I'm looking at gathering dependency graphs for builds that use Swift Package Manager. I'd like to know what dependencies went into a build so they can be tracked for security reasons. This is similar to how a tool like Xray collects dependency information for a build, and then can watch for known exploits on library dependencies.
I'm finding there isn't a great way to collect what dependencies went into a build:
- Swift Package's "show-dependencies" subcommand works great, but it only works on Swift packages. I don't think there is a corresponding option for xcodebuild when the final build is an Xcode project. I'm also not sure how archivable or parsable this output is (especially if xcodebuild introduces its own version with different output).
- The manifest file also seems like a good option. Both Xcode and Swift packages maintain this file. But it only captures (I think) dependency state one level deep. If project A depends on library B, and library B depends on library C, only the state of library B is captured. I don't know what version of library C was used for the build.
Has anyone else found a good method or tooling for archiving the state of dependencies for a build?
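One way to turn the pins file into an archivable record, as an added example that is not from the original post nor part of SwiftPM or Xcode: a small Python script that reads Package.resolved in both its version 1 schema (`object.pins`, `package`, `repositoryURL`) and its version 2/3 schema (`pins`, `identity`, `location`), normalizes every pinned package into one sorted line per dependency, flags pins that track a branch instead of an exact version, and diffs the records of two builds so a changed revision stands out. Package.resolved lists every package that resolution pinned, transitive packages included, so the record is the full set. The sample pin files, package names, URLs and revisions are constructed for the example; the location where Xcode keeps the file (`<App>.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved`) is the path the script assumes for Xcode projects, while a standalone package keeps it next to Package.swift.

```python
import json
import sys
from typing import Dict, List

# Constructed sample, version-2 schema (what current SwiftPM and Xcode write).
SAMPLE_V2 = """{
  "pins" : [
    {
      "identity" : "example-networking",
      "kind" : "remoteSourceControl",
      "location" : "https://example.invalid/acme/example-networking.git",
      "state" : { "revision" : "0123456789abcdef0123456789abcdef01234567",
                  "version" : "5.6.4" }
    },
    {
      "identity" : "example-logging",
      "kind" : "remoteSourceControl",
      "location" : "https://example.invalid/acme/example-logging.git",
      "state" : { "branch" : "main",
                  "revision" : "89abcdef0123456789abcdef0123456789abcdef" }
    }
  ],
  "version" : 2
}"""

# Constructed sample, version-1 schema (older SwiftPM/Xcode releases).
SAMPLE_V1 = """{
  "object" : {
    "pins" : [
      {
        "package" : "ExampleNetworking",
        "repositoryURL" : "https://example.invalid/acme/example-networking.git",
        "state" : { "branch" : null,
                    "revision" : "0123456789abcdef0123456789abcdef01234567",
                    "version" : "5.6.4" }
      }
    ]
  },
  "version" : 1
}"""


def identity_from_location(location: str) -> str:
    """Derive a package identity from its URL the way SwiftPM does:
    last path component, without a trailing .git, lowercased."""
    last = location.rstrip("/").rsplit("/", 1)[-1]
    if last.endswith(".git"):
        last = last[:-4]
    return last.lower()


def parse_resolved(text: str) -> List[Dict[str, str]]:
    """Normalize a Package.resolved document (schema 1, 2 or 3) into
    one flat record per pinned package, sorted by identity."""
    doc = json.loads(text)
    schema = doc.get("version")
    if schema == 1:
        pins = doc["object"]["pins"]
    elif schema in (2, 3):
        pins = doc["pins"]
    else:
        raise ValueError(f"unsupported Package.resolved schema: {schema!r}")
    records = []
    for pin in pins:
        state = pin.get("state") or {}
        location = pin.get("location") or pin.get("repositoryURL") or ""
        records.append({
            "identity": (pin.get("identity") or identity_from_location(location)).lower(),
            "location": location,
            "version": state.get("version") or "",
            "branch": state.get("branch") or "",
            "revision": state.get("revision") or "",
        })
    return sorted(records, key=lambda r: r["identity"])


def unpinned(records: List[Dict[str, str]]) -> List[str]:
    """Identities pinned to a branch rather than an exact version: these can
    change between builds without any manifest edit, so they deserve review."""
    return [r["identity"] for r in records if not r["version"]]


def to_lockfile_lines(records: List[Dict[str, str]]) -> List[str]:
    """Deterministic tab-separated lines, suitable for attaching to a build artifact."""
    return [
        f"{r['identity']}\t{r['version'] or 'branch:' + r['branch']}\t{r['revision']}\t{r['location']}"
        for r in records
    ]


def diff_records(before: List[Dict[str, str]], after: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Compare two builds' records by identity; a changed revision counts as a change
    even when the version string is the same."""
    b = {r["identity"]: r for r in before}
    a = {r["identity"]: r for r in after}
    return {
        "added": sorted(set(a) - set(b)),
        "removed": sorted(set(b) - set(a)),
        "changed": sorted(i for i in set(a) & set(b) if a[i]["revision"] != b[i]["revision"]),
    }


if __name__ == "__main__":
    # Usage: python resolved_record.py <path to Package.resolved>
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_V2
    recs = parse_resolved(text)
    print("\n".join(to_lockfile_lines(recs)))
    for ident in unpinned(recs):
        print(f"warning: {ident} tracks a branch, not an exact version", file=sys.stderr)
```

Archiving the emitted lines alongside each build gives a stable record to match against advisories later, and running `diff_records` between the previous and current build's records surfaces a dependency whose revision moved without a visible manifest change.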