219 commits
cfad408
Move Sca buildinfo logic to technologies package
attiasas Jun 3, 2025
00bcad9
fix breaking changes
attiasas Jun 3, 2025
7c94bc1
Start removing AuditParams from BomGeneration
attiasas Jun 3, 2025
67214e4
Start moving bom logic to buildinfobom file
attiasas Jun 3, 2025
cd62d2c
clean after logic move
attiasas Jun 3, 2025
88c6409
Move test to right place
attiasas Jun 3, 2025
f6335ce
Replace AuditParams with BuildInfoBomGeneratorParams
attiasas Jun 3, 2025
942f2f7
fix breaking changes
attiasas Jun 4, 2025
f7365b9
add jfrog-ignore
attiasas Jun 4, 2025
9a0c26a
fix static tests
attiasas Jun 4, 2025
cf860e9
clean
attiasas Jun 4, 2025
69284a5
fix tests
attiasas Jun 4, 2025
9940c37
fix more path broken tests
attiasas Jun 4, 2025
7404da9
fix last failing tests
attiasas Jun 4, 2025
2f2f8b9
Merge remote-tracking branch 'upstream/dev' into move_buildinfo_sca
attiasas Jun 12, 2025
0cd72bb
remove old Sbom struct in results
attiasas Jun 12, 2025
129c63e
remove unused JasPackageScanType attributes and vals
attiasas Jun 12, 2025
57bef1c
remove old struct and replace with cyclonedx lib, comment all related…
attiasas Jun 12, 2025
b1bdb36
Merge remote-tracking branch 'upstream/dev' into sbom_with_cdx
attiasas Jun 12, 2025
3b929ba
add new empty methods, adjust tests to them
attiasas Jun 12, 2025
7348b4c
Add PackageUrl lib and techutils for cdx conversion
attiasas Jun 12, 2025
3b6f617
fix purl tests
attiasas Jun 12, 2025
c0fc6b1
Add diff calculation with cdx and fix related tests
attiasas Jun 12, 2025
150a976
Implement Tree to Cdx for source and binary with tests
attiasas Jun 15, 2025
6177413
add cdx utils
attiasas Jun 15, 2025
f2e62fc
rename for-each method for looping results
attiasas Jun 15, 2025
4e34736
rename handlers and add for-each sbom component
attiasas Jun 15, 2025
3317abf
use for-each sbom component in table format and implement the method
attiasas Jun 15, 2025
e3125b8
implement cdx utils for for-each sbom component
attiasas Jun 15, 2025
7412c05
add tests for cdx utils
attiasas Jun 15, 2025
bbe919c
parse sbom table rows
attiasas Jun 15, 2025
ab37b52
clean
attiasas Jun 15, 2025
af33dec
fix go.mod
attiasas Jun 15, 2025
0ee7248
fix static tests
attiasas Jun 15, 2025
c0a787c
fix static tests
attiasas Jun 15, 2025
b802ad7
Add SbomGenerator interface
attiasas Jun 15, 2025
3d1d145
add params to PrepareGenerator and implement the interface as BuildIn…
attiasas Jun 15, 2025
77661a2
get dynamic logic from CLI input to params. move params conversion as…
attiasas Jun 15, 2025
18fd51a
prepare BOM generator in audit
attiasas Jun 15, 2025
5ada683
Merge remote-tracking branch 'upstream/dev' into sbom_with_cdx
attiasas Jun 16, 2025
e087423
Merge remote-tracking branch 'origin/sbom_with_cdx' into sbom_generat…
attiasas Jun 16, 2025
19712b8
add option to dump cdx content to file
attiasas Jun 16, 2025
cbfd55d
move appsConfigModule to be attribute of target and infer multiModule…
attiasas Jun 16, 2025
3757ea1
Encapsulate logic in parallel runner
attiasas Jun 16, 2025
217b402
Add Bom to Tree conversion for dependencies
attiasas Jun 16, 2025
8f1d07d
add cdx utils
attiasas Jun 16, 2025
84c8f72
create Sbom Gen unified func to use with the interface
attiasas Jun 16, 2025
6687dd5
implement Sbom Gen interface for build-info (install) the current def…
attiasas Jun 16, 2025
0884354
separate bom-gen stage from sca-scan stage and use SBOM for deps
attiasas Jun 16, 2025
7718534
fix static tests
attiasas Jun 16, 2025
f98d988
fix tests
attiasas Jun 16, 2025
5ba9daf
add new tests for cdx utils
attiasas Jun 16, 2025
4aaf70c
add new tests for common
attiasas Jun 17, 2025
b2dbfe0
fix tests
attiasas Jun 17, 2025
e87ab43
fix more tests
attiasas Jun 17, 2025
048fa68
fix more tests
attiasas Jun 17, 2025
cda5d05
Sbom Scan Strategy
attiasas Jun 17, 2025
afc6264
update interface
attiasas Jun 17, 2025
5b7dda5
remove thread id in scan res count log and add to log in dump methods
attiasas Jun 18, 2025
e113bea
log bom component count from buildinfo if uniqueDepsWithType
attiasas Jun 18, 2025
d1ba913
done implementing usage of SbomScanStrategy interface
attiasas Jun 18, 2025
35fd958
create empty implementation of the interface for scan graph
attiasas Jun 18, 2025
6e96073
integrate the interface to audit logic
attiasas Jun 18, 2025
3d09d61
implement diff with interfaces and cdx
attiasas Jun 18, 2025
a477133
implement scan graph interface for source code
attiasas Jun 19, 2025
4458958
add direct dep and cve extraction for CA in Audit
attiasas Jun 19, 2025
e58c64b
CR changes
attiasas Jun 19, 2025
d70d01c
Merge remote-tracking branch 'origin/sbom_with_cdx' into sbom_generat…
attiasas Jun 19, 2025
5b03d22
Merge remote-tracking branch 'upstream/dev' into sbom_generator_inter…
attiasas Jun 19, 2025
cd7826a
add default values to Purl ref or xrayCompId if not provided
attiasas Jun 21, 2025
369cab0
add clean-up to bom gen interface
attiasas Jun 21, 2025
9843c20
log fix and pass Scan type
attiasas Jun 21, 2025
316d434
move location of downloadindexer logic
attiasas Jun 21, 2025
3a4d738
detect component relation in SBOM make sure if component exists but n…
attiasas Jun 21, 2025
60eb1d8
add bom to binary component tree conversion
attiasas Jun 21, 2025
56aa3bb
implement BomGenerator for indexer
attiasas Jun 21, 2025
5b1ed4a
integrate BomGenerator in binary scan
attiasas Jun 21, 2025
114b86e
handle cleanup error in scan cmd
attiasas Jun 21, 2025
87d7407
fix flaky test
attiasas Jun 21, 2025
f07adee
remove new flow from sca until docker is supported
attiasas Jun 21, 2025
4cd5f88
Merge remote-tracking branch 'origin/sbom_generator_interface' into s…
attiasas Jun 21, 2025
d88585d
add log for windows test
attiasas Jun 22, 2025
7487d4b
remove log for windows test
attiasas Jun 22, 2025
4813938
try get relative with filepath to fix tests
attiasas Jun 22, 2025
4569e46
change log to debug
attiasas Jun 22, 2025
b6197cb
renames
attiasas Jun 22, 2025
cdb5147
remove old scarunner code and move its tests to the right place
attiasas Jun 22, 2025
d63ffea
log better when no bom detected in buildinfo
attiasas Jun 22, 2025
d44f399
add scan strategy to scan and refactor JAS scan type detection
attiasas Jun 22, 2025
a072edd
inject strategy to all places and tests
attiasas Jun 22, 2025
2f6cb57
try fix tests
attiasas Jun 22, 2025
fa20021
try to fix tests
attiasas Jun 22, 2025
c342b3f
fix tests
attiasas Jun 22, 2025
a5570d8
add todo for binary scan when interface will be used
attiasas Jun 22, 2025
7a9726e
add new flow only cdx with empty func
attiasas Jun 22, 2025
9533cdf
add to convertor new flow with empty impl
attiasas Jun 22, 2025
481e555
fix tests
attiasas Jun 22, 2025
a3eadd3
change common parsing interface to parse Id and not split attributes
attiasas Jun 22, 2025
dc34887
move xray tool name to utils
attiasas Jun 22, 2025
bc4337f
add severity utils for cdx
attiasas Jun 22, 2025
e8c00ae
add cdx utils to convert scan response to enriched cdx
attiasas Jun 22, 2025
0bef163
implement ScanResponseToSbom
attiasas Jun 22, 2025
d1a29ee
add conversion with new interface method
attiasas Jun 22, 2025
abf0e21
implement parsing from new flow in simple-json
attiasas Jun 22, 2025
c3fbbb6
return package type if unknown
attiasas Jun 22, 2025
810d75b
implement parsing from new flow in table
attiasas Jun 22, 2025
182fcf2
get cve for CA in new flow
attiasas Jun 22, 2025
34b2046
implement parsing license in simple-json
attiasas Jun 22, 2025
028fcd6
implement parsing violations in simple-json
attiasas Jun 22, 2025
7585088
fix Search to return mutable reference
attiasas Jun 22, 2025
840abc1
pass include license in audit
attiasas Jun 22, 2025
655e31e
clean
attiasas Jun 22, 2025
3b0b89c
implement parsing cdx in summary
attiasas Jun 22, 2025
f0b3e9a
implement parsing cdx in sarif
attiasas Jun 22, 2025
d2d0fb9
flx spell
attiasas Jun 22, 2025
c819940
CR changes
attiasas Jun 22, 2025
69f5c4d
fix tests
attiasas Jun 22, 2025
976962f
Merge remote-tracking branch 'origin/sbom_generator_interface' into s…
attiasas Jun 22, 2025
258fb36
start fixing tests
attiasas Jun 22, 2025
634105d
Add CycloneDx Output Format for command results
attiasas Jun 22, 2025
9a17d00
fix output file names on windows
attiasas Jun 22, 2025
d4a0bc6
fix rating search and some tests
attiasas Jun 23, 2025
12c538d
fix bom to flat test
attiasas Jun 23, 2025
3f23bbe
fix tests
attiasas Jun 23, 2025
75cc7fd
CR changes
attiasas Jun 23, 2025
1c9a6dc
Merge remote-tracking branch 'upstream/dev' into sbom_generator_inter…
attiasas Jun 23, 2025
32b257e
Merge remote-tracking branch 'origin/sbom_generator_interface' into s…
attiasas Jun 23, 2025
a8bb905
Merge remote-tracking branch 'origin/sca_scan_interface' into cyclone…
attiasas Jun 23, 2025
ec0d05a
Add empty CycloneDx parser
attiasas Jun 23, 2025
b84fea5
save raw result and output results to output and only print raw to lo…
attiasas Jun 23, 2025
b2cfa47
add cdx format to result writer
attiasas Jun 23, 2025
f220b35
extract direct or indirect cve from cdx
attiasas Jun 23, 2025
952a3a7
add logs for debug ubuntu test
attiasas Jun 23, 2025
8f91ca7
Merge remote-tracking branch 'origin/sca_scan_interface' into cyclone…
attiasas Jun 23, 2025
b3a7adf
Implement cdx parser RESET
attiasas Jun 23, 2025
68db249
parse targets to metadata
attiasas Jun 23, 2025
7e55927
move sarif property parsing to sarifutils
attiasas Jun 23, 2025
bb320a5
add iac parsing
attiasas Jun 23, 2025
fd297ce
parse Sbom unrelated to SCA, update flags
attiasas Jun 23, 2025
fc1d48f
add Sbom parsing
attiasas Jun 23, 2025
6db2797
add sast parsing
attiasas Jun 23, 2025
0bb04c6
Merge remote-tracking branch 'upstream/dev' into sca_scan_interface
attiasas Jun 23, 2025
83f0389
fix static
attiasas Jun 23, 2025
136a4f1
fix exclude logic, add tests
attiasas Jun 23, 2025
6cd0d37
new flow only if not scan graph
attiasas Jun 23, 2025
ae4851a
fix new flow bug
attiasas Jun 23, 2025
c8ff4f2
fix bug - inject indexer if conditional upload
attiasas Jun 23, 2025
4a4c215
try to fix win tests
attiasas Jun 23, 2025
fb76b4f
parse bom metadata
attiasas Jun 24, 2025
de2f0ea
Merge remote-tracking branch 'origin/sca_scan_interface' into cyclone…
attiasas Jun 24, 2025
beb001f
format and update dep
attiasas Jun 24, 2025
deb3736
violations not supported
attiasas Jun 24, 2025
8a334c0
add secrets parsing
attiasas Jun 24, 2025
9325c3b
parse new flow CVE and CA
attiasas Jun 24, 2025
1e5f663
parse old flow CVE and CA
attiasas Jun 24, 2025
d05d9c9
parse old flow license
attiasas Jun 24, 2025
55ba468
fix relative and target path handling to show relative in all places …
attiasas Jun 24, 2025
441e8be
refactor to utils
attiasas Jun 24, 2025
12ebce7
add options to New func
attiasas Jun 24, 2025
3adbe28
Merge remote-tracking branch 'upstream/dev' into sca_scan_interface
attiasas Jun 25, 2025
8f68c01
fix option handling in interfaces
attiasas Jun 25, 2025
2d49b4e
add descriptors param to build info
attiasas Jun 25, 2025
1658968
update has findings in sca results
attiasas Jun 25, 2025
d5c80af
fix static
attiasas Jun 25, 2025
c5ae213
fix relative and path handling in commands
attiasas Jun 25, 2025
a79cc7d
Merge remote-tracking branch 'origin/sca_scan_interface' into cyclone…
attiasas Jun 25, 2025
b1c45af
dont scan if nothing to scan
attiasas Jun 25, 2025
0ac1d1e
add cdx validations
attiasas Jun 25, 2025
baa6b2d
add integration tests for cdx
attiasas Jun 25, 2025
a564261
format
attiasas Jun 25, 2025
bd3476d
fix test to binary
attiasas Jun 25, 2025
168cc15
Merge remote-tracking branch 'upstream/dev' into sca_scan_interface
attiasas Jun 25, 2025
2704cfb
Merge remote-tracking branch 'origin/sca_scan_interface' into cyclone…
attiasas Jun 25, 2025
14bf41a
make sure no SCA if no components or deps
attiasas Jun 25, 2025
f192a36
format
attiasas Jun 25, 2025
ec2613c
Merge remote-tracking branch 'origin/sca_scan_interface' into cyclone…
attiasas Jun 25, 2025
a735af3
fix static
attiasas Jun 26, 2025
3dad354
CR review
attiasas Jun 26, 2025
8170daa
Merge remote-tracking branch 'origin/sca_scan_interface' into cyclone…
attiasas Jun 26, 2025
91f1380
fix break after merge
attiasas Jun 26, 2025
91a23d8
Add Enrich BOM SCA Scan Strategy
attiasas Jun 26, 2025
897165c
create empty interface impl
attiasas Jun 27, 2025
1af0012
Implement enrich strategy and use in audit
attiasas Jun 28, 2025
cbfae0a
update deps
attiasas Jun 28, 2025
326d477
fix tests
attiasas Jun 28, 2025
aee13ef
fix tests
attiasas Jun 28, 2025
685a92b
sort affects to eliminate flaky test
attiasas Jun 28, 2025
122bafc
Merge remote-tracking branch 'origin/cyclonedx_output_format' into en…
attiasas Jun 28, 2025
c1450c3
CR changes
attiasas Jun 29, 2025
8f54a06
Merge remote-tracking branch 'upstream/dev' into sca_scan_interface
attiasas Jun 29, 2025
55574cb
Merge remote-tracking branch 'origin/sca_scan_interface' into cyclone…
attiasas Jun 29, 2025
b6f2457
fix flaky tests
attiasas Jun 29, 2025
e5579ee
Merge remote-tracking branch 'upstream/dev' into sca_scan_interface
attiasas Jun 29, 2025
f937ef7
Merge remote-tracking branch 'origin/sca_scan_interface' into cyclone…
attiasas Jun 29, 2025
7d5392d
Merge remote-tracking branch 'origin/cyclonedx_output_format' into en…
attiasas Jun 29, 2025
51436f1
Merge remote-tracking branch 'upstream/dev' into cyclonedx_output_format
attiasas Jun 30, 2025
425fc80
Merge remote-tracking branch 'upstream/dev' into cyclonedx_output_format
attiasas Jun 30, 2025
920aa8b
Merge remote-tracking branch 'upstream/dev' into enrich_sbom_strategy
attiasas Jun 30, 2025
1d94ecd
CR changes
attiasas Jul 1, 2025
6561af5
Merge remote-tracking branch 'upstream/dev' into cyclonedx_output_format
attiasas Jul 1, 2025
47a5448
Merge remote-tracking branch 'origin/cyclonedx_output_format' into en…
attiasas Jul 1, 2025
cca9dc1
fix tests
attiasas Jul 1, 2025
272ef67
fix some tests
attiasas Jul 1, 2025
16cf0b4
Merge remote-tracking branch 'upstream/dev' into cyclonedx_output_format
attiasas Jul 1, 2025
b39b9c4
try to fix tests
attiasas Jul 1, 2025
c1f69e5
fix flaky old tests
attiasas Jul 1, 2025
7417c16
try to fix scans_test tests in windows
attiasas Jul 1, 2025
9a80f34
try to fix TestConvertResults
attiasas Jul 1, 2025
3cc8b05
try to fix TestPatchRunsToPassIngestionRules
attiasas Jul 1, 2025
7a8b4a1
Merge remote-tracking branch 'upstream/dev' into cyclonedx_output_format
attiasas Jul 2, 2025
9f59b53
Merge remote-tracking branch 'origin/cyclonedx_output_format' into en…
attiasas Jul 2, 2025
11f35ba
fix after merge
attiasas Jul 2, 2025
a1d07cb
fix static
attiasas Jul 2, 2025
f2eee54
Merge remote-tracking branch 'origin/cyclonedx_output_format' into en…
attiasas Jul 2, 2025
3f8d4c5
Merge remote-tracking branch 'upstream/dev' into enrich_sbom_strategy
attiasas Jul 2, 2025
89517f7
fix after merge
attiasas Jul 2, 2025
331378a
remove changes after merge
attiasas Jul 2, 2025
abe9323
add comment to strategy
attiasas Jul 3, 2025
dc3e1ae
Update deps
attiasas Jul 7, 2025
10 changes: 8 additions & 2 deletions cli/utils.go
Expand Up @@ -18,6 +18,7 @@ import (
"github.com/jfrog/jfrog-cli-security/sca/bom"
"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo"
"github.com/jfrog/jfrog-cli-security/sca/scan"
"github.com/jfrog/jfrog-cli-security/sca/scan/enrich"
"github.com/jfrog/jfrog-cli-security/sca/scan/scangraph"

flags "github.com/jfrog/jfrog-cli-security/cli/docs"
Expand Down Expand Up @@ -106,6 +107,11 @@ func splitByCommaAndTrim(paramValue string) (res []string) {
return
}

func getScanDynamicLogic(_ *components.Context) (bom.SbomGenerator, scan.SbomScanStrategy) {
return buildinfo.NewBuildInfoBomGenerator(), scangraph.NewScanGraphStrategy()
func getScanDynamicLogic(c *components.Context) (bom.SbomGenerator, scan.SbomScanStrategy) {
var bomGenerator bom.SbomGenerator = buildinfo.NewBuildInfoBomGenerator()
var scanStrategy scan.SbomScanStrategy = scangraph.NewScanGraphStrategy()
if c.GetBoolFlagValue("new-sca") {
scanStrategy = enrich.NewEnrichScanStrategy()
}
return bomGenerator, scanStrategy
}
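Review bot: `getScanDynamicLogic` now branches on the `new-sca` flag but has no doc comment saying what each branch selects, and the flag is read as a bare string literal. Add `// getScanDynamicLogic picks the BOM generator and the SCA scan strategy for the command: the build-info generator always, and the Catalog enrich strategy instead of Xray scan-graph when the new-sca flag is set.` above the function, and read the flag through the constant the `flags` docs package presumably defines for it rather than the literal — confirm such a constant exists. `bomGenerator` is never reassigned, so `bomGenerator := buildinfo.NewBuildInfoBomGenerator()` is enough; only `scanStrategy` needs the explicit interface type because it is overwritten in the `if`.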
43 changes: 34 additions & 9 deletions commands/audit/audit.go
Expand Up @@ -22,6 +22,7 @@ import (
"github.com/jfrog/jfrog-cli-security/utils/results/output"
"github.com/jfrog/jfrog-cli-security/utils/techutils"

"github.com/jfrog/jfrog-cli-security/sca/scan/enrich"
scanGraphStrategy "github.com/jfrog/jfrog-cli-security/sca/scan/scangraph"
"github.com/jfrog/jfrog-cli-security/utils/xsc"
"golang.org/x/exp/slices"
Expand Down Expand Up @@ -261,26 +262,50 @@ func prepareToScan(params *AuditParams) (cmdResults *results.SecurityCommandResu
if cmdResults = initAuditCmdResults(params); cmdResults.GeneralError != nil {
return
}
// Initialize the BOM generator
buildParams, err := params.ToBuildInfoBomGenParams()
bomGenOptions, scanOptions, err := getScanLogicOptions(params)
if err != nil {
return results.NewCommandResults(utils.SourceCode).AddGeneralError(fmt.Errorf("failed to create build info params: %s", err.Error()), false)
return cmdResults.AddGeneralError(fmt.Errorf("failed to get scan logic options: %s", err.Error()), false)
}
if err = params.bomGenerator.WithOptions(buildinfo.WithParams(buildParams)).PrepareGenerator(); err != nil {
// Initialize the BOM generator
if err = params.bomGenerator.WithOptions(bomGenOptions...).PrepareGenerator(); err != nil {
return cmdResults.AddGeneralError(fmt.Errorf("failed to prepare the BOM generator: %s", err.Error()), false)
}
// Initialize the SCA scan strategy
scanGraphParams, err := params.ToXrayScanGraphParams()
if err != nil {
return cmdResults.AddGeneralError(fmt.Errorf("failed to create scan graph params: %s", err.Error()), false)
}
if err = params.scaScanStrategy.WithOptions(scanGraphStrategy.WithParams(scanGraphParams)).PrepareStrategy(); err != nil {
if err = params.scaScanStrategy.WithOptions(scanOptions...).PrepareStrategy(); err != nil {
return cmdResults.AddGeneralError(fmt.Errorf("failed to prepare the SCA scan strategy: %s", err.Error()), false)
}
populateScanTargets(cmdResults, params)
return
}

func getScanLogicOptions(params *AuditParams) (bomGenOptions []bom.SbomGeneratorOption, scanOptions []scan.SbomScanOption, err error) {
// Bom Generators Options
buildParams, err := params.ToBuildInfoBomGenParams()
if err != nil {
return nil, nil, fmt.Errorf("failed to create build info params: %w", err)
}
bomGenOptions = []bom.SbomGeneratorOption{
// Build Info Bom Generator Options
buildinfo.WithParams(buildParams),
}
// Scan Strategies Options
scanGraphParams, err := params.ToXrayScanGraphParams()
if err != nil {
return nil, nil, fmt.Errorf("failed to create scan graph params: %w", err)
}
serverDetails, err := params.ServerDetails()
if err != nil {
return nil, nil, fmt.Errorf("failed to get server details: %w", err)
}
scanOptions = []scan.SbomScanOption{
// Xray Scan Graph Strategy Options
scanGraphStrategy.WithParams(scanGraphParams),
// Catalog Enrich Strategy Options
enrich.WithParams(serverDetails, params.resultsContext.ProjectKey),
}
return bomGenOptions, scanOptions, nil
}

func initAuditCmdResults(params *AuditParams) (cmdResults *results.SecurityCommandResults) {
cmdResults = results.NewCommandResults(utils.SourceCode)
// Initialize general information
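Review bot: The new wrap `return cmdResults.AddGeneralError(fmt.Errorf("failed to get scan logic options: %s", err.Error()), false)` flattens the error with `%s` while the helper it calls wraps with `%w`, so the cause chain built in `getScanLogicOptions` stops here and `errors.Is`/`errors.As` cannot reach it; use `fmt.Errorf("failed to get scan logic options: %w", err)`. `getScanLogicOptions` also needs a doc comment explaining that it returns options for every known generator and strategy and relies on each `WithParams` being a no-op on the other implementations, e.g. `// getScanLogicOptions builds the option sets for all supported BOM generators and SCA scan strategies; each option applies only to its own implementation, so the unused ones are harmless.` Note that `params.ServerDetails()` is now resolved and must succeed even when the scan-graph strategy is the one selected; if it can fail in a configuration that previously worked, resolve it only when the enrich strategy is in use. `prepareToScan` starts before the hunk.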
2 changes: 1 addition & 1 deletion commands/upload/uploadcdx_test.go
Expand Up @@ -24,7 +24,7 @@ func TestValidateInputFile(t *testing.T) {
assert.NoError(t, utils.SaveCdxContentToFile(validCdxFilePath, cdx))
// create a file with not valid extension
noCdxExtensionFile := filepath.Join(tempDirPath, "invalid_results.json")
assert.NoError(t, utils.DumpContentToFile([]byte("This is not a valid CycloneDX file."), tempDirPath, "invalid_results", "", -1))
assert.NoError(t, utils.DumpContentToFile([]byte("This is not a valid CycloneDX file."), tempDirPath, "invalid_results", ".json", -1))

tests := []struct {
name string
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -115,9 +115,9 @@ require (
gopkg.in/warnings.v0 v0.1.2 // indirect
)

replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20250629142537-bb24db402fe1
replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20250707095624-7062538a0961

replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20250702103155-efd0c6adf4f5
replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20250707105555-807262eb0f88

replace github.com/jfrog/jfrog-cli-artifactory => github.com/jfrog/jfrog-cli-artifactory v0.3.3-0.20250623095509-b3fe2c4681ad

8 changes: 4 additions & 4 deletions go.sum
Expand Up @@ -126,10 +126,10 @@ github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYL
github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
github.com/jfrog/jfrog-cli-artifactory v0.3.3-0.20250623095509-b3fe2c4681ad h1:cnbcCK0VTHdLdmmv/9fYTRjuR1ewrYBW/S87pVE+d+s=
github.com/jfrog/jfrog-cli-artifactory v0.3.3-0.20250623095509-b3fe2c4681ad/go.mod h1:hnXaevmDyQpyhpH5kwDufIjUUXXuKs54i+AX2CEywKE=
github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20250702103155-efd0c6adf4f5 h1:+tbqR721+c91RrwcQkvye9RkvbDfH3W1LDU5juo0sNw=
github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20250702103155-efd0c6adf4f5/go.mod h1:BkDHfCVecjcRNC+aqmHtTrKe+/K8MyjzmHYe5rER5Yg=
github.com/jfrog/jfrog-client-go v1.28.1-0.20250629142537-bb24db402fe1 h1:0t6dQHoalUDNVrfZujD3iCmDGLDl+ndHclFkmONSpq0=
github.com/jfrog/jfrog-client-go v1.28.1-0.20250629142537-bb24db402fe1/go.mod h1:1v0eih4thdPA4clBo9TuvAMT25sGDr1IQJ81DXQ/lBY=
github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20250707105555-807262eb0f88 h1:OAhG6yUBIEKYW66Oe++8S8K6wsOgHhyr0/SEUkkF6oQ=
github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20250707105555-807262eb0f88/go.mod h1:wzsMWhIJJgaZMi4CJk1uE7cZqw9AMI/ijw2Bb8UQjF0=
github.com/jfrog/jfrog-client-go v1.28.1-0.20250707095624-7062538a0961 h1:JI3qV665s4RlvQ3K4t7yXJ8hqvfFF4TVRwmaOF4zCls=
github.com/jfrog/jfrog-client-go v1.28.1-0.20250707095624-7062538a0961/go.mod h1:1v0eih4thdPA4clBo9TuvAMT25sGDr1IQJ81DXQ/lBY=
github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=
github.com/k0kubun/pp v3.0.1+incompatible/go.mod h1:GWse8YhT0p8pT4ir3ZgBbfZild3tgzSScAn6HmfYukg=
github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
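--- a/sca/scan/enrich/runner.go
+++ b/sca/scan/enrich/runner.go
@@ -0,0 +1,66 @@
+package enrich
+
+import (
+"errors"
+"fmt"
+
+"github.com/CycloneDX/cyclonedx-go"
+
+"github.com/jfrog/jfrog-cli-core/v2/utils/config"
+"github.com/jfrog/jfrog-client-go/utils/log"
+"github.com/jfrog/jfrog-client-go/xray/services"
+
+"github.com/jfrog/jfrog-cli-security/sca/scan"
+"github.com/jfrog/jfrog-cli-security/utils/catalog"
+)
+
+type EnrichScanStrategy struct {
+serverDetails *config.ServerDetails
+projectKey string
+}
+
+func NewEnrichScanStrategy() *EnrichScanStrategy {
+return &EnrichScanStrategy{}
+}
+
+func WithParams(serverDetails *config.ServerDetails, projectKey string) scan.SbomScanOption {
+return func(sss scan.SbomScanStrategy) {
+if ess, ok := sss.(*EnrichScanStrategy); ok {
+ess.serverDetails = serverDetails
+ess.projectKey = projectKey
+}
+}
+}
+
+func (ess *EnrichScanStrategy) WithOptions(options ...scan.SbomScanOption) scan.SbomScanStrategy {
+for _, option := range options {
+option(ess)
+}
+return ess
+}
+
+func (ess *EnrichScanStrategy) PrepareStrategy() (err error) {
+catalogManager, err := catalog.CreateCatalogServiceManager(ess.serverDetails, catalog.WithScopedProjectKey(ess.projectKey))
+if err != nil {
+return fmt.Errorf("failed to create catalog service manager: %w", err)
+}
+catalogVersion, err := catalogManager.GetVersion()
+if err != nil {
+return fmt.Errorf("failed to get catalog version: %w", err)
+}
+log.Debug(fmt.Sprintf("Catalog version: %s", catalogVersion))
+return
+}
+
+func (ess *EnrichScanStrategy) SbomEnrichTask(target *cyclonedx.BOM) (enriched *cyclonedx.BOM, violations []services.Violation, err error) {
+catalogManager, err := catalog.CreateCatalogServiceManager(ess.serverDetails, catalog.WithScopedProjectKey(ess.projectKey))
+if err != nil {
+return nil, []services.Violation{}, fmt.Errorf("failed to create catalog service manager: %w", err)
+}
+enriched, err = catalogManager.Enrich(target)
+return
+}
+
+func (ess *EnrichScanStrategy) DeprecatedScanTask(target *cyclonedx.BOM) (techResults services.ScanResponse, err error) {
+return services.ScanResponse{}, errors.New("EnrichScanStrategy does not support DeprecatedScanTask")
+}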
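Review bot: `SbomEnrichTask` never produces violations — it returns `nil` on success and `[]services.Violation{}` on the error path — although the `SbomScanStrategy` doc says the task returns the calculated violations, so callers get an inconsistent value with no explanation; return `nil` on both paths and add `// Violations are not computed by the enrich flow yet; callers receive nil until the catalog API exposes them.` above the method. `PrepareStrategy` builds a catalog service manager only to log its version and then discards it, while `SbomEnrichTask` rebuilds one (certs dir, auth config, TLS settings) on every call; keep the manager created in `PrepareStrategy` on the struct and reuse it, so the version call also serves as the readiness check. `DeprecatedScanTask` ignores `target`; name it `_ *cyclonedx.BOM`, as the replaced `getScanDynamicLogic` did for its unused context parameter.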
1 change: 1 addition & 0 deletions sca/scan/scascan.go
Expand Up @@ -28,6 +28,7 @@ type SbomScanStrategy interface {
// TODO: This method is deprecated and only used for backward compatibility until the new BOM can contain all the information scanResponse contains.
// Missing attributes:
// - ExtendedInformation (JfrogResearchInformation): ShortDescription, FullDescription, frogResearchSeverityReasons, Remediation
// - Binary (Docker) indexer attributes (needed for Scan Graph)
DeprecatedScanTask(target *cyclonedx.BOM) (services.ScanResponse, error)
// Perform a Scan on the given SBOM and return the enriched CycloneDX BOM and calculated violations. (Violations will be moved at the future to the end of command)
SbomEnrichTask(target *cyclonedx.BOM) (*cyclonedx.BOM, []services.Violation, error)
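--- a/utils/catalog/catalogmanager.go
+++ b/utils/catalog/catalogmanager.go
@@ -0,0 +1,45 @@
+package catalog
+
+import (
+"github.com/jfrog/jfrog-cli-core/v2/utils/config"
+"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
+"github.com/jfrog/jfrog-client-go/catalog"
+clientconfig "github.com/jfrog/jfrog-client-go/config"
+)
+
+// Options for creating an Catalog service manager.
+type CatalogManagerOption func(f *catalog.CatalogServicesManager)
+
+// Global reference to the project key, used for API endpoints that require it for authentication
+func WithScopedProjectKey(projectKey string) CatalogManagerOption {
+return func(f *catalog.CatalogServicesManager) {
+f.SetProjectKey(projectKey)
+}
+}
+
+func CreateCatalogServiceManager(serverDetails *config.ServerDetails, options ...CatalogManagerOption) (manager *catalog.CatalogServicesManager, err error) {
+certsPath, err := coreutils.GetJfrogCertsDir()
+if err != nil {
+return
+}
+catalogDetails, err := serverDetails.CreateCatalogAuthConfig()
+if err != nil {
+return
+}
+serviceConfig, err := clientconfig.NewConfigBuilder().
+SetServiceDetails(catalogDetails).
+SetCertificatesPath(certsPath).
+SetInsecureTls(serverDetails.InsecureTls).
+Build()
+if err != nil {
+return
+}
+manager, err = catalog.New(serviceConfig)
+if err != nil {
+return nil, err
+}
+for _, option := range options {
+option(manager)
+}
+return
+}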
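Review bot: `CreateCatalogServiceManager` dereferences `serverDetails` at `serverDetails.CreateCatalogAuthConfig()` with no nil check, so a strategy whose `WithParams` option was never applied panics instead of reporting a configuration error; add `if serverDetails == nil { return nil, errors.New("catalog: server details are required") }` at the top (and `errors` to the import block). The comment on `WithScopedProjectKey` says "Global reference to the project key", but the option sets the key on one manager instance; reword to `// WithScopedProjectKey scopes the manager's requests to the given project key, for endpoints that require it for authorization.` and fix `an Catalog` to `a Catalog` in the option type's comment. `CreateCatalogServiceManager` also deserves a doc comment noting that `SetInsecureTls(serverDetails.InsecureTls)` carries the configured server's insecure-TLS setting over to catalog calls, so disabling certificate verification for the platform server disables it here as well. Mixing bare `return` with `return nil, err` in the same function is a small consistency nit.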