Merge branch 'dev' into moveoutdockertest

eranturgeman · web-flow · commit c83248882d97 · 2025-10-19T08:53:33.000+03:00
diff --git a/.github/actions/install-and-setup/action.yml b/.github/actions/install-and-setup/action.yml
@@ -102,3 +102,11 @@ runs:
         branch: swift-6.1-release
         tag: 6.1-RELEASE
       if: ${{ inputs.install-swift == 'true' && runner.os == 'Windows'}}
+
+    # Ensure Java 11 remains active after all installations (Swift setup might override it)
+    - name: Force Java 11 on Windows
+      if: runner.os == 'Windows'
+      shell: powershell
+      run: |
+        echo "JAVA_HOME=$env:JAVA_HOME_11_X64" >> $env:GITHUB_ENV
+        echo "$env:JAVA_HOME_11_X64\bin" >> $env:GITHUB_PATH
diff --git a/buildscripts/download-jars.sh b/buildscripts/download-jars.sh
@@ -7,9 +7,9 @@
 # https://github.com/jfrog/maven-dep-tree
 
 # Once you have updated the versions mentioned below, please execute this script from the root directory of the jfrog-cli-core to ensure the JAR files are updated.
-GRADLE_DEP_TREE_VERSION="3.0.4"
+GRADLE_DEP_TREE_VERSION="3.1.0"
 # Changing this version also requires a change in mavenDepTreeVersion within utils/java/mvn.go.
-MAVEN_DEP_TREE_VERSION="1.1.3"
+MAVEN_DEP_TREE_VERSION="1.1.5"
 
 curl -fL https://releases.jfrog.io/artifactory/oss-release-local/com/jfrog/gradle-dep-tree/${GRADLE_DEP_TREE_VERSION}/gradle-dep-tree-${GRADLE_DEP_TREE_VERSION}.jar -o sca/bom/buildinfo/technologies/java/resources/gradle-dep-tree.jar
 curl -fL https://releases.jfrog.io/artifactory/oss-release-local/com/jfrog/maven-dep-tree/${MAVEN_DEP_TREE_VERSION}/maven-dep-tree-${MAVEN_DEP_TREE_VERSION}.jar -o sca/bom/buildinfo/technologies/java/resources/maven-dep-tree.jar
diff --git a/commands/curation/curationaudit_test.go b/commands/curation/curationaudit_test.go
@@ -16,6 +16,7 @@ import (
 	"sync"
 	"testing"
 
+	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo/technologies/java"
 	"github.com/jfrog/jfrog-cli-security/utils/formats"
 
 	biutils "github.com/jfrog/build-info-go/utils"
@@ -833,7 +834,7 @@ func getTestCasesForDoCurationAudit() []testCase {
 				curationCache, err := utils.GetCurationCacheFolderByTech(techutils.Maven)
 				require.NoError(t, err)
 				cleanUpTestDirChange()
-				return []string{"com.jfrog:maven-dep-tree:tree", "-DdepsTreeOutputFile=output", "-Dmaven.repo.local=" + curationCache}
+				return []string{"com.jfrog:maven-dep-tree:" + java.GetMavenDepTreeVersion() + ":tree", "-DdepsTreeOutputFile=output", "-Dmaven.repo.local=" + curationCache}
 			},
 			expectedBuildRequest: map[string]bool{
 				"/api/curation/audit/maven-remote/org/webjars/npm/underscore/1.13.6/underscore-1.13.6.pom": false,
diff --git a/jas/analyzermanager.go b/jas/analyzermanager.go
@@ -23,7 +23,7 @@ import (
 const (
 	ApplicabilityFeatureId                    = "contextual_analysis"
 	AnalyzerManagerZipName                    = "analyzerManager.zip"
-	defaultAnalyzerManagerVersion             = "1.23.3"
+	defaultAnalyzerManagerVersion             = "1.23.9"
 	analyzerManagerDownloadPath               = "xsc-gen-exe-analyzer-manager-local/v1"
 	analyzerManagerDirName                    = "analyzerManager"
 	analyzerManagerExecutableName             = "analyzerManager"
diff --git a/jfrog-security b/jfrog-security
diff --git a/sca/bom/buildinfo/technologies/java/deptreemanager_test.go b/sca/bom/buildinfo/technologies/java/deptreemanager_test.go
@@ -50,7 +50,10 @@ func TestGetGradleGraphFromDepTree(t *testing.T) {
 		"org.slf4j:slf4j-api:1.4.2",
 	}
 
-	manager := &gradleDepTreeManager{DepTreeManager{}}
+	manager := &gradleDepTreeManager{
+		DepTreeManager: DepTreeManager{},
+		isCurationCmd:  false,
+	}
 	outputFileContent, err := manager.runGradleDepTree()
 	assert.NoError(t, err)
 	depTree, uniqueDeps, err := getGraphFromDepTree(outputFileContent)
@@ -64,3 +67,20 @@ func TestGetGradleGraphFromDepTree(t *testing.T) {
 		assert.Equal(t, len(depChild), len(dependency.Nodes))
 	}
 }
+
+func TestGetGradleGraphFromDepTreeWithCuration(t *testing.T) {
+	tempDirPath, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("projects", "package-managers", "gradle", "gradle"))
+	defer cleanUp()
+	assert.NoError(t, os.Chmod(filepath.Join(tempDirPath, "gradlew"), 0700))
+
+	manager := &gradleDepTreeManager{
+		DepTreeManager: DepTreeManager{},
+		isCurationCmd:  true,
+	}
+	outputFileContent, err := manager.runGradleDepTree()
+	assert.NoError(t, err)
+	depTree, uniqueDeps, err := getGraphFromDepTree(outputFileContent)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, depTree)
+	assert.NotEmpty(t, uniqueDeps)
+}
diff --git a/sca/bom/buildinfo/technologies/java/gradle.go b/sca/bom/buildinfo/technologies/java/gradle.go
@@ -57,10 +57,14 @@ var gradleDepTreeJar []byte
 
 type gradleDepTreeManager struct {
 	DepTreeManager
+	isCurationCmd bool
 }
 
 func buildGradleDependencyTree(params *DepTreeParams) (dependencyTree []*xrayUtils.GraphNode, uniqueDeps map[string]*xray.DepTreeNode, err error) {
-	manager := &gradleDepTreeManager{DepTreeManager: NewDepTreeManager(params)}
+	manager := &gradleDepTreeManager{
+		DepTreeManager: NewDepTreeManager(params),
+		isCurationCmd:  params.IsCurationCmd,
+	}
 	outputFileContent, err := manager.runGradleDepTree()
 	if err != nil {
 		return
@@ -160,6 +164,12 @@ func (gdt *gradleDepTreeManager) execGradleDepTree(depTreeDir string) (outputFil
 		gradleNoCacheFlag,
 		fmt.Sprintf("-Dcom.jfrog.depsTreeOutputFile=%s", outputFilePath),
 		"-Dcom.jfrog.includeAllBuildFiles=true"}
+
+	// Add curation audit mode for pass-through functionality if this is a curation command
+	if gdt.isCurationCmd {
+		tasks = append(tasks, "-Dcom.jfrog.curationAuditMode=true")
+	}
+
 	log.Info("Running gradle deps tree command:", gradleExecPath, strings.Join(tasks, " "))
 	if output, err := exec.Command(gradleExecPath, tasks...).CombinedOutput(); err != nil {
 		return nil, errorutils.CheckErrorf("error running gradle-dep-tree: %s\n%s", err.Error(), string(output))
diff --git a/sca/bom/buildinfo/technologies/java/gradle_test.go b/sca/bom/buildinfo/technologies/java/gradle_test.go
@@ -229,3 +229,31 @@ func TestConstructReleasesRemoteRepo(t *testing.T) {
 		}()
 	}
 }
+
+func TestGradleCurationAuditMode(t *testing.T) {
+	// Test that curation audit mode flag is added when IsCurationCmd is true
+	params := &DepTreeParams{
+		IsCurationCmd: true,
+	}
+
+	manager := &gradleDepTreeManager{
+		DepTreeManager: NewDepTreeManager(params),
+		isCurationCmd:  params.IsCurationCmd,
+	}
+
+	// Verify that the manager has the curation flag set
+	assert.True(t, manager.isCurationCmd, "isCurationCmd should be true for curation commands")
+
+	// Test with non-curation command
+	paramsNonCuration := &DepTreeParams{
+		IsCurationCmd: false,
+	}
+
+	managerNonCuration := &gradleDepTreeManager{
+		DepTreeManager: NewDepTreeManager(paramsNonCuration),
+		isCurationCmd:  paramsNonCuration.IsCurationCmd,
+	}
+
+	// Verify that the manager does not have the curation flag set
+	assert.False(t, managerNonCuration.isCurationCmd, "isCurationCmd should be false for non-curation commands")
+}
diff --git a/sca/bom/buildinfo/technologies/java/mvn.go b/sca/bom/buildinfo/technologies/java/mvn.go
@@ -28,7 +28,7 @@ const (
 	mavenDepTreeJarFile    = "maven-dep-tree.jar"
 	mavenDepTreeOutputFile = "mavendeptree.out"
 	// Changing this version also requires a change in MAVEN_DEP_TREE_VERSION within buildscripts/download_jars.sh
-	mavenDepTreeVersion = "1.1.3"
+	mavenDepTreeVersion = "1.1.5"
 	settingsXmlFile     = "settings.xml"
 )
 
@@ -124,6 +124,10 @@ func GetMavenPluginInstallationGoals(pluginPath string) []string {
 	return []string{"org.apache.maven.plugins:maven-install-plugin:3.1.1:install-file", "-Dfile=" + pluginPath, "-B"}
 }
 
+func GetMavenDepTreeVersion() string {
+	return mavenDepTreeVersion
+}
+
 func (mdt *MavenDepTreeManager) execMavenDepTree(depTreeExecDir string) (string, error) {
 	if mdt.cmdName == Tree {
 		return mdt.runTreeCmd(depTreeExecDir)
diff --git a/sca/bom/buildinfo/technologies/java/resources/gradle-dep-tree.jar b/sca/bom/buildinfo/technologies/java/resources/gradle-dep-tree.jar
diff --git a/sca/bom/buildinfo/technologies/java/resources/maven-dep-tree.jar b/sca/bom/buildinfo/technologies/java/resources/maven-dep-tree.jar
diff --git a/tests/testdata/projects/package-managers/gradle/gradle-example-config/gradle/wrapper/gradle-wrapper.properties b/tests/testdata/projects/package-managers/gradle/gradle-example-config/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-5.6.4-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/utils/results/common.go b/utils/results/common.go
@@ -1103,10 +1103,12 @@ func getDataFromNode(node *xrayUtils.GraphNode, parsed *datastructures.Set[strin
 }
 
 func getNodeDirectDependencies(node *xrayUtils.GraphNode) (dependencies *[]string) {
-	dependencies = &[]string{}
+	depSet := datastructures.MakeSet[string]()
 	for _, dep := range node.Nodes {
-		*dependencies = append(*dependencies, techutils.XrayComponentIdToCdxComponentRef(dep.Id))
+		depSet.Add(techutils.XrayComponentIdToCdxComponentRef(dep.Id))
 	}
+	dependencies = &[]string{}
+	*dependencies = depSet.ToSlice()
 	return
 }
 
diff --git a/utils/results/common_test.go b/utils/results/common_test.go
@@ -1310,7 +1310,7 @@ func TestDepTreeToSbom(t *testing.T) {
 			expectedDependencies: &[]cyclonedx.Dependency{
 				{
 					Ref:          "npm:root:1.0.0",
-					Dependencies: &[]string{"npm:A:1.0.1", "npm:D:2.0.0", "npm:B:1.0.0"},
+					Dependencies: &[]string{"npm:A:1.0.1", "npm:B:1.0.0", "npm:D:2.0.0"},
 				},
 				{
 					Ref:          "npm:A:1.0.1",
@@ -1456,6 +1456,13 @@ func TestDepTreeToSbom(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			components, dependencies := DepsTreeToSbom(test.depTrees...)
+			if dependencies != nil {
+				for i := range *dependencies {
+					if (*dependencies)[i].Dependencies != nil {
+						sort.Strings(*(*dependencies)[i].Dependencies)
+					}
+				}
+			}
 			assert.Equal(t, test.expectedComponents, components)
 			assert.Equal(t, test.expectedDependencies, dependencies)
 		})
