Integrating new Config Profile changes + Add support in scanners exclusions through profile (jfrog#314)

Author: eranturgeman

commands/audit/audit.go

@@ -309,6 +309,8 @@ func RunJasScans(auditParallelRunner *utils.SecurityParallelRunner, auditParams
 		),
 		auditParams.Exclusions()...,
 	)
+	jas.UpdateJasScannerWithExcludePatternsFromProfile(jasScanner, auditParams.AuditBasicParams.GetConfigProfile())
+
 	auditParallelRunner.ResultsMu.Unlock()
 	if err != nil {
 		generalError = fmt.Errorf("failed to create jas scanner: %s", err.Error())
@@ -349,7 +351,7 @@ func createJasScansTasks(auditParallelRunner *utils.SecurityParallelRunner, scan
 				ServerDetails:               serverDetails,
 				Scanner:                     scanner,
 				Module:                      *module,
-				ConfigProfile:               auditParams.configProfile,
+				ConfigProfile:               auditParams.AuditBasicParams.GetConfigProfile(),
 				ScansToPerform:              auditParams.ScansToPerform(),
 				SecretsScanType:             secrets.SecretsScannerType,
 				DirectDependencies:          auditParams.DirectDependencies(),

commands/audit/audit_test.go

@@ -241,8 +241,12 @@ func TestAuditWithConfigProfile(t *testing.T) {
 					ModuleName:   "only-sca-module",
 					PathFromRoot: ".",
 					ScanConfig: services.ScanConfig{
-						EnableScaScan:                true,
-						EnableContextualAnalysisScan: false,
+						ScaScannerConfig: services.ScaScannerConfig{
+							EnableScaScan: true,
+						},
+						ContextualAnalysisScannerConfig: services.CaScannerConfig{
+							EnableCaScan: false,
+						},
 						SastScannerConfig: services.SastScannerConfig{
 							EnableSastScan: false,
 						},
@@ -258,6 +262,38 @@ func TestAuditWithConfigProfile(t *testing.T) {
 			},
 			expectedScaIssues: 15,
 		},
+		{
+			name:        "Sca scanner enabled with exclusions",
+			testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
+			configProfile: services.ConfigProfile{
+				ProfileName: "Sca-exclude-dirs",
+				Modules: []services.Module{{
+					ModuleId:     1,
+					ModuleName:   "Sca-exclude-dirs-module",
+					PathFromRoot: ".",
+					ScanConfig: services.ScanConfig{
+						ScaScannerConfig: services.ScaScannerConfig{
+							EnableScaScan:   true,
+							ExcludePatterns: []string{"*.*"},
+						},
+						ContextualAnalysisScannerConfig: services.CaScannerConfig{
+							EnableCaScan: false,
+						},
+						SastScannerConfig: services.SastScannerConfig{
+							EnableSastScan: false,
+						},
+						SecretsScannerConfig: services.SecretsScannerConfig{
+							EnableSecretsScan: false,
+						},
+						IacScannerConfig: services.IacScannerConfig{
+							EnableIacScan: false,
+						},
+					},
+				}},
+				IsDefault: false,
+			},
+			expectedScaIssues: 0,
+		},
 		{
 			name:        "Enable Sca and Applicability scanners",
 			testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
@@ -268,8 +304,12 @@ func TestAuditWithConfigProfile(t *testing.T) {
 					ModuleName:   "sca-and-applicability",
 					PathFromRoot: ".",
 					ScanConfig: services.ScanConfig{
-						EnableScaScan:                true,
-						EnableContextualAnalysisScan: true,
+						ScaScannerConfig: services.ScaScannerConfig{
+							EnableScaScan: true,
+						},
+						ContextualAnalysisScannerConfig: services.CaScannerConfig{
+							EnableCaScan: true,
+						},
 						SastScannerConfig: services.SastScannerConfig{
 							EnableSastScan: false,
 						},
@@ -288,6 +328,7 @@ func TestAuditWithConfigProfile(t *testing.T) {
 			expectedCaNotCovered:    4,
 			expectedCaNotApplicable: 2,
 		},
+		// TODO Add testcase for Sca and Applicability with exclusions after resolving the Glob patterns issues
 		{
 			name:        "Enable only secrets scanner",
 			testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
@@ -298,8 +339,12 @@ func TestAuditWithConfigProfile(t *testing.T) {
 					ModuleName:   "only-secrets-module",
 					PathFromRoot: ".",
 					ScanConfig: services.ScanConfig{
-						EnableScaScan:                false,
-						EnableContextualAnalysisScan: false,
+						ScaScannerConfig: services.ScaScannerConfig{
+							EnableScaScan: false,
+						},
+						ContextualAnalysisScannerConfig: services.CaScannerConfig{
+							EnableCaScan: false,
+						},
 						SastScannerConfig: services.SastScannerConfig{
 							EnableSastScan: false,
 						},
@@ -316,7 +361,39 @@ func TestAuditWithConfigProfile(t *testing.T) {
 			expectedSecretsIssues: 16,
 		},
 		{
-			name:        "Enable only sast scanner",
+			name:        "Secrets scanner is enabled with exclusions",
+			testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
+			configProfile: services.ConfigProfile{
+				ProfileName: "secrets-with-exclusions",
+				Modules: []services.Module{{
+					ModuleId:     1,
+					ModuleName:   "secrets-with-exclusions-module",
+					PathFromRoot: ".",
+					ScanConfig: services.ScanConfig{
+						ScaScannerConfig: services.ScaScannerConfig{
+							EnableScaScan: false,
+						},
+						ContextualAnalysisScannerConfig: services.CaScannerConfig{
+							EnableCaScan: false,
+						},
+						SastScannerConfig: services.SastScannerConfig{
+							EnableSastScan: false,
+						},
+						SecretsScannerConfig: services.SecretsScannerConfig{
+							EnableSecretsScan: true,
+							ExcludePatterns:   []string{"*api_secrets*"},
+						},
+						IacScannerConfig: services.IacScannerConfig{
+							EnableIacScan: false,
+						},
+					},
+				}},
+				IsDefault: false,
+			},
+			expectedSecretsIssues: 7,
+		},
+		{
+			name:        "Enable only Sast scanner",
 			testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
 			configProfile: services.ConfigProfile{
 				ProfileName: "only-sast",
@@ -325,8 +402,12 @@ func TestAuditWithConfigProfile(t *testing.T) {
 					ModuleName:   "only-sast-module",
 					PathFromRoot: ".",
 					ScanConfig: services.ScanConfig{
-						EnableScaScan:                false,
-						EnableContextualAnalysisScan: false,
+						ScaScannerConfig: services.ScaScannerConfig{
+							EnableScaScan: false,
+						},
+						ContextualAnalysisScannerConfig: services.CaScannerConfig{
+							EnableCaScan: false,
+						},
 						SastScannerConfig: services.SastScannerConfig{
 							EnableSastScan: true,
 						},
@@ -342,6 +423,38 @@ func TestAuditWithConfigProfile(t *testing.T) {
 			},
 			expectedSastIssues: 3,
 		},
+		{
+			name:        "Sast scanner is enabled with exclusions",
+			testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
+			configProfile: services.ConfigProfile{
+				ProfileName: "sast-with-exclusions",
+				Modules: []services.Module{{
+					ModuleId:     1,
+					ModuleName:   "sast-with-exclusions-module",
+					PathFromRoot: ".",
+					ScanConfig: services.ScanConfig{
+						ScaScannerConfig: services.ScaScannerConfig{
+							EnableScaScan: false,
+						},
+						ContextualAnalysisScannerConfig: services.CaScannerConfig{
+							EnableCaScan: false,
+						},
+						SastScannerConfig: services.SastScannerConfig{
+							EnableSastScan:  true,
+							ExcludePatterns: []string{"*flask_webgoat*"},
+						},
+						SecretsScannerConfig: services.SecretsScannerConfig{
+							EnableSecretsScan: false,
+						},
+						IacScannerConfig: services.IacScannerConfig{
+							EnableIacScan: false,
+						},
+					},
+				}},
+				IsDefault: false,
+			},
+			expectedSastIssues: 0,
+		},
 		{
 			name:        "Enable only IaC scanner",
 			testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
@@ -352,8 +465,12 @@ func TestAuditWithConfigProfile(t *testing.T) {
 					ModuleName:   "only-iac-module",
 					PathFromRoot: ".",
 					ScanConfig: services.ScanConfig{
-						EnableScaScan:                false,
-						EnableContextualAnalysisScan: false,
+						ScaScannerConfig: services.ScaScannerConfig{
+							EnableScaScan: false,
+						},
+						ContextualAnalysisScannerConfig: services.CaScannerConfig{
+							EnableCaScan: false,
+						},
 						SastScannerConfig: services.SastScannerConfig{
 							EnableSastScan: false,
 						},
@@ -369,6 +486,38 @@ func TestAuditWithConfigProfile(t *testing.T) {
 			},
 			expectedIacIssues: 9,
 		},
+		{
+			name:        "Iac is enabled with exclusions",
+			testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
+			configProfile: services.ConfigProfile{
+				ProfileName: "iac-with-exclusions",
+				Modules: []services.Module{{
+					ModuleId:     1,
+					ModuleName:   "iac-with-exclusions-module",
+					PathFromRoot: ".",
+					ScanConfig: services.ScanConfig{
+						ScaScannerConfig: services.ScaScannerConfig{
+							EnableScaScan: false,
+						},
+						ContextualAnalysisScannerConfig: services.CaScannerConfig{
+							EnableCaScan: false,
+						},
+						SastScannerConfig: services.SastScannerConfig{
+							EnableSastScan: false,
+						},
+						SecretsScannerConfig: services.SecretsScannerConfig{
+							EnableSecretsScan: false,
+						},
+						IacScannerConfig: services.IacScannerConfig{
+							EnableIacScan:   true,
+							ExcludePatterns: []string{"*iac/gcp*"},
+						},
+					},
+				}},
+				IsDefault: false,
+			},
+			expectedIacIssues: 0,
+		},
 		{
 			name:        "Enable All Scanners",
 			testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
@@ -379,8 +528,12 @@ func TestAuditWithConfigProfile(t *testing.T) {
 					ModuleName:   "all-jas-module",
 					PathFromRoot: ".",
 					ScanConfig: services.ScanConfig{
-						EnableScaScan:                true,
-						EnableContextualAnalysisScan: true,
+						ScaScannerConfig: services.ScaScannerConfig{
+							EnableScaScan: true,
+						},
+						ContextualAnalysisScannerConfig: services.CaScannerConfig{
+							EnableCaScan: true,
+						},
 						SastScannerConfig: services.SastScannerConfig{
 							EnableSastScan: true,
 						},
@@ -402,6 +555,45 @@ func TestAuditWithConfigProfile(t *testing.T) {
 			expectedCaNotCovered:    4,
 			expectedCaNotApplicable: 2,
 		},
+		{
+			name:        "All scanners enabled but some with exclude patterns",
+			testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
+			configProfile: services.ConfigProfile{
+				ProfileName: "some-scanners-with-exclusions",
+				Modules: []services.Module{{
+					ModuleId:     1,
+					ModuleName:   "some-scanners-with-exclusions-module",
+					PathFromRoot: ".",
+					ScanConfig: services.ScanConfig{
+						ScaScannerConfig: services.ScaScannerConfig{
+							EnableScaScan: true,
+						},
+						ContextualAnalysisScannerConfig: services.CaScannerConfig{
+							EnableCaScan: true,
+						},
+						SastScannerConfig: services.SastScannerConfig{
+							EnableSastScan:  true,
+							ExcludePatterns: []string{"*flask_webgoat*"},
+						},
+						SecretsScannerConfig: services.SecretsScannerConfig{
+							EnableSecretsScan: true,
+							ExcludePatterns:   []string{"*api_secrets*"},
+						},
+						IacScannerConfig: services.IacScannerConfig{
+							EnableIacScan: true,
+						},
+					},
+				}},
+				IsDefault: false,
+			},
+			expectedSastIssues:      0,
+			expectedSecretsIssues:   7,
+			expectedIacIssues:       9,
+			expectedCaApplicable:    3,
+			expectedCaUndetermined:  6,
+			expectedCaNotCovered:    4,
+			expectedCaNotApplicable: 2,
+		},
 	}
 
 	for _, testcase := range testcases {
@@ -413,19 +605,19 @@ func TestAuditWithConfigProfile(t *testing.T) {
 			defer createTempDirCallback()
 			assert.NoError(t, biutils.CopyDir(testcase.testDirPath, tempDirPath, true, nil))
 
+			configProfile := testcase.configProfile
 			auditBasicParams := (&utils.AuditBasicParams{}).
 				SetServerDetails(serverDetails).
 				SetXrayVersion(utils.EntitlementsMinVersion).
 				SetXscVersion(services.ConfigProfileMinXscVersion).
 				SetOutputFormat(format.Table).
-				SetUseJas(true)
+				SetUseJas(true).
+				SetConfigProfile(&configProfile)
 
-			configProfile := testcase.configProfile
 			auditParams := NewAuditParams().
 				SetWorkingDirs([]string{tempDirPath}).
 				SetMultiScanId(validations.TestMsi).
 				SetGraphBasicParams(auditBasicParams).
-				SetConfigProfile(&configProfile).
 				SetResultsContext(results.ResultContext{IncludeVulnerabilities: true})
 
 			auditParams.SetWorkingDirs([]string{tempDirPath}).SetIsRecursiveScan(true)

commands/audit/auditparams.go

@@ -7,7 +7,6 @@ import (
 	"github.com/jfrog/jfrog-cli-security/utils/results"
 	"github.com/jfrog/jfrog-cli-security/utils/severityutils"
 	"github.com/jfrog/jfrog-client-go/xray/services"
-	xscservices "github.com/jfrog/jfrog-client-go/xsc/services"
 )
 
 type AuditParams struct {
@@ -22,7 +21,6 @@ type AuditParams struct {
 	// Include third party dependencies source code in the applicability scan.
 	thirdPartyApplicabilityScan bool
 	threads                     int
-	configProfile               *xscservices.ConfigProfile
 	scanResultsOutputDir        string
 	startTime                   time.Time
 }
@@ -112,11 +110,6 @@ func (params *AuditParams) SetResultsContext(resultsContext results.ResultContex
 	return params
 }
 
-func (params *AuditParams) SetConfigProfile(configProfile *xscservices.ConfigProfile) *AuditParams {
-	params.configProfile = configProfile
-	return params
-}
-
 func (params *AuditParams) SetScansResultsOutputDir(outputDir string) *AuditParams {
 	params.scanResultsOutputDir = outputDir
 	return params

commands/audit/sca/common.go

@@ -31,6 +31,10 @@ var CurationErrorMsgToUserTemplate = "Failed to retrieve the dependencies tree f
 
 func GetExcludePattern(params utils.AuditParams) string {
 	exclusions := params.Exclusions()
+	if configProfile := params.GetConfigProfile(); configProfile != nil {
+		exclusions = append(exclusions, configProfile.Modules[0].ScanConfig.ScaScannerConfig.ExcludePatterns...)
+	}
+
 	if len(exclusions) == 0 {
 		exclusions = append(exclusions, utils.DefaultScaExcludePatterns...)
 	}