JFrog Advanced Security - Secrets & IaC scans #788

Merged: 70 commits, Jun 13, 2023

@orto17 orto17 commented May 21, 2023

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • All static analysis checks passed.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.

This PR includes the following:

  1. The JAS flow now contains three scans: applicability, secrets & IaC.
  2. The final output includes three tables: Xray vulnerabilities/violations, secrets & IaC.
  3. The three scans will be executed as part of the audit command, and will be executed one after the other.
  4. If the user is not entitled to the JAS scan, JAS results will not be printed.
  5. If the analyzer manager does not support one of the JAS scans, the unsupported scan will be skipped, and execution continues as normal.

Output examples - table: [2 images]

Output examples - simple-json: [2 images]

orto17 added 30 commits April 3, 2023 13:44
…lity-column

# Conflicts:
#	xray/commands/audit/generic/auditmanager.go
#	xray/commands/scan/buildscan.go
#	xray/formats/conversion.go
#	xray/formats/table.go
#	xray/utils/resultstable.go
#	xray/utils/resultstable_test.go
#	xray/utils/resultwriter.go
# Conflicts:
#	xray/commands/audit/generic/jas/applicabilityscanner.go
#	xray/commands/audit/generic/jas/generic.go
@eyalbe4 eyalbe4 added the new feature Automatically generated release notes label Jun 6, 2023

@eyalbe4 eyalbe4 left a comment


I haven't finished going over the entire code yet, but I'm releasing what I have so far. Feel free to go ahead and implement my comments.

In addition to my inline comments:
Only commands should be under the commands or commands/audit package. Therefore, the ApplicabilityScanManager, IacScanManager, jasmanager.go and SecretScanManager should move to a new package named jas under jfrog-cli-core/xray/audit.

xray/commands/audit/applicabilitymanager.go (resolved)
xray/commands/audit/applicabilitymanager.go (outdated, resolved)
xray/commands/audit/applicabilitymanager.go (resolved)
xray/commands/audit/applicabilitymanager.go (outdated, resolved)
xray/commands/audit/iacscanner.go (outdated, resolved)
xray/commands/audit/applicabilitymanager.go (outdated, resolved)
xray/commands/audit/applicabilitymanager.go (outdated, resolved)
xray/commands/audit/applicabilitymanager_test.go (outdated, resolved)
# Conflicts:
#	xray/utils/analyzermanager.go
#	xray/utils/resultwriter.go
@orto17 orto17 requested a review from eyalbe4 June 7, 2023 13:50
@eyalbe4 eyalbe4 changed the title JAS Secrets & Iac Scans JFrog Advanced Security - Secrets & Iac Scans Jun 7, 2023
@eyalbe4 eyalbe4 changed the title JFrog Advanced Security - Secrets & Iac Scans JFrog Advanced Security - Secrets & IaC Scans Jun 7, 2023
@eyalbe4 eyalbe4 changed the title JFrog Advanced Security - Secrets & IaC Scans JFrog Advanced Security - Secrets & IaC scans Jun 7, 2023
xray/audit/jas/applicabilitymanager.go (outdated, resolved)
xray/audit/jas/iacscanner.go (outdated, resolved)
xray/audit/jas/secretsscanner.go (outdated, resolved)
xray/audit/jas/applicabilitymanager.go (outdated, resolved)
xray/audit/jas/applicabilitymanager_test.go (outdated, resolved)
xray/audit/jas/secretsscanner_test.go (outdated, resolved)
xray/utils/analyzermanager.go (outdated, resolved)
xray/utils/analyzermanager.go (resolved)
xray/utils/resultwriter.go (outdated, resolved)
xray/utils/resultwriter.go (outdated, resolved)
@orto17 orto17 requested a review from eyalbe4 June 12, 2023 12:27
@eyalbe4 eyalbe4 merged commit ce1271d into jfrog:dev Jun 13, 2023
1 check failed