From 716425ac2f02825c2cc098e28a42987d76d903f1 Mon Sep 17 00:00:00 2001
From: attiasas
Date: Thu, 25 Dec 2025 10:12:59 +0200
Subject: [PATCH 1/3] Limit full tree size when converting from BOM

---
 utils/results/common.go | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/utils/results/common.go b/utils/results/common.go
index 6e049b3ca..feeaefdc7 100644
--- a/utils/results/common.go
+++ b/utils/results/common.go
@@ -33,6 +33,9 @@ const (
 	DirectDependencyPathLength = 2
 	nodeModules                = "node_modules"
 
+	// MaxUniqueAppearances defines the maximum number of times a dependency can appear in a dependency tree.
+	MaxUniqueAppearances = 10
+
 	// #LC-LC
 	LocationIdTemplate = "%s#L%dC%d-L%dC%d"
 	// Applicability properties for cdx
@@ -1024,10 +1027,11 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc
 		// No dependencies or components in the SBOM, return an empty slice
 		return
 	}
+	dependencyAppearances := map[string]int8{}
 	for _, rootEntry := range cdxutils.GetRootDependenciesEntries(sbom, false) {
 		// Create a new GraphNode with ref as the ID, when populating the tree we need to use the ref as the ID
 		currentTree := &xrayUtils.GraphNode{Id: rootEntry.Ref}
-		populateDepsNodeDataFromBom(currentTree, sbom.Dependencies)
+		populateDepsNodeDataFromBom(currentTree, sbom.Dependencies, dependencyAppearances)
 		fullDependencyTrees = append(fullDependencyTrees, currentTree)
 	}
 	// Translate refs to Purl/Xray IDs
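Review bot: The doc comment on `MaxUniqueAppearances` says the cap applies "in a dependency tree", but the only counter it governs is created once per BOM in BomToFullTree and handed to every root tree, so the limit is per conversion rather than per tree, and a ref that reaches the cap while the first root is built has its subtree dropped from every later root too. The comment should state what the cap actually does and that the truncation is silent, e.g. `// MaxUniqueAppearances caps how many times one component ref is expanded while converting a BOM into full trees; the counter is shared by all root trees of the BOM and subtrees beyond the cap are dropped without notice.` Because this constant decides which transitive paths a scan can report, saying so explicitly warns callers that impact paths for heavily shared components may be incomplete.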
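Review bot: `dependencyAppearances := map[string]int8{}` is too narrow for a counter that populateDepsNodeDataFromBom increments on every visit, including the visits the cap rejects: the cap bounds how often one ref expands, not how many distinct parents can reach it, so a ref shared by many parents can be visited well past 127 times, the int8 wraps negative, `>= MaxUniqueAppearances` becomes false again and the bound this patch introduces stops holding. Go does not trap on integer overflow, so nothing surfaces this. Declare it as `dependencyAppearances := map[string]int{}` and change the parameter type in populateDepsNodeDataFromBom to match (or stop incrementing once the cap is reached). The loop this hunk touches sits in the middle of BomToFullTree, which starts before and ends after the hunk.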
@@ -1037,9 +1041,10 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc
 	return
 }
 
-func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency) {
-	if node == nil || node.NodeHasLoop() {
-		// If the node is nil or has a loop, return
+func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency, dependencyAppearances map[string]int8) {
+	dependencyAppearances[node.Id]++
+	if node == nil || dependencyAppearances[node.Id] >= MaxUniqueAppearances || node.NodeHasLoop() {
+		// If the node is nil or has a loop or appeared too many times, stop the recursion
 		return
 	}
 	for _, dep := range cdxutils.GetDirectDependencies(dependencies, node.Id) {
@@ -1047,7 +1052,7 @@ func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cycl
 		// Add the dependency to the current node
 		node.Nodes = append(node.Nodes, depNode)
 		// Recursively populate the node data
-		populateDepsNodeDataFromBom(depNode, dependencies)
+		populateDepsNodeDataFromBom(depNode, dependencies, dependencyAppearances)
 	}
 }
 

From 44b09e78fda69db7ecd02e5dc0d7b07670209157 Mon Sep 17 00:00:00 2001
From: attiasas
Date: Thu, 25 Dec 2025 10:20:36 +0200
Subject: [PATCH 2/3] fix static

---
 utils/results/common.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/utils/results/common.go b/utils/results/common.go
index feeaefdc7..5cd34e72d 100644
--- a/utils/results/common.go
+++ b/utils/results/common.go
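Review bot: `dependencyAppearances[node.Id]++` dereferences `node` one line before the `node == nil` test, so the nil guard this function already had is dead in this commit and a nil node panics. PATCH 2/3 of the series ("fix static", which suggests a linter caught it) moves the guard back in front of the increment; since this commit on its own leaves the crash in, the two should be squashed so the series never contains the broken state. The function also has no doc comment; a one-liner such as `// populateDepsNodeDataFromBom recursively attaches the direct dependencies of node, stopping on nil, on a loop, or once node.Id has been visited MaxUniqueAppearances times.` would tell readers what the new parameter is for. The function body continues past the end of this hunk.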
@@ -1042,9 +1042,12 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc
 }
 
 func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency, dependencyAppearances map[string]int8) {
+	if node == nil {
+		return
+	}
 	dependencyAppearances[node.Id]++
-	if node == nil || dependencyAppearances[node.Id] >= MaxUniqueAppearances || node.NodeHasLoop() {
-		// If the node is nil or has a loop or appeared too many times, stop the recursion
+	if dependencyAppearances[node.Id] >= MaxUniqueAppearances || node.NodeHasLoop() {
+		// If the node has a loop or appeared too many times, stop the recursion
 		return
 	}
 	for _, dep := range cdxutils.GetDirectDependencies(dependencies, node.Id) {

From 8c6bf71eea75667e576497e577d92d50b67c4bb9 Mon Sep 17 00:00:00 2001
From: attiasas
Date: Mon, 29 Dec 2025 09:55:55 +0200
Subject: [PATCH 3/3] remove log finished content before output print

---
 cli/gitcommands.go             | 1 -
 cli/scancommands.go            | 1 -
 commands/audit/audit.go        | 2 +-
 commands/git/audit/gitaudit.go | 1 +
 4 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/cli/gitcommands.go b/cli/gitcommands.go
index 6fb8b80c3..bf515b4e0 100644
--- a/cli/gitcommands.go
+++ b/cli/gitcommands.go
@@ -99,7 +99,6 @@ func GitAuditCmd(c *components.Context) error {
 	gitAuditCmd.SetUploadCdxResults(uploadResults).SetRtResultRepository(c.GetStringFlagValue(flags.UploadRtRepoPath))
 	// Run the command with progress bar if needed, Reporting error if Xsc service is enabled
 	err = reportErrorIfExists(xrayVersion, xscVersion, serverDetails, gitAuditCmd.GetProjectKey(), progressbar.ExecWithProgress(gitAuditCmd))
-	log.Info("####### jf git audit Scan Finished #######")
 	return err
 }
 
diff --git a/cli/scancommands.go b/cli/scancommands.go
index 0e134abdb..d2e29071b 100644
--- a/cli/scancommands.go
+++ b/cli/scancommands.go
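Review bot: When the cap fires, the early return under `if dependencyAppearances[node.Id] >= MaxUniqueAppearances || node.NodeHasLoop()` leaves `node` attached to its parent as a leaf with no record that its children were dropped, so anything downstream that walks the tree (impact paths for a vulnerable transitive component, for instance) cannot distinguish a truncated node from a genuine leaf. At minimum emit a debug line at that return using whatever logger common.go already imports (none is visible in this hunk), e.g. `log.Debug(fmt.Sprintf("dependency %s reached %d appearances, its subtree is not expanded", node.Id, MaxUniqueAppearances))`. Moving `dependencyAppearances[node.Id]++` to just after that check would also keep the counter saturated at the cap instead of growing on every rejected visit, which matters for an int8 counter that Go will wrap silently. The function body continues past the end of this hunk.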
@@ -433,7 +433,6 @@ func AuditCmd(c *components.Context) error {
 	auditCmd.SetThreads(threads)
 	// Reporting error if Xsc service is enabled
 	err = reportErrorIfExists(xrayVersion, xscVersion, serverDetails, auditCmd.GetProjectKey(), progressbar.ExecWithProgress(auditCmd))
-	log.Info("####### jf audit Scan Finished #######")
 	return err
 }
 
diff --git a/commands/audit/audit.go b/commands/audit/audit.go
index 683c8cca3..96efc80e9 100644
--- a/commands/audit/audit.go
+++ b/commands/audit/audit.go
@@ -242,7 +242,7 @@ func (auditCmd *AuditCommand) Run() (err error) {
 			return errors.Join(err, auditResults.GetErrors())
 		}
 	}
-
+	log.Info("####### jf audit Scan Finished #######")
 	return OutputResultsAndCmdError(auditResults, auditCmd.getResultWriter(auditResults), auditCmd.Fail)
 }
 
diff --git a/commands/git/audit/gitaudit.go b/commands/git/audit/gitaudit.go
index 060a9e496..d5692ae37 100644
--- a/commands/git/audit/gitaudit.go
+++ b/commands/git/audit/gitaudit.go
@@ -62,6 +62,7 @@ func (gaCmd *GitAuditCommand) Run() (err error) {
 			return errors.Join(err, auditResults.GetErrors())
 		}
 	}
+	log.Info("####### jf git audit Scan Finished #######")
 	return sourceAudit.OutputResultsAndCmdError(auditResults, gaCmd.getResultWriter(auditResults), gaCmd.failBuild)
 }
 
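Review bot: The banner `log.Info("####### jf audit Scan Finished #######")` now fires before `OutputResultsAndCmdError` has written anything, so when result writing or the fail-on-violation check errors, the user sees "Scan Finished" followed by a failure, and the line no longer marks the end of the command as it did in the CLI layer it was removed from. If the intent is to keep log output from landing after machine-readable results on stdout (the subject line suggests so), say that at the call site so nobody moves it back: `// Logged before output so the banner never trails JSON/SARIF written to stdout`. The same applies to the matching line added in gitaudit.go below. Run() starts before this hunk.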