Fix breaking changes in remediation API (#616)

attiasas · web-flow · commit 135b0b52f648 · 2025-12-11T15:37:41.000+02:00
diff --git a/cli/docs/flags.go b/cli/docs/flags.go
@@ -173,7 +173,7 @@ var commandFlags = map[string][]string{
 		binarySca, binarySecrets, binaryWithoutCA, SecretValidation,
 	},
 	Enrich: {
-		Url, user, password, accessToken, ServerId, Threads, InsecureTls,
+		Url, XrayUrl, user, password, accessToken, ServerId, Threads, InsecureTls,
 	},
 	BuildScan: {
 		Url, XrayUrl, user, password, accessToken, ServerId, scanProjectKey, BuildVuln, OutputFormat, Fail, ExtendedTable, Rescan, InsecureTls, TriggerScanRetries,
diff --git a/go.mod b/go.mod
@@ -12,12 +12,12 @@ require (
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-plugin v1.6.3
 	github.com/jfrog/build-info-go v1.12.5-0.20251209171349-eb030db986f9
-	github.com/jfrog/froggit-go v1.20.4
+	github.com/jfrog/froggit-go v1.20.6
 	github.com/jfrog/gofrog v1.7.6
 	github.com/jfrog/jfrog-apps-config v1.0.1
-	github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251210120128-176c677fed4c
-	github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251125083543-e689762c4ff0
-	github.com/jfrog/jfrog-client-go v1.55.1-0.20251209090954-d6b1c70d3a5e
+	github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251211075913-35ebcd308e93
+	github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251210085744-f8481d179ac5
+	github.com/jfrog/jfrog-client-go v1.55.1-0.20251211124639-306f15dbcf29
 	github.com/magiconair/properties v1.8.10
 	github.com/owenrumney/go-sarif/v3 v3.2.3
 	github.com/package-url/packageurl-go v0.1.3
diff --git a/go.sum b/go.sum
@@ -148,18 +148,18 @@ github.com/jfrog/archiver/v3 v3.6.1 h1:LOxnkw9pOn45DzCbZNFV6K0+6dCsQ0L8mR3ZcujO5
 github.com/jfrog/archiver/v3 v3.6.1/go.mod h1:VgR+3WZS4N+i9FaDwLZbq+jeU4B4zctXL+gL4EMzfLw=
 github.com/jfrog/build-info-go v1.12.5-0.20251209171349-eb030db986f9 h1:CL7lp7Y7srwQ1vy1btX66t4wbztzEGQbqi/9tdEz7xk=
 github.com/jfrog/build-info-go v1.12.5-0.20251209171349-eb030db986f9/go.mod h1:9W4U440fdTHwW1HiB/R0VQvz/5q8ZHsms9MWcq+JrdY=
-github.com/jfrog/froggit-go v1.20.4 h1:N9XkNV00HNjpI8p6xXlF9DrWmvE9hz3z2XRDAYJDweQ=
-github.com/jfrog/froggit-go v1.20.4/go.mod h1:obSG1SlsWjktkuqmKtpq7MNTTL63e0ot+ucTnlOMV88=
+github.com/jfrog/froggit-go v1.20.6 h1:Xp7+LlEh0m1KGrQstb+u0aGfjRUtv1eh9xQBV3571jQ=
+github.com/jfrog/froggit-go v1.20.6/go.mod h1:obSG1SlsWjktkuqmKtpq7MNTTL63e0ot+ucTnlOMV88=
 github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s=
 github.com/jfrog/gofrog v1.7.6/go.mod h1:ntr1txqNOZtHplmaNd7rS4f8jpA5Apx8em70oYEe7+4=
 github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY=
 github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
-github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251210120128-176c677fed4c h1:uMs18TfF/472CsaoI3HAsvyo9B8ChFh855BdicqoT4c=
-github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251210120128-176c677fed4c/go.mod h1:7cCaRhXorlbyXZgiW5bplCExFxlnROaG21K12d8inpQ=
-github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251125083543-e689762c4ff0 h1:EsasTBE5i2MyCESS/icZxKIlObpGiOyW9K67MAaEWco=
-github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251125083543-e689762c4ff0/go.mod h1:d9aADumiyjCBvZLffp8wldvP9XFHxcvk2PoOSUYms2g=
-github.com/jfrog/jfrog-client-go v1.55.1-0.20251209090954-d6b1c70d3a5e h1:9le3a99UGdBHZXv7vZ7aqxLyBpwMq+sbTWiOaI9pwCU=
-github.com/jfrog/jfrog-client-go v1.55.1-0.20251209090954-d6b1c70d3a5e/go.mod h1:WQ5Y+oKYyHFAlCbHN925bWhnShTd2ruxZ6YTpb76fpU=
+github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251211075913-35ebcd308e93 h1:rpkJZN0TigpAGY/bfgmLO4nwhyhkr0gkBTLz/0B5zS8=
+github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251211075913-35ebcd308e93/go.mod h1:7cCaRhXorlbyXZgiW5bplCExFxlnROaG21K12d8inpQ=
+github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251210085744-f8481d179ac5 h1:GYE67ubwl+ZRw3CcXFUi49EwwQp6k+qS8sX0QuHDHO8=
+github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251210085744-f8481d179ac5/go.mod h1:BMoGi2rG0udCCeaghqlNgiW3fTmT+TNnfTnBoWFYgcg=
+github.com/jfrog/jfrog-client-go v1.55.1-0.20251211124639-306f15dbcf29 h1:u+FMai2cImOJExJ1Ehe8JsrpAXmPyRaDXwM60wV3bPA=
+github.com/jfrog/jfrog-client-go v1.55.1-0.20251211124639-306f15dbcf29/go.mod h1:WQ5Y+oKYyHFAlCbHN925bWhnShTd2ruxZ6YTpb76fpU=
 github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
 github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo=
 github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=
diff --git a/utils/results/conversion/cyclonedxparser/cyclonedxparser.go b/utils/results/conversion/cyclonedxparser/cyclonedxparser.go
@@ -334,7 +334,7 @@ func (cdc *CmdResultsCycloneDxConverter) getOrCreateFileComponent(filePathOrUri
 	return &(*cdc.bom.Components)[len(*cdc.bom.Components)-1]
 }
 
-func (cdc *CmdResultsCycloneDxConverter) getOrCreateJasIssue(ref, id, msg, description string, source *cyclonedx.Service, cwe []string, ratings []cyclonedx.VulnerabilityRating, properties ...cyclonedx.Property) (vulnerability *cyclonedx.Vulnerability) {
+func (cdc *CmdResultsCycloneDxConverter) getOrCreateJasIssue(ref, id, msg, description string, source *cyclonedx.Service, cwe []string, ratings []cyclonedx.VulnerabilityRating) (vulnerability *cyclonedx.Vulnerability) {
 	if vulnerability = cdxutils.SearchVulnerabilityByRef(&cdc.bom.BOM, ref); vulnerability != nil {
 		return
 	}
@@ -351,7 +351,7 @@ func (cdc *CmdResultsCycloneDxConverter) getOrCreateJasIssue(ref, id, msg, descr
 		CWE:         cwe,
 		Ratings:     ratings,
 	}
-	*cdc.bom.Vulnerabilities = append(*cdc.bom.Vulnerabilities, cdxutils.CreateBaseVulnerability(params, properties...))
+	*cdc.bom.Vulnerabilities = append(*cdc.bom.Vulnerabilities, cdxutils.CreateBaseVulnerability(params))
 	return &(*cdc.bom.Vulnerabilities)[len(*cdc.bom.Vulnerabilities)-1]
 }
 
diff --git a/utils/results/conversion/summaryparser/summaryparser.go b/utils/results/conversion/summaryparser/summaryparser.go
@@ -240,7 +240,7 @@ func (sc *CmdResultsSummaryConverter) ParseSecrets(secrets ...[]*sarif.Run) (err
 	if sc.currentScan.Vulnerabilities.SecretsResults == nil {
 		sc.currentScan.Vulnerabilities.SecretsResults = &formats.ResultSummary{}
 	}
-	return results.ForEachJasIssue(results.CollectRuns(secrets...), sc.entitledForJas, sc.getJasHandler(jasutils.Secrets, false))
+	return results.ForEachJasIssue(results.CollectRuns(secrets...), sc.entitledForJas, sc.getJasHandler(jasutils.Secrets))
 }
 
 func (sc *CmdResultsSummaryConverter) ParseIacs(iacs ...[]*sarif.Run) (err error) {
@@ -255,7 +255,7 @@ func (sc *CmdResultsSummaryConverter) ParseIacs(iacs ...[]*sarif.Run) (err error
 	if sc.currentScan.Vulnerabilities.IacResults == nil {
 		sc.currentScan.Vulnerabilities.IacResults = &formats.ResultSummary{}
 	}
-	return results.ForEachJasIssue(results.CollectRuns(iacs...), sc.entitledForJas, sc.getJasHandler(jasutils.IaC, false))
+	return results.ForEachJasIssue(results.CollectRuns(iacs...), sc.entitledForJas, sc.getJasHandler(jasutils.IaC))
 }
 
 func (sc *CmdResultsSummaryConverter) ParseSast(sast ...[]*sarif.Run) (err error) {
@@ -269,11 +269,11 @@ func (sc *CmdResultsSummaryConverter) ParseSast(sast ...[]*sarif.Run) (err error
 	if sc.currentScan.Vulnerabilities.SastResults == nil {
 		sc.currentScan.Vulnerabilities.SastResults = &formats.ResultSummary{}
 	}
-	return results.ForEachJasIssue(results.CollectRuns(sast...), sc.entitledForJas, sc.getJasHandler(jasutils.Sast, false))
+	return results.ForEachJasIssue(results.CollectRuns(sast...), sc.entitledForJas, sc.getJasHandler(jasutils.Sast))
 }
 
 // getJasHandler returns a handler that counts the JAS results (based on severity and CA status) for each issue it handles
-func (sc *CmdResultsSummaryConverter) getJasHandler(scanType jasutils.JasScanType, violations bool) results.ParseJasIssueFunc {
+func (sc *CmdResultsSummaryConverter) getJasHandler(scanType jasutils.JasScanType) results.ParseJasIssueFunc {
 	return func(run *sarif.Run, rule *sarif.ReportingDescriptor, severity severityutils.Severity, result *sarif.Result, location *sarif.Location) (err error) {
 		// Get the count map in the `sc.currentScan` object based on the scanType and violation
 		resultStatus := formats.NoStatus
@@ -283,23 +283,11 @@ func (sc *CmdResultsSummaryConverter) getJasHandler(scanType jasutils.JasScanTyp
 			if tokenStatus := sarifutils.GetResultPropertyTokenValidation(result); tokenStatus != "" {
 				resultStatus = tokenStatus
 			}
-			if violations {
-				count = sc.currentScan.Violations.SecretsResults
-			} else {
-				count = sc.currentScan.Vulnerabilities.SecretsResults
-			}
+			count = sc.currentScan.Vulnerabilities.SecretsResults
 		case jasutils.IaC:
-			if violations {
-				count = sc.currentScan.Violations.IacResults
-			} else {
-				count = sc.currentScan.Vulnerabilities.IacResults
-			}
+			count = sc.currentScan.Vulnerabilities.IacResults
 		case jasutils.Sast:
-			if violations {
-				count = sc.currentScan.Violations.SastResults
-			} else {
-				count = sc.currentScan.Vulnerabilities.SastResults
-			}
+			count = sc.currentScan.Vulnerabilities.SastResults
 		}
 		countJasIssues(count, location, severity, resultStatus)
 		return
diff --git a/utils/xray/remediation/cdxremediation.go b/utils/xray/remediation/cdxremediation.go
@@ -23,13 +23,15 @@ func AttachFixedVersionsToVulnerabilities(xrayManager *xray.XrayServicesManager,
 		return fmt.Errorf("failed to get remediation options from Xray: %w", err)
 	}
 	log.Verbose(fmt.Sprintf("Remediation options received from Xray: %+v", remediationOptions))
+	// Right now, we only support QuickestFixStrategy (fixing the actual component to a specific version)
+	strategy := utils.QuickestFixStrategy
 	for _, vulnerability := range *bom.Vulnerabilities {
-		matchVulnerabilityToRemediationOptions(bom, &vulnerability, remediationOptions)
+		matchVulnerabilityToRemediationOptions(bom, &vulnerability, remediationOptions, strategy)
 	}
 	return nil
 }
 
-func matchVulnerabilityToRemediationOptions(bom *cyclonedx.BOM, vulnerability *cyclonedx.Vulnerability, remediationOptions utils.CveRemediationResponse) {
+func matchVulnerabilityToRemediationOptions(bom *cyclonedx.BOM, vulnerability *cyclonedx.Vulnerability, remediationOptions utils.CveRemediationResponse, strategy utils.FixStrategy) {
 	if vulnerability.Affects == nil || len(*vulnerability.Affects) == 0 {
 		log.Debug("No affected components found for vulnerability " + vulnerability.ID + ", skipping attaching fixed versions")
 		return
@@ -43,7 +45,7 @@ func matchVulnerabilityToRemediationOptions(bom *cyclonedx.BOM, vulnerability *c
 				continue
 			}
 			// Convert remediation steps to fixed versions affected versions
-			for _, step := range getAffectComponentCveRemediationStepsByFixedVersion(vulnerability.ID, *affectComponent, cveRemediationOptions) {
+			for _, step := range getAffectComponentCveRemediationStepsByFixedVersion(vulnerability.ID, *affectComponent, cveRemediationOptions, strategy) {
 				cdxutils.AppendAffectedVersionsIfNotExists(&affect, cyclonedx.AffectedVersions{
 					Version: step.UpgradeTo.Version,
 					Status:  cyclonedx.VulnerabilityStatusNotAffected,
@@ -56,13 +58,18 @@ func matchVulnerabilityToRemediationOptions(bom *cyclonedx.BOM, vulnerability *c
 	}
 }
 
-func getAffectComponentCveRemediationStepsByFixedVersion(cve string, component cyclonedx.Component, cveRemediationOptions []utils.Option) (steps []utils.OptionStep) {
+func getAffectComponentCveRemediationStepsByFixedVersion(cve string, component cyclonedx.Component, cveRemediationOptions []utils.Option, strategy utils.FixStrategy) (steps []utils.OptionStep) {
 	for _, cveRemediationOption := range cveRemediationOptions {
 		if cveRemediationOption.Type != utils.InLock {
 			// We only want InLock remediation type (forcing the actual component to a specific fix version)
 			continue
 		}
-		for _, step := range cveRemediationOption.Steps {
+		stepsMap, found := cveRemediationOption.Steps[strategy]
+		if !found || len(stepsMap) == 0 {
+			log.Debug(fmt.Sprintf("No remediation steps found for strategy '%d' for component '%s' in vulnerability '%s'", strategy, component.Name, cve))
+			continue
+		}
+		for _, step := range stepsMap {
 			if step.StepType == utils.NoFixVersion {
 				log.Debug(fmt.Sprintf("No fix version available for component '%s' in vulnerability '%s'", component.Name, cve))
 				continue
diff --git a/utils/xray/remediation/cdxremediation_test.go b/utils/xray/remediation/cdxremediation_test.go

Original file line number	Diff line number	Diff line change
`@@ -334,7 +334,7 @@ func (cdc *CmdResultsCycloneDxConverter) getOrCreateFileComponent(filePathOrUri`
`334`	`334`	`return &(cdc.bom.Components)[len(cdc.bom.Components)-1]`
`335`	`335`	`}`
`336`	`336`
`337`		`-func (cdc CmdResultsCycloneDxConverter) getOrCreateJasIssue(ref, id, msg, description string, source cyclonedx.Service, cwe []string, ratings []cyclonedx.VulnerabilityRating, properties ...cyclonedx.Property) (vulnerability *cyclonedx.Vulnerability) {`
	`337`	`+func (cdc CmdResultsCycloneDxConverter) getOrCreateJasIssue(ref, id, msg, description string, source cyclonedx.Service, cwe []string, ratings []cyclonedx.VulnerabilityRating) (vulnerability *cyclonedx.Vulnerability) {`
`338`	`338`	`if vulnerability = cdxutils.SearchVulnerabilityByRef(&cdc.bom.BOM, ref); vulnerability != nil {`
`339`	`339`	`return`
`340`	`340`	`}`
`@@ -351,7 +351,7 @@ func (cdc *CmdResultsCycloneDxConverter) getOrCreateJasIssue(ref, id, msg, descr`
`351`	`351`	`CWE: cwe,`
`352`	`352`	`Ratings: ratings,`
`353`	`353`	`}`
`354`		`- cdc.bom.Vulnerabilities = append(cdc.bom.Vulnerabilities, cdxutils.CreateBaseVulnerability(params, properties...))`
	`354`	`+ cdc.bom.Vulnerabilities = append(cdc.bom.Vulnerabilities, cdxutils.CreateBaseVulnerability(params))`
`355`	`355`	`return &(cdc.bom.Vulnerabilities)[len(cdc.bom.Vulnerabilities)-1]`
`356`	`356`	`}`
`357`	`357`