Skip to content

Commit

Permalink
Audit - licenses and build impact paths refactor (#927)
Browse files Browse the repository at this point in the history
  • Loading branch information
omerzi authored Sep 19, 2023
1 parent bb19a7a commit f3f76b6
Show file tree
Hide file tree
Showing 15 changed files with 336 additions and 277 deletions.
6 changes: 3 additions & 3 deletions general/cisetup/jenkinsfiledslgenerator.go
Original file line number Diff line number Diff line change
Expand Up @@ -163,7 +163,7 @@ func generateEnvironments(buildType coreutils.Technology) string {
case coreutils.Maven:
fallthrough
case coreutils.Gradle:
envs += fmt.Sprintf(homeEnv, strings.ToUpper(buildType.ToString()))
envs += fmt.Sprintf(homeEnv, strings.ToUpper(buildType.String()))
default:
envs += ""
}
Expand Down Expand Up @@ -197,8 +197,8 @@ func generateRtConfigSteps(techInfo *TechnologyInfo, rtUrl string) string {

func generateBuildStages(buildCmd string, buildType coreutils.Technology) (buildStages string) {
buildStages = ""
resolverId := fmt.Sprintf(resolverIdTemplate, strings.ToUpper(buildType.ToString()))
deployerId := fmt.Sprintf(deployerIdTemplate, strings.ToUpper(buildType.ToString()))
resolverId := fmt.Sprintf(resolverIdTemplate, strings.ToUpper(buildType.String()))
deployerId := fmt.Sprintf(deployerIdTemplate, strings.ToUpper(buildType.String()))
switch buildType {
case coreutils.Maven:
buildStages += generateStage("Exec Maven", fmt.Sprintf(mavenRunStepTemplate, buildCmd, resolverId, deployerId))
Expand Down
8 changes: 4 additions & 4 deletions utils/coreutils/techutils.go
Original file line number Diff line number Diff line change
Expand Up @@ -130,25 +130,25 @@ var technologiesData = map[Technology]TechData{

func (tech Technology) ToFormal() string {
if technologiesData[tech].formal == "" {
return cases.Title(language.Und).String(tech.ToString())
return cases.Title(language.Und).String(tech.String())
}
return technologiesData[tech].formal
}

func (tech Technology) ToString() string {
func (tech Technology) String() string {
return string(tech)
}

func (tech Technology) GetExecCommandName() string {
if technologiesData[tech].execCommand == "" {
return tech.ToString()
return tech.String()
}
return technologiesData[tech].execCommand
}

func (tech Technology) GetPackageType() string {
if technologiesData[tech].packageType == "" {
return tech.ToString()
return tech.String()
}
return technologiesData[tech].packageType
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -49,13 +49,13 @@ func TestNewApplicabilityScanManager_NoDirectDependenciesInScan(t *testing.T) {
{
ScanId: "scanId_1",
Vulnerabilities: []services.Vulnerability{
{IssueId: "issueId_1", Technology: coreutils.Pipenv.ToString(),
{IssueId: "issueId_1", Technology: coreutils.Pipenv.String(),
Cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}, {Id: "testCve3"}},
Components: map[string]services.Component{
"issueId_1_non_direct_dependency": {}}},
},
Violations: []services.Violation{
{IssueId: "issueId_2", Technology: coreutils.Pipenv.ToString(),
{IssueId: "issueId_2", Technology: coreutils.Pipenv.String(),
Cves: []services.Cve{{Id: "testCve4"}, {Id: "testCve5"}},
Components: map[string]services.Component{
"issueId_2_non_direct_dependency": {}}},
Expand Down Expand Up @@ -105,7 +105,7 @@ func TestNewApplicabilityScanManager_ViolationsDontExistInResults(t *testing.T)
{
ScanId: "scanId_1",
Vulnerabilities: []services.Vulnerability{
{IssueId: "issueId_1", Technology: coreutils.Pipenv.ToString(),
{IssueId: "issueId_1", Technology: coreutils.Pipenv.String(),
Cves: []services.Cve{{Id: "test_cve_1"}, {Id: "test_cve_2"}, {Id: "test_cve_3"}},
Components: map[string]services.Component{"issueId_1_direct_dependency": {}}},
},
Expand All @@ -131,7 +131,7 @@ func TestNewApplicabilityScanManager_VulnerabilitiesDontExist(t *testing.T) {
{
ScanId: "scanId_1",
Violations: []services.Violation{
{IssueId: "issueId_2", Technology: coreutils.Pipenv.ToString(),
{IssueId: "issueId_2", Technology: coreutils.Pipenv.String(),
Cves: []services.Cve{{Id: "test_cve_3"}, {Id: "test_cve_4"}},
Components: map[string]services.Component{"issueId_2_direct_dependency": {}}},
},
Expand Down Expand Up @@ -178,7 +178,7 @@ func TestExtractXrayDirectViolations(t *testing.T) {
var xrayResponseForDirectViolationsTest = []services.ScanResponse{
{
Violations: []services.Violation{
{IssueId: "issueId_2", Technology: coreutils.Pipenv.ToString(),
{IssueId: "issueId_2", Technology: coreutils.Pipenv.String(),
Cves: []services.Cve{{Id: "testCve4"}, {Id: "testCve5"}},
Components: map[string]services.Component{"issueId_2_direct_dependency": {}}},
},
Expand Down Expand Up @@ -212,12 +212,12 @@ func TestExtractXrayDirectVulnerabilities(t *testing.T) {
ScanId: "scanId_1",
Vulnerabilities: []services.Vulnerability{
{
IssueId: "issueId_1", Technology: coreutils.Pipenv.ToString(),
IssueId: "issueId_1", Technology: coreutils.Pipenv.String(),
Cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}, {Id: "testCve3"}},
Components: map[string]services.Component{"issueId_1_direct_dependency": {}},
},
{
IssueId: "issueId_2", Technology: coreutils.Pipenv.ToString(),
IssueId: "issueId_2", Technology: coreutils.Pipenv.String(),
Cves: []services.Cve{{Id: "testCve4"}, {Id: "testCve5"}},
Components: map[string]services.Component{"issueId_2_direct_dependency": {}},
},
Expand Down
4 changes: 2 additions & 2 deletions xray/commands/audit/jas/common.go
Original file line number Diff line number Diff line change
Expand Up @@ -172,12 +172,12 @@ var FakeBasicXrayResults = []services.ScanResponse{
{
ScanId: "scanId_1",
Vulnerabilities: []services.Vulnerability{
{IssueId: "issueId_1", Technology: coreutils.Pipenv.ToString(),
{IssueId: "issueId_1", Technology: coreutils.Pipenv.String(),
Cves: []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}, {Id: "testCve3"}},
Components: map[string]services.Component{"issueId_1_direct_dependency": {}, "issueId_3_direct_dependency": {}}},
},
Violations: []services.Violation{
{IssueId: "issueId_2", Technology: coreutils.Pipenv.ToString(),
{IssueId: "issueId_2", Technology: coreutils.Pipenv.String(),
Cves: []services.Cve{{Id: "testCve4"}, {Id: "testCve5"}},
Components: map[string]services.Component{"issueId_2_direct_dependency": {}, "issueId_4_direct_dependency": {}}},
},
Expand Down
47 changes: 25 additions & 22 deletions xray/commands/audit/sca/common.go
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ func RunXrayDependenciesTreeScanGraph(dependencyTree *xrayUtils.GraphNode, progr
scanGraphParams.XrayGraphScanParams().DependenciesGraph = dependencyTree
xscGitInfoContext := scanGraphParams.XrayGraphScanParams().XscGitInfoContext
if xscGitInfoContext != nil {
xscGitInfoContext.Technologies = []string{technology.ToString()}
xscGitInfoContext.Technologies = []string{technology.String()}
}
scanMessage := fmt.Sprintf("Scanning %d %s dependencies", len(dependencyTree.Nodes), technology)
if progress != nil {
Expand All @@ -68,10 +68,10 @@ func RunXrayDependenciesTreeScanGraph(dependencyTree *xrayUtils.GraphNode, progr
return
}
for i := range scanResults.Vulnerabilities {
scanResults.Vulnerabilities[i].Technology = technology.ToString()
scanResults.Vulnerabilities[i].Technology = technology.String()
}
for i := range scanResults.Violations {
scanResults.Violations[i].Technology = technology.ToString()
scanResults.Violations[i].Technology = technology.String()
}
results = append(results, *scanResults)
return
Expand Down Expand Up @@ -143,29 +143,24 @@ func BuildImpactPathsForScanResponse(scanResult []services.ScanResponse, depende
return scanResult
}

// Initialize a map of issues to their components with empty impact paths
func fillImpactPathsMapWithIssues(issuesImpactPathsMap map[string]*services.Component, components map[string]services.Component) {
// Initialize a map of issues empty impact paths
func fillIssuesMapWithEmptyImpactPaths(issuesImpactPathsMap map[string][][]services.ImpactPathNode, components map[string]services.Component) {
for dependencyName := range components {
emptyPathsComponent := &services.Component{
ImpactPaths: [][]services.ImpactPathNode{},
FixedVersions: components[dependencyName].FixedVersions,
Cpes: components[dependencyName].Cpes,
}
issuesImpactPathsMap[dependencyName] = emptyPathsComponent
issuesImpactPathsMap[dependencyName] = [][]services.ImpactPathNode{}
}
}

// Set the impact paths for each issue in the map
func buildImpactPaths(issuesImpactPathsMap map[string]*services.Component, dependencyTrees []*xrayUtils.GraphNode) {
func buildImpactPaths(issuesImpactPathsMap map[string][][]services.ImpactPathNode, dependencyTrees []*xrayUtils.GraphNode) {
for _, dependency := range dependencyTrees {
setPathsForIssues(dependency, issuesImpactPathsMap, []services.ImpactPathNode{})
}
}

func buildVulnerabilitiesImpactPaths(vulnerabilities []services.Vulnerability, dependencyTrees []*xrayUtils.GraphNode) {
issuesMap := make(map[string]*services.Component)
issuesMap := make(map[string][][]services.ImpactPathNode)
for _, vulnerability := range vulnerabilities {
fillImpactPathsMapWithIssues(issuesMap, vulnerability.Components)
fillIssuesMapWithEmptyImpactPaths(issuesMap, vulnerability.Components)
}
buildImpactPaths(issuesMap, dependencyTrees)
for i := range vulnerabilities {
Expand All @@ -174,9 +169,9 @@ func buildVulnerabilitiesImpactPaths(vulnerabilities []services.Vulnerability, d
}

func buildViolationsImpactPaths(violations []services.Violation, dependencyTrees []*xrayUtils.GraphNode) {
issuesMap := make(map[string]*services.Component)
issuesMap := make(map[string][][]services.ImpactPathNode)
for _, violation := range violations {
fillImpactPathsMapWithIssues(issuesMap, violation.Components)
fillIssuesMapWithEmptyImpactPaths(issuesMap, violation.Components)
}
buildImpactPaths(issuesMap, dependencyTrees)
for i := range violations {
Expand All @@ -185,26 +180,34 @@ func buildViolationsImpactPaths(violations []services.Violation, dependencyTrees
}

func buildLicensesImpactPaths(licenses []services.License, dependencyTrees []*xrayUtils.GraphNode) {
issuesMap := make(map[string]*services.Component)
issuesMap := make(map[string][][]services.ImpactPathNode)
for _, license := range licenses {
fillImpactPathsMapWithIssues(issuesMap, license.Components)
fillIssuesMapWithEmptyImpactPaths(issuesMap, license.Components)
}
buildImpactPaths(issuesMap, dependencyTrees)
for i := range licenses {
updateComponentsWithImpactPaths(licenses[i].Components, issuesMap)
}
}

func updateComponentsWithImpactPaths(components map[string]services.Component, issuesMap map[string]*services.Component) {
func updateComponentsWithImpactPaths(components map[string]services.Component, issuesMap map[string][][]services.ImpactPathNode) {
for dependencyName := range components {
components[dependencyName] = *issuesMap[dependencyName]
updatedComponent := services.Component{
FixedVersions: components[dependencyName].FixedVersions,
ImpactPaths: issuesMap[dependencyName],
Cpes: components[dependencyName].Cpes,
}
components[dependencyName] = updatedComponent
}
}

func setPathsForIssues(dependency *xrayUtils.GraphNode, issuesImpactPathsMap map[string]*services.Component, pathFromRoot []services.ImpactPathNode) {
func setPathsForIssues(dependency *xrayUtils.GraphNode, issuesImpactPathsMap map[string][][]services.ImpactPathNode, pathFromRoot []services.ImpactPathNode) {
pathFromRoot = append(pathFromRoot, services.ImpactPathNode{ComponentId: dependency.Id})
if _, exists := issuesImpactPathsMap[dependency.Id]; exists {
issuesImpactPathsMap[dependency.Id].ImpactPaths = append(issuesImpactPathsMap[dependency.Id].ImpactPaths, pathFromRoot)
// Create a copy of pathFromRoot to avoid modifying the original slice
pathCopy := make([]services.ImpactPathNode, len(pathFromRoot))
copy(pathCopy, pathFromRoot)
issuesImpactPathsMap[dependency.Id] = append(issuesImpactPathsMap[dependency.Id], pathCopy)
}
for _, depChild := range dependency.Nodes {
setPathsForIssues(depChild, issuesImpactPathsMap, pathFromRoot)
Expand Down
77 changes: 53 additions & 24 deletions xray/commands/audit/sca/common_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"github.com/jfrog/jfrog-client-go/xray/services"
xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
"github.com/stretchr/testify/assert"
"reflect"
"testing"
)

Expand All @@ -20,51 +21,44 @@ func TestSetPathsForIssues(t *testing.T) {
childNode3.Nodes = []*xrayUtils.GraphNode{childNode5}

// Create a test issues map
issuesMap := make(map[string]*services.Component)
issuesMap["child1"] = &services.Component{ImpactPaths: [][]services.ImpactPathNode{}}
issuesMap["child4"] = &services.Component{ImpactPaths: [][]services.ImpactPathNode{}}
issuesMap["child5"] = &services.Component{ImpactPaths: [][]services.ImpactPathNode{}}
issuesMap := make(map[string][][]services.ImpactPathNode)
issuesMap["child1"] = [][]services.ImpactPathNode{}
issuesMap["child4"] = [][]services.ImpactPathNode{}
issuesMap["child5"] = [][]services.ImpactPathNode{}

// Call setPathsForIssues with the test data
setPathsForIssues(rootNode, issuesMap, []services.ImpactPathNode{})

// Check the results
assert.Equal(t, issuesMap["child1"].ImpactPaths[0][0].ComponentId, "root")
assert.Equal(t, issuesMap["child1"].ImpactPaths[0][1].ComponentId, "child1")
assert.Equal(t, issuesMap["child1"][0][0].ComponentId, "root")
assert.Equal(t, issuesMap["child1"][0][1].ComponentId, "child1")

assert.Equal(t, issuesMap["child4"].ImpactPaths[0][0].ComponentId, "root")
assert.Equal(t, issuesMap["child4"].ImpactPaths[0][1].ComponentId, "child2")
assert.Equal(t, issuesMap["child4"].ImpactPaths[0][2].ComponentId, "child4")
assert.Equal(t, issuesMap["child4"][0][0].ComponentId, "root")
assert.Equal(t, issuesMap["child4"][0][1].ComponentId, "child2")
assert.Equal(t, issuesMap["child4"][0][2].ComponentId, "child4")

assert.Equal(t, issuesMap["child5"].ImpactPaths[0][0].ComponentId, "root")
assert.Equal(t, issuesMap["child5"].ImpactPaths[0][1].ComponentId, "child3")
assert.Equal(t, issuesMap["child5"].ImpactPaths[0][2].ComponentId, "child5")
assert.Equal(t, issuesMap["child5"][0][0].ComponentId, "root")
assert.Equal(t, issuesMap["child5"][0][1].ComponentId, "child3")
assert.Equal(t, issuesMap["child5"][0][2].ComponentId, "child5")
}

func TestUpdateVulnerableComponent(t *testing.T) {
// Create test data
components := map[string]services.Component{
"dependency1": {
FixedVersions: []string{"1.0.0"},
ImpactPaths: [][]services.ImpactPathNode{},
},
}
dependencyName := "dependency1"
issuesMap := map[string]*services.Component{
dependencyName: {
FixedVersions: []string{"1.0.0"},
ImpactPaths: [][]services.ImpactPathNode{
{{ComponentId: "dependency2"}},
},
},
dependencyName, issuesMap := "dependency1", map[string][][]services.ImpactPathNode{
"dependency1": {},
}

updateComponentsWithImpactPaths(components, issuesMap)

// Check the result
expected := services.Component{
FixedVersions: []string{"1.0.0"},
ImpactPaths: issuesMap[dependencyName].ImpactPaths,
ImpactPaths: issuesMap[dependencyName],
}
assert.Equal(t, expected, components[dependencyName])
}
Expand All @@ -80,6 +74,9 @@ func TestBuildImpactPaths(t *testing.T) {
FixedVersions: []string{"1.2.3"},
Cpes: []string{"cpe:/o:vendor:product:1.2.3"},
},
"dep2": {
FixedVersions: []string{"3.0.0"},
},
},
},
},
Expand Down Expand Up @@ -120,14 +117,46 @@ func TestBuildImpactPaths(t *testing.T) {
},
},
},
{
Id: "dep7",
Nodes: []*xrayUtils.GraphNode{
{
Id: "dep4",
Nodes: []*xrayUtils.GraphNode{
{
Id: "dep2",
Nodes: []*xrayUtils.GraphNode{},
},
{
Id: "dep5",
Nodes: []*xrayUtils.GraphNode{},
},
{
Id: "dep6",
Nodes: []*xrayUtils.GraphNode{},
},
},
},
},
},
}

scanResult = BuildImpactPathsForScanResponse(scanResult, dependencyTrees)
// assert that the components were updated with impact paths
expectedImpactPaths := [][]services.ImpactPathNode{{{ComponentId: "dep1"}}}
assert.Equal(t, expectedImpactPaths, scanResult[0].Vulnerabilities[0].Components["dep1"].ImpactPaths)
expectedImpactPaths = [][]services.ImpactPathNode{{{ComponentId: "dep1"}, {ComponentId: "dep2"}}}
assert.Equal(t, expectedImpactPaths, scanResult[0].Violations[0].Components["dep2"].ImpactPaths)
reflect.DeepEqual(expectedImpactPaths, scanResult[0].Vulnerabilities[0].Components["dep2"].ImpactPaths[0])
expectedImpactPaths = [][]services.ImpactPathNode{{{ComponentId: "dep7"}, {ComponentId: "dep4"}, {ComponentId: "dep2"}}}
reflect.DeepEqual(expectedImpactPaths, scanResult[0].Vulnerabilities[0].Components["dep2"].ImpactPaths[1])
expectedImpactPaths = [][]services.ImpactPathNode{{{ComponentId: "dep1"}}}
reflect.DeepEqual(expectedImpactPaths, scanResult[0].Violations[0].Components["dep1"].ImpactPaths)
expectedImpactPaths = [][]services.ImpactPathNode{{{ComponentId: "dep1"}, {ComponentId: "dep2"}}}
reflect.DeepEqual(expectedImpactPaths, scanResult[0].Violations[0].Components["dep2"].ImpactPaths[0])
expectedImpactPaths = [][]services.ImpactPathNode{{{ComponentId: "dep7"}, {ComponentId: "dep4"}, {ComponentId: "dep2"}}}
reflect.DeepEqual(expectedImpactPaths, scanResult[0].Violations[0].Components["dep2"].ImpactPaths[1])
expectedImpactPaths = [][]services.ImpactPathNode{{{ComponentId: "dep7"}, {ComponentId: "dep4"}, {ComponentId: "dep2"}}}
reflect.DeepEqual(expectedImpactPaths, scanResult[0].Violations[0].Components["dep2"].ImpactPaths)
expectedImpactPaths = [][]services.ImpactPathNode{{{ComponentId: "dep1"}, {ComponentId: "dep2"}, {ComponentId: "dep3"}}}
assert.Equal(t, expectedImpactPaths, scanResult[0].Licenses[0].Components["dep3"].ImpactPaths)
reflect.DeepEqual(expectedImpactPaths, scanResult[0].Licenses[0].Components["dep3"].ImpactPaths)
}
6 changes: 3 additions & 3 deletions xray/commands/curation/curationaudit.go
Original file line number Diff line number Diff line change
Expand Up @@ -199,7 +199,7 @@ func (ca *CurationAuditCommand) auditTree(tech coreutils.Technology, results map
}
// Validate the graph isn't empty.
if len(fullDependenciesTree) == 0 {
return errorutils.CheckErrorf("found no dependencies for the audited project using '%v' as the package manager", tech.ToString())
return errorutils.CheckErrorf("found no dependencies for the audited project using '%v' as the package manager", tech.String())
}
if err = ca.SetRepo(tech); err != nil {
return err
Expand Down Expand Up @@ -333,7 +333,7 @@ func (ca *CurationAuditCommand) SetRepo(tech coreutils.Technology) error {
}
ca.setPackageManagerConfig(resolverParams)
default:
return errorutils.CheckErrorf(errorTemplateUnsupportedTech, tech.ToString())
return errorutils.CheckErrorf(errorTemplateUnsupportedTech, tech.String())
}
return nil
}
Expand Down Expand Up @@ -502,7 +502,7 @@ func makeLegiblePolicyDetails(explanation, recommendation string) (string, strin

func getUrlNameAndVersionByTech(tech coreutils.Technology, nodeId, artiUrl, repo string) (downloadUrl string, name string, scope string, version string) {
if tech == coreutils.Npm {
return getNpmNameScopeAndVersion(nodeId, artiUrl, repo, coreutils.Npm.ToString())
return getNpmNameScopeAndVersion(nodeId, artiUrl, repo, coreutils.Npm.String())
}
return
}
Expand Down
Loading

0 comments on commit f3f76b6

Please sign in to comment.