Remidiation static sca (jfrog#590)

attiasas · web-flow · commit 898cae80671f · 2025-11-04T16:51:33.000+02:00
diff --git a/go.mod b/go.mod
@@ -2,6 +2,9 @@ module github.com/jfrog/jfrog-cli-security
 
 go 1.24.6
 
+// TODO: update xray-scan lib to latest version that supports CycloneDX v0.9.3 (not yet released)
+replace github.com/CycloneDX/cyclonedx-go => github.com/CycloneDX/cyclonedx-go v0.9.2
+
 require (
 	github.com/CycloneDX/cyclonedx-go v0.9.3
 	github.com/beevik/etree v1.4.0
@@ -17,7 +20,7 @@ require (
 	github.com/jfrog/jfrog-apps-config v1.0.1
 	github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec
 	github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451
-	github.com/jfrog/jfrog-client-go v1.55.1-0.20251030113529-d87ecf28ffb6
+	github.com/jfrog/jfrog-client-go v1.55.1-0.20251103081126-15edfe03d6e5
 	github.com/magiconair/properties v1.8.10
 	github.com/owenrumney/go-sarif/v3 v3.2.3
 	github.com/package-url/packageurl-go v0.1.3
@@ -124,13 +127,12 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-// attiasas:retry_build_scan
-replace github.com/jfrog/jfrog-client-go => github.com/attiasas/jfrog-client-go v0.0.0-20251030094108-376296f968cc
+// replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go master
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 master
 
-//replace github.com/jfrog/jfrog-cli-artifactory => github.com/fluxxBot/jfrog-cli-artifactory v0.0.0-20251017061455-6a03988302bf
+//replace github.com/jfrog/jfrog-cli-artifactory => github.com/jfrog/jfrog-cli-artifactory main
 
-// replace github.com/jfrog/build-info-go => github.com/attiasas/build-info-go dev
+// replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go dev
 
 // replace github.com/jfrog/froggit-go => github.com/jfrog/froggit-go master
diff --git a/go.sum b/go.sum
@@ -4,8 +4,8 @@ dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
-github.com/CycloneDX/cyclonedx-go v0.9.3 h1:Pyk/lwavPz7AaZNvugKFkdWOm93MzaIyWmBwmBo3aUI=
-github.com/CycloneDX/cyclonedx-go v0.9.3/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6SbM2ZuMIgq86Jg=
+github.com/CycloneDX/cyclonedx-go v0.9.2 h1:688QHn2X/5nRezKe2ueIVCt+NRqf7fl3AVQk+vaFcIo=
+github.com/CycloneDX/cyclonedx-go v0.9.2/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6SbM2ZuMIgq86Jg=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
@@ -21,6 +21,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/attiasas/jfrog-client-go v0.0.0-20251027091559-b3d20c0c4c64 h1:Cn41pu2bfTjWq18sm/GgLJCkSZUtgKZM6CeIjuUmw7E=
+github.com/attiasas/jfrog-client-go v0.0.0-20251027091559-b3d20c0c4c64/go.mod h1:7E859kSn1CaF9A2LH/zAXNPO6bGViNoJ0yqEJYwCu0E=
 github.com/attiasas/jfrog-client-go v0.0.0-20251030094108-376296f968cc h1:AJQueJft8TFJ7s46cr8saEFGfcJEDAxUJ/rhkCnWsP0=
 github.com/attiasas/jfrog-client-go v0.0.0-20251030094108-376296f968cc/go.mod h1:wsMEtoyAu/1bARUHxFdmgz83g96ml7ZWcFioIPiuz/U=
 github.com/beevik/etree v1.4.0 h1:oz1UedHRepuY3p4N5OjE0nK1WLCqtzHf25bxplKOHLs=
@@ -142,6 +144,8 @@ github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec h1:i
 github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec/go.mod h1:JE/35+kU8cBET4I4iuNcVBvhm8SF64DAmGgtHRzf5Do=
 github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451 h1:Q0PY8VSOVsfvXzKiUnn+Rv7Ynf901QW6Wn1CbWpHBD0=
 github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451/go.mod h1:UOeOwEEmRIi57cRwghN5OBVoqkJieYQQfLpeqw8Yv38=
+github.com/jfrog/jfrog-client-go v1.55.1-0.20251103081126-15edfe03d6e5 h1:vjWXoDEkxpTkO9qRiqeFaB2jNpWWtTcINQ8eZ4RbO5o=
+github.com/jfrog/jfrog-client-go v1.55.1-0.20251103081126-15edfe03d6e5/go.mod h1:wsMEtoyAu/1bARUHxFdmgz83g96ml7ZWcFioIPiuz/U=
 github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
 github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo=
 github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=
diff --git a/sca/scan/enrich/runner.go b/sca/scan/enrich/runner.go
@@ -12,6 +12,8 @@ import (
 
 	"github.com/jfrog/jfrog-cli-security/sca/scan"
 	"github.com/jfrog/jfrog-cli-security/utils/catalog"
+	"github.com/jfrog/jfrog-cli-security/utils/xray"
+	"github.com/jfrog/jfrog-cli-security/utils/xray/remediation"
 )
 
 type EnrichScanStrategy struct {
@@ -58,6 +60,20 @@ func (ess *EnrichScanStrategy) SbomEnrichTask(target *cyclonedx.BOM) (enriched *
 		return nil, []services.Violation{}, fmt.Errorf("failed to create catalog service manager: %w", err)
 	}
 	enriched, err = catalogManager.Enrich(target)
+	if err != nil {
+		return nil, []services.Violation{}, fmt.Errorf("failed to enrich SBOM: %w", err)
+	}
+	log.Debug("SBOM enrichment completed successfully")
+	// Fixed versions are not returned from the enrich API, next we need to enrich with remediation API.
+	xrayManager, err := xray.CreateXrayServiceManager(ess.serverDetails, xray.WithScopedProjectKey(ess.projectKey))
+	if err != nil {
+		return nil, []services.Violation{}, fmt.Errorf("failed to create Xray service manager: %w", err)
+	}
+	err = remediation.AttachFixedVersionsToVulnerabilities(xrayManager, enriched)
+	if err != nil {
+		return nil, []services.Violation{}, fmt.Errorf("failed to attach fixed versions to vulnerabilities: %w", err)
+	}
+	log.Debug("SBOM remediation enrichment completed successfully")
 	return
 }
 
diff --git a/utils/formats/cdxutils/cyclonedxutils.go b/utils/formats/cdxutils/cyclonedxutils.go
@@ -450,20 +450,42 @@ func CreateScaImpactedAffects(impactedPackageComponent cyclonedx.Component, fixe
 		Range: &[]cyclonedx.AffectedVersions{},
 	}
 	// Affected version
-	*affect.Range = append(*affect.Range, cyclonedx.AffectedVersions{
+	AppendAffectedVersionsIfNotExists(&affect, cyclonedx.AffectedVersions{
 		Version: impactedPackageVersion,
 		Status:  cyclonedx.VulnerabilityStatusAffected,
 	})
 	// Fixed versions
 	for _, fixedVersion := range fixedVersions {
-		*affect.Range = append(*affect.Range, cyclonedx.AffectedVersions{
+		AppendAffectedVersionsIfNotExists(&affect, cyclonedx.AffectedVersions{
 			Version: fixedVersion,
 			Status:  cyclonedx.VulnerabilityStatusNotAffected,
 		})
 	}
 	return
 }
 
+func AppendAffectedVersionsIfNotExists(affect *cyclonedx.Affects, affectedVersions ...cyclonedx.AffectedVersions) {
+	if affect.Range == nil {
+		affect.Range = &[]cyclonedx.AffectedVersions{}
+	}
+	// Validate that the affected version does not already exist in the affected versions
+	for _, newAffectedVersion := range affectedVersions {
+		if newAffectedVersion.Version == "" {
+			continue
+		}
+		exists := false
+		for _, existingAffectedVersion := range *affect.Range {
+			if existingAffectedVersion.Version == newAffectedVersion.Version {
+				exists = true
+				break
+			}
+		}
+		if !exists {
+			*affect.Range = append(*affect.Range, newAffectedVersion)
+		}
+	}
+}
+
 type CdxVulnerabilityParams struct {
 	Ref         string
 	ID          string
diff --git a/utils/xray/remediation/cdxremediation.go b/utils/xray/remediation/cdxremediation.go
@@ -0,0 +1,83 @@
+package remediation
+
+import (
+	"fmt"
+
+	"github.com/CycloneDX/cyclonedx-go"
+
+	"github.com/jfrog/jfrog-client-go/utils/log"
+	"github.com/jfrog/jfrog-client-go/xray"
+	"github.com/jfrog/jfrog-client-go/xray/services/utils"
+
+	"github.com/jfrog/jfrog-cli-security/utils/formats/cdxutils"
+)
+
+func AttachFixedVersionsToVulnerabilities(xrayManager *xray.XrayServicesManager, bom *cyclonedx.BOM) error {
+	if bom.Vulnerabilities == nil || len(*bom.Vulnerabilities) == 0 {
+		log.Debug("No vulnerabilities found in the SBOM, skipping attaching fixed versions")
+		return nil
+	}
+	// Remediate the CVE by forcing the transitive dependency to a specific fix-version
+	remediationOptions, err := xrayManager.RemediationByCve(bom)
+	if err != nil {
+		return fmt.Errorf("failed to get remediation options from Xray: %w", err)
+	}
+	log.Verbose(fmt.Sprintf("Remediation options received from Xray: %+v", remediationOptions))
+	for _, vulnerability := range *bom.Vulnerabilities {
+		matchVulnerabilityToRemediationOptions(bom, &vulnerability, remediationOptions)
+	}
+	return nil
+}
+
+func matchVulnerabilityToRemediationOptions(bom *cyclonedx.BOM, vulnerability *cyclonedx.Vulnerability, remediationOptions utils.CveRemediationResponse) {
+	if vulnerability.Affects == nil || len(*vulnerability.Affects) == 0 {
+		log.Debug("No affected components found for vulnerability " + vulnerability.ID + ", skipping attaching fixed versions")
+		return
+	}
+	if cveRemediationOptions, found := remediationOptions[vulnerability.ID]; found {
+		for i, affect := range *vulnerability.Affects {
+			// Lets find the remediation for this specific component
+			affectComponent := cdxutils.SearchComponentByRef(bom.Components, affect.Ref)
+			if affectComponent == nil {
+				log.Debug("Affected component " + affect.Ref + " not found in BOM components, skipping attaching fixed versions for vulnerability " + vulnerability.ID)
+				continue
+			}
+			// Convert remediation steps to fixed versions affected versions
+			for _, step := range getAffectComponentCveRemediationStepsByFixedVersion(vulnerability.ID, *affectComponent, cveRemediationOptions) {
+				cdxutils.AppendAffectedVersionsIfNotExists(&affect, cyclonedx.AffectedVersions{
+					Version: step.UpgradeTo.Version,
+					Status:  cyclonedx.VulnerabilityStatusNotAffected,
+				})
+			}
+			(*vulnerability.Affects)[i] = affect
+		}
+	} else {
+		log.Debug("No remediation options found for vulnerability " + vulnerability.ID)
+	}
+}
+
+func getAffectComponentCveRemediationStepsByFixedVersion(cve string, component cyclonedx.Component, cveRemediationOptions []utils.Option) (steps []utils.OptionStep) {
+	for _, cveRemediationOption := range cveRemediationOptions {
+		if cveRemediationOption.Type != utils.InLock {
+			// We only want InLock remediation type (forcing the actual component to a specific fix version)
+			continue
+		}
+		for _, step := range cveRemediationOption.Steps {
+			if step.StepType == utils.NoFixVersion {
+				log.Debug(fmt.Sprintf("No fix version available for component '%s' in vulnerability '%s'", component.Name, cve))
+				continue
+			} else if step.StepType == utils.PackageNotFound {
+				log.Debug(fmt.Sprintf("Component '%s' not found in catalog for vulnerability '%s'", component.Name, cve))
+				continue
+			}
+			// We only want FixVersion step type
+			if step.StepType == utils.FixVersion && step.PkgVersion.Name == component.Name && step.PkgVersion.Version == component.Version {
+				steps = append(steps, step)
+			}
+		}
+	}
+	if len(steps) == 0 {
+		log.Debug(fmt.Sprintf("No remediation steps by forcing fixed version found for component '%s' in vulnerability '%s'", component.Name, cve))
+	}
+	return
+}
diff --git a/utils/xray/remediation/cdxremediation_test.go b/utils/xray/remediation/cdxremediation_test.go
