Malicious code scanner

Author: barv-jfrog

commands/maliciousscan/maliciousscan.go

@@ -3,18 +3,16 @@ package maliciousscan
 import (
 	"errors"
 	"fmt"
-	"os/exec"
 	"path/filepath"
 	"strings"
 
-	clientutils "github.com/jfrog/jfrog-client-go/utils"
-
 	"github.com/jfrog/jfrog-cli-core/v2/common/format"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 	"github.com/jfrog/jfrog-cli-security/jas"
-	"github.com/jfrog/jfrog-cli-security/jas/runner"
+	"github.com/jfrog/jfrog-cli-security/jas/maliciouscode"
 	"github.com/jfrog/jfrog-cli-security/utils"
+	"github.com/jfrog/jfrog-cli-security/utils/jasutils"
 	"github.com/jfrog/jfrog-cli-security/utils/results"
 	"github.com/jfrog/jfrog-cli-security/utils/results/output"
 	"github.com/jfrog/jfrog-cli-security/utils/severityutils"
@@ -81,17 +79,6 @@ func NewMaliciousScanCommand() *MaliciousScanCommand {
 }
 
 func (cmd *MaliciousScanCommand) Run() (err error) {
-	defer func() {
-		if err != nil {
-			var e *exec.ExitError
-			if errors.As(err, &e) {
-				if e.ExitCode() != coreutils.ExitCodeVulnerableBuild.Code {
-					err = errors.New("Malicious scan command failed. " + err.Error())
-				}
-			}
-		}
-	}()
-
 	xrayVersion, entitledForJas, workingDirs, err := cmd.validateAndPrepare()
 	if err != nil {
 		return err
@@ -109,12 +96,6 @@ func (cmd *MaliciousScanCommand) Run() (err error) {
 		return err
 	}
 
-	if cmd.progress != nil {
-		if err = cmd.progress.Quit(); err != nil {
-			return err
-		}
-	}
-
 	return cmd.outputResults(cmdResults)
 }
 
@@ -199,52 +180,41 @@ func (cmd *MaliciousScanCommand) setAnalyzerManagerPath(scanner *jas.JasScanner)
 		}
 	} else {
 		scanner.AnalyzerManager.AnalyzerManagerFullPath = cmd.customAnalyzerManagerPath
-		log.Debug(clientutils.GetLogMsgPrefix(0, false) + "using custom analyzer manager binary path")
+		log.Debug("using custom analyzer manager binary path")
 	}
 	return nil
 }
 
 func (cmd *MaliciousScanCommand) runMaliciousScans(cmdResults *results.SecurityCommandResults, scanner *jas.JasScanner) error {
 	jasScanProducerConsumer := utils.NewSecurityParallelRunner(cmd.threads)
-
-	serverDetails, err := cmd.ServerDetails()
-	if err != nil {
-		return err
-	}
-
 	jasScanProducerConsumer.JasWg.Add(1)
 	createMaliciousScansTask := func(threadId int) (generalError error) {
 		defer func() {
 			jasScanProducerConsumer.JasWg.Done()
 		}()
 		for _, targetResult := range cmdResults.Targets {
-			if targetResult.AppsConfigModule == nil {
-				_ = targetResult.AddTargetError(fmt.Errorf("can't find module for path %s", targetResult.Target), false)
-				continue
-			}
-			appsConfigModule := *targetResult.AppsConfigModule
-			jasParams := runner.JasRunnerParams{
-				Runner:         &jasScanProducerConsumer,
-				ServerDetails:  serverDetails,
-				Scanner:        scanner,
-				Module:         appsConfigModule,
-				ScansToPerform: []utils.SubScanType{utils.MaliciousCodeScan},
-				ScanResults:    targetResult,
-				TargetCount:    len(cmdResults.Targets),
-			}
-
-			if generalError = runner.AddJasScannersTasks(jasParams); generalError != nil {
-				_ = targetResult.AddTargetError(fmt.Errorf("failed to add malicious scan task: %w", generalError), false)
-				generalError = nil
+			vulnerabilitiesResults, err := maliciouscode.RunMaliciousScan(
+				scanner,
+				maliciouscode.MaliciousScannerType,
+				targetResult.Target,
+				len(cmdResults.Targets),
+				threadId,
+			)
+			jasScanProducerConsumer.ResultsMu.Lock()
+			// Malicious code scans only return vulnerabilities, not violations
+			targetResult.AddJasScanResults(jasutils.MaliciousCode, vulnerabilitiesResults, nil, jas.GetAnalyzerManagerExitCode(err))
+			jasScanProducerConsumer.ResultsMu.Unlock()
+			if err = jas.ParseAnalyzerManagerError(jasutils.MaliciousCode, err); err != nil {
+				_ = targetResult.AddTargetError(fmt.Errorf("failed to run malicious scan: %w", err), false)
 			}
 		}
 		return
 	}
 
 	if _, addTaskErr := jasScanProducerConsumer.Runner.AddTaskWithError(createMaliciousScansTask, func(taskErr error) {
-		cmdResults.AddGeneralError(fmt.Errorf("failed while adding JAS scan tasks: %s", taskErr.Error()), false)
+		cmdResults.AddGeneralError(fmt.Errorf("failed while adding malicious scan tasks: %s", taskErr.Error()), false)
 	}); addTaskErr != nil {
-		return fmt.Errorf("failed to create JAS task: %w", addTaskErr)
+		return fmt.Errorf("failed to create malicious scan task: %w", addTaskErr)
 	}
 
 	jasScanProducerConsumer.Start()
@@ -295,16 +265,6 @@ func populateScanTargets(cmdResults *results.SecurityCommandResults, workingDirs
 		return
 	}
 
-	jfrogAppsConfig, err := jas.CreateJFrogAppsConfig(cmdResults.GetTargetsPaths())
-	if err != nil {
-		cmdResults.AddGeneralError(fmt.Errorf("failed to create JFrogAppsConfig: %w", err), false)
-		return
-	}
-
-	for _, targetResult := range cmdResults.Targets {
-		targetResult.AppsConfigModule = jas.GetModule(targetResult.Target, jfrogAppsConfig)
-	}
-
 	logScanTargetsInfo(cmdResults)
 }
 

go.mod

@@ -11,20 +11,20 @@ require (
 	github.com/gookit/color v1.6.0
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-plugin v1.6.3
-	github.com/jfrog/build-info-go v1.12.5-0.20251209031413-f5f0e93dc8db
+	github.com/jfrog/build-info-go v1.12.5-0.20251209171349-eb030db986f9
 	github.com/jfrog/froggit-go v1.20.4
 	github.com/jfrog/gofrog v1.7.6
 	github.com/jfrog/jfrog-apps-config v1.0.1
-	github.com/jfrog/jfrog-cli-artifactory v0.7.3-0.20251021143342-49bab7f38cec
+	github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251218044417-5113b260e416
 	github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251125083543-e689762c4ff0
-	github.com/jfrog/jfrog-client-go v1.55.1-0.20251216111654-54d67e0c03ac
+	github.com/jfrog/jfrog-client-go v1.55.1-0.20251217134720-582451986897
 	github.com/magiconair/properties v1.8.10
 	github.com/owenrumney/go-sarif/v3 v3.2.3
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/stretchr/testify v1.11.1
 	github.com/urfave/cli v1.22.17
 	github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74
-	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
+	golang.org/x/exp v0.0.0-20251125195548-87e1e737ad39
 	golang.org/x/sync v0.18.0
 	golang.org/x/text v0.31.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -41,10 +41,16 @@ require (
 	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/c-bata/go-prompt v0.2.6 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
+	github.com/clipperhouse/stringish v0.1.1 // indirect
+	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
-	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+	github.com/cyphar/filepath-securejoin v0.6.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/docker/cli v29.0.3+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/fatih/color v1.16.0 // indirect
@@ -59,30 +65,34 @@ require (
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v1.0.0 // indirect
+	github.com/google/go-containerregistry v0.20.7 // indirect
 	github.com/google/go-github/v74 v74.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/grokify/mogo v0.64.12 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jedib0t/go-pretty/v6 v6.6.8 // indirect
+	github.com/jedib0t/go-pretty/v6 v6.7.5 // indirect
 	github.com/jfrog/archiver/v3 v3.6.1 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/compress v1.18.1 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/ktrysmt/go-bitbucket v0.9.80 // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
-	github.com/mattn/go-tty v0.0.3 // indirect
+	github.com/mattn/go-runewidth v0.0.19 // indirect
+	github.com/mattn/go-tty v0.0.7 // indirect
 	github.com/microsoft/azure-devops-go-api/azuredevops/v7 v7.1.0 // indirect
 	github.com/minio/sha256-simd v1.0.1 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/nwaples/rardecode v1.1.3 // indirect
 	github.com/oklog/run v1.0.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pierrec/lz4/v4 v4.1.22 // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
@@ -91,16 +101,17 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sagikazarmark/locafero v0.11.0 // indirect
+	github.com/sagikazarmark/locafero v0.12.0 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
-	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
 	github.com/spf13/afero v1.15.0 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/spf13/viper v1.21.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/ulikunitz/xz v0.5.15 // indirect
+	github.com/vbatts/tar-split v0.12.2 // indirect
 	github.com/vbauerster/mpb/v8 v8.10.2 // indirect
 	github.com/xanzy/go-gitlab v0.110.0 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
@@ -111,20 +122,20 @@ require (
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/mod v0.30.0 // indirect
 	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/oauth2 v0.31.0 // indirect
+	golang.org/x/oauth2 v0.33.0 // indirect
 	golang.org/x/sys v0.38.0 // indirect
 	golang.org/x/term v0.37.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8 // indirect
-	google.golang.org/grpc v1.67.3 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
+	google.golang.org/grpc v1.72.1 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.55.1-0.20251216111654-54d67e0c03ac
+// replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go master
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 master
 
@@ -133,5 +144,3 @@ replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.
 // replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go dev
 
 // replace github.com/jfrog/froggit-go => github.com/jfrog/froggit-go master
-
-replace github.com/jfrog/jfrog-apps-config => github.com/barv-jfrog/jfrog-apps-config v0.0.0-20250128142442-6fd49006bb85