Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audit - Always run Applicability Scan if CVE discovered #37

Merged
merged 10 commits into from
Apr 15, 2024
Merged

Audit - Always run Applicability Scan if CVE discovered #37

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
504988e
Always run Applicability Scan if CVE discovered
attiasas Mar 12, 2024
541aaef
fix static
attiasas Mar 12, 2024
ebc6bff
remove not relevant tests
attiasas Mar 12, 2024
9daaa11
Merge remote-tracking branch 'upstream/dev' into remove_ca_not_support
attiasas Apr 2, 2024
94eaa42
update dep
attiasas Apr 2, 2024
ed41936
remove dep
attiasas Apr 15, 2024
af2041e
Merge remote-tracking branch 'upstream/dev' into remove_ca_not_support
attiasas Apr 15, 2024
afc4aae
Merge remote-tracking branch 'upstream/dev' into remove_ca_not_support
attiasas Apr 15, 2024
a55b0c5
Merge remote-tracking branch 'upstream/dev' into remove_ca_not_support
attiasas Apr 15, 2024
a495eac
Update dependencies
attiasas Apr 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 2 additions & 6 deletions commands/audit/jas/applicability/applicabilitymanager.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,8 @@ type ApplicabilityScanManager struct {
func RunApplicabilityScan(xrayResults []services.ScanResponse, directDependencies []string,
scannedTechnologies []coreutils.Technology, scanner *jas.JasScanner, thirdPartyContextualAnalysis bool) (results []*sarif.Run, err error) {
applicabilityScanManager := newApplicabilityScanManager(xrayResults, directDependencies, scanner, thirdPartyContextualAnalysis)
if !applicabilityScanManager.shouldRunApplicabilityScan(scannedTechnologies) {
log.Debug("The technologies that have been scanned are currently not supported for contextual analysis scanning, or we couldn't find any vulnerable dependencies. Skipping....")
if !applicabilityScanManager.cvesExists() {
log.Debug("We couldn't find any vulnerable dependencies. Skipping....")
return
}
if err = applicabilityScanManager.scanner.Run(applicabilityScanManager); err != nil {
Expand Down Expand Up @@ -132,10 +132,6 @@ func (asm *ApplicabilityScanManager) Run(module jfrogappsconfig.Module) (err err
return
}

func (asm *ApplicabilityScanManager) shouldRunApplicabilityScan(technologies []coreutils.Technology) bool {
return asm.cvesExists() && coreutils.ContainsApplicabilityScannableTech(technologies)
}

func (asm *ApplicabilityScanManager) cvesExists() bool {
return len(asm.indirectDependenciesCves) > 0 || len(asm.directDependenciesCves) > 0
}
Expand Down
23 changes: 0 additions & 23 deletions commands/audit/jas/applicability/applicabilitymanager_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -153,29 +153,6 @@ func TestNewApplicabilityScanManager_VulnerabilitiesDontExist(t *testing.T) {
}
}

func TestApplicabilityScanManager_ShouldRun_TechnologiesNotEligibleForScan(t *testing.T) {
scanner, cleanUp := jas.InitJasTest(t)
defer cleanUp()

results, err := RunApplicabilityScan(jas.FakeBasicXrayResults, mockDirectDependencies, []coreutils.Technology{coreutils.Nuget, coreutils.Go}, scanner, false)

// Assert
assert.Nil(t, results)
assert.NoError(t, err)
}

func TestApplicabilityScanManager_ShouldRun_ScanResultsAreEmpty(t *testing.T) {
// Arrange
scanner, cleanUp := jas.InitJasTest(t)
defer cleanUp()

applicabilityManager := newApplicabilityScanManager(nil, mockDirectDependencies, scanner, false)

// Assert
eligible := applicabilityManager.shouldRunApplicabilityScan([]coreutils.Technology{coreutils.Nuget})
assert.False(t, eligible)
}

func TestExtractXrayDirectViolations(t *testing.T) {
var xrayResponseForDirectViolationsTest = []services.ScanResponse{
{
Expand Down
4 changes: 2 additions & 2 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ go 1.21
require (
github.com/gookit/color v1.5.4
github.com/jfrog/build-info-go v1.9.23
github.com/jfrog/gofrog v1.6.0
github.com/jfrog/gofrog v1.6.3
github.com/jfrog/jfrog-apps-config v1.0.1
github.com/jfrog/jfrog-cli-core/v2 v2.48.1
github.com/jfrog/jfrog-client-go v1.37.1
Expand Down Expand Up @@ -98,7 +98,7 @@ require (
gopkg.in/warnings.v0 v0.1.2 // indirect
)

replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20240303093859-ebce750e0f45
replace github.com/jfrog/jfrog-cli-core/v2 => github.com/attiasas/jfrog-cli-core/v2 v2.0.0-20240312124144-242e12416341

replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20240222155638-e55c7d7acbee

Expand Down
8 changes: 4 additions & 4 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuW
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
github.com/attiasas/jfrog-cli-core/v2 v2.0.0-20240312124144-242e12416341 h1:ScAJxa0TdgwZu+jtoQSnkCJ+N2k7D6WwDn+mYE71VKE=
github.com/attiasas/jfrog-cli-core/v2 v2.0.0-20240312124144-242e12416341/go.mod h1:fTnA9KjwuMEWnqAFPPoLc6IzvYxD8SorqawESk74fP8=
github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
Expand Down Expand Up @@ -98,12 +100,10 @@ github.com/jfrog/archiver/v3 v3.6.0 h1:OVZ50vudkIQmKMgA8mmFF9S0gA47lcag22N13iV3F
github.com/jfrog/archiver/v3 v3.6.0/go.mod h1:fCAof46C3rAXgZurS8kNRNdSVMKBbZs+bNNhPYxLldI=
github.com/jfrog/build-info-go v1.8.9-0.20240225113943-096bf22ca54c h1:M1QiuCYGCYN1IiGyxogrLzfetYGkkhE2pgDh5K4Wo9A=
github.com/jfrog/build-info-go v1.8.9-0.20240225113943-096bf22ca54c/go.mod h1:QHcKuesY4MrBVBuEwwBz4uIsX6mwYuMEDV09ng4AvAU=
github.com/jfrog/gofrog v1.6.0 h1:jOwb37nHY2PnxePNFJ6e6279Pgkr3di05SbQQw47Mq8=
github.com/jfrog/gofrog v1.6.0/go.mod h1:SZ1EPJUruxrVGndOzHd+LTiwWYKMlHqhKD+eu+v5Hqg=
github.com/jfrog/gofrog v1.6.3 h1:F7He0+75HcgCe6SGTSHLFCBDxiE2Ja0tekvvcktW6wc=
github.com/jfrog/gofrog v1.6.3/go.mod h1:SZ1EPJUruxrVGndOzHd+LTiwWYKMlHqhKD+eu+v5Hqg=
github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY=
github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20240303093859-ebce750e0f45 h1:KeP2+7KcZHWZ24FPdW3yLfzXI/O6U9KdUzgvGi58PGo=
github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20240303093859-ebce750e0f45/go.mod h1:aE5kYuqiZxu6hHkAQm34BvtGjLR8rk0/PUWpl4u5g0Q=
github.com/jfrog/jfrog-client-go v1.28.1-0.20240222155638-e55c7d7acbee h1:IrM+wE8WmsSm95vpYSEYle2mPAOVn1FrRTeScSNxgrw=
github.com/jfrog/jfrog-client-go v1.28.1-0.20240222155638-e55c7d7acbee/go.mod h1:jcZYTyo9H4GtZ6eAYIfKm1ulxeTbshcBBA+YUbWlHNc=
github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
Expand Down
Loading