @@ project:
 revision: ""
 path: ""
 homepage_url: ""
+ scopes: []
 packages: []
 issues:
 - timestamp: "1970-01-01T00:00:00Z"
diff --git a/plugins/package-managers/swiftpm/src/main/kotlin/SwiftPm.kt b/plugins/package-managers/swiftpm/src/main/kotlin/SwiftPm.kt
index 2cd70a081b27f..d8e237e536b60 100644
--- a/plugins/package-managers/swiftpm/src/main/kotlin/SwiftPm.kt
+++ b/plugins/package-managers/swiftpm/src/main/kotlin/SwiftPm.kt
@@ -28,6 +28,7 @@ import org.ossreviewtoolkit.downloader.VersionControlSystem
 import org.ossreviewtoolkit.model.Identifier
 import org.ossreviewtoolkit.model.Issue
 import org.ossreviewtoolkit.model.Package
+import org.ossreviewtoolkit.model.PackageLinkage
 import org.ossreviewtoolkit.model.PackageReference
 import org.ossreviewtoolkit.model.Project
 import org.ossreviewtoolkit.model.ProjectAnalyzerResult
@@ -94,15 +95,23 @@ class SwiftPm(
 */
 private fun resolveLockfileDependencies(packageResolvedFile: File): List {
 val issues = mutableListOf()
+ val packages = mutableSetOf()
+ val scopeDependencies = mutableSetOf()
 
- val pins = parseLockfile(packageResolvedFile).onFailure {
+ parseLockfile(packageResolvedFile).onSuccess { pins ->
+ pins.mapTo(packages) { it.toPackage() }
+ scopeDependencies += Scope(
+ name = DEPENDENCIES_SCOPE_NAME,
+ dependencies = packages.mapTo(mutableSetOf()) { it.toReference(linkage = PackageLinkage.DYNAMIC) }
+ )
+ }.onFailure {
 issues += Issue(source = managerName, message = it.message.orEmpty())
 }.getOrDefault(emptySet())
 
 return listOf(
 ProjectAnalyzerResult(
- project = projectFromDefinitionFile(packageResolvedFile, emptySet()),
- packages = pins.mapTo(mutableSetOf()) { it.toPackage() },
+ project = projectFromDefinitionFile(packageResolvedFile, scopeDependencies),
+ packages = packages,
 issues = issues
 )
 )
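Review bot: The trailing `.getOrDefault(emptySet())` on the `parseLockfile` chain in the second hunk is now dead code — the `Result` is no longer bound to `pins` (they are consumed inside the new `onSuccess` lambda), so the default set is built and immediately discarded; end the statement at the `onFailure` block instead, i.e. replace the context line `}.getOrDefault(emptySet())` with `}`. The flattening that the commit message explains deserves a comment in the code as well, because any consumer that treats direct and transitive dependencies differently will now see every pinned package as a direct dependency of the project: above `scopeDependencies += Scope(` add `// Package.resolved carries no dependency tree, so every pinned package is recorded as a direct dependency.` The same caveat belongs in the function's KDoc, whose closing `*/` is the hunk's first context line while its body lies above the hunk. The closing brace of resolveLockfileDependencies is also outside the hunk.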