Add Xray Source Control Service (#940)

go.mod

@@ -14,7 +14,7 @@ require (
  github.com/jedib0t/go-pretty/v6 v6.4.7
  github.com/jfrog/build-info-go v1.9.10
  github.com/jfrog/gofrog v1.3.0
- github.com/jfrog/jfrog-client-go v1.31.6
+ github.com/jfrog/jfrog-client-go v1.32.1
  github.com/magiconair/properties v1.8.7
  github.com/manifoldco/promptui v0.9.0
  github.com/owenrumney/go-sarif/v2 v2.2.0
@@ -93,8 +93,6 @@ require (
  gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20230910192358-6994626b2069
-
 // replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38
 
 // replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27

go.sum

@@ -198,8 +198,8 @@ github.com/jfrog/build-info-go v1.9.10 h1:uXnDLVxpqxoAMpXcki00QaBB+M2BoGMMpHODPk
 github.com/jfrog/build-info-go v1.9.10/go.mod h1:ujJ8XQZMdT2tMkLSMJNyDd1pCY+duwHdjV+9or9FLIg=
 github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
 github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
-github.com/jfrog/jfrog-client-go v1.28.1-0.20230910192358-6994626b2069 h1:vk+P6jK4Zv8+F44ZnRxXUPT14BQxjJtNKdpGdemci7A=
-github.com/jfrog/jfrog-client-go v1.28.1-0.20230910192358-6994626b2069/go.mod h1:362+oa7uTTYurzBs1L0dmUTlLo7uhpAU/pwM5Zb9clg=
+github.com/jfrog/jfrog-client-go v1.32.1 h1:RQmuPSLsF5222vZJzwkgHSZMMJF83ExS7SwIvh4P+H8=
+github.com/jfrog/jfrog-client-go v1.32.1/go.mod h1:362+oa7uTTYurzBs1L0dmUTlLo7uhpAU/pwM5Zb9clg=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=

xray/commands/audit/audit.go

@@ -158,8 +158,7 @@ func RunAudit(auditParams *AuditParams) (results *Results, err error) {
  return
  }
  var xrayManager *xray.XrayServicesManager
- xrayManager, auditParams.xrayVersion, err = xrayutils.CreateXrayServiceManagerAndGetVersion(serverDetails)
- if err != nil {
+ if xrayManager, auditParams.xrayVersion, err = xrayutils.CreateXrayServiceManagerAndGetVersion(serverDetails); err != nil {
  return
  }
  if err = clientutils.ValidateMinimumVersion(clientutils.Xray, auditParams.xrayVersion, scangraph.GraphScanMinXrayVersion); err != nil {
@@ -187,7 +186,7 @@ func RunAudit(auditParams *AuditParams) (results *Results, err error) {
 
  // Run scanners only if the user is entitled for Advanced Security
  if results.ExtendedScanResults.EntitledForJas {
- results.JasError = runJasScannersAndSetResults(results.ExtendedScanResults, auditParams.DirectDependencies(), serverDetails, auditParams.workingDirs, auditParams.Progress())
+ results.JasError = runJasScannersAndSetResults(results.ExtendedScanResults, auditParams.DirectDependencies(), serverDetails, auditParams.workingDirs, auditParams.Progress(), auditParams.xrayGraphScanParams.MultiScanId)
  }
  return
 }

xray/commands/audit/jas/common.go

@@ -41,7 +41,7 @@ type JasScanner struct {
  ScannerDirCleanupFunc func() error
 }
 
-func NewJasScanner(workingDirs []string, serverDetails *config.ServerDetails) (scanner *JasScanner, err error) {
+func NewJasScanner(workingDirs []string, serverDetails *config.ServerDetails, multiScanId string) (scanner *JasScanner, err error) {
  scanner = &JasScanner{}
  if scanner.AnalyzerManager.AnalyzerManagerFullPath, err = utils.GetAnalyzerManagerExecutable(); err != nil {
  return
@@ -57,6 +57,7 @@ func NewJasScanner(workingDirs []string, serverDetails *config.ServerDetails) (s
  scanner.ConfigFileName = filepath.Join(tempDir, "config.yaml")
  scanner.ResultsFileName = filepath.Join(tempDir, "results.sarif")
  scanner.WorkingDirs, err = coreutils.GetFullPathsWorkingDirs(workingDirs)
+ scanner.AnalyzerManager.MultiScanId = multiScanId
  return
 }
 
@@ -181,7 +182,7 @@ var FakeBasicXrayResults = []services.ScanResponse{
 
 func InitJasTest(t *testing.T, workingDirs ...string) (*JasScanner, func()) {
  assert.NoError(t, rtutils.DownloadAnalyzerManagerIfNeeded())
- scanner, err := NewJasScanner(workingDirs, &FakeServerDetails)
+ scanner, err := NewJasScanner(workingDirs, &FakeServerDetails, "")
  assert.NoError(t, err)
  return scanner, func() {
  assert.NoError(t, scanner.ScannerDirCleanupFunc())

xray/commands/audit/jasrunner.go

@@ -14,12 +14,12 @@ import (
 )
 
 func runJasScannersAndSetResults(scanResults *utils.ExtendedScanResults, directDependencies []string,
- serverDetails *config.ServerDetails, workingDirs []string, progress io.ProgressMgr) (err error) {
+ serverDetails *config.ServerDetails, workingDirs []string, progress io.ProgressMgr, multiScanId string) (err error) {
  if serverDetails == nil || len(serverDetails.Url) == 0 {
  log.Warn("To include 'Advanced Security' scan as part of the audit output, please run the 'jf c add' command before running this command.")
  return
  }
- scanner, err := jas.NewJasScanner(workingDirs, serverDetails)
+ scanner, err := jas.NewJasScanner(workingDirs, serverDetails, multiScanId)
  if err != nil {
  return
  }

xray/commands/audit/jasrunner_test.go

@@ -22,22 +22,22 @@ func TestGetExtendedScanResults_AnalyzerManagerDoesntExist(t *testing.T) {
  assert.NoError(t, os.Unsetenv(coreutils.HomeDir))
  }()
  scanResults := &utils.ExtendedScanResults{XrayResults: jas.FakeBasicXrayResults, ScannedTechnologies: []coreutils.Technology{coreutils.Yarn}}
- err = runJasScannersAndSetResults(scanResults, []string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, &jas.FakeServerDetails, nil, nil)
+ err = runJasScannersAndSetResults(scanResults, []string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, &jas.FakeServerDetails, nil, nil, "")
  // Expect error:
  assert.Error(t, err)
 }
 
 func TestGetExtendedScanResults_ServerNotValid(t *testing.T) {
  scanResults := &utils.ExtendedScanResults{XrayResults: jas.FakeBasicXrayResults, ScannedTechnologies: []coreutils.Technology{coreutils.Pip}}
- err := runJasScannersAndSetResults(scanResults, []string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, nil, nil, nil)
+ err := runJasScannersAndSetResults(scanResults, []string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, nil, nil, nil, "")
  assert.NoError(t, err)
 }
 
 func TestGetExtendedScanResults_AnalyzerManagerReturnsError(t *testing.T) {
  mockDirectDependencies := []string{"issueId_2_direct_dependency", "issueId_1_direct_dependency"}
  assert.NoError(t, rtutils.DownloadAnalyzerManagerIfNeeded())
  scanResults := &utils.ExtendedScanResults{XrayResults: jas.FakeBasicXrayResults, ScannedTechnologies: []coreutils.Technology{coreutils.Yarn}}
- err := runJasScannersAndSetResults(scanResults, mockDirectDependencies, &jas.FakeServerDetails, nil, nil)
+ err := runJasScannersAndSetResults(scanResults, mockDirectDependencies, &jas.FakeServerDetails, nil, nil, "")
 
  // Expect error:
  assert.ErrorContains(t, err, "failed to run Applicability scan")

xray/commands/audit/sca/common.go

@@ -52,6 +52,10 @@ func populateXrayDependencyTree(currNode *xrayUtils.GraphNode, treeHelper map[st
 
 func RunXrayDependenciesTreeScanGraph(dependencyTree *xrayUtils.GraphNode, progress ioUtils.ProgressMgr, technology coreutils.Technology, scanGraphParams *scangraph.ScanGraphParams) (results []services.ScanResponse, err error) {
  scanGraphParams.XrayGraphScanParams().DependenciesGraph = dependencyTree
+ xscGitInfoContext := scanGraphParams.XrayGraphScanParams().XscGitInfoContext
+ if xscGitInfoContext != nil {
+ xscGitInfoContext.Technologies = []string{technology.ToString()}
+ }
  scanMessage := fmt.Sprintf("Scanning %d %s dependencies", len(dependencyTree.Nodes), technology)
  if progress != nil {
  progress.SetHeadlineMsg(scanMessage)

xray/scangraph/scangraph.go

@@ -24,11 +24,20 @@ func RunScanGraphAndGetResults(params *ScanGraphParams) (*services.ScanResponse,
  // Remove scan type param if Xray version is under the minimum supported version
  params.xrayGraphScanParams.ScanType = ""
  }
+
+ if params.xrayGraphScanParams.XscGitInfoContext != nil {
+ if params.xrayGraphScanParams.XscVersion, err = xrayManager.XscEnabled(); err != nil {
+ return nil, err
+ }
+ }
+
  scanId, err := xrayManager.ScanGraph(*params.xrayGraphScanParams)
  if err != nil {
  return nil, err
  }
- scanResult, err := xrayManager.GetScanGraphResults(scanId, params.XrayGraphScanParams().IncludeVulnerabilities, params.XrayGraphScanParams().IncludeLicenses)
+
+ xscEnabled := params.xrayGraphScanParams.XscVersion != ""
+ scanResult, err := xrayManager.GetScanGraphResults(scanId, params.XrayGraphScanParams().IncludeVulnerabilities, params.XrayGraphScanParams().IncludeLicenses, xscEnabled)
  if err != nil {
  return nil, err
  }

xray/utils/analyzermanager.go

@@ -89,13 +89,14 @@ func (e *ExtendedScanResults) getXrayScanResults() []services.ScanResponse {
 
 type AnalyzerManager struct {
  AnalyzerManagerFullPath string
+ MultiScanId string
 }
 
 func (am *AnalyzerManager) Exec(configFile, scanCommand, workingDir string, serverDetails *config.ServerDetails) (err error) {
  if err = SetAnalyzerManagerEnvVariables(serverDetails); err != nil {
  return err
  }
- cmd := exec.Command(am.AnalyzerManagerFullPath, scanCommand, configFile)
+ cmd := exec.Command(am.AnalyzerManagerFullPath, scanCommand, configFile, am.MultiScanId)
  defer func() {
  if !cmd.ProcessState.Exited() {
  if killProcessError := cmd.Process.Kill(); errorutils.CheckError(killProcessError) != nil {