pull dev

jfrog · Sep 4, 2023 · 688e693 · 688e693
2 parents ccb508c + 49b48ba
commit 688e693
Show file tree

Hide file tree

Showing 30 changed files with 1,995 additions and 744 deletions.
diff --git a/go.mod b/go.mod
@@ -94,7 +94,7 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-replace github.com/jfrog/jfrog-client-go => github.com/eyaldelarea/jfrog-client-go v1.28.4-0.20230903070657-5e95ddc4e0e1
+replace github.com/jfrog/jfrog-client-go => github.com/eyaldelarea/jfrog-client-go v1.28.4-0.20230904072239-1e6715ddfa46
 
 replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230831151231-e5e7bd035ddc
 

diff --git a/go.sum b/go.sum
@@ -100,8 +100,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/eyaldelarea/jfrog-client-go v1.28.4-0.20230903070657-5e95ddc4e0e1 h1:X/ltOWcM0+dhYQ0XRJjsNkEzzDXaGC+DLZGov6Z7t3E=
-github.com/eyaldelarea/jfrog-client-go v1.28.4-0.20230903070657-5e95ddc4e0e1/go.mod h1:uUnMrqHX7Xi+OCaZEE4b3BtsmGeOSCB7XqaEWVXEH/E=
+github.com/eyaldelarea/jfrog-client-go v1.28.4-0.20230904072239-1e6715ddfa46 h1:9IqNDt2xaBhzyFXILsC5xaKQZUDT6Rx5UmStDtpTPTE=
+github.com/eyaldelarea/jfrog-client-go v1.28.4-0.20230904072239-1e6715ddfa46/go.mod h1:uUnMrqHX7Xi+OCaZEE4b3BtsmGeOSCB7XqaEWVXEH/E=
 github.com/forPelevin/gomoji v1.1.8 h1:JElzDdt0TyiUlecy6PfITDL6eGvIaxqYH1V52zrd0qQ=
 github.com/forPelevin/gomoji v1.1.8/go.mod h1:8+Z3KNGkdslmeGZBC3tCrwMrcPy5GRzAD+gL9NAwMXg=
 github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY=

diff --git a/xray/audit/jas/applicabilitymanager.go b/xray/audit/jas/applicabilitymanager.go
@@ -1,6 +1,9 @@
 package jas
 
 import (
+	"path/filepath"
+	"strings"
+
 	"github.com/jfrog/gofrog/datastructures"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 	"github.com/jfrog/jfrog-cli-core/v2/xray/utils"
@@ -10,7 +13,6 @@ import (
 	"github.com/owenrumney/go-sarif/v2/sarif"
 	"golang.org/x/exp/maps"
 	"golang.org/x/exp/slices"
-	"strings"
 )
 
 const (
@@ -28,7 +30,7 @@ const (
 // bool: true if the user is entitled to the applicability scan, false otherwise.
 // error: An error object (if any).
 func getApplicabilityScanResults(xrayResults []scan.ScanResponse, directDependencies []string,
-	scannedTechnologies []coreutils.Technology, scanner *AdvancedSecurityScanner) (results map[string]string, err error) {
+	scannedTechnologies []coreutils.Technology, scanner *AdvancedSecurityScanner) (results map[string]utils.ApplicabilityStatus, err error) {
 	applicabilityScanManager := newApplicabilityScanManager(xrayResults, directDependencies, scanner)
 	if !applicabilityScanManager.shouldRunApplicabilityScan(scannedTechnologies) {
 		log.Debug("The technologies that have been scanned are currently not supported for contextual analysis scanning, or we couldn't find any vulnerable direct dependencies. Skipping....")
@@ -43,16 +45,16 @@ func getApplicabilityScanResults(xrayResults []scan.ScanResponse, directDependen
 }
 
 type ApplicabilityScanManager struct {
-	applicabilityScanResults map[string]string
-	directDependenciesCves   *datastructures.Set[string]
+	applicabilityScanResults map[string]utils.ApplicabilityStatus
+	directDependenciesCves   []string
 	xrayResults              []scan.ScanResponse
 	scanner                  *AdvancedSecurityScanner
 }
 
 func newApplicabilityScanManager(xrayScanResults []scan.ScanResponse, directDependencies []string, scanner *AdvancedSecurityScanner) (manager *ApplicabilityScanManager) {
 	directDependenciesCves := extractDirectDependenciesCvesFromScan(xrayScanResults, directDependencies)
 	return &ApplicabilityScanManager{
-		applicabilityScanResults: map[string]string{},
+		applicabilityScanResults: map[string]utils.ApplicabilityStatus{},
 		directDependenciesCves:   directDependenciesCves,
 		xrayResults:              xrayScanResults,
 		scanner:                  scanner,
@@ -61,7 +63,7 @@ func newApplicabilityScanManager(xrayScanResults []scan.ScanResponse, directDepe
 
 // This function gets a list of xray scan responses that contain direct and indirect vulnerabilities and returns only direct
 // vulnerabilities of the scanned project, ignoring indirect vulnerabilities
-func extractDirectDependenciesCvesFromScan(xrayScanResults []scan.ScanResponse, directDependencies []string) *datastructures.Set[string] {
+func extractDirectDependenciesCvesFromScan(xrayScanResults []scan.ScanResponse, directDependencies []string) []string {
 	directsCves := datastructures.MakeSet[string]()
 	for _, scanResult := range xrayScanResults {
 		for _, vulnerability := range scanResult.Vulnerabilities {
@@ -84,7 +86,7 @@ func extractDirectDependenciesCvesFromScan(xrayScanResults []scan.ScanResponse,
 		}
 	}
 
-	return directsCves
+	return directsCves.ToSlice()
 }
 
 func isDirectComponents(components []string, directDependencies []string) bool {
@@ -108,16 +110,18 @@ func (a *ApplicabilityScanManager) Run(wd string) (err error) {
 	if err = a.runAnalyzerManager(); err != nil {
 		return
 	}
-	var workingDirResults map[string]string
-	workingDirResults, err = a.getScanResults()
+	var workingDirResults map[string]utils.ApplicabilityStatus
+	if workingDirResults, err = a.getScanResults(); err != nil {
+		return
+	}
 	for cve, result := range workingDirResults {
 		a.applicabilityScanResults[cve] = result
 	}
 	return
 }
 
 func (a *ApplicabilityScanManager) directDependenciesExist() bool {
-	return a.directDependenciesCves.Size() > 0
+	return len(a.directDependenciesCves) > 0
 }
 
 func (a *ApplicabilityScanManager) shouldRunApplicabilityScan(technologies []coreutils.Technology) bool {
@@ -145,7 +149,7 @@ func (a *ApplicabilityScanManager) createConfigFile(workingDir string) error {
 				Output:       a.scanner.resultsFileName,
 				Type:         applicabilityScanType,
 				GrepDisable:  false,
-				CveWhitelist: a.directDependenciesCves.ToSlice(),
+				CveWhitelist: a.directDependenciesCves,
 				SkippedDirs:  skippedDirs,
 			},
 		},
@@ -156,40 +160,39 @@ func (a *ApplicabilityScanManager) createConfigFile(workingDir string) error {
 // Runs the analyzerManager app and returns a boolean to indicate whether the user is entitled for
 // advance security feature
 func (a *ApplicabilityScanManager) runAnalyzerManager() error {
-	return a.scanner.analyzerManager.Exec(a.scanner.configFileName, applicabilityScanCommand, a.scanner.serverDetails)
+	return a.scanner.analyzerManager.Exec(a.scanner.configFileName, applicabilityScanCommand, filepath.Dir(a.scanner.analyzerManager.AnalyzerManagerFullPath), a.scanner.serverDetails)
 }
 
-func (a *ApplicabilityScanManager) getScanResults() (map[string]string, error) {
-	report, err := sarif.Open(a.scanner.resultsFileName)
-	if errorutils.CheckError(err) != nil {
-		return nil, err
-	}
-	var fullVulnerabilitiesList []*sarif.Result
-	if len(report.Runs) > 0 {
-		fullVulnerabilitiesList = report.Runs[0].Results
+func (a *ApplicabilityScanManager) getScanResults() (applicabilityResults map[string]utils.ApplicabilityStatus, err error) {
+	applicabilityResults = make(map[string]utils.ApplicabilityStatus, len(a.directDependenciesCves))
+	for _, cve := range a.directDependenciesCves {
+		applicabilityResults[cve] = utils.ApplicabilityUndetermined
 	}
 
-	applicabilityScanResults := make(map[string]string)
-	for _, cve := range a.directDependenciesCves.ToSlice() {
-		applicabilityScanResults[cve] = utils.ApplicabilityUndeterminedStringValue
+	report, err := sarif.Open(a.scanner.resultsFileName)
+	if errorutils.CheckError(err) != nil || len(report.Runs) == 0 {
+		return
 	}
-
-	for _, vulnerability := range fullVulnerabilitiesList {
-		applicableVulnerabilityName := getVulnerabilityName(*vulnerability.RuleID)
-		if isVulnerabilityApplicable(vulnerability) {
-			applicabilityScanResults[applicableVulnerabilityName] = utils.ApplicableStringValue
-		} else {
-			applicabilityScanResults[applicableVulnerabilityName] = utils.NotApplicableStringValue
+	// Applicability results contains one run only
+	for _, sarifResult := range report.Runs[0].Results {
+		cve := getCveFromRuleId(*sarifResult.RuleID)
+		if _, exists := applicabilityResults[cve]; !exists {
+			err = errorutils.CheckErrorf("received unexpected CVE: '%s' from RuleID: '%s' that does not exists on the requested CVEs list", cve, *sarifResult.RuleID)
+			return
 		}
+		applicabilityResults[cve] = resultKindToApplicabilityStatus(sarifResult.Kind)
 	}
-	return applicabilityScanResults, nil
+	return
 }
 
 // Gets a result of one CVE from the scanner, and returns true if the CVE is applicable, false otherwise
-func isVulnerabilityApplicable(result *sarif.Result) bool {
-	return !(result.Kind != nil && *result.Kind == "pass")
+func resultKindToApplicabilityStatus(kind *string) utils.ApplicabilityStatus {
+	if !(kind != nil && *kind == "pass") {
+		return utils.Applicable
+	}
+	return utils.NotApplicable
 }
 
-func getVulnerabilityName(sarifRuleId string) string {
+func getCveFromRuleId(sarifRuleId string) string {
 	return strings.TrimPrefix(sarifRuleId, "applic_")
 }