Pass project key to all XSC services to fix project scope token permissions bug (jfrog#593)

Author: eranturgeman

cli/gitcommands.go

@@ -87,7 +87,7 @@ func GitAuditCmd(c *components.Context) error {
 	sbomGenerator, scaScanStrategy := getScanDynamicLogic(c)
 	gitAuditCmd.SetSbomGenerator(sbomGenerator).SetScaScanStrategy(scaScanStrategy)
 	// Run the command with progress bar if needed, Reporting error if Xsc service is enabled
-	return reportErrorIfExists(xrayVersion, xscVersion, serverDetails, progressbar.ExecWithProgress(gitAuditCmd))
+	return reportErrorIfExists(xrayVersion, xscVersion, serverDetails, gitAuditCmd.GetProjectKey(), progressbar.ExecWithProgress(gitAuditCmd))
 }
 
 func GetCountContributorsParams(c *components.Context) (*contributors.CountContributorsParams, error) {

cli/scancommands.go

@@ -413,7 +413,7 @@ func AuditCmd(c *components.Context) error {
 	}
 	auditCmd.SetThreads(threads)
 	// Reporting error if Xsc service is enabled
-	return reportErrorIfExists(xrayVersion, xscVersion, serverDetails, progressbar.ExecWithProgress(auditCmd))
+	return reportErrorIfExists(xrayVersion, xscVersion, serverDetails, auditCmd.GetProjectKey(), progressbar.ExecWithProgress(auditCmd))
 }
 
 func CreateAuditCmd(c *components.Context) (string, string, *coreConfig.ServerDetails, *audit.AuditCommand, error) {
@@ -507,7 +507,7 @@ func AuditSpecificCmd(c *components.Context, technology techutils.Technology) er
 	technologies := []string{string(technology)}
 	auditCmd.SetTechnologies(technologies)
 	// Reporting error if Xsc service is enabled
-	return reportErrorIfExists(xrayVersion, xscVersion, serverDetails, progressbar.ExecWithProgress(auditCmd))
+	return reportErrorIfExists(xrayVersion, xscVersion, serverDetails, auditCmd.GetProjectKey(), progressbar.ExecWithProgress(auditCmd))
 }
 
 func CurationCmd(c *components.Context) error {

cli/utils.go

@@ -90,11 +90,11 @@ func shouldAddSubScan(subScan utils.SubScanType, c *components.Context) bool {
 		(subScan == utils.ContextualAnalysisScan && c.GetBoolFlagValue(flags.Sca) && !c.GetBoolFlagValue(flags.WithoutCA)) || (subScan == utils.SecretTokenValidationScan && c.GetBoolFlagValue(flags.Secrets) && c.GetBoolFlagValue(flags.SecretValidation))
 }
 
-func reportErrorIfExists(xrayVersion, xscVersion string, serverDetails *coreConfig.ServerDetails, err error) error {
+func reportErrorIfExists(xrayVersion, xscVersion string, serverDetails *coreConfig.ServerDetails, projectKey string, err error) error {
 	if err == nil || !usage.ShouldReportUsage() {
 		return err
 	}
-	if reportError := xsc.ReportError(xrayVersion, xscVersion, serverDetails, err, "cli"); reportError != nil {
+	if reportError := xsc.ReportError(xrayVersion, xscVersion, serverDetails, err, "cli", projectKey); reportError != nil {
 		log.Debug("failed to report error log:" + reportError.Error())
 	}
 	return err

commands/audit/audit.go

@@ -73,6 +73,10 @@ func (auditCmd *AuditCommand) SetProject(project string) *AuditCommand {
 	return auditCmd
 }
 
+func (auditCmd *AuditCommand) GetProjectKey() string {
+	return auditCmd.projectKey
+}
+
 func (auditCmd *AuditCommand) SetTargetRepoPath(repoPath string) *AuditCommand {
 	auditCmd.targetRepoPath = repoPath
 	return auditCmd
@@ -128,7 +132,7 @@ func CreateAuditResultsContext(serverDetails *config.ServerDetails, xrayVersion
 		return
 	}
 	// Get the defined and active watches from the platform.
-	manager, err := xsc.CreateXscService(serverDetails)
+	manager, err := xsc.CreateXscService(serverDetails, xrayutils.WithScopedProjectKey(projectKey))
 	if err != nil {
 		log.Warn(fmt.Sprintf("Failed to create Xray services manager: %s", err.Error()))
 		return
@@ -178,6 +182,7 @@ func (auditCmd *AuditCommand) Run() (err error) {
 		auditCmd.GetXscVersion(),
 		serverDetails,
 		xsc.CreateAnalyticsEvent(xscservices.CliProduct, xscservices.CliEventType, serverDetails),
+		auditCmd.projectKey,
 	)
 
 	auditParams := NewAuditParams().

commands/git/audit/gitaudit.go

@@ -119,6 +119,7 @@ func RunGitAudit(params GitAuditParams) (scanResults *results.SecurityCommandRes
 		params.xscVersion,
 		params.serverDetails,
 		event,
+		params.GetProjectKey(),
 	)
 	params.multiScanId = multiScanId
 	params.startTime = startTime

commands/git/audit/gitauditparams.go

@@ -57,6 +57,10 @@ func (gap *GitAuditParams) SetProjectKey(project string) *GitAuditParams {
 	return gap
 }
 
+func (gap *GitAuditParams) GetProjectKey() string {
+	return gap.resultsContext.ProjectKey
+}
+
 func (gap *GitAuditParams) SetFailBuild(failBuild bool) *GitAuditParams {
 	gap.failBuild = failBuild
 	return gap

commands/scan/dockerscan.go

@@ -78,6 +78,7 @@ func (dsc *DockerScanCommand) Run() (err error) {
 		dsc.xscVersion,
 		dsc.serverDetails,
 		xsc.CreateAnalyticsEvent(xscservices.CliProduct, xscservices.CliEventType, dsc.serverDetails),
+		dsc.resultsContext.ProjectKey,
 	)
 
 	dsc.SetSpec(spec.NewBuilder().

go.mod

@@ -12,12 +12,12 @@ require (
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-plugin v1.6.3
 	github.com/jfrog/build-info-go v1.12.0
-	github.com/jfrog/froggit-go v1.20.3
+	github.com/jfrog/froggit-go v1.20.4
 	github.com/jfrog/gofrog v1.7.6
 	github.com/jfrog/jfrog-apps-config v1.0.1
-	github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251017072454-f83a03ee98d6
-	github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251015045218-1a38c9e47097
-	github.com/jfrog/jfrog-client-go v1.55.1-0.20251015041910-ef0fe832b111
+	github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec
+	github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451
+	github.com/jfrog/jfrog-client-go v1.55.1-0.20251023073119-78f187c9afbf
 	github.com/magiconair/properties v1.8.10
 	github.com/owenrumney/go-sarif/v3 v3.2.3
 	github.com/package-url/packageurl-go v0.1.3

go.sum

@@ -130,18 +130,18 @@ github.com/jfrog/archiver/v3 v3.6.1 h1:LOxnkw9pOn45DzCbZNFV6K0+6dCsQ0L8mR3ZcujO5
 github.com/jfrog/archiver/v3 v3.6.1/go.mod h1:VgR+3WZS4N+i9FaDwLZbq+jeU4B4zctXL+gL4EMzfLw=
 github.com/jfrog/build-info-go v1.12.0 h1:/abBQdIxrkYjOwO79sIL0p+XPnMCCtKhiWToHKXXqHg=
 github.com/jfrog/build-info-go v1.12.0/go.mod h1:szdz9+WzB7+7PGnILLUgyY+OF5qD5geBT7UGNIxibyw=
-github.com/jfrog/froggit-go v1.20.3 h1:U3HHT0+AEHUVSSyQBbagQR4fLRqGqzSptPujDZuuDTk=
-github.com/jfrog/froggit-go v1.20.3/go.mod h1:obSG1SlsWjktkuqmKtpq7MNTTL63e0ot+ucTnlOMV88=
+github.com/jfrog/froggit-go v1.20.4 h1:N9XkNV00HNjpI8p6xXlF9DrWmvE9hz3z2XRDAYJDweQ=
+github.com/jfrog/froggit-go v1.20.4/go.mod h1:obSG1SlsWjktkuqmKtpq7MNTTL63e0ot+ucTnlOMV88=
 github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s=
 github.com/jfrog/gofrog v1.7.6/go.mod h1:ntr1txqNOZtHplmaNd7rS4f8jpA5Apx8em70oYEe7+4=
 github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY=
 github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
-github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251017072454-f83a03ee98d6 h1:k+L1EByW0oAjbl2GzBKpPjQ/V9HV/22WfXqR+opegnk=
-github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251017072454-f83a03ee98d6/go.mod h1:nT050Wb18tTlfcQHefyMENzFOz9Vdym6WP0Z3Nc2qHc=
-github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251015045218-1a38c9e47097 h1:+W6BPxJ0nPtlQ6l6nmypW1eEANoVPiN8HDR4kQJA8uI=
-github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251015045218-1a38c9e47097/go.mod h1:UOeOwEEmRIi57cRwghN5OBVoqkJieYQQfLpeqw8Yv38=
-github.com/jfrog/jfrog-client-go v1.55.1-0.20251015041910-ef0fe832b111 h1:IBkggQwQi7D4+vafA3f8aHSrgZ89bMdlMffmNQfjuLw=
-github.com/jfrog/jfrog-client-go v1.55.1-0.20251015041910-ef0fe832b111/go.mod h1:jrODQbAbCt97F24d/0bYpqpdc0PFMuBxNJOTfTdW+Fk=
+github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec h1:iB5bXWKvzNejqyUgqxKf8YNj+DBx1suf2r2KzI03wkU=
+github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec/go.mod h1:JE/35+kU8cBET4I4iuNcVBvhm8SF64DAmGgtHRzf5Do=
+github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451 h1:Q0PY8VSOVsfvXzKiUnn+Rv7Ynf901QW6Wn1CbWpHBD0=
+github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451/go.mod h1:UOeOwEEmRIi57cRwghN5OBVoqkJieYQQfLpeqw8Yv38=
+github.com/jfrog/jfrog-client-go v1.55.1-0.20251023073119-78f187c9afbf h1:Ld+lGdCauixqWbkwK+wJn3QbPPBRgY35KgY+MxgrgCg=
+github.com/jfrog/jfrog-client-go v1.55.1-0.20251023073119-78f187c9afbf/go.mod h1:jrODQbAbCt97F24d/0bYpqpdc0PFMuBxNJOTfTdW+Fk=
 github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
 github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo=
 github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=

utils/xsc/analyticsmetrics.go

@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/jfrog/jfrog-cli-security/utils"
+	"github.com/jfrog/jfrog-cli-security/utils/xray"
 
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
@@ -35,12 +36,12 @@ func CreateAnalyticsEvent(product xscservices.ProductName, eventType xscservices
 	return &event
 }
 
-func SendNewScanEvent(xrayVersion, xscVersion string, serviceDetails *config.ServerDetails, event *xscservices.XscAnalyticsGeneralEvent) (multiScanId string, startTime time.Time) {
+func SendNewScanEvent(xrayVersion, xscVersion string, serviceDetails *config.ServerDetails, event *xscservices.XscAnalyticsGeneralEvent, projectKey string) (multiScanId string, startTime time.Time) {
 	if !shouldReportEvents(xscVersion) {
 		log.Debug("Analytics metrics are disabled, skip sending event request to XSC")
 		return
 	}
-	xscService, err := CreateXscServiceBackwardCompatible(xrayVersion, serviceDetails)
+	xscService, err := CreateXscServiceBackwardCompatible(xrayVersion, serviceDetails, xray.WithScopedProjectKey(projectKey))
 	if err != nil {
 		log.Debug(fmt.Sprintf("failed to create xsc manager for analytics metrics service, error: %s ", err.Error()))
 		return
@@ -62,7 +63,7 @@ func SendScanEndedEvent(xrayVersion, xscVersion string, serviceDetails *config.S
 		return
 	}
 	// Generate the finalize event.
-	xscService, err := CreateXscServiceBackwardCompatible(xrayVersion, serviceDetails)
+	xscService, err := CreateXscServiceBackwardCompatible(xrayVersion, serviceDetails, xray.WithScopedProjectKey(resultsContext.ProjectKey))
 	if err != nil {
 		log.Debug(fmt.Sprintf("failed to create xsc manager for analytics metrics service, skip sending command finalize event, error: %s ", err.Error()))
 		return
@@ -131,12 +132,12 @@ func createFinalizedEvent(cmdResults *results.SecurityCommandResults) xscservice
 	return CreateFinalizedEvent(cmdResults.XrayVersion, cmdResults.MultiScanId, cmdResults.StartTime, getTotalFindings(cmdResults), &cmdResults.ResultContext, cmdResults.GetErrors())
 }
 
-func GetScanEvent(xrayVersion, xscVersion, multiScanId string, serviceDetails *config.ServerDetails) (*xscservices.XscAnalyticsGeneralEvent, error) {
+func GetScanEvent(xrayVersion, xscVersion, multiScanId string, serviceDetails *config.ServerDetails, projectKey string) (*xscservices.XscAnalyticsGeneralEvent, error) {
 	if !shouldReportEvents(xscVersion) {
 		log.Debug("Can't get general event from XSC - analytics metrics are disabled.")
 		return nil, nil
 	}
-	xscService, err := CreateXscServiceBackwardCompatible(xrayVersion, serviceDetails)
+	xscService, err := CreateXscServiceBackwardCompatible(xrayVersion, serviceDetails, xray.WithScopedProjectKey(projectKey))
 	if err != nil {
 		log.Debug(fmt.Sprintf("failed to create xsc manager for analytics metrics service, skip getting general event, error: %s ", err.Error()))
 		return nil, err