feat(engine): implement multi-target scanning and result aggregation

Author: tranhoangpich

examples/Payload/BadApp.app/BadApp

@@ -2,20 +2,9 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<!-- Missing NSCameraUsageDescription intentionally to trigger rule failure -->
-    <key>CFBundleIdentifier</key>
-    <string>com.example.BadApp</string>
-    <key>LSApplicationQueriesSchemes</key>
-    <array>
-        <string>fb</string>
-    </array>
-    <key>UIRequiredDeviceCapabilities</key>
-    <array>
-        <string>arm64</string>
-    </array>
-    <key>CFBundleShortVersionString</key>
-    <string>1.0.0</string>
-    <key>CFBundleVersion</key>
-    <string>100</string>
+	<key>CFBundleIdentifier</key>
+	<string>com.verifyos.BadApp</string>
+	<key>CFBundleExecutable</key>
+	<string>BadApp</string>
 </dict>
 </plist>

examples/Payload/BadApp.app/Info.plist

@@ -2,22 +2,27 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>NSCameraUsageDescription</key>
-	<string>Camera is used to scan barcodes.</string>
-    <key>CFBundleIdentifier</key>
-    <string>com.example.GoodApp</string>
-    <key>LSApplicationQueriesSchemes</key>
-    <array>
-        <string>fb</string>
-        <string>twitter</string>
-    </array>
-    <key>UIRequiredDeviceCapabilities</key>
-    <array>
-        <string>arm64</string>
-    </array>
-    <key>CFBundleShortVersionString</key>
-    <string>1.0.0</string>
-    <key>CFBundleVersion</key>
-    <string>100</string>
+	<key>CFBundleIdentifier</key>
+	<string>com.verifyos.GoodApp</string>
+	<key>CFBundleExecutable</key>
+	<string>GoodApp</string>
+	<key>CFBundleName</key>
+	<string>GoodApp</string>
+	<key>CFBundleShortVersionString</key>
+	<string>1.0.0</string>
+	<key>CFBundleVersion</key>
+	<string>1</string>
+	<key>ITSAppUsesNonExemptEncryption</key>
+	<false/>
+	<key>LSApplicationQueriesSchemes</key>
+	<array/>
+	<key>UIRequiredDeviceCapabilities</key>
+	<array>
+		<string>arm64</string>
+	</array>
+    <key>DTXcode</key>
+    <string>1500</string>
+    <key>NSCameraUsageDescription</key>
+    <string>We need camera access to scan QR codes.</string>
 </dict>
 </plist>

examples/Payload/GoodApp.app/GoodApp

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>NSPrivacyCollectedDataTypes</key>
+	<array/>
+	<key>NSPrivacyAccessedAPITypes</key>
+	<array/>
+</dict>
+</plist>

examples/Payload/GoodApp.app/Info.plist

@@ -336,6 +336,7 @@ mod tests {
             rule_name,
             category: RuleCategory::Other,
             severity,
+            target: "Bundle".to_string(),
             recommendation: "",
             report: Ok(report),
             duration_ms: 1,

examples/Payload/GoodApp.app/PrivacyInfo.xcprivacy

@@ -24,6 +24,7 @@ pub struct EngineResult {
     pub rule_name: &'static str,
     pub category: RuleCategory,
     pub severity: Severity,
+    pub target: String,
     pub recommendation: &'static str,
     pub report: Result<RuleReport, RuleError>,
     pub duration_ms: u128,
@@ -61,52 +62,72 @@ impl Engine {
         }
 
         let extracted_ipa = extract_ipa(path)?;
-
-        // Attempt to discover project metadata during extraction
-        let discovered_project_path = extracted_ipa
-            .get_project_path()
+        let targets = extracted_ipa
+            .discover_targets()
             .map_err(|e| OrchestratorError::Extraction(ExtractionError::Io(e)))?;
 
-        let discovered_project = discovered_project_path.as_ref().and_then(|p| {
-            if p.extension().is_some_and(|e| e == "xcworkspace") {
-                crate::parsers::xcworkspace_parser::Xcworkspace::from_path(p)
+        let mut all_results = Vec::new();
+        let mut total_cache_stats = ArtifactCacheStats::default();
+
+        if targets.is_empty() {
+            // Fallback to original logic if no specific targets found
+            let res = self.run_on_bundle_internal(&extracted_ipa.payload_dir, run_started, None)?;
+            return Ok(res);
+        }
+
+        for (target_path, target_type) in targets {
+            let project_context = if target_type == "app" {
+                // Try to find a project context for this app if it's in a larger folder
+                extracted_ipa.get_project_path().ok().flatten().and_then(|p| {
+                    if p.extension().is_some_and(|e| e == "xcworkspace") {
+                        crate::parsers::xcworkspace_parser::Xcworkspace::from_path(&p)
+                            .ok()
+                            .and_then(|ws| ws.project_paths.first().cloned())
+                            .and_then(|proj_path| {
+                                crate::parsers::xcode_parser::XcodeProject::from_path(proj_path).ok()
+                            })
+                    } else {
+                        crate::parsers::xcode_parser::XcodeProject::from_path(&p).ok()
+                    }
+                })
+            } else if target_type == "project" {
+                crate::parsers::xcode_parser::XcodeProject::from_path(&target_path).ok()
+            } else if target_type == "workspace" {
+                crate::parsers::xcworkspace_parser::Xcworkspace::from_path(&target_path)
                     .ok()
                     .and_then(|ws| ws.project_paths.first().cloned())
                     .and_then(|proj_path| {
                         crate::parsers::xcode_parser::XcodeProject::from_path(proj_path).ok()
                     })
             } else {
-                crate::parsers::xcode_parser::XcodeProject::from_path(p).ok()
+                None
+            };
+
+            let app_results =
+                self.run_on_bundle_internal(&target_path, run_started, project_context)?;
+            
+            // Tag results with target name
+            let target_name = target_path
+                .file_name()
+                .map(|n| n.to_string_lossy().into_owned())
+                .unwrap_or_else(|| "Unknown".to_string());
+
+            for mut res in app_results.results {
+                res.target = target_name.clone();
+                all_results.push(res);
             }
-        });
-
-        let app_bundle_path = extracted_ipa
-            .get_app_bundle_path()
-            .map_err(|e| OrchestratorError::Extraction(ExtractionError::Io(e)))?;
 
-        let app_bundle_path = match app_bundle_path {
-            Some(p) => p,
-            None => {
-                // If we found a project but no .app, we can still proceed with the extraction root
-                // as a context and let rules that check project metadata run.
-                if discovered_project_path.is_some() {
-                    extracted_ipa.payload_dir.clone()
-                } else {
-                    let mut entries = Vec::new();
-                    if let Ok(rd) = std::fs::read_dir(&extracted_ipa.payload_dir) {
-                        for entry in rd.flatten().take(10) {
-                            entries.push(entry.file_name().to_string_lossy().into_owned());
-                        }
-                    }
-                    return Err(OrchestratorError::AppBundleNotFoundWithContext(
-                        extracted_ipa.payload_dir.display().to_string(),
-                        entries.join(", "),
-                    ));
-                }
-            }
-        };
+            // Merge stats (simplified)
+            total_cache_stats.nested_bundles.hits += app_results.cache_stats.nested_bundles.hits;
+            total_cache_stats.nested_bundles.misses += app_results.cache_stats.nested_bundles.misses;
+            // ... other stats could be merged if needed, but for now we focus on results
+        }
 
-        self.run_on_bundle_internal(&app_bundle_path, run_started, discovered_project)
+        Ok(EngineRun {
+            results: all_results,
+            total_duration_ms: run_started.elapsed().as_millis(),
+            cache_stats: total_cache_stats,
+        })
     }
 
     pub fn run_on_bundle<P: AsRef<Path>>(
@@ -147,6 +168,10 @@ impl Engine {
                 rule_name: rule.name(),
                 category: rule.category(),
                 severity: rule.severity(),
+                target: app_bundle_path
+                    .file_name()
+                    .map(|n| n.to_string_lossy().into_owned())
+                    .unwrap_or_else(|| "Bundle".to_string()),
                 recommendation: rule.recommendation(),
                 report: res,
                 duration_ms: rule_started.elapsed().as_millis(),

examples/bad_app.ipa

@@ -77,6 +77,33 @@ impl ExtractedIpa {
 
         Ok(project)
     }
+
+    pub fn discover_targets(&self) -> io::Result<Vec<(PathBuf, String)>> {
+        let mut targets = Vec::new();
+        let mut queue = vec![self.payload_dir.clone()];
+
+        while let Some(dir) = queue.pop() {
+            if let Ok(entries) = fs::read_dir(dir) {
+                for entry in entries.flatten() {
+                    let path = entry.path();
+                    if path.is_dir() {
+                        let extension = path.extension().and_then(|e| e.to_str());
+                        match extension {
+                            Some("app") => targets.push((path.clone(), "app".to_string())),
+                            Some("xcodeproj") => targets.push((path.clone(), "project".to_string())),
+                            Some("xcworkspace") => {
+                                targets.push((path.clone(), "workspace".to_string()))
+                            }
+                            _ => queue.push(path),
+                        }
+                    } else if path.extension().and_then(|e| e.to_str()) == Some("ipa") {
+                        targets.push((path.clone(), "ipa".to_string()));
+                    }
+                }
+            }
+        }
+        Ok(targets)
+    }
 }
 
 pub fn extract_ipa<P: AsRef<Path>>(ipa_path: P) -> Result<ExtractedIpa, ExtractionError> {