feat: add Package.resolved swift files support

[DmitriyLewen]

Description

Add Package.resolved files support.

Example of work:

➜  trivy fs Package.resolved
2023-08-23T15:44:40.465+0600    INFO    Vulnerability scanning is enabled
2023-08-23T15:44:40.465+0600    INFO    Secret scanning is enabled
2023-08-23T15:44:40.465+0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-23T15:44:40.465+0600    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-08-23T15:44:40.471+0600    INFO    Number of language-specific files: 1
2023-08-23T15:44:40.471+0600    INFO    Detecting swift vulnerabilities...

Package.resolved (swift)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────────────┬────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability │ Severity │ Status │ Installed Version │     Fixed Version      │                         Title                          │
├────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────────────┼────────────────────────────────────────────────────────┤
│ github.com/apple/swift-nio │ CVE-2022-3215 │ MEDIUM   │ fixed  │ 2.41.0            │ 2.29.1, 2.39.1, 2.42.0 │ SwiftNIO vulnerable to Improper Neutralization of CRLF │
│                            │               │          │        │                   │                        │ Sequences in HTTP Headers ('HTTP...                    │
│                            │               │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2022-3215              │
└────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────────────┴────────────────────────────────────────────────────────┘

Related issues

• Close add support Swift Package Manager #4926

Related PRs

• feat(ghsa): add swift support trivy-db#339
• feat(ghsa): add swift support vuln-list-update#233
• feat(swift): add Package.resolved file support go-dep-parser#245
• fix(swift): add ID field go-dep-parser#250

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

We didn't add ID in Package. Didn't you see any implications?
https://github.com/aquasecurity/go-dep-parser/blob/e39b9645d9b842013a443b800af87608f010a532/pkg/swift/swift/parse.go#L37-L44

[knqyf263]

I think other analyzers use filePath.

Suggested change

	func (a swiftLockAnalyzer) Required(_ string, fileInfo os.FileInfo) bool {
	return fileInfo.Name() == types.SwiftResolved
	}
	func (a swiftLockAnalyzer) Required(filePath string, _ os.FileInfo) bool {
	return path.Base(filePath) == types.SwiftResolved
	}

[DmitriyLewen]

hm.. i don't know why i used FileInfo...
Thanks! Changed in 9d1e8b6

[DmitriyLewen]

Package.Resolved files contain package names (e.g. https://github.com/aquasecurity/go-dep-parser/blob/e39b9645d9b842013a443b800af87608f010a532/pkg/swift/swift/testdata/happy-v1-Package.resolved#L5).
But Package.swift files don't have names. To add dependencies you need to use URL in Package.swift file.

We usually use <pkg_name>@<version> schema for ID.
But use of package name can be confusing.

Peghaps we can use <URL>@<version> for Package.Resolved.

[knqyf263]

We already use <URL>@<version> schema for Go like github.com/aquasecurity/trivy@v0.44.0. Can't we do the same for Swift?

[DmitriyLewen]

You are right. I will add this.

UPD: added changes in 3479840