Merge branch 'dev' of https://github.com/jfrog/jfrog-cli-security into config-profile-with-repo-api-integration

Author: eranturgeman

cli/docs/flags.go

@@ -2,9 +2,10 @@ package docs
 
 import (
 	"fmt"
-	"github.com/jfrog/jfrog-cli-security/commands/git"
 	"strings"
 
+	"github.com/jfrog/jfrog-cli-security/commands/git"
+
 	"github.com/jfrog/jfrog-cli-core/v2/common/cliutils"
 	pluginsCommon "github.com/jfrog/jfrog-cli-core/v2/plugins/common"
 	"github.com/jfrog/jfrog-cli-core/v2/plugins/components"
@@ -114,6 +115,7 @@ const (
 	useWrapperAudit              = auditPrefix + UseWrapper
 	ExcludeTestDeps              = "exclude-test-deps"
 	DepType                      = "dep-type"
+	MaxTreeDepth                 = "max-tree-depth"
 	ThirdPartyContextualAnalysis = "third-party-contextual-analysis"
 	RequirementsFile             = "requirements-file"
 	WorkingDirs                  = "working-dirs"
@@ -240,17 +242,18 @@ var flagsMap = map[string]components.Flag{
 		"List of exclusions separated by semicolons, utilized to skip sub-projects from undergoing an audit. These exclusions may incorporate the * and ? wildcards.",
 		components.WithStrDefaultValue(strings.Join(utils.DefaultScaExcludePatterns, ";")),
 	),
-	Mvn:     components.NewBoolFlag(Mvn, "Set to true to request audit for a Maven project."),
-	Gradle:  components.NewBoolFlag(Gradle, "Set to true to request audit for a Gradle project."),
-	Npm:     components.NewBoolFlag(Npm, "Set to true to request audit for a npm project."),
-	Pnpm:    components.NewBoolFlag(Pnpm, "Set to true to request audit for a Pnpm project."),
-	Yarn:    components.NewBoolFlag(Yarn, "Set to true to request audit for a Yarn project."),
-	Nuget:   components.NewBoolFlag(Nuget, "Set to true to request audit for a .NET project."),
-	Pip:     components.NewBoolFlag(Pip, "Set to true to request audit for a Pip project."),
-	Pipenv:  components.NewBoolFlag(Pipenv, "Set to true to request audit for a Pipenv project."),
-	Poetry:  components.NewBoolFlag(Poetry, "Set to true to request audit for a Poetry project."),
-	Go:      components.NewBoolFlag(Go, "Set to true to request audit for a Go project."),
-	DepType: components.NewStringFlag(DepType, "[npm] Defines npm dependencies type. Possible values are: all, devOnly and prodOnly."),
+	Mvn:          components.NewBoolFlag(Mvn, "Set to true to request audit for a Maven project."),
+	Gradle:       components.NewBoolFlag(Gradle, "Set to true to request audit for a Gradle project."),
+	Npm:          components.NewBoolFlag(Npm, "Set to true to request audit for a npm project."),
+	Pnpm:         components.NewBoolFlag(Pnpm, "Set to true to request audit for a Pnpm project."),
+	Yarn:         components.NewBoolFlag(Yarn, "Set to true to request audit for a Yarn project."),
+	Nuget:        components.NewBoolFlag(Nuget, "Set to true to request audit for a .NET project."),
+	Pip:          components.NewBoolFlag(Pip, "Set to true to request audit for a Pip project."),
+	Pipenv:       components.NewBoolFlag(Pipenv, "Set to true to request audit for a Pipenv project."),
+	Poetry:       components.NewBoolFlag(Poetry, "Set to true to request audit for a Poetry project."),
+	Go:           components.NewBoolFlag(Go, "Set to true to request audit for a Go project."),
+	DepType:      components.NewStringFlag(DepType, "[npm] Defines npm dependencies type. Possible values are: all, devOnly and prodOnly."),
+	MaxTreeDepth: components.NewStringFlag(MaxTreeDepth, "[pnpm] Max depth of the generated dependencies tree for SCA scan.", components.WithStrDefaultValue("Infinity")),
 	ThirdPartyContextualAnalysis: components.NewBoolFlag(
 		ThirdPartyContextualAnalysis,
 		"[npm] when set, the Contextual Analysis scan also uses the code of the project dependencies to determine the applicability of the vulnerability.",

cli/scancommands.go

@@ -206,7 +206,7 @@ func ScanCmd(c *components.Context) error {
 	if err != nil {
 		return err
 	}
-	xrayVersion, xscVersion, err := GetJfrogServicesVersion(serverDetails)
+	xrayVersion, xscVersion, err := xsc.GetJfrogServicesVersion(serverDetails)
 	if err != nil {
 		return err
 	}
@@ -453,7 +453,7 @@ func CreateAuditCmd(c *components.Context) (string, string, *coreConfig.ServerDe
 	if err != nil {
 		return "", "", nil, nil, err
 	}
-	xrayVersion, xscVersion, err := GetJfrogServicesVersion(serverDetails)
+	xrayVersion, xscVersion, err := xsc.GetJfrogServicesVersion(serverDetails)
 	if err != nil {
 		return "", "", nil, nil, err
 	}
@@ -500,6 +500,7 @@ func CreateAuditCmd(c *components.Context) (string, string, *coreConfig.ServerDe
 		SetInsecureTls(c.GetBoolFlagValue(flags.InsecureTls)).
 		SetNpmScope(c.GetStringFlagValue(flags.DepType)).
 		SetPipRequirementsFile(c.GetStringFlagValue(flags.RequirementsFile)).
+		SetMaxTreeDepth(c.GetStringFlagValue(flags.MaxTreeDepth)).
 		SetExclusions(pluginsCommon.GetStringsArrFlagValue(c, flags.Exclusions))
 	return xrayVersion, xscVersion, serverDetails, auditCmd, err
 }
@@ -713,7 +714,7 @@ func DockerScan(c *components.Context, image string) error {
 	if err != nil {
 		return err
 	}
-	xrayVersion, xscVersion, err := GetJfrogServicesVersion(serverDetails)
+	xrayVersion, xscVersion, err := xsc.GetJfrogServicesVersion(serverDetails)
 	if err != nil {
 		return err
 	}
@@ -747,26 +748,3 @@ func DockerScan(c *components.Context, image string) error {
 	}
 	return progressbar.ExecWithProgress(containerScanCommand)
 }
-
-func GetJfrogServicesVersion(serverDetails *coreConfig.ServerDetails) (xrayVersion, xscVersion string, err error) {
-	xrayManager, err := xray.CreateXrayServiceManager(serverDetails)
-	if err != nil {
-		return
-	}
-	xrayVersion, err = xrayManager.GetVersion()
-	if err != nil {
-		return
-	}
-	log.Debug("Xray version: " + xrayVersion)
-	xscService, err := xsc.CreateXscService(xrayVersion, serverDetails)
-	if err != nil {
-		return
-	}
-	xscVersion, e := xscService.GetVersion()
-	if e != nil {
-		log.Debug("Using Xray: " + e.Error())
-		return
-	}
-	log.Debug("XSC version: " + xscVersion)
-	return
-}

commands/audit/sca/pnpm/pnpm.go

@@ -10,9 +10,6 @@ import (
 	"github.com/jfrog/gofrog/datastructures"
 	"github.com/jfrog/gofrog/io"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
-	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
-
 	"github.com/jfrog/jfrog-cli-security/commands/audit/sca"
 	"github.com/jfrog/jfrog-cli-security/commands/audit/sca/npm"
 	"github.com/jfrog/jfrog-cli-security/utils"
@@ -21,6 +18,7 @@ import (
 	"github.com/jfrog/jfrog-client-go/utils/errorutils"
 	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
+	"golang.org/x/exp/maps"
 
 	biutils "github.com/jfrog/build-info-go/utils"
 	xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
@@ -123,13 +121,17 @@ func installProjectIfNeeded(pnpmExecPath, workingDir string) (dirForDependencies
 		err = fmt.Errorf("failed copying project to temp dir: %w", err)
 		return
 	}
-	err = getPnpmCmd(pnpmExecPath, dirForDependenciesCalculation, "install", npm.IgnoreScriptsFlag).GetCmd().Run()
+	output, err := getPnpmCmd(pnpmExecPath, dirForDependenciesCalculation, "install", npm.IgnoreScriptsFlag).GetCmd().CombinedOutput()
+	if err != nil {
+		err = fmt.Errorf("failed to install project: %w\n%s", err, string(output))
+	}
 	return
 }
 
 // Run 'pnpm ls ...' command (project must be installed) and parse the returned result to create a dependencies trees for the projects.
 func calculateDependencies(executablePath, workingDir string, params utils.AuditParams) (dependencyTrees []*xrayUtils.GraphNode, uniqueDeps []string, err error) {
-	lsArgs := append([]string{"--depth", "Infinity", "--json", "--long"}, params.Args()...)
+	lsArgs := append([]string{"--depth", params.MaxTreeDepth(), "--json", "--long"}, params.Args()...)
+	log.Debug("Running Pnpm ls command with args:", lsArgs)
 	npmLsCmdContent, err := getPnpmCmd(executablePath, workingDir, "ls", lsArgs...).RunWithOutput()
 	if err != nil {
 		return
@@ -163,13 +165,13 @@ func createProjectDependenciesTree(project pnpmLsProject) map[string]xray.DepTre
 	for depName, dependency := range project.Dependencies {
 		directDependency := getDependencyId(depName, dependency.Version)
 		directDependencies = append(directDependencies, directDependency)
-		appendTransitiveDependencies(directDependency, dependency.Dependencies, treeMap)
+		appendTransitiveDependencies(directDependency, dependency.Dependencies, &treeMap)
 	}
 	// Handle dev-dependencies
 	for depName, dependency := range project.DevDependencies {
 		directDependency := getDependencyId(depName, dependency.Version)
 		directDependencies = append(directDependencies, directDependency)
-		appendTransitiveDependencies(directDependency, dependency.Dependencies, treeMap)
+		appendTransitiveDependencies(directDependency, dependency.Dependencies, &treeMap)
 	}
 	if len(directDependencies) > 0 {
 		treeMap[getDependencyId(project.Name, project.Version)] = xray.DepTreeNode{Children: directDependencies}
@@ -182,21 +184,15 @@ func getDependencyId(depName, version string) string {
 	return techutils.Npm.GetPackageTypeId() + depName + ":" + version
 }
 
-func appendTransitiveDependencies(parent string, dependencies map[string]pnpmLsDependency, result map[string]xray.DepTreeNode) {
+func appendTransitiveDependencies(parent string, dependencies map[string]pnpmLsDependency, result *map[string]xray.DepTreeNode) {
 	for depName, dependency := range dependencies {
 		dependencyId := getDependencyId(depName, dependency.Version)
-		if node, ok := result[parent]; ok {
-			node.Children = appendUniqueChild(node.Children, dependencyId)
+		if node, ok := (*result)[parent]; ok {
+			node.Children = append(node.Children, dependencyId)
+			(*result)[parent] = node
 		} else {
-			result[parent] = xray.DepTreeNode{Children: []string{dependencyId}}
+			(*result)[parent] = xray.DepTreeNode{Children: []string{dependencyId}}
 		}
 		appendTransitiveDependencies(dependencyId, dependency.Dependencies, result)
 	}
 }
-
-func appendUniqueChild(children []string, candidateDependency string) []string {
-	if slices.Contains(children, candidateDependency) {
-		return children
-	}
-	return append(children, candidateDependency)
-}

commands/audit/sca/pnpm/pnpm_test.go

@@ -1,11 +1,13 @@
 package pnpm
 
 import (
-	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
-	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 	"path/filepath"
+	"sort"
 	"testing"
 
+	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
+	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -16,6 +18,70 @@ import (
 	"github.com/jfrog/jfrog-cli-security/utils"
 )
 
+func TestBuildDependencyTreeLimitedDepth(t *testing.T) {
+	// Create and change directory to test workspace
+	_, cleanUp := sca.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "npm", "npm-big-tree"))
+	defer cleanUp()
+	testCases := []struct {
+		name               string
+		treeDepth          string
+		expectedUniqueDeps []string
+		expectedTree       *xrayUtils.GraphNode
+	}{
+		{
+			name:      "Only direct dependencies",
+			treeDepth: "0",
+			expectedUniqueDeps: []string{
+				"npm://zen-website:1.0.0",
+				"npm://balaganjs:1.0.0",
+			},
+			expectedTree: &xrayUtils.GraphNode{
+				Id:    "npm://zen-website:1.0.0",
+				Nodes: []*xrayUtils.GraphNode{{Id: "npm://balaganjs:1.0.0"}},
+			},
+		},
+		{
+			name:      "With transitive dependencies",
+			treeDepth: "1",
+			expectedUniqueDeps: []string{
+				"npm://axios:1.7.9",
+				"npm://balaganjs:1.0.0",
+				"npm://yargs:13.3.0",
+				"npm://zen-website:1.0.0",
+			},
+			expectedTree: &xrayUtils.GraphNode{
+				Id: "npm://zen-website:1.0.0",
+				Nodes: []*xrayUtils.GraphNode{
+					{
+						Id:    "npm://balaganjs:1.0.0",
+						Nodes: []*xrayUtils.GraphNode{{Id: "npm://axios:1.7.9"}, {Id: "npm://yargs:13.3.0"}},
+					},
+				},
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			// Build dependency tree
+			params := &utils.AuditBasicParams{}
+			rootNode, uniqueDeps, err := BuildDependencyTree(params.SetMaxTreeDepth(testCase.treeDepth))
+			require.NoError(t, err)
+			sort.Slice(uniqueDeps, func(i, j int) bool {
+				return uniqueDeps[i] < uniqueDeps[j]
+			})
+			// Validations
+			assert.ElementsMatch(t, uniqueDeps, testCase.expectedUniqueDeps, "First is actual, Second is Expected")
+			if assert.Len(t, rootNode, 1) {
+				assert.Equal(t, rootNode[0].Id, testCase.expectedTree.Id)
+				if !tests.CompareTree(testCase.expectedTree, rootNode[0]) {
+					t.Error("expected:", testCase.expectedTree.Nodes, "got:", rootNode[0].Nodes)
+				}
+			}
+		})
+	}
+}
+
 func TestBuildDependencyTree(t *testing.T) {
 	// Create and change directory to test workspace
 	_, cleanUp := sca.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "npm", "npm-no-lock"))

commands/enrich/enrich.go

@@ -1,10 +1,10 @@
 package enrich
 
 import (
-	"encoding/json"
 	"encoding/xml"
 	"errors"
 	"fmt"
+	"github.com/jfrog/jfrog-cli-security/utils/results/output"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -17,7 +17,6 @@ import (
 	"github.com/jfrog/jfrog-cli-security/commands/enrich/enrichgraph"
 	"github.com/jfrog/jfrog-cli-security/utils"
 	"github.com/jfrog/jfrog-cli-security/utils/results"
-	"github.com/jfrog/jfrog-cli-security/utils/results/output"
 	"github.com/jfrog/jfrog-cli-security/utils/techutils"
 	"github.com/jfrog/jfrog-cli-security/utils/xray"
 	"github.com/jfrog/jfrog-client-go/artifactory/services/fspatterns"
@@ -27,6 +26,7 @@ import (
 	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
 	"github.com/jfrog/jfrog-client-go/xray/services"
+	orderedJson "github.com/virtuald/go-ordered-json"
 )
 
 type FileContext func(string) parallel.TaskFunc
@@ -75,8 +75,8 @@ func AppendVulnsToJson(cmdResults *results.SecurityCommandResults) error {
 	if err != nil {
 		return fmt.Errorf("error reading file: %s", err.Error())
 	}
-	var data map[string]interface{}
-	err = json.Unmarshal(fileContent, &data)
+	var data orderedJson.OrderedObject
+	err = orderedJson.Unmarshal(fileContent, &data)
 	if err != nil {
 		return fmt.Errorf("error parsing JSON: %s", err.Error())
 	}
@@ -93,7 +93,7 @@ func AppendVulnsToJson(cmdResults *results.SecurityCommandResults) error {
 			vulnerabilities = append(vulnerabilities, vulnerability)
 		}
 	}
-	data["vulnerabilities"] = vulnerabilities
+	data = append(data, orderedJson.Member{Key: "vulnerabilities", Value: vulnerabilities})
 	return output.PrintJson(data)
 }
 

commands/scan/scan.go

@@ -25,6 +25,7 @@ import (
 	"github.com/jfrog/jfrog-cli-security/utils/techutils"
 	"github.com/jfrog/jfrog-cli-security/utils/xray"
 	"github.com/jfrog/jfrog-cli-security/utils/xray/scangraph"
+	"github.com/jfrog/jfrog-cli-security/utils/xsc"
 	xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
 	"golang.org/x/sync/errgroup"
 
@@ -625,5 +626,9 @@ func directDepsListFromVulnerabilities(scanResult ...services.ScanResponse) *[]s
 }
 
 func ConditionalUploadDefaultScanFunc(serverDetails *config.ServerDetails, fileSpec *spec.SpecFiles, threads int, scanOutputFormat format.OutputFormat) error {
-	return NewScanCommand().SetServerDetails(serverDetails).SetSpec(fileSpec).SetThreads(threads).SetOutputFormat(scanOutputFormat).SetFail(true).SetPrintExtendedTable(false).Run()
+	xrayVersion, xscVersion, err := xsc.GetJfrogServicesVersion(serverDetails)
+	if err != nil {
+		return err
+	}
+	return NewScanCommand().SetServerDetails(serverDetails).SetXrayVersion(xrayVersion).SetXscVersion(xscVersion).SetSpec(fileSpec).SetThreads(threads).SetOutputFormat(scanOutputFormat).SetFail(true).SetPrintExtendedTable(false).Run()
 }

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/owenrumney/go-sarif/v2 v2.3.0
 	github.com/stretchr/testify v1.9.0
 	github.com/urfave/cli v1.22.16
+	github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74
 	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f
 	golang.org/x/sync v0.10.0
 	golang.org/x/text v0.21.0

go.sum

@@ -257,6 +257,8 @@ github.com/urfave/cli v1.22.16 h1:MH0k6uJxdwdeWQTwhSO42Pwr4YLrNLwBtg1MRgTqPdQ=
 github.com/urfave/cli v1.22.16/go.mod h1:EeJR6BKodywf4zciqrdw6hpCPk68JO9z5LazXZMn5Po=
 github.com/vbauerster/mpb/v8 v8.8.3 h1:dTOByGoqwaTJYPubhVz3lO5O6MK553XVgUo33LdnNsQ=
 github.com/vbauerster/mpb/v8 v8.8.3/go.mod h1:JfCCrtcMsJwP6ZwMn9e5LMnNyp3TVNpUWWkN+nd4EWk=
+github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74 h1:JwtAtbp7r/7QSyGz8mKUbYJBg2+6Cd7OjM8o/GNOcVo=
+github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74/go.mod h1:RmMWU37GKR2s6pgrIEB4ixgpVCt/cf7dnJv3fuH1J1c=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
 github.com/xanzy/go-gitlab v0.110.0 h1:hsFIFp01v/0D0sdUXoZfRk6CROzZbHQplk6NzKSFKhc=

jas/analyzermanager.go

@@ -24,7 +24,7 @@ import (
 const (
 	ApplicabilityFeatureId                    = "contextual_analysis"
 	AnalyzerManagerZipName                    = "analyzerManager.zip"
-	defaultAnalyzerManagerVersion             = "1.12.0"
+	defaultAnalyzerManagerVersion             = "1.12.2"
 	analyzerManagerDownloadPath               = "xsc-gen-exe-analyzer-manager-local/v1"
 	analyzerManagerDirName                    = "analyzerManager"
 	analyzerManagerExecutableName             = "analyzerManager"

tests/testdata/projects/package-managers/npm/npm-big-tree/package.json

@@ -0,0 +1,20 @@
+{
+    "name": "zen-website",
+    "version": "1.0.0",
+    "description": "",
+    "main": "index.js",
+    "publishConfig": {
+      "registry": "http://artifactory-unified.soleng-us.jfrog.team/artifactory/api/npm/npm/"
+    },
+    "scripts": {
+      "dev": "nodemon ./index.js",
+      "ui": "browser-sync start --config bs-config.js"
+    },
+    "keywords": [],
+    "author": "",
+    "license": "ISC",
+    "dependencies": {
+      "balaganjs": "1.0.0"
+    }
+  }
+