From 5402418111e3c04628a2f2a2cf6bd2eb029414e3 Mon Sep 17 00:00:00 2001
From: Assaf Attias <49212512+attiasas@users.noreply.github.com>
Date: Sun, 15 Sep 2024 17:00:34 +0300
Subject: [PATCH] Add option to skip auto fix in Frogbot scan repository (#751)
---
 scanrepository/scanrepository.go | 4 +++-
 utils/consts.go | 1 +
 utils/params.go | 6 ++++++
 utils/params_test.go | 4 ++++
 4 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/scanrepository/scanrepository.go b/scanrepository/scanrepository.go
index 0abaa2873..8cf0183f9 100644
--- a/scanrepository/scanrepository.go
+++ b/scanrepository/scanrepository.go
@@ -176,7 +176,9 @@ func (cfp *ScanRepositoryCmd) scanAndFixProject(repository *utils.Repository) er
 }
 vulnerabilitiesByPathMap[fullPathWd] = currPathVulnerabilities
 }
- if fixNeeded {
+ if repository.DetectionOnly {
+ log.Info(fmt.Sprintf("This command is running in detection mode only. To enable automatic fixing of issues, set the '%s' environment variable to 'false'.", utils.DetectionOnlyEnv))
+ } else if fixNeeded {
 return cfp.fixVulnerablePackages(repository, vulnerabilitiesByPathMap)
 }
 return nil
diff --git a/utils/consts.go b/utils/consts.go
index 529a2c62e..4e1e005f9 100644
--- a/utils/consts.go
+++ b/utils/consts.go
@@ -60,6 +60,7 @@ const (
 DepsRepoEnv = "JF_DEPS_REPO"
 MinSeverityEnv = "JF_MIN_SEVERITY"
 FixableOnlyEnv = "JF_FIXABLE_ONLY"
+ DetectionOnlyEnv = "JF_SKIP_AUTOFIX"
 AllowedLicensesEnv = "JF_ALLOWED_LICENSES"
 WatchesDelimiter = ","
diff --git a/utils/params.go b/utils/params.go
index 02fa1190c..689b9edca 100644
--- a/utils/params.go
+++ b/utils/params.go
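Review bot: The new `if repository.DetectionOnly` branch logs the detection-only message on every run where the flag is set, including runs where `fixNeeded` is false and no fix would have been attempted anyway, and the message's advice to set the variable to 'false' does not match how utils/params.go reads it (the env is consulted only while the flag is still false, so 'false' cannot turn off a YAML-enabled `skipAutoFix`). Reordering the condition to `if fixNeeded && repository.DetectionOnly {` keeps the message tied to fixes that were actually skipped, and wording it as "unset the '%s' environment variable and the skipAutoFix setting" would describe what actually re-enables fixing. Since this log line is the only trace that remediation was deliberately withheld, including `len(vulnerabilitiesByPathMap)` in it would let an operator see how many projects were left unfixed. scanAndFixProject starts and ends outside the hunk.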
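Review bot: `DetectionOnlyEnv` is bound to the value "JF_SKIP_AUTOFIX", and the same split recurs in utils/params.go, where the struct field `DetectionOnly` carries the tag `yaml:"skipAutoFix"`, so a reader grepping for either name will not find the other. Unlike `FixableOnlyEnv`/`JF_FIXABLE_ONLY` on the line above, the identifier and the user-facing key disagree. Either rename the constant and field to `SkipAutoFixEnv`/`SkipAutoFix`, or add a comment above the new line such as `// DetectionOnlyEnv (JF_SKIP_AUTOFIX, yaml key skipAutoFix): when true, detected issues are not auto-fixed.` so the three spellings are tied together in one place.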
@@ -132,6 +132,7 @@ func (p *Project) setDefaultsIfNeeded() error {
 type Scan struct {
 IncludeAllVulnerabilities bool `yaml:"includeAllVulnerabilities,omitempty"`
 FixableOnly bool `yaml:"fixableOnly,omitempty"`
+ DetectionOnly bool `yaml:"skipAutoFix,omitempty"`
 FailOnSecurityIssues *bool `yaml:"failOnSecurityIssues,omitempty"`
 AvoidPreviousPrCommentsDeletion bool `yaml:"avoidPreviousPrCommentsDeletion,omitempty"`
 MinSeverity string `yaml:"minSeverity,omitempty"`
@@ -193,6 +194,11 @@ func (s *Scan) setDefaultsIfNeeded() (err error) {
 return
 }
 }
+ if !s.DetectionOnly {
+ if s.DetectionOnly, err = getBoolEnv(DetectionOnlyEnv, false); err != nil {
+ return
+ }
+ }
 if s.FailOnSecurityIssues == nil {
 var failOnSecurityIssues bool
 if failOnSecurityIssues, err = getBoolEnv(FailOnSecurityIssuesEnv, true); err != nil {
diff --git a/utils/params_test.go b/utils/params_test.go
index e3db1ef0a..456e7437d 100644
--- a/utils/params_test.go
+++ b/utils/params_test.go
@@ -166,6 +166,7 @@ func TestExtractAndAssertRepoParams(t *testing.T) {
 GitEmailAuthorEnv: "myemail@jfrog.com",
 MinSeverityEnv: "high",
 FixableOnlyEnv: "true",
+ DetectionOnlyEnv: "true",
 AllowedLicensesEnv: "MIT, Apache-2.0, ISC",
 AvoidExtraMessages: "true",
 })
@@ -195,6 +196,7 @@ func TestExtractAndAssertRepoParams(t *testing.T) {
 assert.Equal(t, "this is my branch {BRANCH_NAME_HASH}", templates.branchNameTemplate)
 assert.Equal(t, "High", repo.MinSeverity)
 assert.True(t, repo.FixableOnly)
+ assert.True(t, repo.DetectionOnly)
 assert.Equal(t, true, repo.AggregateFixes)
 assert.Equal(t, "myemail@jfrog.com", repo.EmailAuthor)
 assert.Equal(t, "build 1323", repo.PullRequestCommentTitle)
@@ -347,6 +349,7 @@ func TestGenerateConfigAggregatorFromEnv(t *testing.T) {
 FailOnSecurityIssuesEnv: "false",
 MinSeverityEnv: "medium",
 FixableOnlyEnv: "true",
+ DetectionOnlyEnv: "true",
 AllowedLicensesEnv: "MIT, Apache-2.0",
 AvoidExtraMessages: "true",
 PullRequestCommentTitleEnv: "build 1323",
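Review bot: The new block consults `DetectionOnlyEnv` only while `s.DetectionOnly` is still false, so the environment can switch detection-only mode on but can never switch it off once the configuration sets `skipAutoFix: true`; that is presumably the same precedence the neighbouring flags use, but nothing in the code says so. A one-line comment above `if !s.DetectionOnly {`, such as `// JF_SKIP_AUTOFIX can only enable detection-only mode; a true value from the config file is never overridden.`, would spare the next reader from re-deriving it. Because getBoolEnv is called with a false default, an unset variable leaves the configured value unchanged, which is worth stating in the same comment. setDefaultsIfNeeded starts and ends outside this hunk.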
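Review bot: The new test lines here and in the hunks at old lines 195, 347 and 389 cover only `DetectionOnlyEnv: "true"`; there is no case asserting that `repo.DetectionOnly` stays false when the variable is unset, and none checking how a non-boolean value is handled (whether getBoolEnv's error propagates or the flag silently defaults cannot be seen from this patch). Given that this flag disables the remediation step, the unset and invalid paths are the ones whose regressions would be quiet, so a second fixture without `DetectionOnlyEnv` plus `assert.False(t, repo.DetectionOnly)` would be worth adding. TestExtractAndAssertRepoParams starts outside the hunk.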
@@ -389,6 +392,7 @@ func validateBuildRepoAggregator(t *testing.T, repo *Repository, gitParams *Git,
 assert.Equal(t, false, *repo.FailOnSecurityIssues)
 assert.Equal(t, "Medium", repo.MinSeverity)
 assert.Equal(t, true, repo.FixableOnly)
+ assert.Equal(t, true, repo.DetectionOnly)
 assert.ElementsMatch(t, []string{"MIT", "Apache-2.0"}, repo.AllowedLicenses)
 assert.Equal(t, gitParams.RepoOwner, repo.RepoOwner)
 assert.Equal(t, gitParams.Token, repo.Token)