Merge branch 'dev' into apps-config2

jfrog · Sep 12, 2023 · 333c55e · 333c55e
2 parents 64051d3 + 7931ffa
commit 333c55e
Show file tree

Hide file tree

Showing 6 changed files with 131 additions and 80 deletions.
diff --git a/xray/formats/conversion.go b/xray/formats/conversion.go
@@ -1,6 +1,7 @@
 package formats
 
 import (
+	"strconv"
 	"strings"
 )
 
@@ -145,7 +146,7 @@ func ConvertToSecretsTableRow(rows []SourceCodeRow) (tableRows []secretsTableRow
 		tableRows = append(tableRows, secretsTableRow{
 			severity:   rows[i].Severity,
 			file:       rows[i].File,
-			lineColumn: rows[i].LineColumn,
+			lineColumn: (strconv.Itoa(rows[i].StartLine) + ":" + strconv.Itoa(rows[i].StartColumn)),
 			text:       rows[i].Snippet,
 		})
 	}
@@ -157,7 +158,7 @@ func ConvertToIacTableRow(rows []SourceCodeRow) (tableRows []iacTableRow) {
 		tableRows = append(tableRows, iacTableRow{
 			severity:   rows[i].Severity,
 			file:       rows[i].File,
-			lineColumn: rows[i].LineColumn,
+			lineColumn: (strconv.Itoa(rows[i].StartLine) + ":" + strconv.Itoa(rows[i].StartColumn)),
 			text:       rows[i].Snippet,
 		})
 	}
@@ -169,7 +170,7 @@ func ConvertToSastTableRow(rows []SourceCodeRow) (tableRows []sastTableRow) {
 		tableRows = append(tableRows, sastTableRow{
 			severity:   rows[i].Severity,
 			file:       rows[i].File,
-			lineColumn: rows[i].LineColumn,
+			lineColumn: (strconv.Itoa(rows[i].StartLine) + ":" + strconv.Itoa(rows[i].StartColumn)),
 			text:       rows[i].Snippet,
 		})
 	}

diff --git a/xray/formats/simplejsonapi.go b/xray/formats/simplejsonapi.go
@@ -77,15 +77,20 @@ type OperationalRiskViolationRow struct {
 type SourceCodeRow struct {
 	Severity         string `json:"severity"`
 	SeverityNumValue int    `json:"-"` // For sorting
-	SourceCodeLocationRow
-	Type     string                    `json:"type"`
-	CodeFlow [][]SourceCodeLocationRow `json:"codeFlow,omitempty"`
+	Location
+	Type               string       `json:"type"`
+	Finding            string       `json:"finding,omitempty"`
+	ScannerDescription string       `json:"scannerDescription,omitempty"`
+	CodeFlow           [][]Location `json:"codeFlow,omitempty"`
 }
 
-type SourceCodeLocationRow struct {
-	File       string `json:"file"`
-	LineColumn string `json:"lineColumn"`
-	Snippet    string `json:"snippet"`
+type Location struct {
+	File        string `json:"file"`
+	StartLine   int    `json:"startLine,omitempty"`
+	StartColumn int    `json:"startColumn,omitempty"`
+	EndLine     int    `json:"endLine,omitempty"`
+	EndColumn   int    `json:"endColumn,omitempty"`
+	Snippet     string `json:"snippet,omitempty"`
 }
 
 type ComponentRow struct {
@@ -101,13 +106,13 @@ type CveRow struct {
 }
 
 type Applicability struct {
-	Status             bool       `json:"status"`
+	Status             string     `json:"status"`
 	ScannerDescription string     `json:"scannerDescription,omitempty"`
 	Evidence           []Evidence `json:"evidence,omitempty"`
 }
 
 type Evidence struct {
-	SourceCodeLocationRow
+	Location
 	Reason string `json:"reason,omitempty"`
 }
 

diff --git a/xray/utils/analyzermanager.go b/xray/utils/analyzermanager.go
@@ -8,6 +8,7 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
+	"strings"
 
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
@@ -98,7 +99,7 @@ func (am *AnalyzerManager) Exec(configFile, scanCommand, workingDir string, serv
 
 func (am *AnalyzerManager) ExecWithOutputFile(configFile, scanCommand, workingDir, outputFile string, serverDetails *config.ServerDetails) (err error) {
 	if err = SetAnalyzerManagerEnvVariables(serverDetails); err != nil {
-		return err
+		return
 	}
 	var cmd *exec.Cmd
 	if len(outputFile) > 0 {
@@ -116,8 +117,11 @@ func (am *AnalyzerManager) ExecWithOutputFile(configFile, scanCommand, workingDi
 		}
 	}()
 	cmd.Dir = workingDir
-	err = cmd.Run()
-	return errorutils.CheckError(err)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		err = errorutils.CheckErrorf("running %q in directory: %q failed: %s - %s", strings.Join(cmd.Args, " "), workingDir, err.Error(), string(output))
+	}
+	return
 }
 
 func GetAnalyzerManagerDownloadPath() (string, error) {

diff --git a/xray/utils/resultstable.go b/xray/utils/resultstable.go
@@ -89,8 +89,10 @@ func prepareViolations(violations []services.Violation, extendedResults *Extende
 		case "security":
 			cves := convertCves(violation.Cves)
 			applicableValue := getApplicableCveValue(extendedResults, cves)
-			for _, cve := range cves {
-				cve.Applicability = getCveApplicability(cve, extendedResults.ApplicabilityScanResults)
+			if extendedResults.EntitledForJas {
+				for i := range cves {
+					cves[i].Applicability = getCveApplicability(cves[i], extendedResults.ApplicabilityScanResults)
+				}
 			}
 			currSeverity := GetSeverity(violation.Severity, applicableValue)
 			jfrogResearchInfo := convertJfrogResearchInformation(violation.ExtendedInformation)
@@ -209,8 +211,10 @@ func prepareVulnerabilities(vulnerabilities []services.Vulnerability, extendedRe
 		}
 		cves := convertCves(vulnerability.Cves)
 		applicableValue := getApplicableCveValue(extendedResults, cves)
-		for _, cve := range cves {
-			cve.Applicability = getCveApplicability(cve, extendedResults.ApplicabilityScanResults)
+		if extendedResults.EntitledForJas {
+			for i := range cves {
+				cves[i].Applicability = getCveApplicability(cves[i], extendedResults.ApplicabilityScanResults)
+			}
 		}
 		currSeverity := GetSeverity(vulnerability.Severity, applicableValue)
 		jfrogResearchInfo := convertJfrogResearchInformation(vulnerability.ExtendedInformation)
@@ -304,11 +308,15 @@ func prepareSecrets(secrets []*sarif.Run, isTable bool) []formats.SourceCodeRow
 				secretsRows = append(secretsRows,
 					formats.SourceCodeRow{
 						Severity:         currSeverity.printableTitle(isTable),
+						Finding:          GetResultMsgText(secret),
 						SeverityNumValue: currSeverity.numValue,
-						SourceCodeLocationRow: formats.SourceCodeLocationRow{
-							File:       GetLocationFileName(location),
-							LineColumn: GetStartLocationInFile(location),
-							Snippet:    GetLocationSnippet(location),
+						Location: formats.Location{
+							File:        GetLocationFileName(location),
+							StartLine:   GetLocationStartLine(location),
+							StartColumn: GetLocationStartColumn(location),
+							EndLine:     GetLocationEndLine(location),
+							EndColumn:   GetLocationEndColumn(location),
+							Snippet:     GetLocationSnippet(location),
 						},
 						Type: *secret.RuleID,
 					},
@@ -343,16 +351,25 @@ func prepareIacs(iacs []*sarif.Run, isTable bool) []formats.SourceCodeRow {
 	var iacRows []formats.SourceCodeRow
 	for _, iacRun := range iacs {
 		for _, iac := range iacRun.Results {
+			scannerDescription := ""
+			if rule, err := iacRun.GetRuleById(*iac.RuleID); err == nil {
+				scannerDescription = GetRuleFullDescription(rule)
+			}
 			currSeverity := GetSeverity(GetResultSeverity(iac), Applicable)
 			for _, location := range iac.Locations {
 				iacRows = append(iacRows,
 					formats.SourceCodeRow{
-						Severity:         currSeverity.printableTitle(isTable),
-						SeverityNumValue: currSeverity.numValue,
-						SourceCodeLocationRow: formats.SourceCodeLocationRow{
-							File:       GetLocationFileName(location),
-							LineColumn: GetStartLocationInFile(location),
-							Snippet:    GetResultMsgText(iac),
+						Severity:           currSeverity.printableTitle(isTable),
+						Finding:            GetResultMsgText(iac),
+						ScannerDescription: scannerDescription,
+						SeverityNumValue:   currSeverity.numValue,
+						Location: formats.Location{
+							File:        GetLocationFileName(location),
+							StartLine:   GetLocationStartLine(location),
+							StartColumn: GetLocationStartColumn(location),
+							EndLine:     GetLocationEndLine(location),
+							EndColumn:   GetLocationEndColumn(location),
+							Snippet:     GetLocationSnippet(location),
 						},
 						Type: *iac.RuleID,
 					},
@@ -386,18 +403,26 @@ func prepareSast(sasts []*sarif.Run, isTable bool) []formats.SourceCodeRow {
 	var sastRows []formats.SourceCodeRow
 	for _, sastRun := range sasts {
 		for _, sast := range sastRun.Results {
+			scannerDescription := ""
+			if rule, err := sastRun.GetRuleById(*sast.RuleID); err == nil {
+				scannerDescription = GetRuleFullDescription(rule)
+			}
 			currSeverity := GetSeverity(GetResultSeverity(sast), Applicable)
-
 			flows := toSourceCodeCodeFlowRow(sast.CodeFlows, isTable)
 			for _, location := range sast.Locations {
 				sastRows = append(sastRows,
 					formats.SourceCodeRow{
-						Severity:         currSeverity.printableTitle(isTable),
-						SeverityNumValue: currSeverity.numValue,
-						SourceCodeLocationRow: formats.SourceCodeLocationRow{
-							File:       GetLocationFileName(location),
-							LineColumn: GetStartLocationInFile(location),
-							Snippet:    GetResultMsgText(sast),
+						Severity:           currSeverity.printableTitle(isTable),
+						Finding:            GetResultMsgText(sast),
+						ScannerDescription: scannerDescription,
+						SeverityNumValue:   currSeverity.numValue,
+						Location: formats.Location{
+							File:        GetLocationFileName(location),
+							StartLine:   GetLocationStartLine(location),
+							StartColumn: GetLocationStartColumn(location),
+							EndLine:     GetLocationEndLine(location),
+							EndColumn:   GetLocationEndColumn(location),
+							Snippet:     GetLocationSnippet(location),
 						},
 						Type:     *sast.RuleID,
 						CodeFlow: flows,
@@ -414,19 +439,22 @@ func prepareSast(sasts []*sarif.Run, isTable bool) []formats.SourceCodeRow {
 	return sastRows
 }
 
-func toSourceCodeCodeFlowRow(flows []*sarif.CodeFlow, isTable bool) (flowRows [][]formats.SourceCodeLocationRow) {
+func toSourceCodeCodeFlowRow(flows []*sarif.CodeFlow, isTable bool) (flowRows [][]formats.Location) {
 	if isTable {
 		// Not displaying in table
 		return
 	}
 	for _, codeFlow := range flows {
 		for _, stackTrace := range codeFlow.ThreadFlows {
-			rowFlow := []formats.SourceCodeLocationRow{}
+			rowFlow := []formats.Location{}
 			for _, stackTraceEntry := range stackTrace.Locations {
-				rowFlow = append(rowFlow, formats.SourceCodeLocationRow{
-					File:       GetLocationFileName(stackTraceEntry.Location),
-					LineColumn: GetStartLocationInFile(stackTraceEntry.Location),
-					Snippet:    GetLocationSnippet(stackTraceEntry.Location),
+				rowFlow = append(rowFlow, formats.Location{
+					File:        GetLocationFileName(stackTraceEntry.Location),
+					StartLine:   GetLocationStartLine(stackTraceEntry.Location),
+					StartColumn: GetLocationStartColumn(stackTraceEntry.Location),
+					EndLine:     GetLocationEndLine(stackTraceEntry.Location),
+					EndColumn:   GetLocationEndColumn(stackTraceEntry.Location),
+					Snippet:     GetLocationSnippet(stackTraceEntry.Location),
 				})
 			}
 			flowRows = append(flowRows, rowFlow)
@@ -910,13 +938,13 @@ func getApplicableCveValue(extendedResults *ExtendedScanResults, xrayCves []form
 	finalApplicableValue := NotApplicable
 	for _, applicabilityRun := range extendedResults.ApplicabilityScanResults {
 		for _, cve := range xrayCves {
-			relatedResults := GetResultsByRuleId(applicabilityRun, GetRuleIdFromCveId(cve.Id))
+			relatedResults := GetResultsByRuleId(applicabilityRun, CveToApplicabilityRuleId(cve.Id))
 			if len(relatedResults) == 0 {
 				finalApplicableValue = ApplicabilityUndetermined
 			}
 			for _, relatedResult := range relatedResults {
 				cveExistsInResult = true
-				if isApplicableResult(relatedResult) {
+				if IsApplicableResult(relatedResult) {
 					return Applicable
 				}
 			}
@@ -928,37 +956,42 @@ func getApplicableCveValue(extendedResults *ExtendedScanResults, xrayCves []form
 	return ApplicabilityUndetermined
 }
 
-func getCveApplicability(cve formats.CveRow, applicabilityScanResults []*sarif.Run) (applicability *formats.Applicability) {
-	if len(applicabilityScanResults) == 0 {
-		return nil
-	}
+func getCveApplicability(cve formats.CveRow, applicabilityScanResults []*sarif.Run) *formats.Applicability {
+	applicability := &formats.Applicability{Status: string(ApplicabilityUndetermined)}
 	for _, applicabilityRun := range applicabilityScanResults {
-		description := ""
-		if relatedRule, _ := applicabilityRun.GetRuleById(GetRuleIdFromCveId(cve.Id)); relatedRule != nil {
-			description = GetRuleFullDescription(relatedRule)
-		}
-		relatedResult, _ := applicabilityRun.GetResultByRuleId(GetRuleIdFromCveId(cve.Id))
-		if relatedResult == nil {
+		foundResult, _ := applicabilityRun.GetResultByRuleId(CveToApplicabilityRuleId(cve.Id))
+		if foundResult == nil {
 			continue
 		}
-		// Set applicable details
-		applicability = &formats.Applicability{
-			Status:             isApplicableResult(relatedResult),
-			ScannerDescription: description,
+		applicability = &formats.Applicability{}
+		if IsApplicableResult(foundResult) {
+			applicability.Status = string(Applicable)
+		} else {
+			applicability.Status = string(NotApplicable)
 		}
+
+		foundRule, _ := applicabilityRun.GetRuleById(CveToApplicabilityRuleId(cve.Id))
+		if foundRule != nil {
+			applicability.ScannerDescription = GetRuleFullDescription(foundRule)
+		}
+
 		// Add new evidences from locations
-		for _, location := range relatedResult.Locations {
+		for _, location := range foundResult.Locations {
 			applicability.Evidence = append(applicability.Evidence, formats.Evidence{
-				SourceCodeLocationRow: formats.SourceCodeLocationRow{
-					File:       GetLocationFileName(location),
-					LineColumn: GetStartLocationInFile(location),
-					Snippet:    GetLocationSnippet(location),
+				Location: formats.Location{
+					File:        GetLocationFileName(location),
+					StartLine:   GetLocationStartLine(location),
+					StartColumn: GetLocationStartColumn(location),
+					EndLine:     GetLocationEndLine(location),
+					EndColumn:   GetLocationEndColumn(location),
+					Snippet:     GetLocationSnippet(location),
 				},
-				Reason: GetResultMsgText(relatedResult),
+				Reason: GetResultMsgText(foundResult),
 			})
 		}
+		break
 	}
-	return
+	return applicability
 }
 
 func printApplicableCveValue(applicableValue ApplicabilityStatus, isTable bool) string {

diff --git a/xray/utils/resultstable_test.go b/xray/utils/resultstable_test.go
@@ -462,7 +462,7 @@ func TestGetApplicableCveValue(t *testing.T) {
 			},
 			cves:           []services.Cve{{Id: "testCve2"}},
 			expectedResult: Applicable,
-			expectedCves:   []formats.CveRow{{Id: "testCve2", Applicability: &formats.Applicability{Status: true}}},
+			expectedCves:   []formats.CveRow{{Id: "testCve2", Applicability: &formats.Applicability{Status: string(Applicable)}}},
 		},
 		{
 			scanResults: &ExtendedScanResults{
@@ -490,7 +490,7 @@ func TestGetApplicableCveValue(t *testing.T) {
 			},
 			cves:           []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}},
 			expectedResult: NotApplicable,
-			expectedCves:   []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: false}}, {Id: "testCve2", Applicability: &formats.Applicability{Status: false}}},
+			expectedCves:   []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: string(NotApplicable)}}, {Id: "testCve2", Applicability: &formats.Applicability{Status: string(NotApplicable)}}},
 		},
 		{
 			scanResults: &ExtendedScanResults{
@@ -504,7 +504,7 @@ func TestGetApplicableCveValue(t *testing.T) {
 			},
 			cves:           []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}},
 			expectedResult: Applicable,
-			expectedCves:   []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: false}}, {Id: "testCve2", Applicability: &formats.Applicability{Status: true}}},
+			expectedCves:   []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: string(NotApplicable)}}, {Id: "testCve2", Applicability: &formats.Applicability{Status: string(Applicable)}}},
 		},
 		{
 			scanResults: &ExtendedScanResults{
@@ -514,7 +514,7 @@ func TestGetApplicableCveValue(t *testing.T) {
 				EntitledForJas: true},
 			cves:           []services.Cve{{Id: "testCve1"}, {Id: "testCve2"}},
 			expectedResult: ApplicabilityUndetermined,
-			expectedCves:   []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: false}}, {Id: "testCve2"}},
+			expectedCves:   []formats.CveRow{{Id: "testCve1", Applicability: &formats.Applicability{Status: string(NotApplicable)}}, {Id: "testCve2"}},
 		},
 	}