diff --git a/artifactory/commands/python/python.go b/artifactory/commands/python/python.go index 8d1afeea6..8a32a689c 100644 --- a/artifactory/commands/python/python.go +++ b/artifactory/commands/python/python.go @@ -106,7 +106,7 @@ func (pc *PythonCommand) SetPypiRepoUrlWithCredentials() error { if err != nil { return err } - pc.args = append(pc.args, python.GetPypiRemoteRegistryFlag(pc.pythonTool), rtUrl.String()) + pc.args = append(pc.args, python.GetPypiRemoteRegistryFlag(pc.pythonTool), rtUrl) return nil } diff --git a/go.mod b/go.mod index fffdf86a1..8ed9ccd71 100644 --- a/go.mod +++ b/go.mod @@ -12,9 +12,9 @@ require ( github.com/google/uuid v1.3.1 github.com/gookit/color v1.5.4 github.com/jedib0t/go-pretty/v6 v6.4.7 - github.com/jfrog/build-info-go v1.9.9 + github.com/jfrog/build-info-go v1.9.10 github.com/jfrog/gofrog v1.3.0 - github.com/jfrog/jfrog-client-go v1.31.6 + github.com/jfrog/jfrog-client-go v1.32.1 github.com/magiconair/properties v1.8.7 github.com/manifoldco/promptui v0.9.0 github.com/owenrumney/go-sarif/v2 v2.2.0 @@ -23,13 +23,12 @@ require ( github.com/stretchr/testify v1.8.4 github.com/urfave/cli v1.22.14 github.com/vbauerster/mpb/v7 v7.5.3 - golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 + golang.org/x/exp v0.0.0-20230905200255-921286631fa9 golang.org/x/mod v0.12.0 golang.org/x/sync v0.3.0 - golang.org/x/term v0.11.0 - golang.org/x/text v0.12.0 + golang.org/x/term v0.12.0 + golang.org/x/text v0.13.0 gopkg.in/yaml.v3 v3.0.1 - ) require ( @@ -86,16 +85,14 @@ require ( github.com/xanzy/ssh-agent v0.3.3 // indirect github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect - golang.org/x/crypto v0.12.0 // indirect - golang.org/x/net v0.14.0 // indirect - golang.org/x/sys v0.11.0 // indirect - golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect + golang.org/x/crypto v0.13.0 // indirect + golang.org/x/net v0.15.0 // indirect + golang.org/x/sys v0.12.0 // indirect + golang.org/x/tools v0.13.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect ) -replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f - -replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230831151231-e5e7bd035ddc +// replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38 // replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27 diff --git a/go.sum b/go.sum index 27735d28e..c0825b56f 100644 --- a/go.sum +++ b/go.sum @@ -194,12 +194,12 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jedib0t/go-pretty/v6 v6.4.7 h1:lwiTJr1DEkAgzljsUsORmWsVn5MQjt1BPJdPCtJ6KXE= github.com/jedib0t/go-pretty/v6 v6.4.7/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVfmHZu9n8rk2xs= -github.com/jfrog/build-info-go v1.8.9-0.20230831151231-e5e7bd035ddc h1:pqu82clhPKyUKJcljMuxYa+kviaWnHycLNCLqZZNl30= -github.com/jfrog/build-info-go v1.8.9-0.20230831151231-e5e7bd035ddc/go.mod h1:QEskae5fQpjeY2PBzsjWtUQVskYSNDF2sSmw/Gx44dQ= +github.com/jfrog/build-info-go v1.9.10 h1:uXnDLVxpqxoAMpXcki00QaBB+M2BoGMMpHODPkmmYOY= +github.com/jfrog/build-info-go v1.9.10/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg= github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk= github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0= -github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f h1:S6l0o2sKFLRJ+QYVB5U/PJhrnwFSmKFFY7eHpRPRH8A= -github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f/go.mod h1:uUnMrqHX7Xi+OCaZEE4b3BtsmGeOSCB7XqaEWVXEH/E= +github.com/jfrog/jfrog-client-go v1.32.1 h1:RQmuPSLsF5222vZJzwkgHSZMMJF83ExS7SwIvh4P+H8= +github.com/jfrog/jfrog-client-go v1.32.1/go.mod h1:362+oa7uTTYurzBs1L0dmUTlLo7uhpAU/pwM5Zb9clg= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= @@ -350,8 +350,8 @@ golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk= -golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw= +golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck= +golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -362,8 +362,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ= -golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8= +golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g= +golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= @@ -427,8 +427,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= -golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= +golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8= +golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -511,15 +511,15 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM= -golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= -golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0= -golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU= +golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU= +golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -532,8 +532,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc= -golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -586,8 +586,8 @@ golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 h1:Vve/L0v7CXXuxUmaMGIEK/dEeq7uiqb5qBgQrZzIE7E= -golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= +golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/utils/config/config.go b/utils/config/config.go index af1774c72..d774bc1b4 100644 --- a/utils/config/config.go +++ b/utils/config/config.go @@ -73,8 +73,14 @@ func GetSpecificConfig(serverId string, defaultOrEmpty bool, excludeRefreshableT return details, nil } -// Disables refreshable tokens if set in details. +// Disables the refreshable tokens mechanism if set in details. +// We identify the refreshable tokens mechanism by having both conditions: +// 1. Non-empty username and password +// 2. Non-empty access and refresh token OR token refresh interval enabled func excludeRefreshableTokensFromDetails(details *ServerDetails) { + if details.WebLogin || details.User == "" || details.Password == "" { + return + } if details.AccessToken != "" && details.ArtifactoryRefreshToken != "" || details.AccessToken != "" && details.RefreshToken != "" { details.AccessToken = "" diff --git a/utils/coreutils/utils.go b/utils/coreutils/utils.go index ae81d84f9..15bb5809f 100644 --- a/utils/coreutils/utils.go +++ b/utils/coreutils/utils.go @@ -584,3 +584,18 @@ func GetServerIdAndRepo(remoteEnv string) (serverID string, repoName string, err } return } + +func GetMaskedCommandString(cmd *exec.Cmd) string { + cmdString := strings.Join(cmd.Args, " ") + // Mask url if required + matchedResult := regexp.MustCompile(utils.CredentialsInUrlRegexp).FindString(cmdString) + if matchedResult != "" { + cmdString = strings.ReplaceAll(cmdString, matchedResult, "***@") + } + + matchedResults := regexp.MustCompile(`--(?:password|access-token)=(\S+)`).FindStringSubmatch(cmdString) + if len(matchedResults) > 1 && matchedResults[1] != "" { + cmdString = strings.ReplaceAll(cmdString, matchedResults[1], "***") + } + return cmdString +} diff --git a/utils/coreutils/utils_test.go b/utils/coreutils/utils_test.go index 1bebe9d9c..8ddffbee4 100644 --- a/utils/coreutils/utils_test.go +++ b/utils/coreutils/utils_test.go @@ -6,6 +6,7 @@ import ( "errors" "fmt" "os" + "os/exec" "path/filepath" "reflect" "testing" @@ -264,3 +265,17 @@ func TestGetFullPathsWorkingDirs(t *testing.T) { }) } } + +func TestGetMaskedCommandString(t *testing.T) { + assert.Equal(t, + "pip -i ***@someurl.com/repo", + GetMaskedCommandString(exec.Command("pip", "-i", "https://user:pass@someurl.com/repo"))) + + assert.Equal(t, + "pip -i ***@someurl.com/repo --password=***", + GetMaskedCommandString(exec.Command("pip", "-i", "https://user:pass@someurl.com/repo", "--password=123"))) + + assert.Equal(t, + "pip -i ***@someurl.com/repo --access-token=***", + GetMaskedCommandString(exec.Command("pip", "-i", "https://user:pass@someurl.com/repo", "--access-token=123"))) +} diff --git a/utils/python/utils.go b/utils/python/utils.go index d5057b894..c44c0385a 100644 --- a/utils/python/utils.go +++ b/utils/python/utils.go @@ -51,15 +51,15 @@ func GetPypiRemoteRegistryFlag(tool pythonutils.PythonTool) string { return pipenvRemoteRegistryFlag } -func GetPypiRepoUrl(serverDetails *config.ServerDetails, repository string) (*url.URL, error) { +func GetPypiRepoUrl(serverDetails *config.ServerDetails, repository string) (string, error) { rtUrl, username, password, err := GetPypiRepoUrlWithCredentials(serverDetails, repository) if err != nil { - return nil, err + return "", err } if password != "" { rtUrl.User = url.UserPassword(username, password) } - return rtUrl, err + return rtUrl.String(), err } func ConfigPoetryRepo(url, username, password, configRepoName string) error { diff --git a/utils/usage/usage.go b/utils/usage/usage.go index ff9660bb2..96b6ae28d 100644 --- a/utils/usage/usage.go +++ b/utils/usage/usage.go @@ -86,18 +86,27 @@ func (ur *UsageReporter) Report(features ...ReportFeature) { } log.Debug(ReportUsagePrefix, "Sending info...") if ur.sendToEcosystem { - ur.reportWaitGroup.Go(func() error { - return ur.reportToEcosystem(features...) + ur.reportWaitGroup.Go(func() (err error) { + if err = ur.reportToEcosystem(features...); err != nil { + err = fmt.Errorf("ecosystem, %s", err.Error()) + } + return }) } if ur.sendToXray { - ur.reportWaitGroup.Go(func() error { - return ur.reportToXray(features...) + ur.reportWaitGroup.Go(func() (err error) { + if err = ur.reportToXray(features...); err != nil { + err = fmt.Errorf("xray, %s", err.Error()) + } + return }) } if ur.sendToArtifactory { - ur.reportWaitGroup.Go(func() error { - return ur.reportToArtifactory(features...) + ur.reportWaitGroup.Go(func() (err error) { + if err = ur.reportToArtifactory(features...); err != nil { + err = fmt.Errorf("artifactory, %s", err.Error()) + } + return }) } } diff --git a/xray/commands/audit/audit.go b/xray/commands/audit/audit.go index 1200a0599..285703371 100644 --- a/xray/commands/audit/audit.go +++ b/xray/commands/audit/audit.go @@ -158,13 +158,13 @@ func RunAudit(auditParams *AuditParams) (results *Results, err error) { return } var xrayManager *xray.XrayServicesManager - xrayManager, auditParams.xrayVersion, err = xrayutils.CreateXrayServiceManagerAndGetVersion(serverDetails) - if err != nil { + if xrayManager, auditParams.xrayVersion, err = xrayutils.CreateXrayServiceManagerAndGetVersion(serverDetails); err != nil { return } if err = clientutils.ValidateMinimumVersion(clientutils.Xray, auditParams.xrayVersion, scangraph.GraphScanMinXrayVersion); err != nil { return } + results.ExtendedScanResults.XrayVersion = auditParams.xrayVersion results.ExtendedScanResults.EntitledForJas, err = isEntitledForJas(xrayManager, auditParams.xrayVersion) if err != nil { return @@ -186,7 +186,7 @@ func RunAudit(auditParams *AuditParams) (results *Results, err error) { // Run scanners only if the user is entitled for Advanced Security if results.ExtendedScanResults.EntitledForJas { - results.JasError = runJasScannersAndSetResults(results.ExtendedScanResults, auditParams.DirectDependencies(), serverDetails, auditParams.workingDirs, auditParams.Progress()) + results.JasError = runJasScannersAndSetResults(results.ExtendedScanResults, auditParams.DirectDependencies(), serverDetails, auditParams.workingDirs, auditParams.Progress(), auditParams.xrayGraphScanParams.MultiScanId) } return } diff --git a/xray/commands/audit/jas/applicability/applicabilitymanager.go b/xray/commands/audit/jas/applicability/applicabilitymanager.go index cbab69833..8c46f4865 100644 --- a/xray/commands/audit/jas/applicability/applicabilitymanager.go +++ b/xray/commands/audit/jas/applicability/applicabilitymanager.go @@ -1,14 +1,13 @@ package applicability import ( - "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas" "path/filepath" - "strings" + + "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas" "github.com/jfrog/gofrog/datastructures" "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils" "github.com/jfrog/jfrog-cli-core/v2/xray/utils" - "github.com/jfrog/jfrog-client-go/utils/errorutils" "github.com/jfrog/jfrog-client-go/utils/log" "github.com/jfrog/jfrog-client-go/xray/services" "github.com/owenrumney/go-sarif/v2/sarif" @@ -22,7 +21,7 @@ const ( ) type ApplicabilityScanManager struct { - applicabilityScanResults map[string]utils.ApplicabilityStatus + applicabilityScanResults []*sarif.Run directDependenciesCves []string xrayResults []services.ScanResponse scanner *jas.JasScanner @@ -38,7 +37,7 @@ type ApplicabilityScanManager struct { // bool: true if the user is entitled to the applicability scan, false otherwise. // error: An error object (if any). func RunApplicabilityScan(xrayResults []services.ScanResponse, directDependencies []string, - scannedTechnologies []coreutils.Technology, scanner *jas.JasScanner) (results map[string]utils.ApplicabilityStatus, err error) { + scannedTechnologies []coreutils.Technology, scanner *jas.JasScanner) (results []*sarif.Run, err error) { applicabilityScanManager := newApplicabilityScanManager(xrayResults, directDependencies, scanner) if !applicabilityScanManager.shouldRunApplicabilityScan(scannedTechnologies) { log.Debug("The technologies that have been scanned are currently not supported for contextual analysis scanning, or we couldn't find any vulnerable direct dependencies. Skipping....") @@ -55,7 +54,7 @@ func RunApplicabilityScan(xrayResults []services.ScanResponse, directDependencie func newApplicabilityScanManager(xrayScanResults []services.ScanResponse, directDependencies []string, scanner *jas.JasScanner) (manager *ApplicabilityScanManager) { directDependenciesCves := extractDirectDependenciesCvesFromScan(xrayScanResults, directDependencies) return &ApplicabilityScanManager{ - applicabilityScanResults: map[string]utils.ApplicabilityStatus{}, + applicabilityScanResults: []*sarif.Run{}, directDependenciesCves: directDependenciesCves, xrayResults: xrayScanResults, scanner: scanner, @@ -111,13 +110,11 @@ func (asm *ApplicabilityScanManager) Run(wd string) (err error) { if err = asm.runAnalyzerManager(); err != nil { return } - var workingDirResults map[string]utils.ApplicabilityStatus - if workingDirResults, err = asm.getScanResults(); err != nil { + workingDirResults, err := jas.ReadJasScanRunsFromFile(asm.scanner.ResultsFileName, wd) + if err != nil { return } - for cve, result := range workingDirResults { - asm.applicabilityScanResults[cve] = result - } + asm.applicabilityScanResults = append(asm.applicabilityScanResults, workingDirResults...) return } @@ -163,37 +160,3 @@ func (asm *ApplicabilityScanManager) createConfigFile(workingDir string) error { func (asm *ApplicabilityScanManager) runAnalyzerManager() error { return asm.scanner.AnalyzerManager.Exec(asm.scanner.ConfigFileName, applicabilityScanCommand, filepath.Dir(asm.scanner.AnalyzerManager.AnalyzerManagerFullPath), asm.scanner.ServerDetails) } - -func (asm *ApplicabilityScanManager) getScanResults() (applicabilityResults map[string]utils.ApplicabilityStatus, err error) { - applicabilityResults = make(map[string]utils.ApplicabilityStatus, len(asm.directDependenciesCves)) - for _, cve := range asm.directDependenciesCves { - applicabilityResults[cve] = utils.ApplicabilityUndetermined - } - - report, err := sarif.Open(asm.scanner.ResultsFileName) - if errorutils.CheckError(err) != nil || len(report.Runs) == 0 { - return - } - // Applicability results contains one run only - for _, sarifResult := range report.Runs[0].Results { - cve := getCveFromRuleId(*sarifResult.RuleID) - if _, exists := applicabilityResults[cve]; !exists { - err = errorutils.CheckErrorf("received unexpected CVE: '%s' from RuleID: '%s' that does not exists on the requested CVEs list", cve, *sarifResult.RuleID) - return - } - applicabilityResults[cve] = resultKindToApplicabilityStatus(sarifResult.Kind) - } - return -} - -// Gets a result of one CVE from the scanner, and returns true if the CVE is applicable, false otherwise -func resultKindToApplicabilityStatus(kind *string) utils.ApplicabilityStatus { - if !(kind != nil && *kind == "pass") { - return utils.Applicable - } - return utils.NotApplicable -} - -func getCveFromRuleId(sarifRuleId string) string { - return strings.TrimPrefix(sarifRuleId, "applic_") -} diff --git a/xray/commands/audit/jas/applicability/applicabilitymanager_test.go b/xray/commands/audit/jas/applicability/applicabilitymanager_test.go index 76a0e567c..f887763c5 100644 --- a/xray/commands/audit/jas/applicability/applicabilitymanager_test.go +++ b/xray/commands/audit/jas/applicability/applicabilitymanager_test.go @@ -3,7 +3,6 @@ package applicability import ( "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils" "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas" - "github.com/jfrog/jfrog-cli-core/v2/xray/utils" "github.com/jfrog/jfrog-client-go/xray/services" "github.com/stretchr/testify/assert" "os" @@ -276,13 +275,12 @@ func TestParseResults_EmptyResults_AllCvesShouldGetUnknown(t *testing.T) { applicabilityManager.scanner.ResultsFileName = filepath.Join(jas.GetTestDataPath(), "applicability-scan", "empty-results.sarif") // Act - results, err := applicabilityManager.getScanResults() + var err error + applicabilityManager.applicabilityScanResults, err = jas.ReadJasScanRunsFromFile(applicabilityManager.scanner.ResultsFileName, scanner.WorkingDirs[0]) - // Assert - assert.NoError(t, err) - assert.Equal(t, 5, len(results)) - for _, cveResult := range results { - assert.Equal(t, utils.ApplicabilityUndetermined, cveResult) + if assert.NoError(t, err) { + assert.Len(t, applicabilityManager.applicabilityScanResults, 1) + assert.Empty(t, applicabilityManager.applicabilityScanResults[0].Results) } } @@ -294,13 +292,13 @@ func TestParseResults_ApplicableCveExist(t *testing.T) { applicabilityManager.scanner.ResultsFileName = filepath.Join(jas.GetTestDataPath(), "applicability-scan", "applicable-cve-results.sarif") // Act - results, err := applicabilityManager.getScanResults() + var err error + applicabilityManager.applicabilityScanResults, err = jas.ReadJasScanRunsFromFile(applicabilityManager.scanner.ResultsFileName, scanner.WorkingDirs[0]) - // Assert - assert.NoError(t, err) - assert.Equal(t, 5, len(results)) - assert.Equal(t, utils.Applicable, results["testCve1"]) - assert.Equal(t, utils.NotApplicable, results["testCve3"]) + if assert.NoError(t, err) && assert.NotNil(t, applicabilityManager.applicabilityScanResults) { + assert.Len(t, applicabilityManager.applicabilityScanResults, 1) + assert.NotEmpty(t, applicabilityManager.applicabilityScanResults[0].Results) + } } func TestParseResults_AllCvesNotApplicable(t *testing.T) { @@ -311,12 +309,11 @@ func TestParseResults_AllCvesNotApplicable(t *testing.T) { applicabilityManager.scanner.ResultsFileName = filepath.Join(jas.GetTestDataPath(), "applicability-scan", "no-applicable-cves-results.sarif") // Act - results, err := applicabilityManager.getScanResults() + var err error + applicabilityManager.applicabilityScanResults, err = jas.ReadJasScanRunsFromFile(applicabilityManager.scanner.ResultsFileName, scanner.WorkingDirs[0]) - // Assert - assert.NoError(t, err) - assert.Equal(t, 5, len(results)) - for _, cveResult := range results { - assert.Equal(t, utils.NotApplicable, cveResult) + if assert.NoError(t, err) && assert.NotNil(t, applicabilityManager.applicabilityScanResults) { + assert.Len(t, applicabilityManager.applicabilityScanResults, 1) + assert.NotEmpty(t, applicabilityManager.applicabilityScanResults[0].Results) } } diff --git a/xray/commands/audit/jas/common.go b/xray/commands/audit/jas/common.go index 30fac5bc7..3814e06d0 100644 --- a/xray/commands/audit/jas/common.go +++ b/xray/commands/audit/jas/common.go @@ -2,6 +2,11 @@ package jas import ( "errors" + "os" + "path/filepath" + "strings" + "testing" + rtutils "github.com/jfrog/jfrog-cli-core/v2/artifactory/utils" "github.com/jfrog/jfrog-cli-core/v2/utils/config" "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils" @@ -12,14 +17,19 @@ import ( "github.com/owenrumney/go-sarif/v2/sarif" "github.com/stretchr/testify/assert" "gopkg.in/yaml.v3" - "os" - "path/filepath" - "strings" - "testing" ) var ( SkippedDirs = []string{"**/*test*/**", "**/*venv*/**", "**/*node_modules*/**", "**/*target*/**"} + + mapSeverityToScore = map[string]string{ + "": "0.0", + "unknown": "0.0", + "low": "3.9", + "medium": "6.9", + "high": "8.9", + "critical": "10", + } ) type JasScanner struct { @@ -31,7 +41,7 @@ type JasScanner struct { ScannerDirCleanupFunc func() error } -func NewJasScanner(workingDirs []string, serverDetails *config.ServerDetails) (scanner *JasScanner, err error) { +func NewJasScanner(workingDirs []string, serverDetails *config.ServerDetails, multiScanId string) (scanner *JasScanner, err error) { scanner = &JasScanner{} if scanner.AnalyzerManager.AnalyzerManagerFullPath, err = utils.GetAnalyzerManagerExecutable(); err != nil { return @@ -47,6 +57,7 @@ func NewJasScanner(workingDirs []string, serverDetails *config.ServerDetails) (s scanner.ConfigFileName = filepath.Join(tempDir, "config.yaml") scanner.ResultsFileName = filepath.Join(tempDir, "results.sarif") scanner.WorkingDirs, err = coreutils.GetFullPathsWorkingDirs(workingDirs) + scanner.AnalyzerManager.MultiScanId = multiScanId return } @@ -88,46 +99,54 @@ func deleteJasProcessFiles(configFile string, resultFile string) error { return errorutils.CheckError(err) } -func GetSourceCodeScanResults(resultsFileName, workingDir string, scanType utils.JasScanType) (results []utils.SourceCodeScanResult, err error) { - // Read Sarif format results generated from the Jas scanner - report, err := sarif.Open(resultsFileName) - if errorutils.CheckError(err) != nil { - return nil, err - } - var sarifResults []*sarif.Result - if len(report.Runs) > 0 { - // Jas scanners returns results in a single run entry - sarifResults = report.Runs[0].Results +func ReadJasScanRunsFromFile(fileName, wd string) (sarifRuns []*sarif.Run, err error) { + if sarifRuns, err = utils.ReadScanRunsFromFile(fileName); err != nil { + return } - resultPointers := convertSarifResultsToSourceCodeScanResults(sarifResults, workingDir, scanType) - for _, res := range resultPointers { - results = append(results, *res) + for _, sarifRun := range sarifRuns { + // Jas reports has only one invocation + // Set the actual working directory to the invocation, not the analyzerManager directory + // Also used to calculate relative paths if needed with it + sarifRun.Invocations[0].WorkingDirectory.WithUri(wd) + // Process runs values + sarifRun.Results = excludeSuppressResults(sarifRun.Results) + addScoreToRunRules(sarifRun) } - return results, nil + return } -func convertSarifResultsToSourceCodeScanResults(sarifResults []*sarif.Result, workingDir string, scanType utils.JasScanType) []*utils.SourceCodeScanResult { - var sourceCodeScanResults []*utils.SourceCodeScanResult +func excludeSuppressResults(sarifResults []*sarif.Result) []*sarif.Result { + results := []*sarif.Result{} for _, sarifResult := range sarifResults { - // Describes a request to “suppress” a result (to exclude it from result lists) if len(sarifResult.Suppressions) > 0 { + // Describes a request to “suppress” a result (to exclude it from result lists) continue } - // Convert - currentResult := utils.GetResultIfExists(sarifResult, workingDir, sourceCodeScanResults) - if currentResult == nil { - currentResult = utils.ConvertSarifResultToSourceCodeScanResult(sarifResult, workingDir) - // Set specific Jas scan attributes - if scanType == utils.Secrets { - currentResult.Text = hideSecret(utils.GetResultLocationSnippet(sarifResult.Locations[0])) + results = append(results, sarifResult) + } + return results +} + +func addScoreToRunRules(sarifRun *sarif.Run) { + for _, sarifResult := range sarifRun.Results { + if rule, err := sarifRun.GetRuleById(*sarifResult.RuleID); err == nil { + // Add to the rule security-severity score based on results severity + score := convertToScore(utils.GetResultSeverity(sarifResult)) + if score != utils.MissingCveScore { + if rule.Properties == nil { + rule.WithProperties(sarif.NewPropertyBag().Properties) + } + rule.Properties["security-severity"] = score } - sourceCodeScanResults = append(sourceCodeScanResults, currentResult) - } - if scanType == utils.Sast { - currentResult.CodeFlow = append(currentResult.CodeFlow, utils.GetResultCodeFlows(sarifResult, workingDir)...) } } - return sourceCodeScanResults +} + +func convertToScore(severity string) string { + if level, ok := mapSeverityToScore[strings.ToLower(severity)]; ok { + return level + } + return "" } func CreateScannersConfigFile(fileName string, fileContent interface{}) error { @@ -139,13 +158,6 @@ func CreateScannersConfigFile(fileName string, fileContent interface{}) error { return errorutils.CheckError(err) } -func hideSecret(secret string) string { - if len(secret) <= 3 { - return "***" - } - return secret[:3] + strings.Repeat("*", 12) -} - var FakeServerDetails = config.ServerDetails{ Url: "platformUrl", Password: "password", @@ -170,7 +182,7 @@ var FakeBasicXrayResults = []services.ScanResponse{ func InitJasTest(t *testing.T, workingDirs ...string) (*JasScanner, func()) { assert.NoError(t, rtutils.DownloadAnalyzerManagerIfNeeded()) - scanner, err := NewJasScanner(workingDirs, &FakeServerDetails) + scanner, err := NewJasScanner(workingDirs, &FakeServerDetails, "") assert.NoError(t, err) return scanner, func() { assert.NoError(t, scanner.ScannerDirCleanupFunc()) diff --git a/xray/commands/audit/jas/common_test.go b/xray/commands/audit/jas/common_test.go deleted file mode 100644 index 305629f31..000000000 --- a/xray/commands/audit/jas/common_test.go +++ /dev/null @@ -1,23 +0,0 @@ -package jas - -import ( - "github.com/stretchr/testify/assert" - "testing" -) - -func TestHideSecret(t *testing.T) { - tests := []struct { - secret string - expectedOutput string - }{ - {secret: "", expectedOutput: "***"}, - {secret: "12", expectedOutput: "***"}, - {secret: "123", expectedOutput: "***"}, - {secret: "123456789", expectedOutput: "123************"}, - {secret: "3478hfnkjhvd848446gghgfh", expectedOutput: "347************"}, - } - - for _, test := range tests { - assert.Equal(t, test.expectedOutput, hideSecret(test.secret)) - } -} diff --git a/xray/commands/audit/jas/iac/iacscanner.go b/xray/commands/audit/jas/iac/iacscanner.go index c4fe18062..c4ccfdd39 100644 --- a/xray/commands/audit/jas/iac/iacscanner.go +++ b/xray/commands/audit/jas/iac/iacscanner.go @@ -6,6 +6,7 @@ import ( "github.com/jfrog/jfrog-cli-core/v2/xray/utils" "github.com/jfrog/jfrog-client-go/utils/log" + "github.com/owenrumney/go-sarif/v2/sarif" ) const ( @@ -14,7 +15,7 @@ const ( ) type IacScanManager struct { - iacScannerResults []utils.SourceCodeScanResult + iacScannerResults []*sarif.Run scanner *jas.JasScanner } @@ -26,7 +27,7 @@ type IacScanManager struct { // []utils.SourceCodeScanResult: a list of the iac violations that were found. // bool: true if the user is entitled to iac scan, false otherwise. // error: An error object (if any). -func RunIacScan(scanner *jas.JasScanner) (results []utils.SourceCodeScanResult, err error) { +func RunIacScan(scanner *jas.JasScanner) (results []*sarif.Run, err error) { iacScanManager := newIacScanManager(scanner) log.Info("Running IaC scanning...") if err = iacScanManager.scanner.Run(iacScanManager); err != nil { @@ -34,7 +35,7 @@ func RunIacScan(scanner *jas.JasScanner) (results []utils.SourceCodeScanResult, return } if len(iacScanManager.iacScannerResults) > 0 { - log.Info("Found", len(iacScanManager.iacScannerResults), "IaC vulnerabilities") + log.Info("Found", utils.GetResultsLocationCount(iacScanManager.iacScannerResults...), "IaC vulnerabilities") } results = iacScanManager.iacScannerResults return @@ -42,7 +43,7 @@ func RunIacScan(scanner *jas.JasScanner) (results []utils.SourceCodeScanResult, func newIacScanManager(scanner *jas.JasScanner) (manager *IacScanManager) { return &IacScanManager{ - iacScannerResults: []utils.SourceCodeScanResult{}, + iacScannerResults: []*sarif.Run{}, scanner: scanner, } } @@ -55,8 +56,8 @@ func (iac *IacScanManager) Run(wd string) (err error) { if err = iac.runAnalyzerManager(); err != nil { return } - var workingDirResults []utils.SourceCodeScanResult - if workingDirResults, err = jas.GetSourceCodeScanResults(scanner.ResultsFileName, wd, utils.IaC); err != nil { + workingDirResults, err := jas.ReadJasScanRunsFromFile(scanner.ResultsFileName, wd) + if err != nil { return } iac.iacScannerResults = append(iac.iacScannerResults, workingDirResults...) diff --git a/xray/commands/audit/jas/iac/iacscanner_test.go b/xray/commands/audit/jas/iac/iacscanner_test.go index a43fef61a..a2332421d 100644 --- a/xray/commands/audit/jas/iac/iacscanner_test.go +++ b/xray/commands/audit/jas/iac/iacscanner_test.go @@ -7,7 +7,6 @@ import ( "testing" "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils" - "github.com/jfrog/jfrog-cli-core/v2/xray/utils" "github.com/stretchr/testify/assert" ) @@ -58,11 +57,11 @@ func TestIacParseResults_EmptyResults(t *testing.T) { // Act var err error - iacScanManager.iacScannerResults, err = jas.GetSourceCodeScanResults(iacScanManager.scanner.ResultsFileName, scanner.WorkingDirs[0], utils.IaC) - - // Assert - assert.NoError(t, err) - assert.Empty(t, iacScanManager.iacScannerResults) + iacScanManager.iacScannerResults, err = jas.ReadJasScanRunsFromFile(iacScanManager.scanner.ResultsFileName, scanner.WorkingDirs[0]) + if assert.NoError(t, err) && assert.NotNil(t, iacScanManager.iacScannerResults) { + assert.Len(t, iacScanManager.iacScannerResults, 1) + assert.Empty(t, iacScanManager.iacScannerResults[0].Results) + } } func TestIacParseResults_ResultsContainIacViolations(t *testing.T) { @@ -74,10 +73,9 @@ func TestIacParseResults_ResultsContainIacViolations(t *testing.T) { // Act var err error - iacScanManager.iacScannerResults, err = jas.GetSourceCodeScanResults(iacScanManager.scanner.ResultsFileName, scanner.WorkingDirs[0], utils.IaC) - - // Assert - assert.NoError(t, err) - assert.NotEmpty(t, iacScanManager.iacScannerResults) - assert.Equal(t, 4, len(iacScanManager.iacScannerResults)) + iacScanManager.iacScannerResults, err = jas.ReadJasScanRunsFromFile(iacScanManager.scanner.ResultsFileName, scanner.WorkingDirs[0]) + if assert.NoError(t, err) && assert.NotNil(t, iacScanManager.iacScannerResults) { + assert.Len(t, iacScanManager.iacScannerResults, 1) + assert.Len(t, iacScanManager.iacScannerResults[0].Results, 4) + } } diff --git a/xray/commands/audit/jas/sast/sastscanner.go b/xray/commands/audit/jas/sast/sastscanner.go index dc31fa9ea..35211396f 100644 --- a/xray/commands/audit/jas/sast/sastscanner.go +++ b/xray/commands/audit/jas/sast/sastscanner.go @@ -4,6 +4,8 @@ import ( "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas" "github.com/jfrog/jfrog-cli-core/v2/xray/utils" "github.com/jfrog/jfrog-client-go/utils/log" + "github.com/owenrumney/go-sarif/v2/sarif" + "golang.org/x/exp/maps" ) const ( @@ -11,11 +13,11 @@ const ( ) type SastScanManager struct { - sastScannerResults []utils.SourceCodeScanResult + sastScannerResults []*sarif.Run scanner *jas.JasScanner } -func RunSastScan(scanner *jas.JasScanner) (results []utils.SourceCodeScanResult, err error) { +func RunSastScan(scanner *jas.JasScanner) (results []*sarif.Run, err error) { sastScanManager := newSastScanManager(scanner) log.Info("Running SAST scanning...") if err = sastScanManager.scanner.Run(sastScanManager); err != nil { @@ -23,7 +25,7 @@ func RunSastScan(scanner *jas.JasScanner) (results []utils.SourceCodeScanResult, return } if len(sastScanManager.sastScannerResults) > 0 { - log.Info("Found", len(sastScanManager.sastScannerResults), "SAST vulnerabilities") + log.Info("Found", utils.GetResultsLocationCount(sastScanManager.sastScannerResults...), "SAST vulnerabilities") } results = sastScanManager.sastScannerResults return @@ -31,7 +33,7 @@ func RunSastScan(scanner *jas.JasScanner) (results []utils.SourceCodeScanResult, func newSastScanManager(scanner *jas.JasScanner) (manager *SastScanManager) { return &SastScanManager{ - sastScannerResults: []utils.SourceCodeScanResult{}, + sastScannerResults: []*sarif.Run{}, scanner: scanner, } } @@ -41,14 +43,53 @@ func (ssm *SastScanManager) Run(wd string) (err error) { if err = ssm.runAnalyzerManager(wd); err != nil { return } - var workingDirResults []utils.SourceCodeScanResult - if workingDirResults, err = jas.GetSourceCodeScanResults(scanner.ResultsFileName, wd, utils.Sast); err != nil { + workingDirRuns, err := jas.ReadJasScanRunsFromFile(scanner.ResultsFileName, wd) + if err != nil { return } - ssm.sastScannerResults = append(ssm.sastScannerResults, workingDirResults...) + ssm.sastScannerResults = append(ssm.sastScannerResults, groupResultsByLocation(workingDirRuns)...) return } func (ssm *SastScanManager) runAnalyzerManager(wd string) error { return ssm.scanner.AnalyzerManager.Exec(ssm.scanner.ResultsFileName, sastScanCommand, wd, ssm.scanner.ServerDetails) } + +// In the Sast scanner, there can be multiple results with the same location. +// The only difference is that their CodeFlow values are different. +// We combine those under the same result location value +func groupResultsByLocation(sarifRuns []*sarif.Run) []*sarif.Run { + for _, sastRun := range sarifRuns { + locationToResult := map[string]*sarif.Result{} + for _, sastResult := range sastRun.Results { + resultID := getResultId(sastResult) + if result, exists := locationToResult[resultID]; exists { + result.CodeFlows = append(result.CodeFlows, sastResult.CodeFlows...) + } else { + locationToResult[resultID] = sastResult + } + } + sastRun.Results = maps.Values(locationToResult) + } + return sarifRuns +} + +// In Sast there is only one location for each result +func getResultFileName(result *sarif.Result) string { + if len(result.Locations) > 0 { + return utils.GetLocationFileName(result.Locations[0]) + } + return "" +} + +// In Sast there is only one location for each result +func getResultStartLocationInFile(result *sarif.Result) string { + if len(result.Locations) > 0 { + return utils.GetStartLocationInFile(result.Locations[0]) + } + return "" +} + +func getResultId(result *sarif.Result) string { + return getResultFileName(result) + getResultStartLocationInFile(result) + utils.GetResultSeverity(result) + utils.GetResultMsgText(result) +} diff --git a/xray/commands/audit/jas/sast/sastscanner_test.go b/xray/commands/audit/jas/sast/sastscanner_test.go index 969ab80ce..66c423403 100644 --- a/xray/commands/audit/jas/sast/sastscanner_test.go +++ b/xray/commands/audit/jas/sast/sastscanner_test.go @@ -1,11 +1,11 @@ package sast import ( - "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas" "path/filepath" "testing" - "github.com/jfrog/jfrog-cli-core/v2/xray/utils" + "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas" + "github.com/stretchr/testify/assert" ) @@ -34,11 +34,16 @@ func TestSastParseResults_EmptyResults(t *testing.T) { // Act var err error - sastScanManager.sastScannerResults, err = jas.GetSourceCodeScanResults(sastScanManager.scanner.ResultsFileName, scanner.WorkingDirs[0], utils.Sast) + sastScanManager.sastScannerResults, err = jas.ReadJasScanRunsFromFile(sastScanManager.scanner.ResultsFileName, scanner.WorkingDirs[0]) // Assert - assert.NoError(t, err) - assert.Empty(t, sastScanManager.sastScannerResults) + if assert.NoError(t, err) && assert.NotNil(t, sastScanManager.sastScannerResults) { + assert.Len(t, sastScanManager.sastScannerResults, 1) + assert.Empty(t, sastScanManager.sastScannerResults[0].Results) + sastScanManager.sastScannerResults = groupResultsByLocation(sastScanManager.sastScannerResults) + assert.Len(t, sastScanManager.sastScannerResults, 1) + assert.Empty(t, sastScanManager.sastScannerResults[0].Results) + } } func TestSastParseResults_ResultsContainIacViolations(t *testing.T) { @@ -50,11 +55,14 @@ func TestSastParseResults_ResultsContainIacViolations(t *testing.T) { // Act var err error - sastScanManager.sastScannerResults, err = jas.GetSourceCodeScanResults(sastScanManager.scanner.ResultsFileName, scanner.WorkingDirs[0], utils.Sast) + sastScanManager.sastScannerResults, err = jas.ReadJasScanRunsFromFile(sastScanManager.scanner.ResultsFileName, scanner.WorkingDirs[0]) // Assert - assert.NoError(t, err) - assert.NotEmpty(t, sastScanManager.sastScannerResults) - // File has 4 results, 2 of them at the same location different codeFlow - assert.Equal(t, 3, len(sastScanManager.sastScannerResults)) + if assert.NoError(t, err) && assert.NotNil(t, sastScanManager.sastScannerResults) { + assert.Len(t, sastScanManager.sastScannerResults, 1) + assert.NotEmpty(t, sastScanManager.sastScannerResults[0].Results) + sastScanManager.sastScannerResults = groupResultsByLocation(sastScanManager.sastScannerResults) + // File has 4 results, 2 of them at the same location different codeFlow + assert.Len(t, sastScanManager.sastScannerResults[0].Results, 3) + } } diff --git a/xray/commands/audit/jas/secrets/secretsscanner.go b/xray/commands/audit/jas/secrets/secretsscanner.go index ef6722ec2..cf5df05f8 100644 --- a/xray/commands/audit/jas/secrets/secretsscanner.go +++ b/xray/commands/audit/jas/secrets/secretsscanner.go @@ -1,10 +1,13 @@ package secrets import ( + "path/filepath" + "strings" + "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas" "github.com/jfrog/jfrog-cli-core/v2/xray/utils" "github.com/jfrog/jfrog-client-go/utils/log" - "path/filepath" + "github.com/owenrumney/go-sarif/v2/sarif" ) const ( @@ -13,7 +16,7 @@ const ( ) type SecretScanManager struct { - secretsScannerResults []utils.SourceCodeScanResult + secretsScannerResults []*sarif.Run scanner *jas.JasScanner } @@ -24,7 +27,7 @@ type SecretScanManager struct { // Return values: // []utils.IacOrSecretResult: a list of the secrets that were found. // error: An error object (if any). -func RunSecretsScan(scanner *jas.JasScanner) (results []utils.SourceCodeScanResult, err error) { +func RunSecretsScan(scanner *jas.JasScanner) (results []*sarif.Run, err error) { secretScanManager := newSecretsScanManager(scanner) log.Info("Running secrets scanning...") if err = secretScanManager.scanner.Run(secretScanManager); err != nil { @@ -33,14 +36,14 @@ func RunSecretsScan(scanner *jas.JasScanner) (results []utils.SourceCodeScanResu } results = secretScanManager.secretsScannerResults if len(results) > 0 { - log.Info("Found", len(results), "secrets") + log.Info("Found", utils.GetResultsLocationCount(results...), "secrets") } return } func newSecretsScanManager(scanner *jas.JasScanner) (manager *SecretScanManager) { return &SecretScanManager{ - secretsScannerResults: []utils.SourceCodeScanResult{}, + secretsScannerResults: []*sarif.Run{}, scanner: scanner, } } @@ -53,11 +56,11 @@ func (s *SecretScanManager) Run(wd string) (err error) { if err = s.runAnalyzerManager(); err != nil { return } - var workingDirResults []utils.SourceCodeScanResult - if workingDirResults, err = jas.GetSourceCodeScanResults(scanner.ResultsFileName, wd, utils.Secrets); err != nil { + workingDirRuns, err := jas.ReadJasScanRunsFromFile(scanner.ResultsFileName, wd) + if err != nil { return } - s.secretsScannerResults = append(s.secretsScannerResults, workingDirResults...) + s.secretsScannerResults = append(s.secretsScannerResults, processSecretScanRuns(workingDirRuns)...) return } @@ -89,3 +92,23 @@ func (s *SecretScanManager) createConfigFile(currentWd string) error { func (s *SecretScanManager) runAnalyzerManager() error { return s.scanner.AnalyzerManager.Exec(s.scanner.ConfigFileName, secretsScanCommand, filepath.Dir(s.scanner.AnalyzerManager.AnalyzerManagerFullPath), s.scanner.ServerDetails) } + +func maskSecret(secret string) string { + if len(secret) <= 3 { + return "***" + } + return secret[:3] + strings.Repeat("*", 12) +} + +func processSecretScanRuns(sarifRuns []*sarif.Run) []*sarif.Run { + for _, secretRun := range sarifRuns { + // Hide discovered secrets value + for _, secretResult := range secretRun.Results { + for _, location := range secretResult.Locations { + secret := utils.GetLocationSnippetPointer(location) + utils.SetLocationSnippet(location, maskSecret(*secret)) + } + } + } + return sarifRuns +} diff --git a/xray/commands/audit/jas/secrets/secretsscanner_test.go b/xray/commands/audit/jas/secrets/secretsscanner_test.go index f403adc86..14e917e16 100644 --- a/xray/commands/audit/jas/secrets/secretsscanner_test.go +++ b/xray/commands/audit/jas/secrets/secretsscanner_test.go @@ -1,13 +1,13 @@ package secrets import ( - "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas" "os" "path/filepath" "testing" + "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas" + "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils" - "github.com/jfrog/jfrog-cli-core/v2/xray/utils" "github.com/stretchr/testify/assert" ) @@ -65,11 +65,17 @@ func TestParseResults_EmptyResults(t *testing.T) { // Act var err error - secretScanManager.secretsScannerResults, err = jas.GetSourceCodeScanResults(secretScanManager.scanner.ResultsFileName, scanner.WorkingDirs[0], utils.Secrets) + secretScanManager.secretsScannerResults, err = jas.ReadJasScanRunsFromFile(secretScanManager.scanner.ResultsFileName, scanner.WorkingDirs[0]) // Assert - assert.NoError(t, err) - assert.Empty(t, secretScanManager.secretsScannerResults) + if assert.NoError(t, err) && assert.NotNil(t, secretScanManager.secretsScannerResults) { + assert.Len(t, secretScanManager.secretsScannerResults, 1) + assert.Empty(t, secretScanManager.secretsScannerResults[0].Results) + secretScanManager.secretsScannerResults = processSecretScanRuns(secretScanManager.secretsScannerResults) + assert.Len(t, secretScanManager.secretsScannerResults, 1) + assert.Empty(t, secretScanManager.secretsScannerResults[0].Results) + } + } func TestParseResults_ResultsContainSecrets(t *testing.T) { @@ -82,12 +88,18 @@ func TestParseResults_ResultsContainSecrets(t *testing.T) { // Act var err error - secretScanManager.secretsScannerResults, err = jas.GetSourceCodeScanResults(secretScanManager.scanner.ResultsFileName, scanner.WorkingDirs[0], utils.Secrets) + secretScanManager.secretsScannerResults, err = jas.ReadJasScanRunsFromFile(secretScanManager.scanner.ResultsFileName, scanner.WorkingDirs[0]) // Assert + if assert.NoError(t, err) && assert.NotNil(t, secretScanManager.secretsScannerResults) { + assert.Len(t, secretScanManager.secretsScannerResults, 1) + assert.NotEmpty(t, secretScanManager.secretsScannerResults[0].Results) + secretScanManager.secretsScannerResults = processSecretScanRuns(secretScanManager.secretsScannerResults) + assert.Len(t, secretScanManager.secretsScannerResults, 1) + assert.Len(t, secretScanManager.secretsScannerResults[0].Results, 7) + } assert.NoError(t, err) - assert.NotEmpty(t, secretScanManager.secretsScannerResults) - assert.Equal(t, 7, len(secretScanManager.secretsScannerResults)) + } func TestGetSecretsScanResults_AnalyzerManagerReturnsError(t *testing.T) { @@ -100,3 +112,20 @@ func TestGetSecretsScanResults_AnalyzerManagerReturnsError(t *testing.T) { assert.ErrorContains(t, err, "failed to run Secrets scan") assert.Nil(t, secretsResults) } + +func TestHideSecret(t *testing.T) { + tests := []struct { + secret string + expectedOutput string + }{ + {secret: "", expectedOutput: "***"}, + {secret: "12", expectedOutput: "***"}, + {secret: "123", expectedOutput: "***"}, + {secret: "123456789", expectedOutput: "123************"}, + {secret: "3478hfnkjhvd848446gghgfh", expectedOutput: "347************"}, + } + + for _, test := range tests { + assert.Equal(t, test.expectedOutput, maskSecret(test.secret)) + } +} diff --git a/xray/commands/audit/jasrunner.go b/xray/commands/audit/jasrunner.go index 67e138151..9f917004b 100644 --- a/xray/commands/audit/jasrunner.go +++ b/xray/commands/audit/jasrunner.go @@ -2,7 +2,6 @@ package audit import ( "errors" - "github.com/jfrog/gofrog/version" "github.com/jfrog/jfrog-cli-core/v2/utils/config" "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas" "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas/applicability" @@ -15,12 +14,12 @@ import ( ) func runJasScannersAndSetResults(scanResults *utils.ExtendedScanResults, directDependencies []string, - serverDetails *config.ServerDetails, workingDirs []string, progress io.ProgressMgr) (err error) { + serverDetails *config.ServerDetails, workingDirs []string, progress io.ProgressMgr, multiScanId string) (err error) { if serverDetails == nil || len(serverDetails.Url) == 0 { log.Warn("To include 'Advanced Security' scan as part of the audit output, please run the 'jf c add' command before running this command.") return } - scanner, err := jas.NewJasScanner(workingDirs, serverDetails) + scanner, err := jas.NewJasScanner(workingDirs, serverDetails, multiScanId) if err != nil { return } @@ -49,12 +48,12 @@ func runJasScannersAndSetResults(scanResults *utils.ExtendedScanResults, directD if err != nil { return } - if !version.NewVersion(utils.AnalyzerManagerVersion).AtLeast(utils.MinAnalyzerManagerVersionForSast) { + if !utils.IsSastSupported() { return } if progress != nil { progress.SetHeadlineMsg("Running SAST scanning") } - scanResults.SastResults, err = sast.RunSastScan(scanner) + scanResults.SastScanResults, err = sast.RunSastScan(scanner) return } diff --git a/xray/commands/audit/jasrunner_test.go b/xray/commands/audit/jasrunner_test.go index 1fcd60976..b6bd121df 100644 --- a/xray/commands/audit/jasrunner_test.go +++ b/xray/commands/audit/jasrunner_test.go @@ -22,14 +22,14 @@ func TestGetExtendedScanResults_AnalyzerManagerDoesntExist(t *testing.T) { assert.NoError(t, os.Unsetenv(coreutils.HomeDir)) }() scanResults := &utils.ExtendedScanResults{XrayResults: jas.FakeBasicXrayResults, ScannedTechnologies: []coreutils.Technology{coreutils.Yarn}} - err = runJasScannersAndSetResults(scanResults, []string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, &jas.FakeServerDetails, nil, nil) + err = runJasScannersAndSetResults(scanResults, []string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, &jas.FakeServerDetails, nil, nil, "") // Expect error: assert.Error(t, err) } func TestGetExtendedScanResults_ServerNotValid(t *testing.T) { scanResults := &utils.ExtendedScanResults{XrayResults: jas.FakeBasicXrayResults, ScannedTechnologies: []coreutils.Technology{coreutils.Pip}} - err := runJasScannersAndSetResults(scanResults, []string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, nil, nil, nil) + err := runJasScannersAndSetResults(scanResults, []string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, nil, nil, nil, "") assert.NoError(t, err) } @@ -37,7 +37,7 @@ func TestGetExtendedScanResults_AnalyzerManagerReturnsError(t *testing.T) { mockDirectDependencies := []string{"issueId_2_direct_dependency", "issueId_1_direct_dependency"} assert.NoError(t, rtutils.DownloadAnalyzerManagerIfNeeded()) scanResults := &utils.ExtendedScanResults{XrayResults: jas.FakeBasicXrayResults, ScannedTechnologies: []coreutils.Technology{coreutils.Yarn}} - err := runJasScannersAndSetResults(scanResults, mockDirectDependencies, &jas.FakeServerDetails, nil, nil) + err := runJasScannersAndSetResults(scanResults, mockDirectDependencies, &jas.FakeServerDetails, nil, nil, "") // Expect error: assert.ErrorContains(t, err, "failed to run Applicability scan") diff --git a/xray/commands/audit/sca/common.go b/xray/commands/audit/sca/common.go index 3176308e3..094746024 100644 --- a/xray/commands/audit/sca/common.go +++ b/xray/commands/audit/sca/common.go @@ -52,6 +52,10 @@ func populateXrayDependencyTree(currNode *xrayUtils.GraphNode, treeHelper map[st func RunXrayDependenciesTreeScanGraph(dependencyTree *xrayUtils.GraphNode, progress ioUtils.ProgressMgr, technology coreutils.Technology, scanGraphParams *scangraph.ScanGraphParams) (results []services.ScanResponse, err error) { scanGraphParams.XrayGraphScanParams().DependenciesGraph = dependencyTree + xscGitInfoContext := scanGraphParams.XrayGraphScanParams().XscGitInfoContext + if xscGitInfoContext != nil { + xscGitInfoContext.Technologies = []string{technology.ToString()} + } scanMessage := fmt.Sprintf("Scanning %d %s dependencies", len(dependencyTree.Nodes), technology) if progress != nil { progress.SetHeadlineMsg(scanMessage) @@ -108,14 +112,18 @@ func GetModule(modules []*xrayUtils.GraphNode, moduleId string) *xrayUtils.Graph // GetExecutableVersion gets an executable version and prints to the debug log if possible. // Only supported for package managers that use "--version". -func GetExecutableVersion(executable string) (version string, err error) { +func LogExecutableVersion(executable string) { verBytes, err := exec.Command(executable, "--version").CombinedOutput() - if err != nil || len(verBytes) == 0 { - return "", err + if err != nil { + log.Debug(fmt.Sprintf("'%q --version' command received an error: %s", executable, err.Error())) + return } - version = strings.TrimSpace(string(verBytes)) + if len(verBytes) == 0 { + log.Debug(fmt.Sprintf("'%q --version' command received an empty response", executable)) + return + } + version := strings.TrimSpace(string(verBytes)) log.Debug(fmt.Sprintf("Used %q version: %s", executable, version)) - return } // BuildImpactPathsForScanResponse builds the full impact paths for each vulnerability found in the scanResult argument, using the dependencyTrees argument. diff --git a/xray/commands/audit/sca/nuget/nuget.go b/xray/commands/audit/sca/nuget/nuget.go index 5f24229c8..ba1b293e0 100644 --- a/xray/commands/audit/sca/nuget/nuget.go +++ b/xray/commands/audit/sca/nuget/nuget.go @@ -1,14 +1,19 @@ package nuget import ( + "errors" + "fmt" + "github.com/jfrog/build-info-go/build/utils/dotnet/solution" + "github.com/jfrog/build-info-go/entities" + biutils "github.com/jfrog/build-info-go/utils" "github.com/jfrog/gofrog/datastructures" "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/sca" + "github.com/jfrog/jfrog-client-go/utils/errorutils" + "github.com/jfrog/jfrog-client-go/utils/io/fileutils" "github.com/jfrog/jfrog-client-go/utils/log" xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils" "os" - - "github.com/jfrog/build-info-go/build/utils/dotnet/solution" - "github.com/jfrog/build-info-go/entities" + "os/exec" ) const ( @@ -24,6 +29,16 @@ func BuildDependencyTree() (dependencyTree []*xrayUtils.GraphNode, uniqueDeps [] if err != nil { return } + + // In case the project's dependencies sources can't be found we run 'dotnet restore' on a copy of the project in order to get its dependencies + if !sol.DependenciesSourcesExist() { + log.Info("Dependencies sources were not detected. Running 'dotnet restore' command") + sol, err = runDotnetRestoreAndLoadSolution(wd) + if err != nil { + return + } + } + buildInfo, err := sol.BuildInfo("", log.Logger) if err != nil { return @@ -32,6 +47,40 @@ func BuildDependencyTree() (dependencyTree []*xrayUtils.GraphNode, uniqueDeps [] return } +func runDotnetRestore(wd string) (err error) { + command := exec.Command("dotnet", "restore") + command.Dir = wd + output, err := command.CombinedOutput() + if err != nil { + err = errorutils.CheckErrorf("'dotnet restore' command failed: %s - %s", err.Error(), output) + } + return +} + +func runDotnetRestoreAndLoadSolution(originalWd string) (sol solution.Solution, err error) { + tmpWd, err := fileutils.CreateTempDir() + if err != nil { + err = fmt.Errorf("failed creating temporary dir: %w", err) + return + } + defer func() { + err = errors.Join(err, fileutils.RemoveTempDir(tmpWd)) + }() + + err = biutils.CopyDir(originalWd, tmpWd, true, nil) + if err != nil { + err = fmt.Errorf("failed copying project to temp dir: %w", err) + return + } + + err = runDotnetRestore(tmpWd) + if err != nil { + return + } + sol, err = solution.Load(tmpWd, "", log.Logger) + return +} + func parseNugetDependencyTree(buildInfo *entities.BuildInfo) (nodes []*xrayUtils.GraphNode, allUniqueDeps []string) { uniqueDepsSet := datastructures.MakeSet[string]() for _, module := range buildInfo.Modules { diff --git a/xray/commands/audit/sca/python/python.go b/xray/commands/audit/sca/python/python.go index e23dc25b0..4efb193ac 100644 --- a/xray/commands/audit/sca/python/python.go +++ b/xray/commands/audit/sca/python/python.go @@ -1,11 +1,13 @@ package python import ( + "errors" "fmt" biutils "github.com/jfrog/build-info-go/utils" "github.com/jfrog/build-info-go/utils/pythonutils" "github.com/jfrog/gofrog/datastructures" "github.com/jfrog/jfrog-cli-core/v2/utils/config" + "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils" utils "github.com/jfrog/jfrog-cli-core/v2/utils/python" "github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/sca" "github.com/jfrog/jfrog-client-go/utils/errorutils" @@ -72,15 +74,11 @@ func getDependencies(auditPython *AuditPython) (dependenciesGraph map[string][]s } defer func() { - e := os.Chdir(wd) - if err == nil { - err = errorutils.CheckError(e) - } - - e = fileutils.RemoveTempDir(tempDirPath) - if err == nil { - err = e - } + err = errors.Join( + err, + errorutils.CheckError(os.Chdir(wd)), + fileutils.RemoveTempDir(tempDirPath), + ) }() err = biutils.CopyDir(wd, tempDirPath, true, nil) @@ -90,10 +88,7 @@ func getDependencies(auditPython *AuditPython) (dependenciesGraph map[string][]s restoreEnv, err := runPythonInstall(auditPython) defer func() { - e := restoreEnv() - if err == nil { - err = e - } + err = errors.Join(err, restoreEnv()) }() if err != nil { return @@ -105,12 +100,8 @@ func getDependencies(auditPython *AuditPython) (dependenciesGraph map[string][]s } dependenciesGraph, directDependencies, err = pythonutils.GetPythonDependencies(auditPython.Tool, tempDirPath, localDependenciesPath) if err != nil { - if _, innerErr := sca.GetExecutableVersion("python"); innerErr != nil { - log.Error(innerErr) - } - if _, innerErr := sca.GetExecutableVersion(string(auditPython.Tool)); innerErr != nil { - log.Error(innerErr) - } + sca.LogExecutableVersion("python") + sca.LogExecutableVersion(string(auditPython.Tool)) } return } @@ -168,14 +159,19 @@ func installPipDeps(auditPython *AuditPython) (restoreEnv func() error, err erro if err != nil { return } + + remoteUrl := "" if auditPython.RemotePypiRepo != "" { - return restoreEnv, runPipInstallFromRemoteRegistry(auditPython.Server, auditPython.RemotePypiRepo, auditPython.PipRequirementsFile) + remoteUrl, err = utils.GetPypiRepoUrl(auditPython.Server, auditPython.RemotePypiRepo) + if err != nil { + return + } } - pipInstallArgs := getPipInstallArgs(auditPython.PipRequirementsFile) + pipInstallArgs := getPipInstallArgs(auditPython.PipRequirementsFile, remoteUrl) err = executeCommand("python", pipInstallArgs...) if err != nil && auditPython.PipRequirementsFile == "" { log.Debug(err.Error() + "\nTrying to install using a requirements file...") - pipInstallArgs = getPipInstallArgs("requirements.txt") + pipInstallArgs = getPipInstallArgs("requirements.txt", remoteUrl) reqErr := executeCommand("python", pipInstallArgs...) if reqErr != nil { // Return Pip install error and log the requirements fallback error. @@ -189,18 +185,17 @@ func installPipDeps(auditPython *AuditPython) (restoreEnv func() error, err erro func executeCommand(executable string, args ...string) error { installCmd := exec.Command(executable, args...) - log.Debug(fmt.Sprintf("Running %q", strings.Join(installCmd.Args, " "))) + maskedCmdString := coreutils.GetMaskedCommandString(installCmd) + log.Debug("Running", maskedCmdString) output, err := installCmd.CombinedOutput() if err != nil { - if _, innerErr := sca.GetExecutableVersion(executable); innerErr != nil { - log.Error(innerErr) - } - return errorutils.CheckErrorf("%q command failed: %s - %s", strings.Join(installCmd.Args, " "), err.Error(), output) + sca.LogExecutableVersion(executable) + return errorutils.CheckErrorf("%q command failed: %s - %s", maskedCmdString, err.Error(), output) } return nil } -func getPipInstallArgs(requirementsFile string) []string { +func getPipInstallArgs(requirementsFile, remoteUrl string) []string { args := []string{"-m", "pip", "install"} if requirementsFile == "" { // Run 'pip install .' @@ -209,17 +204,10 @@ func getPipInstallArgs(requirementsFile string) []string { // Run pip 'install -r requirements ' args = append(args, "-r", requirementsFile) } - return args -} - -func runPipInstallFromRemoteRegistry(server *config.ServerDetails, depsRepoName, pipRequirementsFile string) (err error) { - rtUrl, err := utils.GetPypiRepoUrl(server, depsRepoName) - if err != nil { - return err + if remoteUrl != "" { + args = append(args, utils.GetPypiRemoteRegistryFlag(pythonutils.Pip), remoteUrl) } - args := getPipInstallArgs(pipRequirementsFile) - args = append(args, utils.GetPypiRemoteRegistryFlag(pythonutils.Pip), rtUrl.String()) - return executeCommand("python", args...) + return args } func runPipenvInstallFromRemoteRegistry(server *config.ServerDetails, depsRepoName string) (err error) { @@ -227,7 +215,7 @@ func runPipenvInstallFromRemoteRegistry(server *config.ServerDetails, depsRepoNa if err != nil { return err } - args := []string{"install", "-d", utils.GetPypiRemoteRegistryFlag(pythonutils.Pipenv), rtUrl.String()} + args := []string{"install", "-d", utils.GetPypiRemoteRegistryFlag(pythonutils.Pipenv), rtUrl} return executeCommand("pipenv", args...) } diff --git a/xray/commands/audit/sca/python/python_test.go b/xray/commands/audit/sca/python/python_test.go index 49c3b1f74..bf8ae768d 100644 --- a/xray/commands/audit/sca/python/python_test.go +++ b/xray/commands/audit/sca/python/python_test.go @@ -136,6 +136,9 @@ func TestBuildPoetryDependencyList(t *testing.T) { } func TestGetPipInstallArgs(t *testing.T) { - assert.Equal(t, []string{"-m", "pip", "install", "."}, getPipInstallArgs("")) - assert.Equal(t, []string{"-m", "pip", "install", "-r", "requirements.txt"}, getPipInstallArgs("requirements.txt")) + assert.Equal(t, []string{"-m", "pip", "install", "."}, getPipInstallArgs("", "")) + assert.Equal(t, []string{"-m", "pip", "install", "-r", "requirements.txt"}, getPipInstallArgs("requirements.txt", "")) + + assert.Equal(t, []string{"-m", "pip", "install", ".", "-i", "https://user@pass:remote.url/repo"}, getPipInstallArgs("", "https://user@pass:remote.url/repo")) + assert.Equal(t, []string{"-m", "pip", "install", "-r", "requirements.txt", "-i", "https://user@pass:remote.url/repo"}, getPipInstallArgs("requirements.txt", "https://user@pass:remote.url/repo")) } diff --git a/xray/commands/audit/scarunner.go b/xray/commands/audit/scarunner.go index 231a45c1e..3f8e6144e 100644 --- a/xray/commands/audit/scarunner.go +++ b/xray/commands/audit/scarunner.go @@ -127,8 +127,10 @@ func getDirectDependenciesFromTree(dependencyTrees []*xrayCmdUtils.GraphNode) [] } func GetTechDependencyTree(params *xrayutils.AuditBasicParams, tech coreutils.Technology) (flatTree *xrayCmdUtils.GraphNode, fullDependencyTrees []*xrayCmdUtils.GraphNode, err error) { + logMessage := fmt.Sprintf("Calculating %s dependencies", tech.ToFormal()) + log.Info(logMessage) if params.Progress() != nil { - params.Progress().SetHeadlineMsg(fmt.Sprintf("Calculating %v dependencies", tech.ToFormal())) + params.Progress().SetHeadlineMsg(logMessage) } serverDetails, err := params.ServerDetails() if err != nil { diff --git a/xray/commands/testdata/applicability-scan/applicable-cve-results.sarif b/xray/commands/testdata/applicability-scan/applicable-cve-results.sarif index 71b97e5d6..66aee38a5 100644 --- a/xray/commands/testdata/applicability-scan/applicable-cve-results.sarif +++ b/xray/commands/testdata/applicability-scan/applicable-cve-results.sarif @@ -6,7 +6,7 @@ "name": "JFrog Applicability Scanner", "rules": [ { - "id": "applic_CVE-2021-3807", + "id": "applic_testCve1", "fullDescription": { "text": "The scanner checks whether the vulnerable function `ansi-regex` is called.", "markdown": "The scanner checks whether the vulnerable function `ansi-regex` is called." @@ -17,7 +17,7 @@ } }, { - "id": "applic_CVE-2021-3918", + "id": "applic_testCve3", "fullDescription": { "text": "The scanner checks whether any of the following vulnerable functions are called:\n\n* `json-schema.validate` with external input to its 1st (`instance`) argument.\n* `json-schema.checkPropertyChange` with external input to its 2nd (`schema`) argument.", "markdown": "The scanner checks whether any of the following vulnerable functions are called:\n\n* `json-schema.validate` with external input to its 1st (`instance`) argument.\n* `json-schema.checkPropertyChange` with external input to its 2nd (`schema`) argument." diff --git a/xray/commands/testdata/applicability-scan/no-applicable-cves-results.sarif b/xray/commands/testdata/applicability-scan/no-applicable-cves-results.sarif index a0f9cf39e..4257bc869 100644 --- a/xray/commands/testdata/applicability-scan/no-applicable-cves-results.sarif +++ b/xray/commands/testdata/applicability-scan/no-applicable-cves-results.sarif @@ -6,7 +6,7 @@ "name": "JFrog Applicability Scanner", "rules": [ { - "id": "applic_CVE-2021-3807", + "id": "applic_testCve2", "fullDescription": { "text": "The scanner checks whether the vulnerable function `ansi-regex` is called.", "markdown": "The scanner checks whether the vulnerable function `ansi-regex` is called." @@ -17,7 +17,7 @@ } }, { - "id": "applic_CVE-2021-3918", + "id": "applic_testCve3", "fullDescription": { "text": "The scanner checks whether any of the following vulnerable functions are called:\n\n* `json-schema.validate` with external input to its 1st (`instance`) argument.\n* `json-schema.checkPropertyChange` with external input to its 2nd (`schema`) argument.", "markdown": "The scanner checks whether any of the following vulnerable functions are called:\n\n* `json-schema.validate` with external input to its 1st (`instance`) argument.\n* `json-schema.checkPropertyChange` with external input to its 2nd (`schema`) argument." @@ -26,6 +26,39 @@ "shortDescription": { "text": "Scanner for CVE-2021-3918" } + }, + { + "id": "applic_testCve4", + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `ansi-regex` is called.", + "markdown": "The scanner checks whether the vulnerable function `ansi-regex` is called." + }, + "name": "CVE-2021-3807", + "shortDescription": { + "text": "Scanner for CVE-2021-3807" + } + }, + { + "id": "applic_testCve5", + "fullDescription": { + "text": "The scanner checks whether any of the following vulnerable functions are called:\n\n* `json-schema.validate` with external input to its 1st (`instance`) argument.\n* `json-schema.checkPropertyChange` with external input to its 2nd (`schema`) argument.", + "markdown": "The scanner checks whether any of the following vulnerable functions are called:\n\n* `json-schema.validate` with external input to its 1st (`instance`) argument.\n* `json-schema.checkPropertyChange` with external input to its 2nd (`schema`) argument." + }, + "name": "CVE-2021-3918", + "shortDescription": { + "text": "Scanner for CVE-2021-3918" + } + }, + { + "id": "applic_testCve1", + "fullDescription": { + "text": "The scanner checks whether the vulnerable function `ansi-regex` is called.", + "markdown": "The scanner checks whether the vulnerable function `ansi-regex` is called." + }, + "name": "CVE-2021-3807", + "shortDescription": { + "text": "Scanner for CVE-2021-3807" + } } ], "version": "APPLIC_SCANNERv0.2.3" diff --git a/xray/formats/conversion.go b/xray/formats/conversion.go index 3acb92fbe..83bc09d91 100644 --- a/xray/formats/conversion.go +++ b/xray/formats/conversion.go @@ -1,6 +1,7 @@ package formats import ( + "strconv" "strings" ) @@ -145,32 +146,20 @@ func ConvertToSecretsTableRow(rows []SourceCodeRow) (tableRows []secretsTableRow tableRows = append(tableRows, secretsTableRow{ severity: rows[i].Severity, file: rows[i].File, - lineColumn: rows[i].LineColumn, - text: rows[i].Text, + lineColumn: strconv.Itoa(rows[i].StartLine) + ":" + strconv.Itoa(rows[i].StartColumn), + secret: rows[i].Snippet, }) } return } -func ConvertToIacTableRow(rows []SourceCodeRow) (tableRows []iacTableRow) { +func ConvertToIacOrSastTableRow(rows []SourceCodeRow) (tableRows []iacOrSastTableRow) { for i := range rows { - tableRows = append(tableRows, iacTableRow{ + tableRows = append(tableRows, iacOrSastTableRow{ severity: rows[i].Severity, file: rows[i].File, - lineColumn: rows[i].LineColumn, - text: rows[i].Text, - }) - } - return -} - -func ConvertToSastTableRow(rows []SourceCodeRow) (tableRows []sastTableRow) { - for i := range rows { - tableRows = append(tableRows, sastTableRow{ - severity: rows[i].Severity, - file: rows[i].File, - lineColumn: rows[i].LineColumn, - text: rows[i].Text, + lineColumn: strconv.Itoa(rows[i].StartLine) + ":" + strconv.Itoa(rows[i].StartColumn), + finding: rows[i].Finding, }) } return diff --git a/xray/formats/simplejsonapi.go b/xray/formats/simplejsonapi.go index d56482c25..9bbbdea60 100644 --- a/xray/formats/simplejsonapi.go +++ b/xray/formats/simplejsonapi.go @@ -77,15 +77,19 @@ type OperationalRiskViolationRow struct { type SourceCodeRow struct { Severity string `json:"severity"` SeverityNumValue int `json:"-"` // For sorting - SourceCodeLocationRow - Type string `json:"type"` - CodeFlow [][]SourceCodeLocationRow `json:"codeFlow,omitempty"` + Location + Finding string `json:"finding,omitempty"` + ScannerDescription string `json:"scannerDescription,omitempty"` + CodeFlow [][]Location `json:"codeFlow,omitempty"` } -type SourceCodeLocationRow struct { - File string `json:"file"` - LineColumn string `json:"lineColumn"` - Text string `json:"text"` +type Location struct { + File string `json:"file"` + StartLine int `json:"startLine,omitempty"` + StartColumn int `json:"startColumn,omitempty"` + EndLine int `json:"endLine,omitempty"` + EndColumn int `json:"endColumn,omitempty"` + Snippet string `json:"snippet,omitempty"` } type ComponentRow struct { @@ -94,9 +98,21 @@ type ComponentRow struct { } type CveRow struct { - Id string `json:"id"` - CvssV2 string `json:"cvssV2"` - CvssV3 string `json:"cvssV3"` + Id string `json:"id"` + CvssV2 string `json:"cvssV2"` + CvssV3 string `json:"cvssV3"` + Applicability *Applicability `json:"applicability,omitempty"` +} + +type Applicability struct { + Status string `json:"status"` + ScannerDescription string `json:"scannerDescription,omitempty"` + Evidence []Evidence `json:"evidence,omitempty"` +} + +type Evidence struct { + Location + Reason string `json:"reason,omitempty"` } type SimpleJsonError struct { diff --git a/xray/formats/table.go b/xray/formats/table.go index c099b058d..ea21c845a 100644 --- a/xray/formats/table.go +++ b/xray/formats/table.go @@ -127,19 +127,12 @@ type secretsTableRow struct { severity string `col-name:"Severity"` file string `col-name:"File"` lineColumn string `col-name:"Line:Column"` - text string `col-name:"Secret"` + secret string `col-name:"Secret"` } -type iacTableRow struct { +type iacOrSastTableRow struct { severity string `col-name:"Severity"` file string `col-name:"File"` lineColumn string `col-name:"Line:Column"` - text string `col-name:"Finding"` -} - -type sastTableRow struct { - severity string `col-name:"Severity"` - file string `col-name:"File"` - lineColumn string `col-name:"Line:Column"` - text string `col-name:"Finding"` + finding string `col-name:"Finding"` } diff --git a/xray/scangraph/scangraph.go b/xray/scangraph/scangraph.go index 435fe23db..22dc755f0 100644 --- a/xray/scangraph/scangraph.go +++ b/xray/scangraph/scangraph.go @@ -24,11 +24,20 @@ func RunScanGraphAndGetResults(params *ScanGraphParams) (*services.ScanResponse, // Remove scan type param if Xray version is under the minimum supported version params.xrayGraphScanParams.ScanType = "" } + + if params.xrayGraphScanParams.XscGitInfoContext != nil { + if params.xrayGraphScanParams.XscVersion, err = xrayManager.XscEnabled(); err != nil { + return nil, err + } + } + scanId, err := xrayManager.ScanGraph(*params.xrayGraphScanParams) if err != nil { return nil, err } - scanResult, err := xrayManager.GetScanGraphResults(scanId, params.XrayGraphScanParams().IncludeVulnerabilities, params.XrayGraphScanParams().IncludeLicenses) + + xscEnabled := params.xrayGraphScanParams.XscVersion != "" + scanResult, err := xrayManager.GetScanGraphResults(scanId, params.XrayGraphScanParams().IncludeVulnerabilities, params.XrayGraphScanParams().IncludeLicenses, xscEnabled) if err != nil { return nil, err } diff --git a/xray/utils/analyzermanager.go b/xray/utils/analyzermanager.go index fa770f772..70400d80e 100644 --- a/xray/utils/analyzermanager.go +++ b/xray/utils/analyzermanager.go @@ -3,10 +3,12 @@ package utils import ( "errors" "fmt" + "github.com/jfrog/gofrog/version" "os" "os/exec" "path" "path/filepath" + "strings" "github.com/jfrog/jfrog-cli-core/v2/utils/config" "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils" @@ -14,48 +16,29 @@ import ( "github.com/jfrog/jfrog-client-go/utils/io/fileutils" "github.com/jfrog/jfrog-client-go/utils/log" "github.com/jfrog/jfrog-client-go/xray/services" + "github.com/owenrumney/go-sarif/v2/sarif" ) -type SarifLevel string - const ( - Error SarifLevel = "error" - Warning SarifLevel = "warning" - Info SarifLevel = "info" - Note SarifLevel = "note" - None SarifLevel = "none" - - SeverityDefaultValue = "Medium" -) - -var ( - // All other values (include default) mapped as 'Medium' severity - levelToSeverity = map[SarifLevel]string{ - Error: "High", - Note: "Low", - None: "Unknown", - } -) - -const ( - EntitlementsMinVersion = "3.66.5" - ApplicabilityFeatureId = "contextual_analysis" - AnalyzerManagerZipName = "analyzerManager.zip" - AnalyzerManagerVersion = "1.2.4.1953469" - MinAnalyzerManagerVersionForSast = "1.3" - analyzerManagerDownloadPath = "xsc-gen-exe-analyzer-manager-local/v1" - analyzerManagerDirName = "analyzerManager" - analyzerManagerExecutableName = "analyzerManager" - analyzerManagerLogDirName = "analyzerManagerLogs" - jfUserEnvVariable = "JF_USER" - jfPasswordEnvVariable = "JF_PASS" - jfTokenEnvVariable = "JF_TOKEN" - jfPlatformUrlEnvVariable = "JF_PLATFORM_URL" - logDirEnvVariable = "AM_LOG_DIRECTORY" - notEntitledExitCode = 31 - unsupportedCommandExitCode = 13 - unsupportedOsExitCode = 55 - ErrFailedScannerRun = "failed to run %s scan. Exit code received: %s" + EntitlementsMinVersion = "3.66.5" + ApplicabilityFeatureId = "contextual_analysis" + AnalyzerManagerZipName = "analyzerManager.zip" + defaultAnalyzerManagerVersion = "1.2.4.2000151" + minAnalyzerManagerVersionForSast = "1.3" + analyzerManagerDownloadPath = "xsc-gen-exe-analyzer-manager-local/v1" + analyzerManagerDirName = "analyzerManager" + analyzerManagerExecutableName = "analyzerManager" + analyzerManagerLogDirName = "analyzerManagerLogs" + jfUserEnvVariable = "JF_USER" + jfPasswordEnvVariable = "JF_PASS" + jfTokenEnvVariable = "JF_TOKEN" + jfPlatformUrlEnvVariable = "JF_PLATFORM_URL" + logDirEnvVariable = "AM_LOG_DIRECTORY" + notEntitledExitCode = 31 + unsupportedCommandExitCode = 13 + unsupportedOsExitCode = 55 + ErrFailedScannerRun = "failed to run %s scan. Exit code received: %s" + jfrogCliAnalyzerManagerVersionEnvVariable = "JFROG_CLI_ANALYZER_MANAGER_VERSION" ) type ApplicabilityStatus string @@ -89,26 +72,15 @@ var exitCodeErrorsMap = map[int]string{ unsupportedOsExitCode: "got unsupported operating system error from analyzer manager", } -type SourceCodeLocation struct { - File string - LineColumn string - Text string -} - -type SourceCodeScanResult struct { - SourceCodeLocation - Severity string - Type string - CodeFlow []*[]SourceCodeLocation -} - type ExtendedScanResults struct { - XrayResults []services.ScanResponse - ScannedTechnologies []coreutils.Technology - ApplicabilityScanResults map[string]ApplicabilityStatus - SecretsScanResults []SourceCodeScanResult - IacScanResults []SourceCodeScanResult - SastResults []SourceCodeScanResult + XrayResults []services.ScanResponse + XrayVersion string + ScannedTechnologies []coreutils.Technology + + ApplicabilityScanResults []*sarif.Run + SecretsScanResults []*sarif.Run + IacScanResults []*sarif.Run + SastScanResults []*sarif.Run EntitledForJas bool } @@ -118,13 +90,14 @@ func (e *ExtendedScanResults) getXrayScanResults() []services.ScanResponse { type AnalyzerManager struct { AnalyzerManagerFullPath string + MultiScanId string } func (am *AnalyzerManager) Exec(configFile, scanCommand, workingDir string, serverDetails *config.ServerDetails) (err error) { if err = SetAnalyzerManagerEnvVariables(serverDetails); err != nil { - return err + return } - cmd := exec.Command(am.AnalyzerManagerFullPath, scanCommand, configFile) + cmd := exec.Command(am.AnalyzerManagerFullPath, scanCommand, configFile, am.MultiScanId) defer func() { if !cmd.ProcessState.Exited() { if killProcessError := cmd.Process.Kill(); errorutils.CheckError(killProcessError) != nil { @@ -133,8 +106,11 @@ func (am *AnalyzerManager) Exec(configFile, scanCommand, workingDir string, serv } }() cmd.Dir = workingDir - err = cmd.Run() - return errorutils.CheckError(err) + output, err := cmd.CombinedOutput() + if err != nil { + err = errorutils.CheckErrorf("running %q in directory: %q failed: %s - %s", strings.Join(cmd.Args, " "), workingDir, err.Error(), string(output)) + } + return } func GetAnalyzerManagerDownloadPath() (string, error) { @@ -142,7 +118,18 @@ func GetAnalyzerManagerDownloadPath() (string, error) { if err != nil { return "", err } - return path.Join(analyzerManagerDownloadPath, AnalyzerManagerVersion, osAndArc, AnalyzerManagerZipName), nil + return path.Join(analyzerManagerDownloadPath, GetAnalyzerManagerVersion(), osAndArc, AnalyzerManagerZipName), nil +} + +func GetAnalyzerManagerVersion() string { + if analyzerManagerVersion, exists := os.LookupEnv(jfrogCliAnalyzerManagerVersionEnvVariable); exists { + return analyzerManagerVersion + } + return defaultAnalyzerManagerVersion +} + +func IsSastSupported() bool { + return version.NewVersion(GetAnalyzerManagerVersion()).AtLeast(minAnalyzerManagerVersionForSast) } func GetAnalyzerManagerDirAbsolutePath() (string, error) { diff --git a/xray/utils/analyzermanager_test.go b/xray/utils/analyzermanager_test.go index 7daabaade..602d33686 100644 --- a/xray/utils/analyzermanager_test.go +++ b/xray/utils/analyzermanager_test.go @@ -25,12 +25,10 @@ func TestGetResultFileName(t *testing.T) { {PhysicalLocation: &sarif.PhysicalLocation{ArtifactLocation: &sarif.ArtifactLocation{URI: &fileNameValue}}}, }}, expectedOutput: fileNameValue}, - {result: &sarif.Result{}, - expectedOutput: ""}, } for _, test := range tests { - assert.Equal(t, test.expectedOutput, GetResultFileName(test.result)) + assert.Equal(t, test.expectedOutput, GetLocationFileName(test.result.Locations[0])) } } @@ -67,12 +65,10 @@ func TestGetResultLocationInFile(t *testing.T) { StartColumn: nil, }}}}}, expectedOutput: ""}, - {result: &sarif.Result{}, - expectedOutput: ""}, } for _, test := range tests { - assert.Equal(t, test.expectedOutput, GetResultLocationInFile(test.result)) + assert.Equal(t, test.expectedOutput, GetStartLocationInFile(test.result.Locations[0])) } } @@ -98,11 +94,11 @@ func TestExtractRelativePath(t *testing.T) { } func TestGetResultSeverity(t *testing.T) { - levelValueHigh := string(Error) - levelValueMedium := string(Warning) - levelValueMedium2 := string(Info) - levelValueLow := string(Note) - levelValueUnknown := string(None) + levelValueHigh := string(errorLevel) + levelValueMedium := string(warningLevel) + levelValueMedium2 := string(infoLevel) + levelValueLow := string(noteLevel) + levelValueUnknown := string(noneLevel) tests := []struct { result *sarif.Result diff --git a/xray/utils/resultstable.go b/xray/utils/resultstable.go index 3f5734a14..6a61fb1ad 100644 --- a/xray/utils/resultstable.go +++ b/xray/utils/resultstable.go @@ -8,6 +8,7 @@ import ( "strings" "github.com/jfrog/gofrog/datastructures" + "github.com/owenrumney/go-sarif/v2/sarif" "golang.org/x/exp/maps" "golang.org/x/text/cases" "golang.org/x/text/language" @@ -88,6 +89,11 @@ func prepareViolations(violations []services.Violation, extendedResults *Extende case "security": cves := convertCves(violation.Cves) applicableValue := getApplicableCveValue(extendedResults, cves) + if extendedResults.EntitledForJas { + for i := range cves { + cves[i].Applicability = getCveApplicability(cves[i], extendedResults.ApplicabilityScanResults) + } + } currSeverity := GetSeverity(violation.Severity, applicableValue) jfrogResearchInfo := convertJfrogResearchInformation(violation.ExtendedInformation) for compIndex := 0; compIndex < len(impactedPackagesNames); compIndex++ { @@ -205,6 +211,11 @@ func prepareVulnerabilities(vulnerabilities []services.Vulnerability, extendedRe } cves := convertCves(vulnerability.Cves) applicableValue := getApplicableCveValue(extendedResults, cves) + if extendedResults.EntitledForJas { + for i := range cves { + cves[i].Applicability = getCveApplicability(cves[i], extendedResults.ApplicabilityScanResults) + } + } currSeverity := GetSeverity(vulnerability.Severity, applicableValue) jfrogResearchInfo := convertJfrogResearchInformation(vulnerability.ExtendedInformation) for compIndex := 0; compIndex < len(impactedPackagesNames); compIndex++ { @@ -284,26 +295,33 @@ func PrepareLicenses(licenses []services.License) ([]formats.LicenseRow, error) } // Prepare secrets for all non-table formats (without style or emoji) -func PrepareSecrets(secrets []SourceCodeScanResult) []formats.SourceCodeRow { +func PrepareSecrets(secrets []*sarif.Run) []formats.SourceCodeRow { return prepareSecrets(secrets, false) } -func prepareSecrets(secrets []SourceCodeScanResult, isTable bool) []formats.SourceCodeRow { +func prepareSecrets(secrets []*sarif.Run, isTable bool) []formats.SourceCodeRow { var secretsRows []formats.SourceCodeRow - for _, secret := range secrets { - currSeverity := GetSeverity(secret.Severity, Applicable) - secretsRows = append(secretsRows, - formats.SourceCodeRow{ - Severity: currSeverity.printableTitle(isTable), - SeverityNumValue: currSeverity.numValue, - SourceCodeLocationRow: formats.SourceCodeLocationRow{ - File: secret.File, - LineColumn: secret.LineColumn, - Text: secret.Text, - }, - Type: secret.Type, - }, - ) + for _, secretRun := range secrets { + for _, secretResult := range secretRun.Results { + currSeverity := GetSeverity(GetResultSeverity(secretResult), Applicable) + for _, location := range secretResult.Locations { + secretsRows = append(secretsRows, + formats.SourceCodeRow{ + Severity: currSeverity.printableTitle(isTable), + Finding: GetResultMsgText(secretResult), + SeverityNumValue: currSeverity.numValue, + Location: formats.Location{ + File: GetRelativeLocationFileName(location, secretRun.Invocations), + StartLine: GetLocationStartLine(location), + StartColumn: GetLocationStartColumn(location), + EndLine: GetLocationEndLine(location), + EndColumn: GetLocationEndColumn(location), + Snippet: GetLocationSnippet(location), + }, + }, + ) + } + } } sort.Slice(secretsRows, func(i, j int) bool { @@ -313,7 +331,7 @@ func prepareSecrets(secrets []SourceCodeScanResult, isTable bool) []formats.Sour return secretsRows } -func PrintSecretsTable(secrets []SourceCodeScanResult, entitledForSecretsScan bool) error { +func PrintSecretsTable(secrets []*sarif.Run, entitledForSecretsScan bool) error { if entitledForSecretsScan { secretsRows := prepareSecrets(secrets, true) log.Output() @@ -324,26 +342,38 @@ func PrintSecretsTable(secrets []SourceCodeScanResult, entitledForSecretsScan bo } // Prepare iacs for all non-table formats (without style or emoji) -func PrepareIacs(iacs []SourceCodeScanResult) []formats.SourceCodeRow { +func PrepareIacs(iacs []*sarif.Run) []formats.SourceCodeRow { return prepareIacs(iacs, false) } -func prepareIacs(iacs []SourceCodeScanResult, isTable bool) []formats.SourceCodeRow { +func prepareIacs(iacs []*sarif.Run, isTable bool) []formats.SourceCodeRow { var iacRows []formats.SourceCodeRow - for _, iac := range iacs { - currSeverity := GetSeverity(iac.Severity, Applicable) - iacRows = append(iacRows, - formats.SourceCodeRow{ - Severity: currSeverity.printableTitle(isTable), - SeverityNumValue: currSeverity.numValue, - SourceCodeLocationRow: formats.SourceCodeLocationRow{ - File: iac.File, - LineColumn: iac.LineColumn, - Text: iac.Text, - }, - Type: iac.Type, - }, - ) + for _, iacRun := range iacs { + for _, iacResult := range iacRun.Results { + scannerDescription := "" + if rule, err := iacRun.GetRuleById(*iacResult.RuleID); err == nil { + scannerDescription = GetRuleFullDescription(rule) + } + currSeverity := GetSeverity(GetResultSeverity(iacResult), Applicable) + for _, location := range iacResult.Locations { + iacRows = append(iacRows, + formats.SourceCodeRow{ + Severity: currSeverity.printableTitle(isTable), + Finding: GetResultMsgText(iacResult), + ScannerDescription: scannerDescription, + SeverityNumValue: currSeverity.numValue, + Location: formats.Location{ + File: GetRelativeLocationFileName(location, iacRun.Invocations), + StartLine: GetLocationStartLine(location), + StartColumn: GetLocationStartColumn(location), + EndLine: GetLocationEndLine(location), + EndColumn: GetLocationEndColumn(location), + Snippet: GetLocationSnippet(location), + }, + }, + ) + } + } } sort.Slice(iacRows, func(i, j int) bool { @@ -353,37 +383,51 @@ func prepareIacs(iacs []SourceCodeScanResult, isTable bool) []formats.SourceCode return iacRows } -func PrintIacTable(iacs []SourceCodeScanResult, entitledForIacScan bool) error { +func PrintIacTable(iacs []*sarif.Run, entitledForIacScan bool) error { if entitledForIacScan { iacRows := prepareIacs(iacs, true) log.Output() - return coreutils.PrintTable(formats.ConvertToIacTableRow(iacRows), "Infrastructure as Code Vulnerabilities", + return coreutils.PrintTable(formats.ConvertToIacOrSastTableRow(iacRows), "Infrastructure as Code Vulnerabilities", "✨ No Infrastructure as Code vulnerabilities were found ✨", false) } return nil } -func PrepareSast(sasts []SourceCodeScanResult) []formats.SourceCodeRow { +func PrepareSast(sasts []*sarif.Run) []formats.SourceCodeRow { return prepareSast(sasts, false) } -func prepareSast(sasts []SourceCodeScanResult, isTable bool) []formats.SourceCodeRow { +func prepareSast(sasts []*sarif.Run, isTable bool) []formats.SourceCodeRow { var sastRows []formats.SourceCodeRow - for _, sast := range sasts { - currSeverity := GetSeverity(sast.Severity, Applicable) - sastRows = append(sastRows, - formats.SourceCodeRow{ - Severity: currSeverity.printableTitle(isTable), - SeverityNumValue: currSeverity.numValue, - SourceCodeLocationRow: formats.SourceCodeLocationRow{ - File: sast.File, - LineColumn: sast.LineColumn, - Text: sast.Text, - }, - Type: sast.Type, - CodeFlow: toSourceCodeCodeFlowRow(sast, isTable), - }, - ) + for _, sastRun := range sasts { + for _, sastResult := range sastRun.Results { + scannerDescription := "" + if rule, err := sastRun.GetRuleById(*sastResult.RuleID); err == nil { + scannerDescription = GetRuleFullDescription(rule) + } + currSeverity := GetSeverity(GetResultSeverity(sastResult), Applicable) + + for _, location := range sastResult.Locations { + codeFlows := GetLocationRelatedCodeFlowsFromResult(location, sastResult) + sastRows = append(sastRows, + formats.SourceCodeRow{ + Severity: currSeverity.printableTitle(isTable), + Finding: GetResultMsgText(sastResult), + ScannerDescription: scannerDescription, + SeverityNumValue: currSeverity.numValue, + Location: formats.Location{ + File: GetRelativeLocationFileName(location, sastRun.Invocations), + StartLine: GetLocationStartLine(location), + StartColumn: GetLocationStartColumn(location), + EndLine: GetLocationEndLine(location), + EndColumn: GetLocationEndColumn(location), + Snippet: GetLocationSnippet(location), + }, + CodeFlow: codeFlowToLocationFlow(codeFlows, sastRun.Invocations, isTable), + }, + ) + } + } } sort.Slice(sastRows, func(i, j int) bool { @@ -393,43 +437,40 @@ func prepareSast(sasts []SourceCodeScanResult, isTable bool) []formats.SourceCod return sastRows } -func toSourceCodeCodeFlowRow(result SourceCodeScanResult, isTable bool) (flows [][]formats.SourceCodeLocationRow) { +func codeFlowToLocationFlow(flows []*sarif.CodeFlow, invocations []*sarif.Invocation, isTable bool) (flowRows [][]formats.Location) { if isTable { // Not displaying in table return } - for _, flowStack := range result.CodeFlow { - rowFlow := []formats.SourceCodeLocationRow{} - for _, location := range *flowStack { - rowFlow = append(rowFlow, formats.SourceCodeLocationRow{ - File: location.File, - LineColumn: location.LineColumn, - Text: location.Text, - }) + for _, codeFlow := range flows { + for _, stackTrace := range codeFlow.ThreadFlows { + rowFlow := []formats.Location{} + for _, stackTraceEntry := range stackTrace.Locations { + rowFlow = append(rowFlow, formats.Location{ + File: GetRelativeLocationFileName(stackTraceEntry.Location, invocations), + StartLine: GetLocationStartLine(stackTraceEntry.Location), + StartColumn: GetLocationStartColumn(stackTraceEntry.Location), + EndLine: GetLocationEndLine(stackTraceEntry.Location), + EndColumn: GetLocationEndColumn(stackTraceEntry.Location), + Snippet: GetLocationSnippet(stackTraceEntry.Location), + }) + } + flowRows = append(flowRows, rowFlow) } - flows = append(flows, rowFlow) } return } -func PrintSastTable(sast []SourceCodeScanResult, entitledForSastScan bool) error { +func PrintSastTable(sast []*sarif.Run, entitledForSastScan bool) error { if entitledForSastScan { sastRows := prepareSast(sast, true) log.Output() - return coreutils.PrintTable(formats.ConvertToSastTableRow(sastRows), "Static Application Security Testing (SAST)", + return coreutils.PrintTable(formats.ConvertToIacOrSastTableRow(sastRows), "Static Application Security Testing (SAST)", "✨ No Static Application Security Testing vulnerabilities were found ✨", false) } return nil } -func convertCves(cves []services.Cve) []formats.CveRow { - var cveRows []formats.CveRow - for _, cveObj := range cves { - cveRows = append(cveRows, formats.CveRow{Id: cveObj.Id, CvssV2: cveObj.CvssV2Score, CvssV3: cveObj.CvssV3Score}) - } - return cveRows -} - func convertJfrogResearchInformation(extendedInfo *services.ExtendedInformation) *formats.JfrogResearchInformation { if extendedInfo == nil { return nil @@ -873,6 +914,14 @@ func GetUniqueKey(vulnerableDependency, vulnerableVersion, xrayID string, fixVer return strings.Join([]string{vulnerableDependency, vulnerableVersion, xrayID, strconv.FormatBool(fixVersionExist)}, ":") } +func convertCves(cves []services.Cve) []formats.CveRow { + var cveRows []formats.CveRow + for _, cveObj := range cves { + cveRows = append(cveRows, formats.CveRow{Id: cveObj.Id, CvssV2: cveObj.CvssV2Score, CvssV3: cveObj.CvssV3Score}) + } + return cveRows +} + // If at least one cve is applicable - final value is applicable // Else if at least one cve is undetermined - final value is undetermined // Else (case when all cves aren't applicable) -> final value is not applicable @@ -880,19 +929,22 @@ func getApplicableCveValue(extendedResults *ExtendedScanResults, xrayCves []form if !extendedResults.EntitledForJas || len(extendedResults.ApplicabilityScanResults) == 0 { return NotScanned } - if len(xrayCves) == 0 { return ApplicabilityUndetermined } cveExistsInResult := false finalApplicableValue := NotApplicable - for _, cve := range xrayCves { - if currentCveApplicableValue, exists := extendedResults.ApplicabilityScanResults[cve.Id]; exists { - cveExistsInResult = true - if currentCveApplicableValue == Applicable { - return currentCveApplicableValue - } else if currentCveApplicableValue == ApplicabilityUndetermined { - finalApplicableValue = currentCveApplicableValue + for _, applicabilityRun := range extendedResults.ApplicabilityScanResults { + for _, cve := range xrayCves { + relatedResults := GetResultsByRuleId(applicabilityRun, CveToApplicabilityRuleId(cve.Id)) + if len(relatedResults) == 0 { + finalApplicableValue = ApplicabilityUndetermined + } + for _, relatedResult := range relatedResults { + cveExistsInResult = true + if IsApplicableResult(relatedResult) { + return Applicable + } } } } @@ -902,6 +954,44 @@ func getApplicableCveValue(extendedResults *ExtendedScanResults, xrayCves []form return ApplicabilityUndetermined } +func getCveApplicability(cve formats.CveRow, applicabilityScanResults []*sarif.Run) *formats.Applicability { + applicability := &formats.Applicability{Status: string(ApplicabilityUndetermined)} + for _, applicabilityRun := range applicabilityScanResults { + foundResult, _ := applicabilityRun.GetResultByRuleId(CveToApplicabilityRuleId(cve.Id)) + if foundResult == nil { + continue + } + applicability = &formats.Applicability{} + if IsApplicableResult(foundResult) { + applicability.Status = string(Applicable) + } else { + applicability.Status = string(NotApplicable) + } + + foundRule, _ := applicabilityRun.GetRuleById(CveToApplicabilityRuleId(cve.Id)) + if foundRule != nil { + applicability.ScannerDescription = GetRuleFullDescription(foundRule) + } + + // Add new evidences from locations + for _, location := range foundResult.Locations { + applicability.Evidence = append(applicability.Evidence, formats.Evidence{ + Location: formats.Location{ + File: GetRelativeLocationFileName(location, applicabilityRun.Invocations), + StartLine: GetLocationStartLine(location), + StartColumn: GetLocationStartColumn(location), + EndLine: GetLocationEndLine(location), + EndColumn: GetLocationEndColumn(location), + Snippet: GetLocationSnippet(location), + }, + Reason: GetResultMsgText(foundResult), + }) + } + break + } + return applicability +} + func printApplicableCveValue(applicableValue ApplicabilityStatus, isTable bool) string { if isTable && (log.IsStdOutTerminal() && log.IsColorsSupported() || os.Getenv("GITLAB_CI") != "") { if applicableValue == Applicable { diff --git a/xray/utils/resultstable_test.go b/xray/utils/resultstable_test.go index e7f8b4848..7ed50f24f 100644 --- a/xray/utils/resultstable_test.go +++ b/xray/utils/resultstable_test.go @@ -3,9 +3,11 @@ package utils import ( "errors" "fmt" - "github.com/jfrog/jfrog-cli-core/v2/xray/formats" "testing" + "github.com/jfrog/jfrog-cli-core/v2/xray/formats" + "github.com/owenrumney/go-sarif/v2/sarif" + "github.com/jfrog/jfrog-client-go/xray/services" "github.com/stretchr/testify/assert" ) @@ -426,8 +428,9 @@ func TestGetSeveritiesFormat(t *testing.T) { func TestGetApplicableCveValue(t *testing.T) { testCases := []struct { scanResults *ExtendedScanResults - cves []formats.CveRow + cves []services.Cve expectedResult ApplicabilityStatus + expectedCves []formats.CveRow }{ { scanResults: &ExtendedScanResults{EntitledForJas: false}, @@ -435,54 +438,100 @@ func TestGetApplicableCveValue(t *testing.T) { }, { scanResults: &ExtendedScanResults{ - ApplicabilityScanResults: map[string]ApplicabilityStatus{"testCve1": Applicable, "testCve2": NotApplicable}, - EntitledForJas: true, + ApplicabilityScanResults: []*sarif.Run{ + getRunWithDummyResults( + getDummyResultWithOneLocation("fileName1", 0, 1, "snippet1", "applic_testCve1", "info"), + getDummyPassingResult("applic_testCve2"), + ), + }, + EntitledForJas: true, }, cves: nil, expectedResult: ApplicabilityUndetermined, + expectedCves: nil, }, { scanResults: &ExtendedScanResults{ - ApplicabilityScanResults: map[string]ApplicabilityStatus{"testCve1": NotApplicable, "testCve2": Applicable}, - EntitledForJas: true, + ApplicabilityScanResults: []*sarif.Run{ + getRunWithDummyResults( + getDummyPassingResult("applic_testCve1"), + getDummyResultWithOneLocation("fileName2", 1, 0, "snippet2", "applic_testCve2", "warning"), + ), + }, + EntitledForJas: true, }, - cves: []formats.CveRow{{Id: "testCve2"}}, + cves: []services.Cve{{Id: "testCve2"}}, expectedResult: Applicable, + expectedCves: []formats.CveRow{{Id: "testCve2", Applicability: &formats.Applicability{Status: string(Applicable)}}}, }, { scanResults: &ExtendedScanResults{ - ApplicabilityScanResults: map[string]ApplicabilityStatus{"testCve1": NotApplicable, "testCve2": Applicable}, - EntitledForJas: true, + ApplicabilityScanResults: []*sarif.Run{ + getRunWithDummyResults( + getDummyPassingResult("applic_testCve1"), + getDummyResultWithOneLocation("fileName3", 0, 1, "snippet3", "applic_testCve2", "info"), + ), + }, + EntitledForJas: true, }, - cves: []formats.CveRow{{Id: "testCve3"}}, + cves: []services.Cve{{Id: "testCve3"}}, expectedResult: ApplicabilityUndetermined, + expectedCves: []formats.CveRow{{Id: "testCve3"}}, }, { scanResults: &ExtendedScanResults{ - ApplicabilityScanResults: map[string]ApplicabilityStatus{"testCve1": NotApplicable, "testCve2": NotApplicable}, - EntitledForJas: true}, - cves: []formats.CveRow{{Id: "testCve1"}, {Id: "testCve2"}}, + ApplicabilityScanResults: []*sarif.Run{ + getRunWithDummyResults( + getDummyPassingResult("applic_testCve1"), + getDummyPassingResult("applic_testCve2"), + ), + }, + EntitledForJas: true, + }, + cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}}, expectedResult: NotApplicable, + expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: string(NotApplicable)}}, {Id: "testCve2", Applicability: &formats.Applicability{Status: string(NotApplicable)}}}, }, { scanResults: &ExtendedScanResults{ - ApplicabilityScanResults: map[string]ApplicabilityStatus{"testCve1": NotApplicable, "testCve2": Applicable}, - EntitledForJas: true, + ApplicabilityScanResults: []*sarif.Run{ + getRunWithDummyResults( + getDummyPassingResult("applic_testCve1"), + getDummyResultWithOneLocation("fileName4", 1, 0, "snippet", "applic_testCve2", "warning"), + ), + }, + EntitledForJas: true, }, - cves: []formats.CveRow{{Id: "testCve1"}, {Id: "testCve2"}}, + cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}}, expectedResult: Applicable, + expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: string(NotApplicable)}}, {Id: "testCve2", Applicability: &formats.Applicability{Status: string(Applicable)}}}, }, { scanResults: &ExtendedScanResults{ - ApplicabilityScanResults: map[string]ApplicabilityStatus{"testCve1": NotApplicable, "testCve2": ApplicabilityUndetermined}, - EntitledForJas: true}, - cves: []formats.CveRow{{Id: "testCve1"}, {Id: "testCve2"}}, + ApplicabilityScanResults: []*sarif.Run{ + getRunWithDummyResults(getDummyPassingResult("applic_testCve1")), + }, + EntitledForJas: true}, + cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}}, expectedResult: ApplicabilityUndetermined, + expectedCves: []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: string(NotApplicable)}}, {Id: "testCve2"}}, }, } for _, testCase := range testCases { - assert.Equal(t, testCase.expectedResult, getApplicableCveValue(testCase.scanResults, testCase.cves)) + cves := convertCves(testCase.cves) + applicableValue := getApplicableCveValue(testCase.scanResults, cves) + for i := range cves { + cves[i].Applicability = getCveApplicability(cves[i], testCase.scanResults.ApplicabilityScanResults) + } + assert.Equal(t, testCase.expectedResult, applicableValue) + if assert.True(t, len(testCase.expectedCves) == len(cves)) { + for i := range cves { + if testCase.expectedCves[i].Applicability != nil && assert.NotNil(t, cves[i].Applicability) { + assert.Equal(t, testCase.expectedCves[i].Applicability.Status, cves[i].Applicability.Status) + } + } + } } } diff --git a/xray/utils/resultwriter.go b/xray/utils/resultwriter.go index a1668e49f..dc611d057 100644 --- a/xray/utils/resultwriter.go +++ b/xray/utils/resultwriter.go @@ -4,11 +4,9 @@ import ( "bytes" "encoding/json" "fmt" - "os" "strconv" "strings" - "github.com/jfrog/gofrog/version" "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils" "github.com/jfrog/jfrog-cli-core/v2/xray/formats" clientUtils "github.com/jfrog/jfrog-client-go/utils" @@ -29,27 +27,13 @@ const ( Sarif OutputFormat = "sarif" ) -const missingCveScore = "0" +const MissingCveScore = "0" const maxPossibleCve = 10.0 var OutputFormats = []string{string(Table), string(Json), string(SimpleJson), string(Sarif)} var CurationOutputFormats = []string{string(Table), string(Json)} -type sarifProperties struct { - Applicable string - Cves string - Headline string - Severity string - Description string - MarkdownDescription string - XrayID string - File string - LineColumn string - Type string - CodeFlows [][]formats.SourceCodeLocationRow -} - // PrintScanResults prints the scan results in the specified format. // Note that errors are printed only with SimpleJson format. // @@ -75,7 +59,7 @@ func PrintScanResults(results *ExtendedScanResults, simpleJsonError []formats.Si case Json: return PrintJson(results.getXrayScanResults()) case Sarif: - sarifFile, err := GenerateSarifFileFromScan(results, isMultipleRoots, false, "JFrog Security", coreutils.JFrogComUrl+"xray/") + sarifFile, err := GenerateSarifContentFromResults(results, isMultipleRoots, includeLicenses, false) if err != nil { return err } @@ -114,10 +98,10 @@ func printScanResultsTables(results *ExtendedScanResults, isBinaryScan, includeV if err = PrintIacTable(results.IacScanResults, results.EntitledForJas); err != nil { return } - if !version.NewVersion(AnalyzerManagerVersion).AtLeast(MinAnalyzerManagerVersionForSast) { + if !IsSastSupported() { return } - return PrintSastTable(results.SastResults, results.EntitledForJas) + return PrintSastTable(results.SastScanResults, results.EntitledForJas) } func printMessages(messages []string) { @@ -133,16 +117,22 @@ func printMessage(message string) { log.Output("💬" + message) } -func GenerateSarifFileFromScan(extendedResults *ExtendedScanResults, isMultipleRoots, markdownOutput bool, scanningTool, toolURI string) (string, error) { - report, err := sarif.New(sarif.Version210) +func GenerateSarifContentFromResults(extendedResults *ExtendedScanResults, isMultipleRoots, includeLicenses, markdownOutput bool) (sarifStr string, err error) { + report, err := NewReport() if err != nil { - return "", errorutils.CheckError(err) + return } - run := sarif.NewRunWithInformationURI(scanningTool, toolURI) - if err = convertScanToSarif(run, extendedResults, isMultipleRoots, markdownOutput); err != nil { - return "", err + xrayRun, err := convertXrayResponsesToSarifRun(extendedResults, isMultipleRoots, includeLicenses, markdownOutput) + if err != nil { + return } - report.AddRun(run) + + report.Runs = append(report.Runs, xrayRun) + report.Runs = append(report.Runs, extendedResults.ApplicabilityScanResults...) + report.Runs = append(report.Runs, extendedResults.IacScanResults...) + report.Runs = append(report.Runs, extendedResults.SecretsScanResults...) + report.Runs = append(report.Runs, extendedResults.SastScanResults...) + out, err := json.Marshal(report) if err != nil { return "", errorutils.CheckError(err) @@ -151,7 +141,109 @@ func GenerateSarifFileFromScan(extendedResults *ExtendedScanResults, isMultipleR return clientUtils.IndentJson(out), nil } -func convertScanToSimpleJson(extendedResults *ExtendedScanResults, errors []formats.SimpleJsonError, isMultipleRoots, includeLicenses, simplifiedOutput bool) (formats.SimpleJsonResults, error) { +func convertXrayResponsesToSarifRun(extendedResults *ExtendedScanResults, isMultipleRoots, includeLicenses, markdownOutput bool) (run *sarif.Run, err error) { + xrayJson, err := convertXrayScanToSimpleJson(extendedResults, isMultipleRoots, includeLicenses, true) + if err != nil { + return + } + xrayRun := sarif.NewRunWithInformationURI("JFrog Xray Sca", "https://jfrog.com/xray/") + xrayRun.Tool.Driver.Version = &extendedResults.XrayVersion + if len(xrayJson.Vulnerabilities) > 0 || len(xrayJson.SecurityViolations) > 0 { + if err = extractXrayIssuesToSarifRun(xrayRun, xrayJson, markdownOutput); err != nil { + return + } + } + run = xrayRun + return +} + +func extractXrayIssuesToSarifRun(run *sarif.Run, xrayJson formats.SimpleJsonResults, markdownOutput bool) error { + for _, vulnerability := range xrayJson.Vulnerabilities { + if err := addXrayCveIssueToSarifRun( + vulnerability.Cves, + vulnerability.IssueId, + vulnerability.Severity, + vulnerability.Technology.GetPackageDescriptor(), + vulnerability.Components, + vulnerability.Applicable, + vulnerability.ImpactedDependencyName, + vulnerability.ImpactedDependencyVersion, + vulnerability.Summary, + vulnerability.FixedVersions, + markdownOutput, + run, + ); err != nil { + return err + } + } + for _, violation := range xrayJson.SecurityViolations { + if err := addXrayCveIssueToSarifRun( + violation.Cves, + violation.IssueId, + violation.Severity, + violation.Technology.GetPackageDescriptor(), + violation.Components, + violation.Applicable, + violation.ImpactedDependencyName, + violation.ImpactedDependencyVersion, + violation.Summary, + violation.FixedVersions, + markdownOutput, + run, + ); err != nil { + return err + } + } + for _, license := range xrayJson.LicensesViolations { + msg := getVulnerabilityOrViolationSarifHeadline(license.LicenseKey, license.ImpactedDependencyName, license.ImpactedDependencyVersion) + if rule, isNewRule := addResultToSarifRun(license.LicenseKey, msg, license.Severity, nil, run); isNewRule { + rule.WithDescription("License watch violations") + } + } + return nil +} + +func addXrayCveIssueToSarifRun(cves []formats.CveRow, issueId, severity, file string, components []formats.ComponentRow, applicable, impactedDependencyName, impactedDependencyVersion, summary string, fixedVersions []string, markdownOutput bool, run *sarif.Run) error { + maxCveScore, err := findMaxCVEScore(cves) + if err != nil { + return err + } + cveId := getCves(cves, issueId) + msg := getVulnerabilityOrViolationSarifHeadline(impactedDependencyName, impactedDependencyVersion, cveId) + location := sarif.NewLocation().WithPhysicalLocation(sarif.NewPhysicalLocation().WithArtifactLocation(sarif.NewArtifactLocation().WithUri(file))) + + if rule, isNewRule := addResultToSarifRun(cveId, msg, severity, location, run); isNewRule { + cveRuleProperties := sarif.NewPropertyBag() + if maxCveScore != MissingCveScore { + cveRuleProperties.Add("security-severity", maxCveScore) + } + rule.WithProperties(cveRuleProperties.Properties) + if markdownOutput { + formattedDirectDependencies, err := getDirectDependenciesFormatted(components) + if err != nil { + return err + } + markdownDescription := getSarifTableDescription(formattedDirectDependencies, maxCveScore, applicable, fixedVersions) + "\n" + rule.WithMarkdownHelp(markdownDescription) + } else { + rule.WithDescription(summary) + } + } + return nil +} + +func addResultToSarifRun(issueId, msg, severity string, location *sarif.Location, run *sarif.Run) (rule *sarif.ReportingDescriptor, isNewRule bool) { + if rule, _ = run.GetRuleById(issueId); rule == nil { + isNewRule = true + rule = run.AddRule(issueId) + } + if result := run.CreateResultForRule(issueId).WithMessage(sarif.NewTextMessage(msg)).WithLevel(ConvertToSarifLevel(severity)); location != nil { + result.AddLocation(location) + } + return +} + +func convertXrayScanToSimpleJson(extendedResults *ExtendedScanResults, isMultipleRoots, includeLicenses, simplifiedOutput bool) (formats.SimpleJsonResults, error) { violations, vulnerabilities, licenses := SplitScanResults(extendedResults.XrayResults) jsonTable := formats.SimpleJsonResults{} if len(vulnerabilities) > 0 { @@ -170,18 +262,6 @@ func convertScanToSimpleJson(extendedResults *ExtendedScanResults, errors []form jsonTable.LicensesViolations = licViolationsJsonTable jsonTable.OperationalRiskViolations = opRiskViolationsJsonTable } - if len(extendedResults.SecretsScanResults) > 0 { - secretsRows := PrepareSecrets(extendedResults.SecretsScanResults) - jsonTable.Secrets = secretsRows - } - if len(extendedResults.IacScanResults) > 0 { - iacRows := PrepareIacs(extendedResults.IacScanResults) - jsonTable.Iacs = iacRows - } - if len(extendedResults.SastResults) > 0 { - sastRows := PrepareSast(extendedResults.SastResults) - jsonTable.Sast = sastRows - } if includeLicenses { licJsonTable, err := PrepareLicenses(licenses) if err != nil { @@ -189,99 +269,27 @@ func convertScanToSimpleJson(extendedResults *ExtendedScanResults, errors []form } jsonTable.Licenses = licJsonTable } - jsonTable.Errors = errors return jsonTable, nil } -func convertScanToSarif(run *sarif.Run, extendedResults *ExtendedScanResults, isMultipleRoots, markdownOutput bool) error { - var errors []formats.SimpleJsonError - jsonTable, err := convertScanToSimpleJson(extendedResults, errors, isMultipleRoots, true, markdownOutput) +func convertScanToSimpleJson(extendedResults *ExtendedScanResults, errors []formats.SimpleJsonError, isMultipleRoots, includeLicenses, simplifiedOutput bool) (formats.SimpleJsonResults, error) { + jsonTable, err := convertXrayScanToSimpleJson(extendedResults, isMultipleRoots, includeLicenses, simplifiedOutput) if err != nil { - return err - } - if len(jsonTable.Vulnerabilities) > 0 || len(jsonTable.SecurityViolations) > 0 { - if err = convertToVulnerabilityOrViolationSarif(run, &jsonTable, markdownOutput); err != nil { - return err - } + return formats.SimpleJsonResults{}, err } - return convertToSourceCodeResultSarif(run, &jsonTable, markdownOutput) -} - -func convertToVulnerabilityOrViolationSarif(run *sarif.Run, jsonTable *formats.SimpleJsonResults, markdownOutput bool) error { - if len(jsonTable.SecurityViolations) > 0 { - return convertViolationsToSarif(jsonTable, run, markdownOutput) + if len(extendedResults.SecretsScanResults) > 0 { + jsonTable.Secrets = PrepareSecrets(extendedResults.SecretsScanResults) } - return convertVulnerabilitiesToSarif(jsonTable, run, markdownOutput) -} - -func convertToSourceCodeResultSarif(run *sarif.Run, jsonTable *formats.SimpleJsonResults, markdownOutput bool) (err error) { - for _, secret := range jsonTable.Secrets { - properties := getSourceCodeProperties(secret, markdownOutput, Secrets) - if err = addPropertiesToSarifRun(run, &properties); err != nil { - return - } + if len(extendedResults.IacScanResults) > 0 { + jsonTable.Iacs = PrepareIacs(extendedResults.IacScanResults) } - - for _, iac := range jsonTable.Iacs { - properties := getSourceCodeProperties(iac, markdownOutput, IaC) - if err = addPropertiesToSarifRun(run, &properties); err != nil { - return - } + if len(extendedResults.SastScanResults) > 0 { + jsonTable.Sast = PrepareSast(extendedResults.SastScanResults) } + jsonTable.Errors = errors - for _, sast := range jsonTable.Sast { - properties := getSourceCodeProperties(sast, markdownOutput, Sast) - if err = addPropertiesToSarifRun(run, &properties); err != nil { - return - } - } - return -} - -func getSourceCodeProperties(sourceCodeIssue formats.SourceCodeRow, markdownOutput bool, scanType JasScanType) sarifProperties { - file := strings.TrimPrefix(sourceCodeIssue.File, string(os.PathSeparator)) - mapSeverityToScore := map[string]string{ - "": "0.0", - "unknown": "0.0", - "low": "3.9", - "medium": "6.9", - "high": "8.9", - "critical": "10", - } - severity := mapSeverityToScore[strings.ToLower(sourceCodeIssue.Severity)] - - headline := "" - secretOrFinding := "" - switch scanType { - case IaC: - headline = "Infrastructure as Code Vulnerability" - secretOrFinding = "Finding" - case Sast: - headline = sourceCodeIssue.Text - secretOrFinding = "Finding" - case Secrets: - headline = "Potential Secret Exposed" - secretOrFinding = "Secret" - } - - markdownDescription := "" - if markdownOutput { - headerRow := fmt.Sprintf("| Severity | File | Line:Column | %s |\n", secretOrFinding) - separatorRow := "| :---: | :---: | :---: | :---: |\n" - tableHeader := headerRow + separatorRow - markdownDescription = tableHeader + fmt.Sprintf("| %s | %s | %s | %s |", sourceCodeIssue.Severity, file, sourceCodeIssue.LineColumn, sourceCodeIssue.Text) - } - return sarifProperties{ - Headline: headline, - Severity: severity, - Description: sourceCodeIssue.Text, - MarkdownDescription: markdownDescription, - File: file, - LineColumn: sourceCodeIssue.LineColumn, - Type: sourceCodeIssue.Type, - CodeFlows: sourceCodeIssue.CodeFlow, - } + return jsonTable, nil } func getCves(cvesRow []formats.CveRow, issueId string) string { @@ -304,68 +312,6 @@ func getVulnerabilityOrViolationSarifHeadline(depName, version, key string) stri return fmt.Sprintf("[%s] %s %s", key, depName, version) } -func convertViolationsToSarif(jsonTable *formats.SimpleJsonResults, run *sarif.Run, markdownOutput bool) error { - for _, violation := range jsonTable.SecurityViolations { - properties, err := getViolatedDepsSarifProps(violation, markdownOutput) - if err != nil { - return err - } - if err = addPropertiesToSarifRun(run, &properties); err != nil { - return err - } - } - for _, license := range jsonTable.LicensesViolations { - if err := addPropertiesToSarifRun(run, - &sarifProperties{ - Severity: license.Severity, - Headline: getVulnerabilityOrViolationSarifHeadline(license.LicenseKey, license.ImpactedDependencyName, license.ImpactedDependencyVersion)}); err != nil { - return err - } - } - - return nil -} - -func getViolatedDepsSarifProps(vulnerabilityRow formats.VulnerabilityOrViolationRow, markdownOutput bool) (sarifProperties, error) { - cves := getCves(vulnerabilityRow.Cves, vulnerabilityRow.IssueId) - headline := getVulnerabilityOrViolationSarifHeadline(vulnerabilityRow.ImpactedDependencyName, vulnerabilityRow.ImpactedDependencyVersion, cves) - maxCveScore, err := findMaxCVEScore(vulnerabilityRow.Cves) - if err != nil { - return sarifProperties{}, err - } - formattedDirectDependencies, err := getDirectDependenciesFormatted(vulnerabilityRow.Components) - if err != nil { - return sarifProperties{}, err - } - markdownDescription := "" - if markdownOutput { - markdownDescription = getSarifTableDescription(formattedDirectDependencies, maxCveScore, vulnerabilityRow.Applicable, vulnerabilityRow.FixedVersions) + "\n" - } - return sarifProperties{ - Applicable: vulnerabilityRow.Applicable, - Cves: cves, - Headline: headline, - Severity: maxCveScore, - Description: vulnerabilityRow.Summary, - MarkdownDescription: markdownDescription, - File: vulnerabilityRow.Technology.GetPackageDescriptor(), - }, err -} - -func convertVulnerabilitiesToSarif(jsonTable *formats.SimpleJsonResults, run *sarif.Run, simplifiedOutput bool) error { - for _, vulnerability := range jsonTable.Vulnerabilities { - properties, err := getViolatedDepsSarifProps(vulnerability, simplifiedOutput) - if err != nil { - return err - } - if err = addPropertiesToSarifRun(run, &properties); err != nil { - return err - } - } - - return nil -} - func getDirectDependenciesFormatted(directDependencies []formats.ComponentRow) (string, error) { var formattedDirectDependencies strings.Builder for _, dependency := range directDependencies { @@ -389,92 +335,6 @@ func getSarifTableDescription(formattedDirectDependencies, maxCveScore, applicab maxCveScore, applicable, formattedDirectDependencies, descriptionFixVersions) } -// Adding the Xray scan results details to the sarif struct, for each issue found in the scan -func addPropertiesToSarifRun(run *sarif.Run, properties *sarifProperties) error { - pb := sarif.NewPropertyBag() - if properties.Severity != missingCveScore { - pb.Add("security-severity", properties.Severity) - } - description := properties.Description - markdownDescription := properties.MarkdownDescription - if markdownDescription != "" { - description = "" - } - location, err := getSarifLocation(properties.File, properties.LineColumn) - if err != nil { - return err - } - codeFlows, err := getCodeFlowProperties(properties) - if err != nil { - return err - } - ruleID := generateSarifRuleID(properties) - run.AddRule(ruleID). - WithDescription(description). - WithProperties(pb.Properties). - WithMarkdownHelp(markdownDescription) - run.CreateResultForRule(ruleID). - WithCodeFlows(codeFlows). - WithMessage(sarif.NewTextMessage(properties.Headline)). - AddLocation(location) - return nil -} - -func getSarifLocation(file, lineCol string) (location *sarif.Location, err error) { - line := 0 - column := 0 - if lineCol != "" { - lineColumn := strings.Split(lineCol, ":") - if line, err = strconv.Atoi(lineColumn[0]); err != nil { - return - } - if column, err = strconv.Atoi(lineColumn[1]); err != nil { - return - } - } - location = sarif.NewLocationWithPhysicalLocation( - sarif.NewPhysicalLocation(). - WithArtifactLocation( - sarif.NewSimpleArtifactLocation(file), - ).WithRegion( - sarif.NewSimpleRegion(line, line). - WithStartColumn(column)), - ) - return -} - -func getCodeFlowProperties(properties *sarifProperties) (flows []*sarif.CodeFlow, err error) { - for _, codeFlow := range properties.CodeFlows { - if len(codeFlow) == 0 { - continue - } - converted := sarif.NewCodeFlow() - locations := []*sarif.ThreadFlowLocation{} - for _, location := range codeFlow { - var convertedLocation *sarif.Location - if convertedLocation, err = getSarifLocation(location.File, location.LineColumn); err != nil { - return - } - locations = append(locations, sarif.NewThreadFlowLocation().WithLocation(convertedLocation)) - } - - converted.AddThreadFlow(sarif.NewThreadFlow().WithLocations(locations)) - flows = append(flows, converted) - } - return -} - -func generateSarifRuleID(properties *sarifProperties) string { - switch { - case properties.Cves != "": - return properties.Cves - case properties.XrayID != "": - return properties.XrayID - default: - return properties.File - } -} - func findMaxCVEScore(cves []formats.CveRow) (string, error) { maxCve := 0.0 for _, cve := range cves { diff --git a/xray/utils/resultwriter_test.go b/xray/utils/resultwriter_test.go index 3191f48ef..6f13d6a03 100644 --- a/xray/utils/resultwriter_test.go +++ b/xray/utils/resultwriter_test.go @@ -1,92 +1,12 @@ package utils import ( - "fmt" - "path" "testing" - "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils" "github.com/jfrog/jfrog-cli-core/v2/xray/formats" - "github.com/jfrog/jfrog-client-go/xray/services" "github.com/stretchr/testify/assert" ) -func TestGenerateSarifFileFromScan(t *testing.T) { - extendedResults := &ExtendedScanResults{ - XrayResults: []services.ScanResponse{ - { - Vulnerabilities: []services.Vulnerability{ - { - Cves: []services.Cve{{Id: "CVE-2022-1234", CvssV3Score: "8.0"}, {Id: "CVE-2023-1234", CvssV3Score: "7.1"}}, - Summary: "A test vulnerability the harms nothing", - Severity: "High", - Components: map[string]services.Component{ - "vulnerability1": {FixedVersions: []string{"1.2.3"}}, - }, - Technology: coreutils.Go.ToString(), - }, - }, - }, - }, - SecretsScanResults: []SourceCodeScanResult{ - { - Severity: "Medium", - SourceCodeLocation: SourceCodeLocation{ - File: "found_secrets.js", - LineColumn: "1:18", - Text: "AAA************", - }, - Type: "entropy", - }, - }, - IacScanResults: []SourceCodeScanResult{ - { - Severity: "Medium", - SourceCodeLocation: SourceCodeLocation{ - File: "plan/nonapplicable/req_sw_terraform_azure_compute_no_pass_auth.json", - LineColumn: "229:38", - Text: "BBB************", - }, - Type: "entropy", - }, - }, - } - testCases := []struct { - name string - extendedResults *ExtendedScanResults - isMultipleRoots bool - markdownOutput bool - expectedSarifOutput string - }{ - { - name: "Scan results with vulnerabilities, secrets and IaC", - extendedResults: extendedResults, - expectedSarifOutput: "{\n \"version\": \"2.1.0\",\n \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n \"runs\": [\n {\n \"tool\": {\n \"driver\": {\n \"informationUri\": \"https://example.com/\",\n \"name\": \"JFrog Security\",\n \"rules\": [\n {\n \"id\": \"CVE-2022-1234, CVE-2023-1234\",\n \"shortDescription\": {\n \"text\": \"A test vulnerability the harms nothing\"\n },\n \"help\": {\n \"markdown\": \"\"\n },\n \"properties\": {\n \"security-severity\": \"8.0\"\n }\n },\n {\n \"id\": \"found_secrets.js\",\n \"shortDescription\": {\n \"text\": \"AAA************\"\n },\n \"help\": {\n \"markdown\": \"\"\n },\n \"properties\": {\n \"security-severity\": \"6.9\"\n }\n },\n {\n \"id\": \"plan/nonapplicable/req_sw_terraform_azure_compute_no_pass_auth.json\",\n \"shortDescription\": {\n \"text\": \"BBB************\"\n },\n \"help\": {\n \"markdown\": \"\"\n },\n \"properties\": {\n \"security-severity\": \"6.9\"\n }\n }\n ]\n }\n },\n \"results\": [\n {\n \"ruleId\": \"CVE-2022-1234, CVE-2023-1234\",\n \"ruleIndex\": 0,\n \"message\": {\n \"text\": \"[CVE-2022-1234, CVE-2023-1234] vulnerability1 \"\n },\n \"locations\": [\n {\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"go.mod\"\n },\n \"region\": {\n \"startLine\": 0,\n \"startColumn\": 0,\n \"endLine\": 0\n }\n }\n }\n ]\n },\n {\n \"ruleId\": \"found_secrets.js\",\n \"ruleIndex\": 1,\n \"message\": {\n \"text\": \"Potential Secret Exposed\"\n },\n \"locations\": [\n {\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"found_secrets.js\"\n },\n \"region\": {\n \"startLine\": 1,\n \"startColumn\": 18,\n \"endLine\": 1\n }\n }\n }\n ]\n },\n {\n \"ruleId\": \"plan/nonapplicable/req_sw_terraform_azure_compute_no_pass_auth.json\",\n \"ruleIndex\": 2,\n \"message\": {\n \"text\": \"Infrastructure as Code Vulnerability\"\n },\n \"locations\": [\n {\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"plan/nonapplicable/req_sw_terraform_azure_compute_no_pass_auth.json\"\n },\n \"region\": {\n \"startLine\": 229,\n \"startColumn\": 38,\n \"endLine\": 229\n }\n }\n }\n ]\n }\n ]\n }\n ]\n}", - }, - { - name: "Scan results with vulnerabilities, secrets and IaC as Markdown", - extendedResults: extendedResults, - markdownOutput: true, - expectedSarifOutput: "{\n \"version\": \"2.1.0\",\n \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n \"runs\": [\n {\n \"tool\": {\n \"driver\": {\n \"informationUri\": \"https://example.com/\",\n \"name\": \"JFrog Security\",\n \"rules\": [\n {\n \"id\": \"CVE-2022-1234, CVE-2023-1234\",\n \"shortDescription\": {\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"| Severity Score | Direct Dependencies | Fixed Versions |\\n| :---: | :----: | :---: |\\n| 8.0 | | 1.2.3 |\\n\"\n },\n \"properties\": {\n \"security-severity\": \"8.0\"\n }\n },\n {\n \"id\": \"found_secrets.js\",\n \"shortDescription\": {\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"| Severity | File | Line:Column | Secret |\\n| :---: | :---: | :---: | :---: |\\n| Medium | found_secrets.js | 1:18 | AAA************ |\"\n },\n \"properties\": {\n \"security-severity\": \"6.9\"\n }\n },\n {\n \"id\": \"plan/nonapplicable/req_sw_terraform_azure_compute_no_pass_auth.json\",\n \"shortDescription\": {\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"| Severity | File | Line:Column | Finding |\\n| :---: | :---: | :---: | :---: |\\n| Medium | plan/nonapplicable/req_sw_terraform_azure_compute_no_pass_auth.json | 229:38 | BBB************ |\"\n },\n \"properties\": {\n \"security-severity\": \"6.9\"\n }\n }\n ]\n }\n },\n \"results\": [\n {\n \"ruleId\": \"CVE-2022-1234, CVE-2023-1234\",\n \"ruleIndex\": 0,\n \"message\": {\n \"text\": \"[CVE-2022-1234, CVE-2023-1234] vulnerability1 \"\n },\n \"locations\": [\n {\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"go.mod\"\n },\n \"region\": {\n \"startLine\": 0,\n \"startColumn\": 0,\n \"endLine\": 0\n }\n }\n }\n ]\n },\n {\n \"ruleId\": \"found_secrets.js\",\n \"ruleIndex\": 1,\n \"message\": {\n \"text\": \"Potential Secret Exposed\"\n },\n \"locations\": [\n {\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"found_secrets.js\"\n },\n \"region\": {\n \"startLine\": 1,\n \"startColumn\": 18,\n \"endLine\": 1\n }\n }\n }\n ]\n },\n {\n \"ruleId\": \"plan/nonapplicable/req_sw_terraform_azure_compute_no_pass_auth.json\",\n \"ruleIndex\": 2,\n \"message\": {\n \"text\": \"Infrastructure as Code Vulnerability\"\n },\n \"locations\": [\n {\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"plan/nonapplicable/req_sw_terraform_azure_compute_no_pass_auth.json\"\n },\n \"region\": {\n \"startLine\": 229,\n \"startColumn\": 38,\n \"endLine\": 229\n }\n }\n }\n ]\n }\n ]\n }\n ]\n}", - }, - { - name: "Scan results without vulnerabilities", - extendedResults: &ExtendedScanResults{}, - isMultipleRoots: true, - markdownOutput: true, - expectedSarifOutput: "{\n \"version\": \"2.1.0\",\n \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n \"runs\": [\n {\n \"tool\": {\n \"driver\": {\n \"informationUri\": \"https://example.com/\",\n \"name\": \"JFrog Security\",\n \"rules\": []\n }\n },\n \"results\": []\n }\n ]\n}", - }, - } - - for _, testCase := range testCases { - t.Run(testCase.name, func(t *testing.T) { - sarifOutput, err := GenerateSarifFileFromScan(testCase.extendedResults, testCase.isMultipleRoots, testCase.markdownOutput, "JFrog Security", "https://example.com/") - assert.NoError(t, err) - assert.Equal(t, testCase.expectedSarifOutput, sarifOutput) - }) - } -} - func TestGetVulnerabilityOrViolationSarifHeadline(t *testing.T) { assert.Equal(t, "[CVE-2022-1234] loadsh 1.4.1", getVulnerabilityOrViolationSarifHeadline("loadsh", "1.4.1", "CVE-2022-1234")) assert.NotEqual(t, "[CVE-2022-1234] loadsh 1.4.1", getVulnerabilityOrViolationSarifHeadline("loadsh", "1.2.1", "CVE-2022-1234")) @@ -101,166 +21,6 @@ func TestGetCves(t *testing.T) { assert.Equal(t, issueId, getCves(nil, issueId)) } -func TestGetIacOrSecretsProperties(t *testing.T) { - testCases := []struct { - name string - row formats.SourceCodeRow - markdownOutput bool - isSecret JasScanType - expectedOutput sarifProperties - }{ - { - name: "Infrastructure as Code vulnerability without markdown output", - row: formats.SourceCodeRow{ - Severity: "high", - SourceCodeLocationRow: formats.SourceCodeLocationRow{ - File: path.Join("path", "to", "file"), - LineColumn: "10:5", - Text: "Vulnerable code", - }, - Type: "Terraform", - }, - markdownOutput: false, - isSecret: IaC, - expectedOutput: sarifProperties{ - Applicable: "", - Cves: "", - Headline: "Infrastructure as Code Vulnerability", - Severity: "8.9", - Description: "Vulnerable code", - MarkdownDescription: "", - XrayID: "", - File: path.Join("path", "to", "file"), - LineColumn: "10:5", - Type: "Terraform", - }, - }, - { - name: "Potential secret exposed with markdown output", - row: formats.SourceCodeRow{ - Severity: "medium", - SourceCodeLocationRow: formats.SourceCodeLocationRow{ - File: path.Join("path", "to", "file"), - LineColumn: "5:3", - Text: "Potential secret", - }, - Type: "AWS Secret Manager", - }, - markdownOutput: true, - isSecret: Secrets, - expectedOutput: sarifProperties{ - Applicable: "", - Cves: "", - Headline: "Potential Secret Exposed", - Severity: "6.9", - Description: "Potential secret", - MarkdownDescription: fmt.Sprintf("| Severity | File | Line:Column | Secret |\n| :---: | :---: | :---: | :---: |\n| medium | %s | 5:3 | Potential secret |", path.Join("path", "to", "file")), - XrayID: "", - File: path.Join("path", "to", "file"), - LineColumn: "5:3", - Type: "AWS Secret Manager", - }, - }, - } - - for _, testCase := range testCases { - t.Run(testCase.name, func(t *testing.T) { - output := getSourceCodeProperties(testCase.row, testCase.markdownOutput, testCase.isSecret) - assert.Equal(t, testCase.expectedOutput.Applicable, output.Applicable) - assert.Equal(t, testCase.expectedOutput.Cves, output.Cves) - assert.Equal(t, testCase.expectedOutput.Headline, output.Headline) - assert.Equal(t, testCase.expectedOutput.Severity, output.Severity) - assert.Equal(t, testCase.expectedOutput.Description, output.Description) - assert.Equal(t, testCase.expectedOutput.MarkdownDescription, output.MarkdownDescription) - assert.Equal(t, testCase.expectedOutput.XrayID, output.XrayID) - assert.Equal(t, testCase.expectedOutput.File, output.File) - assert.Equal(t, testCase.expectedOutput.LineColumn, output.LineColumn) - assert.Equal(t, testCase.expectedOutput.Type, output.Type) - }) - } -} - -func TestGetViolatedDepsSarifProps(t *testing.T) { - testCases := []struct { - name string - vulnerability formats.VulnerabilityOrViolationRow - markdownOutput bool - expectedOutput sarifProperties - }{ - { - name: "Vulnerability with markdown output", - vulnerability: formats.VulnerabilityOrViolationRow{ - Summary: "Vulnerable dependency", - Severity: "high", - Applicable: string(Applicable), - ImpactedDependencyName: "example-package", - ImpactedDependencyVersion: "1.0.0", - ImpactedDependencyType: "npm", - FixedVersions: []string{"1.0.1", "1.0.2"}, - Components: []formats.ComponentRow{ - {Name: "example-package", Version: "1.0.0"}, - }, - Cves: []formats.CveRow{ - {Id: "CVE-2021-1234", CvssV3: "7.2"}, - {Id: "CVE-2021-5678", CvssV3: "7.2"}, - }, - IssueId: "XRAY-12345", - }, - markdownOutput: true, - expectedOutput: sarifProperties{ - Applicable: "Applicable", - Cves: "CVE-2021-1234, CVE-2021-5678", - Headline: "[CVE-2021-1234, CVE-2021-5678] example-package 1.0.0", - Severity: "7.2", - Description: "Vulnerable dependency", - MarkdownDescription: "| Severity Score | Contextual Analysis | Direct Dependencies | Fixed Versions |\n| :---: | :---: | :---: | :---: |\n| 7.2 | Applicable | `example-package 1.0.0` | 1.0.1, 1.0.2 |\n", - }, - }, - { - name: "Vulnerability without markdown output", - vulnerability: formats.VulnerabilityOrViolationRow{ - Summary: "Vulnerable dependency", - Severity: "high", - Applicable: string(Applicable), - ImpactedDependencyName: "example-package", - ImpactedDependencyVersion: "1.0.0", - ImpactedDependencyType: "npm", - FixedVersions: []string{"1.0.1", "1.0.2"}, - Components: []formats.ComponentRow{ - {Name: "example-package", Version: "1.0.0"}, - }, - Cves: []formats.CveRow{ - {Id: "CVE-2021-1234", CvssV3: "7.2"}, - {Id: "CVE-2021-5678", CvssV3: "7.2"}, - }, - IssueId: "XRAY-12345", - }, - expectedOutput: sarifProperties{ - Applicable: "Applicable", - Cves: "CVE-2021-1234, CVE-2021-5678", - Headline: "[CVE-2021-1234, CVE-2021-5678] example-package 1.0.0", - Severity: "7.2", - Description: "Vulnerable dependency", - MarkdownDescription: "", - }, - }, - } - - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - output, err := getViolatedDepsSarifProps(tc.vulnerability, tc.markdownOutput) - assert.NoError(t, err) - assert.Equal(t, tc.expectedOutput.Cves, output.Cves) - assert.Equal(t, tc.expectedOutput.Severity, output.Severity) - assert.Equal(t, tc.expectedOutput.XrayID, output.XrayID) - assert.Equal(t, tc.expectedOutput.MarkdownDescription, output.MarkdownDescription) - assert.Equal(t, tc.expectedOutput.Applicable, output.Applicable) - assert.Equal(t, tc.expectedOutput.Description, output.Description) - assert.Equal(t, tc.expectedOutput.Headline, output.Headline) - }) - } -} - func TestGetDirectDependenciesFormatted(t *testing.T) { testCases := []struct { name string diff --git a/xray/utils/sarifutils.go b/xray/utils/sarifutils.go index 0fb9ef5d9..8f7cdf3be 100644 --- a/xray/utils/sarifutils.go +++ b/xray/utils/sarifutils.go @@ -1,96 +1,224 @@ package utils import ( + "fmt" + "path/filepath" "strconv" "strings" + "github.com/jfrog/jfrog-client-go/utils/errorutils" "github.com/owenrumney/go-sarif/v2/sarif" ) -// If exists SourceCodeScanResult with the same location as the provided SarifResult, return it -func GetResultIfExists(result *sarif.Result, workingDir string, results []*SourceCodeScanResult) *SourceCodeScanResult { - file := ExtractRelativePath(GetResultFileName(result), workingDir) - lineCol := GetResultLocationInFile(result) - text := *result.Message.Text - for _, result := range results { - if result.File == file && result.LineColumn == lineCol && result.Text == text { - return result - } +type SarifLevel string + +const ( + errorLevel SarifLevel = "error" + warningLevel SarifLevel = "warning" + infoLevel SarifLevel = "info" + noteLevel SarifLevel = "note" + noneLevel SarifLevel = "none" + + SeverityDefaultValue = "Medium" + + applicabilityRuleIdPrefix = "applic_" +) + +var ( + // All other values (include default) mapped as 'Medium' severity + levelToSeverity = map[SarifLevel]string{ + errorLevel: "High", + noteLevel: "Low", + noneLevel: "Unknown", } - return nil + + severityToLevel = map[string]SarifLevel{ + "critical": errorLevel, + "high": errorLevel, + "medium": warningLevel, + "low": noteLevel, + "unknown": noneLevel, + } +) + +func NewReport() (*sarif.Report, error) { + report, err := sarif.New(sarif.Version210) + if err != nil { + return nil, errorutils.CheckError(err) + } + return report, nil +} + +func ReadScanRunsFromFile(fileName string) (sarifRuns []*sarif.Run, err error) { + report, err := sarif.Open(fileName) + if errorutils.CheckError(err) != nil { + err = fmt.Errorf("can't read valid Sarif run from " + fileName + ": " + err.Error()) + return + } + sarifRuns = report.Runs + return } -func ConvertSarifResultToSourceCodeScanResult(result *sarif.Result, workingDir string) *SourceCodeScanResult { - file := ExtractRelativePath(GetResultFileName(result), workingDir) - lineCol := GetResultLocationInFile(result) - text := *result.Message.Text +func AggregateMultipleRunsIntoSingle(runs []*sarif.Run, destination *sarif.Run) { + if len(runs) == 0 { + return + } + for _, run := range runs { + if run == nil || len(run.Results) == 0 { + continue + } + for _, rule := range GetRunRules(run) { + if destination.Tool.Driver != nil { + destination.Tool.Driver.AddRule(rule) + } + } + for _, result := range run.Results { + destination.AddResult(result) + } + for _, invocation := range run.Invocations { + destination.AddInvocations(invocation) + } + } +} - return &SourceCodeScanResult{ - Severity: GetResultSeverity(result), - SourceCodeLocation: SourceCodeLocation{ - File: file, - LineColumn: lineCol, - Text: text, - }, - Type: *result.RuleID, +func getRunInformationUri(run *sarif.Run) string { + if run != nil && run.Tool.Driver != nil && run.Tool.Driver.InformationURI != nil { + return *run.Tool.Driver.InformationURI } + return "" } -func GetResultCodeFlows(result *sarif.Result, workingDir string) (flows []*[]SourceCodeLocation) { - if len(result.CodeFlows) == 0 { +// Calculate new information that exists at the run and not at the source +func GetDiffFromRun(sources []*sarif.Run, targets []*sarif.Run) (runWithNewOnly *sarif.Run) { + // Combine + combinedSource := sarif.NewRunWithInformationURI(sources[0].Tool.Driver.Name, getRunInformationUri(sources[0])).WithInvocations([]*sarif.Invocation{}) + AggregateMultipleRunsIntoSingle(sources, combinedSource) + if combinedSource == nil { return } - for _, codeFlow := range result.CodeFlows { - if codeFlow == nil || len(codeFlow.ThreadFlows) == 0 { + if len(targets) == 0 { + return combinedSource + } + combinedTarget := sarif.NewRunWithInformationURI(targets[0].Tool.Driver.Name, getRunInformationUri(targets[0])).WithInvocations([]*sarif.Invocation{}) + AggregateMultipleRunsIntoSingle(targets, combinedTarget) + if combinedTarget == nil { + return combinedSource + } + // Get diff + runWithNewOnly = sarif.NewRun(combinedSource.Tool).WithInvocations(combinedSource.Invocations) + for _, sourceResult := range combinedSource.Results { + targetMatchingResults := GetResultsByRuleId(combinedTarget, *sourceResult.RuleID) + if len(targetMatchingResults) == 0 { + runWithNewOnly.AddResult(sourceResult) + if rule, _ := combinedSource.GetRuleById(*sourceResult.RuleID); rule != nil { + runWithNewOnly.Tool.Driver.AddRule(rule) + } continue } - flows = append(flows, extractThreadFlows(codeFlow.ThreadFlows, workingDir)...) + for _, targetMatchingResult := range targetMatchingResults { + if len(sourceResult.Locations) > len(targetMatchingResult.Locations) || + len(sourceResult.CodeFlows) > len(targetMatchingResult.CodeFlows) { + runWithNewOnly.AddResult(sourceResult) + if rule, _ := combinedSource.GetRuleById(*sourceResult.RuleID); rule != nil { + runWithNewOnly.Tool.Driver.AddRule(rule) + } + } + } } return } -func extractThreadFlows(threadFlows []*sarif.ThreadFlow, workingDir string) (flows []*[]SourceCodeLocation) { - for _, threadFlow := range threadFlows { - if threadFlow == nil || len(threadFlow.Locations) == 0 { - continue +func FilterResultsByRuleIdAndMsgText(source []*sarif.Result, ruleId, msgText string) (results []*sarif.Result) { + for _, result := range source { + if ruleId == *result.RuleID && msgText == GetResultMsgText(result) { + results = append(results, result) } - flow := extractStackTraceLocations(threadFlow.Locations, workingDir) - if len(flow) > 0 { - flows = append(flows, &flow) + } + return +} + +func GetLocationRelatedCodeFlowsFromResult(location *sarif.Location, result *sarif.Result) (codeFlows []*sarif.CodeFlow) { + for _, codeFlow := range result.CodeFlows { + for _, stackTrace := range codeFlow.ThreadFlows { + // The threadFlow is reverse stack trace. + // The last location is the location that it relates to. + if isSameLocation(location, stackTrace.Locations[len(stackTrace.Locations)-1].Location) { + codeFlows = append(codeFlows, codeFlow) + } } } return } -func extractStackTraceLocations(locations []*sarif.ThreadFlowLocation, workingDir string) (flow []SourceCodeLocation) { - for _, location := range locations { - if location == nil { - continue +func isSameLocation(location *sarif.Location, other *sarif.Location) bool { + if location == other { + return true + } + return GetLocationFileName(location) == GetLocationFileName(other) && + GetLocationSnippet(location) == GetLocationSnippet(other) && + GetLocationStartLine(location) == GetLocationStartLine(other) && + GetLocationStartColumn(location) == GetLocationStartColumn(other) && + GetLocationEndLine(location) == GetLocationEndLine(other) && + GetLocationEndColumn(location) == GetLocationEndColumn(other) +} + +func GetResultsLocationCount(runs ...*sarif.Run) (count int) { + for _, run := range runs { + for _, result := range run.Results { + count += len(result.Locations) } - flow = append(flow, SourceCodeLocation{ - File: ExtractRelativePath(getResultFileName(location.Location), workingDir), - LineColumn: getResultLocationInFile(location.Location), - Text: GetResultLocationSnippet(location.Location), - }) } return } -func GetResultLocationSnippet(location *sarif.Location) string { - if location != nil && location.PhysicalLocation != nil && location.PhysicalLocation.Region != nil && location.PhysicalLocation.Region.Snippet != nil { - return *location.PhysicalLocation.Region.Snippet.Text +func GetLevelResultsLocationCount(run *sarif.Run, level SarifLevel) (count int) { + for _, result := range run.Results { + if level == SarifLevel(*result.Level) { + count += len(result.Locations) + } } - return "" + return } -func GetResultFileName(result *sarif.Result) string { - if len(result.Locations) > 0 { - return getResultFileName(result.Locations[0]) +func GetResultsByRuleId(run *sarif.Run, ruleId string) (results []*sarif.Result) { + for _, result := range run.Results { + if *result.RuleID == ruleId { + results = append(results, result) + } + } + return +} + +func GetResultMsgText(result *sarif.Result) string { + if result.Message.Text != nil { + return *result.Message.Text } return "" } -func getResultFileName(location *sarif.Location) string { +func GetLocationSnippet(location *sarif.Location) string { + snippet := GetLocationSnippetPointer(location) + if snippet == nil { + return "" + } + return *snippet +} + +func GetLocationSnippetPointer(location *sarif.Location) *string { + region := getLocationRegion(location) + if region != nil && region.Snippet != nil { + return region.Snippet.Text + } + return nil +} + +func SetLocationSnippet(location *sarif.Location, snippet string) { + if location != nil && location.PhysicalLocation != nil && location.PhysicalLocation.Region != nil && location.PhysicalLocation.Region.Snippet != nil { + location.PhysicalLocation.Region.Snippet.Text = &snippet + } +} + +func GetLocationFileName(location *sarif.Location) string { filePath := location.PhysicalLocation.ArtifactLocation.URI if filePath != nil { return *filePath @@ -98,14 +226,65 @@ func getResultFileName(location *sarif.Location) string { return "" } -func GetResultLocationInFile(result *sarif.Result) string { - if len(result.Locations) > 0 { - return getResultLocationInFile(result.Locations[0]) +func GetRelativeLocationFileName(location *sarif.Location, invocations []*sarif.Invocation) string { + wd := "" + if len(invocations) > 0 { + wd = GetInvocationWorkingDirectory(invocations[0]) + } + GetLocationFileName(location) + filePath := GetLocationFileName(location) + if filePath != "" { + return ExtractRelativePath(filePath, wd) } return "" } -func getResultLocationInFile(location *sarif.Location) string { +func SetLocationFileName(location *sarif.Location, fileName string) { + if location != nil && location.PhysicalLocation != nil && location.PhysicalLocation.Region != nil && location.PhysicalLocation.Region.Snippet != nil { + location.PhysicalLocation.ArtifactLocation.URI = &fileName + } +} + +func getLocationRegion(location *sarif.Location) *sarif.Region { + if location != nil && location.PhysicalLocation != nil { + return location.PhysicalLocation.Region + } + return nil +} + +func GetLocationStartLine(location *sarif.Location) int { + region := getLocationRegion(location) + if region != nil && region.StartLine != nil { + return *region.StartLine + } + return 0 +} + +func GetLocationStartColumn(location *sarif.Location) int { + region := getLocationRegion(location) + if region != nil && region.StartColumn != nil { + return *region.StartColumn + } + return 0 +} + +func GetLocationEndLine(location *sarif.Location) int { + region := getLocationRegion(location) + if region != nil && region.EndLine != nil { + return *region.EndLine + } + return 0 +} + +func GetLocationEndColumn(location *sarif.Location) int { + region := getLocationRegion(location) + if region != nil && region.EndColumn != nil { + return *region.EndColumn + } + return 0 +} + +func GetStartLocationInFile(location *sarif.Location) string { startLine := location.PhysicalLocation.Region.StartLine startColumn := location.PhysicalLocation.Region.StartColumn if startLine != nil && startColumn != nil { @@ -115,9 +294,13 @@ func getResultLocationInFile(location *sarif.Location) string { } func ExtractRelativePath(resultPath string, projectRoot string) string { - filePrefix := "file://" - relativePath := strings.ReplaceAll(strings.ReplaceAll(resultPath, projectRoot, ""), filePrefix, "") - return relativePath + // Remove OS-specific file prefix + resultPath = strings.TrimPrefix(resultPath, "file:///private") + resultPath = strings.TrimPrefix(resultPath, "file://") + + // Get relative path + relativePath := strings.ReplaceAll(resultPath, projectRoot, "") + return strings.TrimPrefix(relativePath, string(filepath.Separator)) } func GetResultSeverity(result *sarif.Result) string { @@ -128,3 +311,43 @@ func GetResultSeverity(result *sarif.Result) string { } return SeverityDefaultValue } + +func ConvertToSarifLevel(severity string) string { + if level, ok := severityToLevel[strings.ToLower(severity)]; ok { + return string(level) + } + return string(noneLevel) +} + +func IsApplicableResult(result *sarif.Result) bool { + return !(result.Kind != nil && *result.Kind == "pass") +} + +func GetRuleFullDescription(rule *sarif.ReportingDescriptor) string { + if rule.FullDescription != nil && rule.FullDescription.Text != nil { + return *rule.FullDescription.Text + } + return "" +} + +func CveToApplicabilityRuleId(cveId string) string { + return applicabilityRuleIdPrefix + cveId +} + +func ApplicabilityRuleIdToCve(sarifRuleId string) string { + return strings.TrimPrefix(sarifRuleId, applicabilityRuleIdPrefix) +} + +func GetRunRules(run *sarif.Run) []*sarif.ReportingDescriptor { + if run != nil && run.Tool.Driver != nil { + return run.Tool.Driver.Rules + } + return []*sarif.ReportingDescriptor{} +} + +func GetInvocationWorkingDirectory(invocation *sarif.Invocation) string { + if invocation.WorkingDirectory != nil && invocation.WorkingDirectory.URI != nil { + return *invocation.WorkingDirectory.URI + } + return "" +} diff --git a/xray/utils/sarifutils_test.go b/xray/utils/sarifutils_test.go new file mode 100644 index 000000000..4e0031268 --- /dev/null +++ b/xray/utils/sarifutils_test.go @@ -0,0 +1,43 @@ +package utils + +import ( + "github.com/jfrog/gofrog/datastructures" + "github.com/owenrumney/go-sarif/v2/sarif" +) + +func getRunWithDummyResults(results ...*sarif.Result) *sarif.Run { + run := sarif.NewRunWithInformationURI("", "") + ids := datastructures.MakeSet[string]() + for _, result := range results { + if !ids.Exists(*result.RuleID) { + run.Tool.Driver.Rules = append(run.Tool.Driver.Rules, sarif.NewRule(*result.RuleID)) + ids.Add(*result.RuleID) + } + } + return run.WithResults(results) +} + +func getDummyPassingResult(ruleId string) *sarif.Result { + kind := "pass" + return &sarif.Result{ + Kind: &kind, + RuleID: &ruleId, + } +} + +func getDummyResultWithOneLocation(fileName string, startLine, startCol int, snippet, ruleId string, level string) *sarif.Result { + return &sarif.Result{ + Locations: []*sarif.Location{ + { + PhysicalLocation: &sarif.PhysicalLocation{ + ArtifactLocation: &sarif.ArtifactLocation{URI: &fileName}, + Region: &sarif.Region{ + StartLine: &startLine, + StartColumn: &startCol, + Snippet: &sarif.ArtifactContent{Text: &snippet}}}, + }, + }, + Level: &level, + RuleID: &ruleId, + } +}