diff --git a/go.mod b/go.mod index 8a15f159b..4e6bc6736 100644 --- a/go.mod +++ b/go.mod @@ -6,17 +6,17 @@ require ( github.com/go-git/go-git/v5 v5.16.3 github.com/golang/mock v1.6.0 github.com/google/go-github/v45 v45.2.0 - github.com/jfrog/build-info-go v1.12.4 + github.com/jfrog/build-info-go v1.12.5-0.20251209031413-f5f0e93dc8db github.com/jfrog/froggit-go v1.20.6 github.com/jfrog/gofrog v1.7.6 - github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251118100843-ac34330a70d3 - github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451 - github.com/jfrog/jfrog-cli-security v1.22.0 - github.com/jfrog/jfrog-client-go v1.55.1-0.20251119183924-d765eb708cec + github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251210074251-c15fabe27f7f + github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251125083543-e689762c4ff0 + github.com/jfrog/jfrog-cli-security v1.24.0 + github.com/jfrog/jfrog-client-go v1.55.1-0.20251209090954-d6b1c70d3a5e github.com/owenrumney/go-sarif/v3 v3.2.3 github.com/stretchr/testify v1.11.1 github.com/urfave/cli/v2 v2.27.7 - golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 + golang.org/x/exp v0.0.0-20251125195548-87e1e737ad39 ) require ( @@ -29,9 +29,11 @@ require ( github.com/buger/jsonparser v1.1.1 // indirect github.com/c-bata/go-prompt v0.2.6 // indirect github.com/chzyer/readline v1.5.1 // indirect + github.com/clipperhouse/stringish v0.1.1 // indirect + github.com/clipperhouse/uax29/v2 v2.3.0 // indirect github.com/cloudflare/circl v1.6.1 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect - github.com/cyphar/filepath-securejoin v0.4.1 // indirect + github.com/cyphar/filepath-securejoin v0.6.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect github.com/emirpasic/gods v1.18.1 // indirect 
@@ -58,19 +60,19 @@ require (
 github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 github.com/hashicorp/yamux v0.1.1 // indirect
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
- github.com/jedib0t/go-pretty/v6 v6.6.8 // indirect
+ github.com/jedib0t/go-pretty/v6 v6.7.5 // indirect
 github.com/jfrog/archiver/v3 v3.6.1 // indirect
 github.com/jfrog/jfrog-apps-config v1.0.1 // indirect
 github.com/kevinburke/ssh_config v1.2.0 // indirect
- github.com/klauspost/compress v1.18.0 // indirect
+ github.com/klauspost/compress v1.18.1 // indirect
 github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 github.com/klauspost/pgzip v1.2.6 // indirect
 github.com/ktrysmt/go-bitbucket v0.9.80 // indirect
 github.com/manifoldco/promptui v0.9.0 // indirect
 github.com/mattn/go-colorable v0.1.14 // indirect
 github.com/mattn/go-isatty v0.0.20 // indirect
- github.com/mattn/go-runewidth v0.0.16 // indirect
- github.com/mattn/go-tty v0.0.3 // indirect
+ github.com/mattn/go-runewidth v0.0.19 // indirect
+ github.com/mattn/go-tty v0.0.7 // indirect
 github.com/microsoft/azure-devops-go-api/azuredevops/v7 v7.1.0 // indirect
 github.com/minio/sha256-simd v1.0.1 // indirect
 github.com/mitchellh/mapstructure v1.5.0 // indirect
@@ -85,10 +87,9 @@ require (
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/rivo/uniseg v0.4.7 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
- github.com/sagikazarmark/locafero v0.11.0 // indirect
+ github.com/sagikazarmark/locafero v0.12.0 // indirect
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 github.com/skeema/knownhosts v1.3.1 // indirect
- github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
 github.com/spf13/afero v1.15.0 // indirect
 github.com/spf13/cast v1.10.0 // indirect
 github.com/spf13/pflag v1.0.10 // indirect
@@ -107,23 +108,25 @@ require ( github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/crypto v0.45.0 // indirect - golang.org/x/mod v0.29.0 // indirect + golang.org/x/mod v0.30.0 // indirect golang.org/x/net v0.47.0 // indirect - golang.org/x/oauth2 v0.31.0 // indirect + golang.org/x/oauth2 v0.33.0 // indirect golang.org/x/sync v0.18.0 // indirect golang.org/x/sys v0.38.0 // indirect golang.org/x/term v0.37.0 // indirect golang.org/x/text v0.31.0 // indirect golang.org/x/time v0.12.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8 // indirect - google.golang.org/grpc v1.67.3 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect + google.golang.org/grpc v1.72.1 // indirect google.golang.org/protobuf v1.36.8 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) -// replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security dev +// fix-sbom-component-ref-compare +//attiasas:update_ftoggit_1_20_6 +replace github.com/jfrog/jfrog-cli-security => github.com/kerenr-jfrog/jfrog-cli-security v0.0.0-20251210110046-5c022222a67c // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev @@ -131,6 +134,7 @@ require ( // replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go dev -// replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go dev +// attiasas:fix_cdx_remediation_api +replace github.com/jfrog/jfrog-client-go => github.com/attiasas/jfrog-client-go v0.0.0-20251210093930-2b29e73a9eb0 // replace github.com/jfrog/froggit-go => github.com/jfrog/froggit-go master diff --git a/go.sum b/go.sum index fad07a39f..40b622f63 100644 --- a/go.sum +++ b/go.sum 
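Review bot: Two live `replace` directives now route this module's security-scanning dependencies to personal forks — `github.com/jfrog/jfrog-cli-security => github.com/kerenr-jfrog/jfrog-cli-security v0.0.0-20251210110046-5c022222a67c` in the `@@ -107` hunk and `github.com/jfrog/jfrog-client-go => github.com/attiasas/jfrog-client-go v0.0.0-20251210093930-2b29e73a9eb0` in the `@@ -131` hunk — so every build compiles scanner and platform-client code from repositories outside the `jfrog` organization, pinned to pseudo-versions of what the comments (`fix-sbom-component-ref-compare`, `fix_cdx_remediation_api`) describe as unreleased fix branches. go.sum pins the content hashes, but the forks are individually controlled and can be force-pushed or deleted, which makes the build non-reproducible from the org's own sources and widens the set of accounts whose compromise changes what this scanner ships. The file's own convention for in-progress work is the commented `// replace ... dev` template these lines overwrite, so the directives should be removed again and the upstream pseudo-versions in the `require` block bumped before this reaches a release branch, ideally marked now with `// TODO: remove once jfrog/jfrog-cli-security and jfrog/jfrog-client-go include these fixes`. The comment `//attiasas:update_ftoggit_1_20_6` also looks like a typo for `froggit`.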
@@ -21,6 +21,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/attiasas/jfrog-client-go v0.0.0-20251210093930-2b29e73a9eb0 h1:Xc39FpfwsS2F0eVKmQ2KyMpb/7Yluk56jgLVCd90mT4= +github.com/attiasas/jfrog-client-go v0.0.0-20251210093930-2b29e73a9eb0/go.mod h1:WQ5Y+oKYyHFAlCbHN925bWhnShTd2ruxZ6YTpb76fpU= github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M= github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0= github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA= 
@@ -38,13 +40,17 @@ github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObk github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04= github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8= +github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfatpWHKCs= +github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA= +github.com/clipperhouse/uax29/v2 v2.3.0 h1:SNdx9DVUqMoBuBoW3iLOj4FQv3dN5mDtuqwuhIGpJy4= +github.com/clipperhouse/uax29/v2 v2.3.0/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g= github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0= github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs= github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo= github.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= -github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= +github.com/cyphar/filepath-securejoin v0.6.0 h1:BtGB77njd6SVO6VztOHfPxKitJvd/VPT+OFBFMOi1Is= +github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -77,6 +83,10 @@ github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMj github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= github.com/go-git/go-git/v5 v5.16.3 h1:Z8BtvxZ09bYm/yYNgPKCzgWtaRqDTgIKRgIRHBfU6Z8= github.com/go-git/go-git/v5 v5.16.3/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs= github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/gocarina/gocsv v0.0.0-20240520201108-78e41c74b4b1 h1:FWNFq4fM1wPfcK40yHE5UO3RUdSNPaBC+j3PokzA6OQ= 
@@ -124,35 +134,33 @@ github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= -github.com/jedib0t/go-pretty/v6 v6.6.8 h1:JnnzQeRz2bACBobIaa/r+nqjvws4yEhcmaZ4n1QzsEc= -github.com/jedib0t/go-pretty/v6 v6.6.8/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU= +github.com/jedib0t/go-pretty/v6 v6.7.5 h1:9dJSWTJnsXJVVAbvxIFxeHf/JxoJd7GUl5o3UzhtuiM= +github.com/jedib0t/go-pretty/v6 v6.7.5/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU= github.com/jfrog/archiver/v3 v3.6.1 h1:LOxnkw9pOn45DzCbZNFV6K0+6dCsQ0L8mR3ZcujO5eI= github.com/jfrog/archiver/v3 v3.6.1/go.mod h1:VgR+3WZS4N+i9FaDwLZbq+jeU4B4zctXL+gL4EMzfLw= -github.com/jfrog/build-info-go v1.12.4 h1:eoHoJDOF7Rx2gAOAXEAjbEIpnH+4y5ha2quQT48Py3Q= -github.com/jfrog/build-info-go v1.12.4/go.mod h1:NEJwH1HxzhtWuiT8eR/anbjT0A3OyLBWpZZrDJs+hWQ= +github.com/jfrog/build-info-go v1.12.5-0.20251209031413-f5f0e93dc8db h1:5q4hUqZVl7Xt+R+ono5lDH1/lkvV1spnfDtp0VtJqlo= +github.com/jfrog/build-info-go v1.12.5-0.20251209031413-f5f0e93dc8db/go.mod h1:9W4U440fdTHwW1HiB/R0VQvz/5q8ZHsms9MWcq+JrdY= github.com/jfrog/froggit-go v1.20.6 h1:Xp7+LlEh0m1KGrQstb+u0aGfjRUtv1eh9xQBV3571jQ= github.com/jfrog/froggit-go v1.20.6/go.mod h1:obSG1SlsWjktkuqmKtpq7MNTTL63e0ot+ucTnlOMV88= github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s= github.com/jfrog/gofrog v1.7.6/go.mod h1:ntr1txqNOZtHplmaNd7rS4f8jpA5Apx8em70oYEe7+4= github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY= github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w= -github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251118100843-ac34330a70d3 
h1:sIjwBWBmyb7UEqP0IhQ22CWOedOPlNetyHzECS3sUyA= -github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251118100843-ac34330a70d3/go.mod h1:3hLZrM2xT+PkIevIGret4x1xDFTaVoNu3h374QnrKyc= -github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451 h1:Q0PY8VSOVsfvXzKiUnn+Rv7Ynf901QW6Wn1CbWpHBD0= -github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451/go.mod h1:UOeOwEEmRIi57cRwghN5OBVoqkJieYQQfLpeqw8Yv38= -github.com/jfrog/jfrog-cli-security v1.22.0 h1:KNovA+BA1IpE0c0jI6jWF33fOimgylR9a7T84ZmgNJI= -github.com/jfrog/jfrog-cli-security v1.22.0/go.mod h1:uoACrGyWZViNPU0STC0fF38bVKtNXjm3hzWW/DKI0DY= -github.com/jfrog/jfrog-client-go v1.55.1-0.20251119183924-d765eb708cec h1:tNfeGi/2FuxIUSi8urFZuqa33grynAHwLRH6iIK/DB0= -github.com/jfrog/jfrog-client-go v1.55.1-0.20251119183924-d765eb708cec/go.mod h1:ureS+L3wNs0qYUBSwH8C9PjwnraTX9ibZu7JkaqjO/E= +github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251210074251-c15fabe27f7f h1:aoYtLX8ImiaYmStWeTXllidkMy1Hpet/TGOjicf1WhU= +github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251210074251-c15fabe27f7f/go.mod h1:wKTWZqomaLxrHuvVF4iryZ8V4rn6h2y09jbuOBVRQUY= +github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251125083543-e689762c4ff0 h1:EsasTBE5i2MyCESS/icZxKIlObpGiOyW9K67MAaEWco= +github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251125083543-e689762c4ff0/go.mod h1:d9aADumiyjCBvZLffp8wldvP9XFHxcvk2PoOSUYms2g= github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c= github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo= github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k= github.com/k0kubun/pp v3.0.1+incompatible/go.mod h1:GWse8YhT0p8pT4ir3ZgBbfZild3tgzSScAn6HmfYukg= +github.com/kerenr-jfrog/jfrog-cli-security v0.0.0-20251210110046-5c022222a67c h1:cdu69MmULzpDwRtVGQwyjnChlo4f4OA3K/6mLQQWLMs= +github.com/kerenr-jfrog/jfrog-cli-security v0.0.0-20251210110046-5c022222a67c/go.mod 
h1:mKaAAEI1avRih1vFw9OZE5b5l0H1SkHuTb/hvqjsbbs= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= -github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= -github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= +github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co= +github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0= github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y= github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0= 
@@ -189,10 +197,11 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= -github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= -github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= -github.com/mattn/go-tty v0.0.3 h1:5OfyWorkyO7xP52Mq7tB36ajHDG5OHrmBGIS/DtakQI= +github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw= +github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs= github.com/mattn/go-tty v0.0.3/go.mod h1:ihxohKRERHTVzN+aSVRwACLCeqIoZAWpoICkkvrWyR0= +github.com/mattn/go-tty v0.0.7 h1:KJ486B6qI8+wBO7kQxYgmmEFDaFEE96JMBQ7h400N8Q= +github.com/mattn/go-tty v0.0.7/go.mod h1:f2i5ZOvXBU/tCABmLmOfzLz9azMo5wdAaElRNnJKr+k= github.com/microsoft/azure-devops-go-api/azuredevops/v7 v7.1.0 h1:mmJCWLe63QvybxhW1iBmQWEaCKdc4SKgALfTNZ+OphU= github.com/microsoft/azure-devops-go-api/azuredevops/v7 v7.1.0/go.mod h1:mDunUZ1IUJdJIRHvFb+LPBUtxe3AYB5MI6BMXNg8194= github.com/minio/sha256-simd v1.0.1 h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM= 
@@ -226,7 +235,6 @@ github.com/pkg/term v1.2.0-beta.2/go.mod h1:E25nymQcrSllhX42Ok8MRm1+hyBdHY0dCeiK github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= 
@@ -235,15 +243,13 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc= -github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik= +github.com/sagikazarmark/locafero v0.12.0 h1:/NQhBAkUb4+fH1jivKHWusDYFjMOOKU88eegjfxfHb4= +github.com/sagikazarmark/locafero v0.12.0/go.mod h1:sZh36u/YSZ918v0Io+U9ogLYQJ9tLLBmM4eneO6WwsI= github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8= github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8= github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY= -github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw= -github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U= github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I= github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg= github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY= 
@@ -303,6 +309,18 @@ github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZ github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= +go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= +go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY= +go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI= +go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ= +go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE= +go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A= +go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU= +go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk= +go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w= +go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k= +go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 
@@ -313,13 +331,13 @@ golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDf golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q= golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4= -golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY= -golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70= +golang.org/x/exp v0.0.0-20251125195548-87e1e737ad39 h1:DHNhtq3sNNzrvduZZIiFyXWOL9IWaDPHqTnLJp+rCBY= +golang.org/x/exp v0.0.0-20251125195548-87e1e737ad39/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA= -golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w= +golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk= +golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 
@@ -337,8 +355,8 @@ golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= -golang.org/x/oauth2 v0.31.0 h1:8Fq0yVZLh4j4YA47vHKFTa9Ew5XIrCP8LC6UeNZnLxo= -golang.org/x/oauth2 v0.31.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo= +golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -404,17 +422,17 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ= -golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs= +golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ= +golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8 h1:TqExAhdPaB60Ux47Cn0oLV07rGnxZzIsaRhQaqS666A= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8/go.mod h1:lcTa1sDdWEIHMWlITnIczmw5w60CF9ffkb8Z+DVmmjA= -google.golang.org/grpc v1.67.3 h1:OgPcDAFKHnH8X3O4WcO4XUc8GRDeKsKReqbQtiCj7N8= -google.golang.org/grpc v1.67.3/go.mod h1:YGaHCc6Oap+FzBJTZLBzkGSYt/cvGPFTPxkn7QfSU8s= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I= +google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA= +google.golang.org/grpc 
v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc= google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/scanpullrequest/scanpullrequest.go b/scanpullrequest/scanpullrequest.go index 52ea18769..4b529e873 100644 --- a/scanpullrequest/scanpullrequest.go +++ b/scanpullrequest/scanpullrequest.go @@ -14,12 +14,12 @@ import ( "github.com/jfrog/froggit-go/vcsclient" "github.com/jfrog/froggit-go/vcsutils" "github.com/jfrog/jfrog-cli-security/utils/formats" + "github.com/jfrog/jfrog-cli-security/utils/formats/violationutils" "github.com/jfrog/jfrog-cli-security/utils/jasutils" "github.com/jfrog/jfrog-cli-security/utils/results" "github.com/jfrog/jfrog-cli-security/utils/results/conversion" "github.com/jfrog/jfrog-cli-security/utils/xsc" "github.com/jfrog/jfrog-client-go/utils/log" - "github.com/owenrumney/go-sarif/v3/pkg/report/v210/sarif" ) const ( @@ -158,7 +158,6 @@ func createBaseScanDetails(repoConfig *utils.Repository, client vcsclient.VcsCli SetResultsContext(repositoryCloneUrl, repoConfig.Params.JFrogPlatform.Watches, repoConfig.Params.JFrogPlatform.JFrogProjectKey, repoConfig.Params.JFrogPlatform.IncludeVulnerabilities, len(repoConfig.Params.Scan.AllowedLicenses) > 0). SetFixableOnly(repoConfig.Params.Scan.FixableOnly). SetConfigProfile(repoConfig.Params.Scan.ConfigProfile). - SetSkipAutoInstall(repoConfig.Params.Scan.SkipAutoInstall). SetXscPRGitInfoContext(repoConfig.Params.Git.Project, client, repoConfig.Params.Git.PullRequestDetails). SetDiffScan(!repoConfig.Params.JFrogPlatform.IncludeVulnerabilities). SetAllowPartialResults(repoConfig.Params.Scan.AllowPartialResults) 
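Review bot: `repoConfig.Params.Scan.SkipAutoInstall` is no longer consumed by `createBaseScanDetails` after the `@@ -158` hunk drops `SetSkipAutoInstall(repoConfig.Params.Scan.SkipAutoInstall)` from the builder chain, so a repository configuration that sets it now gets the default auto-install behaviour with no error or warning; the same silent-ignore applies to `repoConfig.Params.Scan.AllowedLicenses`, which the next hunk (`@@ -250`) stops passing to `scanResultsToIssuesCollection`. If the upgraded `jfrog-cli-core`/`jfrog-cli-security` now take these through another path (the `SetResultsContext(...)` call just above still receives `len(repoConfig.Params.Scan.AllowedLicenses) > 0`, but only as a flag, and nothing visible here carries the skip-install value), a one-line comment at the chain saying where each setting now lands would stop the next reader from re-adding them. If they are genuinely unsupported, the two config fields should be marked deprecated or rejected when set, rather than accepted and dropped. `createBaseScanDetails` begins and ends outside the hunk.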
@@ -250,7 +249,7 @@ func auditPullRequestSourceCode(repoConfig *utils.Repository, scanDetails *utils } // Convert to issues - if issues, e := scanResultsToIssuesCollection(scanResults, repoConfig.Params.Scan.AllowedLicenses, workingDirs...); e == nil { + if issues, e := scanResultsToIssuesCollection(scanResults, workingDirs...); e == nil { issuesCollection = issues return } else { 
@@ -279,109 +278,92 @@ func filterOutFailedScansIfAllowPartialResultsEnabled(targetResults, sourceResul targetResult := targetResults.Targets[idx] sourceResult := sourceResults.Targets[idx] - filterOutScaResultsIfScanFailed(targetResult, sourceResult) - filterJasResultsIfScanFailed(targetResult, sourceResult, jasutils.Applicability) - filterJasResultsIfScanFailed(targetResult, sourceResult, jasutils.Secrets) - filterJasResultsIfScanFailed(targetResult, sourceResult, jasutils.IaC) - filterJasResultsIfScanFailed(targetResult, sourceResult, jasutils.Sast) + filterOutScaResultsIfScanFailed(targetResult, sourceResult, sourceResults.Violations) + filterJasResultsIfScanFailed(targetResult, sourceResult, results.CmdStepContextualAnalysis) + filterJasResultsIfScanFailed(targetResult, sourceResult, results.CmdStepSecrets) + filterJasResultsIfScanFailed(targetResult, sourceResult, results.CmdStepIaC) + filterJasResultsIfScanFailed(targetResult, sourceResult, results.CmdStepSast) } return nil } -func filterJasResultsIfScanFailed(targetResult, sourceResult *results.TargetResults, scanType jasutils.JasScanType) { - switch scanType { - case jasutils.Applicability: - if isJasScanFailedInSourceOrTarget(sourceResult.JasResults.ApplicabilityScanResults, targetResult.JasResults.ApplicabilityScanResults) { - log.Debug(fmt.Sprintf(vulnerabilitiesFilteringErrorMessage, scanType.String())) +func filterJasResultsIfScanFailed(targetResult, sourceResult *results.TargetResults, cmdStep results.SecurityCommandStep) { + sourceResults := []*results.TargetResults{sourceResult} + targetResults := []*results.TargetResults{targetResult} + switch cmdStep { + case results.CmdStepContextualAnalysis: + if isScanFailedInSourceOrTarget(sourceResults, targetResults, cmdStep) { + log.Debug(fmt.Sprintf(vulnerabilitiesFilteringErrorMessage, cmdStep)) sourceResult.JasResults.ApplicabilityScanResults = nil } - case jasutils.Secrets: - if 
isJasScanFailedInSourceOrTarget(sourceResult.JasResults.JasVulnerabilities.SecretsScanResults, targetResult.JasResults.JasVulnerabilities.SecretsScanResults) { - log.Debug(fmt.Sprintf(vulnerabilitiesFilteringErrorMessage, scanType.String())) + case results.CmdStepSecrets: + if isScanFailedInSourceOrTarget(sourceResults, targetResults, cmdStep) { + log.Debug(fmt.Sprintf(vulnerabilitiesFilteringErrorMessage, cmdStep)) sourceResult.JasResults.JasVulnerabilities.SecretsScanResults = nil } - - if (sourceResult.JasResults.JasViolations.SecretsScanResults != nil || targetResult.JasResults.JasViolations.SecretsScanResults != nil) && isJasScanFailedInSourceOrTarget(sourceResult.JasResults.JasViolations.SecretsScanResults, targetResult.JasResults.JasViolations.SecretsScanResults) { - log.Debug(fmt.Sprintf(violationsFilteringErrorMessage, scanType.String())) + if (sourceResult.JasResults.JasViolations.SecretsScanResults != nil || targetResult.JasResults.JasViolations.SecretsScanResults != nil) && + isScanFailedInSourceOrTarget(sourceResults, targetResults, cmdStep) { + log.Debug(fmt.Sprintf(violationsFilteringErrorMessage, cmdStep)) sourceResult.JasResults.JasViolations.SecretsScanResults = nil } - case jasutils.IaC: - if isJasScanFailedInSourceOrTarget(sourceResult.JasResults.JasVulnerabilities.IacScanResults, targetResult.JasResults.JasVulnerabilities.IacScanResults) { - log.Debug(fmt.Sprintf(vulnerabilitiesFilteringErrorMessage, scanType.String())) + case results.CmdStepIaC: + if isScanFailedInSourceOrTarget(sourceResults, targetResults, cmdStep) { + log.Debug(fmt.Sprintf(vulnerabilitiesFilteringErrorMessage, cmdStep)) sourceResult.JasResults.JasVulnerabilities.IacScanResults = nil } - if (sourceResult.JasResults.JasViolations.IacScanResults != nil || targetResult.JasResults.JasViolations.IacScanResults != nil) && isJasScanFailedInSourceOrTarget(sourceResult.JasResults.JasViolations.IacScanResults, targetResult.JasResults.JasViolations.IacScanResults) { - 
log.Debug(fmt.Sprintf(violationsFilteringErrorMessage, scanType.String())) + if (sourceResult.JasResults.JasViolations.IacScanResults != nil || targetResult.JasResults.JasViolations.IacScanResults != nil) && isScanFailedInSourceOrTarget(sourceResults, targetResults, cmdStep) { + log.Debug(fmt.Sprintf(violationsFilteringErrorMessage, cmdStep)) sourceResult.JasResults.JasViolations.IacScanResults = nil } - case jasutils.Sast: - if isJasScanFailedInSourceOrTarget(sourceResult.JasResults.JasVulnerabilities.SastScanResults, targetResult.JasResults.JasVulnerabilities.SastScanResults) { - log.Debug(fmt.Sprintf(vulnerabilitiesFilteringErrorMessage, scanType.String())) + case results.CmdStepSast: + if isScanFailedInSourceOrTarget(sourceResults, targetResults, cmdStep) { + log.Debug(fmt.Sprintf(vulnerabilitiesFilteringErrorMessage, cmdStep)) sourceResult.JasResults.JasVulnerabilities.SastScanResults = nil } - if (sourceResult.JasResults.JasViolations.SastScanResults != nil || targetResult.JasResults.JasViolations.SastScanResults != nil) && isJasScanFailedInSourceOrTarget(sourceResult.JasResults.JasViolations.SastScanResults, targetResult.JasResults.JasViolations.SastScanResults) { - log.Debug(fmt.Sprintf(violationsFilteringErrorMessage, scanType.String())) + if (sourceResult.JasResults.JasViolations.SastScanResults != nil || targetResult.JasResults.JasViolations.SastScanResults != nil) && isScanFailedInSourceOrTarget(sourceResults, targetResults, cmdStep) { + log.Debug(fmt.Sprintf(violationsFilteringErrorMessage, cmdStep)) sourceResult.JasResults.JasViolations.SastScanResults = nil } } } -func isJasScanFailedInSourceOrTarget(sourceResults, targetResults []results.ScanResult[[]*sarif.Run]) bool { +func isScanFailedInSourceOrTarget(sourceResults, targetResults []*results.TargetResults, step results.SecurityCommandStep) bool { for _, scanResult := range sourceResults { - if scanResult.StatusCode != 0 { + if scanResult.ResultsStatus.IsScanFailed(step) { return true } } for _, 
scanResult := range targetResults { - if scanResult.StatusCode != 0 { + if scanResult.ResultsStatus.IsScanFailed(step) { return true } } return false } -func filterOutScaResultsIfScanFailed(targetResult, sourceResult *results.TargetResults) { +func filterOutScaResultsIfScanFailed(targetResult, sourceResult *results.TargetResults, sourceViolations *violationutils.Violations) { // Filter out new Sca results - if sourceResult.ScaResults.ScanStatusCode != 0 || targetResult.ScaResults.ScanStatusCode != 0 { - var statusCode int + if sourceResult.ResultsStatus.IsScanFailed(results.CmdStepSca) || targetResult.ResultsStatus.IsScanFailed(results.CmdStepSca) { + var statusCode *int var errorSource string - if sourceResult.ScaResults.ScanStatusCode != 0 { - statusCode = sourceResult.ScaResults.ScanStatusCode + if sourceResult.ResultsStatus.IsScanFailed(results.CmdStepSca) { + statusCode = sourceResult.ResultsStatus.ScaScanStatusCode errorSource = "source" } else { - statusCode = targetResult.ScaResults.ScanStatusCode + statusCode = targetResult.ResultsStatus.ScaScanStatusCode errorSource = "target" } log.Debug(fmt.Sprintf("Sca scan on %s code has completed with errors (status %d). Sca vulnerability results will be removed from final report", errorSource, statusCode)) sourceResult.ScaResults.Sbom = nil - if sourceResult.ScaResults.Violations != nil { + if sourceViolations != nil && sourceViolations.Sca != nil { log.Debug(fmt.Sprintf("Sca scan on %s has completed with errors (status %d). 
Sca violations results will be removed from final report", errorSource, statusCode)) - sourceResult.ScaResults.Violations = nil + sourceViolations.Sca = nil } } - // Note: Although we have a slice on ScanResults in DeprecatedXrayResults, in fact there is only a single entry - hasScaFailure := false - for _, deprecatedScaResult := range targetResult.ScaResults.DeprecatedXrayResults { - if deprecatedScaResult.StatusCode != 0 { - hasScaFailure = true - break - } - } - for _, deprecatedScaResult := range sourceResult.ScaResults.DeprecatedXrayResults { - if deprecatedScaResult.StatusCode != 0 { - hasScaFailure = true - break - } - } - if hasScaFailure { - log.Debug("Sca scan has completed with errors. Sca vulnerabilities and violations results will be removed from final report") - // Violations are being filtered as well as they are included in the DeprecatedXrayResults - sourceResult.ScaResults.DeprecatedXrayResults = nil - } } // Sorts the Targets slice in both targetResults and sourceResults @@ -404,11 +386,10 @@ func sortTargetsByPhysicalLocation(targetResults, sourceResults *results.Securit return nil } -func scanResultsToIssuesCollection(scanResults *results.SecurityCommandResults, allowedLicenses []string, workingDirs ...string) (issuesCollection *issues.ScansIssuesCollection, err error) { +func scanResultsToIssuesCollection(scanResults *results.SecurityCommandResults, workingDirs ...string) (issuesCollection *issues.ScansIssuesCollection, err error) { simpleJsonResults, err := conversion.NewCommandResultsConvertor(conversion.ResultConvertParams{ IncludeVulnerabilities: scanResults.IncludesVulnerabilities(), HasViolationContext: scanResults.HasViolationContext(), - AllowedLicenses: allowedLicenses, IncludeLicenses: true, SimplifiedOutput: true, }).ConvertToSimpleJson(scanResults) diff --git a/scanpullrequest/scanpullrequest_test.go b/scanpullrequest/scanpullrequest_test.go index e3b1819e1..28eba9108 100644 --- a/scanpullrequest/scanpullrequest_test.go 
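Review bot: In filterOutScaResultsIfScanFailed `statusCode` is now a `*int` but both `log.Debug(fmt.Sprintf("... (status %d) ...", errorSource, statusCode))` lines still use `%d`, which for a pointer formats the address as an integer, so the debug log no longer shows the scan status code (go vet's printf check accepts pointers for `%d`, so it will not flag this). The smallest fix is `var statusCode int` with `statusCode = *sourceResult.ResultsStatus.ScaScanStatusCode` and `statusCode = *targetResult.ResultsStatus.ScaScanStatusCode`; if `IsScanFailed` can report a failure while the pointer is nil, guard the dereference first. Separately, the removed loop that cleared `DeprecatedXrayResults` on a failed SCA scan has no replacement in this hunk, yet the TestScanResultsToIssuesCollection fixture still populates that field, so a partially failed SCA scan may presumably still surface deprecated-format vulnerabilities unless the new `ScaScanStatusCode` path covers them; a comment stating which it is would help. As a style point, filterJasResultsIfScanFailed wraps each target in a one-element slice only to call isScanFailedInSourceOrTarget, and the Secrets/IaC/SAST cases call it twice for the same step; computing `failed := isScanFailedInSourceOrTarget(sourceResults, targetResults, cmdStep)` once at the top of the switch would read more clearly.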
+++ b/scanpullrequest/scanpullrequest_test.go @@ -16,8 +16,13 @@ import ( "github.com/golang/mock/gomock" "github.com/jfrog/frogbot/v2/testdata" + securityutils "github.com/jfrog/jfrog-cli-security/utils" + "github.com/jfrog/jfrog-cli-security/utils/formats/sarifutils" + "github.com/jfrog/jfrog-cli-security/utils/formats/violationutils" "github.com/jfrog/jfrog-cli-security/utils/jasutils" + "github.com/jfrog/jfrog-cli-security/utils/severityutils" "github.com/jfrog/jfrog-cli-security/utils/xsc" + "github.com/jfrog/jfrog-client-go/xray/services" "github.com/owenrumney/go-sarif/v3/pkg/report/v210/sarif" "github.com/jfrog/frogbot/v2/utils" @@ -26,14 +31,10 @@ import ( "github.com/jfrog/froggit-go/vcsclient" "github.com/jfrog/froggit-go/vcsutils" coreconfig "github.com/jfrog/jfrog-cli-core/v2/utils/config" - "github.com/jfrog/jfrog-cli-security/tests/validations" "github.com/jfrog/jfrog-cli-security/utils/formats" - "github.com/jfrog/jfrog-cli-security/utils/formats/sarifutils" "github.com/jfrog/jfrog-cli-security/utils/results" - "github.com/jfrog/jfrog-cli-security/utils/severityutils" "github.com/jfrog/jfrog-client-go/utils/io/fileutils" "github.com/jfrog/jfrog-client-go/utils/log" - "github.com/jfrog/jfrog-client-go/xray/services" "github.com/stretchr/testify/assert" ) 
@@ -60,47 +61,53 @@ func CreateMockVcsClient(t *testing.T) *testdata.MockVcsClient { } func TestScanResultsToIssuesCollection(t *testing.T) { - allowedLicenses := []string{"MIT"} - auditResults := &results.SecurityCommandResults{EntitledForJas: true, ResultContext: results.ResultContext{IncludeVulnerabilities: true}, Targets: []*results.TargetResults{{ + auditResults := &results.SecurityCommandResults{ResultsMetaData: results.ResultsMetaData{EntitledForJas: true, ResultContext: results.ResultContext{IncludeVulnerabilities: true}}, Targets: []*results.TargetResults{{ + ResultsStatus: results.ResultsStatus{ + ScaScanStatusCode: securityutils.NewIntPtr(0), + ContextualAnalysisStatusCode: securityutils.NewIntPtr(0), + IacScanStatusCode: securityutils.NewIntPtr(0), + SecretsScanStatusCode: securityutils.NewIntPtr(0), + SastScanStatusCode: securityutils.NewIntPtr(0), + }, ScanTarget: results.ScanTarget{Target: "dummy"}, ScaResults: &results.ScaScanResults{ - DeprecatedXrayResults: validations.NewMockScaResults(services.ScanResponse{ + DeprecatedXrayResults: []services.ScanResponse{{ Vulnerabilities: []services.Vulnerability{ {Cves: []services.Cve{{Id: "CVE-2022-2122"}}, Severity: "High", Components: map[string]services.Component{"Dep-1": {FixedVersions: []string{"1.2.3"}}}}, {Cves: []services.Cve{{Id: "CVE-2023-3122"}}, Severity: "Low", Components: map[string]services.Component{"Dep-2": {FixedVersions: []string{"1.2.2"}}}}, }, Licenses: []services.License{{Key: "Apache-2.0", Components: map[string]services.Component{"Dep-1": {FixedVersions: []string{"1.2.3"}}}}}, - }), + }}, }, JasResults: &results.JasScansResults{ - ApplicabilityScanResults: validations.NewMockJasRuns( + ApplicabilityScanResults: []*sarif.Run{ sarifutils.CreateRunWithDummyResults( sarifutils.CreateDummyPassingResult("applic_CVE-2023-3122"), sarifutils.CreateResultWithOneLocation("file1", 1, 10, 2, 11, "snippet", "applic_CVE-2022-2122", ""), ), - ), + }, JasVulnerabilities: results.JasScanResults{ - 
IacScanResults: validations.NewMockJasRuns( + IacScanResults: []*sarif.Run{ sarifutils.CreateRunWithDummyResults( sarifutils.CreateResultWithLocations("Missing auto upgrade was detected", "rule", severityutils.SeverityToSarifSeverityLevel(severityutils.High).String(), sarifutils.CreateLocation("file1", 1, 10, 2, 11, "aws-violation"), ), ), - ), - SecretsScanResults: validations.NewMockJasRuns( + }, + SecretsScanResults: []*sarif.Run{ sarifutils.CreateRunWithDummyResults( sarifutils.CreateResultWithLocations("Secret", "rule", severityutils.SeverityToSarifSeverityLevel(severityutils.High).String(), sarifutils.CreateLocation("index.js", 5, 6, 7, 8, "access token exposed"), ), ), - ), - SastScanResults: validations.NewMockJasRuns( + }, + SastScanResults: []*sarif.Run{ sarifutils.CreateRunWithDummyResults( sarifutils.CreateResultWithLocations("XSS Vulnerability", "rule", severityutils.SeverityToSarifSeverityLevel(severityutils.High).String(), sarifutils.CreateLocation("file1", 1, 10, 2, 11, "snippet"), ), ), - ), + }, }, }, }}} @@ -110,7 +117,7 @@ func TestScanResultsToIssuesCollection(t *testing.T) { Applicable: "Applicable", FixedVersions: []string{"1.2.3"}, ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ - SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 26}, + SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 31}, ImpactedDependencyName: "Dep-1", }, Cves: []formats.CveRow{{Id: "CVE-2022-2122", Applicability: &formats.Applicability{Status: "Applicable", ScannerDescription: "rule-msg", Evidence: []formats.Evidence{{Reason: "result-msg", Location: formats.Location{File: "file1", StartLine: 1, StartColumn: 10, EndLine: 2, EndColumn: 11, Snippet: "snippet"}}}}}}, 
@@ -129,7 +136,7 @@ func TestScanResultsToIssuesCollection(t *testing.T) { { SeverityDetails: formats.SeverityDetails{ Severity: "High", - SeverityNumValue: 26, + SeverityNumValue: 31, }, ScannerInfo: formats.ScannerInfo{ ScannerDescription: "rule-msg", @@ -150,7 +157,7 @@ func TestScanResultsToIssuesCollection(t *testing.T) { { SeverityDetails: formats.SeverityDetails{ Severity: "High", - SeverityNumValue: 26, + SeverityNumValue: 31, }, ScannerInfo: formats.ScannerInfo{ ScannerDescription: "rule-msg", @@ -171,7 +178,7 @@ func TestScanResultsToIssuesCollection(t *testing.T) { { SeverityDetails: formats.SeverityDetails{ Severity: "High", - SeverityNumValue: 26, + SeverityNumValue: 31, }, ScannerInfo: formats.ScannerInfo{ ScannerDescription: "rule-msg", @@ -188,26 +195,9 @@ func TestScanResultsToIssuesCollection(t *testing.T) { }, }, }, - LicensesViolations: []formats.LicenseViolationRow{ - { - LicenseRow: formats.LicenseRow{ - LicenseKey: "Apache-2.0", - ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ - SeverityDetails: formats.SeverityDetails{ - Severity: "Medium", - SeverityNumValue: 19, - }, - ImpactedDependencyName: "Dep-1", - }, - }, - ViolationContext: formats.ViolationContext{ - Watch: "jfrog_custom_license_violation", - }, - }, - }, } - issuesRows, err := scanResultsToIssuesCollection(auditResults, allowedLicenses) + issuesRows, err := scanResultsToIssuesCollection(auditResults) if assert.NoError(t, err) { assert.ElementsMatch(t, expectedOutput.ScaVulnerabilities, issuesRows.ScaVulnerabilities) 
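Review bot: The `@@ -188` hunk deletes the `LicensesViolations` expectation and the `allowedLicenses` argument from TestScanResultsToIssuesCollection, so this test no longer exercises any license-violation output even though the fixture still declares an `Apache-2.0` license on `Dep-1`. If allowed-license violations are now produced elsewhere, a test there should cover the case; otherwise a comment such as `// license violations are no longer asserted here because <reason>` would record why the coverage was dropped. The `SeverityNumValue: 26` to `31` changes look like a library-side renumbering and are fine as long as they are not hand-tuned to the current output.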
@@ -577,17 +567,19 @@ func TestFilterJasResultsIfScanFailed(t *testing.T) { name: "Applicability scanner failed - should remove applicability results", scanType: jasutils.Applicability, targetResult: &results.TargetResults{ + ResultsStatus: results.ResultsStatus{ + ContextualAnalysisStatusCode: securityutils.NewIntPtr(0), + }, JasResults: &results.JasScansResults{ - ApplicabilityScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + ApplicabilityScanResults: []*sarif.Run{}, }, }, sourceResult: &results.TargetResults{ + ResultsStatus: results.ResultsStatus{ + ContextualAnalysisStatusCode: securityutils.NewIntPtr(1), + }, JasResults: &results.JasScansResults{ - ApplicabilityScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 1}, - }, + ApplicabilityScanResults: []*sarif.Run{}, }, }, hasFailure: true, 
@@ -596,30 +588,28 @@ func TestFilterJasResultsIfScanFailed(t *testing.T) { name: "Secrets scanner failed in target - should remove secrets vulnerabilities and violations", scanType: jasutils.Secrets, targetResult: &results.TargetResults{ + ResultsStatus: results.ResultsStatus{ + SecretsScanStatusCode: securityutils.NewIntPtr(1), + }, JasResults: &results.JasScansResults{ JasVulnerabilities: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 1}, - }, + SecretsScanResults: []*sarif.Run{}, }, JasViolations: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 1}, - }, + SecretsScanResults: []*sarif.Run{}, }, }, }, sourceResult: &results.TargetResults{ + ResultsStatus: results.ResultsStatus{ + SecretsScanStatusCode: securityutils.NewIntPtr(0), + }, JasResults: &results.JasScansResults{ JasVulnerabilities: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SecretsScanResults: []*sarif.Run{}, }, JasViolations: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SecretsScanResults: []*sarif.Run{}, }, }, }, 
@@ -629,30 +619,28 @@ func TestFilterJasResultsIfScanFailed(t *testing.T) { name: "IaC scanner failed in both source and target - should remove IaC vulnerabilities and violations", scanType: jasutils.IaC, targetResult: &results.TargetResults{ + ResultsStatus: results.ResultsStatus{ + IacScanStatusCode: securityutils.NewIntPtr(1), + }, JasResults: &results.JasScansResults{ JasVulnerabilities: results.JasScanResults{ - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 1}, - }, + IacScanResults: []*sarif.Run{}, }, JasViolations: results.JasScanResults{ - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 1}, - }, + IacScanResults: []*sarif.Run{}, }, }, }, sourceResult: &results.TargetResults{ + ResultsStatus: results.ResultsStatus{ + IacScanStatusCode: securityutils.NewIntPtr(1), + }, JasResults: &results.JasScansResults{ JasVulnerabilities: results.JasScanResults{ - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 1}, - }, + IacScanResults: []*sarif.Run{}, }, JasViolations: results.JasScanResults{ - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 1}, - }, + IacScanResults: []*sarif.Run{}, }, }, }, 
@@ -662,30 +650,28 @@ func TestFilterJasResultsIfScanFailed(t *testing.T) { name: "SAST scanner failed - should remove SAST vulnerabilities and violations", scanType: jasutils.Sast, targetResult: &results.TargetResults{ + ResultsStatus: results.ResultsStatus{ + SastScanStatusCode: securityutils.NewIntPtr(0), + }, JasResults: &results.JasScansResults{ JasVulnerabilities: results.JasScanResults{ - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SastScanResults: []*sarif.Run{}, }, JasViolations: results.JasScanResults{ - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SastScanResults: []*sarif.Run{}, }, }, }, sourceResult: &results.TargetResults{ + ResultsStatus: results.ResultsStatus{ + SastScanStatusCode: securityutils.NewIntPtr(1), + }, JasResults: &results.JasScansResults{ JasVulnerabilities: results.JasScanResults{ - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 1}, - }, + SastScanResults: []*sarif.Run{}, }, JasViolations: results.JasScanResults{ - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 1}, - }, + SastScanResults: []*sarif.Run{}, }, }, }, 
@@ -696,59 +682,31 @@ func TestFilterJasResultsIfScanFailed(t *testing.T) { scanType: jasutils.Applicability, targetResult: &results.TargetResults{ JasResults: &results.JasScansResults{ - ApplicabilityScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + ApplicabilityScanResults: []*sarif.Run{}, JasVulnerabilities: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SecretsScanResults: []*sarif.Run{}, + IacScanResults: []*sarif.Run{}, + SastScanResults: []*sarif.Run{}, }, JasViolations: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SecretsScanResults: []*sarif.Run{}, + IacScanResults: []*sarif.Run{}, + SastScanResults: []*sarif.Run{}, }, }, }, sourceResult: &results.TargetResults{ JasResults: &results.JasScansResults{ - ApplicabilityScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + ApplicabilityScanResults: []*sarif.Run{}, JasVulnerabilities: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SecretsScanResults: []*sarif.Run{}, + IacScanResults: []*sarif.Run{}, + SastScanResults: []*sarif.Run{}, }, JasViolations: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + 
SecretsScanResults: []*sarif.Run{}, + IacScanResults: []*sarif.Run{}, + SastScanResults: []*sarif.Run{}, }, }, }, @@ -759,7 +717,7 @@ func TestFilterJasResultsIfScanFailed(t *testing.T) { for _, test := range tests { t.Run(test.name, func(t *testing.T) { // Call the function under test - filterJasResultsIfScanFailed(test.targetResult, test.sourceResult, test.scanType) + filterJasResultsIfScanFailed(test.targetResult, test.sourceResult, results.SecurityCommandStep(test.scanType)) // Validate the results based on scan type and test case if !test.hasFailure { 
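Review bot: The `@@ -759` hunk calls `filterJasResultsIfScanFailed(test.targetResult, test.sourceResult, results.SecurityCommandStep(test.scanType))`, converting a `jasutils.JasScanType` to a `results.SecurityCommandStep` by name; that only works if the two string types happen to share underlying values, and nothing in the test asserts it. Changing the table field to `cmdStep results.SecurityCommandStep` and using `results.CmdStepContextualAnalysis`, `results.CmdStepSecrets` and so on directly would make the test independent of that coincidence and match the production call sites. The `@@ -696` case above also leaves `ResultsStatus` unset, so it implicitly covers the nil-pointer status path; a one-line comment saying so would make that intent explicit.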
@@ -796,40 +754,38 @@ func TestFilterOutScaResultsIfScanFailed(t *testing.T) { name string targetResult *results.TargetResults sourceResult *results.TargetResults + violations *violationutils.Violations hasFailure bool }{ { name: "SCA scan failed - should remove SCA results", targetResult: &results.TargetResults{ + ResultsStatus: results.ResultsStatus{ScaScanStatusCode: &[]int{-1}[0]}, ScaResults: &results.ScaScanResults{ - ScanStatusCode: -1, - Sbom: nil, - Violations: []services.Violation{{IssueId: "test-violation"}}, + Sbom: nil, }, }, sourceResult: &results.TargetResults{ + ResultsStatus: results.ResultsStatus{ScaScanStatusCode: &[]int{0}[0]}, ScaResults: &results.ScaScanResults{ - ScanStatusCode: 0, - Sbom: nil, - Violations: []services.Violation{{IssueId: "source-violation"}}, + Sbom: nil, }, }, + violations: &violationutils.Violations{}, hasFailure: true, }, { name: "SCA scan succeeded - should not remove SCA results", targetResult: &results.TargetResults{ + ResultsStatus: results.ResultsStatus{ScaScanStatusCode: &[]int{0}[0]}, ScaResults: &results.ScaScanResults{ - ScanStatusCode: 0, - Sbom: nil, - Violations: []services.Violation{{IssueId: "target-violation"}}, + Sbom: nil, }, }, sourceResult: &results.TargetResults{ + ResultsStatus: results.ResultsStatus{ScaScanStatusCode: &[]int{0}[0]}, ScaResults: &results.ScaScanResults{ - ScanStatusCode: 0, - Sbom: nil, - Violations: []services.Violation{{IssueId: "source-violation"}}, + Sbom: nil, }, }, hasFailure: false, 
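Review bot: The "SCA scan failed" case passes `violations: &violationutils.Violations{}` with `Sca` left nil, so the new `sourceViolations.Sca = nil` branch in filterOutScaResultsIfScanFailed is never reached, and the `@@ -838` hunk removes the only assertions on violations; populating `Sca` in the failure case and asserting it is nil afterwards (and non-nil in the success case) would restore that coverage. The same gap applies to the SCA-violation assertions dropped in the TestFilterOutFailedScansIfAllowPartialResultsEnabled hunks. As a style point, these fixtures build status pointers with `&[]int{-1}[0]` while TestScanResultsToIssuesCollection in the same file uses `securityutils.NewIntPtr(0)`; using the helper throughout would be clearer.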
@@ -838,13 +794,10 @@ func TestFilterOutScaResultsIfScanFailed(t *testing.T) { for _, test := range tests { t.Run(test.name, func(t *testing.T) { - filterOutScaResultsIfScanFailed(test.targetResult, test.sourceResult) + filterOutScaResultsIfScanFailed(test.targetResult, test.sourceResult, test.violations) if test.hasFailure { assert.Nil(t, test.sourceResult.ScaResults.Sbom, "SBOM should be removed when SCA scan failed") - assert.Nil(t, test.sourceResult.ScaResults.Violations, "Violations should be removed when SCA scan failed") - } else { - assert.Equal(t, []services.Violation{{IssueId: "source-violation"}}, test.sourceResult.ScaResults.Violations, "Violations should NOT be removed when SCA scan succeeds") } }) } 
@@ -862,36 +815,26 @@ func TestFilterOutFailedScansIfAllowPartialResultsEnabled(t *testing.T) { targetResults: &results.SecurityCommandResults{ Targets: []*results.TargetResults{ { - ScanTarget: results.ScanTarget{Target: "test-target"}, - ScaResults: &results.ScaScanResults{ - ScanStatusCode: 0, - Violations: []services.Violation{{IssueId: "target-violation"}}, + ResultsStatus: results.ResultsStatus{ + ScaScanStatusCode: &[]int{0}[0], + ContextualAnalysisStatusCode: &[]int{0}[0], + SecretsScanStatusCode: &[]int{0}[0], + IacScanStatusCode: &[]int{0}[0], + SastScanStatusCode: &[]int{0}[0], }, + ScanTarget: results.ScanTarget{Target: "test-target"}, + ScaResults: &results.ScaScanResults{}, JasResults: &results.JasScansResults{ - ApplicabilityScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + ApplicabilityScanResults: []*sarif.Run{}, JasVulnerabilities: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SecretsScanResults: []*sarif.Run{}, + IacScanResults: []*sarif.Run{}, + SastScanResults: []*sarif.Run{}, }, JasViolations: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SecretsScanResults: []*sarif.Run{}, + IacScanResults: []*sarif.Run{}, + SastScanResults: []*sarif.Run{}, }, }, }, 
@@ -900,36 +843,26 @@ func TestFilterOutFailedScansIfAllowPartialResultsEnabled(t *testing.T) { sourceResults: &results.SecurityCommandResults{ Targets: []*results.TargetResults{ { - ScanTarget: results.ScanTarget{Target: "test-target"}, - ScaResults: &results.ScaScanResults{ - ScanStatusCode: 0, - Violations: []services.Violation{{IssueId: "source-violation"}}, + ResultsStatus: results.ResultsStatus{ + ScaScanStatusCode: &[]int{0}[0], + ContextualAnalysisStatusCode: &[]int{0}[0], + SecretsScanStatusCode: &[]int{0}[0], + IacScanStatusCode: &[]int{0}[0], + SastScanStatusCode: &[]int{0}[0], }, + ScanTarget: results.ScanTarget{Target: "test-target"}, + ScaResults: &results.ScaScanResults{}, JasResults: &results.JasScansResults{ - ApplicabilityScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + ApplicabilityScanResults: []*sarif.Run{}, JasVulnerabilities: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SecretsScanResults: []*sarif.Run{}, + IacScanResults: []*sarif.Run{}, + SastScanResults: []*sarif.Run{}, }, JasViolations: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SecretsScanResults: []*sarif.Run{}, + IacScanResults: []*sarif.Run{}, + SastScanResults: []*sarif.Run{}, }, }, }, 
@@ -942,36 +875,26 @@ func TestFilterOutFailedScansIfAllowPartialResultsEnabled(t *testing.T) { targetResults: &results.SecurityCommandResults{ Targets: []*results.TargetResults{ { - ScanTarget: results.ScanTarget{Target: "test-target"}, - ScaResults: &results.ScaScanResults{ - ScanStatusCode: -1, - Violations: []services.Violation{{IssueId: "target-violation"}}, + ResultsStatus: results.ResultsStatus{ + ScaScanStatusCode: &[]int{-1}[0], + ContextualAnalysisStatusCode: &[]int{0}[0], + SecretsScanStatusCode: &[]int{1}[0], + IacScanStatusCode: &[]int{1}[0], + SastScanStatusCode: &[]int{0}[0], }, + ScanTarget: results.ScanTarget{Target: "test-target"}, + ScaResults: &results.ScaScanResults{}, JasResults: &results.JasScansResults{ - ApplicabilityScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + ApplicabilityScanResults: []*sarif.Run{}, JasVulnerabilities: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 1}, - }, - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 1}, - }, - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SecretsScanResults: []*sarif.Run{}, + IacScanResults: []*sarif.Run{}, + SastScanResults: []*sarif.Run{}, }, JasViolations: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 1}, - }, - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 1}, - }, - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SecretsScanResults: []*sarif.Run{}, + IacScanResults: []*sarif.Run{}, + SastScanResults: []*sarif.Run{}, }, }, }, 
@@ -980,36 +903,26 @@ func TestFilterOutFailedScansIfAllowPartialResultsEnabled(t *testing.T) { sourceResults: &results.SecurityCommandResults{ Targets: []*results.TargetResults{ { - ScanTarget: results.ScanTarget{Target: "test-target"}, - ScaResults: &results.ScaScanResults{ - ScanStatusCode: 0, - Violations: []services.Violation{{IssueId: "source-violation"}}, + ResultsStatus: results.ResultsStatus{ + ScaScanStatusCode: &[]int{0}[0], + ContextualAnalysisStatusCode: &[]int{0}[0], + SecretsScanStatusCode: &[]int{0}[0], + IacScanStatusCode: &[]int{0}[0], + SastScanStatusCode: &[]int{0}[0], }, + ScanTarget: results.ScanTarget{Target: "test-target"}, + ScaResults: &results.ScaScanResults{}, JasResults: &results.JasScansResults{ - ApplicabilityScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + ApplicabilityScanResults: []*sarif.Run{}, JasVulnerabilities: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SecretsScanResults: []*sarif.Run{}, + IacScanResults: []*sarif.Run{}, + SastScanResults: []*sarif.Run{}, }, JasViolations: results.JasScanResults{ - SecretsScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - IacScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, - SastScanResults: []results.ScanResult[[]*sarif.Run]{ - {StatusCode: 0}, - }, + SecretsScanResults: []*sarif.Run{}, + IacScanResults: []*sarif.Run{}, + SastScanResults: []*sarif.Run{}, }, }, }, 
@@ -1026,7 +939,6 @@ func TestFilterOutFailedScansIfAllowPartialResultsEnabled(t *testing.T) { sourceTarget := test.sourceResults.Targets[0] if test.hasFailure { - assert.Nil(t, sourceTarget.ScaResults.Violations, "SCA violations should be removed when SCA scan failed") assert.Nil(t, sourceTarget.JasResults.JasVulnerabilities.SecretsScanResults, "Secrets scan results should be removed when Secrets scan failed") assert.Nil(t, sourceTarget.JasResults.JasViolations.SecretsScanResults, "Secrets violation results should be removed when Secrets scan failed") assert.Nil(t, sourceTarget.JasResults.JasVulnerabilities.IacScanResults, "IaC scan results should be removed when IaC scan failed") @@ -1035,7 +947,6 @@ func TestFilterOutFailedScansIfAllowPartialResultsEnabled(t *testing.T) { assert.NotNil(t, sourceTarget.JasResults.JasVulnerabilities.SastScanResults, "SAST scan results should NOT be removed when SAST scan succeeds") assert.NotNil(t, sourceTarget.JasResults.JasViolations.SastScanResults, "SAST violation results should NOT be removed when SAST scan succeeds") } else { - assert.NotNil(t, sourceTarget.ScaResults.Violations, "SCA violations should NOT be removed when SCA scan succeeds") assert.NotNil(t, sourceTarget.JasResults.JasVulnerabilities.SecretsScanResults, "Secrets scan results should NOT be removed when Secrets scan succeeds") assert.NotNil(t, sourceTarget.JasResults.JasViolations.SecretsScanResults, "Secrets violation results should NOT be removed when Secrets scan succeeds") assert.NotNil(t, sourceTarget.JasResults.JasVulnerabilities.IacScanResults, "IaC scan results should NOT be removed when IaC scan succeeds") diff --git a/scanrepository/scanrepository.go b/scanrepository/scanrepository.go index d57431544..277570d4b 100644 --- a/scanrepository/scanrepository.go +++ b/scanrepository/scanrepository.go 
@@ -131,7 +131,6 @@ func (cfp *ScanRepositoryCmd) setCommandPrerequisites(repository *utils.Reposito
 SetResultsContext(repositoryCloneUrl, repository.Params.JFrogPlatform.Watches, repository.Params.JFrogPlatform.JFrogProjectKey, repository.Params.JFrogPlatform.IncludeVulnerabilities, len(repository.Params.Scan.AllowedLicenses) > 0).
 SetFixableOnly(repository.Params.Scan.FixableOnly).
 SetConfigProfile(repository.Params.Scan.ConfigProfile).
- SetSkipAutoInstall(repository.Params.Scan.SkipAutoInstall).
 SetAllowPartialResults(repository.Params.Scan.AllowPartialResults)
 
 if cfp.scanDetails, err = cfp.scanDetails.SetMinSeverity(repository.Params.Scan.MinSeverity); err != nil {
diff --git a/scanrepository/scanrepository_test.go b/scanrepository/scanrepository_test.go
index c95ac5a42..f696c2088 100644
--- a/scanrepository/scanrepository_test.go
+++ b/scanrepository/scanrepository_test.go
@@ -26,7 +26,6 @@ import (
 "github.com/jfrog/froggit-go/vcsclient"
 "github.com/jfrog/froggit-go/vcsutils"
 "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
- "github.com/jfrog/jfrog-cli-security/tests/validations"
 "github.com/jfrog/jfrog-cli-security/utils/formats"
 "github.com/jfrog/jfrog-cli-security/utils/results"
 "github.com/jfrog/jfrog-cli-security/utils/techutils"
@@ -489,43 +488,11 @@ func TestCreateVulnerabilitiesMap(t *testing.T) {
 {
 name: "Scan results with vulnerabilities and no violations",
 scanResults: &results.SecurityCommandResults{
- ResultContext: results.ResultContext{IncludeVulnerabilities: true},
+ ResultsMetaData: results.ResultsMetaData{
+ ResultContext: results.ResultContext{IncludeVulnerabilities: true}},
 Targets: []*results.TargetResults{{
 ScanTarget: results.ScanTarget{Target: "target1"},
- ScaResults: &results.ScaScanResults{
- DeprecatedXrayResults: validations.NewMockScaResults(
- services.ScanResponse{
- Vulnerabilities: []services.Vulnerability{
- {
- Cves: []services.Cve{
- {Id: "CVE-2023-1234", CvssV3Score: "9.1"},
- {Id: "CVE-2023-4321", CvssV3Score: "8.9"},
- },
- Severity: "Critical",
- Components: map[string]services.Component{
- "vuln1": {
- FixedVersions: []string{"1.9.1", "2.0.3", "2.0.5"},
- ImpactPaths: [][]services.ImpactPathNode{{{ComponentId: "root"}, {ComponentId: "vuln1"}}},
- },
- },
- },
- {
- Cves: []services.Cve{
- {Id: "CVE-2022-1234", CvssV3Score: "7.1"},
- {Id: "CVE-2022-4321", CvssV3Score: "7.9"},
- },
- Severity: "High",
- Components: map[string]services.Component{
- "vuln2": {
- FixedVersions: []string{"2.4.1", "2.6.3", "2.8.5"},
- ImpactPaths: [][]services.ImpactPathNode{{{ComponentId: "root"}, {ComponentId: "vuln1"}, {ComponentId: "vuln2"}}},
- },
- },
- },
- },
- },
- ),
- },
+ ScaResults: &results.ScaScanResults{},
 JasResults: &results.JasScansResults{},
 }},
 },
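Review bot: The case named "Scan results with vulnerabilities and no violations" now holds no vulnerabilities at all — its `ScaResults` becomes an empty `&results.ScaScanResults{}` — so whatever it asserts below can only exercise the empty-input path, and the same applies to "Scan results with violations and no vulnerabilities" in the next hunk. If `DeprecatedXrayResults` and `validations.NewMockScaResults` are gone from the new API, the fixtures should be rebuilt on whatever the new `ScaScanResults` carries (presumably the CycloneDX BOM, given the `cyclonedx-go` import elsewhere in this diff) so the mapping of CVE ids, severity and fixed versions into the vulnerabilities map stays covered; otherwise rename or remove the cases so their names do not claim coverage the data no longer provides. The expected values for both cases lie outside the hunks, so I cannot tell whether they were reduced to match.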
@@ -544,47 +511,11 @@ func TestCreateVulnerabilitiesMap(t *testing.T) {
 {
 name: "Scan results with violations and no vulnerabilities",
 scanResults: &results.SecurityCommandResults{
- ResultContext: results.ResultContext{IncludeVulnerabilities: true, Watches: []string{"w1"}},
+ ResultsMetaData: results.ResultsMetaData{
+ ResultContext: results.ResultContext{IncludeVulnerabilities: true, Watches: []string{"w1"}}},
 Targets: []*results.TargetResults{{
 ScanTarget: results.ScanTarget{Target: "target1"},
- ScaResults: &results.ScaScanResults{
- DeprecatedXrayResults: validations.NewMockScaResults(
- services.ScanResponse{
- Violations: []services.Violation{
- {
- ViolationType: "security",
- WatchName: "w1",
- Cves: []services.Cve{
- {Id: "CVE-2023-1234", CvssV3Score: "9.1"},
- {Id: "CVE-2023-4321", CvssV3Score: "8.9"},
- },
- Severity: "Critical",
- Components: map[string]services.Component{
- "viol1": {
- FixedVersions: []string{"1.9.1", "2.0.3", "2.0.5"},
- ImpactPaths: [][]services.ImpactPathNode{{{ComponentId: "root"}, {ComponentId: "viol1"}}},
- },
- },
- },
- {
- ViolationType: "security",
- WatchName: "w1",
- Cves: []services.Cve{
- {Id: "CVE-2022-1234", CvssV3Score: "7.1"},
- {Id: "CVE-2022-4321", CvssV3Score: "7.9"},
- },
- Severity: "High",
- Components: map[string]services.Component{
- "viol2": {
- FixedVersions: []string{"2.4.1", "2.6.3", "2.8.5"},
- ImpactPaths: [][]services.ImpactPathNode{{{ComponentId: "root"}, {ComponentId: "viol1"}, {ComponentId: "viol2"}}},
- },
- },
- },
- },
- },
- ),
- },
+ ScaResults: &results.ScaScanResults{},
 JasResults: &results.JasScansResults{},
 }},
 },
diff --git a/testdata/scanpullrequest/clean-test-proj/sourceBranch.gz b/testdata/scanpullrequest/clean-test-proj/sourceBranch.gz
index 57c33cddf..7d3ff9834 100755
Binary files a/testdata/scanpullrequest/clean-test-proj/sourceBranch.gz and b/testdata/scanpullrequest/clean-test-proj/sourceBranch.gz differ
diff --git a/testdata/scanpullrequest/clean-test-proj/targetBranch.gz b/testdata/scanpullrequest/clean-test-proj/targetBranch.gz
index 57c33cddf..1d458a1f4 100755
Binary files a/testdata/scanpullrequest/clean-test-proj/targetBranch.gz and b/testdata/scanpullrequest/clean-test-proj/targetBranch.gz differ
diff --git a/testdata/scanpullrequest/multi-dir-test-proj/sourceBranch.gz b/testdata/scanpullrequest/multi-dir-test-proj/sourceBranch.gz
index df1167d11..21a5a93ad 100755
Binary files a/testdata/scanpullrequest/multi-dir-test-proj/sourceBranch.gz and b/testdata/scanpullrequest/multi-dir-test-proj/sourceBranch.gz differ
diff --git a/testdata/scanpullrequest/multi-dir-test-proj/targetBranch.gz b/testdata/scanpullrequest/multi-dir-test-proj/targetBranch.gz
index b56ceaa4b..c77f7fab3 100755
Binary files a/testdata/scanpullrequest/multi-dir-test-proj/targetBranch.gz and b/testdata/scanpullrequest/multi-dir-test-proj/targetBranch.gz differ
diff --git a/testdata/scanpullrequest/test-proj-subdir/sourceBranch.gz b/testdata/scanpullrequest/test-proj-subdir/sourceBranch.gz
index 232ba33b7..c4a7f4294 100755
Binary files a/testdata/scanpullrequest/test-proj-subdir/sourceBranch.gz and b/testdata/scanpullrequest/test-proj-subdir/sourceBranch.gz differ
diff --git a/testdata/scanpullrequest/test-proj-subdir/targetBranch.gz b/testdata/scanpullrequest/test-proj-subdir/targetBranch.gz
index effcf4996..ebba86e9e 100755
Binary files a/testdata/scanpullrequest/test-proj-subdir/targetBranch.gz and b/testdata/scanpullrequest/test-proj-subdir/targetBranch.gz differ
diff --git a/testdata/scanpullrequest/test-proj/targetBranch.gz b/testdata/scanpullrequest/test-proj/targetBranch.gz
index f9ee6af53..3ff8328c5 100755
Binary files a/testdata/scanpullrequest/test-proj/targetBranch.gz and b/testdata/scanpullrequest/test-proj/targetBranch.gz differ
diff --git a/testdata/scanrepository/cmd/aggregate-multi-dir/npm1/package-lock.json b/testdata/scanrepository/cmd/aggregate-multi-dir/npm1/package-lock.json
new file mode 100644
index 000000000..2a35cf0bd
--- /dev/null
+++ b/testdata/scanrepository/cmd/aggregate-multi-dir/npm1/package-lock.json
@@ -0,0 +1,74 @@
+{
+ "name": "aggregate",
+ "version": "1.0.0",
+ "lockfileVersion": 3,
+ "requires": true,
+ "packages": {
+ "": {
+ "name": "aggregate",
+ "version": "1.0.0",
+ "license": "ISC",
+ "dependencies": {
+ "minimatch": "3.0.2",
+ "mpath": "0.7.0",
+ "uuid": "^9.0.0"
+ }
+ },
+ "node_modules/balanced-match": {
+ "version": "1.0.2",
+ "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+ "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+ "license": "MIT"
+ },
+ "node_modules/brace-expansion": {
+ "version": "1.1.12",
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
+ "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+ "license": "MIT",
+ "dependencies": {
+ "balanced-match": "^1.0.0",
+ "concat-map": "0.0.1"
+ }
+ },
+ "node_modules/concat-map": {
+ "version": "0.0.1",
+ "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
+ "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
+ "license": "MIT"
+ },
+ "node_modules/minimatch": {
+ "version": "3.0.2",
+ "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.2.tgz",
+ "integrity": "sha512-itcYJNfVYt/6nrpMDiFA6FY9msZ9G7jEfB896PrgYCakHrW0mOPmzBVvfI2b9yoy6kUKNde1Rvw4ah0f1E25tA==",
+ "license": "ISC",
+ "dependencies": {
+ "brace-expansion": "^1.0.0"
+ },
+ "engines": {
+ "node": "*"
+ }
+ },
+ "node_modules/mpath": {
+ "version": "0.7.0",
+ "resolved": "https://registry.npmjs.org/mpath/-/mpath-0.7.0.tgz",
+ "integrity": "sha512-Aiq04hILxhz1L+f7sjGyn7IxYzWm1zLNNXcfhDtx04kZ2Gk7uvFdgZ8ts1cWa/6d0TQmag2yR8zSGZUmp0tFNg==",
+ "license": "MIT",
+ "engines": {
+ "node": ">=4.0.0"
+ }
+ },
+ "node_modules/uuid": {
+ "version": "9.0.1",
+ "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
+ "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
+ "funding": [
+ "https://github.com/sponsors/broofa",
+ "https://github.com/sponsors/ctavan"
+ ],
+ "license": "MIT",
+ "bin": {
+ "uuid": "dist/bin/uuid"
+ }
+ }
+ }
+}
diff --git a/testdata/scanrepository/cmd/aggregate-multi-dir/npm2/package-lock.json b/testdata/scanrepository/cmd/aggregate-multi-dir/npm2/package-lock.json
new file mode 100644
index 000000000..246e00379
--- /dev/null
+++ b/testdata/scanrepository/cmd/aggregate-multi-dir/npm2/package-lock.json
@@ -0,0 +1,18 @@
+{
+ "name": "npm2",
+ "lockfileVersion": 3,
+ "requires": true,
+ "packages": {
+ "": {
+ "dependencies": {
+ "minimist": "1.2.5"
+ }
+ },
+ "node_modules/minimist": {
+ "version": "1.2.5",
+ "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
+ "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
+ "license": "MIT"
+ }
+ }
+}
diff --git a/testdata/scanrepository/cmd/aggregate-multi-project/npm/package-lock.json b/testdata/scanrepository/cmd/aggregate-multi-project/npm/package-lock.json
new file mode 100644
index 000000000..2a35cf0bd
--- /dev/null
+++ b/testdata/scanrepository/cmd/aggregate-multi-project/npm/package-lock.json
@@ -0,0 +1,74 @@
+{
+ "name": "aggregate",
+ "version": "1.0.0",
+ "lockfileVersion": 3,
+ "requires": true,
+ "packages": {
+ "": {
+ "name": "aggregate",
+ "version": "1.0.0",
+ "license": "ISC",
+ "dependencies": {
+ "minimatch": "3.0.2",
+ "mpath": "0.7.0",
+ "uuid": "^9.0.0"
+ }
+ },
+ "node_modules/balanced-match": {
+ "version": "1.0.2",
+ "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+ "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+ "license": "MIT"
+ },
+ "node_modules/brace-expansion": {
+ "version": "1.1.12",
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
+ "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
+ "license": "MIT",
+ "dependencies": {
+ "balanced-match": "^1.0.0",
+ "concat-map": "0.0.1"
+ }
+ },
+ "node_modules/concat-map": {
+ "version": "0.0.1",
+ "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz",
+ "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
+ "license": "MIT"
+ },
+ "node_modules/minimatch": {
+ "version": "3.0.2",
+ "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.2.tgz",
+ "integrity": "sha512-itcYJNfVYt/6nrpMDiFA6FY9msZ9G7jEfB896PrgYCakHrW0mOPmzBVvfI2b9yoy6kUKNde1Rvw4ah0f1E25tA==",
+ "license": "ISC",
+ "dependencies": {
+ "brace-expansion": "^1.0.0"
+ },
+ "engines": {
+ "node": "*"
+ }
+ },
+ "node_modules/mpath": {
+ "version": "0.7.0",
+ "resolved": "https://registry.npmjs.org/mpath/-/mpath-0.7.0.tgz",
+ "integrity": "sha512-Aiq04hILxhz1L+f7sjGyn7IxYzWm1zLNNXcfhDtx04kZ2Gk7uvFdgZ8ts1cWa/6d0TQmag2yR8zSGZUmp0tFNg==",
+ "license": "MIT",
+ "engines": {
+ "node": ">=4.0.0"
+ }
+ },
+ "node_modules/uuid": {
+ "version": "9.0.1",
+ "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
+ "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
+ "funding": [
+ "https://github.com/sponsors/broofa",
+ "https://github.com/sponsors/ctavan"
+ ],
+ "license": "MIT",
+ "bin": {
+ "uuid": "dist/bin/uuid"
+ }
+ }
+ }
+}
diff --git a/utils/consts.go b/utils/consts.go
index 977cc3584..83148332b 100644
--- a/utils/consts.go
+++ b/utils/consts.go
@@ -65,7 +65,6 @@ const (
 FixableOnlyEnv = "JF_FIXABLE_ONLY"
 DetectionOnlyEnv = "JF_SKIP_AUTOFIX"
 AllowedLicensesEnv = "JF_ALLOWED_LICENSES"
- SkipAutoInstallEnv = "JF_SKIP_AUTO_INSTALL"
 AllowPartialResultsEnv = "JF_ALLOW_PARTIAL_RESULTS"
 
 WatchesDelimiter = ","
diff --git a/utils/params.go b/utils/params.go
index 04dfcfc7b..51c33c16e 100644
--- a/utils/params.go
+++ b/utils/params.go
@@ -16,10 +16,11 @@ import (
 "github.com/jfrog/jfrog-client-go/xsc/services"
 "golang.org/x/exp/slices"
 
- "github.com/jfrog/frogbot/v2/utils/outputwriter"
 securityutils "github.com/jfrog/jfrog-cli-security/utils"
 "github.com/jfrog/jfrog-cli-security/utils/severityutils"
 
+ "github.com/jfrog/frogbot/v2/utils/outputwriter"
+
 "github.com/jfrog/froggit-go/vcsclient"
 "github.com/jfrog/froggit-go/vcsutils"
 coreconfig "github.com/jfrog/jfrog-cli-core/v2/utils/config"
@@ -77,7 +78,6 @@ type Project struct {
 DepsRepo string `yaml:"repository,omitempty"`
 InstallCommandName string
 InstallCommandArgs []string
- IsRecursiveScan bool
 }
 
 func (p *Project) setDefaultsIfNeeded() error {
@@ -88,7 +88,6 @@ func (p *Project) setDefaultsIfNeeded() error {
 // If no working directories are provided, and none exist in the environment variable, we designate the project's root directory as our sole working directory.
 // We then execute a recursive scan across the entire project, commencing from the root.
 workingDir = RootDir
- p.IsRecursiveScan = true
 p.WorkingDirs = append(p.WorkingDirs, workingDir)
 } else {
 workingDirs := strings.Split(workingDir, ",")
@@ -182,11 +181,6 @@ func (s *Scan) setDefaultsIfNeeded() (err error) {
 }
 s.MinSeverity = severity.String()
 }
- if !s.SkipAutoInstall {
- if s.SkipAutoInstall, err = getBoolEnv(SkipAutoInstallEnv, false); err != nil {
- return
- }
- }
 if len(s.Projects) == 0 {
 s.Projects = append(s.Projects, Project{})
 }
@@ -196,7 +190,7 @@ func (s *Scan) setDefaultsIfNeeded() (err error) {
 }
 }
 if !s.AllowPartialResults {
- if s.AllowPartialResults, err = getBoolEnv(AllowPartialResultsEnv, false); err != nil {
+ if s.AllowPartialResults, err = getBoolEnv(AllowPartialResultsEnv, true); err != nil {
 return
 }
 }
diff --git a/utils/params_test.go b/utils/params_test.go
index c9fff151d..4ee276e15 100644
--- a/utils/params_test.go
+++ b/utils/params_test.go
@@ -9,9 +9,10 @@ import (
 "testing"
 
 "github.com/golang/mock/gomock"
- "github.com/jfrog/frogbot/v2/testdata"
 "github.com/stretchr/testify/require"
 
+ "github.com/jfrog/frogbot/v2/testdata"
+
 "github.com/jfrog/froggit-go/vcsclient"
 "github.com/jfrog/jfrog-cli-core/v2/utils/config"
 "github.com/jfrog/jfrog-client-go/xsc/services"
@@ -326,7 +327,6 @@ func TestExtractProjectParamsFromEnv(t *testing.T) {
 assert.Equal(t, "", project.PipRequirementsFile)
 assert.Equal(t, "", project.InstallCommandName)
 assert.Equal(t, []string(nil), project.InstallCommandArgs)
- assert.True(t, project.IsRecursiveScan)
 
 // Test value extraction
 SetEnvAndAssert(t, map[string]string{
@@ -346,7 +346,6 @@ func TestExtractProjectParamsFromEnv(t *testing.T) {
 assert.Equal(t, "nuget", project.InstallCommandName)
 assert.Equal(t, []string{"restore"}, project.InstallCommandArgs)
 assert.Equal(t, "repository", project.DepsRepo)
- assert.False(t, project.IsRecursiveScan)
 }
 
 func TestVerifyValidApiEndpoint(t *testing.T) {
diff --git a/utils/scandetails.go b/utils/scandetails.go
index 38924eba9..3ff0e9b57 100644
--- a/utils/scandetails.go
+++ b/utils/scandetails.go
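Review bot: Changing the `getBoolEnv` default to `true` interacts badly with the surrounding guard `if !s.AllowPartialResults {`: a false value set before this point (the field's other sources are outside the hunk) is indistinguishable from "not set" and is replaced by the new default unless `JF_ALLOW_PARTIAL_RESULTS` is explicitly set to false, so an explicit opt-out in configuration presumably stops working; a `*bool` field, or consulting `os.LookupEnv(AllowPartialResultsEnv)` before falling back to the default, would preserve it. This is also a fail-open change for the scan as a whole: per the assertions in TestFilterOutFailedScansIfAllowPartialResultsEnabled, a scanner that fails has its results dropped and the run carries on rather than, presumably, failing, so a pull request can be reported clean on incomplete coverage. Document that on the line, e.g. `// Partial results are accepted by default: a scanner that fails is dropped from the report and the run continues; set JF_ALLOW_PARTIAL_RESULTS=false to require every scanner to succeed.`, and make sure the report states which scanners were skipped.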
@@ -9,8 +9,9 @@ import (
 "github.com/jfrog/froggit-go/vcsclient"
 "github.com/jfrog/jfrog-cli-core/v2/utils/config"
 "github.com/jfrog/jfrog-cli-security/commands/audit"
- "github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo"
- "github.com/jfrog/jfrog-cli-security/sca/scan/scangraph"
+ "github.com/jfrog/jfrog-cli-security/policy/enforcer"
+ "github.com/jfrog/jfrog-cli-security/sca/bom/xrayplugin"
+ "github.com/jfrog/jfrog-cli-security/sca/scan/enrich"
 "github.com/jfrog/jfrog-cli-security/utils/results"
 "github.com/jfrog/jfrog-cli-security/utils/severityutils"
 "github.com/jfrog/jfrog-client-go/utils/log"
@@ -25,7 +26,6 @@ type ScanDetails struct {
 *config.ServerDetails
 client vcsclient.VcsClient
 fixableOnly bool
- skipAutoInstall bool
 minSeverityFilter severityutils.Severity
 baseBranch string
 configProfile *xscservices.ConfigProfile
@@ -76,11 +76,6 @@ func (sc *ScanDetails) SetFixableOnly(fixable bool) *ScanDetails {
 return sc
 }
 
-func (sc *ScanDetails) SetSkipAutoInstall(skipAutoInstall bool) *ScanDetails {
- sc.skipAutoInstall = skipAutoInstall
- return sc
-}
-
 func (sc *ScanDetails) SetMinSeverity(minSeverity string) (*ScanDetails, error) {
 if minSeverity == "" {
 return sc, nil
@@ -151,16 +146,17 @@ func (sc *ScanDetails) RunInstallAndAudit(workDirs ...string) (auditResults *res
 SetInstallCommandName(sc.InstallCommandName).
 SetInstallCommandArgs(sc.InstallCommandArgs).
 SetTechnologies(sc.GetTechFromInstallCmdIfExists()).
- SetSkipAutoInstall(sc.skipAutoInstall).
 SetAllowPartialResults(sc.allowPartialResults).
 SetExclusions(sc.PathExclusions).
- SetIsRecursiveScan(sc.IsRecursiveScan).
 SetUseJas(true).
 SetConfigProfile(sc.configProfile)
 
 auditParams := audit.NewAuditParams().
- SetBomGenerator(buildinfo.NewBuildInfoBomGenerator()).
- SetScaScanStrategy(scangraph.NewScanGraphStrategy()).
+ SetBomGenerator(xrayplugin.NewXrayLibBomGenerator()).
+ SetScaScanStrategy(enrich.NewEnrichScanStrategy()).
+ SetUploadCdxResults(!sc.diffScan || sc.ResultsToCompare != nil).
+ SetGitContext(sc.XscGitInfoContext).
+ SetRtResultRepository(frogbotUploadRtRepoPath).
 SetWorkingDirs(workDirs).
 SetMinSeverityFilter(sc.MinSeverityFilter()).
 SetFixableOnly(sc.FixableOnly()).
@@ -170,7 +166,8 @@ func (sc *ScanDetails) RunInstallAndAudit(workDirs ...string) (auditResults *res
 SetResultsToCompare(sc.ResultsToCompare).
 SetMultiScanId(sc.MultiScanId).
 SetThreads(MaxConcurrentScanners).
- SetStartTime(sc.StartTime)
+ SetStartTime(sc.StartTime).
+ SetViolationGenerator(enforcer.NewPolicyEnforcerViolationGenerator())
 
 return audit.RunAudit(auditParams)
 }
diff --git a/utils/utils.go b/utils/utils.go
index e43dbf1de..50d32b498 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -13,7 +13,6 @@ import (
 "strings"
 "sync"
 
- "github.com/jfrog/frogbot/v2/utils/issues"
 "github.com/jfrog/froggit-go/vcsclient"
 "github.com/jfrog/gofrog/version"
 "github.com/jfrog/jfrog-cli-core/v2/common/commands"
@@ -29,6 +28,8 @@ import (
 "github.com/jfrog/jfrog-client-go/utils/errorutils"
 "github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 "github.com/jfrog/jfrog-client-go/utils/log"
+
+ "github.com/jfrog/frogbot/v2/utils/issues"
 )
 
 const (
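Review bot: `SetRtResultRepository(frogbotUploadRtRepoPath)` hard-wires the upload target to the repository key `"frogbot"` and `SetUploadCdxResults(!sc.diffScan || sc.ResultsToCompare != nil)` enables the upload for every scan that is not a plain diff scan, so the credentials Frogbot runs with presumably now need deploy permission on that repository in every platform instance, and a token scoped for read-only scanning would start failing here. Consider reading the repository key from configuration with `frogbotUploadRtRepoPath` as the fallback, and documenting both the required permission and the fact that `SetGitContext(sc.XscGitInfoContext)` ships repository metadata along with the results. The upload predicate is also non-obvious; a comment such as `// Upload CycloneDX results for full scans, and for diff scans that have a baseline to compare against.` would help, if that is the intent. RunInstallAndAudit begins outside the hunk.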
@@ -38,6 +39,7 @@ const (
 branchNameRegex = `[~^:?\\\[\]@{}*]`
 dependencySubmissionFrogbotDetector = "JFrog Frogbot"
 frogbotUrl = "https://github.com/jfrog/frogbot"
+ frogbotUploadRtRepoPath = "frogbot"
 
 // Branch validation error messages
 branchInvalidChars = "branch name cannot contain the following chars ~, ^, :, ?, *, [, ], @, {, }"
@@ -239,7 +241,6 @@ func GenerateFrogbotSarifReport(extendedResults *results.SecurityCommandResults,
 convertor := conversion.NewCommandResultsConvertor(conversion.ResultConvertParams{
 IncludeVulnerabilities: extendedResults.IncludesVulnerabilities(),
 HasViolationContext: extendedResults.HasViolationContext(),
- AllowedLicenses: allowedLicenses,
 })
 sarifReport, err := convertor.ConvertToSarif(extendedResults)
 if err != nil {
diff --git a/utils/utils_test.go b/utils/utils_test.go
index 8c628047b..c179e1a3d 100644
--- a/utils/utils_test.go
+++ b/utils/utils_test.go
@@ -1,6 +1,13 @@
 package utils
 
 import (
+ "net/http/httptest"
+ "os"
+ "path"
+ "path/filepath"
+ "testing"
+ "time"
+
 "github.com/CycloneDX/cyclonedx-go"
 "github.com/jfrog/frogbot/v2/utils/outputwriter"
 "github.com/jfrog/froggit-go/vcsclient"
@@ -11,12 +18,6 @@ import (
 "github.com/jfrog/jfrog-cli-security/utils/results"
 "github.com/jfrog/jfrog-cli-security/utils/techutils"
 "github.com/stretchr/testify/assert"
- "net/http/httptest"
- "os"
- "path"
- "path/filepath"
- "testing"
- "time"
 )
 
 const (
@@ -523,7 +524,8 @@ func createTestSecurityCommandResults() *results.SecurityCommandResults {
 
 // Create SecurityCommandResults with the BOM
 scanResults := &results.SecurityCommandResults{
- StartTime: time.Date(2024, 1, 15, 10, 30, 0, 0, time.UTC),
+ ResultsMetaData: results.ResultsMetaData{
+ StartTime: time.Date(2024, 1, 15, 10, 30, 0, 0, time.UTC)},
 Targets: []*results.TargetResults{
 {
 ScanTarget: results.ScanTarget{
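Review bot: `frogbotUploadRtRepoPath = "frogbot"` is added without a comment even though it is the only place that names the Artifactory repository `RunInstallAndAudit` uploads results into (`SetRtResultRepository(frogbotUploadRtRepoPath)` in scandetails.go). Add `// frogbotUploadRtRepoPath is the key of the Artifactory repository that audit results are uploaded to; it presumably must exist and be writable by the Frogbot credentials.` above it and mention the requirement in the user documentation. The `Path` suffix is also misleading for a repository key; `frogbotUploadRtRepoKey` would read better. The const block continues outside the hunk.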