verifyos-cli 0.13.1

AI agent-friendly Rust CLI for scanning iOS app bundles for App Store rejection risks before submission.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110

use crate::parsers::plist_reader::InfoPlist;
use crate::rules::core::{
    AppStoreRule, ArtifactContext, RuleCategory, RuleError, RuleReport, RuleStatus, Severity,
};

pub struct PrivacyManifestCompletenessRule;

impl AppStoreRule for PrivacyManifestCompletenessRule {
    fn id(&self) -> &'static str {
        "RULE_PRIVACY_MANIFEST_COMPLETENESS"
    }

    fn name(&self) -> &'static str {
        "Privacy Manifest Completeness"
    }

    fn category(&self) -> RuleCategory {
        RuleCategory::Privacy
    }

    fn severity(&self) -> Severity {
        Severity::Warning
    }

    fn recommendation(&self) -> &'static str {
        "Declare accessed API categories in PrivacyInfo.xcprivacy."
    }

    fn evaluate(&self, artifact: &ArtifactContext) -> Result<RuleReport, RuleError> {
        let Some(manifest_path) = artifact.bundle_relative_file("PrivacyInfo.xcprivacy") else {
            return Ok(RuleReport {
                status: RuleStatus::Skip,
                message: Some("PrivacyInfo.xcprivacy not found".to_string()),
                evidence: None,
            });
        };

        let manifest = match InfoPlist::from_file(&manifest_path) {
            Ok(m) => m,
            Err(_) => {
                return Ok(RuleReport {
                    status: RuleStatus::Skip,
                    message: Some(
                        "PrivacyInfo.xcprivacy is empty or invalid; skipping".to_string(),
                    ),
                    evidence: Some(manifest_path.display().to_string()),
                });
            }
        };

        let scan = match artifact.usage_scan() {
            Ok(scan) => scan,
            Err(err) => {
                return Ok(RuleReport {
                    status: RuleStatus::Skip,
                    message: Some(format!("Usage scan skipped: {err}")),
                    evidence: None,
                });
            }
        };

        if scan.required_keys.is_empty() && !scan.requires_location_key {
            return Ok(RuleReport {
                status: RuleStatus::Pass,
                message: Some("No usage APIs detected".to_string()),
                evidence: None,
            });
        }

        let declared_types: std::collections::HashSet<String> = manifest
            .get_value("NSPrivacyAccessedAPITypes")
            .and_then(|v| v.as_array())
            .map(|arr| {
                arr.iter()
                    .filter_map(|v| {
                        v.as_dictionary()
                            .and_then(|d| d.get("NSPrivacyAccessedAPIType"))
                            .and_then(|t| t.as_string())
                            .map(|s| s.to_string())
                    })
                    .collect()
            })
            .unwrap_or_default();

        let mut missing_categories = Vec::new();
        for cat in &scan.privacy_categories {
            if !declared_types.contains(*cat) {
                missing_categories.push(*cat);
            }
        }

        if missing_categories.is_empty() {
            return Ok(RuleReport {
                status: RuleStatus::Pass,
                message: None,
                evidence: None,
            });
        }

        missing_categories.sort();
        Ok(RuleReport {
            status: RuleStatus::Fail,
            message: Some("Privacy manifest missing required API declarations".to_string()),
            evidence: Some(format!(
                "Missing categories in NSPrivacyAccessedAPITypes: {}",
                missing_categories.join(", ")
            )),
        })
    }
}