Skip to content

Commit

Permalink
Refactor after severity and utils changes in security-cli (#719)
Browse files Browse the repository at this point in the history
  • Loading branch information
@attiasas
attiasas authored Jun 30, 2024
1 parent 5d9c42c commit a1c9444
Show file tree
Hide file tree
Showing 13 changed files with 144 additions and 116 deletions.
7 changes: 4 additions & 3 deletions commands.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ package main
import (
"errors"
"fmt"
"os"

"github.com/jfrog/frogbot/v2/scanpullrequest"
"github.com/jfrog/frogbot/v2/scanrepository"
"github.com/jfrog/frogbot/v2/utils"
Expand All @@ -12,9 +14,8 @@ import (
"github.com/jfrog/jfrog-cli-core/v2/utils/usage"
"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
"github.com/jfrog/jfrog-client-go/utils/log"
"os"

securityutils "github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-cli-security/utils/xsc"
clitool "github.com/urfave/cli/v2"
)

Expand Down Expand Up @@ -105,7 +106,7 @@ func Exec(command FrogbotCommand, commandName string) (err error) {
waitForUsageResponse()

if err != nil && usage.ShouldReportUsage() {
if reportError := securityutils.ReportError(frogbotDetails.ServerDetails, err, "frogbot"); reportError != nil {
if reportError := xsc.ReportError(frogbotDetails.ServerDetails, err, "frogbot"); reportError != nil {
log.Debug(reportError)
}
} else {
Expand Down
2 changes: 1 addition & 1 deletion go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,7 @@ require (
gopkg.in/warnings.v0 v0.1.2 // indirect
)

// replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security dev
replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security v1.4.2-0.20240630105549-4aca7e8b4acf

// replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev

Expand Down
4 changes: 2 additions & 2 deletions go.sum
View file
Original file line number Diff line number Diff line change
Expand Up @@ -900,8 +900,8 @@ github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYL
github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
github.com/jfrog/jfrog-cli-core/v2 v2.53.1 h1:odwPJlrUVw7yKIYctVIn7/8YW/Ynwq4vvsmrXOzAAa8=
github.com/jfrog/jfrog-cli-core/v2 v2.53.1/go.mod h1:4iTSevmlThM1Aw5NAY4WyVxim5US4SkrmxHSHFimaqk=
github.com/jfrog/jfrog-cli-security v1.4.1 h1:7RKcpa3NLWPYuZaochpRr4LJ296B60P0+wZSibOcK4Q=
github.com/jfrog/jfrog-cli-security v1.4.1/go.mod h1:8Jmr6CBQIgB6zbyxuZLg/66x7M+7WWDkXBGCQPkw+j8=
github.com/jfrog/jfrog-cli-security v1.4.2-0.20240630105549-4aca7e8b4acf h1:DxFgIOejzagAIMuQpI8obqn1S1+OEoVhDNgauwLTBM8=
github.com/jfrog/jfrog-cli-security v1.4.2-0.20240630105549-4aca7e8b4acf/go.mod h1:8Jmr6CBQIgB6zbyxuZLg/66x7M+7WWDkXBGCQPkw+j8=
github.com/jfrog/jfrog-client-go v1.41.0 h1:g5OTFvreOVQ6U/5LUXFJfA3Bc+AZCo2PO/EzCLxLbLE=
github.com/jfrog/jfrog-client-go v1.41.0/go.mod h1:AN+/mT2DIBE4oRZicJojqND2BEKLfA7f73i5rT3Lfcc=
github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA=
Expand Down
7 changes: 5 additions & 2 deletions scanpullrequest/scanpullrequest.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
"github.com/jfrog/gofrog/datastructures"
"github.com/jfrog/jfrog-cli-security/formats"
securityutils "github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-cli-security/utils/xsc"
"github.com/jfrog/jfrog-client-go/utils/log"
"github.com/jfrog/jfrog-client-go/xray/services"
)
Expand Down Expand Up @@ -127,12 +128,14 @@ func toFailTaskStatus(repo *utils.Repository, issues *utils.IssuesCollection) bo
}

// Downloads Pull Requests branches code and audits them
func auditPullRequest(repoConfig *utils.Repository, client vcsclient.VcsClient, analyticsService *securityutils.AnalyticsMetricsService) (issuesCollection *utils.IssuesCollection, err error) {
func auditPullRequest(repoConfig *utils.Repository, client vcsclient.VcsClient, analyticsService *xsc.AnalyticsMetricsService) (issuesCollection *utils.IssuesCollection, err error) {
scanDetails := utils.NewScanDetails(client, &repoConfig.Server, &repoConfig.Git).
SetXrayGraphScanParams(repoConfig.Watches, repoConfig.JFrogProjectKey, len(repoConfig.AllowedLicenses) > 0).
SetMinSeverity(repoConfig.MinSeverity).
SetFixableOnly(repoConfig.FixableOnly).
SetFailOnInstallationErrors(*repoConfig.FailOnSecurityIssues)
if scanDetails, err = scanDetails.SetMinSeverity(repoConfig.MinSeverity); err != nil {
return
}

// If MSI exists we always need to report events
if analyticsService.GetMsi() != "" {
Expand Down
109 changes: 57 additions & 52 deletions scanpullrequest/scanpullrequest_test.go
View file

Large diffs are not rendered by default.

9 changes: 6 additions & 3 deletions scanrepository/scanrepository.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ import (
"github.com/jfrog/jfrog-cli-security/formats"
securityutils "github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-cli-security/utils/techutils"
"github.com/jfrog/jfrog-cli-security/utils/xsc"
"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
"github.com/jfrog/jfrog-client-go/utils/log"
"golang.org/x/exp/maps"
Expand Down Expand Up @@ -45,7 +46,7 @@ type ScanRepositoryCmd struct {
// Stores all package manager handlers for detected issues
handlers map[techutils.Technology]packagehandlers.PackageHandler
// The AnalyticsMetricsService used for analytics event report
analyticsService *securityutils.AnalyticsMetricsService
analyticsService *xsc.AnalyticsMetricsService
}

func (cfp *ScanRepositoryCmd) Run(repoAggregator utils.RepoAggregator, client vcsclient.VcsClient, frogbotRepoConnection *utils.UrlAccessChecker) (err error) {
Expand Down Expand Up @@ -115,8 +116,10 @@ func (cfp *ScanRepositoryCmd) setCommandPrerequisites(repository *utils.Reposito
cfp.scanDetails = utils.NewScanDetails(client, &repository.Server, &repository.Git).
SetXrayGraphScanParams(repository.Watches, repository.JFrogProjectKey, len(repository.AllowedLicenses) > 0).
SetFailOnInstallationErrors(*repository.FailOnSecurityIssues).
SetFixableOnly(repository.FixableOnly).
SetMinSeverity(repository.MinSeverity)
SetFixableOnly(repository.FixableOnly)
if cfp.scanDetails, err = cfp.scanDetails.SetMinSeverity(repository.MinSeverity); err != nil {
return
}
repositoryInfo, err := client.GetRepositoryInfo(context.Background(), cfp.scanDetails.RepoOwner, cfp.scanDetails.RepoName)
if err != nil {
return
Expand Down
13 changes: 7 additions & 6 deletions utils/analytics.go
View file
Original file line number Diff line number Diff line change
@@ -1,18 +1,19 @@
package utils

import (
"os"
"strings"

"github.com/jfrog/jfrog-cli-core/v2/utils/config"
"github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-cli-security/utils/xsc"
"github.com/jfrog/jfrog-client-go/utils/log"
"github.com/jfrog/jfrog-client-go/xray/services"
xscservices "github.com/jfrog/jfrog-client-go/xsc/services"
"os"
"strings"
)

func AddAnalyticsGeneralEvent(gitInfoContext *services.XscGitInfoContext, serverDetails *config.ServerDetails, scanType string) *utils.AnalyticsMetricsService {
func AddAnalyticsGeneralEvent(gitInfoContext *services.XscGitInfoContext, serverDetails *config.ServerDetails, scanType string) *xsc.AnalyticsMetricsService {
log.Debug("Initiating General Event report to Analytics service")
analyticsService := utils.NewAnalyticsMetricsService(serverDetails)
analyticsService := xsc.NewAnalyticsMetricsService(serverDetails)
if !analyticsService.ShouldReportEvents() {
return analyticsService
}
Expand All @@ -25,7 +26,7 @@ func AddAnalyticsGeneralEvent(gitInfoContext *services.XscGitInfoContext, server
return analyticsService
}

func createAnalyticsGeneralEvent(analyticsService *utils.AnalyticsMetricsService, gitInfo *services.XscGitInfoContext, scanType string) *xscservices.XscAnalyticsGeneralEvent {
func createAnalyticsGeneralEvent(analyticsService *xsc.AnalyticsMetricsService, gitInfo *services.XscGitInfoContext, scanType string) *xscservices.XscAnalyticsGeneralEvent {
generalEvent := analyticsService.CreateGeneralEvent(xscservices.FrogbotProduct, xscservices.FrogbotType)
generalEvent.ProductVersion = FrogbotVersion
generalEvent.FrogbotScanType = scanType
Expand Down
7 changes: 4 additions & 3 deletions utils/analytics_test.go
View file
Original file line number Diff line number Diff line change
@@ -1,12 +1,13 @@
package utils

import (
"testing"

"github.com/jfrog/jfrog-cli-core/v2/utils/config"
"github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-cli-security/utils/xsc"
"github.com/jfrog/jfrog-client-go/xray/services"
xscservices "github.com/jfrog/jfrog-client-go/xsc/services"
"github.com/stretchr/testify/assert"
"testing"
)

func TestCreateAnalyticsGeneralEvent(t *testing.T) {
Expand All @@ -31,7 +32,7 @@ func TestCreateAnalyticsGeneralEvent(t *testing.T) {
Password: "password",
}

analyticsService := utils.NewAnalyticsMetricsService(serverDetails)
analyticsService := xsc.NewAnalyticsMetricsService(serverDetails)
analyticsGeneralEvent := createAnalyticsGeneralEvent(analyticsService, gitInfoContext, "monitor")

// Comparison is made manually for selected fields since some of the fields are machine-dependent and cannot be known in advance
Expand Down
11 changes: 6 additions & 5 deletions utils/outputwriter/outputcontent_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@ import (

"github.com/jfrog/froggit-go/vcsutils"
"github.com/jfrog/jfrog-cli-security/formats"
"github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-cli-security/utils/jasutils"
"github.com/jfrog/jfrog-cli-security/utils/severityutils"
"github.com/stretchr/testify/assert"
)

Expand Down Expand Up @@ -290,7 +291,7 @@ func TestVulnerabilitiesContent(t *testing.T) {
vulnerabilities: []formats.VulnerabilityOrViolationRow{
{
ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
SeverityDetails: formats.SeverityDetails{Severity: "Critical", SeverityNumValue: utils.GetSeverity("Critical", utils.NotApplicable).SeverityNumValue},
SeverityDetails: severityutils.GetAsDetails(severityutils.Critical, jasutils.NotApplicable, false),
ImpactedDependencyName: "impacted",
ImpactedDependencyVersion: "3.0.0",
Components: []formats.ComponentRow{
Expand All @@ -305,7 +306,7 @@ func TestVulnerabilitiesContent(t *testing.T) {
{
Summary: "Summary XRAY-122345",
ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: utils.GetSeverity("High", utils.ApplicabilityUndetermined).SeverityNumValue},
SeverityDetails: severityutils.GetAsDetails(severityutils.High, jasutils.ApplicabilityUndetermined, false),
ImpactedDependencyName: "github.com/nats-io/nats-streaming-server",
ImpactedDependencyVersion: "v0.21.0",
Components: []formats.ComponentRow{
Expand All @@ -325,7 +326,7 @@ func TestVulnerabilitiesContent(t *testing.T) {
},
{
ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
SeverityDetails: formats.SeverityDetails{Severity: "Medium", SeverityNumValue: utils.GetSeverity("Medium", utils.Applicable).SeverityNumValue},
SeverityDetails: severityutils.GetAsDetails(severityutils.Medium, jasutils.Applicable, false),
ImpactedDependencyName: "component-D",
ImpactedDependencyVersion: "v0.21.0",
Components: []formats.ComponentRow{
Expand All @@ -348,7 +349,7 @@ func TestVulnerabilitiesContent(t *testing.T) {
{
Summary: "Summary",
ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
SeverityDetails: formats.SeverityDetails{Severity: "Low", SeverityNumValue: utils.GetSeverity("Low", utils.ApplicabilityUndetermined).SeverityNumValue},
SeverityDetails: severityutils.GetAsDetails(severityutils.Low, jasutils.ApplicabilityUndetermined, false),
ImpactedDependencyName: "github.com/mholt/archiver/v3",
ImpactedDependencyVersion: "v3.5.1",
Components: []formats.ComponentRow{
Expand Down
15 changes: 9 additions & 6 deletions utils/params.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,9 @@ import (
"strconv"
"strings"

"github.com/jfrog/jfrog-cli-security/commands/audit/sca"

"github.com/jfrog/frogbot/v2/utils/outputwriter"
xrutils "github.com/jfrog/jfrog-cli-security/utils"
securityutils "github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-cli-security/utils/severityutils"

"github.com/jfrog/build-info-go/utils"
"github.com/jfrog/froggit-go/vcsclient"
Expand Down Expand Up @@ -103,7 +102,7 @@ func (p *Project) setDefaultsIfNeeded() error {
}
if len(p.PathExclusions) == 0 {
if p.PathExclusions, _ = readArrayParamFromEnv(PathExclusionsEnv, ";"); len(p.PathExclusions) == 0 {
p.PathExclusions = sca.DefaultScaExcludePatterns
p.PathExclusions = securityutils.DefaultScaExcludePatterns
}
}
if p.UseWrapper == nil {
Expand Down Expand Up @@ -203,8 +202,12 @@ func (s *Scan) setDefaultsIfNeeded() (err error) {
return
}
}
if s.MinSeverity, err = xrutils.GetSeveritiesFormat(s.MinSeverity); err != nil {
return
if s.MinSeverity != "" {
var severity severityutils.Severity
if severity, err = severityutils.ParseSeverity(s.MinSeverity, false); err != nil {
return
}
s.MinSeverity = severity.String()
}
if len(s.Projects) == 0 {
s.Projects = append(s.Projects, Project{})
Expand Down
25 changes: 17 additions & 8 deletions utils/scandetails.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,16 +4,18 @@ import (
"context"
"errors"
"fmt"
"os"
"path/filepath"

"github.com/jfrog/froggit-go/vcsclient"
"github.com/jfrog/jfrog-cli-core/v2/utils/config"
"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
"github.com/jfrog/jfrog-cli-security/commands/audit"
"github.com/jfrog/jfrog-cli-security/scangraph"
xrayutils "github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-cli-security/utils/severityutils"
"github.com/jfrog/jfrog-cli-security/utils/xray/scangraph"
"github.com/jfrog/jfrog-client-go/utils/log"
"github.com/jfrog/jfrog-client-go/xray/services"
"os"
"path/filepath"
)

type ScanDetails struct {
Expand All @@ -24,7 +26,7 @@ type ScanDetails struct {
client vcsclient.VcsClient
failOnInstallationErrors bool
fixableOnly bool
minSeverityFilter string
minSeverityFilter severityutils.Severity
baseBranch string
}

Expand Down Expand Up @@ -52,9 +54,16 @@ func (sc *ScanDetails) SetFixableOnly(fixable bool) *ScanDetails {
return sc
}

func (sc *ScanDetails) SetMinSeverity(minSeverity string) *ScanDetails {
sc.minSeverityFilter = minSeverity
return sc
func (sc *ScanDetails) SetMinSeverity(minSeverity string) (*ScanDetails, error) {
if minSeverity == "" {
return sc, nil
}
if severity, err := severityutils.ParseSeverity(minSeverity, false); err != nil {
return sc, err
} else {
sc.minSeverityFilter = severity
}
return sc, nil
}

func (sc *ScanDetails) SetBaseBranch(branch string) *ScanDetails {
Expand All @@ -78,7 +87,7 @@ func (sc *ScanDetails) FixableOnly() bool {
return sc.fixableOnly
}

func (sc *ScanDetails) MinSeverityFilter() string {
func (sc *ScanDetails) MinSeverityFilter() severityutils.Severity {
return sc.minSeverityFilter
}

Expand Down
19 changes: 10 additions & 9 deletions utils/utils.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ import (
"github.com/jfrog/jfrog-cli-core/v2/utils/config"
"github.com/jfrog/jfrog-cli-core/v2/utils/usage"
"github.com/jfrog/jfrog-cli-security/formats"
"github.com/jfrog/jfrog-cli-security/formats/sarifutils"
xrayutils "github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-cli-security/utils/techutils"
"github.com/jfrog/jfrog-client-go/http/httpclient"
Expand Down Expand Up @@ -259,20 +260,20 @@ func prepareRunsForGithubReport(runs []*sarif.Run) []*sarif.Run {
// If we upload to Github security tab multiple runs, it will only display the last run as active issues.
// Combine all runs into one run with multiple invocations, so the Github security tab will display all the results as not resolved.
combined := sarif.NewRunWithInformationURI(sarifToolName, outputwriter.FrogbotRepoUrl)
xrayutils.AggregateMultipleRunsIntoSingle(runs, combined)
sarifutils.AggregateMultipleRunsIntoSingle(runs, combined)
return []*sarif.Run{combined}
}

func convertToRelativePath(runs []*sarif.Run) {
for _, run := range runs {
for _, result := range run.Results {
for _, location := range result.Locations {
xrayutils.SetLocationFileName(location, xrayutils.GetRelativeLocationFileName(location, run.Invocations))
sarifutils.SetLocationFileName(location, sarifutils.GetRelativeLocationFileName(location, run.Invocations))
}
for _, flows := range result.CodeFlows {
for _, flow := range flows.ThreadFlows {
for _, location := range flow.Locations {
xrayutils.SetLocationFileName(location.Location, xrayutils.GetRelativeLocationFileName(location.Location, run.Invocations))
sarifutils.SetLocationFileName(location.Location, sarifutils.GetRelativeLocationFileName(location.Location, run.Invocations))
}
}
}
Expand All @@ -286,7 +287,7 @@ func GenerateFrogbotSarifReport(extendedResults *xrayutils.Results, isMultipleRo
return "", err
}
sarifReport.Runs = prepareRunsForGithubReport(sarifReport.Runs)
return xrayutils.ConvertSarifReportToString(sarifReport)
return sarifutils.ConvertSarifReportToString(sarifReport)
}

func DownloadRepoToTempDir(client vcsclient.VcsClient, repoOwner, repoName, branch string) (wd string, cleanup func() error, err error) {
Expand Down Expand Up @@ -389,7 +390,7 @@ func convertSarifPathsInCveApplicability(vulnerabilities []formats.Vulnerability
if cve.Applicability != nil {
for i := range cve.Applicability.Evidence {
for _, wd := range workingDirs {
cve.Applicability.Evidence[i].File = xrayutils.ExtractRelativePath(cve.Applicability.Evidence[i].File, wd)
cve.Applicability.Evidence[i].File = sarifutils.ExtractRelativePath(cve.Applicability.Evidence[i].File, wd)
}
}
}
Expand All @@ -401,7 +402,7 @@ func convertSarifPathsInIacs(iacs []formats.SourceCodeRow, workingDirs ...string
for i := range iacs {
iac := &iacs[i]
for _, wd := range workingDirs {
iac.Location.File = xrayutils.ExtractRelativePath(iac.Location.File, wd)
iac.Location.File = sarifutils.ExtractRelativePath(iac.Location.File, wd)
}
}
}
Expand All @@ -410,7 +411,7 @@ func convertSarifPathsInSecrets(secrets []formats.SourceCodeRow, workingDirs ...
for i := range secrets {
secret := &secrets[i]
for _, wd := range workingDirs {
secret.Location.File = xrayutils.ExtractRelativePath(secret.Location.File, wd)
secret.Location.File = sarifutils.ExtractRelativePath(secret.Location.File, wd)
}
}
}
Expand All @@ -419,10 +420,10 @@ func convertSarifPathsInSast(sast []formats.SourceCodeRow, workingDirs ...string
for i := range sast {
sastIssue := &sast[i]
for _, wd := range workingDirs {
sastIssue.Location.File = xrayutils.ExtractRelativePath(sastIssue.Location.File, wd)
sastIssue.Location.File = sarifutils.ExtractRelativePath(sastIssue.Location.File, wd)
for f := range sastIssue.CodeFlow {
for l := range sastIssue.CodeFlow[f] {
sastIssue.CodeFlow[f][l].File = xrayutils.ExtractRelativePath(sastIssue.CodeFlow[f][l].File, wd)
sastIssue.CodeFlow[f][l].File = sarifutils.ExtractRelativePath(sastIssue.CodeFlow[f][l].File, wd)
}
}
}
Expand Down
Loading

0 comments on commit a1c9444

Please sign in to comment.