Skip to content

Commit

Permalink
Refactor after Results changes in security-cli (#724)
Browse files Browse the repository at this point in the history
  • Loading branch information
@attiasas
attiasas authored Oct 14, 2024
1 parent 76c8ca8 commit 9d5ed08
Show file tree
Hide file tree
Showing 18 changed files with 268 additions and 265 deletions.
2 changes: 1 addition & 1 deletion go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ require (
gopkg.in/warnings.v0 v0.1.2 // indirect
)

// replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security dev
replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security v1.11.5-0.20241013154337-2f7858923804

// replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev

Expand Down
4 changes: 2 additions & 2 deletions go.sum
View file
Original file line number Diff line number Diff line change
Expand Up @@ -134,8 +134,8 @@ github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYL
github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
github.com/jfrog/jfrog-cli-core/v2 v2.56.3 h1:9ZZ7TGpobk4XShPzrHkRGfpYzs1w0rg7Hqtfg51iNRg=
github.com/jfrog/jfrog-cli-core/v2 v2.56.3/go.mod h1:xL9b2DrH5FemiTuk2bfUBfbQYC/RvpBkPxxV6XxssXs=
github.com/jfrog/jfrog-cli-security v1.11.4 h1:aMNTcz/w75IfHfsNuJqoHu38+35L9JH8DnTEqOhW8Ao=
github.com/jfrog/jfrog-cli-security v1.11.4/go.mod h1:XRev43n6+C48UJGbRGCI5eqtQ4tF5T6hxnIa4+ULiMI=
github.com/jfrog/jfrog-cli-security v1.11.5-0.20241013154337-2f7858923804 h1:cYd1+uqVgzSj9g2p3+RqfdM6G4xJBAgB9ODvvfuC0MI=
github.com/jfrog/jfrog-cli-security v1.11.5-0.20241013154337-2f7858923804/go.mod h1:XRev43n6+C48UJGbRGCI5eqtQ4tF5T6hxnIa4+ULiMI=
github.com/jfrog/jfrog-client-go v1.47.2 h1:Lu+2n4EU+MzNfotV1VOvF/ZQIWsQJg11Z4YSVhumFy0=
github.com/jfrog/jfrog-client-go v1.47.2/go.mod h1:fx2fq5XwZ7e2pzpBB9pXsP8+ZdKLB8g+A6fjGU6F2XI=
github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA=
Expand Down
2 changes: 1 addition & 1 deletion packagehandlers/packagehandlers_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ import (
biutils "github.com/jfrog/build-info-go/utils"
"github.com/jfrog/frogbot/v2/utils"
"github.com/jfrog/jfrog-cli-security/commands/audit/sca/java"
"github.com/jfrog/jfrog-cli-security/formats"
"github.com/jfrog/jfrog-cli-security/utils/formats"
"github.com/jfrog/jfrog-cli-security/utils/techutils"
"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
"github.com/stretchr/testify/assert"
Expand Down
150 changes: 50 additions & 100 deletions scanpullrequest/scanpullrequest.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,10 @@ import (
"github.com/jfrog/froggit-go/vcsclient"
"github.com/jfrog/froggit-go/vcsutils"
"github.com/jfrog/gofrog/datastructures"
"github.com/jfrog/jfrog-cli-security/formats"
securityutils "github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-cli-security/utils/formats"
"github.com/jfrog/jfrog-cli-security/utils/jasutils"
"github.com/jfrog/jfrog-cli-security/utils/results"
"github.com/jfrog/jfrog-cli-security/utils/results/conversion"
"github.com/jfrog/jfrog-cli-security/utils/xsc"
"github.com/jfrog/jfrog-client-go/utils/log"
"github.com/jfrog/jfrog-client-go/xray/services"
Expand Down Expand Up @@ -172,7 +174,7 @@ func auditPullRequestInProject(repoConfig *utils.Repository, scanDetails *utils.
}()

// Audit source branch
var sourceResults *securityutils.Results
var sourceResults *results.SecurityCommandResults
workingDirs := utils.GetFullPathWorkingDirs(scanDetails.Project.WorkingDirs, sourceBranchWd)
log.Info("Scanning source branch...")
sourceResults, err = scanDetails.RunInstallAndAudit(workingDirs...)
Expand All @@ -181,12 +183,11 @@ func auditPullRequestInProject(repoConfig *utils.Repository, scanDetails *utils.
}

// Set JAS output flags
sourceScanResults := sourceResults.ExtendedScanResults
repoConfig.OutputWriter.SetJasOutputFlags(sourceScanResults.EntitledForJas, len(sourceScanResults.ApplicabilityScanResults) > 0)
repoConfig.OutputWriter.SetJasOutputFlags(sourceResults.EntitledForJas, len(sourceResults.GetJasScansResults(jasutils.Applicability)) > 0)

// Get all issues that exist in the source branch
if repoConfig.IncludeAllVulnerabilities {
if auditIssues, err = getAllIssues(sourceResults, repoConfig.AllowedLicenses); err != nil {
if auditIssues, err = getAllIssues(sourceResults, repoConfig.AllowedLicenses, scanDetails.HasViolationContext()); err != nil {
return
}
utils.ConvertSarifPathsToRelative(auditIssues, sourceBranchWd)
Expand All @@ -201,7 +202,7 @@ func auditPullRequestInProject(repoConfig *utils.Repository, scanDetails *utils.
return
}

func auditTargetBranch(repoConfig *utils.Repository, scanDetails *utils.ScanDetails, sourceScanResults *securityutils.Results) (newIssues *utils.IssuesCollection, targetBranchWd string, err error) {
func auditTargetBranch(repoConfig *utils.Repository, scanDetails *utils.ScanDetails, sourceScanResults *results.SecurityCommandResults) (newIssues *utils.IssuesCollection, targetBranchWd string, err error) {
// Download target branch (if needed)
cleanupTarget := func() error { return nil }
if !repoConfig.IncludeAllVulnerabilities {
Expand All @@ -215,7 +216,7 @@ func auditTargetBranch(repoConfig *utils.Repository, scanDetails *utils.ScanDeta
}()

// Set target branch scan details
var targetResults *securityutils.Results
var targetResults *results.SecurityCommandResults
workingDirs := utils.GetFullPathWorkingDirs(scanDetails.Project.WorkingDirs, targetBranchWd)
log.Info("Scanning target branch...")
targetResults, err = scanDetails.RunInstallAndAudit(workingDirs...)
Expand All @@ -224,56 +225,68 @@ func auditTargetBranch(repoConfig *utils.Repository, scanDetails *utils.ScanDeta
}

// Get newly added issues
newIssues, err = getNewlyAddedIssues(targetResults, sourceScanResults, repoConfig.AllowedLicenses)
newIssues, err = getNewlyAddedIssues(targetResults, sourceScanResults, repoConfig.AllowedLicenses, scanDetails.HasViolationContext())
return
}

func getAllIssues(results *securityutils.Results, allowedLicenses []string) (*utils.IssuesCollection, error) {
func getAllIssues(cmdResults *results.SecurityCommandResults, allowedLicenses []string, hasViolationContext bool) (*utils.IssuesCollection, error) {
log.Info("Frogbot is configured to show all vulnerabilities")
scanResults := results.ExtendedScanResults
xraySimpleJson, err := securityutils.ConvertXrayScanToSimpleJson(results, results.IsMultipleProject(), false, true, allowedLicenses)
simpleJsonResults, err := conversion.NewCommandResultsConvertor(conversion.ResultConvertParams{
IncludeVulnerabilities: true,
HasViolationContext: hasViolationContext,
AllowedLicenses: allowedLicenses,
IncludeLicenses: true,
SimplifiedOutput: true,
}).ConvertToSimpleJson(cmdResults)
if err != nil {
return nil, err
}
return &utils.IssuesCollection{
Vulnerabilities: append(xraySimpleJson.Vulnerabilities, xraySimpleJson.SecurityViolations...),
Iacs: securityutils.PrepareIacs(scanResults.IacScanResults),
Secrets: securityutils.PrepareSecrets(scanResults.SecretsScanResults),
Sast: securityutils.PrepareSast(scanResults.SastScanResults),
Licenses: xraySimpleJson.LicensesViolations,
Vulnerabilities: append(simpleJsonResults.Vulnerabilities, simpleJsonResults.SecurityViolations...),
Iacs: simpleJsonResults.Iacs,
Secrets: simpleJsonResults.Secrets,
Sast: simpleJsonResults.Sast,
Licenses: simpleJsonResults.LicensesViolations,
}, nil
}

// Returns all the issues found in the source branch that didn't exist in the target branch.
func getNewlyAddedIssues(targetResults, sourceResults *securityutils.Results, allowedLicenses []string) (*utils.IssuesCollection, error) {
func getNewlyAddedIssues(targetResults, sourceResults *results.SecurityCommandResults, allowedLicenses []string, hasViolationContext bool) (*utils.IssuesCollection, error) {
var err error
convertor := conversion.NewCommandResultsConvertor(conversion.ResultConvertParams{IncludeVulnerabilities: true, HasViolationContext: hasViolationContext, IncludeLicenses: len(allowedLicenses) > 0, AllowedLicenses: allowedLicenses, SimplifiedOutput: true})
simpleJsonSource, err := convertor.ConvertToSimpleJson(sourceResults)
if err != nil {
return nil, err
}
simpleJsonTarget, err := convertor.ConvertToSimpleJson(targetResults)
if err != nil {
return nil, err
}

var newVulnerabilitiesOrViolations []formats.VulnerabilityOrViolationRow
if len(simpleJsonSource.Vulnerabilities) > 0 || len(simpleJsonSource.SecurityViolations) > 0 {
newVulnerabilitiesOrViolations = append(
getUniqueVulnerabilityOrViolationRows(simpleJsonTarget.Vulnerabilities, simpleJsonSource.Vulnerabilities),
getUniqueVulnerabilityOrViolationRows(simpleJsonTarget.SecurityViolations, simpleJsonSource.SecurityViolations)...,
)
}

var newLicenses []formats.LicenseRow
var err error
if len(sourceResults.GetScaScansXrayResults()) > 0 {
if newVulnerabilitiesOrViolations, newLicenses, err = createNewVulnerabilitiesRows(targetResults, sourceResults, allowedLicenses); err != nil {
return nil, err
}
if len(simpleJsonSource.LicensesViolations) > 0 {
newLicenses = getUniqueLicenseRows(simpleJsonTarget.LicensesViolations, simpleJsonSource.LicensesViolations)
}

var newIacs []formats.SourceCodeRow
if len(sourceResults.ExtendedScanResults.IacScanResults) > 0 {
targetIacRows := securityutils.PrepareIacs(targetResults.ExtendedScanResults.IacScanResults)
sourceIacRows := securityutils.PrepareIacs(sourceResults.ExtendedScanResults.IacScanResults)
newIacs = createNewSourceCodeRows(targetIacRows, sourceIacRows)
if len(simpleJsonSource.Iacs) > 0 {
newIacs = createNewSourceCodeRows(simpleJsonTarget.Iacs, simpleJsonSource.Iacs)
}

var newSecrets []formats.SourceCodeRow
if len(sourceResults.ExtendedScanResults.SecretsScanResults) > 0 {
targetSecretsRows := securityutils.PrepareIacs(targetResults.ExtendedScanResults.SecretsScanResults)
sourceSecretsRows := securityutils.PrepareIacs(sourceResults.ExtendedScanResults.SecretsScanResults)
newSecrets = createNewSourceCodeRows(targetSecretsRows, sourceSecretsRows)
if len(simpleJsonSource.Secrets) > 0 {
newSecrets = createNewSourceCodeRows(simpleJsonTarget.Secrets, simpleJsonSource.Secrets)
}

var newSast []formats.SourceCodeRow
if len(targetResults.ExtendedScanResults.SastScanResults) > 0 {
targetSastRows := securityutils.PrepareSast(targetResults.ExtendedScanResults.SastScanResults)
sourceSastRows := securityutils.PrepareSast(sourceResults.ExtendedScanResults.SastScanResults)
newSast = createNewSourceCodeRows(targetSastRows, sourceSastRows)
if len(simpleJsonSource.Sast) > 0 {
newSast = createNewSourceCodeRows(simpleJsonTarget.Sast, simpleJsonSource.Sast)
}

return &utils.IssuesCollection{
Expand Down Expand Up @@ -303,40 +316,6 @@ func createNewSourceCodeRows(targetResults, sourceResults []formats.SourceCodeRo
return addedSourceCodeVulnerabilities
}

// Create vulnerabilities rows. The rows should contain only the new issues added by this PR
func createNewVulnerabilitiesRows(targetResults, sourceResults *securityutils.Results, allowedLicenses []string) (vulnerabilityOrViolationRows []formats.VulnerabilityOrViolationRow, licenseRows []formats.LicenseRow, err error) {
targetScanAggregatedResults := aggregateScanResults(targetResults.GetScaScansXrayResults())
sourceScanAggregatedResults := aggregateScanResults(sourceResults.GetScaScansXrayResults())

if len(sourceScanAggregatedResults.Violations) > 0 {
return getNewViolations(&targetScanAggregatedResults, &sourceScanAggregatedResults, sourceResults)
}
if len(sourceScanAggregatedResults.Vulnerabilities) > 0 {
if vulnerabilityOrViolationRows, err = getNewSecurityVulnerabilities(&targetScanAggregatedResults, &sourceScanAggregatedResults, sourceResults); err != nil {
return
}
}
var newLicenses []formats.LicenseRow
if newLicenses, err = getNewLicenseRows(&targetScanAggregatedResults, &sourceScanAggregatedResults); err != nil {
return
}
licenseRows = securityutils.GetViolatedLicenses(allowedLicenses, newLicenses)
return
}

func getNewSecurityVulnerabilities(targetScan, sourceScan *services.ScanResponse, auditResults *securityutils.Results) (newVulnerabilitiesRows []formats.VulnerabilityOrViolationRow, err error) {
targetVulnerabilitiesRows, err := securityutils.PrepareVulnerabilities(targetScan.Vulnerabilities, auditResults, auditResults.IsMultipleProject(), true)
if err != nil {
return newVulnerabilitiesRows, err
}
sourceVulnerabilitiesRows, err := securityutils.PrepareVulnerabilities(sourceScan.Vulnerabilities, auditResults, auditResults.IsMultipleProject(), true)
if err != nil {
return newVulnerabilitiesRows, err
}
newVulnerabilitiesRows = getUniqueVulnerabilityOrViolationRows(targetVulnerabilitiesRows, sourceVulnerabilitiesRows)
return
}

func getUniqueVulnerabilityOrViolationRows(targetRows, sourceRows []formats.VulnerabilityOrViolationRow) []formats.VulnerabilityOrViolationRow {
existingRows := make(map[string]formats.VulnerabilityOrViolationRow)
var newRows []formats.VulnerabilityOrViolationRow
Expand All @@ -351,35 +330,6 @@ func getUniqueVulnerabilityOrViolationRows(targetRows, sourceRows []formats.Vuln
return newRows
}

func getNewViolations(targetScan, sourceScan *services.ScanResponse, auditResults *securityutils.Results) (newSecurityViolationsRows []formats.VulnerabilityOrViolationRow, newLicenseViolationsRows []formats.LicenseRow, err error) {
targetSecurityViolationsRows, targetLicenseViolationsRows, _, err := securityutils.PrepareViolations(targetScan.Violations, auditResults, auditResults.IsMultipleProject(), true)
if err != nil {
return
}
sourceSecurityViolationsRows, sourceLicenseViolationsRows, _, err := securityutils.PrepareViolations(sourceScan.Violations, auditResults, auditResults.IsMultipleProject(), true)
if err != nil {
return
}
newSecurityViolationsRows = getUniqueVulnerabilityOrViolationRows(targetSecurityViolationsRows, sourceSecurityViolationsRows)
if len(sourceLicenseViolationsRows) > 0 {
newLicenseViolationsRows = getUniqueLicenseRows(targetLicenseViolationsRows, sourceLicenseViolationsRows)
}
return
}

func getNewLicenseRows(targetScan, sourceScan *services.ScanResponse) (newLicenses []formats.LicenseRow, err error) {
targetLicenses, err := securityutils.PrepareLicenses(targetScan.Licenses)
if err != nil {
return
}
sourceLicenses, err := securityutils.PrepareLicenses(sourceScan.Licenses)
if err != nil {
return
}
newLicenses = getUniqueLicenseRows(targetLicenses, sourceLicenses)
return
}

func getUniqueLicenseRows(targetRows, sourceRows []formats.LicenseRow) []formats.LicenseRow {
existingLicenses := make(map[string]formats.LicenseRow)
var newLicenses []formats.LicenseRow
Expand Down
Loading

0 comments on commit 9d5ed08

Please sign in to comment.