Dont change central config exclude pattern in JAS scans

Author: attiasas

jas/applicability/applicabilitymanager.go

@@ -88,7 +88,7 @@ func newApplicabilityScanManager(directDependenciesCves, indirectDependenciesCve
 }
 
 func (asm *ApplicabilityScanManager) Run(module jfrogappsconfig.Module) (vulnerabilitiesSarifRuns []*sarif.Run, violationsSarifRuns []*sarif.Run, err error) {
-	if err = asm.createConfigFile(module, append(asm.scanner.Exclusions, asm.scanner.ScannersExclusions.ContextualAnalysisExcludePatterns...)...); err != nil {
+	if err = asm.createConfigFile(module, asm.scanner.ScannersExclusions.ContextualAnalysisExcludePatterns, asm.scanner.Exclusions...); err != nil {
 		return
 	}
 	if err = asm.runAnalyzerManager(); err != nil {
@@ -116,12 +116,12 @@ type scanConfiguration struct {
 	ScanType             string   `yaml:"scantype"`
 }
 
-func (asm *ApplicabilityScanManager) createConfigFile(module jfrogappsconfig.Module, exclusions ...string) error {
+func (asm *ApplicabilityScanManager) createConfigFile(module jfrogappsconfig.Module, centralConfigExclusions []string, exclusions ...string) error {
 	roots, err := jas.GetSourceRoots(module, nil)
 	if err != nil {
 		return err
 	}
-	excludePatterns := jas.GetExcludePatterns(module, nil, exclusions...)
+	excludePatterns := jas.GetExcludePatterns(module, nil, centralConfigExclusions, exclusions...)
 	if asm.thirdPartyScan {
 		log.Info("Including node modules folder in applicability scan")
 		excludePatterns = removeElementFromSlice(excludePatterns, utils.NodeModulesPattern)

jas/applicability/applicabilitymanager_test.go

@@ -175,7 +175,7 @@ func TestCreateConfigFile_VerifyFileWasCreated(t *testing.T) {
 
 	currWd, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)
-	err = applicabilityManager.createConfigFile(jfrogappsconfig.Module{SourceRoot: currWd})
+	err = applicabilityManager.createConfigFile(jfrogappsconfig.Module{SourceRoot: currWd}, []string{})
 	assert.NoError(t, err)
 
 	defer func() {

jas/common.go

@@ -420,20 +420,24 @@ func GetSourceRoots(module jfrogappsconfig.Module, scanner *jfrogappsconfig.Scan
 	return roots, nil
 }
 
-func GetExcludePatterns(module jfrogappsconfig.Module, scanner *jfrogappsconfig.Scanner, exclusions ...string) []string {
-	if len(exclusions) > 0 {
-		return filterUniqueAndConvertToFilesExcludePatterns(exclusions)
+func GetExcludePatterns(module jfrogappsconfig.Module, scanner *jfrogappsconfig.Scanner, centralConfigExclusions []string, cliExclusions ...string) []string {
+	uniqueExcludePatterns := datastructures.MakeSet[string]()
+	if len(cliExclusions) > 0 || len(centralConfigExclusions) > 0 {
+		// Adding exclusions from CLI requires to convert them to file exclude patterns
+		uniqueExcludePatterns.AddElements(convertToFilesExcludePatterns(cliExclusions)...)
+		// Adding exclusions from centralized config, no need to convert
+		uniqueExcludePatterns.AddElements(centralConfigExclusions...)
+		return uniqueExcludePatterns.ToSlice()
 	}
-
 	// Adding exclusions from jfrog-apps-config IF no exclusions provided from other source (flags, env vars, config profile)
-	excludePatterns := module.ExcludePatterns
+	uniqueExcludePatterns.AddElements(module.ExcludePatterns...)
 	if scanner != nil {
-		excludePatterns = append(excludePatterns, scanner.ExcludePatterns...)
+		uniqueExcludePatterns.AddElements(scanner.ExcludePatterns...)
 	}
-	if len(excludePatterns) == 0 {
+	if uniqueExcludePatterns.Size() == 0 {
 		return utils.DefaultJasExcludePatterns
 	}
-	return excludePatterns
+	return uniqueExcludePatterns.ToSlice()
 }
 
 // This function convert every exclude pattern to a file exclude pattern form.
@@ -453,6 +457,21 @@ func filterUniqueAndConvertToFilesExcludePatterns(excludePatterns []string) []st
 	return uniqueExcludePatterns.ToSlice()
 }
 
+// This function convert every exclude pattern to a file exclude pattern form.
+// Checks are being made since some of the exclude patters we get here might already be in a file exclude pattern
+func convertToFilesExcludePatterns(excludePatterns []string) (converted []string) {
+	for _, excludePattern := range excludePatterns {
+		if !strings.HasPrefix(excludePattern, "**/") {
+			excludePattern = "**/" + excludePattern
+		}
+		if !strings.HasSuffix(excludePattern, "/**") {
+			excludePattern += "/**"
+		}
+		converted = append(converted, excludePattern)
+	}
+	return converted
+}
+
 func CheckForSecretValidation(xrayManager *xray.XrayServicesManager, xrayVersion string, validateSecrets bool) bool {
 	dynamicTokenVersionMismatchErr := goclientutils.ValidateMinimumVersion(goclientutils.Xray, xrayVersion, jasutils.DynamicTokenValidationMinXrayVersion)
 	if dynamicTokenVersionMismatchErr != nil {

jas/common_test.go

@@ -127,7 +127,7 @@ func TestGetExcludePatterns(t *testing.T) {
 	for _, testCase := range getExcludePatternsCases {
 		t.Run("", func(t *testing.T) {
 			scanner := testCase.scanner
-			actualExcludePatterns := GetExcludePatterns(module, scanner)
+			actualExcludePatterns := GetExcludePatterns(module, scanner, []string{})
 			if scanner == nil {
 				assert.ElementsMatch(t, module.ExcludePatterns, actualExcludePatterns)
 				return

jas/iac/iacscanner.go

@@ -70,7 +70,7 @@ func newIacScanManager(scanner *jas.JasScanner, scannerTempDir string, resultsTo
 }
 
 func (iac *IacScanManager) Run(module jfrogappsconfig.Module) (vulnerabilitiesSarifRuns []*sarif.Run, violationsSarifRuns []*sarif.Run, err error) {
-	if err = iac.createConfigFile(module, append(iac.scanner.Exclusions, iac.scanner.ScannersExclusions.IacExcludePatterns...)...); err != nil {
+	if err = iac.createConfigFile(module, iac.scanner.ScannersExclusions.IacExcludePatterns, iac.scanner.Exclusions...); err != nil {
 		return
 	}
 	if err = iac.runAnalyzerManager(); err != nil {
@@ -91,7 +91,7 @@ type iacScanConfiguration struct {
 	SkippedDirs            []string `yaml:"skipped-folders"`
 }
 
-func (iac *IacScanManager) createConfigFile(module jfrogappsconfig.Module, exclusions ...string) error {
+func (iac *IacScanManager) createConfigFile(module jfrogappsconfig.Module, centralConfigExclusions []string, exclusions ...string) error {
 	roots, err := jas.GetSourceRoots(module, module.Scanners.Iac)
 	if err != nil {
 		return err
@@ -103,7 +103,7 @@ func (iac *IacScanManager) createConfigFile(module jfrogappsconfig.Module, exclu
 				Output:                 iac.resultsFileName,
 				PathToResultsToCompare: iac.resultsToCompareFileName,
 				Type:                   iacScannerType,
-				SkippedDirs:            jas.GetExcludePatterns(module, module.Scanners.Iac, exclusions...),
+				SkippedDirs:            jas.GetExcludePatterns(module, module.Scanners.Iac, centralConfigExclusions, exclusions...),
 			},
 		},
 	}

jas/iac/iacscanner_test.go

@@ -67,7 +67,7 @@ func TestIacScan_CreateConfigFile_VerifyFileWasCreated(t *testing.T) {
 
 	currWd, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)
-	err = iacScanManager.createConfigFile(jfrogappsconfig.Module{SourceRoot: currWd})
+	err = iacScanManager.createConfigFile(jfrogappsconfig.Module{SourceRoot: currWd}, []string{})
 
 	defer func() {
 		err = os.Remove(iacScanManager.configFileName)

jas/sast/sastscanner.go

@@ -69,7 +69,7 @@ func newSastScanManager(scanner *jas.JasScanner, scannerTempDir string, signedDe
 }
 
 func (ssm *SastScanManager) Run(module jfrogappsconfig.Module) (vulnerabilitiesSarifRuns []*sarif.Run, violationsSarifRuns []*sarif.Run, err error) {
-	if err = ssm.createConfigFile(module, ssm.signedDescriptions, append(ssm.scanner.Exclusions, ssm.scanner.ScannersExclusions.SastExcludePatterns...)...); err != nil {
+	if err = ssm.createConfigFile(module, ssm.signedDescriptions, ssm.scanner.ScannersExclusions.SastExcludePatterns, ssm.scanner.Exclusions...); err != nil {
 		return
 	}
 	if err = ssm.runAnalyzerManager(filepath.Dir(ssm.scanner.AnalyzerManager.AnalyzerManagerFullPath)); err != nil {
@@ -104,7 +104,7 @@ type sastParameters struct {
 	SignedDescriptions bool `yaml:"signed_descriptions,omitempty"`
 }
 
-func (ssm *SastScanManager) createConfigFile(module jfrogappsconfig.Module, signedDescriptions bool, exclusions ...string) error {
+func (ssm *SastScanManager) createConfigFile(module jfrogappsconfig.Module, signedDescriptions bool, centralConfigExclusions []string, exclusions ...string) error {
 	sastScanner := module.Scanners.Sast
 	if sastScanner == nil {
 		sastScanner = &jfrogappsconfig.SastScanner{}
@@ -125,7 +125,7 @@ func (ssm *SastScanManager) createConfigFile(module jfrogappsconfig.Module, sign
 				SastParameters: sastParameters{
 					SignedDescriptions: signedDescriptions,
 				},
-				ExcludePatterns: jas.GetExcludePatterns(module, &sastScanner.Scanner, exclusions...),
+				ExcludePatterns: jas.GetExcludePatterns(module, &sastScanner.Scanner, centralConfigExclusions, exclusions...),
 				UserRules:       ssm.sastRules,
 			},
 		},

jas/secrets/secretsscanner.go

@@ -75,7 +75,7 @@ func newSecretsScanManager(scanner *jas.JasScanner, scanType SecretsScanType, sc
 }
 
 func (ssm *SecretScanManager) Run(module jfrogappsconfig.Module) (vulnerabilitiesSarifRuns []*sarif.Run, violationsSarifRuns []*sarif.Run, err error) {
-	if err = ssm.createConfigFile(module, append(ssm.scanner.Exclusions, ssm.scanner.ScannersExclusions.SecretsExcludePatterns...)...); err != nil {
+	if err = ssm.createConfigFile(module, ssm.scanner.ScannersExclusions.SecretsExcludePatterns, ssm.scanner.Exclusions...); err != nil {
 		return
 	}
 	if err = ssm.runAnalyzerManager(); err != nil {
@@ -96,7 +96,7 @@ type secretsScanConfiguration struct {
 	SkippedDirs            []string `yaml:"skipped-folders"`
 }
 
-func (s *SecretScanManager) createConfigFile(module jfrogappsconfig.Module, exclusions ...string) error {
+func (s *SecretScanManager) createConfigFile(module jfrogappsconfig.Module, centralConfigExclusions []string, exclusions ...string) error {
 	roots, err := jas.GetSourceRoots(module, module.Scanners.Secrets)
 	if err != nil {
 		return err
@@ -108,7 +108,7 @@ func (s *SecretScanManager) createConfigFile(module jfrogappsconfig.Module, excl
 				Output:                 s.resultsFileName,
 				PathToResultsToCompare: s.resultsToCompareFileName,
 				Type:                   string(s.scanType),
-				SkippedDirs:            jas.GetExcludePatterns(module, module.Scanners.Secrets, exclusions...),
+				SkippedDirs:            jas.GetExcludePatterns(module, module.Scanners.Secrets, centralConfigExclusions, exclusions...),
 			},
 		},
 	}

jas/secrets/secretsscanner_test.go

@@ -62,7 +62,7 @@ func TestSecretsScan_CreateConfigFile_VerifyFileWasCreated(t *testing.T) {
 
 	currWd, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)
-	err = secretScanManager.createConfigFile(jfrogappsconfig.Module{SourceRoot: currWd})
+	err = secretScanManager.createConfigFile(jfrogappsconfig.Module{SourceRoot: currWd}, []string{})
 	assert.NoError(t, err)
 
 	defer func() {