Merge branch 'jfrog:main' into fix-audit-command-usage-of-exclusions-flag

Author: kerenr-jfrog

commands/audit/audit.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	jfrogappsconfig "github.com/jfrog/jfrog-apps-config/go"
+	"github.com/jfrog/jfrog-cli-core/v2/common/format"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 	"github.com/jfrog/jfrog-cli-security/commands/audit/sca"
@@ -303,6 +304,7 @@ func downloadAnalyzerManagerAndRunScanners(auditParallelRunner *utils.SecurityPa
 			DirectDependencies:          auditParams.DirectDependencies(),
 			ThirdPartyApplicabilityScan: auditParams.thirdPartyApplicabilityScan,
 			ApplicableScanType:          applicability.ApplicabilityScannerType,
+			SignedDescriptions:          auditParams.OutputFormat() == format.Sarif,
 			ScanResults:                 scan,
 			TargetOutputDir:             auditParams.scanResultsOutputDir,
 		}

go.mod

@@ -10,8 +10,8 @@ require (
 	github.com/jfrog/froggit-go v1.16.2
 	github.com/jfrog/gofrog v1.7.6
 	github.com/jfrog/jfrog-apps-config v1.0.1
-	github.com/jfrog/jfrog-cli-core/v2 v2.56.3
-	github.com/jfrog/jfrog-client-go v1.47.2
+	github.com/jfrog/jfrog-cli-core/v2 v2.56.4
+	github.com/jfrog/jfrog-client-go v1.47.3
 	github.com/magiconair/properties v1.8.7
 	github.com/owenrumney/go-sarif/v2 v2.3.0
 	github.com/stretchr/testify v1.9.0

go.sum

@@ -130,10 +130,10 @@ github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s=
 github.com/jfrog/gofrog v1.7.6/go.mod h1:ntr1txqNOZtHplmaNd7rS4f8jpA5Apx8em70oYEe7+4=
 github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY=
 github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
-github.com/jfrog/jfrog-cli-core/v2 v2.56.3 h1:9ZZ7TGpobk4XShPzrHkRGfpYzs1w0rg7Hqtfg51iNRg=
-github.com/jfrog/jfrog-cli-core/v2 v2.56.3/go.mod h1:xL9b2DrH5FemiTuk2bfUBfbQYC/RvpBkPxxV6XxssXs=
-github.com/jfrog/jfrog-client-go v1.47.2 h1:Lu+2n4EU+MzNfotV1VOvF/ZQIWsQJg11Z4YSVhumFy0=
-github.com/jfrog/jfrog-client-go v1.47.2/go.mod h1:fx2fq5XwZ7e2pzpBB9pXsP8+ZdKLB8g+A6fjGU6F2XI=
+github.com/jfrog/jfrog-cli-core/v2 v2.56.4 h1:LqByz2FmVTDQm/u2xGeTL6O8Hs9JadaTj3QMpel9ZwY=
+github.com/jfrog/jfrog-cli-core/v2 v2.56.4/go.mod h1:AwQ9WuOA64g3torX9K5kP0xFAAbchfRInhZwbufoW+Q=
+github.com/jfrog/jfrog-client-go v1.47.3 h1:99/JSSgU0rvnM2zWYos2n+Gz1IYLCUoIorE4Xco+Dew=
+github.com/jfrog/jfrog-client-go v1.47.3/go.mod h1:NepfaidmK/xiKsVC+0Ur9sANOqL6io8Y7pSaCau7J6o=
 github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=
 github.com/k0kubun/pp v3.0.1+incompatible/go.mod h1:GWse8YhT0p8pT4ir3ZgBbfZild3tgzSScAn6HmfYukg=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=

jas/analyzermanager.go

@@ -24,7 +24,7 @@ import (
 const (
 	ApplicabilityFeatureId                    = "contextual_analysis"
 	AnalyzerManagerZipName                    = "analyzerManager.zip"
-	defaultAnalyzerManagerVersion             = "1.9.7"
+	defaultAnalyzerManagerVersion             = "1.9.9"
 	analyzerManagerDownloadPath               = "xsc-gen-exe-analyzer-manager-local/v1"
 	analyzerManagerDirName                    = "analyzerManager"
 	analyzerManagerExecutableName             = "analyzerManager"

jas/runner/jasrunner.go

@@ -32,11 +32,14 @@ type JasRunnerParams struct {
 
 	ScansToPreform []utils.SubScanType
 
+	// Secret scan flags
 	SecretsScanType secrets.SecretsScanType
-
+	// Contextual Analysis scan flags
+	ApplicableScanType          applicability.ApplicabilityScanType
 	DirectDependencies          *[]string
 	ThirdPartyApplicabilityScan bool
-	ApplicableScanType          applicability.ApplicabilityScanType
+	// SAST scan flags
+	SignedDescriptions bool
 
 	ScanResults     *results.TargetResults
 	TargetOutputDir string
@@ -68,7 +71,7 @@ func AddJasScannersTasks(params JasRunnerParams) (err error) {
 	if err = addJasScanTaskForModuleIfNeeded(params, utils.IacScan, runIacScan(params.Runner, params.Scanner, params.ScanResults.JasResults, params.Module, params.TargetOutputDir)); err != nil {
 		return
 	}
-	return addJasScanTaskForModuleIfNeeded(params, utils.SastScan, runSastScan(params.Runner, params.Scanner, params.ScanResults.JasResults, params.Module, params.TargetOutputDir))
+	return addJasScanTaskForModuleIfNeeded(params, utils.SastScan, runSastScan(params.Runner, params.Scanner, params.ScanResults.JasResults, params.Module, params.TargetOutputDir, params.SignedDescriptions))
 }
 
 func addJasScanTaskForModuleIfNeeded(params JasRunnerParams, subScan utils.SubScanType, task parallel.TaskFunc) (err error) {
@@ -157,12 +160,12 @@ func runIacScan(securityParallelRunner *utils.SecurityParallelRunner, scanner *j
 }
 
 func runSastScan(securityParallelRunner *utils.SecurityParallelRunner, scanner *jas.JasScanner, extendedScanResults *results.JasScansResults,
-	module jfrogappsconfig.Module, scansOutputDir string) parallel.TaskFunc {
+	module jfrogappsconfig.Module, scansOutputDir string, signedDescriptions bool) parallel.TaskFunc {
 	return func(threadId int) (err error) {
 		defer func() {
 			securityParallelRunner.JasScannersWg.Done()
 		}()
-		results, err := sast.RunSastScan(scanner, module, threadId)
+		results, err := sast.RunSastScan(scanner, module, signedDescriptions, threadId)
 		if err != nil {
 			return fmt.Errorf("%s %s", clientutils.GetLogMsgPrefix(threadId, false), err.Error())
 		}

jas/sast/sastscanner.go

@@ -23,16 +23,17 @@ const (
 type SastScanManager struct {
 	sastScannerResults []*sarif.Run
 	scanner            *jas.JasScanner
+	signedDescriptions bool
 	configFileName     string
 	resultsFileName    string
 }
 
-func RunSastScan(scanner *jas.JasScanner, module jfrogappsconfig.Module, threadId int) (results []*sarif.Run, err error) {
+func RunSastScan(scanner *jas.JasScanner, module jfrogappsconfig.Module, signedDescriptions bool, threadId int) (results []*sarif.Run, err error) {
 	var scannerTempDir string
 	if scannerTempDir, err = jas.CreateScannerTempDirectory(scanner, jasutils.Sast.String()); err != nil {
 		return
 	}
-	sastScanManager := newSastScanManager(scanner, scannerTempDir)
+	sastScanManager := newSastScanManager(scanner, scannerTempDir, signedDescriptions)
 	log.Info(clientutils.GetLogMsgPrefix(threadId, false) + "Running SAST scan...")
 	if err = sastScanManager.scanner.Run(sastScanManager, module); err != nil {
 		err = jas.ParseAnalyzerManagerError(jasutils.Sast, err)
@@ -45,16 +46,17 @@ func RunSastScan(scanner *jas.JasScanner, module jfrogappsconfig.Module, threadI
 	return
 }
 
-func newSastScanManager(scanner *jas.JasScanner, scannerTempDir string) (manager *SastScanManager) {
+func newSastScanManager(scanner *jas.JasScanner, scannerTempDir string, signedDescriptions bool) (manager *SastScanManager) {
 	return &SastScanManager{
 		sastScannerResults: []*sarif.Run{},
 		scanner:            scanner,
+		signedDescriptions: signedDescriptions,
 		configFileName:     filepath.Join(scannerTempDir, "config.yaml"),
 		resultsFileName:    filepath.Join(scannerTempDir, "results.sarif")}
 }
 
 func (ssm *SastScanManager) Run(module jfrogappsconfig.Module) (err error) {
-	if err = ssm.createConfigFile(module, ssm.scanner.Exclusions...); err != nil {
+	if err = ssm.createConfigFile(module, ssm.signedDescriptions, ssm.scanner.Exclusions...); err != nil {
 		return
 	}
 	if err = ssm.runAnalyzerManager(filepath.Dir(ssm.scanner.AnalyzerManager.AnalyzerManagerFullPath)); err != nil {
@@ -74,14 +76,19 @@ type sastScanConfig struct {
 }
 
 type scanConfiguration struct {
-	Roots           []string `yaml:"roots,omitempty"`
-	Type            string   `yaml:"type,omitempty"`
-	Language        string   `yaml:"language,omitempty"`
-	ExcludePatterns []string `yaml:"exclude_patterns,omitempty"`
-	ExcludedRules   []string `yaml:"excluded-rules,omitempty"`
+	Roots           []string       `yaml:"roots,omitempty"`
+	Type            string         `yaml:"type,omitempty"`
+	Language        string         `yaml:"language,omitempty"`
+	ExcludePatterns []string       `yaml:"exclude_patterns,omitempty"`
+	ExcludedRules   []string       `yaml:"excluded-rules,omitempty"`
+	SastParameters  sastParameters `yaml:"sast_parameters,omitempty"`
 }
 
-func (ssm *SastScanManager) createConfigFile(module jfrogappsconfig.Module, exclusions ...string) error {
+type sastParameters struct {
+	SignedDescriptions bool `yaml:"signed_descriptions,omitempty"`
+}
+
+func (ssm *SastScanManager) createConfigFile(module jfrogappsconfig.Module, signedDescriptions bool, exclusions ...string) error {
 	sastScanner := module.Scanners.Sast
 	if sastScanner == nil {
 		sastScanner = &jfrogappsconfig.SastScanner{}
@@ -93,10 +100,13 @@ func (ssm *SastScanManager) createConfigFile(module jfrogappsconfig.Module, excl
 	configFileContent := sastScanConfig{
 		Scans: []scanConfiguration{
 			{
-				Type:            sastScannerType,
-				Roots:           roots,
-				Language:        sastScanner.Language,
-				ExcludedRules:   sastScanner.ExcludedRules,
+				Type:          sastScannerType,
+				Roots:         roots,
+				Language:      sastScanner.Language,
+				ExcludedRules: sastScanner.ExcludedRules,
+				SastParameters: sastParameters{
+					SignedDescriptions: signedDescriptions,
+				},
 				ExcludePatterns: jas.GetExcludePatterns(module, &sastScanner.Scanner, exclusions...),
 			},
 		},

jas/sast/sastscanner_test.go

@@ -17,11 +17,12 @@ func TestNewSastScanManager(t *testing.T) {
 	jfrogAppsConfigForTest, err := jas.CreateJFrogAppsConfig([]string{"currentDir"})
 	assert.NoError(t, err)
 	// Act
-	sastScanManager := newSastScanManager(scanner, "temoDirPath")
+	sastScanManager := newSastScanManager(scanner, "temoDirPath", true)
 
 	// Assert
 	if assert.NotNil(t, sastScanManager) {
 		assert.NotEmpty(t, sastScanManager.configFileName)
+		assert.True(t, sastScanManager.signedDescriptions)
 		assert.NotEmpty(t, sastScanManager.resultsFileName)
 		assert.NotEmpty(t, jfrogAppsConfigForTest.Modules[0].SourceRoot)
 		assert.Equal(t, &jas.FakeServerDetails, sastScanManager.scanner.ServerDetails)
@@ -35,7 +36,7 @@ func TestSastParseResults_EmptyResults(t *testing.T) {
 	assert.NoError(t, err)
 
 	// Arrange
-	sastScanManager := newSastScanManager(scanner, "temoDirPath")
+	sastScanManager := newSastScanManager(scanner, "temoDirPath", true)
 	sastScanManager.resultsFileName = filepath.Join(jas.GetTestDataPath(), "sast-scan", "no-violations.sarif")
 
 	// Act
@@ -57,7 +58,7 @@ func TestSastParseResults_ResultsContainIacViolations(t *testing.T) {
 	jfrogAppsConfigForTest, err := jas.CreateJFrogAppsConfig([]string{})
 	assert.NoError(t, err)
 	// Arrange
-	sastScanManager := newSastScanManager(scanner, "temoDirPath")
+	sastScanManager := newSastScanManager(scanner, "temoDirPath", false)
 	sastScanManager.resultsFileName = filepath.Join(jas.GetTestDataPath(), "sast-scan", "contains-sast-violations.sarif")
 
 	// Act

tests/testdata/other/sast-scan/contains-sast-violations.sarif

@@ -3,7 +3,7 @@
         {
             "tool": {
                 "driver": {
-                    "name": "USAF",
+                    "name": "🐸 JFrog SAST",
                     "rules": [
                         {
                             "id": "python-command-injection",

tests/testdata/other/sast-scan/no-violations.sarif

@@ -3,7 +3,7 @@
         {
             "tool": {
                 "driver": {
-                    "name": "USAF",
+                    "name": "🐸 JFrog SAST",
                     "rules": []
                 }
             },

tests/testdata/output/audit/audit_results.json

@@ -2204,7 +2204,7 @@
             "tool": {
               "driver": {
                 "informationUri": "https://docs.jfrog-applications.jfrog.io/jfrog-security-features/sast",
-                "name": "USAF",
+                "name": "🐸 JFrog SAST",
                 "rules": [
                   {
                     "id": "js-express-without-helmet",