Diff scan (jfrog#389)

Author: attiasas

commands/audit/audit.go

@@ -296,19 +296,23 @@ func RunJasScans(auditParallelRunner *utils.SecurityParallelRunner, auditParams
 		return
 	}
 	auditParallelRunner.ResultsMu.Lock()
-	jasScanner, err = jas.CreateJasScanner(
-		serverDetails,
-		scanResults.SecretValidation,
-		auditParams.minSeverityFilter,
-		jas.GetAnalyzerManagerXscEnvVars(
-			auditParams.GetMultiScanId(),
-			utils.GetGitRepoUrlKey(auditParams.resultsContext.GitRepoHttpsCloneUrl),
-			auditParams.resultsContext.ProjectKey,
-			auditParams.resultsContext.Watches,
-			scanResults.GetTechnologies()...,
+	scannerOptions := []jas.JasScannerOption{
+		jas.WithEnvVars(
+			scanResults.SecretValidation,
+			jas.GetDiffScanTypeValue(auditParams.diffMode, auditParams.resultsToCompare),
+			jas.GetAnalyzerManagerXscEnvVars(
+				auditParams.GetMultiScanId(),
+				utils.GetGitRepoUrlKey(auditParams.resultsContext.GitRepoHttpsCloneUrl),
+				auditParams.resultsContext.ProjectKey,
+				auditParams.resultsContext.Watches,
+				scanResults.GetTechnologies()...,
+			),
 		),
-		auditParams.Exclusions()...,
-	)
+		jas.WithMinSeverity(auditParams.minSeverityFilter),
+		jas.WithExclusions(auditParams.Exclusions()...),
+		jas.WithResultsToCompare(auditParams.resultsToCompare),
+	}
+	jasScanner, err = jas.NewJasScanner(serverDetails, scannerOptions...)
 	jas.UpdateJasScannerWithExcludePatternsFromProfile(jasScanner, auditParams.AuditBasicParams.GetConfigProfile())
 
 	auditParallelRunner.ResultsMu.Unlock()
@@ -353,6 +357,7 @@ func createJasScansTasks(auditParallelRunner *utils.SecurityParallelRunner, scan
 				Module:                      *module,
 				ConfigProfile:               auditParams.AuditBasicParams.GetConfigProfile(),
 				ScansToPerform:              auditParams.ScansToPerform(),
+				SourceResultsToCompare:      scanner.GetResultsToCompare(utils.GetRelativePath(targetResult.Target, scanResults.GetCommonParentPath())),
 				SecretsScanType:             secrets.SecretsScannerType,
 				DirectDependencies:          auditParams.DirectDependencies(),
 				ThirdPartyApplicabilityScan: auditParams.thirdPartyApplicabilityScan,

commands/audit/audit_test.go

@@ -2,17 +2,16 @@ package audit
 
 import (
 	"fmt"
-	"net/http"
-	"path/filepath"
-	"sort"
-	"strings"
-	"testing"
-
 	commonCommands "github.com/jfrog/jfrog-cli-core/v2/common/commands"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 	configTests "github.com/jfrog/jfrog-cli-security/tests"
 	securityTestUtils "github.com/jfrog/jfrog-cli-security/tests/utils"
 	clientTests "github.com/jfrog/jfrog-client-go/utils/tests"
+	"net/http"
+	"path/filepath"
+	"sort"
+	"strings"
+	"testing"
 
 	"github.com/stretchr/testify/assert"
 
@@ -598,7 +597,7 @@ func TestAuditWithConfigProfile(t *testing.T) {
 
 	for _, testcase := range testcases {
 		t.Run(testcase.name, func(t *testing.T) {
-			mockServer, serverDetails := validations.XrayServer(t, validations.MockServerParams{XrayVersion: utils.EntitlementsMinVersion, XscVersion: services.ConfigProfileMinXscVersion})
+			mockServer, serverDetails, _ := validations.XrayServer(t, validations.MockServerParams{XrayVersion: utils.EntitlementsMinVersion, XscVersion: services.ConfigProfileMinXscVersion})
 			defer mockServer.Close()
 
 			tempDirPath, createTempDirCallback := coreTests.CreateTempDirWithCallbackAndAssert(t)
@@ -649,7 +648,7 @@ func TestAuditWithConfigProfile(t *testing.T) {
 
 // This test tests audit flow when providing --output-dir flag
 func TestAuditWithScansOutputDir(t *testing.T) {
-	mockServer, serverDetails := validations.XrayServer(t, validations.MockServerParams{XrayVersion: utils.EntitlementsMinVersion})
+	mockServer, serverDetails, _ := validations.XrayServer(t, validations.MockServerParams{XrayVersion: utils.EntitlementsMinVersion})
 	defer mockServer.Close()
 
 	outputDirPath, removeOutputDirCallback := coreTests.CreateTempDirWithCallbackAndAssert(t)
@@ -919,7 +918,7 @@ func TestCreateResultsContext(t *testing.T) {
 		}
 		for _, testCase := range testCases {
 			t.Run(fmt.Sprintf("%s - %s", test.name, testCase.name), func(t *testing.T) {
-				mockServer, serverDetails := validations.XrayServer(t, validations.MockServerParams{XrayVersion: test.xrayVersion, ReturnMockPlatformWatches: test.expectedPlatformWatches})
+				mockServer, serverDetails, _ := validations.XrayServer(t, validations.MockServerParams{XrayVersion: test.xrayVersion, ReturnMockPlatformWatches: test.expectedPlatformWatches})
 				defer mockServer.Close()
 				context := CreateAuditResultsContext(serverDetails, test.xrayVersion, testCase.watches, testCase.artifactoryRepoPath, testCase.jfrogProjectKey, testCase.httpCloneUrl, testCase.includeVulnerabilities, testCase.includeLicenses, testCase.includeSbom)
 				assert.Equal(t, testCase.expectedArtifactoryRepoPath, context.RepoPath)
@@ -933,3 +932,89 @@ func TestCreateResultsContext(t *testing.T) {
 		}
 	}
 }
+
+func TestAudit_DiffScanFlow(t *testing.T) {
+	testDirPath := filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas")
+	tempDirPath, createTempDirCallback := coreTests.CreateTempDirWithCallbackAndAssert(t)
+	defer createTempDirCallback()
+	assert.NoError(t, biutils.CopyDir(testDirPath, tempDirPath, true, nil))
+
+	testCases := []struct {
+		name                  string
+		resultsToCompare      *results.SecurityCommandResults
+		expectedApiCallsCount map[string]int
+	}{
+		{
+			name:                  "No results to compare, no api scan calls",
+			expectedApiCallsCount: map[string]int{},
+		},
+		{
+			name: "with results to compare, api scan calls",
+			resultsToCompare: &results.SecurityCommandResults{
+				Targets: []*results.TargetResults{
+					{
+						ScanTarget: results.ScanTarget{
+							Target:     tempDirPath,
+							Technology: techutils.Pip,
+						},
+						Sbom: results.Sbom{
+							Components: []results.SbomEntry{
+								{
+									Component: "werkzeug",
+									Version:   "1.0.2",
+									Type:      "Python",
+									XrayType:  "pypi",
+								},
+								{
+									Component: "pyyaml",
+									Version:   "5.2",
+									Type:      "Python",
+									XrayType:  "pypi",
+								},
+								{
+									Component: "wasabi",
+									Version:   "1.1.3",
+									Type:      "Python",
+									XrayType:  "pypi",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedApiCallsCount: map[string]int{
+				validations.GraphScanPostAPI: 1,
+				validations.GraphScanGetAPI:  1,
+			},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			testParams := validations.MockServerParams{
+				XrayVersion: utils.EntitlementsMinVersion,
+				XscVersion:  services.ConfigProfileMinXscVersion,
+			}
+			mockServer, serverDetails, apiCallsCount := validations.XrayServer(t, testParams)
+			defer mockServer.Close()
+
+			auditBasicParams := (&utils.AuditBasicParams{}).
+				SetServerDetails(serverDetails).
+				SetXrayVersion(utils.EntitlementsMinVersion).
+				SetXscVersion(services.ConfigProfileMinXscVersion).
+				SetOutputFormat(format.SimpleJson).
+				SetUseJas(false)
+
+			auditParams := NewAuditParams().
+				SetWorkingDirs([]string{tempDirPath}).
+				SetMultiScanId(validations.TestMsi).
+				SetGraphBasicParams(auditBasicParams).
+				SetResultsContext(results.ResultContext{IncludeVulnerabilities: true}).
+				SetDiffMode(true).
+				SetResultsToCompare(tc.resultsToCompare)
+
+			auditResults := RunAudit(auditParams)
+			assert.NoError(t, auditResults.GetErrors())
+			assert.Equal(t, tc.expectedApiCallsCount, *apiCallsCount)
+		})
+	}
+}

commands/audit/auditparams.go

@@ -23,6 +23,10 @@ type AuditParams struct {
 	threads                     int
 	scanResultsOutputDir        string
 	startTime                   time.Time
+	// Diff mode, scan only the files affected by the diff.
+	diffMode         bool
+	filesToScan      []string
+	resultsToCompare *results.SecurityCommandResults
 }
 
 func NewAuditParams() *AuditParams {
@@ -126,3 +130,30 @@ func (params *AuditParams) createXrayGraphScanParams() *services.XrayGraphScanPa
 		ScanType:               services.Dependency,
 	}
 }
+
+func (params *AuditParams) SetFilesToScan(filesToScan []string) *AuditParams {
+	params.filesToScan = filesToScan
+	return params
+}
+
+func (params *AuditParams) FilesToScan() []string {
+	return params.filesToScan
+}
+
+func (params *AuditParams) SetResultsToCompare(resultsToCompare *results.SecurityCommandResults) *AuditParams {
+	params.resultsToCompare = resultsToCompare
+	return params
+}
+
+func (params *AuditParams) ResultsToCompare() *results.SecurityCommandResults {
+	return params.resultsToCompare
+}
+
+func (params *AuditParams) SetDiffMode(diffMode bool) *AuditParams {
+	params.diffMode = diffMode
+	return params
+}
+
+func (params *AuditParams) DiffMode() bool {
+	return params.diffMode
+}

commands/audit/scarunner.go

@@ -4,10 +4,9 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/jfrog/jfrog-cli-security/commands/audit/sca/swift"
-
 	biutils "github.com/jfrog/build-info-go/utils"
 	"github.com/jfrog/jfrog-cli-security/commands/audit/sca/conan"
+	"github.com/jfrog/jfrog-cli-security/commands/audit/sca/swift"
 	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 	"golang.org/x/exp/slices"
 
@@ -99,9 +98,26 @@ func buildDepTreeAndRunScaScan(auditParallelRunner *utils.SecurityParallelRunner
 			_ = targetResult.AddTargetError(fmt.Errorf("failed to build dependency tree: %s", bdtErr.Error()), auditParams.AllowPartialResults())
 			continue
 		}
+		if auditParams.diffMode {
+			if auditParams.resultsToCompare == nil {
+				// First scan, no diff to compare
+				log.Debug(fmt.Sprintf("Diff scan - calculated dependencies tree for target %s, skipping scan part", targetResult.Target))
+				continue
+			} else if treeResult, bdtErr = getDiffDependencyTree(targetResult, results.SearchTargetResultsByPath(utils.GetRelativePath(targetResult.Target, cmdResults.GetCommonParentPath()), auditParams.resultsToCompare), treeResult.FullDepTrees...); bdtErr != nil {
+				_ = targetResult.AddTargetError(fmt.Errorf("failed to build diff dependency tree in source branch: %s", bdtErr.Error()), auditParams.AllowPartialResults())
+				continue
+			}
+		}
+		if treeResult.FlatTree == nil || len(treeResult.FlatTree.Nodes) == 0 {
+			// No dependencies were found. We don't want to run the scan in this case.
+			log.Debug(fmt.Sprintf("No dependencies were found in target %s. Skipping SCA", targetResult.Target))
+			continue
+		}
+		if err := logDeps(treeResult.FlatTree); err != nil {
+			log.Warn("Failed to log dependencies tree: " + err.Error())
+		}
 		// Create sca scan task
 		auditParallelRunner.ScaScansWg.Add(1)
-		// defer auditParallelRunner.ScaScansWg.Done()
 		_, taskErr := auditParallelRunner.Runner.AddTaskWithError(executeScaScanTask(auditParallelRunner, serverDetails, auditParams, targetResult, treeResult), func(err error) {
 			_ = targetResult.AddTargetError(fmt.Errorf("failed to execute SCA scan: %s", err.Error()), auditParams.AllowPartialResults())
 		})
@@ -133,7 +149,7 @@ func executeScaScanTask(auditParallelRunner *utils.SecurityParallelRunner, serve
 		auditParallelRunner.ResultsMu.Lock()
 		defer auditParallelRunner.ResultsMu.Unlock()
 		// We add the results before checking for errors, so we can display the results even if an error occurred.
-		scan.NewScaScanResults(sca.GetScaScansStatusCode(xrayErr, scanResults...), results.DepTreeToSbom(treeResult.FullDepTrees), scanResults...).IsMultipleRootProject = clientutils.Pointer(len(treeResult.FullDepTrees) > 1)
+		scan.NewScaScanResults(sca.GetScaScansStatusCode(xrayErr, scanResults...), scanResults...).IsMultipleRootProject = clientutils.Pointer(len(treeResult.FullDepTrees) > 1)
 		addThirdPartyDependenciesToParams(auditParams, scan.Technology, treeResult.FlatTree, treeResult.FullDepTrees)
 
 		if xrayErr != nil {
@@ -277,10 +293,10 @@ func GetTechDependencyTree(params xrayutils.AuditParams, artifactoryServerDetail
 	}
 	log.Debug(fmt.Sprintf("Created '%s' dependency tree with %d nodes. Elapsed time: %.1f seconds.", tech.ToFormal(), len(uniqueDeps), time.Since(startTime).Seconds()))
 	if len(uniqDepsWithTypes) > 0 {
-		depTreeResult.FlatTree, err = createFlatTreeWithTypes(uniqDepsWithTypes)
+		depTreeResult.FlatTree = createFlatTreeWithTypes(uniqDepsWithTypes)
 		return
 	}
-	depTreeResult.FlatTree, err = createFlatTree(uniqueDeps)
+	depTreeResult.FlatTree = createFlatTree(uniqueDeps)
 	return
 }
 
@@ -331,10 +347,7 @@ func SetResolutionRepoInAuditParamsIfExists(params utils.AuditParams, tech techu
 	return
 }
 
-func createFlatTreeWithTypes(uniqueDeps map[string]*xray.DepTreeNode) (*xrayCmdUtils.GraphNode, error) {
-	if err := logDeps(uniqueDeps); err != nil {
-		return nil, err
-	}
+func createFlatTreeWithTypes(uniqueDeps map[string]*xray.DepTreeNode) *xrayCmdUtils.GraphNode {
 	var uniqueNodes []*xrayCmdUtils.GraphNode
 	for uniqueDep, nodeAttr := range uniqueDeps {
 		node := &xrayCmdUtils.GraphNode{Id: uniqueDep}
@@ -344,26 +357,31 @@ func createFlatTreeWithTypes(uniqueDeps map[string]*xray.DepTreeNode) (*xrayCmdU
 		}
 		uniqueNodes = append(uniqueNodes, node)
 	}
-	return &xrayCmdUtils.GraphNode{Id: "root", Nodes: uniqueNodes}, nil
+	return &xrayCmdUtils.GraphNode{Id: "root", Nodes: uniqueNodes}
 }
 
-func createFlatTree(uniqueDeps []string) (*xrayCmdUtils.GraphNode, error) {
-	if err := logDeps(uniqueDeps); err != nil {
-		return nil, err
-	}
+func createFlatTree(uniqueDeps []string) *xrayCmdUtils.GraphNode {
 	uniqueNodes := []*xrayCmdUtils.GraphNode{}
 	for _, uniqueDep := range uniqueDeps {
 		uniqueNodes = append(uniqueNodes, &xrayCmdUtils.GraphNode{Id: uniqueDep})
 	}
-	return &xrayCmdUtils.GraphNode{Id: "root", Nodes: uniqueNodes}, nil
+	return &xrayCmdUtils.GraphNode{Id: "root", Nodes: uniqueNodes}
+}
+
+func flatTreeToStringList(flatTree *xrayCmdUtils.GraphNode) []string {
+	var uniqueNodes []string
+	for _, node := range flatTree.Nodes {
+		uniqueNodes = append(uniqueNodes, node.Id)
+	}
+	return uniqueNodes
 }
 
-func logDeps(uniqueDeps any) (err error) {
+func logDeps(flatTree *xrayCmdUtils.GraphNode) (err error) {
 	if log.GetLogger().GetLogLevel() != log.DEBUG {
 		// Avoid printing and marshaling if not on DEBUG mode.
 		return
 	}
-	jsonList, err := json.Marshal(uniqueDeps)
+	jsonList, err := json.Marshal(flatTreeToStringList(flatTree))
 	if errorutils.CheckError(err) != nil {
 		return err
 	}
@@ -388,6 +406,7 @@ func buildDependencyTree(scan *results.TargetResults, params *AuditParams) (*Dep
 	if treeResult.FlatTree == nil || len(treeResult.FlatTree.Nodes) == 0 {
 		return nil, errorutils.CheckErrorf("no dependencies were found. Please try to build your project and re-run the audit command")
 	}
+	scan.SetSbom(results.DepTreeToSbom(treeResult.FullDepTrees))
 	return &treeResult, nil
 }
 
@@ -402,3 +421,29 @@ func dumpScanResponseToFileIfNeeded(results []services.ScanResponse, scanResults
 	}
 	return utils.DumpContentToFile(fileContent, scanResultsOutputDir, scanType.String())
 }
+
+// Collect dependencies exists in target and not in resultsToCompare
+func getDiffDependencyTree(scanResults *results.TargetResults, resultsToCompare *results.TargetResults, fullDepTrees ...*xrayCmdUtils.GraphNode) (*DependencyTreeResult, error) {
+	if resultsToCompare == nil {
+		return nil, fmt.Errorf("failed to get diff dependency tree: no results to compare")
+	}
+	log.Debug(fmt.Sprintf("Comparing %s SBOM with %s to get diff", scanResults.Target, resultsToCompare.Target))
+	// Compare the dependency trees
+	filterDepsMap := datastructures.MakeSet[string]()
+	for _, component := range resultsToCompare.Sbom.Components {
+		filterDepsMap.Add(techutils.ToXrayComponentId(component.XrayType, component.Component, component.Version))
+	}
+	addedDepsMap := datastructures.MakeSet[string]()
+	for _, component := range scanResults.Sbom.Components {
+		componentId := techutils.ToXrayComponentId(component.XrayType, component.Component, component.Version)
+		if exists := filterDepsMap.Exists(componentId); !exists {
+			// Dependency in scan results but not in results to compare
+			addedDepsMap.Add(componentId)
+		}
+	}
+	diffDepTree := DependencyTreeResult{
+		FlatTree:     createFlatTree(addedDepsMap.ToSlice()),
+		FullDepTrees: fullDepTrees,
+	}
+	return &diffDepTree, nil
+}