Merge remote-tracking branch 'upstream/dev' into one_home_to_rule_all_tests

Author: attiasas

cli/docs/flags.go

@@ -109,6 +109,7 @@ const (
 	MinSeverity         = "min-severity"
 	FixableOnly         = "fixable-only"
 	Rescan              = "rescan"
+	TriggerScanRetries  = "trigger-scan-retries"
 	Vuln                = "vuln"
 	buildPrefix         = "build-"
 	BuildVuln           = buildPrefix + Vuln
@@ -160,7 +161,7 @@ var commandFlags = map[string][]string{
 		url, user, password, accessToken, ServerId, Threads, InsecureTls,
 	},
 	BuildScan: {
-		url, user, password, accessToken, ServerId, scanProjectKey, BuildVuln, OutputFormat, Fail, ExtendedTable, Rescan, InsecureTls,
+		url, user, password, accessToken, ServerId, scanProjectKey, BuildVuln, OutputFormat, Fail, ExtendedTable, Rescan, InsecureTls, TriggerScanRetries,
 	},
 	DockerScan: {
 		url, xrayUrl, user, password, accessToken, ServerId, scanProjectKey, Watches, RepoPath, Licenses, Sbom, OutputFormat, Fail, ExtendedTable, BypassArchiveLimits, MinSeverity, FixableOnly, ScanVuln, SecretValidation, InsecureTls,
@@ -255,6 +256,7 @@ var flagsMap = map[string]components.Flag{
 	MinSeverity:         components.NewStringFlag(MinSeverity, "Set the minimum severity of issues to display. Acceptable values: Low, Medium, High, or Critical."),
 	FixableOnly:         components.NewBoolFlag(FixableOnly, "Set to true if you wish to display issues that have a fix version only."),
 	Rescan:              components.NewBoolFlag(Rescan, "Set to true when scanning an already successfully scanned build, for example after adding an ignore rule."),
+	TriggerScanRetries:  components.NewStringFlag(TriggerScanRetries, "Number of retries for triggering the build scan in Xray in case of failure.", components.WithIntDefaultValue(12)), // 5 seconds * 12 = 1 minute
 	BuildVuln:           components.NewBoolFlag(Vuln, "Set to true if you'd like to receive all vulnerabilities, regardless of the policy configured in Xray. Ignored if provided 'format' is 'sarif'."),
 	ScanVuln:            components.NewBoolFlag(Vuln, "Set to true if you'd like to receive all vulnerabilities, regardless of the policy configured in Xray."),
 	InsecureTls:         components.NewBoolFlag(InsecureTls, "Set to true to skip TLS certificates verification."),

cli/scancommands.go

@@ -356,11 +356,16 @@ func BuildScan(c *components.Context) error {
 	if err != nil {
 		return err
 	}
+	fetchRetries, err := c.GetIntFlagValue(flags.TriggerScanRetries)
+	if err != nil {
+		return err
+	}
 	buildScanCmd := scan.NewBuildScanCommand().
 		SetServerDetails(serverDetails).
 		// Sarif shouldn't include the additional all-vulnerabilities info that received by adding the vuln flag
 		SetIncludeVulnerabilities(getProject(c) == "" || (format != outputFormat.Sarif && c.GetBoolFlagValue(flags.Vuln))).
 		SetFailBuild(c.GetBoolFlagValue(flags.Fail)).
+		SetTriggerScanRetries(fetchRetries).
 		SetBuildConfiguration(buildConfiguration).
 		SetOutputFormat(format).
 		SetPrintExtendedTable(c.GetBoolFlagValue(flags.ExtendedTable)).

commands/scan/buildscan.go

@@ -32,6 +32,7 @@ type BuildScanCommand struct {
 	failBuild              bool
 	printExtendedTable     bool
 	rescan                 bool
+	triggerRetries         int
 }
 
 func NewBuildScanCommand() *BuildScanCommand {
@@ -77,6 +78,11 @@ func (bsc *BuildScanCommand) SetRescan(rescan bool) *BuildScanCommand {
 	return bsc
 }
 
+func (bsc *BuildScanCommand) SetTriggerScanRetries(triggerRetries int) *BuildScanCommand {
+	bsc.triggerRetries = triggerRetries
+	return bsc
+}
+
 // Scan published builds with Xray
 func (bsc *BuildScanCommand) Run() (err error) {
 	xrayManager, xrayVersion, err := xrayutils.CreateXrayServiceManagerAndGetVersion(bsc.serverDetails, xrayutils.WithScopedProjectKey(bsc.buildConfiguration.GetProject()))
@@ -120,7 +126,7 @@ func (bsc *BuildScanCommand) Run() (err error) {
 }
 
 func (bsc *BuildScanCommand) runBuildScanAndPrintResults(xrayManager *xray.XrayServicesManager, xrayVersion string, params services.XrayBuildParams) (isFailBuildResponse bool, err error) {
-	buildScanResults, noFailBuildPolicy, err := xrayManager.BuildScan(params, bsc.includeVulnerabilities)
+	buildScanResults, noFailBuildPolicy, err := xrayManager.BuildScan(params, bsc.includeVulnerabilities, bsc.triggerRetries)
 	if err != nil {
 		return false, err
 	}

go.mod

@@ -11,13 +11,13 @@ require (
 	github.com/gookit/color v1.6.0
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-plugin v1.6.3
-	github.com/jfrog/build-info-go v1.12.0
+	github.com/jfrog/build-info-go v1.12.1
 	github.com/jfrog/froggit-go v1.20.4
 	github.com/jfrog/gofrog v1.7.6
 	github.com/jfrog/jfrog-apps-config v1.0.1
 	github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec
 	github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451
-	github.com/jfrog/jfrog-client-go v1.55.1-0.20251023073119-78f187c9afbf
+	github.com/jfrog/jfrog-client-go v1.55.1-0.20251030113529-d87ecf28ffb6
 	github.com/magiconair/properties v1.8.10
 	github.com/owenrumney/go-sarif/v3 v3.2.3
 	github.com/package-url/packageurl-go v0.1.3
@@ -48,7 +48,7 @@ require (
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/fatih/color v1.16.0 // indirect
-	github.com/forPelevin/gomoji v1.4.0 // indirect
+	github.com/forPelevin/gomoji v1.4.1 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/gfleury/go-bitbucket-v1 v0.0.0-20230825095122-9bc1711434ab // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
@@ -124,7 +124,8 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-// replace github.com/jfrog/jfrog-client-go => github.com/attiasas/jfrog-client-go master
+// attiasas:retry_build_scan
+replace github.com/jfrog/jfrog-client-go => github.com/attiasas/jfrog-client-go v0.0.0-20251030094108-376296f968cc
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 master
 

go.sum

@@ -21,6 +21,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/attiasas/jfrog-client-go v0.0.0-20251030094108-376296f968cc h1:AJQueJft8TFJ7s46cr8saEFGfcJEDAxUJ/rhkCnWsP0=
+github.com/attiasas/jfrog-client-go v0.0.0-20251030094108-376296f968cc/go.mod h1:wsMEtoyAu/1bARUHxFdmgz83g96ml7ZWcFioIPiuz/U=
 github.com/beevik/etree v1.4.0 h1:oz1UedHRepuY3p4N5OjE0nK1WLCqtzHf25bxplKOHLs=
 github.com/beevik/etree v1.4.0/go.mod h1:cyWiXwGoasx60gHvtnEh5x8+uIjUVnjWqBvEnhnqKDA=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
@@ -61,8 +63,8 @@ github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FM
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
-github.com/forPelevin/gomoji v1.4.0 h1:RwrT+GimxEtFnGqq4ep1upwR54J5FP84aVAYJA+p8BQ=
-github.com/forPelevin/gomoji v1.4.0/go.mod h1:mM6GtmCgpoQP2usDArc6GjbXrti5+FffolyQfGgPboQ=
+github.com/forPelevin/gomoji v1.4.1 h1:7U+Bl8o6RV/dOQz7coQFWj/jX6Ram6/cWFOuFDEPEUo=
+github.com/forPelevin/gomoji v1.4.1/go.mod h1:mM6GtmCgpoQP2usDArc6GjbXrti5+FffolyQfGgPboQ=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
@@ -128,8 +130,8 @@ github.com/jedib0t/go-pretty/v6 v6.6.8 h1:JnnzQeRz2bACBobIaa/r+nqjvws4yEhcmaZ4n1
 github.com/jedib0t/go-pretty/v6 v6.6.8/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU=
 github.com/jfrog/archiver/v3 v3.6.1 h1:LOxnkw9pOn45DzCbZNFV6K0+6dCsQ0L8mR3ZcujO5eI=
 github.com/jfrog/archiver/v3 v3.6.1/go.mod h1:VgR+3WZS4N+i9FaDwLZbq+jeU4B4zctXL+gL4EMzfLw=
-github.com/jfrog/build-info-go v1.12.0 h1:/abBQdIxrkYjOwO79sIL0p+XPnMCCtKhiWToHKXXqHg=
-github.com/jfrog/build-info-go v1.12.0/go.mod h1:szdz9+WzB7+7PGnILLUgyY+OF5qD5geBT7UGNIxibyw=
+github.com/jfrog/build-info-go v1.12.1 h1:pXyx2F3MzrdbLPhYU8om+RHl87yEDYW+UwAUw3f40fQ=
+github.com/jfrog/build-info-go v1.12.1/go.mod h1:szdz9+WzB7+7PGnILLUgyY+OF5qD5geBT7UGNIxibyw=
 github.com/jfrog/froggit-go v1.20.4 h1:N9XkNV00HNjpI8p6xXlF9DrWmvE9hz3z2XRDAYJDweQ=
 github.com/jfrog/froggit-go v1.20.4/go.mod h1:obSG1SlsWjktkuqmKtpq7MNTTL63e0ot+ucTnlOMV88=
 github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s=
@@ -140,8 +142,6 @@ github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec h1:i
 github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec/go.mod h1:JE/35+kU8cBET4I4iuNcVBvhm8SF64DAmGgtHRzf5Do=
 github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451 h1:Q0PY8VSOVsfvXzKiUnn+Rv7Ynf901QW6Wn1CbWpHBD0=
 github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451/go.mod h1:UOeOwEEmRIi57cRwghN5OBVoqkJieYQQfLpeqw8Yv38=
-github.com/jfrog/jfrog-client-go v1.55.1-0.20251023073119-78f187c9afbf h1:Ld+lGdCauixqWbkwK+wJn3QbPPBRgY35KgY+MxgrgCg=
-github.com/jfrog/jfrog-client-go v1.55.1-0.20251023073119-78f187c9afbf/go.mod h1:jrODQbAbCt97F24d/0bYpqpdc0PFMuBxNJOTfTdW+Fk=
 github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
 github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo=
 github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=

jas/common.go

@@ -236,6 +236,7 @@ func processSarifRuns(sarifRuns []*sarif.Run, wd string, informationUrlSuffix st
 		sarifRun.Results = excludeSuppressResults(sarifRun.Results)
 		sarifRun.Results = excludeMinSeverityResults(sarifRun.Results, minSeverity)
 	}
+	sarifutils.ConvertRunsPathsToRelative(sarifRuns...)
 }
 
 func fillMissingRequiredDriverInformation(defaultJasInformationUri, defaultVersion string, run *sarif.Run) {

jas/common_test.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/owenrumney/go-sarif/v3/pkg/report/v210/sarif"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"golang.org/x/exp/slices"
 
 	jfrogAppsConfig "github.com/jfrog/jfrog-apps-config/go"
@@ -19,6 +20,7 @@ import (
 	"github.com/jfrog/jfrog-cli-security/utils/formats/sarifutils"
 	"github.com/jfrog/jfrog-cli-security/utils/jasutils"
 	"github.com/jfrog/jfrog-cli-security/utils/results"
+	"github.com/jfrog/jfrog-cli-security/utils/severityutils"
 	"github.com/jfrog/jfrog-cli-security/utils/techutils"
 )
 
@@ -593,3 +595,48 @@ func TestGetResultsToCompare(t *testing.T) {
 		})
 	}
 }
+
+func TestProcessSarifRuns(t *testing.T) {
+	wd, err := os.Getwd()
+	assert.NoError(t, err)
+
+	// Create dummy SARIF report.
+	dummyReport := sarif.NewReport()
+	dummyReport.AddRun(sarifutils.CreateRunWithDummyResults(
+		// Result below the minimum severity.
+		sarifutils.CreateResultWithOneLocation(fmt.Sprintf("file://%s", filepath.Join(wd, "file1")), 0, 1, 2, 3, "snippet", "rule1", "note"),
+		// Suppressed result.
+		sarifutils.CreateResultWithOneLocation(fmt.Sprintf("file://%s", filepath.Join(wd, "file3")), 0, 0, 0, 0, "snippet", "rule1", "warning").WithSuppressions([]*sarif.Suppression{sarif.NewSuppression()}),
+		// Valid result.
+		sarifutils.CreateResultWithOneLocation(fmt.Sprintf("file://%s", filepath.Join(wd, "dir", "file2")), 0, 0, 0, 0, "snippet", "rule1", "error"),
+	))
+
+	processSarifRuns(dummyReport.Runs, wd, "docs URL", severityutils.High)
+	run := dummyReport.Runs[0]
+
+	// Check Invocation added.
+	require.NotNil(t, run.Invocations)
+	require.Len(t, run.Invocations, 1)
+	require.NotNil(t, run.Invocations[0].WorkingDirectory)
+	require.NotNil(t, run.Invocations[0].WorkingDirectory.URI)
+	require.Equal(t, *run.Invocations[0].WorkingDirectory.URI, utils.ToURI(wd))
+
+	// Check driver info.
+	driver := run.Tool.Driver
+	require.NotNil(t, driver)
+	require.NotNil(t, driver.Version)
+	require.NotEmpty(t, *driver.Version)
+	require.NotNil(t, driver.InformationURI)
+	require.NotEmpty(t, *driver.InformationURI)
+
+	// Check severity level mapping.
+	require.Len(t, driver.Rules, 1)
+	rule := driver.Rules[0]
+	require.Equal(t, "8.9", sarifutils.GetRuleProperty(severityutils.SarifSeverityRuleProperty, rule))
+
+	// Check minimum severity and suppression filtering.
+	require.Len(t, run.Results, 1)
+	// Check file paths are relative and with / separators.
+	result := run.Results[0]
+	require.Equal(t, "dir/file2", sarifutils.GetLocationFileName(result.Locations[0]))
+}

sca/bom/buildinfo/technologies/gem/gem_test.go

@@ -12,7 +12,7 @@ import (
 	"github.com/jfrog/jfrog-cli-security/utils"
 )
 
-var expectedUniqueDeps = []string{"rubygems://puma:5.6.9", "rubygems://nio4r:2.7.4"}
+var expectedUniqueDeps = []string{"rubygems://puma:5.6.9", "rubygems://nio4r:2.7.5"}
 
 var expectedResult = &xrayUtils.GraphNode{
 	Id: "root",
@@ -21,7 +21,7 @@ var expectedResult = &xrayUtils.GraphNode{
 			Id: "rubygems://puma:5.6.9",
 			Nodes: []*xrayUtils.GraphNode{
 				{
-					Id:    "rubygems://nio4r:2.7.4",
+					Id:    "rubygems://nio4r:2.7.5",
 					Nodes: []*xrayUtils.GraphNode{},
 				},
 			},
@@ -52,15 +52,15 @@ func TestBuildDependencyTree(t *testing.T) {
 }
 
 // expectedUniqueDeps should be defined
-// expectedUniqueDeps := []string{"rubygems://puma:5.6.9", "rubygems://nio4r:2.7.4"}
+// expectedUniqueDeps := []string{"rubygems://puma:5.6.9", "rubygems://nio4r:2.7.5"}
 func TestCalculateUniqueDeps(t *testing.T) {
 	var input = &xrayUtils.GraphNode{
 		Nodes: []*xrayUtils.GraphNode{
 			{
 				Id: "rubygems://puma:5.6.9",
 				Nodes: []*xrayUtils.GraphNode{
 					{
-						Id:    "rubygems://nio4r:2.7.4",
+						Id:    "rubygems://nio4r:2.7.5",
 						Nodes: []*xrayUtils.GraphNode{},
 					},
 				},

sca/bom/buildinfo/technologies/pnpm/pnpm_test.go

@@ -43,7 +43,7 @@ func TestBuildDependencyTreeLimitedDepth(t *testing.T) {
 			name:      "With transitive dependencies",
 			treeDepth: "1",
 			expectedUniqueDeps: []string{
-				"npm://axios:1.12.2",
+				"npm://axios:1.13.1",
 				"npm://balaganjs:1.0.0",
 				"npm://yargs:13.3.0",
 				"npm://zen-website:1.0.0",
@@ -53,7 +53,7 @@ func TestBuildDependencyTreeLimitedDepth(t *testing.T) {
 				Nodes: []*xrayUtils.GraphNode{
 					{
 						Id:    "npm://balaganjs:1.0.0",
-						Nodes: []*xrayUtils.GraphNode{{Id: "npm://axios:1.12.2"}, {Id: "npm://yargs:13.3.0"}},
+						Nodes: []*xrayUtils.GraphNode{{Id: "npm://axios:1.13.1"}, {Id: "npm://yargs:13.3.0"}},
 					},
 				},
 			},

tests/testdata/output/audit/audit_simple_json.json

@@ -10,7 +10,7 @@
           "name": "lodash",
           "version": "4.17.0",
           "location": {
-            "file": "Users/user/project-with-issues/package.json"
+            "file": "package.json"
           }
         }
       ],
@@ -58,7 +58,7 @@
           "name": "lodash",
           "version": "4.17.0",
           "location": {
-            "file": "Users/user/project-with-issues/package.json"
+            "file": "package.json"
           }
         }
       ],
@@ -110,7 +110,7 @@
           "name": "lodash",
           "version": "4.17.0",
           "location": {
-            "file": "Users/user/project-with-issues/package.json"
+            "file": "package.json"
           }
         }
       ],
@@ -170,7 +170,7 @@
           "name": "lodash",
           "version": "4.17.0",
           "location": {
-            "file": "Users/user/project-with-issues/package.json"
+            "file": "package.json"
           }
         }
       ],
@@ -216,7 +216,7 @@
           "name": "jake",
           "version": "10.8.7",
           "location": {
-            "file": "Users/user/project-with-issues/package.json"
+            "file": "package.json"
           }
         }
       ],
@@ -299,7 +299,7 @@
           "name": "lodash",
           "version": "4.17.0",
           "location": {
-            "file": "Users/user/project-with-issues/package.json"
+            "file": "package.json"
           }
         }
       ],
@@ -349,7 +349,7 @@
           "name": "jake",
           "version": "10.8.7",
           "location": {
-            "file": "Users/user/project-with-issues/package.json"
+            "file": "package.json"
           }
         }
       ],
@@ -425,7 +425,7 @@
           "name": "lodash",
           "version": "4.17.0",
           "location": {
-            "file": "Users/user/project-with-issues/package.json"
+            "file": "package.json"
           }
         }
       ],
@@ -449,7 +449,7 @@
           "name": "lodash",
           "version": "4.17.0",
           "location": {
-            "file": "Users/user/project-with-issues/package.json"
+            "file": "package.json"
           }
         }
       ],