Fix locations (evidences) for all components (jfrog#659)

Author: attiasas

sca/bom/buildinfo/technologies/pnpm/pnpm_test.go

@@ -43,7 +43,7 @@ func TestBuildDependencyTreeLimitedDepth(t *testing.T) {
 			name:      "With transitive dependencies",
 			treeDepth: "1",
 			expectedUniqueDeps: []string{
-				"npm://axios:1.13.4",
+				"npm://axios:1.13.5",
 				"npm://balaganjs:1.0.0",
 				"npm://yargs:13.3.0",
 				"npm://zen-website:1.0.0",
@@ -53,7 +53,7 @@ func TestBuildDependencyTreeLimitedDepth(t *testing.T) {
 				Nodes: []*xrayUtils.GraphNode{
 					{
 						Id:    "npm://balaganjs:1.0.0",
-						Nodes: []*xrayUtils.GraphNode{{Id: "npm://axios:1.13.4"}, {Id: "npm://yargs:13.3.0"}},
+						Nodes: []*xrayUtils.GraphNode{{Id: "npm://axios:1.13.5"}, {Id: "npm://yargs:13.3.0"}},
 					},
 				},
 			},

tests/utils/test_utils.go

@@ -189,26 +189,35 @@ func convertScaSimpleJsonPathsForOS(potentialComponents *[]formats.ComponentRow,
 	if potentialComponents != nil {
 		components := *potentialComponents
 		for i := range components {
-			if components[i].Location != nil {
-				components[i].Location.File = filepath.FromSlash(components[i].Location.File)
+			if components[i].PreferredLocation != nil {
+				components[i].PreferredLocation.File = filepath.FromSlash(components[i].PreferredLocation.File)
+			}
+			for j := range components[i].Evidences {
+				components[i].Evidences[j].File = filepath.FromSlash(components[i].Evidences[j].File)
 			}
 		}
 	}
 	if potentialImpactPaths != nil {
 		impactPaths := *potentialImpactPaths
 		for i := range impactPaths {
 			for j := range impactPaths[i] {
-				if impactPaths[i][j].Location != nil {
-					impactPaths[i][j].Location.File = filepath.FromSlash(impactPaths[i][j].Location.File)
+				if impactPaths[i][j].PreferredLocation != nil {
+					impactPaths[i][j].PreferredLocation.File = filepath.FromSlash(impactPaths[i][j].PreferredLocation.File)
+				}
+				for k := range impactPaths[i][j].Evidences {
+					impactPaths[i][j].Evidences[k].File = filepath.FromSlash(impactPaths[i][j].Evidences[k].File)
 				}
 			}
 		}
 	}
 	if potentialImpactedDependencyDetails != nil {
 		impactedDependencyDetails := *potentialImpactedDependencyDetails
 		for i := range impactedDependencyDetails.Components {
-			if impactedDependencyDetails.Components[i].Location != nil {
-				impactedDependencyDetails.Components[i].Location.File = filepath.FromSlash(impactedDependencyDetails.Components[i].Location.File)
+			if impactedDependencyDetails.Components[i].PreferredLocation != nil {
+				impactedDependencyDetails.Components[i].PreferredLocation.File = filepath.FromSlash(impactedDependencyDetails.Components[i].PreferredLocation.File)
+			}
+			for j := range impactedDependencyDetails.Components[i].Evidences {
+				impactedDependencyDetails.Components[i].Evidences[j].File = filepath.FromSlash(impactedDependencyDetails.Components[i].Evidences[j].File)
 			}
 		}
 	}

tests/validations/test_validate_simple_json.go

@@ -226,11 +226,14 @@ func validateComponentRows(t *testing.T, issueId string, exactMatch bool, expect
 
 func validateComponentRow(t *testing.T, issueId string, exactMatch bool, expected, actual formats.ComponentRow) {
 	ValidateContent(t, exactMatch,
-		PointerValidation[formats.Location]{Expected: expected.Location, Actual: actual.Location, Msg: fmt.Sprintf("IssueId %s: Component %s:%s Location mismatch", issueId, expected.Name, expected.Version)},
+		PointerValidation[formats.Location]{Expected: expected.PreferredLocation, Actual: actual.PreferredLocation, Msg: fmt.Sprintf("IssueId %s: Component %s:%s Location mismatch", issueId, expected.Name, expected.Version)},
 	)
-	if expected.Location != nil {
-		ValidateContent(t, exactMatch, StringValidation{Expected: expected.Location.File, Actual: actual.Location.File, Msg: fmt.Sprintf("IssueId %s: Component %s:%s Location.File mismatch", issueId, expected.Name, expected.Version)})
+	if expected.PreferredLocation != nil {
+		ValidateContent(t, exactMatch, StringValidation{Expected: expected.PreferredLocation.File, Actual: actual.PreferredLocation.File, Msg: fmt.Sprintf("IssueId %s: Component %s:%s Location.File mismatch", issueId, expected.Name, expected.Version)})
 	}
+	ValidateContent(t, exactMatch,
+		ListValidation[formats.Location]{Expected: expected.Evidences, Actual: actual.Evidences, Msg: fmt.Sprintf("IssueId %s: Component %s:%s Evidences mismatch", issueId, expected.Name, expected.Version)},
+	)
 }
 
 func getComponent(name, version string, content []formats.ComponentRow) *formats.ComponentRow {

utils/formats/simplejsonapi.go

@@ -138,10 +138,13 @@ func (l Location) ToString() string {
 }
 
 type ComponentRow struct {
-	Id       string    `json:"id,omitempty"`
-	Name     string    `json:"name"`
-	Version  string    `json:"version"`
-	Location *Location `json:"location,omitempty"`
+	Id      string `json:"id,omitempty"`
+	Name    string `json:"name"`
+	Version string `json:"version"`
+	// Shown the preferred location of the component from the evidences.
+	PreferredLocation *Location `json:"location,omitempty"`
+	// Evidences is a list of locations that the component was found in.
+	Evidences []Location `json:"evidences,omitempty"`
 }
 
 type CveRow struct {

utils/results/common.go

@@ -258,10 +258,10 @@ func getDirectComponentsAndImpactPaths(target string, impactPaths [][]services.I
 		if _, exist := componentsMap[componentId]; !exist {
 			compName, compVersion, _ := techutils.SplitComponentIdRaw(componentId)
 			componentsMap[componentId] = formats.ComponentRow{
-				Id:       componentId,
-				Name:     compName,
-				Version:  compVersion,
-				Location: getComponentLocation(impactPath[impactPathIndex].FullPath, target),
+				Id:                componentId,
+				Name:              compName,
+				Version:           compVersion,
+				PreferredLocation: getComponentLocation(impactPath[impactPathIndex].FullPath, target),
 			}
 		}
 
@@ -270,10 +270,10 @@ func getDirectComponentsAndImpactPaths(target string, impactPaths [][]services.I
 		for _, pathNode := range impactPath {
 			nodeCompName, nodeCompVersion, _ := techutils.SplitComponentIdRaw(pathNode.ComponentId)
 			compImpactPathRows = append(compImpactPathRows, formats.ComponentRow{
-				Id:       pathNode.ComponentId,
-				Name:     nodeCompName,
-				Version:  nodeCompVersion,
-				Location: getComponentLocation(pathNode.FullPath),
+				Id:                pathNode.ComponentId,
+				Name:              nodeCompName,
+				Version:           nodeCompVersion,
+				PreferredLocation: getComponentLocation(pathNode.FullPath),
 			})
 		}
 		impactPathsRows = append(impactPathsRows, compImpactPathRows)
@@ -292,10 +292,10 @@ func BuildImpactPath(affectedComponent cyclonedx.Component, components []cyclone
 		impactedPath := buildImpactPathForComponent(parent, componentAppearances, components, dependencies...)
 		// Add the affected component at the end of the impact path
 		impactedPath = append(impactedPath, formats.ComponentRow{
-			Id:       affectedComponent.BOMRef,
-			Name:     affectedComponent.Name,
-			Version:  affectedComponent.Version,
-			Location: CdxEvidenceToLocation(affectedComponent),
+			Id:        affectedComponent.BOMRef,
+			Name:      affectedComponent.Name,
+			Version:   affectedComponent.Version,
+			Evidences: CdxEvidencesToLocations(affectedComponent),
 		})
 		// Add the impact path to the list of impact paths
 		impactPathsRows = append(impactPathsRows, impactedPath)
@@ -308,10 +308,10 @@ func buildImpactPathForComponent(component cyclonedx.Component, componentAppeara
 	// Build the impact path for the component
 	impactPath = []formats.ComponentRow{
 		{
-			Id:       component.BOMRef,
-			Name:     component.Name,
-			Version:  component.Version,
-			Location: CdxEvidenceToLocation(component),
+			Id:        component.BOMRef,
+			Name:      component.Name,
+			Version:   component.Version,
+			Evidences: CdxEvidencesToLocations(component),
 		},
 	}
 	// Add the parent components to the impact path
@@ -1383,10 +1383,10 @@ func ExtractComponentDirectComponentsInBOM(bom *cyclonedx.BOM, component cyclone
 	if relation := cdxutils.GetComponentRelation(bom, component.BOMRef, true); relation == cdxutils.RootRelation || relation == cdxutils.DirectRelation {
 		// The component is a root or direct dependency, no parents to extract, return the component itself
 		directComponents = append(directComponents, formats.ComponentRow{
-			Id:       component.BOMRef,
-			Name:     component.Name,
-			Version:  component.Version,
-			Location: CdxEvidenceToLocation(component),
+			Id:        component.BOMRef,
+			Name:      component.Name,
+			Version:   component.Version,
+			Evidences: CdxEvidencesToLocations(component),
 		})
 		return
 	}
@@ -1403,19 +1403,50 @@ func ExtractComponentDirectComponentsInBOM(bom *cyclonedx.BOM, component cyclone
 	return
 }
 
-func CdxEvidenceToLocation(component cyclonedx.Component) (location *formats.Location) {
+func CdxEvidencesToPreferredLocation(component cyclonedx.Component) (location *formats.Location) {
 	if component.Evidence == nil || component.Evidence.Occurrences == nil || len(*component.Evidence.Occurrences) == 0 {
 		return nil
 	}
+	if len(*component.Evidence.Occurrences) == 1 {
+		return &formats.Location{
+			File: (*component.Evidence.Occurrences)[0].Location,
+		}
+	}
+	// We need to pick the preferred location from the evidences (we prefer descriptors over lock files)
+	for _, occurrence := range *component.Evidence.Occurrences {
+		if techutils.IsTechnologyDescriptor(occurrence.Location) != techutils.NoTech {
+			return &formats.Location{
+				File: occurrence.Location,
+			}
+		}
+	}
 	// We take the first location as the main location
-	if len(*component.Evidence.Occurrences) > 1 {
-		log.Debug(fmt.Sprintf("Multiple locations found for component %s evidence, using the first one as location", component.Name))
+	log.Debug(fmt.Sprintf("Multiple locations found for component %s evidence, using the first one as location", component.Name))
+	return &formats.Location{
+		File: (*component.Evidence.Occurrences)[0].Location,
+	}
+}
+
+func CdxEvidencesToLocations(component cyclonedx.Component) (evidences []formats.Location) {
+	if component.Evidence == nil || component.Evidence.Occurrences == nil || len(*component.Evidence.Occurrences) == 0 {
+		return nil
+	}
+	for _, occurrence := range *component.Evidence.Occurrences {
+		evidences = append(evidences, formats.Location{File: occurrence.Location})
+	}
+	return
+}
+
+func GetBestLocation(component formats.ComponentRow) string {
+	if component.PreferredLocation != nil {
+		return strings.TrimSpace(component.PreferredLocation.File)
 	}
-	loc := (*component.Evidence.Occurrences)[0]
-	location = &formats.Location{
-		File: loc.Location,
+	for _, evidence := range component.Evidences {
+		if strings.TrimSpace(evidence.File) != "" {
+			return strings.TrimSpace(evidence.File)
+		}
 	}
-	return location
+	return ""
 }
 
 func CdxVulnToCveRows(vulnerability cyclonedx.Vulnerability, applicability *formats.Applicability) (cveRows []formats.CveRow) {

utils/results/common_test.go

@@ -613,16 +613,16 @@ func TestGetDirectComponents(t *testing.T) {
 			name:                        "one direct component with target",
 			target:                      filepath.Join("root", "dir", "file"),
 			impactPaths:                 [][]services.ImpactPathNode{{services.ImpactPathNode{ComponentId: "gav://jfrog:pack1:1.2.3"}, services.ImpactPathNode{ComponentId: "gav://jfrog:pack2:1.2.3"}}},
-			expectedDirectComponentRows: []formats.ComponentRow{{Id: "gav://jfrog:pack2:1.2.3", Name: "jfrog:pack2", Version: "1.2.3", Location: &formats.Location{File: filepath.Join("root", "dir", "file")}}},
+			expectedDirectComponentRows: []formats.ComponentRow{{Id: "gav://jfrog:pack2:1.2.3", Name: "jfrog:pack2", Version: "1.2.3", PreferredLocation: &formats.Location{File: filepath.Join("root", "dir", "file")}}},
 			expectedConvImpactPaths:     [][]formats.ComponentRow{{{Id: "gav://jfrog:pack1:1.2.3", Name: "jfrog:pack1", Version: "1.2.3"}, {Id: "gav://jfrog:pack2:1.2.3", Name: "jfrog:pack2", Version: "1.2.3"}}},
 		},
 		{
 			name:        "multiple direct components",
 			target:      filepath.Join("root", "dir", "file"),
 			impactPaths: [][]services.ImpactPathNode{{services.ImpactPathNode{ComponentId: "gav://jfrog:pack1:1.2.3"}, services.ImpactPathNode{ComponentId: "gav://jfrog:pack21:1.2.3"}, services.ImpactPathNode{ComponentId: "gav://jfrog:pack3:1.2.3"}}, {services.ImpactPathNode{ComponentId: "gav://jfrog:pack1:1.2.3"}, services.ImpactPathNode{ComponentId: "gav://jfrog:pack22:1.2.3"}, services.ImpactPathNode{ComponentId: "gav://jfrog:pack3:1.2.3"}}},
 			expectedDirectComponentRows: []formats.ComponentRow{
-				{Id: "gav://jfrog:pack21:1.2.3", Name: "jfrog:pack21", Version: "1.2.3", Location: &formats.Location{File: filepath.Join("root", "dir", "file")}},
-				{Id: "gav://jfrog:pack22:1.2.3", Name: "jfrog:pack22", Version: "1.2.3", Location: &formats.Location{File: filepath.Join("root", "dir", "file")}},
+				{Id: "gav://jfrog:pack21:1.2.3", Name: "jfrog:pack21", Version: "1.2.3", PreferredLocation: &formats.Location{File: filepath.Join("root", "dir", "file")}},
+				{Id: "gav://jfrog:pack22:1.2.3", Name: "jfrog:pack22", Version: "1.2.3", PreferredLocation: &formats.Location{File: filepath.Join("root", "dir", "file")}},
 			},
 			expectedConvImpactPaths: [][]formats.ComponentRow{{{Id: "gav://jfrog:pack1:1.2.3", Name: "jfrog:pack1", Version: "1.2.3"}, {Id: "gav://jfrog:pack21:1.2.3", Name: "jfrog:pack21", Version: "1.2.3"}, {Id: "gav://jfrog:pack3:1.2.3", Name: "jfrog:pack3", Version: "1.2.3"}}, {{Id: "gav://jfrog:pack1:1.2.3", Name: "jfrog:pack1", Version: "1.2.3"}, {Id: "gav://jfrog:pack22:1.2.3", Name: "jfrog:pack22", Version: "1.2.3"}, {Id: "gav://jfrog:pack3:1.2.3", Name: "jfrog:pack3", Version: "1.2.3"}}},
 		},
@@ -800,7 +800,7 @@ func TestExtractComponentDirectComponentsInBOM(t *testing.T) {
 			},
 			impactPaths: [][]formats.ComponentRow{{{Id: "root", Name: "Root Component", Version: "1.0.0"}, {Id: "direct1", Name: "Direct 1", Version: "2.0.0"}}},
 			expectedDirects: []formats.ComponentRow{
-				{Id: "direct1", Name: "Direct 1", Version: "2.0.0", Location: &formats.Location{File: "package.json"}},
+				{Id: "direct1", Name: "Direct 1", Version: "2.0.0", Evidences: []formats.Location{{File: "package.json"}}},
 			},
 		},
 		{
@@ -2869,3 +2869,109 @@ func TestExtractCdxDependenciesCves(t *testing.T) {
 		})
 	}
 }
+
+func TestGetBestLocation(t *testing.T) {
+	tests := []struct {
+		name      string
+		component formats.ComponentRow
+		expected  string
+	}{
+		{
+			name: "Component with no location",
+		},
+		{
+			name:      "Component with preferred location",
+			component: formats.ComponentRow{PreferredLocation: &formats.Location{File: "package.json"}},
+			expected:  "package.json",
+		},
+		{
+			name:      "Component with evidences (npm)",
+			component: formats.ComponentRow{Evidences: []formats.Location{{File: "package.json"}, {File: "package-lock.json"}}},
+			expected:  "package.json",
+		},
+		{
+			name:      "Component with evidences (pip)",
+			component: formats.ComponentRow{Evidences: []formats.Location{{File: "requirements.txt"}, {File: "requirements.lock"}}},
+			expected:  "requirements.txt",
+		},
+		{
+			name:      "Component with preferred location and evidences",
+			component: formats.ComponentRow{PreferredLocation: &formats.Location{File: "package.json"}, Evidences: []formats.Location{{File: "package-lock.json"}}},
+			expected:  "package.json",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			assert.Equal(t, test.expected, GetBestLocation(test.component))
+		})
+	}
+}
+
+func TestCdxEvidencesToPreferredLocation(t *testing.T) {
+	tests := []struct {
+		name      string
+		component cyclonedx.Component
+		expected  *formats.Location
+	}{
+		{
+			name:      "Component with no location",
+			component: cyclonedx.Component{Evidence: &cyclonedx.Evidence{Occurrences: &[]cyclonedx.EvidenceOccurrence{{Location: "package.json"}}}},
+			expected:  &formats.Location{File: "package.json"},
+		},
+		{
+			name:      "Component with preferred location",
+			component: cyclonedx.Component{Evidence: &cyclonedx.Evidence{Occurrences: &[]cyclonedx.EvidenceOccurrence{{Location: "package.json"}}}},
+			expected:  &formats.Location{File: "package.json"},
+		},
+		{
+			name:      "Component with evidences (npm)",
+			component: cyclonedx.Component{Evidence: &cyclonedx.Evidence{Occurrences: &[]cyclonedx.EvidenceOccurrence{{Location: "package.json"}, {Location: "package-lock.json"}}}},
+			expected:  &formats.Location{File: "package.json"},
+		},
+		{
+			name:      "Component with evidences (pip)",
+			component: cyclonedx.Component{Evidence: &cyclonedx.Evidence{Occurrences: &[]cyclonedx.EvidenceOccurrence{{Location: "requirements.txt"}, {Location: "requirements.lock"}}}},
+			expected:  &formats.Location{File: "requirements.txt"},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			assert.Equal(t, test.expected, CdxEvidencesToPreferredLocation(test.component))
+		})
+	}
+}
+
+func TestCdxEvidencesToLocations(t *testing.T) {
+	tests := []struct {
+		name      string
+		component cyclonedx.Component
+		expected  []formats.Location
+	}{
+		{
+			name: "Component with no location",
+		},
+		{
+			name:      "Component with preferred location",
+			component: cyclonedx.Component{Evidence: &cyclonedx.Evidence{Occurrences: &[]cyclonedx.EvidenceOccurrence{{Location: "package.json"}}}},
+			expected:  []formats.Location{{File: "package.json"}},
+		},
+		{
+			name:      "Component with evidences (npm)",
+			component: cyclonedx.Component{Evidence: &cyclonedx.Evidence{Occurrences: &[]cyclonedx.EvidenceOccurrence{{Location: "package.json"}, {Location: "package-lock.json"}}}},
+			expected:  []formats.Location{{File: "package.json"}, {File: "package-lock.json"}},
+		},
+		{
+			name:      "Component with evidences (pip)",
+			component: cyclonedx.Component{Evidence: &cyclonedx.Evidence{Occurrences: &[]cyclonedx.EvidenceOccurrence{{Location: "requirements.txt"}, {Location: "requirements.lock"}}}},
+			expected:  []formats.Location{{File: "requirements.txt"}, {File: "requirements.lock"}},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			assert.Equal(t, test.expected, CdxEvidencesToLocations(test.component))
+		})
+	}
+}