Malicious code scanner

Author: barv-jfrog

cli/docs/maliciousscan/help.go

@@ -5,7 +5,7 @@ import (
 )
 
 func GetDescription() string {
-	return "Scan malicious models (pickle files, etc.) located in the working directory with AnalyzerManager."
+	return "[Beta] Scan malicious models (pickle files, etc.) located in the working directory."
 }
 
 func GetArguments() []components.Argument {

commands/maliciousscan/maliciousscan.go

@@ -7,6 +7,8 @@ import (
 	"path/filepath"
 	"strings"
 
+	clientutils "github.com/jfrog/jfrog-client-go/utils"
+
 	"github.com/jfrog/jfrog-cli-core/v2/common/format"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
@@ -90,72 +92,119 @@ func (cmd *MaliciousScanCommand) Run() (err error) {
 		}
 	}()
 
-	xrayManager, xrayVersion, err := xray.CreateXrayServiceManagerAndGetVersion(cmd.serverDetails)
+	xrayVersion, entitledForJas, workingDirs, err := cmd.validateAndPrepare()
 	if err != nil {
 		return err
 	}
 
-	entitledForJas, err := jas.IsEntitledForJas(xrayManager, xrayVersion)
+	cmdResults := cmd.initializeCommandResults(xrayVersion, entitledForJas)
+	populateScanTargets(cmdResults, workingDirs)
+
+	scanner, err := cmd.createJasScanner()
 	if err != nil {
 		return err
 	}
+
+	if err = cmd.runMaliciousScans(cmdResults, scanner); err != nil {
+		return err
+	}
+
+	if cmd.progress != nil {
+		if err = cmd.progress.Quit(); err != nil {
+			return err
+		}
+	}
+
+	return cmd.outputResults(cmdResults)
+}
+
+func (cmd *MaliciousScanCommand) validateAndPrepare() (xrayVersion string, entitledForJas bool, workingDirs []string, err error) {
+	xrayManager, xrayVersion, err := xray.CreateXrayServiceManagerAndGetVersion(cmd.serverDetails)
+	if err != nil {
+		return "", false, nil, err
+	}
+
+	entitledForJas, err = jas.IsEntitledForJas(xrayManager, xrayVersion)
+	if err != nil {
+		return "", false, nil, err
+	}
 	if !entitledForJas {
-		return errors.New("JAS (Advanced Security) feature is not entitled")
+		return "", false, nil, errors.New("JAS (Advanced Security) feature is not entitled")
 	}
 
 	log.Info("JFrog Xray version is:", xrayVersion)
 
 	if err = jas.DownloadAnalyzerManagerIfNeeded(0); err != nil {
-		return fmt.Errorf("failed to download Analyzer Manager: %w", err)
+		return "", false, nil, fmt.Errorf("failed to download Analyzer Manager: %w", err)
 	}
 
-	workingDirs, err := coreutils.GetFullPathsWorkingDirs(cmd.workingDirs)
+	workingDirs, err = coreutils.GetFullPathsWorkingDirs(cmd.workingDirs)
 	if err != nil {
-		return err
+		return "", false, nil, err
 	}
 	logScanPaths(workingDirs)
 
+	return xrayVersion, entitledForJas, workingDirs, nil
+}
+
+func (cmd *MaliciousScanCommand) initializeCommandResults(xrayVersion string, entitledForJas bool) *results.SecurityCommandResults {
 	cmdResults := results.NewCommandResults(utils.SourceCode)
 	cmdResults.SetXrayVersion(xrayVersion)
 	cmdResults.SetEntitledForJas(entitledForJas)
 	cmdResults.SetResultsContext(results.ResultContext{
 		IncludeVulnerabilities: true,
 	})
+	return cmdResults
+}
 
-	populateScanTargets(cmdResults, workingDirs)
-
+func (cmd *MaliciousScanCommand) createJasScanner() (*jas.JasScanner, error) {
 	scannerOptions := []jas.JasScannerOption{
 		jas.WithEnvVars(
-			false, // validateSecrets not relevant for malicious scan
+			false,
 			jas.NotDiffScanEnvValue,
 			jas.GetAnalyzerManagerXscEnvVars(
-				"",  // msi
-				"",  // gitRepoUrl
-				"",  // projectKey
-				nil, // watches
+				"",
+				"",
+				"",
+				nil,
 			),
 		),
 		jas.WithMinSeverity(cmd.minSeverityFilter),
 	}
 
 	scanner, err := jas.NewJasScanner(cmd.serverDetails, scannerOptions...)
 	if err != nil {
-		return fmt.Errorf("failed to create JAS scanner: %w", err)
+		return nil, fmt.Errorf("failed to create JAS scanner: %w", err)
 	}
 	if scanner == nil {
-		return errors.New("JAS scanner was not created")
+		return nil, errors.New("JAS scanner was not created")
 	}
 
-	if cmd.customAnalyzerManagerPath != "" {
-		scanner.AnalyzerManager.AnalyzerManagerFullPath = cmd.customAnalyzerManagerPath
-	} else {
-		if scanner.AnalyzerManager.AnalyzerManagerFullPath, err = jas.GetAnalyzerManagerExecutable(); err != nil {
-			return fmt.Errorf("failed to set analyzer manager executable path: %w", err)
-		}
+	if err = cmd.setAnalyzerManagerPath(scanner); err != nil {
+		return nil, err
 	}
 
 	log.Debug(fmt.Sprintf("Using analyzer manager executable at: %s", scanner.AnalyzerManager.AnalyzerManagerFullPath))
+	return scanner, nil
+}
+
+func (cmd *MaliciousScanCommand) setAnalyzerManagerPath(scanner *jas.JasScanner) error {
+	if cmd.customAnalyzerManagerPath == "" {
+		if err := jas.DownloadAnalyzerManagerIfNeeded(0); err != nil {
+			return fmt.Errorf("failed to download analyzer manager: %s", err.Error())
+		}
+		var err error
+		if scanner.AnalyzerManager.AnalyzerManagerFullPath, err = jas.GetAnalyzerManagerExecutable(); err != nil {
+			return fmt.Errorf("failed to set analyzer manager executable path: %s", err.Error())
+		}
+	} else {
+		scanner.AnalyzerManager.AnalyzerManagerFullPath = cmd.customAnalyzerManagerPath
+		log.Debug(clientutils.GetLogMsgPrefix(0, false) + "using custom analyzer manager binary path")
+	}
+	return nil
+}
 
+func (cmd *MaliciousScanCommand) runMaliciousScans(cmdResults *results.SecurityCommandResults, scanner *jas.JasScanner) error {
 	jasScanProducerConsumer := utils.NewSecurityParallelRunner(cmd.threads)
 
 	serverDetails, err := cmd.ServerDetails()
@@ -199,14 +248,11 @@ func (cmd *MaliciousScanCommand) Run() (err error) {
 	}
 
 	jasScanProducerConsumer.Start()
+	return nil
+}
 
-	if cmd.progress != nil {
-		if err = cmd.progress.Quit(); err != nil {
-			return err
-		}
-	}
-
-	if err = output.NewResultsWriter(cmdResults).
+func (cmd *MaliciousScanCommand) outputResults(cmdResults *results.SecurityCommandResults) error {
+	if err := output.NewResultsWriter(cmdResults).
 		SetOutputFormat(cmd.outputFormat).
 		SetPlatformUrl(cmd.serverDetails.Url).
 		SetPrintExtendedTable(false).
@@ -216,7 +262,7 @@ func (cmd *MaliciousScanCommand) Run() (err error) {
 		return errors.Join(err, cmdResults.GetErrors())
 	}
 
-	if err = cmdResults.GetErrors(); err != nil {
+	if err := cmdResults.GetErrors(); err != nil {
 		return err
 	}
 
@@ -229,10 +275,10 @@ func logScanPaths(workingDirs []string) {
 		return
 	}
 	if len(workingDirs) == 1 {
-		log.Info("Scanning path:", workingDirs[0])
+		log.Debug("Scanning path:", workingDirs[0])
 		return
 	}
-	log.Info("Scanning paths:", strings.Join(workingDirs, ", "))
+	log.Debug("Scanning paths:", strings.Join(workingDirs, ", "))
 }
 
 func populateScanTargets(cmdResults *results.SecurityCommandResults, workingDirs []string) {
@@ -244,17 +290,8 @@ func populateScanTargets(cmdResults *results.SecurityCommandResults, workingDirs
 		cmdResults.NewScanResults(results.ScanTarget{Target: requestedDirectory, Name: filepath.Base(requestedDirectory)})
 	}
 
-	if len(workingDirs) == 0 {
-		currentDir, err := coreutils.GetWorkingDirectory()
-		if err != nil {
-			cmdResults.AddGeneralError(fmt.Errorf("failed to get current working directory: %w", err), false)
-			return
-		}
-		cmdResults.NewScanResults(results.ScanTarget{Target: currentDir, Name: filepath.Base(currentDir)})
-	}
-
 	if len(cmdResults.Targets) == 0 {
-		log.Warn("No scan targets were detected. Proceeding with empty scan...")
+		log.Warn("No scan targets were detected.")
 		return
 	}
 

go.mod

@@ -135,7 +135,7 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-replace github.com/jfrog/jfrog-client-go => github.com/barv-jfrog/jfrog-client-go v0.0.0-20251201141602-632626d6c959
+replace github.com/jfrog/jfrog-client-go => github.com/barv-jfrog/jfrog-client-go v0.0.0-20251215101028-5969e0b31b56
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 master
 

go.sum

@@ -23,8 +23,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/barv-jfrog/jfrog-apps-config v0.0.0-20250128142442-6fd49006bb85 h1:kNdHaJdeD1QBQ0czgrfKqrcND3T+6dInSI8s23lW4Cw=
 github.com/barv-jfrog/jfrog-apps-config v0.0.0-20250128142442-6fd49006bb85/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
-github.com/barv-jfrog/jfrog-client-go v0.0.0-20251201141602-632626d6c959 h1:Wr8RuVIeQVPyhxpT2oonIBaWZVuzP6zTqJ3ruys5ihs=
-github.com/barv-jfrog/jfrog-client-go v0.0.0-20251201141602-632626d6c959/go.mod h1:ureS+L3wNs0qYUBSwH8C9PjwnraTX9ibZu7JkaqjO/E=
+github.com/barv-jfrog/jfrog-client-go v0.0.0-20251215101028-5969e0b31b56 h1:Mz0F8nWUBTwzJ3ZXuitvXcYBrO7Q43RrofFdm8CBEyo=
+github.com/barv-jfrog/jfrog-client-go v0.0.0-20251215101028-5969e0b31b56/go.mod h1:WQ5Y+oKYyHFAlCbHN925bWhnShTd2ruxZ6YTpb76fpU=
 github.com/beevik/etree v1.6.0 h1:u8Kwy8pp9D9XeITj2Z0XtA5qqZEmtJtuXZRQi+j03eE=
 github.com/beevik/etree v1.6.0/go.mod h1:bh4zJxiIr62SOf9pRzN7UUYaEDa9HEKafK25+sLc0Gc=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
@@ -156,14 +156,10 @@ github.com/jfrog/froggit-go v1.20.6 h1:Xp7+LlEh0m1KGrQstb+u0aGfjRUtv1eh9xQBV3571
 github.com/jfrog/froggit-go v1.20.6/go.mod h1:obSG1SlsWjktkuqmKtpq7MNTTL63e0ot+ucTnlOMV88=
 github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s=
 github.com/jfrog/gofrog v1.7.6/go.mod h1:ntr1txqNOZtHplmaNd7rS4f8jpA5Apx8em70oYEe7+4=
-github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY=
-github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
 github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251211075913-35ebcd308e93 h1:rpkJZN0TigpAGY/bfgmLO4nwhyhkr0gkBTLz/0B5zS8=
 github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251211075913-35ebcd308e93/go.mod h1:7cCaRhXorlbyXZgiW5bplCExFxlnROaG21K12d8inpQ=
 github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251210085744-f8481d179ac5 h1:GYE67ubwl+ZRw3CcXFUi49EwwQp6k+qS8sX0QuHDHO8=
 github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251210085744-f8481d179ac5/go.mod h1:BMoGi2rG0udCCeaghqlNgiW3fTmT+TNnfTnBoWFYgcg=
-github.com/jfrog/jfrog-client-go v1.55.1-0.20251211124639-306f15dbcf29 h1:u+FMai2cImOJExJ1Ehe8JsrpAXmPyRaDXwM60wV3bPA=
-github.com/jfrog/jfrog-client-go v1.55.1-0.20251211124639-306f15dbcf29/go.mod h1:WQ5Y+oKYyHFAlCbHN925bWhnShTd2ruxZ6YTpb76fpU=
 github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
 github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo=
 github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=

jas/maliciouscode/maliciouscodescanner.go

@@ -15,6 +15,7 @@ import (
 
 const (
 	maliciousScanCommand = "mal"
+	malDocsUrlSuffix     = ""
 
 	MaliciousScannerType MaliciousScanType = "malicious-scan" // #nosec
 )
@@ -73,7 +74,7 @@ func (mal *MaliciousScanManager) Run(module jfrogappsconfig.Module) (vulnerabili
 	if err = mal.runAnalyzerManager(); err != nil {
 		return
 	}
-	return jas.ReadJasScanRunsFromFile(mal.resultsFileName, module.SourceRoot, "", mal.scanner.MinSeverity)
+	return jas.ReadJasScanRunsFromFile(mal.resultsFileName, module.SourceRoot, malDocsUrlSuffix, mal.scanner.MinSeverity)
 }
 
 type maliciousScanConfig struct {

jas/maliciouscode/maliciouscodescanner_test.go

@@ -101,7 +101,7 @@ func TestParseResults_EmptyResults(t *testing.T) {
 	maliciousScanManager.resultsFileName = filepath.Join(jas.GetTestDataPath(), "malicious-scan", "no-malicious.sarif")
 
 	// Act
-	vulnerabilitiesResults, _, err := jas.ReadJasScanRunsFromFile(maliciousScanManager.resultsFileName, jfrogAppsConfigForTest.Modules[0].SourceRoot, "", scanner.MinSeverity)
+	vulnerabilitiesResults, _, err := jas.ReadJasScanRunsFromFile(maliciousScanManager.resultsFileName, jfrogAppsConfigForTest.Modules[0].SourceRoot, malDocsUrlSuffix, scanner.MinSeverity)
 
 	// Assert
 	if assert.NoError(t, err) && assert.NotNil(t, vulnerabilitiesResults) {
@@ -122,7 +122,7 @@ func TestParseResults_ResultsContainMalicious(t *testing.T) {
 	maliciousScanManager.resultsFileName = filepath.Join(jas.GetTestDataPath(), "malicious-scan", "contain-malicious.sarif")
 
 	// Act
-	vulnerabilitiesResults, _, err := jas.ReadJasScanRunsFromFile(maliciousScanManager.resultsFileName, jfrogAppsConfigForTest.Modules[0].SourceRoot, "", severityutils.Medium)
+	vulnerabilitiesResults, _, err := jas.ReadJasScanRunsFromFile(maliciousScanManager.resultsFileName, jfrogAppsConfigForTest.Modules[0].SourceRoot, malDocsUrlSuffix, severityutils.Medium)
 
 	// Assert
 	if assert.NoError(t, err) && assert.NotNil(t, vulnerabilitiesResults) {

jas/runner/jasrunner.go

@@ -73,9 +73,11 @@ func AddJasScannersTasks(params JasRunnerParams) error {
 		errorsCollection = errors.Join(errorsCollection, generalError)
 	}
 
-	if generalError := addJasScanTaskForModuleIfNeeded(params, utils.MaliciousCodeScan, runMaliciousScan(&params)); generalError != nil {
-		// Scan task addition failure should not impact the other scanners tasks addition, therefore we accumulate the errors and return the overall error at the end.
-		errorsCollection = errors.Join(errorsCollection, generalError)
+	if slices.Contains(params.ScansToPerform, utils.MaliciousCodeScan) {
+		if generalError := addJasScanTaskForModuleIfNeeded(params, utils.MaliciousCodeScan, runMaliciousScan(&params)); generalError != nil {
+			// Scan task addition failure should not impact the other scanners tasks addition, therefore we accumulate the errors and return the overall error at the end.
+			errorsCollection = errors.Join(errorsCollection, generalError)
+		}
 	}
 
 	if !runAllScanners {