Dont change central config exclude pattern in JAS scans (#623)

Author: attiasas

commands/audit/audit_test.go

@@ -381,7 +381,7 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 						SecretsScannerConfig: services.SecretsScannerConfig{
 							EnableSecretsScan: true,
-							ExcludePatterns:   []string{"*api_secrets*"},
+							ExcludePatterns:   []string{"**/*api_secrets*/**"},
 						},
 						IacScannerConfig: services.IacScannerConfig{
 							EnableIacScan: false,
@@ -441,7 +441,7 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 						SastScannerConfig: services.SastScannerConfig{
 							EnableSastScan:  true,
-							ExcludePatterns: []string{"*flask_webgoat*"},
+							ExcludePatterns: []string{"**/*flask_webgoat*/**"},
 						},
 						SecretsScannerConfig: services.SecretsScannerConfig{
 							EnableSecretsScan: false,
@@ -459,7 +459,7 @@ func TestAuditWithConfigProfile(t *testing.T) {
 			name:        "Enable only IaC scanner",
 			testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
 			configProfile: services.ConfigProfile{
-				ProfileName: "only-sast",
+				ProfileName: "only-iac",
 				Modules: []services.Module{{
 					ModuleId:     1,
 					ModuleName:   "only-iac-module",
@@ -510,7 +510,7 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 						IacScannerConfig: services.IacScannerConfig{
 							EnableIacScan:   true,
-							ExcludePatterns: []string{"*iac/gcp*"},
+							ExcludePatterns: []string{"**/*iac/gcp*/**"},
 						},
 					},
 				}},
@@ -570,11 +570,11 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 						SastScannerConfig: services.SastScannerConfig{
 							EnableSastScan:  true,
-							ExcludePatterns: []string{"*flask_webgoat*"},
+							ExcludePatterns: []string{"**/*flask_webgoat*/**"},
 						},
 						SecretsScannerConfig: services.SecretsScannerConfig{
 							EnableSecretsScan: true,
-							ExcludePatterns:   []string{"*api_secrets*"},
+							ExcludePatterns:   []string{"**/*api_secrets*/**"},
 						},
 						IacScannerConfig: services.IacScannerConfig{
 							EnableIacScan: true,

jas/applicability/applicabilitymanager.go

@@ -88,7 +88,7 @@ func newApplicabilityScanManager(directDependenciesCves, indirectDependenciesCve
 }
 
 func (asm *ApplicabilityScanManager) Run(module jfrogappsconfig.Module) (vulnerabilitiesSarifRuns []*sarif.Run, violationsSarifRuns []*sarif.Run, err error) {
-	if err = asm.createConfigFile(module, append(asm.scanner.Exclusions, asm.scanner.ScannersExclusions.ContextualAnalysisExcludePatterns...)...); err != nil {
+	if err = asm.createConfigFile(module, asm.scanner.ScannersExclusions.ContextualAnalysisExcludePatterns, asm.scanner.Exclusions...); err != nil {
 		return
 	}
 	if err = asm.runAnalyzerManager(); err != nil {
@@ -116,12 +116,12 @@ type scanConfiguration struct {
 	ScanType             string   `yaml:"scantype"`
 }
 
-func (asm *ApplicabilityScanManager) createConfigFile(module jfrogappsconfig.Module, exclusions ...string) error {
+func (asm *ApplicabilityScanManager) createConfigFile(module jfrogappsconfig.Module, centralConfigExclusions []string, exclusions ...string) error {
 	roots, err := jas.GetSourceRoots(module, nil)
 	if err != nil {
 		return err
 	}
-	excludePatterns := jas.GetExcludePatterns(module, nil, exclusions...)
+	excludePatterns := jas.GetExcludePatterns(module, nil, centralConfigExclusions, exclusions...)
 	if asm.thirdPartyScan {
 		log.Info("Including node modules folder in applicability scan")
 		excludePatterns = removeElementFromSlice(excludePatterns, utils.NodeModulesPattern)

jas/applicability/applicabilitymanager_test.go

@@ -175,7 +175,7 @@ func TestCreateConfigFile_VerifyFileWasCreated(t *testing.T) {
 
 	currWd, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)
-	err = applicabilityManager.createConfigFile(jfrogappsconfig.Module{SourceRoot: currWd})
+	err = applicabilityManager.createConfigFile(jfrogappsconfig.Module{SourceRoot: currWd}, []string{})
 	assert.NoError(t, err)
 
 	defer func() {

jas/common.go

@@ -420,37 +420,39 @@ func GetSourceRoots(module jfrogappsconfig.Module, scanner *jfrogappsconfig.Scan
 	return roots, nil
 }
 
-func GetExcludePatterns(module jfrogappsconfig.Module, scanner *jfrogappsconfig.Scanner, exclusions ...string) []string {
-	if len(exclusions) > 0 {
-		return filterUniqueAndConvertToFilesExcludePatterns(exclusions)
+func GetExcludePatterns(module jfrogappsconfig.Module, scanner *jfrogappsconfig.Scanner, centralConfigExclusions []string, cliExclusions ...string) []string {
+	uniqueExcludePatterns := datastructures.MakeSet[string]()
+	if len(cliExclusions) > 0 || len(centralConfigExclusions) > 0 {
+		// Adding exclusions from CLI requires to convert them to file exclude patterns
+		uniqueExcludePatterns.AddElements(convertToFilesExcludePatterns(cliExclusions)...)
+		// Adding exclusions from centralized config, no need to convert
+		uniqueExcludePatterns.AddElements(centralConfigExclusions...)
+		return uniqueExcludePatterns.ToSlice()
 	}
-
 	// Adding exclusions from jfrog-apps-config IF no exclusions provided from other source (flags, env vars, config profile)
-	excludePatterns := module.ExcludePatterns
+	uniqueExcludePatterns.AddElements(module.ExcludePatterns...)
 	if scanner != nil {
-		excludePatterns = append(excludePatterns, scanner.ExcludePatterns...)
+		uniqueExcludePatterns.AddElements(scanner.ExcludePatterns...)
 	}
-	if len(excludePatterns) == 0 {
+	if uniqueExcludePatterns.Size() == 0 {
 		return utils.DefaultJasExcludePatterns
 	}
-	return excludePatterns
+	return uniqueExcludePatterns.ToSlice()
 }
 
 // This function convert every exclude pattern to a file exclude pattern form.
 // Checks are being made since some of the exclude patters we get here might already be in a file exclude pattern
-// Additionally, we keep patterns without duplications
-func filterUniqueAndConvertToFilesExcludePatterns(excludePatterns []string) []string {
-	uniqueExcludePatterns := datastructures.MakeSet[string]()
+func convertToFilesExcludePatterns(excludePatterns []string) (converted []string) {
 	for _, excludePattern := range excludePatterns {
 		if !strings.HasPrefix(excludePattern, "**/") {
 			excludePattern = "**/" + excludePattern
 		}
 		if !strings.HasSuffix(excludePattern, "/**") {
 			excludePattern += "/**"
 		}
-		uniqueExcludePatterns.Add(excludePattern)
+		converted = append(converted, excludePattern)
 	}
-	return uniqueExcludePatterns.ToSlice()
+	return converted
 }
 
 func CheckForSecretValidation(xrayManager *xray.XrayServicesManager, xrayVersion string, validateSecrets bool) bool {

jas/common_test.go

@@ -127,7 +127,7 @@ func TestGetExcludePatterns(t *testing.T) {
 	for _, testCase := range getExcludePatternsCases {
 		t.Run("", func(t *testing.T) {
 			scanner := testCase.scanner
-			actualExcludePatterns := GetExcludePatterns(module, scanner)
+			actualExcludePatterns := GetExcludePatterns(module, scanner, []string{})
 			if scanner == nil {
 				assert.ElementsMatch(t, module.ExcludePatterns, actualExcludePatterns)
 				return
@@ -280,7 +280,7 @@ func TestAddScoreToRunRules(t *testing.T) {
 	}
 }
 
-func TestFilterUniqueAndConvertToFilesExcludePatterns(t *testing.T) {
+func TestConvertToFilesExcludePatterns(t *testing.T) {
 	tests := []struct {
 		name            string
 		excludePatterns []string
@@ -297,7 +297,7 @@ func TestFilterUniqueAndConvertToFilesExcludePatterns(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		filteredExcludePatterns := filterUniqueAndConvertToFilesExcludePatterns(test.excludePatterns)
+		filteredExcludePatterns := convertToFilesExcludePatterns(test.excludePatterns)
 		// Sort is needed since we create the response slice from a Set (unordered)
 		slices.Sort(filteredExcludePatterns)
 		assert.EqualValues(t, test.expectedOutput, filteredExcludePatterns)

jas/iac/iacscanner.go

@@ -70,7 +70,7 @@ func newIacScanManager(scanner *jas.JasScanner, scannerTempDir string, resultsTo
 }
 
 func (iac *IacScanManager) Run(module jfrogappsconfig.Module) (vulnerabilitiesSarifRuns []*sarif.Run, violationsSarifRuns []*sarif.Run, err error) {
-	if err = iac.createConfigFile(module, append(iac.scanner.Exclusions, iac.scanner.ScannersExclusions.IacExcludePatterns...)...); err != nil {
+	if err = iac.createConfigFile(module, iac.scanner.ScannersExclusions.IacExcludePatterns, iac.scanner.Exclusions...); err != nil {
 		return
 	}
 	if err = iac.runAnalyzerManager(); err != nil {
@@ -91,7 +91,7 @@ type iacScanConfiguration struct {
 	SkippedDirs            []string `yaml:"skipped-folders"`
 }
 
-func (iac *IacScanManager) createConfigFile(module jfrogappsconfig.Module, exclusions ...string) error {
+func (iac *IacScanManager) createConfigFile(module jfrogappsconfig.Module, centralConfigExclusions []string, exclusions ...string) error {
 	roots, err := jas.GetSourceRoots(module, module.Scanners.Iac)
 	if err != nil {
 		return err
@@ -103,7 +103,7 @@ func (iac *IacScanManager) createConfigFile(module jfrogappsconfig.Module, exclu
 				Output:                 iac.resultsFileName,
 				PathToResultsToCompare: iac.resultsToCompareFileName,
 				Type:                   iacScannerType,
-				SkippedDirs:            jas.GetExcludePatterns(module, module.Scanners.Iac, exclusions...),
+				SkippedDirs:            jas.GetExcludePatterns(module, module.Scanners.Iac, centralConfigExclusions, exclusions...),
 			},
 		},
 	}

jas/iac/iacscanner_test.go

@@ -67,7 +67,7 @@ func TestIacScan_CreateConfigFile_VerifyFileWasCreated(t *testing.T) {
 
 	currWd, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)
-	err = iacScanManager.createConfigFile(jfrogappsconfig.Module{SourceRoot: currWd})
+	err = iacScanManager.createConfigFile(jfrogappsconfig.Module{SourceRoot: currWd}, []string{})
 
 	defer func() {
 		err = os.Remove(iacScanManager.configFileName)

jas/sast/sastscanner.go

@@ -69,7 +69,7 @@ func newSastScanManager(scanner *jas.JasScanner, scannerTempDir string, signedDe
 }
 
 func (ssm *SastScanManager) Run(module jfrogappsconfig.Module) (vulnerabilitiesSarifRuns []*sarif.Run, violationsSarifRuns []*sarif.Run, err error) {
-	if err = ssm.createConfigFile(module, ssm.signedDescriptions, append(ssm.scanner.Exclusions, ssm.scanner.ScannersExclusions.SastExcludePatterns...)...); err != nil {
+	if err = ssm.createConfigFile(module, ssm.signedDescriptions, ssm.scanner.ScannersExclusions.SastExcludePatterns, ssm.scanner.Exclusions...); err != nil {
 		return
 	}
 	if err = ssm.runAnalyzerManager(filepath.Dir(ssm.scanner.AnalyzerManager.AnalyzerManagerFullPath)); err != nil {
@@ -104,7 +104,7 @@ type sastParameters struct {
 	SignedDescriptions bool `yaml:"signed_descriptions,omitempty"`
 }
 
-func (ssm *SastScanManager) createConfigFile(module jfrogappsconfig.Module, signedDescriptions bool, exclusions ...string) error {
+func (ssm *SastScanManager) createConfigFile(module jfrogappsconfig.Module, signedDescriptions bool, centralConfigExclusions []string, exclusions ...string) error {
 	sastScanner := module.Scanners.Sast
 	if sastScanner == nil {
 		sastScanner = &jfrogappsconfig.SastScanner{}
@@ -125,7 +125,7 @@ func (ssm *SastScanManager) createConfigFile(module jfrogappsconfig.Module, sign
 				SastParameters: sastParameters{
 					SignedDescriptions: signedDescriptions,
 				},
-				ExcludePatterns: jas.GetExcludePatterns(module, &sastScanner.Scanner, exclusions...),
+				ExcludePatterns: jas.GetExcludePatterns(module, &sastScanner.Scanner, centralConfigExclusions, exclusions...),
 				UserRules:       ssm.sastRules,
 			},
 		},

jas/secrets/secretsscanner.go

@@ -75,7 +75,7 @@ func newSecretsScanManager(scanner *jas.JasScanner, scanType SecretsScanType, sc
 }
 
 func (ssm *SecretScanManager) Run(module jfrogappsconfig.Module) (vulnerabilitiesSarifRuns []*sarif.Run, violationsSarifRuns []*sarif.Run, err error) {
-	if err = ssm.createConfigFile(module, append(ssm.scanner.Exclusions, ssm.scanner.ScannersExclusions.SecretsExcludePatterns...)...); err != nil {
+	if err = ssm.createConfigFile(module, ssm.scanner.ScannersExclusions.SecretsExcludePatterns, ssm.scanner.Exclusions...); err != nil {
 		return
 	}
 	if err = ssm.runAnalyzerManager(); err != nil {
@@ -96,7 +96,7 @@ type secretsScanConfiguration struct {
 	SkippedDirs            []string `yaml:"skipped-folders"`
 }
 
-func (s *SecretScanManager) createConfigFile(module jfrogappsconfig.Module, exclusions ...string) error {
+func (s *SecretScanManager) createConfigFile(module jfrogappsconfig.Module, centralConfigExclusions []string, exclusions ...string) error {
 	roots, err := jas.GetSourceRoots(module, module.Scanners.Secrets)
 	if err != nil {
 		return err
@@ -108,7 +108,7 @@ func (s *SecretScanManager) createConfigFile(module jfrogappsconfig.Module, excl
 				Output:                 s.resultsFileName,
 				PathToResultsToCompare: s.resultsToCompareFileName,
 				Type:                   string(s.scanType),
-				SkippedDirs:            jas.GetExcludePatterns(module, module.Scanners.Secrets, exclusions...),
+				SkippedDirs:            jas.GetExcludePatterns(module, module.Scanners.Secrets, centralConfigExclusions, exclusions...),
 			},
 		},
 	}

jas/secrets/secretsscanner_test.go

@@ -62,7 +62,7 @@ func TestSecretsScan_CreateConfigFile_VerifyFileWasCreated(t *testing.T) {
 
 	currWd, err := coreutils.GetWorkingDirectory()
 	assert.NoError(t, err)
-	err = secretScanManager.createConfigFile(jfrogappsconfig.Module{SourceRoot: currWd})
+	err = secretScanManager.createConfigFile(jfrogappsconfig.Module{SourceRoot: currWd}, []string{})
 	assert.NoError(t, err)
 
 	defer func() {