Merge branch 'dev' into docker-curation-supprot

Author: basel1322

artifactory_test.go

@@ -119,7 +119,7 @@ func TestDependencyResolutionFromArtifactory(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.projectType.String(), func(t *testing.T) {
 			if testCase.skipMsg != "" {
-				securityTestUtils.SkipTestIfDurationNotPassed(t, "22-11-2025", 30, testCase.skipMsg)
+				securityTestUtils.SkipTestIfDurationNotPassed(t, "22-12-2025", 30, testCase.skipMsg)
 			}
 			testSingleTechDependencyResolution(t, testCase.testProjectPath, testCase.resolveRepoName, testCase.cacheRepoName, testCase.projectType)
 		})

cli/docs/flags.go

@@ -25,6 +25,7 @@ const (
 	GitCountContributors = "count-contributors"
 	Enrich               = "sbom-enrich"
 	UploadCdx            = "upload-cdx"
+	MaliciousScan        = "malicious-scan"
 
 	// TODO: Deprecated commands (remove at next CLI major version)
 	AuditMvn    = "audit-maven"
@@ -129,6 +130,7 @@ const (
 	ScanVuln            = scanPrefix + Vuln
 	SecretValidation    = "validate-secrets"
 	StaticSca           = "static-sca"
+	malProjectKey       = Project
 	scanProjectKey      = scanPrefix + Project
 	uploadProjectKey    = UploadCdx + "-" + Project
 
@@ -176,6 +178,9 @@ var commandFlags = map[string][]string{
 	Enrich: {
 		Url, XrayUrl, user, password, accessToken, ServerId, Threads, InsecureTls,
 	},
+	MaliciousScan: {
+		Url, XrayUrl, user, password, accessToken, ServerId, Threads, InsecureTls, OutputFormat, MinSeverity, AnalyzerManagerCustomPath, WorkingDirs, malProjectKey,
+	},
 	BuildScan: {
 		Url, XrayUrl, user, password, accessToken, ServerId, scanProjectKey, BuildVuln, OutputFormat, Fail, ExtendedTable, Rescan, InsecureTls, TriggerScanRetries,
 	},
@@ -237,11 +242,11 @@ var commandFlags = map[string][]string{
 var flagsMap = map[string]components.Flag{
 	// Common commands flags
 	ServerId:    components.NewStringFlag(ServerId, "Server ID configured using the config command."),
-	Url:         components.NewStringFlag(Url, "JFrog URL."),
-	XrayUrl:     components.NewStringFlag(XrayUrl, "JFrog Xray URL."),
-	user:        components.NewStringFlag(user, "JFrog username."),
-	password:    components.NewStringFlag(password, "JFrog password."),
-	accessToken: components.NewStringFlag(accessToken, "JFrog access token."),
+	Url:         components.NewStringFlag(Url, "Specifies the URL of the JFrog platform."),
+	XrayUrl:     components.NewStringFlag(XrayUrl, "Specifies the URL of your Xray server."),
+	user:        components.NewStringFlag(user, "Specifies the user name of your JFrog platform."),
+	password:    components.NewStringFlag(password, "Specifies the user password of your JFrog platform."),
+	accessToken: components.NewStringFlag(accessToken, "Specifies the access token of your JFrog platform."),
 	Threads:     components.NewStringFlag(Threads, "The number of parallel threads used to scan the source code project.", components.WithIntDefaultValue(cliutils.Threads)),
 	// Xray flags
 	LicenseId: components.NewStringFlag(LicenseId, "Xray license ID.", components.SetMandatory(), components.WithHelpValue("Xray license ID")),
@@ -257,6 +262,7 @@ var flagsMap = map[string]components.Flag{
 	scanRegexp:       components.NewBoolFlag(RegexpFlag, "Set to true to use a regular expression instead of wildcards expression to collect files to scan."),
 	scanAnt:          components.NewBoolFlag(AntFlag, "Set to true to use an ant pattern instead of wildcards expression to collect files to scan."),
 	scanProjectKey:   components.NewStringFlag(Project, "JFrog project key, to enable Xray to determine security violations accordingly. The command accepts this option only if the --repo-path and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities."),
+	malProjectKey:    components.NewStringFlag(Project, "JFrog project key"),
 	uploadProjectKey: components.NewStringFlag(Project, "JFrog project key to upload the file to."),
 	Watches:          components.NewStringFlag(Watches, "Comma-separated list of Xray watches to determine violations. Supported violations are CVEs, operational risk, and Licenses. Incompatible with --project and --repo-path."),
 	RepoPath:         components.NewStringFlag(RepoPath, "Artifactory repository path, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities."),

cli/docs/maliciousscan/help.go

@@ -0,0 +1,13 @@
+package maliciousscan
+
+import (
+	"github.com/jfrog/jfrog-cli-core/v2/plugins/components"
+)
+
+func GetDescription() string {
+	return "[Beta] Scan malicious models (pickle files, etc.) located in the working directory."
+}
+
+func GetArguments() []components.Argument {
+	return []components.Argument{}
+}

cli/scancommands.go

@@ -21,6 +21,7 @@ import (
 	flags "github.com/jfrog/jfrog-cli-security/cli/docs"
 	auditSpecificDocs "github.com/jfrog/jfrog-cli-security/cli/docs/auditspecific"
 	enrichDocs "github.com/jfrog/jfrog-cli-security/cli/docs/enrich"
+	maliciousScanDocs "github.com/jfrog/jfrog-cli-security/cli/docs/maliciousscan"
 	mcpDocs "github.com/jfrog/jfrog-cli-security/cli/docs/mcp"
 	auditDocs "github.com/jfrog/jfrog-cli-security/cli/docs/scan/audit"
 	buildScanDocs "github.com/jfrog/jfrog-cli-security/cli/docs/scan/buildscan"
@@ -40,6 +41,7 @@ import (
 
 	"github.com/jfrog/jfrog-cli-security/commands/audit"
 	"github.com/jfrog/jfrog-cli-security/commands/curation"
+	"github.com/jfrog/jfrog-cli-security/commands/maliciousscan"
 	"github.com/jfrog/jfrog-cli-security/commands/scan"
 	"github.com/jfrog/jfrog-cli-security/commands/upload"
 
@@ -72,6 +74,15 @@ func getAuditAndScansCommands() []components.Command {
 			Category:    securityCategory,
 			Action:      EnrichCmd,
 		},
+		{
+			Name:        "malicious-scan",
+			Aliases:     []string{"ms"},
+			Flags:       flags.GetCommandFlags(flags.MaliciousScan),
+			Description: maliciousScanDocs.GetDescription(),
+			Arguments:   maliciousScanDocs.GetArguments(),
+			Category:    securityCategory,
+			Action:      MaliciousScanCmd,
+		},
 		{
 			Name:        "build-scan",
 			Aliases:     []string{"bs"},
@@ -230,6 +241,43 @@ func EnrichCmd(c *components.Context) error {
 	return commandsCommon.Exec(EnrichCmd)
 }
 
+func MaliciousScanCmd(c *components.Context) error {
+	serverDetails, err := CreateServerDetailsFromFlags(c)
+	if err != nil {
+		return err
+	}
+	if err = validateConnectionInputs(serverDetails); err != nil {
+		return err
+	}
+	format, err := outputFormat.GetOutputFormat(c.GetStringFlagValue(flags.OutputFormat))
+	if err != nil {
+		return err
+	}
+	threads, err := pluginsCommon.GetThreadsCount(c)
+	if err != nil {
+		return err
+	}
+	minSeverity, err := getMinimumSeverity(c)
+	if err != nil {
+		return err
+	}
+	workingDirs := []string{}
+	if c.GetStringFlagValue(flags.WorkingDirs) != "" {
+		workingDirs = splitByCommaAndTrim(c.GetStringFlagValue(flags.WorkingDirs))
+	}
+	maliciousScanCmd := maliciousscan.NewMaliciousScanCommand().
+		SetServerDetails(serverDetails).
+		SetWorkingDirs(workingDirs).
+		SetThreads(threads).
+		SetOutputFormat(format).
+		SetMinSeverityFilter(minSeverity).
+		SetProject(getProject(c))
+	if c.IsFlagSet(flags.AnalyzerManagerCustomPath) {
+		maliciousScanCmd.SetCustomAnalyzerManagerPath(c.GetStringFlagValue(flags.AnalyzerManagerCustomPath))
+	}
+	return commandsCommon.Exec(maliciousScanCmd)
+}
+
 func ScanCmd(c *components.Context) error {
 	if len(c.Arguments) == 0 && !c.IsFlagSet(flags.SpecFlag) {
 		return pluginsCommon.PrintHelpAndReturnError("providing either a <source pattern> argument or the 'spec' option is mandatory", c)

commands/audit/audit_test.go

@@ -261,7 +261,6 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 					},
 				}},
-				IsDefault: false,
 			},
 			expectedScaIssues: 15,
 		},
@@ -293,7 +292,6 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 					},
 				}},
-				IsDefault: false,
 			},
 			expectedScaIssues: 0,
 		},
@@ -324,7 +322,6 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 					},
 				}},
-				IsDefault: false,
 			},
 			expectedCaNotCovered: 15,
 		},
@@ -356,7 +353,6 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 					},
 				}},
-				IsDefault: false,
 			},
 			expectedSecretsIssues: 16,
 		},
@@ -381,14 +377,13 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 						SecretsScannerConfig: services.SecretsScannerConfig{
 							EnableSecretsScan: true,
-							ExcludePatterns:   []string{"*api_secrets*"},
+							ExcludePatterns:   []string{"**/*api_secrets*/**"},
 						},
 						IacScannerConfig: services.IacScannerConfig{
 							EnableIacScan: false,
 						},
 					},
 				}},
-				IsDefault: false,
 			},
 			expectedSecretsIssues: 7,
 		},
@@ -419,7 +414,6 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 					},
 				}},
-				IsDefault: false,
 			},
 			expectedSastIssues: 4,
 		},
@@ -441,7 +435,7 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 						SastScannerConfig: services.SastScannerConfig{
 							EnableSastScan:  true,
-							ExcludePatterns: []string{"*flask_webgoat*"},
+							ExcludePatterns: []string{"**/*flask_webgoat*/**"},
 						},
 						SecretsScannerConfig: services.SecretsScannerConfig{
 							EnableSecretsScan: false,
@@ -451,15 +445,14 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 					},
 				}},
-				IsDefault: false,
 			},
 			expectedSastIssues: 0,
 		},
 		{
 			name:        "Enable only IaC scanner",
 			testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
 			configProfile: services.ConfigProfile{
-				ProfileName: "only-sast",
+				ProfileName: "only-iac",
 				Modules: []services.Module{{
 					ModuleId:     1,
 					ModuleName:   "only-iac-module",
@@ -482,7 +475,6 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 					},
 				}},
-				IsDefault: false,
 			},
 			expectedIacIssues: 9,
 		},
@@ -510,11 +502,10 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 						IacScannerConfig: services.IacScannerConfig{
 							EnableIacScan:   true,
-							ExcludePatterns: []string{"*iac/gcp*"},
+							ExcludePatterns: []string{"**/*iac/gcp*/**"},
 						},
 					},
 				}},
-				IsDefault: false,
 			},
 			expectedIacIssues: 0,
 		},
@@ -545,7 +536,6 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 					},
 				}},
-				IsDefault: false,
 			},
 			expectedSastIssues:    4,
 			expectedSecretsIssues: 16,
@@ -570,18 +560,17 @@ func TestAuditWithConfigProfile(t *testing.T) {
 						},
 						SastScannerConfig: services.SastScannerConfig{
 							EnableSastScan:  true,
-							ExcludePatterns: []string{"*flask_webgoat*"},
+							ExcludePatterns: []string{"**/*flask_webgoat*/**"},
 						},
 						SecretsScannerConfig: services.SecretsScannerConfig{
 							EnableSecretsScan: true,
-							ExcludePatterns:   []string{"*api_secrets*"},
+							ExcludePatterns:   []string{"**/*api_secrets*/**"},
 						},
 						IacScannerConfig: services.IacScannerConfig{
 							EnableIacScan: true,
 						},
 					},
 				}},
-				IsDefault: false,
 			},
 			expectedSastIssues:    0,
 			expectedSecretsIssues: 7,