Skip to main content

verifyos_cli/rules/
privacy_manifest.rs

1use crate::parsers::macho_scanner::scan_usage_from_app_bundle;
2use crate::parsers::plist_reader::InfoPlist;
3use crate::rules::core::{
4    AppStoreRule, ArtifactContext, RuleCategory, RuleError, RuleReport, RuleStatus, Severity,
5};
6
7pub struct PrivacyManifestCompletenessRule;
8
9impl AppStoreRule for PrivacyManifestCompletenessRule {
10    fn id(&self) -> &'static str {
11        "RULE_PRIVACY_MANIFEST_COMPLETENESS"
12    }
13
14    fn name(&self) -> &'static str {
15        "Privacy Manifest Completeness"
16    }
17
18    fn category(&self) -> RuleCategory {
19        RuleCategory::Privacy
20    }
21
22    fn severity(&self) -> Severity {
23        Severity::Warning
24    }
25
26    fn recommendation(&self) -> &'static str {
27        "Declare accessed API categories in PrivacyInfo.xcprivacy."
28    }
29
30    fn evaluate(&self, artifact: &ArtifactContext) -> Result<RuleReport, RuleError> {
31        let manifest_path = artifact.app_bundle_path.join("PrivacyInfo.xcprivacy");
32        if !manifest_path.exists() {
33            return Ok(RuleReport {
34                status: RuleStatus::Skip,
35                message: Some("PrivacyInfo.xcprivacy not found".to_string()),
36                evidence: None,
37            });
38        }
39
40        let manifest = InfoPlist::from_file(&manifest_path)
41            .map_err(|_| crate::rules::entitlements::EntitlementsError::ParseFailure)?;
42
43        let scan = match scan_usage_from_app_bundle(artifact.app_bundle_path) {
44            Ok(scan) => scan,
45            Err(err) => {
46                return Ok(RuleReport {
47                    status: RuleStatus::Skip,
48                    message: Some(format!("Usage scan skipped: {err}")),
49                    evidence: None,
50                });
51            }
52        };
53
54        if scan.required_keys.is_empty() && !scan.requires_location_key {
55            return Ok(RuleReport {
56                status: RuleStatus::Pass,
57                message: Some("No usage APIs detected".to_string()),
58                evidence: None,
59            });
60        }
61
62        let has_accessed_api_types = manifest
63            .get_value("NSPrivacyAccessedAPITypes")
64            .and_then(|v| v.as_array())
65            .map(|arr| !arr.is_empty())
66            .unwrap_or(false);
67
68        if has_accessed_api_types {
69            return Ok(RuleReport {
70                status: RuleStatus::Pass,
71                message: None,
72                evidence: None,
73            });
74        }
75
76        Ok(RuleReport {
77            status: RuleStatus::Fail,
78            message: Some("Privacy manifest missing accessed API types".to_string()),
79            evidence: Some("NSPrivacyAccessedAPITypes is missing or empty".to_string()),
80        })
81    }
82}