Malicious code scanner #296
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
attiasas
requested changes
Feb 4, 2025
utils/formats/simplejsonapi.go
Outdated
Comment on lines
25
to
26
| MaliciousVulnerabilities []SourceCodeRow `json:"malicious_code"` | ||
| MaliciousViolations []SourceCodeRow `json:"maliciousViolations"` |
There was a problem hiding this comment.
Suggested change
| MaliciousVulnerabilities []SourceCodeRow `json:"malicious_code"` | |
| MaliciousViolations []SourceCodeRow `json:"maliciousViolations"` | |
| MaliciousVulnerabilities []SourceCodeRow `json:"maliciousCode"` | |
| MaliciousViolations []SourceCodeRow `json:"maliciousViolations"` |
make sure the formats are the same...
Comment on lines
164
to
170
| if sjc.current == nil { | ||
| return results.ErrResetConvertor | ||
| } | ||
| maliciousSimpleJson, err := PrepareSimpleJsonJasIssues(sjc.entitledForJas, sjc.pretty, results.ScanResultsToRuns(maliciousFindings)...) | ||
| if err != nil || len(maliciousSimpleJson) == 0 { | ||
| return | ||
| } |
There was a problem hiding this comment.
Suggested change
| if sjc.current == nil { | |
| return results.ErrResetConvertor | |
| } | |
| maliciousSimpleJson, err := PrepareSimpleJsonJasIssues(sjc.entitledForJas, sjc.pretty, results.ScanResultsToRuns(maliciousFindings)...) | |
| if err != nil || len(maliciousSimpleJson) == 0 { | |
| return | |
| } | |
| if sjc.current == nil { | |
| return results.ErrResetConvertor | |
| } | |
| for i := range maliciousFindings { | |
| if shouldUpdateStatus(sjc.current.Statuses.MaliciousStatusCode, &maliciousFindings[i].StatusCode) { | |
| sjc.current.Statuses.MaliciousStatusCode = &maliciousFindings[i].StatusCode | |
| } | |
| } | |
| maliciousSimpleJson, err := PrepareSimpleJsonJasIssues(sjc.entitledForJas, sjc.pretty, results.ScanResultsToRuns(maliciousFindings)...) | |
| if err != nil || len(maliciousSimpleJson) == 0 { | |
| return | |
| } |
Add this scan to the status attributes so we can use it in all other places to display the command information
go.mod
Outdated
| @@ -114,7 +114,7 @@ require ( | |||
| gopkg.in/warnings.v0 v0.1.2 // indirect | |||
| ) | |||
|
|
|||
| replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20250126110945-81abbdde452f | |||
| replace github.com/jfrog/jfrog-client-go => ../jfrog-client-go | |||
There was a problem hiding this comment.
for remote push, while developing, make sure you are pointing to a valid branch.
This is expceting the code to be in the machine locally.
jas/runner/jasrunner.go
Outdated
| if generalError = addJasScanTaskForModuleIfNeeded(params, utils.ContextualAnalysisScan, runContextualScan(params.Runner, params.Scanner, params.ScanResults, params.Module, params.DirectDependencies, params.ThirdPartyApplicabilityScan, params.ApplicableScanType, params.TargetOutputDir)); generalError != nil { | ||
| return | ||
| } | ||
| //if generalError = addJasScanTaskForModuleIfNeeded(params, utils.ContextualAnalysisScan, runContextualScan(params.Runner, params.Scanner, params.ScanResults, params.Module, params.DirectDependencies, params.ThirdPartyApplicabilityScan, params.ApplicableScanType, params.TargetOutputDir)); generalError != nil { |
There was a problem hiding this comment.
don't forget to uncomment when done
barv-jfrog
added
the
safe to test
github-actions
bot
removed
the
safe to test
attiasas
requested changes
Mar 4, 2025
There was a problem hiding this comment.
Nice, take a look at my comments, in addition:
- fix failed tests
- add description to the PR details, make sure to explain the type of scan and add screen shots so the users can understand and reference to.
- Add integration tests at audit_test.go that runs and validate a malicious issues on a project
| { | ||
| "tool": { | ||
| "driver": { | ||
| "name": "JFrog Terraform scanner", |
There was a problem hiding this comment.
Suggested change
| "name": "JFrog Terraform scanner", | |
| "name": "JFrog Malicious Code scanner", |
| @@ -102,6 +108,8 @@ func addJasScanTaskForModuleIfNeeded(params JasRunnerParams, subScan utils.SubSc | |||
| enabled = params.ConfigProfile.Modules[0].ScanConfig.IacScannerConfig.EnableIacScan | |||
| case jasutils.Applicability: | |||
| enabled = params.ConfigProfile.Modules[0].ScanConfig.EnableContextualAnalysisScan | |||
| case jasutils.MaliciousCode: | |||
| enabled = params.ConfigProfile.Modules[0].ScanConfig.MaliciousScannerConfig.EnableMaliciousScan | |||
There was a problem hiding this comment.
did we also added this to the config at the platform?
barv-jfrog
added
the
safe to test
github-actions
bot
removed
the
safe to test
barv-jfrog
added
the
safe to test
github-actions
bot
removed
the
safe to test
barv-jfrog
added
the
safe to test
github-actions
bot
removed
the
safe to test
barv-jfrog
added
the
safe to test
github-actions
bot
removed
the
safe to test
barv-jfrog
added
the
safe to test
github-actions
bot
removed
the
safe to test
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
devbranch.go vet ./....go fmt ./....depends on:
Description:
New malicious scanners which check for malicious code on the source code. For example, models such as pickle may contain malicious code in their code, so now jf audit can scan this pickles and show in a table what is the malicious code.
Example: