Different end results for the same xcarchive and log file

[alminveh]

We have an archive with two targets, one is building a framework (xcframework) and another one is building the app that is consuming the framework. When we run gen-ir multiple times with the same xcarchive and log file we get different end results -> size of the xcarchive after running gen-ir is in range between 700 MB and 3 GB. When we scan files smaller than 1 GB we get partial results (only app files are scanned, framework files are not scanned).

After running gen-ir in the IR directory we have .framework and .app. When we get a valid result (files greater than 1 GB) we have all the files from .framework also in the .app directory. When we get a file smaller than 1 GB, in the .app directory we don't have any framework files.

[KrishnaRLolage]

For e.g.
There are 2 targets in the .xcprojects
1. First target is to create iOS framework (MACH_O_TYPE = static library). Lets call it A.framework
2. Second target is a application, MyApp.app, which has a dependency on the first target A.framework

Our Objective:
- Our objective is to static scan the A.framework's code as this is our product

Afaik, Veracode does not support scanning an iOS framework or xcFramework and so we followed the below steps.
Steps
1. We create archive of MyApp.app using the "xcodebuild clean && xcodebuild build......." cmd
3. After archive build is succeeded, we run the "gen-ir build_log.txt ........" cmd
4. The existing app archive is modified by the gen-ir tool (a new folder named IR is added) and inside the IR folder we see there is MyApp.app and inside the app we see all the source files for MyApp.app and A.framework as well

The issue:
At step 4, from the steps above, sometimes gen-ir does not add the source files from A.framework target to MyApp.app in IR folder and so when we submit this package for Veracode static scan, the framework's source files are not getting scanned.

[NinjaLikesCheez]

Thank you for your report - I'll raise this internall today.

In the meantime, could you try the same run against our latest 0.5.0-alpha build and see if you have the same results? You can install this with brew install [email protected] and then brew link [email protected].

As for the issue with frameworks - you can scan frameworks as standalone artefacts with Veracode SAST. You may need to adjust your build settings so that Xcode correctly places your framework into the xcarchive bundle - but once that's there you should be able to upload it to the platform for scanning.

[KrishnaRLolage]

Hi, thanks for the reply. We tried with the alpha version and the results seems to be promising and consistent 👍

While, the other thing, scan framework as standalone artefacts, I tried to upload a archive of framework target on veracode portal (after gen-ir cmd) but the I am seeing this issue after pre-scan
==> There are no entry points found in the uploaded files.

Could you enlighten me how to scan framework as standalone artefacts, is there any documentation or steps?

[NinjaLikesCheez]

Hi @KrishnaRLolage,

It may be worth opening a support ticket so we can inspect the upload and determine what may need to change in your packaging. Glad to hear that the alpha version resolves your issue.

In general, you can set the SKIP_INSTALL build setting to NO then archive the framework - this will force Xcode to copy the framework into the archive which is normally skips, then you can run Gen IR and upload.

[KrishnaRLolage]

while using SKIP_INSTALL=NO, the gen-ir command fails with below error, even for a app target.

Error: tooManyDirectories("Expected exactly one target folder at path: file:///<project_path>/Intermediates.noindex/ArchiveIntermediates, but found: [].\nPlease manually clear your derived data before rebuilding.")