Add descriptor to results #73

Draft
wants to merge 17 commits into
base: dev
10 changes: 5 additions & 5 deletions artifactory_test.go
Expand Up @@ -15,9 +15,9 @@ import (

biutils "github.com/jfrog/build-info-go/utils"

"github.com/jfrog/jfrog-cli-security/jas"
securityTests "github.com/jfrog/jfrog-cli-security/tests"
securityTestUtils "github.com/jfrog/jfrog-cli-security/tests/utils"
"github.com/jfrog/jfrog-cli-security/utils"

"github.com/jfrog/jfrog-cli-core/v2/artifactory/commands/generic"
commonCommands "github.com/jfrog/jfrog-cli-core/v2/common/commands"
Expand Down Expand Up @@ -221,13 +221,13 @@ func TestDownloadAnalyzerManagerIfNeeded(t *testing.T) {
defer setEnvCallBack()

// Download
err := utils.DownloadAnalyzerManagerIfNeeded(0)
err := jas.DownloadAnalyzerManagerIfNeeded(0)
assert.NoError(t, err)

// Validate Analyzer manager app & checksum.sh2 file exist
path, err := utils.GetAnalyzerManagerDirAbsolutePath()
path, err := jas.GetAnalyzerManagerDirAbsolutePath()
assert.NoError(t, err)
amPath := filepath.Join(path, utils.GetAnalyzerManagerExecutableName())
amPath := filepath.Join(path, jas.GetAnalyzerManagerExecutableName())
exists, err := fileutils.IsFileExists(amPath, false)
assert.NoError(t, err)
assert.True(t, exists)
Expand All @@ -242,7 +242,7 @@ func TestDownloadAnalyzerManagerIfNeeded(t *testing.T) {
// Validate no second download occurred
firstFileStat, err := os.Stat(amPath)
assert.NoError(t, err)
err = utils.DownloadAnalyzerManagerIfNeeded(0)
err = jas.DownloadAnalyzerManagerIfNeeded(0)
assert.NoError(t, err)
secondFileStat, err := os.Stat(amPath)
assert.NoError(t, err)
41 changes: 3 additions & 38 deletions audit_test.go
Expand Up @@ -3,11 +3,9 @@ package main
import (
"encoding/json"
"fmt"
"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
"github.com/jfrog/jfrog-cli-security/formats"
"github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-cli-security/utils/formats"
xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
xscservices "github.com/jfrog/jfrog-client-go/xsc/services"

"os"
"os/exec"
"path/filepath"
Expand All @@ -21,9 +19,9 @@ import (
"github.com/jfrog/jfrog-cli-core/v2/common/format"
coreTests "github.com/jfrog/jfrog-cli-core/v2/utils/tests"

"github.com/jfrog/jfrog-cli-security/scangraph"
securityTests "github.com/jfrog/jfrog-cli-security/tests"
securityTestUtils "github.com/jfrog/jfrog-cli-security/tests/utils"
"github.com/jfrog/jfrog-cli-security/utils/xray/scangraph"
clientTests "github.com/jfrog/jfrog-client-go/utils/tests"
"github.com/jfrog/jfrog-client-go/xray/services"
)
Expand Down Expand Up @@ -526,39 +524,6 @@ func TestXrayRecursiveScan(t *testing.T) {
assert.Len(t, results, 2)
}

func TestXscAnalyticsForAudit(t *testing.T) {
securityTestUtils.InitSecurityTest(t, scangraph.GraphScanMinXrayVersion)
securityTestUtils.ValidateXscVersion(t, xscservices.AnalyticsMetricsMinXscVersion)
reportUsageCallBack := clientTests.SetEnvWithCallbackAndAssert(t, coreutils.ReportUsage, "true")
defer reportUsageCallBack()
// Scan npm project and verify that analytics general event were sent to XSC.
output := testAuditNpm(t, string(format.SimpleJson))
validateAnalyticsBasicEvent(t, output)
}

func validateAnalyticsBasicEvent(t *testing.T, output string) {
// Get MSI.
var results formats.SimpleJsonResults
err := json.Unmarshal([]byte(output), &results)
assert.NoError(t, err)

// Verify analytics metrics.
am := utils.NewAnalyticsMetricsService(securityTests.XscDetails)
assert.NotNil(t, am)
assert.NotEmpty(t, results.MultiScanId)
event, err := am.GetGeneralEvent(results.MultiScanId)
assert.NoError(t, err)

// Event creation and addition information.
assert.Equal(t, xscservices.CliProduct, event.Product)
assert.Equal(t, xscservices.CliEventType, event.EventType)
assert.NotEmpty(t, event.AnalyzerManagerVersion)
assert.NotEmpty(t, event.EventStatus)
// The information that was added after updating the event with the scan's results.
assert.NotEmpty(t, event.TotalScanDuration)
assert.True(t, event.TotalFindings > 0)
}

func TestAuditOnEmptyProject(t *testing.T) {
securityTestUtils.InitSecurityTest(t, scangraph.GraphScanMinXrayVersion)
tempDirPath, createTempDirCallback := coreTests.CreateTempDirWithCallbackAndAssert(t)
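Review bot: Removing `TestXscAnalyticsForAudit` and `validateAnalyticsBasicEvent` leaves the analytics path (`SetAnalyticsMetricsService`, `GetGeneralEvent`) with no integration test, while cli/scancommands.go in this same PR still wires `xsc.NewAnalyticsMetricsService` into the audit command. If the test was moved alongside the new `utils/xsc` package, say so in the PR description; otherwise re-add it against the new import paths (`utils/formats`, `utils/xray/scangraph`) so the XSC event contents stay covered. The enclosing `TestXrayRecursiveScan` starts before the second hunk.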
4 changes: 2 additions & 2 deletions buildscripts/download-jars.sh
Expand Up @@ -11,5 +11,5 @@ GRADLE_DEP_TREE_VERSION="3.0.2"
# Changing this version also requires a change in mavenDepTreeVersion within utils/java/mvn.go.
MAVEN_DEP_TREE_VERSION="1.1.1"

curl -fL https://releases.jfrog.io/artifactory/oss-release-local/com/jfrog/gradle-dep-tree/${GRADLE_DEP_TREE_VERSION}/gradle-dep-tree-${GRADLE_DEP_TREE_VERSION}.jar -o commands/audit/sca/java/resources/gradle-dep-tree.jar
curl -fL https://releases.jfrog.io/artifactory/oss-release-local/com/jfrog/maven-dep-tree/${MAVEN_DEP_TREE_VERSION}/maven-dep-tree-${MAVEN_DEP_TREE_VERSION}.jar -o commands/audit/sca/java/resources/maven-dep-tree.jar
curl -fL https://releases.jfrog.io/artifactory/oss-release-local/com/jfrog/gradle-dep-tree/${GRADLE_DEP_TREE_VERSION}/gradle-dep-tree-${GRADLE_DEP_TREE_VERSION}.jar -o technologies/java/resources/gradle-dep-tree.jar
curl -fL https://releases.jfrog.io/artifactory/oss-release-local/com/jfrog/maven-dep-tree/${MAVEN_DEP_TREE_VERSION}/maven-dep-tree-${MAVEN_DEP_TREE_VERSION}.jar -o techonologies/java/resources/maven-dep-tree.jar
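Review bot: The maven output path on the last line is misspelled `techonologies/java/resources/maven-dep-tree.jar`, while the gradle line just above writes to `technologies/java/resources/`; the maven jar will be written to a stray directory that the code under technologies/ presumably does not look at, so it should be `-o technologies/java/resources/maven-dep-tree.jar`. The comment above `MAVEN_DEP_TREE_VERSION` still points at `utils/java/mvn.go`; if that file moved with the rest of this restructuring, update the path there as well.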
46 changes: 46 additions & 0 deletions cli/appcommands.go
@@ -0,0 +1,46 @@
package cli

import (
commandsCommon "github.com/jfrog/jfrog-cli-core/v2/common/commands"
"github.com/jfrog/jfrog-cli-core/v2/plugins/components"
"github.com/jfrog/jfrog-cli-security/commands/app/detect"

flags "github.com/jfrog/jfrog-cli-security/cli/docs"
)

func getAppsCommands() []components.Command {
return []components.Command{
{
Name: "detect",
Flags: flags.GetCommandFlags(flags.Detect),
Description: "Detect the application security scan profile.",
Hidden: true,
Action: DetectCmd,
},
{
Name: "dependencies",
Flags: flags.GetCommandFlags(flags.Dependencies),
Description: "Get the application dependencies.",
Hidden: true,
Action: DependenciesCmd,
},
// {
// Name: "install",
// Flags: flags.GetCommandFlags(flags.Install),
// Description: "Install the application with supported package managers, apply curation if needed.",
// Hidden: true,
// Action: InstallCmd,
// },
}
}

func DetectCmd(c *components.Context) error {

serverDetails, err := createServerDetailsWithConfigOffer(c)
if err != nil {
return err
}
getScanProfileCmd := detect.NewDetectAppsCommand(serverDetails)

return commandsCommon.Exec(getScanProfileCmd)
}
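Review bot: `DependenciesCmd` is used as the Action of the `dependencies` command, but this new file only defines `DetectCmd`; unless it is defined in another file of package cli that is not part of this diff, the package will not build. `DetectCmd` is exported without a doc comment and has a stray blank line after its signature; add `// DetectCmd runs the app detect command against the server resolved from the CLI context.` and drop the blank line. The commented-out `install` entry in `getAppsCommands` should be removed or replaced by a one-line `// TODO: add install command` rather than left as dead code.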
7 changes: 7 additions & 0 deletions cli/cli.go
Expand Up @@ -16,5 +16,12 @@ func GetJfrogCliSecurityApp() components.App {
Commands: getXrayNameSpaceCommands(),
Category: "Command Namespaces",
})
app.Subcommands = append(app.Subcommands, components.Namespace{
Name: "app",
Description: "Application commands detect information about the user application.",
Hidden: true,
Commands: getAppsCommands(),
Category: "Command Namespaces",
})
return app
}
13 changes: 12 additions & 1 deletion cli/docs/flags.go
Expand Up @@ -7,7 +7,7 @@ import (
"github.com/jfrog/jfrog-cli-core/v2/common/cliutils"
pluginsCommon "github.com/jfrog/jfrog-cli-core/v2/plugins/common"
"github.com/jfrog/jfrog-cli-core/v2/plugins/components"
"github.com/jfrog/jfrog-cli-security/commands/audit/sca"
"github.com/jfrog/jfrog-cli-security/commands/scans/audit/sca"
"github.com/jfrog/jfrog-cli-security/commands/xray/offlineupdate"
)

Expand Down Expand Up @@ -107,6 +107,9 @@ const (
CurationOutput = "curation-format"
)

// TODO: create a func that gets all the flags that are used in: CreateServerDetailsFromFlags (from core)
// -> set them in every cmd that uses it (make sure with password stdin flag first in audit that is not defined in here but in method)

// Mapping between security commands (key) and their flags (key).
var commandFlags = map[string][]string{
XrCurl: {ServerId},
Expand Down Expand Up @@ -150,6 +153,14 @@ var commandFlags = map[string][]string{
},
}

func getAuditFlags() []string {
return []string{
url, user, password, accessToken, ServerId, InsecureTls, Project, Watches, RepoPath, Licenses, OutputFormat, ExcludeTestDeps,
useWrapperAudit, DepType, RequirementsFile, Fail, ExtendedTable, WorkingDirs, ExclusionsAudit, Mvn, Gradle, Npm,
Pnpm, Yarn, Go, Nuget, Pip, Pipenv, Poetry, MinSeverity, FixableOnly, ThirdPartyContextualAnalysis, Threads,
}
}

// Security Flag keys mapped to their corresponding components.Flag definition.
var flagsMap = map[string]components.Flag{
// Common commands flags
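Review bot: `getAuditFlags` is added but nothing in the visible hunks calls it; if it is meant to replace the `Audit` entry of `commandFlags` (whose definition starts before the second hunk), that entry should become `Audit: getAuditFlags(),`, otherwise the function is dead code that staticcheck will flag. The new TODO above the map is hard to act on as written; state the concrete goal, e.g. `// TODO: keep the server-connection flags (url, user, password, accessToken, ServerId, InsecureTls) in one shared list so every command that calls CreateServerDetailsFromFlags registers the same set; audit additionally handles the password-stdin flag in its own method.`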
32 changes: 18 additions & 14 deletions cli/scancommands.go
Expand Up @@ -2,10 +2,11 @@ package cli

import (
"fmt"
"github.com/jfrog/jfrog-cli-core/v2/utils/usage"
"os"
"strings"

"github.com/jfrog/jfrog-cli-core/v2/utils/usage"

"github.com/jfrog/jfrog-cli-core/v2/common/cliutils"
commandsCommon "github.com/jfrog/jfrog-cli-core/v2/common/commands"
outputFormat "github.com/jfrog/jfrog-cli-core/v2/common/format"
Expand All @@ -26,11 +27,14 @@ import (
dockerScanDocs "github.com/jfrog/jfrog-cli-security/cli/docs/scan/dockerscan"
scanDocs "github.com/jfrog/jfrog-cli-security/cli/docs/scan/scan"

"github.com/jfrog/jfrog-cli-security/commands/audit"
"github.com/jfrog/jfrog-cli-security/commands/curation"
"github.com/jfrog/jfrog-cli-security/commands/scan"
"github.com/jfrog/jfrog-cli-security/utils"
// appConfig "github.com/jfrog/jfrog-cli-security/commands/app/config"
"github.com/jfrog/jfrog-cli-security/commands/scans/audit"
"github.com/jfrog/jfrog-cli-security/commands/scans/binaryscan"
"github.com/jfrog/jfrog-cli-security/commands/scans/buildscan"
"github.com/jfrog/jfrog-cli-security/commands/scans/curation"
"github.com/jfrog/jfrog-cli-security/utils/severityutils"
"github.com/jfrog/jfrog-cli-security/utils/techutils"
"github.com/jfrog/jfrog-cli-security/utils/xsc"
)

const auditScanCategory = "Audit & Scan"
Expand Down Expand Up @@ -185,11 +189,11 @@ func ScanCmd(c *components.Context) error {
return err
}
pluginsCommon.FixWinPathsForFileSystemSourcedCmds(specFile, c)
minSeverity, err := utils.GetSeveritiesFormat(c.GetStringFlagValue(flags.MinSeverity))
minSeverity, err := severityutils.ParseSeverity(c.GetStringFlagValue(flags.MinSeverity), false)
if err != nil {
return err
}
scanCmd := scan.NewScanCommand().
scanCmd := binaryscan.NewScanCommand().
SetServerDetails(serverDetails).
SetThreads(threads).
SetSpec(specFile).
Expand Down Expand Up @@ -295,7 +299,7 @@ func BuildScan(c *components.Context) error {
if err != nil {
return err
}
buildScanCmd := scan.NewBuildScanCommand().
buildScanCmd := buildscan.NewBuildScanCommand().
SetServerDetails(serverDetails).
SetFailBuild(c.GetBoolFlagValue(flags.Fail)).
SetBuildConfiguration(buildConfiguration).
Expand Down Expand Up @@ -352,7 +356,7 @@ func reportErrorIfExists(err error, auditCmd *audit.AuditCommand) {
log.Debug(fmt.Sprintf("failed to get server details for error report: %q", innerError))
return
}
if reportError := utils.ReportError(serverDetails, err, "cli"); reportError != nil {
if reportError := xsc.ReportError(serverDetails, err, "cli"); reportError != nil {
log.Debug("failed to report error log:" + reportError.Error())
}
}
Expand All @@ -371,19 +375,19 @@ func createAuditCmd(c *components.Context) (*audit.AuditCommand, error) {
if err != nil {
return nil, err
}
minSeverity, err := utils.GetSeveritiesFormat(c.GetStringFlagValue(flags.MinSeverity))
minSeverity, err := severityutils.ParseSeverity(c.GetStringFlagValue(flags.MinSeverity), false)
if err != nil {
return nil, err
}
auditCmd.SetAnalyticsMetricsService(utils.NewAnalyticsMetricsService(serverDetails))
auditCmd.SetAnalyticsMetricsService(xsc.NewAnalyticsMetricsService(serverDetails))

auditCmd.SetTargetRepoPath(addTrailingSlashToRepoPathIfNeeded(c)).
SetProject(c.GetStringFlagValue(flags.Project)).
SetIncludeVulnerabilities(shouldIncludeVulnerabilities(c)).
SetIncludeLicenses(c.GetBoolFlagValue(flags.Licenses)).
SetFail(c.GetBoolFlagValue(flags.Fail)).
SetPrintExtendedTable(c.GetBoolFlagValue(flags.ExtendedTable)).
SetMinSeverityFilter(minSeverity).
SetMinSeverityFilter(minSeverity.String()).
SetFixableOnly(c.GetBoolFlagValue(flags.FixableOnly)).
SetThirdPartyApplicabilityScan(c.GetBoolFlagValue(flags.ThirdPartyContextualAnalysis))

Expand Down Expand Up @@ -482,12 +486,12 @@ func DockerScan(c *components.Context, image string) error {
if err != nil {
return err
}
containerScanCommand := scan.NewDockerScanCommand()
containerScanCommand := binaryscan.NewDockerScanCommand()
format, err := outputFormat.GetOutputFormat(c.GetStringFlagValue(flags.OutputFormat))
if err != nil {
return err
}
minSeverity, err := utils.GetSeveritiesFormat(c.GetStringFlagValue(flags.MinSeverity))
minSeverity, err := severityutils.ParseSeverity(c.GetStringFlagValue(flags.MinSeverity), false)
if err != nil {
return err
}
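Review bot: The bare `false` passed to `severityutils.ParseSeverity` in ScanCmd, createAuditCmd and DockerScan gives the reader no hint what it controls; name it at each call site with a local `const` matching ParseSeverity's parameter name, or add a trailing `// <what false means>` comment (confirm against severityutils before choosing the wording). createAuditCmd passes `minSeverity.String()` to `SetMinSeverityFilter`, while the ScanCmd and DockerScan hunks end before their use of `minSeverity`, so check that those setters accept the same type or convert consistently. The commented-out `appConfig` import in the import block should be dropped rather than left in place.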
80 changes: 80 additions & 0 deletions commands/app/dependencies/dependencies.go
@@ -0,0 +1,80 @@
package dependencies

import (
"fmt"
"os"

"github.com/jfrog/jfrog-cli-core/v2/utils/config"
"github.com/jfrog/jfrog-cli-security/utils/configs"
"github.com/jfrog/jfrog-client-go/utils/errorutils"
// "github.com/jfrog/jfrog-client-go/utils/log"
)

type DetectDependenciesParams struct {
Target *configs.ScanTarget
TargetConfig *configs.TargetTechConfig
}

type BuildDependencyTreeParams struct {
// General params
Descriptors []string `json:"descriptors,omitempty"`
IsInstalled bool `json:"isInstalled,omitempty"`
// Artifactory server details as a resolution repository target
ServerDetails *config.ServerDetails
Repository string `json:"artifactoryRepository,omitempty"`
// Curation params
ApplyCuration bool `json:"applyCuration,omitempty"`
CurationCacheFolder string `json:"curationCacheFolder,omitempty"`
// Specific package manager params
UseWrapper bool `json:"useWrapper,omitempty"`
CustomPipDependenciesFilePath string `json:"customPipDependenciesFilePath,omitempty"`
}

type DetectDependenciesCommand struct {
TargetConfig *configs.DetectTechParams



serverDetails *config.ServerDetails
params *DetectDependenciesParams


}

func NewDetectDependenciesCommand() *DetectDependenciesCommand {
return &DetectDependenciesCommand{}
}

func (ddCmd *DetectDependenciesCommand) CommandName() string {
return "dependencies"
}

func (ddCmd *DetectDependenciesCommand) ServerDetails() (*config.ServerDetails, error) {
return ddCmd.serverDetails, nil
}

func (ddCmd *DetectDependenciesCommand) Run() (err error) {
currentWorkingDir, err := os.Getwd()
if err != nil {
return errorutils.CheckError(err)
}
if err := os.Chdir(ddCmd.params.Target.Target); err != nil {
return errorutils.CheckError(err)
}
defer func() {
err = errorutils.CheckError(os.Chdir(currentWorkingDir))
}()
if treeResult.FlatTree == nil || len(treeResult.FlatTree.Nodes) == 0 {
return nil, errorutils.CheckErrorf("no dependencies were found. Please try to build your project and re-run the audit command")
}
}

func RunDetectTargetDependencies(target *configs.ScanTarget ,params *DetectDependenciesParams) (err error) {

treeResult, techErr := GetTechDependencyTree(params.AuditBasicParams, scan.Technology)
if techErr != nil {
return nil, fmt.Errorf("failed while building '%s' dependency tree:\n%s", scan.Technology, techErr.Error())
}

return nil
}
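Review bot: `Run` does not compile as written: `treeResult` is never declared in it and `return nil, errorutils.CheckErrorf(...)` returns two values from a single-result function; `RunDetectTargetDependencies` has the same problem and also references `params.AuditBasicParams`, `scan.Technology` and `GetTechDependencyTree`, none of which exist in this file or its imports, and its `target` parameter is unused. Independently of the WIP state, the deferred `os.Chdir` restore assigns the named `err` unconditionally, so an error from the body is replaced by whatever the restore returns (usually nil); only overwrite `err` when the body succeeded. `ddCmd.params` is never set by `NewDetectDependenciesCommand`, so `ddCmd.params.Target.Target` dereferences nil unless a setter outside this file populates it, and since `os.Chdir` changes the working directory of the whole process that side effect deserves a comment on `Run`. The `DetectDependenciesCommand` struct also carries stray blank lines that gofmt will not remove.

```go
func (ddCmd *DetectDependenciesCommand) Run() (err error) {
	// … unchanged: Getwd and Chdir into the target directory …
	defer func() {
		// Restore the caller's working directory without masking an error from the body.
		if cdErr := errorutils.CheckError(os.Chdir(currentWorkingDir)); cdErr != nil && err == nil {
			err = cdErr
		}
	}()
	// … unchanged: dependency-tree handling (still to be wired up) …
```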