remove comments and unused code

Author: attiasas

commands/upload/uploadcdx.go

@@ -5,6 +5,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	clientUtils "github.com/jfrog/jfrog-client-go/utils"
 	ioUtils "github.com/jfrog/jfrog-client-go/utils/io"
 	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
@@ -175,7 +176,7 @@ func createRepositoryIfNeededAndUploadFile(filePath string, serverDetails *confi
 	log.Debug(fmt.Sprintf("Uploading scan results to %s", scanResultsRepository))
 	// target repo is <repository name>/<repository path>, If the target path ends with a slash, the path is assumed to be a folder.
 	// Else it is assumed to be a file. so we add a slash to the end of the repo to indicate that it is a folder.
-	uploaded, err := artifactory.UploadArtifactsByPattern(filePath, serverDetails, artifactory.AddSuffixSlashIfNeeded(scanResultsRepository), relatedProjectKey)
+	uploaded, err := artifactory.UploadArtifactsByPattern(filePath, serverDetails, clientUtils.AddTrailingSlashIfNeeded(scanResultsRepository), relatedProjectKey)
 	if err != nil {
 		return "", fmt.Errorf("failed to upload file %s to repository %s: %w", filePath, scanResultsRepository, err)
 	}

policy/local/localconvertor.go

@@ -7,7 +7,6 @@ import (
 
 	"github.com/CycloneDX/cyclonedx-go"
 	"github.com/jfrog/gofrog/datastructures"
-	// "github.com/jfrog/gofrog/log"
 	"github.com/jfrog/jfrog-cli-security/policy"
 	"github.com/jfrog/jfrog-cli-security/utils/formats"
 	"github.com/jfrog/jfrog-cli-security/utils/formats/cdxutils"
@@ -357,128 +356,3 @@ func ForEachScanGraphViolation(target results.ScanTarget, descriptors []string,
 	watches = watchesSet.ToSlice()
 	return
 }
-
-// This func iterates every violation and checks if there is a violation that should fail the build.
-// The build should be failed if there exists at least one violation in any target that holds the following conditions:
-// 1) The violation is set to fail the build by FailBuild or FailPr
-// 2) The violation has applicability status other than 'NotApplicable' OR the violation has 'NotApplicable' status and is not set to skip-non-applicable
-// func CheckIfFailBuild(auditResults *results.SecurityCommandResults) (bool, error) {
-// 	for _, target := range auditResults.Targets {
-// 		shouldFailBuild := false
-// 		// We first check if JasResults exist so we can extract CA results and consider Applicability status when checking if the build should fail.
-// 		if target.JasResults == nil {
-// 			shouldFailBuild = checkIfFailBuildWithoutConsideringApplicability(target)
-// 		} else {
-// 			// If JasResults are not empty we check old and new violation while considering Applicability status and Skip-not-applicable policy rule.
-// 			if err := checkIfFailBuildConsideringApplicability(target, auditResults.EntitledForJas, &shouldFailBuild); err != nil {
-// 				return false, fmt.Errorf("failed to check if build should fail for target %s: %w", target.ScanTarget.Target, err)
-// 			}
-// 		}
-// 		if shouldFailBuild {
-// 			// If we found a violation that should fail the build, we return true.
-// 			return true, nil
-// 		}
-// 	}
-// 	return false, nil
-// }
-
-// func checkIfFailBuildConsideringApplicability(target *results.TargetResults, entitledForJas bool, shouldFailBuild *bool) error {
-// 	jasApplicabilityResults := target.JasResults.GetApplicabilityScanResults()
-
-// 	if target.ScaResults == nil {
-// 		return nil
-// 	}
-// 	// Get new violations from the target
-// 	// newViolations := target.ScaResults.Violations
-
-// 	// // Here we iterate the new violation results and check if any of them should fail the build.
-// 	// _, _, err := ForEachScanGraphViolation(
-// 	// 	target.ScanTarget,
-// 	// 	[]string{},
-// 	// 	newViolations,
-// 	// 	entitledForJas,
-// 	// 	jasApplicabilityResults,
-// 	// 	checkIfShouldFailBuildAccordingToPolicy(shouldFailBuild),
-// 	// 	nil,
-// 	// 	nil)
-// 	// if err != nil {
-// 	// 	return err
-// 	// }
-
-// 	// Here we iterate the deprecated violation results to check if any of them should fail the build.
-// 	// TODO remove this part once the DeprecatedXrayResults are completely removed and no longer in use
-// 	for _, result := range target.ScaResults.DeprecatedXrayResults {
-// 		deprecatedViolations := result.Scan.Violations
-// 		_, _, err := ForEachScanGraphViolation(
-// 			target.ScanTarget,
-// 			[]string{},
-// 			deprecatedViolations,
-// 			entitledForJas,
-// 			jasApplicabilityResults,
-// 			checkIfShouldFailBuildAccordingToPolicy(shouldFailBuild),
-// 			nil,
-// 			nil)
-// 		if err != nil {
-// 			return err
-// 		}
-// 	}
-// 	return nil
-// }
-
-// func checkIfFailBuildWithoutConsideringApplicability(target *results.TargetResults) bool {
-// 	if target.ScaResults == nil {
-// 		return false
-// 	}
-// 	// for _, newViolation := range target.ScaResults.Violations {
-// 	// 	if newViolation.FailBuild || newViolation.FailPr {
-// 	// 		return true
-// 	// 	}
-// 	// }
-// 	// TODO remove this for loop once the DeprecatedXrayResults are completely removed and no longer in use
-// 	for _, scanResponse := range target.GetScaScansXrayResults() {
-// 		for _, oldViolation := range scanResponse.Violations {
-// 			if oldViolation.FailBuild || oldViolation.FailPr {
-// 				return true
-// 			}
-// 		}
-// 	}
-// 	return false
-// }
-
-// func checkIfShouldFailBuildAccordingToPolicy(shouldFailBuild *bool) func(violation services.Violation, cves []formats.CveRow, applicabilityStatus jasutils.ApplicabilityStatus, severity severityutils.Severity, impactedPackagesId string, fixedVersion []string, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) (err error) {
-// 	return func(violation services.Violation, cves []formats.CveRow, applicabilityStatus jasutils.ApplicabilityStatus, severity severityutils.Severity, impactedPackagesId string, fixedVersion []string, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) (err error) {
-// 		if !violation.FailBuild && !violation.FailPr {
-// 			// If the violation is not set to fail the build we simply return
-// 			return nil
-// 		}
-// 		// If the violation is set to fail the build, we check if the violation has NotApplicable status and is set to skip-non-applicable.
-// 		// If the violation is NotApplicable and is set to skip-non-applicable, we don't fail the build.
-// 		// If the violation has any other status OR has NotApplicable status but is not set to skip-not-applicable, we fail the build.
-// 		var shouldSkip bool
-// 		if shouldSkip, err = shouldSkipNotApplicable(violation, applicabilityStatus); err != nil {
-// 			return err
-// 		}
-// 		if !shouldSkip {
-// 			*shouldFailBuild = true
-// 		}
-// 		return nil
-// 	}
-// }
-
-// Checks if the violation's applicability status is NotApplicable and if all of its policies states that non-applicable CVEs should be skipped
-// func shouldSkipNotApplicable(violation services.Violation, applicabilityStatus jasutils.ApplicabilityStatus) (bool, error) {
-// 	if applicabilityStatus != jasutils.NotApplicable {
-// 		return false, nil
-// 	}
-
-// 	if len(violation.Policies) == 0 {
-// 		return false, errors.New("a violation with no policies was provided")
-// 	}
-
-// 	for _, policy := range violation.Policies {
-// 		if !policy.SkipNotApplicable {
-// 			return false, nil
-// 		}
-// 	}
-// 	return true, nil
-// }

utils/artifactory/artifactoryutils.go

@@ -107,13 +107,6 @@ func getArtifactsPaths(repo string, reader *content.ContentReader) (paths []stri
 	return
 }
 
-func AddSuffixSlashIfNeeded(path string) string {
-	if path != "" && !strings.HasSuffix(path, "/") {
-		path += "/"
-	}
-	return path
-}
-
 func IsRepoExists(repoKey string, serverDetails *config.ServerDetails) (exists bool, err error) {
 	if repoKey == "" || serverDetails == nil {
 		return false, errors.New("repository key and server details must be provided")

utils/formats/violationutils/violations.go

@@ -189,19 +189,17 @@ type JasViolation struct {
 
 type ScaViolation struct {
 	Violation
-	ImpactedComponent cyclonedx.Component `json:"impacted_component"`
-	// TODO:
-	DirectComponents []formats.ComponentRow   `json:"direct_components,omitempty"`
-	ImpactPaths      [][]formats.ComponentRow `json:"impact_paths,omitempty"`
+	ImpactedComponent cyclonedx.Component      `json:"impacted_component"`
+	DirectComponents  []formats.ComponentRow   `json:"direct_components,omitempty"`
+	ImpactPaths       [][]formats.ComponentRow `json:"impact_paths,omitempty"`
 }
 
 type CveViolation struct {
 	ScaViolation
 	CveVulnerability   cyclonedx.Vulnerability
-	ContextualAnalysis *formats.Applicability `json:"contextual_analysis,omitempty"`
-	// TODO:
-	FixedVersions *[]cyclonedx.AffectedVersions `json:"fixed_versions,omitempty"`
-	// TODO: remove after information displayed in cyclonedx.Vulnerability
+	ContextualAnalysis *formats.Applicability        `json:"contextual_analysis,omitempty"`
+	FixedVersions      *[]cyclonedx.AffectedVersions `json:"fixed_versions,omitempty"`
+	// TODO: remove comment after information displayed in cyclonedx.Vulnerability
 	JfrogResearchInformation *formats.JfrogResearchInformation `json:"jfrogResearchInformation,omitempty"`
 }
 

utils/results/conversion/sarifparser/sarifparser.go

@@ -200,17 +200,6 @@ func (sc *CmdResultsSarifConverter) validateBeforeParse() (err error) {
 
 func (sc *CmdResultsSarifConverter) DeprecatedParseScaVulnerabilities(descriptors []string, scaResponse results.ScanResult[services.ScanResponse], applicableScan ...results.ScanResult[[]*sarif.Run]) (err error) {
 	return sc.parseScaVulnerabilities(sc.currentTargetConvertedRuns.currentTarget, descriptors, scaResponse, applicableScan...)
-
-	// if violations {
-	// 	if err = sc.parseScaViolations(target, descriptors, scaResponse, applicableScan...); err != nil {
-	// 		return
-	// 	}
-	// 	return
-	// }
-	// if err = sc.parseScaVulnerabilities(target, descriptors, scaResponse, applicableScan...); err != nil {
-	// 	return
-	// }
-	// return
 }
 
 func (sc *CmdResultsSarifConverter) ParseViolations(violationsScanResults results.ScanResult[violationutils.Violations]) (err error) {
@@ -305,127 +294,6 @@ func (sc *CmdResultsSarifConverter) ParseViolations(violationsScanResults result
 	return
 }
 
-// func parseCveViolation() {
-
-// }
-
-// func (sc *CmdResultsSarifConverter) parseScaViolations(target results.ScanTarget, descriptors []string, scanResponse results.ScanResult[services.ScanResponse], applicableScan ...results.ScanResult[[]*sarif.Run]) (err error) {
-// 	if err = sc.validateBeforeParse(); err != nil {
-// 		return
-// 	}
-// 	if sc.currentTargetConvertedRuns.scaCurrentRun == nil {
-// 		sc.currentTargetConvertedRuns.scaCurrentRun = sc.createScaRun(target, len(sc.currentErrors))
-// 	}
-// 	// Parse violations
-// 	sarifResults, sarifRules, err := PrepareSarifScaViolations(sc.currentCmdType, target, descriptors, scanResponse.Scan.Violations, sc.entitledForJas, results.ScanResultsToRuns(applicableScan)...)
-// 	if err != nil || len(sarifRules) == 0 || len(sarifResults) == 0 {
-// 		return
-// 	}
-// 	sc.addScaResultsToCurrentRun(sarifRules, sarifResults...)
-// 	return
-// }
-
-// func PrepareSarifScaViolations(cmdType utils.CommandType, target results.ScanTarget, descriptors []string, violations []services.Violation, entitledForJas bool, applicabilityRuns ...*sarif.Run) ([]*sarif.Result, map[string]*sarif.ReportingDescriptor, error) {
-// 	sarifResults := []*sarif.Result{}
-// 	rules := map[string]*sarif.ReportingDescriptor{}
-// 	_, _, err := local.ForEachScanGraphViolation(
-// 		target,
-// 		descriptors,
-// 		violations,
-// 		entitledForJas,
-// 		applicabilityRuns,
-// 		addSarifScaSecurityViolation(cmdType, &sarifResults, &rules),
-// 		addSarifScaLicenseViolation(cmdType, &sarifResults, &rules),
-// 		// Operational risks violations are not supported in Sarif format
-// 		nil,
-// 	)
-// 	return sarifResults, rules, err
-// }
-
-// func addSarifScaSecurityViolation(cmdType utils.CommandType, sarifResults *[]*sarif.Result, rules *map[string]*sarif.ReportingDescriptor) local.ParseScanGraphViolationFunc {
-// 	return func(violation services.Violation, cves []formats.CveRow, applicabilityStatus jasutils.ApplicabilityStatus, severity severityutils.Severity, impactedPackagesId string, fixedVersions []string, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) error {
-// 		maxCveScore, err := results.FindMaxCVEScore(severity, applicabilityStatus, cves)
-// 		if err != nil {
-// 			return err
-// 		}
-// 		markdownDescription, err := getScaIssueMarkdownDescription(directComponents, maxCveScore, applicabilityStatus, fixedVersions)
-// 		if err != nil {
-// 			return err
-// 		}
-// 		impactedPackagesName, impactedPackagesVersion, _ := techutils.SplitComponentId(impactedPackagesId)
-// 		currentResults, currentRule := parseScaToSarifFormat(scaParseParams{
-// 			CmdType:                 cmdType,
-// 			IssueId:                 violation.IssueId,
-// 			Watch:                   violation.WatchName,
-// 			Summary:                 violation.Summary,
-// 			MarkdownDescription:     markdownDescription,
-// 			CveScore:                maxCveScore,
-// 			GenerateTitleFunc:       getScaSecurityViolationSarifHeadline,
-// 			Cves:                    cves,
-// 			Severity:                severity,
-// 			ApplicabilityStatus:     applicabilityStatus,
-// 			ImpactedPackagesName:    impactedPackagesName,
-// 			ImpactedPackagesVersion: impactedPackagesVersion,
-// 			FixedVersions:           fixedVersions,
-// 			DirectComponents:        directComponents,
-// 			ImpactPaths:             impactPaths,
-// 			Violation: &violationContext{
-// 				Watch:    violation.WatchName,
-// 				Policies: results.ConvertPolicesToString(violation.Policies),
-// 			},
-// 		})
-// 		cveImpactedComponentRuleId := results.GetScaIssueId(impactedPackagesName, impactedPackagesVersion, results.GetIssueIdentifier(cves, violation.IssueId, "_"))
-// 		if _, ok := (*rules)[cveImpactedComponentRuleId]; !ok {
-// 			// New Rule
-// 			(*rules)[cveImpactedComponentRuleId] = currentRule
-// 		}
-// 		*sarifResults = append(*sarifResults, currentResults...)
-// 		return nil
-// 	}
-// }
-
-// func addSarifScaLicenseViolation(cmdType utils.CommandType, sarifResults *[]*sarif.Result, rules *map[string]*sarif.ReportingDescriptor) local.ParseScanGraphViolationFunc {
-// 	return func(violation services.Violation, cves []formats.CveRow, applicabilityStatus jasutils.ApplicabilityStatus, severity severityutils.Severity, impactedPackagesId string, fixedVersions []string, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) error {
-// 		maxCveScore, err := results.FindMaxCVEScore(severity, applicabilityStatus, cves)
-// 		if err != nil {
-// 			return err
-// 		}
-// 		impactedPackagesName, impactedPackagesVersion, _ := techutils.SplitComponentId(impactedPackagesId)
-// 		markdownDescription, err := getScaLicenseViolationMarkdown(impactedPackagesName, impactedPackagesVersion, violation.LicenseKey, directComponents)
-// 		if err != nil {
-// 			return err
-// 		}
-// 		currentResults, currentRule := parseScaToSarifFormat(scaParseParams{
-// 			CmdType:                 cmdType,
-// 			Watch:                   violation.WatchName,
-// 			IssueId:                 violation.LicenseKey,
-// 			Summary:                 getLicenseViolationSummary(impactedPackagesName, impactedPackagesVersion, violation.LicenseKey),
-// 			MarkdownDescription:     markdownDescription,
-// 			CveScore:                maxCveScore,
-// 			GenerateTitleFunc:       getXrayLicenseSarifHeadline,
-// 			Cves:                    cves,
-// 			Severity:                severity,
-// 			ApplicabilityStatus:     applicabilityStatus,
-// 			ImpactedPackagesName:    impactedPackagesName,
-// 			ImpactedPackagesVersion: impactedPackagesVersion,
-// 			FixedVersions:           fixedVersions,
-// 			DirectComponents:        directComponents,
-// 			ImpactPaths:             impactPaths,
-// 			Violation: &violationutils.Violation{
-// 				Watch:    violation.WatchName,
-// 				Policies: results.ConvertPolicesToString(violation.Policies),
-// 			},
-// 		})
-// 		cveImpactedComponentRuleId := results.GetScaIssueId(impactedPackagesName, impactedPackagesVersion, results.GetIssueIdentifier(cves, violation.LicenseKey, "_"))
-// 		if _, ok := (*rules)[cveImpactedComponentRuleId]; !ok {
-// 			// New Rule
-// 			(*rules)[cveImpactedComponentRuleId] = currentRule
-// 		}
-// 		*sarifResults = append(*sarifResults, currentResults...)
-// 		return nil
-// 	}
-// }
-
 func (sc *CmdResultsSarifConverter) parseScaVulnerabilities(target results.ScanTarget, descriptors []string, scanResponse results.ScanResult[services.ScanResponse], applicableScan ...results.ScanResult[[]*sarif.Run]) (err error) {
 	if err = sc.validateBeforeParse(); err != nil {
 		return
@@ -923,27 +791,6 @@ func patchSarifRuns(params PatchSarifParams, runs ...*sarif.Run) []*sarif.Run {
 	return patchedRuns
 }
 
-// func patchRunsToPassIngestionRules(baseJfrogUrl string, cmdType utils.CommandType, subScanType utils.SubScanType, patchBinaryPaths, isViolations bool, target results.ScanTarget, runs ...*sarif.Run) []*sarif.Run {
-// 	patchedRuns := []*sarif.Run{}
-// 	// Patch changes may alter the original run, so we will create a new run for each
-// 	for _, run := range runs {
-// 		patched := sarifutils.CopyRun(run)
-// 		// Since we run in temp directories files should be relative
-// 		// Patch by converting the file paths to relative paths according to the invocations
-// 		convertPaths(cmdType, subScanType, patched)
-// 		if cmdType.IsTargetBinary() && subScanType == utils.SecretsScan {
-// 			// Patch the tool name in case of binary scan
-// 			sarifutils.SetRunToolName(BinarySecretScannerToolName, patched)
-// 		}
-// 		if patched.Tool.Driver != nil {
-// 			patched.Tool.Driver.Rules = patchRules(baseJfrogUrl, cmdType, subScanType, isViolations, patched.Tool.Driver.Rules...)
-// 		}
-// 		patched.Results = patchResults(cmdType, subScanType, patchBinaryPaths, isViolations, target, patched, patched.Results...)
-// 		patchedRuns = append(patchedRuns, patched)
-// 	}
-// 	return patchedRuns
-// }
-
 func patchPaths(params PatchSarifParams, runs ...*sarif.Run) {
 	if !params.ConvertPaths {
 		return
@@ -978,20 +825,6 @@ func pathTool(params PatchSarifParams, runs ...*sarif.Run) {
 	}
 }
 
-// func convertPaths(commandType utils.CommandType, subScanType utils.SubScanType, runs ...*sarif.Run) {
-// 	// Convert base on invocation for source code
-// 	sarifutils.ConvertRunsPathsToRelative(runs...)
-// 	if !(commandType == utils.DockerImage && subScanType == utils.SecretsScan) {
-// 		return
-// 	}
-// 	for _, run := range runs {
-// 		for _, result := range run.Results {
-// 			// For Docker secret scan, patch the logical location if not exists
-// 			patchDockerSecretLocations(result)
-// 		}
-// 	}
-// }
-
 // Patch the URI to be the file path from sha<number>/<hash>/
 // Extract the layer from the location URI, adds it as a logical location kind "layer"
 func patchDockerSecretLocations(result *sarif.Result) {