Merge remote-tracking branch 'upstream/master' into jfrog-apps-config

.github/workflows/release.yml

@@ -27,7 +27,7 @@ jobs:
         run: npm run lint
 
       - name: Update version
-        run: echo ${{ github.event.release.tag_name }} | cut -c 11- | xargs npm version
+        run: echo ${{ github.event.release.tag_name }} | xargs npm version
 
       # Publish to marketplaces
       - name: Publish to VS marketplace

.github/workflows/test.yml

@@ -58,9 +58,6 @@ jobs:
         with:
           node-version: ${{ matrix.node }}
           check-latest: true
-
-      - name: Rebuild native modules
-        run: npm rebuild
 
       - name: Tests on macOS, Windows
         env:

.vscodeignore

@@ -3,7 +3,6 @@
 out/test/**
 src/**
 node_modules/**
-!node_modules/keytar
 .gitignore
 **/tsconfig.json
 **/tslint.json

README.md

@@ -24,8 +24,10 @@
     - [General](#general)
     - [Software Composition Analysis (SCA)](#software-composition-analysis)
     - [CVE Research and Enrichment](#cve-research-and-enrichment)
+    - [Static Application Security Testing (SAST)](#static-application-security-testing-sast)
     - [Vulnerability Contextual Analysis](#vulnerability-contextual-analysis)
     - [Secrets Detection](#secrets-detection)
+    - [Infrastructure as Code (IaC) Scan](#infrastructure-as-code-iac-scan) 
 - [The CI View](#the-ci-view)
     - [How Does It Work?](#how-does-it-work)
     - [Setting Up Your CI Pipeline](#setting-up-your-ci-pipeline)
@@ -80,10 +82,15 @@ Check out what our research team is up to and stay updated on newly discovered i
 
 <details>
   <summary>Vulnerability Contextual Analysis</summary>
-Uses the code context to eliminate false positive reports on vulnerable dependencies that are not applicable to the code. 
+Uses the code context to eliminate false positive reports on vulnerable dependencies that are not applicable to the code.
 Vulnerability Contextual Analysis is currently supported for Python, Java and JavaScript code.
 </details>
 
+<details>
+  <summary>Static Application Security Testing (SAST)</summary>
+Provides fast and accurate security-focused engines that detect zero-day security vulnerabilities on your source code sensitive operations, while minimizing false positives.
+</details>
+
 <details>
   <summary>Secrets Detection</summary>
 Prevents the exposure of keys or credentials that are stored in your source code.
@@ -107,12 +114,13 @@ The extension also applies [JFrog File Spec JSON schema](https://raw.githubuserc
 #### 🛡️ Supported Packages
 | Features                                             | [Go](#go-projects) | [Maven](#maven-projects) | [npm](#npm-projects) | [Yarn v1](#yarn-v1-projects) | [Pypi](#pypi-projects) | [.NET](#net-projects) | [Terraform](#-infrastructure-as-code-(iac)-Scan) |
 |---------------------------------------------------|:----:|:------:|:-------:|:----:|:--------:|:-------:|:-------:|
-| [SCA](#-software-composition-analysis-sca)                                               |  ✅  |   ✅   |   ✅    |  ✅  |    ✅    |   ✅    |   ❌    |
-| [Upgrade vulnerable dependencies to fixed versions](#updating-dependencies) |  ✅  |   ✅   |   ✅    |  ✅  |    ✅    |   ✅    |   ❌    |
-| [Vulnerability Contextual Analysis](#-vulnerability-contextual-analysis)                               |  ❌  |    ✅   |   ✅    |  ✅  |    ✅    |   ❌    |   ❌    |
-| [Secrets Detection](#-secrets-detection)                          |  ✅  |   ✅   |   ✅    |  ✅  |    ✅    |   ✅    |✅    |
+| [SCA](#software-composition-analysis-sca)                                               |  ✅  |   ✅   |   ✅    |  ✅  |    ✅    |   ✅    |   ❌    |
+| [Upgrade vulnerable dependencies to fixed versions](#upgrade-vulnerable-dependencies-to-fixed-versions) |  ✅  |   ✅   |   ✅    |  ✅  |    ✅    |   ✅    |   ❌    |
+| [Vulnerability Contextual Analysis](#vulnerability-contextual-analysis)                               |  ❌  |    ✅   |   ✅    |  ✅  |    ✅    |   ❌    |   ❌    |
+| [Static Application Security Testing (SAST)](#static-application-security-testing-sast)                               |  ❌  |    ✅   |   ✅    |  ✅  |    ✅    |   ❌    |   ❌    |
+| [Secrets Detection](#secrets-detection)                          |  ✅  |   ✅   |   ✅    |  ✅  |    ✅    |   ✅    |✅    |
 | [Exclude dev dependencies](#exclude-development-dependencies-during-scan)                          |  ❌  |   ❌   |   ✅    |  ❌  |    ❌    |   ❌    |   ❌    |
-| [Infrastructure as Code (IaC) Scan](#-infrastructure-as-code-(iac)-Scan)                          |  ❌  |   ❌   |   ❌    |  ❌  |    ❌    |   ❌    |   ✅     |
+| [Infrastructure as Code (IaC) Scan](#infrastructure-as-code-iac-scan)                          |  ❌  |   ❌   |   ❌    |  ❌  |    ❌    |   ❌    |   ✅     |
 
 ## Getting Started
 
@@ -254,9 +262,6 @@ Clicking on a CVE in the list will open the location with the issue in the edito
 ![Impact_Graph](resources/readme/preview/impactGraph.png)
 ![Public_Resources](resources/readme/preview/publicDetails.png)
 
-Update a vulnerable direct dependency to a fixed version directly from the vulnerable location at the editor using quick fix
-![Set_Fixed_Version](resources/readme/preview/updateQuickFix.png)
-
 When Xray watches are enabled and a vulnerability is detected, a closed eye icon will appear next to the vulnerability line in the JFrog extension. By clicking on this icon, you can initiate the process of creating an [Ignore Rule](https://www.jfrog.com/confluence/display/JFROG/Ignore+Rules) in Xray.
 ![Ignore_Rule](resources/readme/preview/ignoreRule.png)
 
@@ -282,6 +287,24 @@ Xray automatically validates some high and very high impact vulnerabilities, suc
 
 ![Contextual_Analysis](resources/readme/preview/contextualDetails.png)
 
+### Upgrade vulnerable dependencies to fixed versions
+Update a vulnerable direct dependency to a fixed version directly from the vulnerable location at the editor using quick fix
+![Set_Fixed_Version](resources/readme/preview/updateQuickFix.png)
+
+### Static Application Security Testing (SAST)
+> **_NOTE:_**  Static Application Security Testing (SAST) requires Xray version 3.66.5 or above and Enterprise X / Enterprise+ subscription with Advanced DevSecOps.
+
+JFrog SAST scans mainly for specific sensitive operations (DB queries, OS commands, outgoing connection destinations, etc) that can be controlled by an external attacker without proper sanitation injections such as: SQL injections, Command injections, Code injections and SSRF.
+It also detects cases when certain APIs (encryption, cryptographic signing, file operations, etc.) are used with parameters or under circumstances that render the API use unsafe.
+
+SAST findings are presented in a way that will help you easily locate the vulnerable data flow in your code. The data is represented within an easy-to-use interface that enables you to track each vulnerability in the code and provides the following information per vulnerability:
+
+* **Data Flow Analysis**: Provides information on the overall code flow and the different entry points of the vulnerability up to the execution point of the vulnerability. At JFrog we understand the developers need to see the entire picture of their code, rather than just providing the specific vulnerability found in the code. With Data Analysis Flow you will be able to follow the entire lifecycle of the vulnerability.
+* **Fix Steps**: To help you fix the security issues, the JFrog security team provides you with detailed fixes and mitigation options for the vulnerabilities. Xray empowers you to make smart choices when creating the mitigation plan and choosing the paths with the highest return on investment.
+Along with the JFrog severity given, you can make informed decisions on what vulnerabilities are a priority to fix. For example, vulnerabilities with low JFrog security severity are considered less risky, as it would be very unlikely to exploit them in the real world, or the impact of the exploitation is low.
+
+![SAST](resources/readme/preview/sast.png)
+
 ### Secrets Detection
 > **_NOTE:_**  Secrets Detection requires Xray version 3.66.5 or above and Enterprise X / Enterprise+ subscription with Advanced DevSecOps.