Add option to skip auto fix in Frogbot scan repository (#751)

jfrog · Sep 15, 2024 · 5402418 · 5402418
1 parent 70e1046
commit 5402418
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 1 deletion.
diff --git a/scanrepository/scanrepository.go b/scanrepository/scanrepository.go
@@ -176,7 +176,9 @@ func (cfp *ScanRepositoryCmd) scanAndFixProject(repository *utils.Repository) er
 		}
 		vulnerabilitiesByPathMap[fullPathWd] = currPathVulnerabilities
 	}
-	if fixNeeded {
+	if repository.DetectionOnly {
+		log.Info(fmt.Sprintf("This command is running in detection mode only. To enable automatic fixing of issues, set the '%s' environment variable to 'false'.", utils.DetectionOnlyEnv))
+	} else if fixNeeded {
 		return cfp.fixVulnerablePackages(repository, vulnerabilitiesByPathMap)
 	}
 	return nil

diff --git a/utils/consts.go b/utils/consts.go
@@ -60,6 +60,7 @@ const (
 	DepsRepoEnv                        = "JF_DEPS_REPO"
 	MinSeverityEnv                     = "JF_MIN_SEVERITY"
 	FixableOnlyEnv                     = "JF_FIXABLE_ONLY"
+	DetectionOnlyEnv                   = "JF_SKIP_AUTOFIX"
 	AllowedLicensesEnv                 = "JF_ALLOWED_LICENSES"
 	WatchesDelimiter                   = ","
 

diff --git a/utils/params.go b/utils/params.go
@@ -132,6 +132,7 @@ func (p *Project) setDefaultsIfNeeded() error {
 type Scan struct {
 	IncludeAllVulnerabilities       bool      `yaml:"includeAllVulnerabilities,omitempty"`
 	FixableOnly                     bool      `yaml:"fixableOnly,omitempty"`
+	DetectionOnly                   bool      `yaml:"skipAutoFix,omitempty"`
 	FailOnSecurityIssues            *bool     `yaml:"failOnSecurityIssues,omitempty"`
 	AvoidPreviousPrCommentsDeletion bool      `yaml:"avoidPreviousPrCommentsDeletion,omitempty"`
 	MinSeverity                     string    `yaml:"minSeverity,omitempty"`
@@ -193,6 +194,11 @@ func (s *Scan) setDefaultsIfNeeded() (err error) {
 			return
 		}
 	}
+	if !s.DetectionOnly {
+		if s.DetectionOnly, err = getBoolEnv(DetectionOnlyEnv, false); err != nil {
+			return
+		}
+	}
 	if s.FailOnSecurityIssues == nil {
 		var failOnSecurityIssues bool
 		if failOnSecurityIssues, err = getBoolEnv(FailOnSecurityIssuesEnv, true); err != nil {

diff --git a/utils/params_test.go b/utils/params_test.go
@@ -166,6 +166,7 @@ func TestExtractAndAssertRepoParams(t *testing.T) {
 		GitEmailAuthorEnv:    "myemail@jfrog.com",
 		MinSeverityEnv:       "high",
 		FixableOnlyEnv:       "true",
+		DetectionOnlyEnv:     "true",
 		AllowedLicensesEnv:   "MIT, Apache-2.0, ISC",
 		AvoidExtraMessages:   "true",
 	})
@@ -195,6 +196,7 @@ func TestExtractAndAssertRepoParams(t *testing.T) {
 		assert.Equal(t, "this is my branch {BRANCH_NAME_HASH}", templates.branchNameTemplate)
 		assert.Equal(t, "High", repo.MinSeverity)
 		assert.True(t, repo.FixableOnly)
+		assert.True(t, repo.DetectionOnly)
 		assert.Equal(t, true, repo.AggregateFixes)
 		assert.Equal(t, "myemail@jfrog.com", repo.EmailAuthor)
 		assert.Equal(t, "build 1323", repo.PullRequestCommentTitle)
@@ -347,6 +349,7 @@ func TestGenerateConfigAggregatorFromEnv(t *testing.T) {
 		FailOnSecurityIssuesEnv:            "false",
 		MinSeverityEnv:                     "medium",
 		FixableOnlyEnv:                     "true",
+		DetectionOnlyEnv:                   "true",
 		AllowedLicensesEnv:                 "MIT, Apache-2.0",
 		AvoidExtraMessages:                 "true",
 		PullRequestCommentTitleEnv:         "build 1323",
@@ -389,6 +392,7 @@ func validateBuildRepoAggregator(t *testing.T, repo *Repository, gitParams *Git,
 	assert.Equal(t, false, *repo.FailOnSecurityIssues)
 	assert.Equal(t, "Medium", repo.MinSeverity)
 	assert.Equal(t, true, repo.FixableOnly)
+	assert.Equal(t, true, repo.DetectionOnly)
 	assert.ElementsMatch(t, []string{"MIT", "Apache-2.0"}, repo.AllowedLicenses)
 	assert.Equal(t, gitParams.RepoOwner, repo.RepoOwner)
 	assert.Equal(t, gitParams.Token, repo.Token)