Fix build failure logic to consider applied policies rules (jfrog#501)

Author: eranturgeman

commands/audit/audit.go

@@ -240,7 +240,12 @@ func ProcessResultsAndOutput(auditResults *results.SecurityCommandResults, outpu
 		return
 	}
 	// Only in case Xray's context was given (!auditCmd.IncludeVulnerabilities), and the user asked to fail the build accordingly, do so.
-	if failBuild && auditResults.HasViolationContext() && results.CheckIfFailBuild(auditResults.GetScaScansXrayResults()) {
+	shouldFailBuildByPolicy, err := results.CheckIfFailBuild(auditResults)
+	if err != nil {
+		return fmt.Errorf("failed to check if the build should fail: %w", err)
+	}
+
+	if failBuild && auditResults.HasViolationContext() && shouldFailBuildByPolicy {
 		err = results.NewFailBuildError()
 	}
 	return

commands/scan/scan.go

@@ -248,10 +248,13 @@ func (scanCmd *ScanCommand) RunAndRecordResults(cmdType utils.CommandType, recor
 	}
 	// We consider failing the build only when --fail=true. If a user had provided --fail=false, we don't fail the build even when fail-build rules are applied.
 	// If violation context was provided, we need to check all existing violations for fail-build rules.
-	if scanCmd.fail && scanCmd.resultsContext.HasViolationContext() {
-		if results.CheckIfFailBuild(cmdResults.GetScaScansXrayResults()) {
-			return results.NewFailBuildError()
-		}
+	shouldFailBuildByPolicy, err := results.CheckIfFailBuild(cmdResults)
+	if err != nil {
+		return fmt.Errorf("failed to check if build should fail: %w", err)
+	}
+
+	if scanCmd.fail && scanCmd.resultsContext.HasViolationContext() && shouldFailBuildByPolicy {
+		return results.NewFailBuildError()
 	}
 	log.Info("Scan completed successfully.")
 	return nil

utils/results/common.go

@@ -53,18 +53,106 @@ func NewFailBuildError() error {
 	return coreutils.CliError{ExitCode: coreutils.ExitCodeVulnerableBuild, ErrorMsg: "One or more of the detected violations are configured to fail the build that including them"}
 }
 
-// In case one (or more) of the violations contains the field FailBuild set to true, CliError with exit code 3 will be returned.
-func CheckIfFailBuild(results []services.ScanResponse) bool {
-	for _, result := range results {
-		for _, violation := range result.Violations {
-			if violation.FailBuild {
+// This func iterates every violation and checks if there is a violation that should fail the build.
+// The build should be failed if there exists at least one violation in any target that holds the following conditions:
+// 1) The violation is set to fail the build by FailBuild or FailPr
+// 2) The violation has applicability status other than 'NotApplicable' OR the violation has 'NotApplicable' status and is not set to skip-non-applicable
+func CheckIfFailBuild(auditResults *SecurityCommandResults) (bool, error) {
+	for _, target := range auditResults.Targets {
+		shouldFailBuild := false
+		// We first check if JasResults exist so we can extract CA results and consider Applicability status when checking if the build should fail.
+		if target.JasResults == nil {
+			shouldFailBuild = checkIfFailBuildWithoutConsideringApplicability(target)
+		} else {
+			// If JasResults are not empty we check old and new violation while considering Applicability status and Skip-not-applicable policy rule.
+			if err := checkIfFailBuildConsideringApplicability(target, auditResults.EntitledForJas, &shouldFailBuild); err != nil {
+				return false, fmt.Errorf("failed to check if build should fail for target %s: %w", target.ScanTarget.Target, err)
+			}
+		}
+		if shouldFailBuild {
+			// If we found a violation that should fail the build, we return true.
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func checkIfFailBuildConsideringApplicability(target *TargetResults, entitledForJas bool, shouldFailBuild *bool) error {
+	jasApplicabilityResults := target.JasResults.GetApplicabilityScanResults()
+
+	// Get new violations from the target
+	newViolations := target.ScaResults.Violations
+
+	// Here we iterate the new violation results and check if any of them should fail the build.
+	_, _, err := ForEachScanGraphViolation(
+		target.ScanTarget,
+		newViolations,
+		entitledForJas,
+		jasApplicabilityResults,
+		checkIfShouldFailBuildAccordingToPolicy(shouldFailBuild),
+		nil,
+		nil)
+	if err != nil {
+		return err
+	}
+
+	// Here we iterate the deprecated violation results to check if any of them should fail the build.
+	// TODO remove this part once the DeprecatedXrayResults are completely removed and no longer in use
+	for _, result := range target.ScaResults.DeprecatedXrayResults {
+		deprecatedViolations := result.Scan.Violations
+		_, _, err = ForEachScanGraphViolation(
+			target.ScanTarget,
+			deprecatedViolations,
+			entitledForJas,
+			jasApplicabilityResults,
+			checkIfShouldFailBuildAccordingToPolicy(shouldFailBuild),
+			nil,
+			nil)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func checkIfFailBuildWithoutConsideringApplicability(target *TargetResults) bool {
+	for _, newViolation := range target.ScaResults.Violations {
+		if newViolation.FailBuild || newViolation.FailPr {
+			return true
+		}
+	}
+
+	// TODO remove this for loop once the DeprecatedXrayResults are completely removed and no longer in use
+	for _, scanResponse := range target.GetScaScansXrayResults() {
+		for _, oldViolation := range scanResponse.Violations {
+			if oldViolation.FailBuild || oldViolation.FailPr {
 				return true
 			}
 		}
 	}
 	return false
 }
 
+func checkIfShouldFailBuildAccordingToPolicy(shouldFailBuild *bool) func(violation services.Violation, cves []formats.CveRow, applicabilityStatus jasutils.ApplicabilityStatus, severity severityutils.Severity, impactedPackagesId string, fixedVersion []string, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) (err error) {
+	return func(violation services.Violation, cves []formats.CveRow, applicabilityStatus jasutils.ApplicabilityStatus, severity severityutils.Severity, impactedPackagesId string, fixedVersion []string, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) (err error) {
+		if !violation.FailBuild && !violation.FailPr {
+			// If the violation is not set to fail the build we simply return
+			return nil
+		}
+		// If the violation is set to fail the build, we check if the violation has NotApplicable status and is set to skip-non-applicable.
+		// If the violation is NotApplicable and is set to skip-non-applicable, we don't fail the build.
+		// If the violation has any other status OR has NotApplicable status but is not set to skip-not-applicable, we fail the build.
+		var shouldSkip bool
+		if shouldSkip, err = shouldSkipNotApplicable(violation, applicabilityStatus); err != nil {
+			return err
+		}
+		if !shouldSkip {
+			*shouldFailBuild = true
+		}
+		return nil
+	}
+}
+
 type ParseScanGraphVulnerabilityFunc func(vulnerability services.Vulnerability, cves []formats.CveRow, applicabilityStatus jasutils.ApplicabilityStatus, severity severityutils.Severity, impactedPackagesId string, fixedVersion []string, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) error
 type ParseScanGraphViolationFunc func(violation services.Violation, cves []formats.CveRow, applicabilityStatus jasutils.ApplicabilityStatus, severity severityutils.Severity, impactedPackagesId string, fixedVersion []string, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) error
 type ParseLicenseFunc func(license services.License, impactedPackagesId string, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) error

utils/results/common_test.go

@@ -24,21 +24,227 @@ import (
 
 func TestViolationFailBuild(t *testing.T) {
 	components := map[string]services.Component{"gav://antparent:ant:1.6.5": {}}
+
 	tests := []struct {
-		violations    []services.Violation
-		expectedError bool
+		name           string
+		auditResults   *SecurityCommandResults
+		expectedResult bool
 	}{
-		{[]services.Violation{{Components: components, FailBuild: false}, {Components: components, FailBuild: false}, {Components: components, FailBuild: false}}, false},
-		{[]services.Violation{{Components: components, FailBuild: false}, {Components: components, FailBuild: true}, {Components: components, FailBuild: false}}, true},
-		{[]services.Violation{{Components: components, FailBuild: true}, {Components: components, FailBuild: true}, {Components: components, FailBuild: true}}, true},
+		{
+			name:           "non-applicable violations with FailBuild & no skip-non-applicable in ScaResults.Violations - build should fail",
+			auditResults:   createSecurityCommandResultsForFailBuildTest(true, true, utils.NewBoolPtr(false)),
+			expectedResult: true,
+		},
+		{
+			name:           "non-applicable violations with FailBuild & skip-non-applicable in ScaResults.Violations - build should not fail",
+			auditResults:   createSecurityCommandResultsForFailBuildTest(true, true, utils.NewBoolPtr(true)),
+			expectedResult: false,
+		},
+		{
+			name:           "non-applicable violations with FailBuild & no skip-non-applicable in DeprecatedXrayResults - build should fail",
+			auditResults:   createSecurityCommandResultsForFailBuildTest(false, true, utils.NewBoolPtr(false)),
+			expectedResult: true,
+		},
+		{
+			name:           "non-applicable violations with FailBuild & skip-non-applicable in DeprecatedXrayResults - build should not fail",
+			auditResults:   createSecurityCommandResultsForFailBuildTest(false, true, utils.NewBoolPtr(true)),
+			expectedResult: false,
+		},
+		{
+			name:           "no applicability results, violations with FailBuild in DeprecatedXrayResults - build should fail",
+			auditResults:   createSecurityCommandResultsForFailBuildTest(false, false, nil),
+			expectedResult: true,
+		},
+		{
+			name:           "no applicability results, violations with FailBuild in ScaResults.Violations - build should fail",
+			auditResults:   createSecurityCommandResultsForFailBuildTest(true, false, nil),
+			expectedResult: true,
+		},
+		{
+			name: "multiple targets - first target should not fail, second target should fail",
+			auditResults: &SecurityCommandResults{
+				EntitledForJas: true,
+				Targets: []*TargetResults{
+					{
+						// First target - should not fail
+						ScanTarget: ScanTarget{Target: "test-target-1"},
+						ScaResults: &ScaScanResults{
+							Violations: []services.Violation{
+								{
+									// Violation 1: FailBuild & FailPr set to false - should not fail
+									Components:    components,
+									ViolationType: utils.ViolationTypeSecurity.String(),
+									FailBuild:     false,
+									FailPr:        false,
+									Cves:          []services.Cve{{Id: "CVE-2024-1111"}},
+									Severity:      "High",
+								},
+								{
+									// Violation 2: FailBuild=true, notApplicable, skip-not-applicable - should not fail
+									Components:    components,
+									ViolationType: utils.ViolationTypeSecurity.String(),
+									FailBuild:     true,
+									Policies:      []services.Policy{{SkipNotApplicable: true}},
+									Cves:          []services.Cve{{Id: "CVE-2024-2222"}},
+									Severity:      "High",
+								},
+							},
+						},
+						JasResults: &JasScansResults{
+							ApplicabilityScanResults: []ScanResult[[]*sarif.Run]{
+								{
+									Scan: []*sarif.Run{
+										{
+											Tool: &sarif.Tool{
+												Driver: &sarif.ToolComponent{
+													Rules: []*sarif.ReportingDescriptor{
+														{
+															ID: utils.NewStringPtr(jasutils.CveToApplicabilityRuleId("CVE-2024-2222")),
+															Properties: &sarif.PropertyBag{
+																Properties: map[string]interface{}{
+																	jasutils.ApplicabilitySarifPropertyKey: "not_applicable",
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+					{
+						// Second target - should fail
+						ScanTarget: ScanTarget{Target: "test-target-2"},
+						ScaResults: &ScaScanResults{
+							Violations: []services.Violation{
+								{
+									// Violation 1: FailBuild=true, notApplicable, NOT skip-not-applicable - should fail
+									Components:    components,
+									ViolationType: utils.ViolationTypeSecurity.String(),
+									FailBuild:     true,
+									Policies:      []services.Policy{{SkipNotApplicable: false}},
+									Cves:          []services.Cve{{Id: "CVE-2024-3333"}},
+									Severity:      "High",
+								},
+								{
+									// Violation 2: FailBuild & FailPr set to false - should not fail
+									Components:    components,
+									ViolationType: utils.ViolationTypeSecurity.String(),
+									FailBuild:     false,
+									FailPr:        false,
+									Cves:          []services.Cve{{Id: "CVE-2024-4444"}},
+									Severity:      "High",
+								},
+							},
+						},
+						JasResults: &JasScansResults{
+							ApplicabilityScanResults: []ScanResult[[]*sarif.Run]{
+								{
+									Scan: []*sarif.Run{
+										{
+											Tool: &sarif.Tool{
+												Driver: &sarif.ToolComponent{
+													Rules: []*sarif.ReportingDescriptor{
+														{
+															ID: utils.NewStringPtr(jasutils.CveToApplicabilityRuleId("CVE-2024-3333")),
+															Properties: &sarif.PropertyBag{
+																Properties: map[string]interface{}{
+																	jasutils.ApplicabilitySarifPropertyKey: "not_applicable",
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expectedResult: true, // Should fail because second target has a violation that should fail
+		},
 	}
 
 	for _, test := range tests {
-		var err error
-		if CheckIfFailBuild([]services.ScanResponse{{Violations: test.violations}}) {
-			err = NewFailBuildError()
+		t.Run(test.name, func(t *testing.T) {
+			shouldFailBuild, err := CheckIfFailBuild(test.auditResults)
+			assert.NoError(t, err)
+			assert.Equal(t, test.expectedResult, shouldFailBuild)
+		})
+	}
+}
+
+func createSecurityCommandResultsForFailBuildTest(useNewViolations bool, hasJasResults bool, skipNotApplicable *bool) *SecurityCommandResults {
+	components := map[string]services.Component{"gav://antparent:ant:1.6.5": {}}
+	cveId := "CVE-2024-1234"
+
+	target := &TargetResults{
+		ScanTarget: ScanTarget{Target: "test-target"},
+		ScaResults: &ScaScanResults{},
+	}
+
+	violation := services.Violation{
+		Components:    components,
+		ViolationType: utils.ViolationTypeSecurity.String(),
+		FailBuild:     true,
+		Cves:          []services.Cve{{Id: cveId}},
+		Severity:      "High",
+	}
+
+	if skipNotApplicable != nil {
+		violation.Policies = []services.Policy{{SkipNotApplicable: *skipNotApplicable}}
+	}
+
+	if useNewViolations {
+		target.ScaResults.Violations = []services.Violation{violation}
+	} else {
+		target.ScaResults.DeprecatedXrayResults = []ScanResult[services.ScanResponse]{
+			{
+				Scan: services.ScanResponse{
+					Violations: []services.Violation{violation},
+				},
+			},
+		}
+	}
+
+	if hasJasResults {
+		target.JasResults = &JasScansResults{
+			ApplicabilityScanResults: []ScanResult[[]*sarif.Run]{
+				{
+					Scan: []*sarif.Run{
+						{
+							Tool: &sarif.Tool{
+								Driver: &sarif.ToolComponent{
+									Rules: []*sarif.ReportingDescriptor{
+										{
+											ID: utils.NewStringPtr(jasutils.CveToApplicabilityRuleId(cveId)),
+											Properties: &sarif.PropertyBag{
+												Properties: map[string]interface{}{
+													jasutils.ApplicabilitySarifPropertyKey: "not_applicable",
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
 		}
-		assert.Equal(t, test.expectedError, err != nil)
+	} else {
+		target.JasResults = nil
+	}
+
+	return &SecurityCommandResults{
+		EntitledForJas: true,
+		Targets:        []*TargetResults{target},
 	}
 }