Fix breaking changes after security PR (#746)

jfrog · Sep 4, 2024 · c1a62b7 · c1a62b7
1 parent 6dbb10a
commit c1a62b7
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 100 deletions.
diff --git a/go.mod b/go.mod
@@ -119,7 +119,8 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-// replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security dev
+// attiasas:dockerscan_sarif_imp
+replace github.com/jfrog/jfrog-cli-security => github.com/attiasas/jfrog-cli-security v0.0.0-20240904115644-bb15ff25795e
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev
 

diff --git a/go.sum b/go.sum
@@ -633,6 +633,8 @@ github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/attiasas/jfrog-cli-security v0.0.0-20240904115644-bb15ff25795e h1:6gfhwBjKr/MghP7ZwPFR1pvqg7mb//PdE5mCMk3vu/M=
+github.com/attiasas/jfrog-cli-security v0.0.0-20240904115644-bb15ff25795e/go.mod h1:4eztJ+gBb7Xtq/TtnOvIodBOMZutPIAZOuLxqHWXrOo=
 github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
@@ -901,8 +903,6 @@ github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYL
 github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
 github.com/jfrog/jfrog-cli-core/v2 v2.55.6 h1:3tQuEdYgS2q7fkrrSG66OnO0S998FXGaY9BVsxSLst4=
 github.com/jfrog/jfrog-cli-core/v2 v2.55.6/go.mod h1:DPO5BfWAeOByahFMMy+PcjmbPlcyoRy7Bf2C5sGKVi0=
-github.com/jfrog/jfrog-cli-security v1.7.2 h1:Kvabj/6LhM+WEb6woIqqbv2VmIj69IFwz859Sys1Tgs=
-github.com/jfrog/jfrog-cli-security v1.7.2/go.mod h1:4eztJ+gBb7Xtq/TtnOvIodBOMZutPIAZOuLxqHWXrOo=
 github.com/jfrog/jfrog-client-go v1.46.1 h1:ExqOF8ClOG9LO3vbm6jTIwQHHhprbu8lxB2RrM6mMI0=
 github.com/jfrog/jfrog-client-go v1.46.1/go.mod h1:UCu2JNBfMp9rypEmCL84DCooG79xWIHVadZQR3Ab+BQ=
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA=

diff --git a/utils/utils.go b/utils/utils.go
@@ -13,7 +13,6 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/jfrog/frogbot/v2/utils/outputwriter"
 	"github.com/jfrog/froggit-go/vcsclient"
 	"github.com/jfrog/gofrog/version"
 	"github.com/jfrog/jfrog-cli-core/v2/common/commands"
@@ -27,7 +26,6 @@ import (
 	"github.com/jfrog/jfrog-client-go/utils/errorutils"
 	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
-	"github.com/owenrumney/go-sarif/v2/sarif"
 )
 
 const (
@@ -47,9 +45,6 @@ const (
 	skipBuildToolDependencyMsg     = "Skipping vulnerable package %s since it is not defined in your package descriptor file. " +
 		"Update %s version to %s to fix this vulnerability."
 	JfrogHomeDirEnv = "JFROG_CLI_HOME_DIR"
-
-	// Sarif run output tool annotator
-	sarifToolName = "JFrog Frogbot"
 )
 
 var (
@@ -238,56 +233,12 @@ func UploadSarifResultsToGithubSecurityTab(scanResults *xrayutils.Results, repo
 	return nil
 }
 
-func prepareRunsForGithubReport(runs []*sarif.Run) []*sarif.Run {
-	for _, run := range runs {
-		for _, rule := range run.Tool.Driver.Rules {
-			// Github security tab can display markdown content on Help attribute and not description
-			if rule.Help == nil && rule.FullDescription != nil {
-				rule.Help = rule.FullDescription
-			}
-		}
-		// Github security tab can't accept results without locations, remove them
-		results := []*sarif.Result{}
-		for _, result := range run.Results {
-			if len(result.Locations) == 0 {
-				continue
-			}
-			results = append(results, result)
-		}
-		run.Results = results
-	}
-	convertToRelativePath(runs)
-	// If we upload to Github security tab multiple runs, it will only display the last run as active issues.
-	// Combine all runs into one run with multiple invocations, so the Github security tab will display all the results as not resolved.
-	combined := sarif.NewRunWithInformationURI(sarifToolName, outputwriter.FrogbotRepoUrl)
-	sarifutils.AggregateMultipleRunsIntoSingle(runs, combined)
-	return []*sarif.Run{combined}
-}
-
-func convertToRelativePath(runs []*sarif.Run) {
-	for _, run := range runs {
-		for _, result := range run.Results {
-			for _, location := range result.Locations {
-				sarifutils.SetLocationFileName(location, sarifutils.GetRelativeLocationFileName(location, run.Invocations))
-			}
-			for _, flows := range result.CodeFlows {
-				for _, flow := range flows.ThreadFlows {
-					for _, location := range flow.Locations {
-						sarifutils.SetLocationFileName(location.Location, sarifutils.GetRelativeLocationFileName(location.Location, run.Invocations))
-					}
-				}
-			}
-		}
-	}
-}
-
 func GenerateFrogbotSarifReport(extendedResults *xrayutils.Results, isMultipleRoots bool, allowedLicenses []string) (string, error) {
-	sarifReport, err := xrayutils.GenereateSarifReportFromResults(extendedResults, isMultipleRoots, false, allowedLicenses)
+	sarifReport, err := xrayutils.GenerateSarifReportFromResults(extendedResults, isMultipleRoots, false, allowedLicenses)
 	if err != nil {
 		return "", err
 	}
-	sarifReport.Runs = prepareRunsForGithubReport(sarifReport.Runs)
-	return sarifutils.ConvertSarifReportToString(sarifReport)
+	return xrayutils.WriteSarifResultsAsString(sarifReport, false)
 }
 
 func DownloadRepoToTempDir(client vcsclient.VcsClient, repoOwner, repoName, branch string) (wd string, cleanup func() error, err error) {

diff --git a/utils/utils_test.go b/utils/utils_test.go
@@ -9,9 +9,7 @@ import (
 	"github.com/jfrog/frogbot/v2/utils/outputwriter"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-security/formats"
-	"github.com/jfrog/jfrog-cli-security/formats/sarifutils"
 	"github.com/jfrog/jfrog-cli-security/utils/techutils"
-	"github.com/owenrumney/go-sarif/v2/sarif"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -378,50 +376,6 @@ func TestTechArrayToString(t *testing.T) {
 	}
 }
 
-func TestPrepareRunsForGithubReport(t *testing.T) {
-	testCases := []struct {
-		run            *sarif.Run
-		expectedOutput *sarif.Run
-	}{
-		{
-			run:            sarifutils.CreateRunWithDummyResults(),
-			expectedOutput: sarif.NewRunWithInformationURI(sarifToolName, outputwriter.FrogbotRepoUrl),
-		},
-		{
-			run: sarif.NewRunWithInformationURI("other tool", "other url").WithResults([]*sarif.Result{
-				sarifutils.CreateResultWithOneLocation("file://root/dir/file", 0, 0, 0, 0, "snippet", "rule", "level"),
-			}).WithInvocations([]*sarif.Invocation{sarif.NewInvocation().WithWorkingDirectory(sarif.NewSimpleArtifactLocation("root/dir"))}),
-			expectedOutput: sarif.NewRunWithInformationURI(sarifToolName, outputwriter.FrogbotRepoUrl).WithResults([]*sarif.Result{
-				sarifutils.CreateResultWithOneLocation("file", 0, 0, 0, 0, "snippet", "rule", "level"),
-			}).WithInvocations([]*sarif.Invocation{sarif.NewInvocation().WithWorkingDirectory(sarif.NewSimpleArtifactLocation("root/dir"))}),
-		},
-		{
-			run: sarif.NewRunWithInformationURI("other tool", "other url").WithResults([]*sarif.Result{
-				sarifutils.CreateResultWithLocations("findings", "rule", "level",
-					sarifutils.CreateLocation("file://root/dir/file", 0, 0, 0, 0, "snippet"),
-					sarifutils.CreateLocation("file://root/dir/dir2/file2", 1, 1, 1, 1, "snippet2"),
-				).WithCodeFlows([]*sarif.CodeFlow{sarifutils.CreateCodeFlow(sarifutils.CreateThreadFlow(
-					sarifutils.CreateLocation("file://root/dir/other/file", 2, 2, 2, 2, "other"),
-					sarifutils.CreateLocation("file://root/dir/file", 0, 0, 0, 0, "snippet"),
-				))}),
-			}).WithInvocations([]*sarif.Invocation{sarif.NewInvocation().WithWorkingDirectory(sarif.NewSimpleArtifactLocation("root/dir"))}),
-			expectedOutput: sarif.NewRunWithInformationURI(sarifToolName, outputwriter.FrogbotRepoUrl).WithResults([]*sarif.Result{
-				sarifutils.CreateResultWithLocations("findings", "rule", "level",
-					sarifutils.CreateLocation("file", 0, 0, 0, 0, "snippet"),
-					sarifutils.CreateLocation("dir2/file2", 1, 1, 1, 1, "snippet2"),
-				).WithCodeFlows([]*sarif.CodeFlow{sarifutils.CreateCodeFlow(sarifutils.CreateThreadFlow(
-					sarifutils.CreateLocation("other/file", 2, 2, 2, 2, "other"),
-					sarifutils.CreateLocation("file", 0, 0, 0, 0, "snippet"),
-				))}),
-			}).WithInvocations([]*sarif.Invocation{sarif.NewInvocation().WithWorkingDirectory(sarif.NewSimpleArtifactLocation("root/dir"))}),
-		},
-	}
-	for _, tc := range testCases {
-
-		assert.Equal(t, tc.expectedOutput, prepareRunsForGithubReport([]*sarif.Run{tc.run})[0])
-	}
-}
-
 func TestIsUrlAccessible(t *testing.T) {
 	testCases := []struct {
 		name           string