Merge remote-tracking branch 'upstream/dev' into one_home_to_rule_all_tests

attiasas · attiasas · commit c18c6cc4a7fe · 2025-11-05T11:42:04.000+02:00
diff --git a/cli/docs/flags.go b/cli/docs/flags.go
@@ -56,6 +56,9 @@ const (
 	Sast      = "sast"
 	Secrets   = "secrets"
 	WithoutCA = "without-contextual-analysis"
+
+	// Sast related flags
+	AddSastRules = "add-sast-rules"
 )
 
 const (
@@ -171,7 +174,7 @@ var commandFlags = map[string][]string{
 		useWrapperAudit, DepType, RequirementsFile, Fail, ExtendedTable, WorkingDirs, ExclusionsAudit, Mvn, Gradle, Npm,
 		Pnpm, Yarn, Go, Swift, Cocoapods, Nuget, Pip, Pipenv, Poetry, MinSeverity, FixableOnly, ThirdPartyContextualAnalysis, Threads,
 		Sca, Iac, Sast, Secrets, WithoutCA, ScanVuln, SecretValidation, OutputDir, SkipAutoInstall, AllowPartialResults, MaxTreeDepth,
-		StaticSca, XrayLibPluginBinaryCustomPath, AnalyzerManagerCustomPath,
+		StaticSca, XrayLibPluginBinaryCustomPath, AnalyzerManagerCustomPath, AddSastRules,
 	},
 	UploadCdx: {
 		UploadRepoPath, uploadProjectKey,
@@ -187,7 +190,7 @@ var commandFlags = map[string][]string{
 		// Output params
 		Licenses, OutputFormat, ExtendedTable, OutputDir,
 		// Scan Logic params
-		StaticSca, XrayLibPluginBinaryCustomPath, AnalyzerManagerCustomPath,
+		StaticSca, XrayLibPluginBinaryCustomPath, AnalyzerManagerCustomPath, AddSastRules,
 	},
 	CurationAudit: {
 		CurationOutput, WorkingDirs, Threads, RequirementsFile, InsecureTls, useWrapperAudit,
@@ -307,6 +310,8 @@ var flagsMap = map[string]components.Flag{
 	WithoutCA:                     components.NewBoolFlag(WithoutCA, fmt.Sprintf("Selective scanners mode: Disable Contextual Analysis scanner after SCA. Relevant only with --%s flag.", Sca)),
 	SecretValidation:              components.NewBoolFlag(SecretValidation, fmt.Sprintf("Selective scanners mode: Triggers token validation on found secrets. Relevant only with --%s flag.", Secrets)),
 
+	AddSastRules: components.NewStringFlag(AddSastRules, "Incorporate any additional SAST rules (in JSON format, with absolute path) into this local scan."),
+
 	// Git flags
 	InputFile:       components.NewStringFlag(InputFile, "Path to an input file in YAML format contains multiple git providers. With this option, all other scm flags will be ignored and only git servers mentioned in the file will be examined.."),
 	ScmType:         components.NewStringFlag(ScmType, fmt.Sprintf("SCM type. Possible values are: %s.", contributors.NewScmType().GetValidScmTypeString()), components.SetMandatory()),
diff --git a/cli/scancommands.go b/cli/scancommands.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"slices"
 	"strings"
 
 	buildInfoUtils "github.com/jfrog/build-info-go/utils"
@@ -27,11 +28,13 @@ import (
 	dockerScanDocs "github.com/jfrog/jfrog-cli-security/cli/docs/scan/dockerscan"
 	scanDocs "github.com/jfrog/jfrog-cli-security/cli/docs/scan/scan"
 	uploadCdxDocs "github.com/jfrog/jfrog-cli-security/cli/docs/upload"
+	"github.com/jfrog/jfrog-cli-security/utils"
 
 	"github.com/jfrog/jfrog-cli-security/commands/enrich"
 	"github.com/jfrog/jfrog-cli-security/commands/source_mcp"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/indexer"
 	"github.com/jfrog/jfrog-cli-security/utils/xray"
+	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
 	"github.com/urfave/cli"
 
@@ -412,6 +415,21 @@ func AuditCmd(c *components.Context) error {
 		auditCmd.SetScansToPerform(subScans)
 	}
 
+	// Validate that there is a sast scan before setting the sast rules
+	if sastRulesFile := c.GetStringFlagValue(flags.AddSastRules); sastRulesFile != "" {
+		// Check if file exists
+		if exists, err := fileutils.IsFileExists(sastRulesFile, false); err != nil || !exists {
+			return pluginsCommon.PrintHelpAndReturnError(fmt.Sprintf("file '%s' does not exist: %s", sastRulesFile, err.Error()), c)
+		}
+
+		// Validate scan is performed
+		if len(auditCmd.ScansToPerform()) > 0 && !slices.Contains(auditCmd.ScansToPerform(), utils.SastScan) {
+			return pluginsCommon.PrintHelpAndReturnError(fmt.Sprintf("flag '--%s' can only be used with '--%s'", flags.AddSastRules, flags.Sast), c)
+		}
+
+		auditCmd.SetSastRules(sastRulesFile)
+	}
+
 	threads, err := pluginsCommon.GetThreadsCount(c)
 	if err != nil {
 		return err
diff --git a/commands/audit/audit.go b/commands/audit/audit.go
@@ -625,6 +625,7 @@ func createJasScansTask(auditParallelRunner *utils.SecurityParallelRunner, scanR
 				ThirdPartyApplicabilityScan: auditParams.thirdPartyApplicabilityScan,
 				ApplicableScanType:          applicability.ApplicabilityScannerType,
 				SignedDescriptions:          getSignedDescriptions(auditParams.OutputFormat()),
+				SastRules:                   auditParams.SastRules(),
 				ScanResults:                 targetResult,
 				TargetOutputDir:             auditParams.scanResultsOutputDir,
 				AllowPartialResults:         auditParams.AllowPartialResults(),
diff --git a/commands/audit/auditparams.go b/commands/audit/auditparams.go
@@ -35,6 +35,7 @@ type AuditParams struct {
 	bomGenerator                    bom.SbomGenerator
 	customBomGenBinaryPath          string
 	scaScanStrategy                 scan.SbomScanStrategy
+	sastRules                       string
 	// Diff mode, scan only the files affected by the diff.
 	diffMode         bool
 	filesToScan      []string
@@ -100,6 +101,15 @@ func (params *AuditParams) CustomAnalyzerManagerBinaryPath() string {
 	return params.customAnalyzerManagerBinaryPath
 }
 
+func (params *AuditParams) SetSastRules(sastRules string) *AuditParams {
+	params.sastRules = sastRules
+	return params
+}
+
+func (params *AuditParams) SastRules() string {
+	return params.sastRules
+}
+
 func (params *AuditParams) SetScaScanStrategy(scaScanStrategy scan.SbomScanStrategy) *AuditParams {
 	params.scaScanStrategy = scaScanStrategy
 	return params
diff --git a/go.mod b/go.mod
@@ -2,6 +2,9 @@ module github.com/jfrog/jfrog-cli-security
 
 go 1.24.6
 
+// TODO: update xray-scan lib to latest version that supports CycloneDX v0.9.3 (not yet released)
+replace github.com/CycloneDX/cyclonedx-go => github.com/CycloneDX/cyclonedx-go v0.9.2
+
 require (
 	github.com/CycloneDX/cyclonedx-go v0.9.3
 	github.com/beevik/etree v1.4.0
@@ -17,7 +20,7 @@ require (
 	github.com/jfrog/jfrog-apps-config v1.0.1
 	github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec
 	github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451
-	github.com/jfrog/jfrog-client-go v1.55.1-0.20251030113529-d87ecf28ffb6
+	github.com/jfrog/jfrog-client-go v1.55.1-0.20251103081126-15edfe03d6e5
 	github.com/magiconair/properties v1.8.10
 	github.com/owenrumney/go-sarif/v3 v3.2.3
 	github.com/package-url/packageurl-go v0.1.3
@@ -124,13 +127,12 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-// attiasas:retry_build_scan
-replace github.com/jfrog/jfrog-client-go => github.com/attiasas/jfrog-client-go v0.0.0-20251030094108-376296f968cc
+// replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go master
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 master
 
-//replace github.com/jfrog/jfrog-cli-artifactory => github.com/fluxxBot/jfrog-cli-artifactory v0.0.0-20251017061455-6a03988302bf
+//replace github.com/jfrog/jfrog-cli-artifactory => github.com/jfrog/jfrog-cli-artifactory main
 
-// replace github.com/jfrog/build-info-go => github.com/attiasas/build-info-go dev
+// replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go dev
 
 // replace github.com/jfrog/froggit-go => github.com/jfrog/froggit-go master
diff --git a/go.sum b/go.sum
@@ -4,8 +4,8 @@ dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
-github.com/CycloneDX/cyclonedx-go v0.9.3 h1:Pyk/lwavPz7AaZNvugKFkdWOm93MzaIyWmBwmBo3aUI=
-github.com/CycloneDX/cyclonedx-go v0.9.3/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6SbM2ZuMIgq86Jg=
+github.com/CycloneDX/cyclonedx-go v0.9.2 h1:688QHn2X/5nRezKe2ueIVCt+NRqf7fl3AVQk+vaFcIo=
+github.com/CycloneDX/cyclonedx-go v0.9.2/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6SbM2ZuMIgq86Jg=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
@@ -21,6 +21,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/attiasas/jfrog-client-go v0.0.0-20251027091559-b3d20c0c4c64 h1:Cn41pu2bfTjWq18sm/GgLJCkSZUtgKZM6CeIjuUmw7E=
+github.com/attiasas/jfrog-client-go v0.0.0-20251027091559-b3d20c0c4c64/go.mod h1:7E859kSn1CaF9A2LH/zAXNPO6bGViNoJ0yqEJYwCu0E=
 github.com/attiasas/jfrog-client-go v0.0.0-20251030094108-376296f968cc h1:AJQueJft8TFJ7s46cr8saEFGfcJEDAxUJ/rhkCnWsP0=
 github.com/attiasas/jfrog-client-go v0.0.0-20251030094108-376296f968cc/go.mod h1:wsMEtoyAu/1bARUHxFdmgz83g96ml7ZWcFioIPiuz/U=
 github.com/beevik/etree v1.4.0 h1:oz1UedHRepuY3p4N5OjE0nK1WLCqtzHf25bxplKOHLs=
@@ -142,6 +144,8 @@ github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec h1:i
 github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec/go.mod h1:JE/35+kU8cBET4I4iuNcVBvhm8SF64DAmGgtHRzf5Do=
 github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451 h1:Q0PY8VSOVsfvXzKiUnn+Rv7Ynf901QW6Wn1CbWpHBD0=
 github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251023084247-a56afca52451/go.mod h1:UOeOwEEmRIi57cRwghN5OBVoqkJieYQQfLpeqw8Yv38=
+github.com/jfrog/jfrog-client-go v1.55.1-0.20251103081126-15edfe03d6e5 h1:vjWXoDEkxpTkO9qRiqeFaB2jNpWWtTcINQ8eZ4RbO5o=
+github.com/jfrog/jfrog-client-go v1.55.1-0.20251103081126-15edfe03d6e5/go.mod h1:wsMEtoyAu/1bARUHxFdmgz83g96ml7ZWcFioIPiuz/U=
 github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
 github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo=
 github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=
diff --git a/jas/analyzermanager.go b/jas/analyzermanager.go
@@ -23,7 +23,7 @@ import (
 const (
 	ApplicabilityFeatureId                    = "contextual_analysis"
 	AnalyzerManagerZipName                    = "analyzerManager.zip"
-	defaultAnalyzerManagerVersion             = "1.23.9"
+	defaultAnalyzerManagerVersion             = "1.24.0"
 	analyzerManagerDownloadPath               = "xsc-gen-exe-analyzer-manager-local/v1"
 	analyzerManagerDirName                    = "analyzerManager"
 	analyzerManagerExecutableName             = "analyzerManager"
diff --git a/jas/runner/jasrunner.go b/jas/runner/jasrunner.go
@@ -43,6 +43,7 @@ type JasRunnerParams struct {
 	ThirdPartyApplicabilityScan bool
 	// SAST scan flags
 	SignedDescriptions bool
+	SastRules          string
 	// Outputs
 	ScanResults     *results.TargetResults
 	TargetOutputDir string
@@ -177,7 +178,7 @@ func runSastScan(params *JasRunnerParams) parallel.TaskFunc {
 		defer func() {
 			params.Runner.JasScannersWg.Done()
 		}()
-		vulnerabilitiesResults, violationsResults, err := sast.RunSastScan(params.Scanner, params.Module, params.SignedDescriptions, threadId, getSourceRunsToCompare(params, jasutils.Sast)...)
+		vulnerabilitiesResults, violationsResults, err := sast.RunSastScan(params.Scanner, params.Module, params.SignedDescriptions, params.SastRules, threadId, getSourceRunsToCompare(params, jasutils.Sast)...)
 		params.Runner.ResultsMu.Lock()
 		defer params.Runner.ResultsMu.Unlock()
 		// We first add the scan results and only then check for errors, so we can store the exit code in order to report it in the end
diff --git a/jas/sast/sastscanner.go b/jas/sast/sastscanner.go
@@ -24,18 +24,19 @@ const (
 type SastScanManager struct {
 	scanner            *jas.JasScanner
 	signedDescriptions bool
+	sastRules          string
 
 	resultsToCompareFileName string
 	configFileName           string
 	resultsFileName          string
 }
 
-func RunSastScan(scanner *jas.JasScanner, module jfrogappsconfig.Module, signedDescriptions bool, threadId int, resultsToCompare ...*sarif.Run) (vulnerabilitiesResults []*sarif.Run, violationsResults []*sarif.Run, err error) {
+func RunSastScan(scanner *jas.JasScanner, module jfrogappsconfig.Module, signedDescriptions bool, sastRules string, threadId int, resultsToCompare ...*sarif.Run) (vulnerabilitiesResults []*sarif.Run, violationsResults []*sarif.Run, err error) {
 	var scannerTempDir string
 	if scannerTempDir, err = jas.CreateScannerTempDirectory(scanner, jasutils.Sast.String(), threadId); err != nil {
 		return
 	}
-	sastScanManager, err := newSastScanManager(scanner, scannerTempDir, signedDescriptions, resultsToCompare...)
+	sastScanManager, err := newSastScanManager(scanner, scannerTempDir, signedDescriptions, sastRules, resultsToCompare...)
 	if err != nil {
 		return
 	}
@@ -47,10 +48,11 @@ func RunSastScan(scanner *jas.JasScanner, module jfrogappsconfig.Module, signedD
 	return
 }
 
-func newSastScanManager(scanner *jas.JasScanner, scannerTempDir string, signedDescriptions bool, resultsToCompare ...*sarif.Run) (manager *SastScanManager, err error) {
+func newSastScanManager(scanner *jas.JasScanner, scannerTempDir string, signedDescriptions bool, sastRules string, resultsToCompare ...*sarif.Run) (manager *SastScanManager, err error) {
 	manager = &SastScanManager{
 		scanner:            scanner,
 		signedDescriptions: signedDescriptions,
+		sastRules:          sastRules,
 		configFileName:     filepath.Join(scannerTempDir, "config.yaml"),
 		resultsFileName:    filepath.Join(scannerTempDir, "results.sarif"),
 	}
@@ -94,6 +96,7 @@ type scanConfiguration struct {
 	ExcludePatterns        []string       `yaml:"exclude_patterns,omitempty"`
 	ExcludedRules          []string       `yaml:"excluded-rules,omitempty"`
 	SastParameters         sastParameters `yaml:"sast_parameters,omitempty"`
+	UserRules              string         `yaml:"user_rules,omitempty"`
 }
 
 type sastParameters struct {
@@ -122,6 +125,7 @@ func (ssm *SastScanManager) createConfigFile(module jfrogappsconfig.Module, sign
 					SignedDescriptions: signedDescriptions,
 				},
 				ExcludePatterns: jas.GetExcludePatterns(module, &sastScanner.Scanner, exclusions...),
+				UserRules:       ssm.sastRules,
 			},
 		},
 	}
diff --git a/jas/sast/sastscanner_test.go b/jas/sast/sastscanner_test.go
@@ -23,7 +23,7 @@ func TestNewSastScanManager(t *testing.T) {
 	jfrogAppsConfigForTest, err := jas.CreateJFrogAppsConfig([]string{"currentDir"})
 	assert.NoError(t, err)
 	// Act
-	sastScanManager, err := newSastScanManager(scanner, "temoDirPath", true)
+	sastScanManager, err := newSastScanManager(scanner, "temoDirPath", true, "")
 	assert.NoError(t, err)
 
 	// Assert
@@ -33,6 +33,7 @@ func TestNewSastScanManager(t *testing.T) {
 		assert.NotEmpty(t, sastScanManager.resultsFileName)
 		assert.NotEmpty(t, jfrogAppsConfigForTest.Modules[0].SourceRoot)
 		assert.Equal(t, &jas.FakeServerDetails, sastScanManager.scanner.ServerDetails)
+		assert.Empty(t, sastScanManager.sastRules)
 	}
 }
 
@@ -46,7 +47,7 @@ func TestNewSastScanManagerWithFilesToCompare(t *testing.T) {
 	scannerTempDir, err := jas.CreateScannerTempDirectory(scanner, jasutils.Secrets.String(), 0)
 	require.NoError(t, err)
 
-	sastScanManager, err := newSastScanManager(scanner, scannerTempDir, false, sarifutils.CreateRunWithDummyResults(sarifutils.CreateDummyResult("test-markdown", "test-msg", "test-rule-id", "note")))
+	sastScanManager, err := newSastScanManager(scanner, scannerTempDir, false, "", sarifutils.CreateRunWithDummyResults(sarifutils.CreateDummyResult("test-markdown", "test-msg", "test-rule-id", "note")))
 	require.NoError(t, err)
 
 	// Check if path value exists and file is created
@@ -61,7 +62,7 @@ func TestSastParseResults_EmptyResults(t *testing.T) {
 	assert.NoError(t, err)
 
 	// Arrange
-	sastScanManager, err := newSastScanManager(scanner, "temoDirPath", true)
+	sastScanManager, err := newSastScanManager(scanner, "temoDirPath", true, "")
 	assert.NoError(t, err)
 	sastScanManager.resultsFileName = filepath.Join(jas.GetTestDataPath(), "sast-scan", "no-violations.sarif")
 
@@ -84,7 +85,7 @@ func TestSastParseResults_ResultsContainIacViolations(t *testing.T) {
 	jfrogAppsConfigForTest, err := jas.CreateJFrogAppsConfig([]string{})
 	assert.NoError(t, err)
 	// Arrange
-	sastScanManager, err := newSastScanManager(scanner, "temoDirPath", false)
+	sastScanManager, err := newSastScanManager(scanner, "temoDirPath", false, "")
 	assert.NoError(t, err)
 	sastScanManager.resultsFileName = filepath.Join(jas.GetTestDataPath(), "sast-scan", "contains-sast-violations.sarif")
 
@@ -186,3 +187,20 @@ func TestGroupResultsByLocation(t *testing.T) {
 		assert.ElementsMatch(t, test.expectedOutput.Results, test.run.Results)
 	}
 }
+
+func TestSastRules(t *testing.T) {
+	scanner, cleanUp := jas.InitJasTest(t)
+	defer cleanUp()
+	tempDir, cleanUpTempDir := coreTests.CreateTempDirWithCallbackAndAssert(t)
+	defer cleanUpTempDir()
+
+	scanner.TempDir = tempDir
+	scannerTempDir, err := jas.CreateScannerTempDirectory(scanner, jasutils.Sast.String(), 0)
+	require.NoError(t, err)
+
+	sastScanManager, err := newSastScanManager(scanner, scannerTempDir, false, "test-rules.json")
+	require.NoError(t, err)
+	assert.Equal(t, "test-rules.json", sastScanManager.sastRules)
+	assert.Equal(t, filepath.Join(scannerTempDir, "config.yaml"), sastScanManager.configFileName)
+	assert.Equal(t, filepath.Join(scannerTempDir, "results.sarif"), sastScanManager.resultsFileName)
+}
diff --git a/sca/scan/enrich/runner.go b/sca/scan/enrich/runner.go
@@ -12,6 +12,8 @@ import (
 
 	"github.com/jfrog/jfrog-cli-security/sca/scan"
 	"github.com/jfrog/jfrog-cli-security/utils/catalog"
+	"github.com/jfrog/jfrog-cli-security/utils/xray"
+	"github.com/jfrog/jfrog-cli-security/utils/xray/remediation"
 )
 
 type EnrichScanStrategy struct {
@@ -58,6 +60,20 @@ func (ess *EnrichScanStrategy) SbomEnrichTask(target *cyclonedx.BOM) (enriched *
 		return nil, []services.Violation{}, fmt.Errorf("failed to create catalog service manager: %w", err)
 	}
 	enriched, err = catalogManager.Enrich(target)
+	if err != nil {
+		return nil, []services.Violation{}, fmt.Errorf("failed to enrich SBOM: %w", err)
+	}
+	log.Debug("SBOM enrichment completed successfully")
+	// Fixed versions are not returned from the enrich API, next we need to enrich with remediation API.
+	xrayManager, err := xray.CreateXrayServiceManager(ess.serverDetails, xray.WithScopedProjectKey(ess.projectKey))
+	if err != nil {
+		return nil, []services.Violation{}, fmt.Errorf("failed to create Xray service manager: %w", err)
+	}
+	err = remediation.AttachFixedVersionsToVulnerabilities(xrayManager, enriched)
+	if err != nil {
+		return nil, []services.Violation{}, fmt.Errorf("failed to attach fixed versions to vulnerabilities: %w", err)
+	}
+	log.Debug("SBOM remediation enrichment completed successfully")
 	return
 }
 
diff --git a/utils/formats/cdxutils/cyclonedxutils.go b/utils/formats/cdxutils/cyclonedxutils.go
@@ -450,20 +450,42 @@ func CreateScaImpactedAffects(impactedPackageComponent cyclonedx.Component, fixe
 		Range: &[]cyclonedx.AffectedVersions{},
 	}
 	// Affected version
-	*affect.Range = append(*affect.Range, cyclonedx.AffectedVersions{
+	AppendAffectedVersionsIfNotExists(&affect, cyclonedx.AffectedVersions{
 		Version: impactedPackageVersion,
 		Status:  cyclonedx.VulnerabilityStatusAffected,
 	})
 	// Fixed versions
 	for _, fixedVersion := range fixedVersions {
-		*affect.Range = append(*affect.Range, cyclonedx.AffectedVersions{
+		AppendAffectedVersionsIfNotExists(&affect, cyclonedx.AffectedVersions{
 			Version: fixedVersion,
 			Status:  cyclonedx.VulnerabilityStatusNotAffected,
 		})
 	}
 	return
 }
 
+func AppendAffectedVersionsIfNotExists(affect *cyclonedx.Affects, affectedVersions ...cyclonedx.AffectedVersions) {
+	if affect.Range == nil {
+		affect.Range = &[]cyclonedx.AffectedVersions{}
+	}
+	// Validate that the affected version does not already exist in the affected versions
+	for _, newAffectedVersion := range affectedVersions {
+		if newAffectedVersion.Version == "" {
+			continue
+		}
+		exists := false
+		for _, existingAffectedVersion := range *affect.Range {
+			if existingAffectedVersion.Version == newAffectedVersion.Version {
+				exists = true
+				break
+			}
+		}
+		if !exists {
+			*affect.Range = append(*affect.Range, newAffectedVersion)
+		}
+	}
+}
+
 type CdxVulnerabilityParams struct {
 	Ref         string
 	ID          string
diff --git a/utils/results/common.go b/utils/results/common.go
diff --git a/utils/results/common_test.go b/utils/results/common_test.go
diff --git a/utils/xray/remediation/cdxremediation.go b/utils/xray/remediation/cdxremediation.go
diff --git a/utils/xray/remediation/cdxremediation_test.go b/utils/xray/remediation/cdxremediation_test.go
