FOSSA supports Swift and Objective-C Cocoa projects with both CocoaPods and Carthage.
FOSSA uses CocoaPods version ~1.0. If your Podfile was built with an earlier version, it may not build correctly. To upgrade, see doc.
The CocoaPods build system pulls in dependencies based on:
FOSSA derives dependencies by analyzing your Podfile and Podfile.lock files to see which dependencies are brought in. Other metadata is fetched directly from the repository podspec files.
FOSSA allows you to add your own podspec repos as well. This is done via the Language Settings page under Cocoapods Settings. The URL should be of the form https://github.com/artsy/Specs for public repos, and git@github.com:artsy/Specs.git for private repos.
When adding a new spec repo, FOSSA will attempt to automatically add our public key to the GitHub repo.
If your private spec repos are not working in FOSSA, please make sure that the following public key is added to your GitHub settings:
ssh-rsa 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
This is done via the Project Settings deploy key section in your GitHub project.
On-prem users will need to get their public key from the host server (if one doesn't exist, the Cocoapods migration will create a key pair).
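To check a project before scanning, the sketch below reads a Podfile.lock and reports the resolved pods, the spec repos they come from, and the CocoaPods version that wrote the file. It is an added example, not FOSSA's analyzer; the sample lockfile is constructed, and `review` and `registered_repos` (the spec repos you have already added in FOSSA) are hypothetical names.

```python
import re
# Constructed sample Podfile.lock; pods and versions are illustrative only.
SAMPLE_LOCK = """\
PODS:
  - Alamofire (5.4.0)
  - Artsy+UIColors (3.0.0)
  - Moya (14.0.0):
    - Alamofire (~> 5.0)

SPEC REPOS:
  https://github.com/artsy/Specs:
    - Artsy+UIColors
  trunk:
    - Alamofire
    - Moya

COCOAPODS: 1.10.1
"""

def parse_lock(text):
    """Return (resolved pods, pods per spec repo, generating CocoaPods version)."""
    pods, repos, version, section, current = {}, {}, None, None, None
    for line in text.splitlines():
        top = re.match(r'^([A-Z][A-Z ]*):\s*(.*)$', line)
        if top:  # top-level key such as "PODS:" or "COCOAPODS: 1.10.1"
            section, current = top.group(1), None
            if section == "COCOAPODS":
                version = top.group(2).strip()
        elif section == "PODS":  # two-space indent = resolved pod, deeper = its requirements
            m = re.match(r'^  - "?([^\s"]+) \(([^)]+)\)"?:?$', line)
            if m:
                pods[m.group(1)] = m.group(2)
        elif section == "SPEC REPOS":
            key = re.match(r'^  "?(\S.*?)"?:$', line)
            item = re.match(r'^    - "?(.+?)"?$', line)
            if key:
                current = repos.setdefault(key.group(1), [])
            elif item and current is not None:
                current.append(item.group(1))
    return pods, repos, version

def review(text, registered_repos):
    """Flag a pre-1.0 lockfile and spec repos outside the registered set (assumed input)."""
    _, repos, version = parse_lock(text)
    findings = []
    if version is None or int(version.split(".")[0]) < 1:
        findings.append(f"lockfile written by CocoaPods {version}, expected 1.x")
    findings += [f"unregistered spec repo {r}: {', '.join(repos[r])}"
                 for r in repos if r not in registered_repos]
    return findings
```

Calling `review(SAMPLE_LOCK, {"trunk"})` reports the artsy spec repo as unregistered, which is the case where its pods would need that repo added in FOSSA.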
FOSSA scans through your project and analyzes any Cartfile that is found. Cartfile.private and Cartfile.resolved files are ignored. It grabs dependencies based on: