From 40cfdf7dd4f26f1dbac285159fb1bb1f507acfcc Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Thu, 7 Nov 2024 17:00:43 +0200
Subject: [PATCH 1/8] Fix handling errors in IsDirectDependency when impact path is missing and allow-partial-results is applied
---
 scanrepository/scanrepository.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/scanrepository/scanrepository.go b/scanrepository/scanrepository.go
index 09328f9e9..b27173c87 100644
--- a/scanrepository/scanrepository.go
+++ b/scanrepository/scanrepository.go
@@ -599,7 +599,11 @@ func (cfp *ScanRepositoryCmd) addVulnerabilityToFixVersionsMap(vulnerability *fo
 } else {
 isDirectDependency, err := utils.IsDirectDependency(vulnerability.ImpactPaths)
 if err != nil {
- return err
+ if cfp.scanDetails.AllowPartialResults() {
+ log.Warn(fmt.Sprintf("An empty impact path was provided for '%s'. Since partial-results is allowed the vulnerability is considered as indirect dependency and will not be fixed", vulnerability.ImpactedDependencyName))
+ } else {
+ return err
+ }
 }
 // First appearance of a version that fixes the current impacted package
 newVulnDetails := utils.NewVulnerabilityDetails(*vulnerability, vulnFixVersion)
From 8a5bfb9637bdc8225f1c73d2cb837359619d9682 Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Thu, 7 Nov 2024 17:07:44 +0200
Subject: [PATCH 2/8] go mod
---
 go.mod | 8 ++++----
 go.sum | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/go.mod b/go.mod
index 65be252d2..654e525bc 100644
--- a/go.mod
+++ b/go.mod
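Review bot: In the new partial-results branch the function only logs and then falls through to `newVulnDetails := utils.NewVulnerabilityDetails(*vulnerability, vulnFixVersion)`, relying on `isDirectDependency` having kept its zero value `false` after the failed call; the warning promises the vulnerability "will not be fixed", but nothing in this hunk skips it, so that outcome depends on how the flag is consumed further down. If treating the dependency as indirect is the intent, make it explicit rather than implicit, `isDirectDependency = false // lookup failed: assume indirect (partial results allowed)`, or return early if the vulnerability really must be dropped here. `addVulnerabilityToFixVersionsMap` starts and ends outside the hunk, so I cannot confirm from here which behavior the rest of the function produces. The same fall-through is carried unchanged into the reworded hunk of patch 7/8 (scanrepository.go `@@ -600,7 +600,7 @@`).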
@@ -9,9 +9,9 @@ require ( github.com/jfrog/build-info-go v1.10.3 github.com/jfrog/froggit-go v1.16.2 github.com/jfrog/gofrog v1.7.6 - github.com/jfrog/jfrog-cli-core/v2 v2.56.4 + github.com/jfrog/jfrog-cli-core/v2 v2.56.5 github.com/jfrog/jfrog-cli-security v1.12.3 - github.com/jfrog/jfrog-client-go v1.47.3 + github.com/jfrog/jfrog-client-go v1.47.4 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible github.com/owenrumney/go-sarif/v2 v2.3.1 github.com/stretchr/testify v1.9.0 @@ -116,11 +116,11 @@ require ( gopkg.in/warnings.v0 v0.1.2 // indirect ) -replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security v1.12.4-0.20241103154303-1f6712663f75 +replace github.com/jfrog/jfrog-cli-security => github.com/eranturgeman/jfrog-cli-security v0.0.0-20241107145807-946898b94964 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev -// replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go dev +replace github.com/jfrog/build-info-go => github.com/eranturgeman/build-info-go v0.0.0-20241107145115-d783bb77cd72 // replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go dev diff --git a/go.sum b/go.sum index 623fc9ae1..85e48f391 100644 --- a/go.sum +++ b/go.sum 
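Review bot: The second hunk (`@@ -116,11 +116,11 @@`) re-points `replace github.com/jfrog/jfrog-cli-security` and uncomments `replace github.com/jfrog/build-info-go` so both modules now resolve to pseudo-versions of a personal fork under `github.com/eranturgeman/...`, moving the source of those two dependencies outside the jfrog organization for any build of this commit. Patches 3/8 and 6/8 re-pin the fork and 8/8 restores the commented-out upstream lines with released versions, so the end state is clean; the series should be merged as a unit (or squashed) so that no tagged build or module-proxy fetch lands on an intermediate commit that pulls from the fork. The go.sum hunks in the same patches carry the matching fork checksums and are removed again in 8/8.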
@@ -58,6 +58,10 @@ github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcej github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= +github.com/eranturgeman/build-info-go v0.0.0-20241107145115-d783bb77cd72 h1:WcVQHLiY97gnySWZIg5l3dgzjPuj8+P02fINUsOQG7s= +github.com/eranturgeman/build-info-go v0.0.0-20241107145115-d783bb77cd72/go.mod h1:JcISnovFXKx3wWf3p1fcMmlPdt6adxScXvoJN4WXqIE= +github.com/eranturgeman/jfrog-cli-security v0.0.0-20241107145807-946898b94964 h1:aQHJBakDw7QXofJQVT2q+NHtwOYfE489I5OskP1D32w= +github.com/eranturgeman/jfrog-cli-security v0.0.0-20241107145807-946898b94964/go.mod h1:rzm3FIaxdW+w7mY/Jq6JapD/Cry/w7c3ArgjB5wg1Cg= github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/forPelevin/gomoji v1.2.0 h1:9k4WVSSkE1ARO/BWywxgEUBvR/jMnao6EZzrql5nxJ8= 
@@ -124,20 +128,16 @@ github.com/jedib0t/go-pretty/v6 v6.5.9 h1:ACteMBRrrmm1gMsXe9PSTOClQ63IXDUt03H5U+ github.com/jedib0t/go-pretty/v6 v6.5.9/go.mod h1:zbn98qrYlh95FIhwwsbIip0LYpwSG8SUOScs+v9/t0E= github.com/jfrog/archiver/v3 v3.6.1 h1:LOxnkw9pOn45DzCbZNFV6K0+6dCsQ0L8mR3ZcujO5eI= github.com/jfrog/archiver/v3 v3.6.1/go.mod h1:VgR+3WZS4N+i9FaDwLZbq+jeU4B4zctXL+gL4EMzfLw= -github.com/jfrog/build-info-go v1.10.3 h1:9nqBdZD6xkuxiOvxg+idZ79QLFWQNuucvKkl8Xb42kw= -github.com/jfrog/build-info-go v1.10.3/go.mod h1:JcISnovFXKx3wWf3p1fcMmlPdt6adxScXvoJN4WXqIE= github.com/jfrog/froggit-go v1.16.2 h1:F//S83iXH14qsCwYzv0zB2JtjS2pJVEsUoEmYA+37dQ= github.com/jfrog/froggit-go v1.16.2/go.mod h1:5VpdQfAcbuyFl9x/x8HGm7kVk719kEtW/8YJFvKcHPA= github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s= github.com/jfrog/gofrog v1.7.6/go.mod h1:ntr1txqNOZtHplmaNd7rS4f8jpA5Apx8em70oYEe7+4= github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY= github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w= -github.com/jfrog/jfrog-cli-core/v2 v2.56.4 h1:LqByz2FmVTDQm/u2xGeTL6O8Hs9JadaTj3QMpel9ZwY= -github.com/jfrog/jfrog-cli-core/v2 v2.56.4/go.mod h1:AwQ9WuOA64g3torX9K5kP0xFAAbchfRInhZwbufoW+Q= -github.com/jfrog/jfrog-cli-security v1.12.4-0.20241103154303-1f6712663f75 h1:8Xjom2U0Y3b9/iz6mHaX5tev+vo+NtVwX3BrKAKoiNQ= -github.com/jfrog/jfrog-cli-security v1.12.4-0.20241103154303-1f6712663f75/go.mod h1:BJLwfVZAxsi2iQQ60UYR0os2c23owPwhaRbQUfD8/h4= -github.com/jfrog/jfrog-client-go v1.47.3 h1:99/JSSgU0rvnM2zWYos2n+Gz1IYLCUoIorE4Xco+Dew= -github.com/jfrog/jfrog-client-go v1.47.3/go.mod h1:NepfaidmK/xiKsVC+0Ur9sANOqL6io8Y7pSaCau7J6o= +github.com/jfrog/jfrog-cli-core/v2 v2.56.5 h1:jigHavEpmfBV5tRHkVSW4B/GG5F54UOdNEt2jVyP0qc= +github.com/jfrog/jfrog-cli-core/v2 v2.56.5/go.mod h1:XlN2hMNiNFeNM9aR8H29RZkenI39lDe+LE+BTm1dM6k= +github.com/jfrog/jfrog-client-go v1.47.4 h1:4FAuDDvoDRy9LEFe1WwUO5prBXkgyhaWGEZ0vXYL/Z4= 
+github.com/jfrog/jfrog-client-go v1.47.4/go.mod h1:NepfaidmK/xiKsVC+0Ur9sANOqL6io8Y7pSaCau7J6o= github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA= github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible/go.mod h1:1c7szIrayyPPB/987hsnvNzLushdWf4o/79s3P08L8A= github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k= From 9d135040d2c8de9b3682f61b2cf5d69280ba3e8f Mon Sep 17 00:00:00 2001 From: Eran Turgeman Date: Sun, 10 Nov 2024 11:40:54 +0200 Subject: [PATCH 3/8] go mod --- go.mod | 10 +++++----- go.sum | 21 ++++++++++----------- 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/go.mod b/go.mod index 654e525bc..f8652a49a 100644 --- a/go.mod +++ b/go.mod @@ -32,7 +32,7 @@ require ( github.com/c-bata/go-prompt v0.2.5 // indirect github.com/chzyer/readline v1.5.1 // indirect github.com/cloudflare/circl v1.4.0 // indirect - github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect + github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect @@ -55,7 +55,7 @@ require ( github.com/hashicorp/go-retryablehttp v0.7.7 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect - github.com/jedib0t/go-pretty/v6 v6.5.9 // indirect + github.com/jedib0t/go-pretty/v6 v6.6.1 // indirect github.com/jfrog/archiver/v3 v3.6.1 // indirect github.com/jfrog/jfrog-apps-config v1.0.1 // indirect github.com/kevinburke/ssh_config v1.2.0 // indirect 
@@ -92,7 +92,7 @@ require ( github.com/spf13/viper v1.19.0 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/ulikunitz/xz v0.5.12 // indirect - github.com/urfave/cli v1.22.15 // indirect + github.com/urfave/cli v1.22.16 // indirect github.com/xanzy/go-gitlab v0.110.0 // indirect github.com/xanzy/ssh-agent v0.3.3 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect @@ -116,11 +116,11 @@ require ( gopkg.in/warnings.v0 v0.1.2 // indirect ) -replace github.com/jfrog/jfrog-cli-security => github.com/eranturgeman/jfrog-cli-security v0.0.0-20241107145807-946898b94964 +replace github.com/jfrog/jfrog-cli-security => github.com/eranturgeman/jfrog-cli-security v0.0.0-20241110093806-bbaa5cab19d2 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev -replace github.com/jfrog/build-info-go => github.com/eranturgeman/build-info-go v0.0.0-20241107145115-d783bb77cd72 +replace github.com/jfrog/build-info-go => github.com/eranturgeman/build-info-go v0.0.0-20241110090509-477ca696b49b // replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go dev diff --git a/go.sum b/go.sum index 85e48f391..8fce6846d 100644 --- a/go.sum +++ b/go.sum @@ -2,7 +2,6 @@ cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= -github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0= github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/CycloneDX/cyclonedx-go v0.9.0 h1:inaif7qD8bivyxp7XLgxUYtOXWtDez7+j72qKTMQTb8= 
@@ -42,8 +41,8 @@ github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38 github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= github.com/cloudflare/circl v1.4.0 h1:BV7h5MgrktNzytKmWjpOtdYrf0lkkbF8YMlBGPhJQrY= github.com/cloudflare/circl v1.4.0/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU= -github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= -github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= +github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= 
@@ -58,10 +57,10 @@ github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcej github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= -github.com/eranturgeman/build-info-go v0.0.0-20241107145115-d783bb77cd72 h1:WcVQHLiY97gnySWZIg5l3dgzjPuj8+P02fINUsOQG7s= -github.com/eranturgeman/build-info-go v0.0.0-20241107145115-d783bb77cd72/go.mod h1:JcISnovFXKx3wWf3p1fcMmlPdt6adxScXvoJN4WXqIE= -github.com/eranturgeman/jfrog-cli-security v0.0.0-20241107145807-946898b94964 h1:aQHJBakDw7QXofJQVT2q+NHtwOYfE489I5OskP1D32w= -github.com/eranturgeman/jfrog-cli-security v0.0.0-20241107145807-946898b94964/go.mod h1:rzm3FIaxdW+w7mY/Jq6JapD/Cry/w7c3ArgjB5wg1Cg= +github.com/eranturgeman/build-info-go v0.0.0-20241110090509-477ca696b49b h1:00FnqqriiLfPOOmMSKKs/9fKMPEzfo2VEe3jLZcqEeM= +github.com/eranturgeman/build-info-go v0.0.0-20241110090509-477ca696b49b/go.mod h1:JcISnovFXKx3wWf3p1fcMmlPdt6adxScXvoJN4WXqIE= +github.com/eranturgeman/jfrog-cli-security v0.0.0-20241110093806-bbaa5cab19d2 h1:fBHcpVBaLktoEWlcEv1JpQpNKOofR8CRxbkvrD2S5YM= +github.com/eranturgeman/jfrog-cli-security v0.0.0-20241110093806-bbaa5cab19d2/go.mod h1:NFZ/FimvAKAvvbQUwaK4W6ROTexo2j5tBRy+OWvpjDc= github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/forPelevin/gomoji v1.2.0 h1:9k4WVSSkE1ARO/BWywxgEUBvR/jMnao6EZzrql5nxJ8= 
@@ -124,8 +123,8 @@ github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= -github.com/jedib0t/go-pretty/v6 v6.5.9 h1:ACteMBRrrmm1gMsXe9PSTOClQ63IXDUt03H5U+UV8OU= -github.com/jedib0t/go-pretty/v6 v6.5.9/go.mod h1:zbn98qrYlh95FIhwwsbIip0LYpwSG8SUOScs+v9/t0E= +github.com/jedib0t/go-pretty/v6 v6.6.1 h1:iJ65Xjb680rHcikRj6DSIbzCex2huitmc7bDtxYVWyc= +github.com/jedib0t/go-pretty/v6 v6.6.1/go.mod h1:zbn98qrYlh95FIhwwsbIip0LYpwSG8SUOScs+v9/t0E= github.com/jfrog/archiver/v3 v3.6.1 h1:LOxnkw9pOn45DzCbZNFV6K0+6dCsQ0L8mR3ZcujO5eI= github.com/jfrog/archiver/v3 v3.6.1/go.mod h1:VgR+3WZS4N+i9FaDwLZbq+jeU4B4zctXL+gL4EMzfLw= github.com/jfrog/froggit-go v1.16.2 h1:F//S83iXH14qsCwYzv0zB2JtjS2pJVEsUoEmYA+37dQ= @@ -262,8 +261,8 @@ github.com/terminalstatic/go-xsd-validate v0.1.5/go.mod h1:18lsvYFofBflqCrvo1ump github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc= github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= -github.com/urfave/cli v1.22.15 h1:nuqt+pdC/KqswQKhETJjo7pvn/k4xMUxgW6liI7XpnM= -github.com/urfave/cli v1.22.15/go.mod h1:wSan1hmo5zeyLGBjRJbzRTNk8gwoYa2B9n4q9dmRIc0= +github.com/urfave/cli v1.22.16 h1:MH0k6uJxdwdeWQTwhSO42Pwr4YLrNLwBtg1MRgTqPdQ= +github.com/urfave/cli v1.22.16/go.mod h1:EeJR6BKodywf4zciqrdw6hpCPk68JO9z5LazXZMn5Po= github.com/urfave/cli/v2 v2.27.4 h1:o1owoI+02Eb+K107p27wEX9Bb8eqIoZCfLXloLUSWJ8= github.com/urfave/cli/v2 v2.27.4/go.mod h1:m4QzxcD2qpra4z7WhzEGn74WZLViBnMpb1ToCAKdGRQ= github.com/vbauerster/mpb/v8 v8.8.3 h1:dTOByGoqwaTJYPubhVz3lO5O6MK553XVgUo33LdnNsQ= 
From 9ffc89a7ba6f2477a84bd5d1243701b6db536b93 Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Sun, 10 Nov 2024 12:15:26 +0200
Subject: [PATCH 4/8] fix linter error - false positive
---
 integrationutils.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/integrationutils.go b/integrationutils.go
index b749faa90..209ebb504 100644
--- a/integrationutils.go
+++ b/integrationutils.go
@@ -75,6 +75,7 @@ func setIntegrationTestEnvs(t *testing.T, testDetails *IntegrationTestDetails) f
 // Frogbot sanitizes all the environment variables that start with 'JF',
 // so we restore them at the end of the test to avoid collisions with other tests
 envRestoreFunc := getJfrogEnvRestoreFunc(t)
+ //nolint:unused
 useLocalRepo := "false"
 if testDetails.UseLocalRepo {
 useLocalRepo = "true"
From f5fa2517a3186c60ccf580e4dbfb8e833ce15de6 Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Sun, 10 Nov 2024 12:27:16 +0200
Subject: [PATCH 5/8] fix linter error=
---
 integrationutils.go | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/integrationutils.go b/integrationutils.go
index 209ebb504..f8582e35f 100644
--- a/integrationutils.go
+++ b/integrationutils.go
@@ -75,11 +75,6 @@ func setIntegrationTestEnvs(t *testing.T, testDetails *IntegrationTestDetails) f
 // Frogbot sanitizes all the environment variables that start with 'JF',
 // so we restore them at the end of the test to avoid collisions with other tests
 envRestoreFunc := getJfrogEnvRestoreFunc(t)
- //nolint:unused
- useLocalRepo := "false"
- if testDetails.UseLocalRepo {
- useLocalRepo = "true"
- }
 unsetEnvs := utils.SetEnvsAndAssertWithCallback(t, map[string]string{
 utils.RequirementsFileEnv: "requirements.txt",
 utils.GitPullRequestIDEnv: testDetails.PullRequestID,
@@ -92,7 +87,7 @@ func setIntegrationTestEnvs(t *testing.T, testDetails *IntegrationTestDetails) f
 utils.GitProjectEnv: testDetails.GitProject,
 utils.GitUsernameEnv: testDetails.GitUsername,
 utils.GitBaseBranchEnv: mainBranch,
- utils.GitUseLocalRepositoryEnv: useLocalRepo,
+ utils.GitUseLocalRepositoryEnv: fmt.Sprintf("%t", testDetails.UseLocalRepo),
 })
 return func() {
 envRestoreFunc()
From 165c09937bf3725d75e6ec667f2f4e947fcb0e40 Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Sun, 10 Nov 2024 13:37:10 +0200
Subject: [PATCH 6/8] go mod and fix breaks
---
 go.mod | 10 +++++-----
 go.sum | 16 ++++++++--------
 packagehandlers/gopackagehandler.go | 3 +--
 3 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/go.mod b/go.mod
index f8652a49a..6faee7c1a 100644
--- a/go.mod
+++ b/go.mod
@@ -6,12 +6,12 @@ require (
 github.com/go-git/go-git/v5 v5.12.0
 github.com/golang/mock v1.6.0
 github.com/google/go-github/v45 v45.2.0
- github.com/jfrog/build-info-go v1.10.3
+ github.com/jfrog/build-info-go v1.10.4
 github.com/jfrog/froggit-go v1.16.2
 github.com/jfrog/gofrog v1.7.6
- github.com/jfrog/jfrog-cli-core/v2 v2.56.5
+ github.com/jfrog/jfrog-cli-core/v2 v2.56.6
 github.com/jfrog/jfrog-cli-security v1.12.3
- github.com/jfrog/jfrog-client-go v1.47.4
+ github.com/jfrog/jfrog-client-go v1.47.5
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible
 github.com/owenrumney/go-sarif/v2 v2.3.1
 github.com/stretchr/testify v1.9.0
@@ -43,7 +43,7 @@ require (
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 github.com/go-git/go-billy/v5 v5.5.0 // indirect
 github.com/gocarina/gocsv v0.0.0-20240520201108-78e41c74b4b1 // indirect
- github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+ github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/golang/snappy v0.0.4 // indirect
 github.com/google/go-github/v56 v56.0.0 // indirect
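Review bot: `fmt.Sprintf("%t", testDetails.UseLocalRepo)` on the `utils.GitUseLocalRepositoryEnv` line goes through reflection-based formatting to render a single bool; `strconv.FormatBool(testDetails.UseLocalRepo)` is the direct equivalent and states the intent without a format string. Whether `fmt` or `strconv` is already imported in integrationutils.go is not visible in the hunk, so the import block may need adjusting either way. `setIntegrationTestEnvs` begins, and its returned closure ends, outside the hunk.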
@@ -116,7 +116,7 @@ require ( gopkg.in/warnings.v0 v0.1.2 // indirect ) -replace github.com/jfrog/jfrog-cli-security => github.com/eranturgeman/jfrog-cli-security v0.0.0-20241110093806-bbaa5cab19d2 +replace github.com/jfrog/jfrog-cli-security => github.com/eranturgeman/jfrog-cli-security v0.0.0-20241110103642-54581f385fbc // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev diff --git a/go.sum b/go.sum index 8fce6846d..de5aef1a9 100644 --- a/go.sum +++ b/go.sum @@ -59,8 +59,8 @@ github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= github.com/eranturgeman/build-info-go v0.0.0-20241110090509-477ca696b49b h1:00FnqqriiLfPOOmMSKKs/9fKMPEzfo2VEe3jLZcqEeM= github.com/eranturgeman/build-info-go v0.0.0-20241110090509-477ca696b49b/go.mod h1:JcISnovFXKx3wWf3p1fcMmlPdt6adxScXvoJN4WXqIE= -github.com/eranturgeman/jfrog-cli-security v0.0.0-20241110093806-bbaa5cab19d2 h1:fBHcpVBaLktoEWlcEv1JpQpNKOofR8CRxbkvrD2S5YM= -github.com/eranturgeman/jfrog-cli-security v0.0.0-20241110093806-bbaa5cab19d2/go.mod h1:NFZ/FimvAKAvvbQUwaK4W6ROTexo2j5tBRy+OWvpjDc= +github.com/eranturgeman/jfrog-cli-security v0.0.0-20241110103642-54581f385fbc h1:D/HicwhOZTY1oRBqqF9PCyxUjlik4KMYNK50Unj5raE= +github.com/eranturgeman/jfrog-cli-security v0.0.0-20241110103642-54581f385fbc/go.mod h1:t9RHfR1iWZBkANAvXTwif/NlrhCAI7FSAqiObA3HBGo= github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/forPelevin/gomoji v1.2.0 h1:9k4WVSSkE1ARO/BWywxgEUBvR/jMnao6EZzrql5nxJ8= 
@@ -83,8 +83,8 @@ github.com/go-git/go-git/v5 v5.12.0 h1:7Md+ndsjrzZxbddRDZjF14qK+NN56sy6wkqaVrjZt github.com/go-git/go-git/v5 v5.12.0/go.mod h1:FTM9VKtnI2m65hNI/TenDDDnUf2Q9FHnXYjuz9i5OEY= github.com/gocarina/gocsv v0.0.0-20240520201108-78e41c74b4b1 h1:FWNFq4fM1wPfcK40yHE5UO3RUdSNPaBC+j3PokzA6OQ= github.com/gocarina/gocsv v0.0.0-20240520201108-78e41c74b4b1/go.mod h1:5YoVOkjYAQumqlV356Hj3xeYh4BdZuLE0/nRkf2NKkI= -github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= -github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo= +github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc= 
@@ -133,10 +133,10 @@ github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s= github.com/jfrog/gofrog v1.7.6/go.mod h1:ntr1txqNOZtHplmaNd7rS4f8jpA5Apx8em70oYEe7+4= github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY= github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w= -github.com/jfrog/jfrog-cli-core/v2 v2.56.5 h1:jigHavEpmfBV5tRHkVSW4B/GG5F54UOdNEt2jVyP0qc= -github.com/jfrog/jfrog-cli-core/v2 v2.56.5/go.mod h1:XlN2hMNiNFeNM9aR8H29RZkenI39lDe+LE+BTm1dM6k= -github.com/jfrog/jfrog-client-go v1.47.4 h1:4FAuDDvoDRy9LEFe1WwUO5prBXkgyhaWGEZ0vXYL/Z4= -github.com/jfrog/jfrog-client-go v1.47.4/go.mod h1:NepfaidmK/xiKsVC+0Ur9sANOqL6io8Y7pSaCau7J6o= +github.com/jfrog/jfrog-cli-core/v2 v2.56.6 h1:2xc71lDPrR0GPplZGW3pS7RONNP6v/AVqepfF9wfDGk= +github.com/jfrog/jfrog-cli-core/v2 v2.56.6/go.mod h1:In9hwLK96tY8Vu79FvahRVpeiV3JCfz6qVtacA5yXfQ= +github.com/jfrog/jfrog-client-go v1.47.5 h1:vNsPPQW+2AJozRH6YY4c7BvSr/y5aFxy/e5HOVSswXo= +github.com/jfrog/jfrog-client-go v1.47.5/go.mod h1:0krZWJWiFMBr4f2BKeQvWF98UCxNFDiom+pEAPcCG+U= github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA= github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible/go.mod h1:1c7szIrayyPPB/987hsnvNzLushdWf4o/79s3P08L8A= github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k= diff --git a/packagehandlers/gopackagehandler.go b/packagehandlers/gopackagehandler.go index 55954f585..0f727900b 100644 --- a/packagehandlers/gopackagehandler.go +++ b/packagehandlers/gopackagehandler.go @@ -3,7 +3,6 @@ package packagehandlers import ( "github.com/jfrog/frogbot/v2/utils" golangutils "github.com/jfrog/jfrog-cli-core/v2/artifactory/commands/golang" - goutils "github.com/jfrog/jfrog-cli-core/v2/utils/golang" ) type GoPackageHandler struct { 
@@ -13,7 +12,7 @@ type GoPackageHandler struct {
 func (golang *GoPackageHandler) UpdateDependency(vulnDetails *utils.VulnerabilityDetails) error {
 // Configure resolution from an Artifactory server if needed
 if golang.depsRepo != "" {
- if err := golangutils.SetArtifactoryAsResolutionServer(golang.serverDetails, golang.depsRepo, goutils.GoProxyUrlParams{}); err != nil {
+ if err := golangutils.SetArtifactoryAsResolutionServer(golang.serverDetails, golang.depsRepo, golangutils.GoProxyUrlParams{}); err != nil {
 return err
 }
 }
From f14b74cc5e15c78dfefa514b1166d5023c0da043 Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Sun, 10 Nov 2024 14:28:32 +0200
Subject: [PATCH 7/8] CR change
---
 scanrepository/scanrepository.go | 2 +-
 utils/utils.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/scanrepository/scanrepository.go b/scanrepository/scanrepository.go
index b27173c87..ae23bd39c 100644
--- a/scanrepository/scanrepository.go
+++ b/scanrepository/scanrepository.go
@@ -600,7 +600,7 @@ func (cfp *ScanRepositoryCmd) addVulnerabilityToFixVersionsMap(vulnerability *fo
 isDirectDependency, err := utils.IsDirectDependency(vulnerability.ImpactPaths)
 if err != nil {
 if cfp.scanDetails.AllowPartialResults() {
- log.Warn(fmt.Sprintf("An empty impact path was provided for '%s'. Since partial-results is allowed the vulnerability is considered as indirect dependency and will not be fixed", vulnerability.ImpactedDependencyName))
+ log.Warn(fmt.Sprintf("An error occurred while determining if the dependency '%s' is direct: %s.\nAs partial results are permitted, the vulnerability will not be fixed", vulnerability.ImpactedDependencyName, err.Error()))
 } else {
 return err
 }
diff --git a/utils/utils.go b/utils/utils.go
index 4d2959b28..6af390241 100644
--- a/utils/utils.go
+++ b/utils/utils.go
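Review bot: The reworded warning in the scanrepository.go hunk (`@@ -600,7 +600,7 @@`) embeds a `\n`, so a single warning is emitted as two log lines, and log shippers that split records on newlines will separate the reason from the consequence. Keeping it on one line, e.g. `"... is direct: %s. As partial results are permitted, the vulnerability will not be fixed"`, keeps the record whole; `err.Error()` with `%s` can also simply be `err` with `%v`. The enclosing `addVulnerabilityToFixVersionsMap` starts and ends outside the hunk.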
@@ -287,7 +287,7 @@ func GetRelativeWd(fullPathWd, baseWd string) string {
 // The impact graph of direct dependencies consists of only two elements.
 func IsDirectDependency(impactPath [][]formats.ComponentRow) (bool, error) {
 if len(impactPath) == 0 {
- return false, fmt.Errorf("invalid impact path provided")
+ return false, fmt.Errorf("empty impact path was provided")
 }
 return len(impactPath[0]) < 3, nil
 }
From bf97b407944c9db8a0f9b722adca659c3f31137f Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Mon, 11 Nov 2024 09:42:24 +0200
Subject: [PATCH 8/8] update go mod to latest releases
---
 go.mod | 12 ++++++------
 go.sum | 16 ++++++++--------
 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/go.mod b/go.mod
index 6faee7c1a..47d274f2a 100644
--- a/go.mod
+++ b/go.mod
@@ -6,12 +6,12 @@ require (
 github.com/go-git/go-git/v5 v5.12.0
 github.com/golang/mock v1.6.0
 github.com/google/go-github/v45 v45.2.0
- github.com/jfrog/build-info-go v1.10.4
+ github.com/jfrog/build-info-go v1.10.5
 github.com/jfrog/froggit-go v1.16.2
 github.com/jfrog/gofrog v1.7.6
- github.com/jfrog/jfrog-cli-core/v2 v2.56.6
- github.com/jfrog/jfrog-cli-security v1.12.3
- github.com/jfrog/jfrog-client-go v1.47.5
+ github.com/jfrog/jfrog-cli-core/v2 v2.56.7
+ github.com/jfrog/jfrog-cli-security v1.12.5
+ github.com/jfrog/jfrog-client-go v1.47.6
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible
 github.com/owenrumney/go-sarif/v2 v2.3.1
 github.com/stretchr/testify v1.9.0
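Review bot: The guard on the first line of `IsDirectDependency` only rejects an empty outer slice; if `impactPath[0]` is itself empty, `len(impactPath[0]) < 3` reports the dependency as direct with no error, which is the opposite of what the partial-results path in scanrepository.go assumes for a missing path. Extending the check, `if len(impactPath) == 0 || len(impactPath[0]) == 0 {`, keeps the renamed "empty impact path was provided" message accurate for both shapes. Whether the scanner can actually produce an empty inner path is not visible here, so treat this as defensive input validation rather than a confirmed failure.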
@@ -116,11 +116,11 @@ require ( gopkg.in/warnings.v0 v0.1.2 // indirect ) -replace github.com/jfrog/jfrog-cli-security => github.com/eranturgeman/jfrog-cli-security v0.0.0-20241110103642-54581f385fbc +// replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security dev // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev -replace github.com/jfrog/build-info-go => github.com/eranturgeman/build-info-go v0.0.0-20241110090509-477ca696b49b +// replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go dev // replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go dev diff --git a/go.sum b/go.sum index de5aef1a9..9c139e066 100644 --- a/go.sum +++ b/go.sum @@ -57,10 +57,6 @@ github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcej github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= -github.com/eranturgeman/build-info-go v0.0.0-20241110090509-477ca696b49b h1:00FnqqriiLfPOOmMSKKs/9fKMPEzfo2VEe3jLZcqEeM= -github.com/eranturgeman/build-info-go v0.0.0-20241110090509-477ca696b49b/go.mod h1:JcISnovFXKx3wWf3p1fcMmlPdt6adxScXvoJN4WXqIE= -github.com/eranturgeman/jfrog-cli-security v0.0.0-20241110103642-54581f385fbc h1:D/HicwhOZTY1oRBqqF9PCyxUjlik4KMYNK50Unj5raE= -github.com/eranturgeman/jfrog-cli-security v0.0.0-20241110103642-54581f385fbc/go.mod h1:t9RHfR1iWZBkANAvXTwif/NlrhCAI7FSAqiObA3HBGo= github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/forPelevin/gomoji v1.2.0 h1:9k4WVSSkE1ARO/BWywxgEUBvR/jMnao6EZzrql5nxJ8= 
@@ -127,16 +123,20 @@ github.com/jedib0t/go-pretty/v6 v6.6.1 h1:iJ65Xjb680rHcikRj6DSIbzCex2huitmc7bDtx github.com/jedib0t/go-pretty/v6 v6.6.1/go.mod h1:zbn98qrYlh95FIhwwsbIip0LYpwSG8SUOScs+v9/t0E= github.com/jfrog/archiver/v3 v3.6.1 h1:LOxnkw9pOn45DzCbZNFV6K0+6dCsQ0L8mR3ZcujO5eI= github.com/jfrog/archiver/v3 v3.6.1/go.mod h1:VgR+3WZS4N+i9FaDwLZbq+jeU4B4zctXL+gL4EMzfLw= +github.com/jfrog/build-info-go v1.10.5 h1:cW03JlPlKv7RMUU896uLUxyLWXAmCgR5Y5QX0fwgz0Q= +github.com/jfrog/build-info-go v1.10.5/go.mod h1:JcISnovFXKx3wWf3p1fcMmlPdt6adxScXvoJN4WXqIE= github.com/jfrog/froggit-go v1.16.2 h1:F//S83iXH14qsCwYzv0zB2JtjS2pJVEsUoEmYA+37dQ= github.com/jfrog/froggit-go v1.16.2/go.mod h1:5VpdQfAcbuyFl9x/x8HGm7kVk719kEtW/8YJFvKcHPA= github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s= github.com/jfrog/gofrog v1.7.6/go.mod h1:ntr1txqNOZtHplmaNd7rS4f8jpA5Apx8em70oYEe7+4= github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY= github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w= -github.com/jfrog/jfrog-cli-core/v2 v2.56.6 h1:2xc71lDPrR0GPplZGW3pS7RONNP6v/AVqepfF9wfDGk= -github.com/jfrog/jfrog-cli-core/v2 v2.56.6/go.mod h1:In9hwLK96tY8Vu79FvahRVpeiV3JCfz6qVtacA5yXfQ= -github.com/jfrog/jfrog-client-go v1.47.5 h1:vNsPPQW+2AJozRH6YY4c7BvSr/y5aFxy/e5HOVSswXo= -github.com/jfrog/jfrog-client-go v1.47.5/go.mod h1:0krZWJWiFMBr4f2BKeQvWF98UCxNFDiom+pEAPcCG+U= +github.com/jfrog/jfrog-cli-core/v2 v2.56.7 h1:pB4ronzVk60k/lf9bUL9HxBZ8PbMW6LhbIFld9NXNNc= +github.com/jfrog/jfrog-cli-core/v2 v2.56.7/go.mod h1:puLwWcnXYCJqUOvhscXRJiKNzPdj0adP+zadKy6A/gU= +github.com/jfrog/jfrog-cli-security v1.12.5 h1:2JHPyapXuHQw/qEaElGxBUGrJCZlVFLXDdxkqhf10vE= +github.com/jfrog/jfrog-cli-security v1.12.5/go.mod h1:5LBGwth7TXkEH8MO0JJXvpoRktMAV2BK7Q5nQePNrv4= +github.com/jfrog/jfrog-client-go v1.47.6 h1:nEMwJvjsuuY6LpOV3e33P4c4irPHkG8Qxw27bgeCl/Y= +github.com/jfrog/jfrog-client-go v1.47.6/go.mod 
h1:jCpvS83DZHAin2aSG7VroTsILJsyq7AOcFfx++P241E= github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA= github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible/go.mod h1:1c7szIrayyPPB/987hsnvNzLushdWf4o/79s3P08L8A= github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=