Merge remote-tracking branch 'upstream/dev' into static_sca_violations_remediations

Author: attiasas

buildscripts/download-jars.sh

@@ -7,7 +7,7 @@
 # https://github.com/jfrog/maven-dep-tree
 
 # Once you have updated the versions mentioned below, please execute this script from the root directory of the jfrog-cli-core to ensure the JAR files are updated.
-GRADLE_DEP_TREE_VERSION="3.0.4"
+GRADLE_DEP_TREE_VERSION="3.1.0"
 # Changing this version also requires a change in mavenDepTreeVersion within utils/java/mvn.go.
 MAVEN_DEP_TREE_VERSION="1.1.5"
 

cli/gitcommands.go

@@ -92,7 +92,7 @@ func GitAuditCmd(c *components.Context) error {
 	gitAuditCmd.SetViolationGenerator(violationGenerator)
 	gitAuditCmd.SetUploadCdxResults(uploadResults).SetRtResultRepository(c.GetStringFlagValue(flags.UploadRtRepoPath))
 	// Run the command with progress bar if needed, Reporting error if Xsc service is enabled
-	err = reportErrorIfExists(xrayVersion, xscVersion, serverDetails, progressbar.ExecWithProgress(gitAuditCmd))
+	err = reportErrorIfExists(xrayVersion, xscVersion, serverDetails, gitAuditCmd.GetProjectKey(), progressbar.ExecWithProgress(gitAuditCmd))
 	log.Info("####### jf git audit Scan Finished #######")
 	return err
 }

cli/scancommands.go

@@ -415,7 +415,7 @@ func AuditCmd(c *components.Context) error {
 	}
 	auditCmd.SetThreads(threads)
 	// Reporting error if Xsc service is enabled
-	err = reportErrorIfExists(xrayVersion, xscVersion, serverDetails, progressbar.ExecWithProgress(auditCmd))
+	err = reportErrorIfExists(xrayVersion, xscVersion, serverDetails, auditCmd.GetProjectKey(), progressbar.ExecWithProgress(auditCmd))
 	log.Info("####### jf audit Scan Finished #######")
 	return err
 }
@@ -509,7 +509,7 @@ func AuditSpecificCmd(c *components.Context, technology techutils.Technology) er
 	technologies := []string{string(technology)}
 	auditCmd.SetTechnologies(technologies)
 	// Reporting error if Xsc service is enabled
-	return reportErrorIfExists(xrayVersion, xscVersion, serverDetails, progressbar.ExecWithProgress(auditCmd))
+	return reportErrorIfExists(xrayVersion, xscVersion, serverDetails, auditCmd.GetProjectKey(), progressbar.ExecWithProgress(auditCmd))
 }
 
 func CurationCmd(c *components.Context) error {

cli/utils.go

@@ -106,11 +106,11 @@ func shouldAddSubScan(subScan utils.SubScanType, c *components.Context) bool {
 		(subScan == utils.ContextualAnalysisScan && c.GetBoolFlagValue(flags.Sca) && !c.GetBoolFlagValue(flags.WithoutCA)) || (subScan == utils.SecretTokenValidationScan && c.GetBoolFlagValue(flags.Secrets) && c.GetBoolFlagValue(flags.SecretValidation))
 }
 
-func reportErrorIfExists(xrayVersion, xscVersion string, serverDetails *coreConfig.ServerDetails, err error) error {
+func reportErrorIfExists(xrayVersion, xscVersion string, serverDetails *coreConfig.ServerDetails, projectKey string, err error) error {
 	if err == nil || !usage.ShouldReportUsage() {
 		return err
 	}
-	if reportError := xsc.ReportError(xrayVersion, xscVersion, serverDetails, err, "cli"); reportError != nil {
+	if reportError := xsc.ReportError(xrayVersion, xscVersion, serverDetails, err, "cli", projectKey); reportError != nil {
 		log.Debug("failed to report error log:" + reportError.Error())
 	}
 	return err

commands/audit/audit.go

@@ -76,6 +76,10 @@ func (auditCmd *AuditCommand) SetProject(project string) *AuditCommand {
 	return auditCmd
 }
 
+func (auditCmd *AuditCommand) GetProjectKey() string {
+	return auditCmd.projectKey
+}
+
 func (auditCmd *AuditCommand) SetTargetRepoPath(repoPath string) *AuditCommand {
 	auditCmd.targetRepoPath = repoPath
 	return auditCmd
@@ -131,7 +135,7 @@ func CreateAuditResultsContext(serverDetails *config.ServerDetails, xrayVersion
 		return
 	}
 	// Get the defined and active watches from the platform.
-	manager, err := xsc.CreateXscService(serverDetails)
+	manager, err := xsc.CreateXscService(serverDetails, xrayutils.WithScopedProjectKey(projectKey))
 	if err != nil {
 		log.Warn(fmt.Sprintf("Failed to create Xray services manager: %s", err.Error()))
 		return
@@ -197,6 +201,7 @@ func (auditCmd *AuditCommand) Run() (err error) {
 		auditCmd.GetXscVersion(),
 		serverDetails,
 		xsc.CreateAnalyticsEvent(xscservices.CliProduct, xscservices.CliEventType, serverDetails),
+		auditCmd.projectKey,
 	)
 
 	auditParams := NewAuditParams().

commands/git/audit/gitaudit.go

@@ -120,6 +120,7 @@ func RunGitAudit(params GitAuditParams) (scanResults *results.SecurityCommandRes
 		params.xscVersion,
 		params.serverDetails,
 		event,
+		params.GetProjectKey(),
 	)
 	params.multiScanId = multiScanId
 	params.startTime = startTime

commands/git/audit/gitauditparams.go

@@ -63,6 +63,10 @@ func (gap *GitAuditParams) SetProjectKey(project string) *GitAuditParams {
 	return gap
 }
 
+func (gap *GitAuditParams) GetProjectKey() string {
+	return gap.resultsContext.ProjectKey
+}
+
 func (gap *GitAuditParams) SetFailBuild(failBuild bool) *GitAuditParams {
 	gap.failBuild = failBuild
 	return gap

commands/scan/dockerscan.go

@@ -78,6 +78,7 @@ func (dsc *DockerScanCommand) Run() (err error) {
 		dsc.xscVersion,
 		dsc.serverDetails,
 		xsc.CreateAnalyticsEvent(xscservices.CliProduct, xscservices.CliEventType, dsc.serverDetails),
+		dsc.resultsContext.ProjectKey,
 	)
 
 	dsc.SetSpec(spec.NewBuilder().

go.mod

@@ -2,42 +2,45 @@ module github.com/jfrog/jfrog-cli-security
 
 go 1.24.6
 
+// TODO: remove after Xray-Lib new version is released
+replace github.com/CycloneDX/cyclonedx-go => github.com/CycloneDX/cyclonedx-go v0.9.2
+
 require (
-	github.com/CycloneDX/cyclonedx-go v0.9.2
+	github.com/CycloneDX/cyclonedx-go v0.9.3
 	github.com/beevik/etree v1.4.0
-	github.com/go-git/go-git/v5 v5.16.2
+	github.com/go-git/go-git/v5 v5.16.3
 	github.com/google/go-github/v56 v56.0.0
 	github.com/google/uuid v1.6.0
 	github.com/gookit/color v1.6.0
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-plugin v1.6.3
-	github.com/jfrog/build-info-go v1.11.0
-	github.com/jfrog/froggit-go v1.20.3
+	github.com/jfrog/build-info-go v1.12.0
+	github.com/jfrog/froggit-go v1.20.4
 	github.com/jfrog/gofrog v1.7.6
 	github.com/jfrog/jfrog-apps-config v1.0.1
-	github.com/jfrog/jfrog-cli-artifactory v0.7.2
-	github.com/jfrog/jfrog-cli-core/v2 v2.60.0
-	github.com/jfrog/jfrog-client-go v1.55.0
+	github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec
+	github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451
+	github.com/jfrog/jfrog-client-go v1.55.1-0.20251023073119-78f187c9afbf
 	github.com/magiconair/properties v1.8.10
 	github.com/owenrumney/go-sarif/v3 v3.2.3
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/stretchr/testify v1.11.1
 	github.com/urfave/cli v1.22.17
 	github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74
-	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394
-	golang.org/x/sync v0.16.0
-	golang.org/x/text v0.28.0
+	golang.org/x/exp v0.0.0-20250911091902-df9299821621
+	golang.org/x/sync v0.17.0
+	golang.org/x/text v0.30.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/ProtonMail/go-crypto v1.1.6 // indirect
+	github.com/ProtonMail/go-crypto v1.3.0 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
-	github.com/andybalholm/brotli v1.1.1 // indirect
+	github.com/andybalholm/brotli v1.2.0 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/c-bata/go-prompt v0.2.6 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
@@ -48,7 +51,7 @@ require (
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/fatih/color v1.16.0 // indirect
-	github.com/forPelevin/gomoji v1.3.1 // indirect
+	github.com/forPelevin/gomoji v1.4.0 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/gfleury/go-bitbucket-v1 v0.0.0-20230825095122-9bc1711434ab // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
@@ -70,7 +73,7 @@ require (
 	github.com/jfrog/archiver/v3 v3.6.1 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/ktrysmt/go-bitbucket v0.9.80 // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
@@ -100,7 +103,7 @@ require (
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/spf13/viper v1.21.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/ulikunitz/xz v0.5.14 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/vbauerster/mpb/v8 v8.10.2 // indirect
 	github.com/xanzy/go-gitlab v0.110.0 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
@@ -110,26 +113,26 @@ require (
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.38.0 // indirect
-	golang.org/x/mod v0.26.0 // indirect
-	golang.org/x/net v0.40.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
+	golang.org/x/crypto v0.43.0 // indirect
+	golang.org/x/mod v0.28.0 // indirect
+	golang.org/x/net v0.45.0 // indirect
+	golang.org/x/oauth2 v0.31.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	golang.org/x/term v0.36.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8 // indirect
 	google.golang.org/grpc v1.67.3 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
 // attiasas:xray_get_violations_api
-replace github.com/jfrog/jfrog-client-go => github.com/attiasas/jfrog-client-go v0.0.0-20250916121001-bf30b1660ad0
+replace github.com/jfrog/jfrog-client-go => github.com/attiasas/jfrog-client-go v0.0.0-20251023125440-f42e01cfd9d7
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 master
 
-// replace github.com/jfrog/jfrog-cli-artifactory => github.com/jfrog/jfrog-cli-artifactory main
+//replace github.com/jfrog/jfrog-cli-artifactory => github.com/fluxxBot/jfrog-cli-artifactory v0.0.0-20251017061455-6a03988302bf
 
 // replace github.com/jfrog/build-info-go => github.com/attiasas/build-info-go dev