Docker scan JAS support, dumb copy with broken imports jfrog#4

commands/audit/audit.go

@@ -5,15 +5,14 @@ import (
 	"os"
 
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
-	"github.com/jfrog/jfrog-cli-security/scangraph"
-	"github.com/jfrog/jfrog-cli-security/utils"
+	"github.com/jfrog/jfrog-cli-core/v2/utils/dependencies"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/scangraph"
 	clientutils "github.com/jfrog/jfrog-client-go/utils"
-	"github.com/jfrog/jfrog-client-go/utils/log"
 	"github.com/jfrog/jfrog-client-go/xray"
 	"github.com/jfrog/jfrog-client-go/xray/services"
 	"golang.org/x/sync/errgroup"
 
-	xrayutils "github.com/jfrog/jfrog-cli-security/utils"
+	xrayutils "github.com/jfrog/jfrog-cli-core/v2/xray/utils"
 )
 
 type AuditCommand struct {
@@ -83,8 +82,6 @@ func (auditCmd *AuditCommand) CreateXrayGraphScanParams() *services.XrayGraphSca
 }
 
 func (auditCmd *AuditCommand) Run() (err error) {
-	// If no workingDirs were provided by the user, we apply a recursive scan on the root repository
-	isRecursiveScan := len(auditCmd.workingDirs) == 0
 	workingDirs, err := coreutils.GetFullPathsWorkingDirs(auditCmd.workingDirs)
 	if err != nil {
 		return
@@ -96,8 +93,7 @@ func (auditCmd *AuditCommand) Run() (err error) {
 		SetFixableOnly(auditCmd.fixableOnly).
 		SetGraphBasicParams(auditCmd.AuditBasicParams).
 		SetThirdPartyApplicabilityScan(auditCmd.thirdPartyApplicabilityScan).
-		SetExclusions(auditCmd.exclusions).
-		SetIsRecursiveScan(isRecursiveScan)
+		SetExclusions(auditCmd.exclusions)
 	auditResults, err := RunAudit(auditParams)
 	if err != nil {
 		return
@@ -160,15 +156,15 @@ func RunAudit(auditParams *AuditParams) (results *xrayutils.Results, err error)
 		return
 	}
 	results.XrayVersion = auditParams.xrayVersion
-	results.ExtendedScanResults.EntitledForJas, err = isEntitledForJas(xrayManager, auditParams.xrayVersion)
+	results.ExtendedScanResults.EntitledForJas, err = xrayutils.IsEntitledForJas(xrayManager, auditParams.xrayVersion)
 	if err != nil {
 		return
 	}
 
 	errGroup := new(errgroup.Group)
 	if results.ExtendedScanResults.EntitledForJas {
 		// Download (if needed) the analyzer manager in a background routine.
-		errGroup.Go(utils.DownloadAnalyzerManagerIfNeeded)
+		errGroup.Go(dependencies.DownloadAnalyzerManagerIfNeeded)
 	}
 
 	// The sca scan doesn't require the analyzer manager, so it can run separately from the analyzer manager download routine.
@@ -185,12 +181,3 @@ func RunAudit(auditParams *AuditParams) (results *xrayutils.Results, err error)
 	}
 	return
 }
-
-func isEntitledForJas(xrayManager *xray.XrayServicesManager, xrayVersion string) (entitled bool, err error) {
-	if e := clientutils.ValidateMinimumVersion(clientutils.Xray, xrayVersion, xrayutils.EntitlementsMinVersion); e != nil {
-		log.Debug(e)
-		return
-	}
-	entitled, err = xrayManager.IsEntitled(xrayutils.ApplicabilityFeatureId)
-	return
-}

commands/audit/jas/applicability/applicabilitymanager.go

@@ -4,11 +4,11 @@ import (
 	"path/filepath"
 
 	jfrogappsconfig "github.com/jfrog/jfrog-apps-config/go"
-	"github.com/jfrog/jfrog-cli-security/commands/audit/jas"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas"
 
 	"github.com/jfrog/gofrog/datastructures"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
-	"github.com/jfrog/jfrog-cli-security/utils"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/utils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
 	"github.com/jfrog/jfrog-client-go/xray/services"
 	"github.com/owenrumney/go-sarif/v2/sarif"
@@ -17,9 +17,10 @@ import (
 )
 
 const (
-	applicabilityScanType      = "analyze-applicability"
-	applicabilityScanCommand   = "ca"
-	applicabilityDocsUrlSuffix = "contextual-analysis"
+	applicabilityScanType           = "analyze-applicability"
+	applicabilityScanCommand        = "ca"
+	applicabilityDocsUrlSuffix      = "contextual-analysis"
+	applicabilityDockerScanScanType = "analyze-applicability-docker-scan"
 )
 
 type ApplicabilityScanManager struct {
@@ -29,6 +30,7 @@ type ApplicabilityScanManager struct {
 	xrayResults              []services.ScanResponse
 	scanner                  *jas.JasScanner
 	thirdPartyScan           bool
+	commandType              string
 }
 
 // The getApplicabilityScanResults function runs the applicability scan flow, which includes the following steps:
@@ -55,6 +57,37 @@ func RunApplicabilityScan(xrayResults []services.ScanResponse, directDependencie
 	return
 }
 
+// The getApplicabilityScanResults function runs the applicability scan flow, which includes the following steps:
+// Creating an ApplicabilityScanManager object.
+// Checking if the scanned project is eligible for applicability scan.
+// Running the analyzer manager executable.
+// Parsing the analyzer manager results.
+// Return values:
+// map[string]string: A map containing the applicability result of each XRAY CVE.
+// bool: true if the user is entitled to the applicability scan, false otherwise.
+// error: An error object (if any).
+func RunApplicabilityWithScanCves(xrayResults []services.ScanResponse, cveList []string,
+	scannedTechnologies []coreutils.Technology, scanner *jas.JasScanner) (results []*sarif.Run, err error) {
+	applicabilityScanManager := newApplicabilityScanManagerCves(xrayResults, cveList, scanner)
+	if err = applicabilityScanManager.scanner.Run(applicabilityScanManager); err != nil {
+		err = utils.ParseAnalyzerManagerError(utils.Applicability, err)
+		return
+	}
+	results = applicabilityScanManager.applicabilityScanResults
+	return
+}
+
+func newApplicabilityScanManagerCves(xrayScanResults []services.ScanResponse, cveList []string, scanner *jas.JasScanner) (manager *ApplicabilityScanManager) {
+	return &ApplicabilityScanManager{
+		applicabilityScanResults: []*sarif.Run{},
+		directDependenciesCves:   cveList,
+		xrayResults:              xrayScanResults,
+		scanner:                  scanner,
+		thirdPartyScan:           false,
+		commandType:              applicabilityDockerScanScanType,
+	}
+}
+
 func newApplicabilityScanManager(xrayScanResults []services.ScanResponse, directDependencies []string, scanner *jas.JasScanner, thirdPartyScan bool) (manager *ApplicabilityScanManager) {
 	directDependenciesCves, indirectDependenciesCves := extractDependenciesCvesFromScan(xrayScanResults, directDependencies)
 	return &ApplicabilityScanManager{
@@ -64,6 +97,7 @@ func newApplicabilityScanManager(xrayScanResults []services.ScanResponse, direct
 		xrayResults:              xrayScanResults,
 		scanner:                  scanner,
 		thirdPartyScan:           thirdPartyScan,
+		commandType:              applicabilityScanType,
 	}
 }
 
@@ -152,6 +186,7 @@ type scanConfiguration struct {
 	CveWhitelist         []string `yaml:"cve-whitelist"`
 	IndirectCveWhitelist []string `yaml:"indirect-cve-whitelist"`
 	SkippedDirs          []string `yaml:"skipped-folders"`
+	ScanType             string   `yaml:"scantype"`
 }
 
 func (asm *ApplicabilityScanManager) createConfigFile(module jfrogappsconfig.Module) error {
@@ -169,7 +204,7 @@ func (asm *ApplicabilityScanManager) createConfigFile(module jfrogappsconfig.Mod
 			{
 				Roots:                roots,
 				Output:               asm.scanner.ResultsFileName,
-				Type:                 applicabilityScanType,
+				Type:                 asm.commandType,
 				GrepDisable:          false,
 				CveWhitelist:         asm.directDependenciesCves,
 				IndirectCveWhitelist: asm.indirectDependenciesCves,

commands/audit/jas/secrets/secretsscanner.go

@@ -5,21 +5,23 @@ import (
 	"strings"
 
 	jfrogappsconfig "github.com/jfrog/jfrog-apps-config/go"
-	"github.com/jfrog/jfrog-cli-security/commands/audit/jas"
-	"github.com/jfrog/jfrog-cli-security/utils"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/utils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
 	"github.com/owenrumney/go-sarif/v2/sarif"
 )
 
 const (
-	secretsScanCommand   = "sec"
-	secretsScannerType   = "secrets-scan"
-	secretsDocsUrlSuffix = "secrets"
+	secretsScanCommand           = "sec"
+	SecretsScannerType           = "secrets-scan"        // #nosec
+	SecretsScannerDockerScanType = "secrets-docker-scan" // #nosec
+	secretsDocsUrlSuffix         = "secrets"
 )
 
 type SecretScanManager struct {
 	secretsScannerResults []*sarif.Run
 	scanner               *jas.JasScanner
+	scanType              string
 }
 
 // The getSecretsScanResults function runs the secrets scan flow, which includes the following steps:
@@ -29,8 +31,8 @@ type SecretScanManager struct {
 // Return values:
 // []utils.IacOrSecretResult: a list of the secrets that were found.
 // error: An error object (if any).
-func RunSecretsScan(scanner *jas.JasScanner) (results []*sarif.Run, err error) {
-	secretScanManager := newSecretsScanManager(scanner)
+func RunSecretsScan(scanner *jas.JasScanner, scanType string) (results []*sarif.Run, err error) {
+	secretScanManager := newSecretsScanManager(scanner, scanType)
 	log.Info("Running secrets scanning...")
 	if err = secretScanManager.scanner.Run(secretScanManager); err != nil {
 		err = utils.ParseAnalyzerManagerError(utils.Secrets, err)
@@ -43,10 +45,11 @@ func RunSecretsScan(scanner *jas.JasScanner) (results []*sarif.Run, err error) {
 	return
 }
 
-func newSecretsScanManager(scanner *jas.JasScanner) (manager *SecretScanManager) {
+func newSecretsScanManager(scanner *jas.JasScanner, scanType string) (manager *SecretScanManager) {
 	return &SecretScanManager{
 		secretsScannerResults: []*sarif.Run{},
 		scanner:               scanner,
+		scanType:              scanType,
 	}
 }
 
@@ -89,7 +92,7 @@ func (s *SecretScanManager) createConfigFile(module jfrogappsconfig.Module) erro
 			{
 				Roots:       roots,
 				Output:      s.scanner.ResultsFileName,
-				Type:        secretsScannerType,
+				Type:        s.scanType,
 				SkippedDirs: jas.GetExcludePatterns(module, module.Scanners.Secrets),
 			},
 		},

commands/audit/jasrunner.go

@@ -2,13 +2,14 @@ package audit
 
 import (
 	"errors"
+
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
-	"github.com/jfrog/jfrog-cli-security/commands/audit/jas"
-	"github.com/jfrog/jfrog-cli-security/commands/audit/jas/applicability"
-	"github.com/jfrog/jfrog-cli-security/commands/audit/jas/iac"
-	"github.com/jfrog/jfrog-cli-security/commands/audit/jas/sast"
-	"github.com/jfrog/jfrog-cli-security/commands/audit/jas/secrets"
-	"github.com/jfrog/jfrog-cli-security/utils"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas/applicability"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas/iac"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas/sast"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas/secrets"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/utils"
 	"github.com/jfrog/jfrog-client-go/utils/io"
 	"github.com/jfrog/jfrog-client-go/utils/log"
 )
@@ -41,7 +42,7 @@ func runJasScannersAndSetResults(scanResults *utils.Results, directDependencies
 	if progress != nil {
 		progress.SetHeadlineMsg("Running secrets scanning")
 	}
-	scanResults.ExtendedScanResults.SecretsScanResults, err = secrets.RunSecretsScan(scanner)
+	scanResults.ExtendedScanResults.SecretsScanResults, err = secrets.RunSecretsScan(scanner, secrets.SecretsScannerType)
 	if err != nil {
 		return
 	}

commands/scan/jasrunner_cves.go

@@ -0,0 +1,45 @@
+package scan
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas/applicability"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas/secrets"
+
+	"github.com/jfrog/jfrog-cli-core/v2/xray/utils"
+	"github.com/jfrog/jfrog-client-go/utils/log"
+)
+
+func runJasScannersAndSetResults(scanResults *utils.Results, cveList []string,
+	serverDetails *config.ServerDetails, workingDirs []string) (err error) {
+
+	if serverDetails == nil || len(serverDetails.Url) == 0 {
+		log.Warn("To include 'Advanced Security' scan as part of the audit output, please run the 'jf c add' command before running this command.")
+		return
+	}
+	multiScanId := "" // Also empty for audit
+	scanner, err := jas.NewJasScanner(workingDirs, serverDetails, multiScanId)
+	if err != nil {
+		return
+	}
+
+	defer func() {
+		cleanup := scanner.ScannerDirCleanupFunc
+		err = errors.Join(err, cleanup())
+	}()
+
+	scanResults.ExtendedScanResults.ApplicabilityScanResults, err = applicability.RunApplicabilityWithScanCves(scanResults.GetScaScansXrayResults(), cveList, scanResults.GetScaScannedTechnologies(), scanner)
+	if err != nil {
+		fmt.Println("there was an error:", err)
+		return
+	}
+
+	scanResults.ExtendedScanResults.SecretsScanResults, err = secrets.RunSecretsScan(scanner, secrets.SecretsScannerDockerScanType)
+	if err != nil {
+		return
+	}
+	return
+}

commands/scan/scan.go

@@ -10,17 +10,20 @@ import (
 	"regexp"
 	"strings"
 
-	"github.com/jfrog/jfrog-cli-security/scangraph"
+	"golang.org/x/exp/slices"
+
+	rtutils "github.com/jfrog/jfrog-cli-core/v2/artifactory/utils"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/scangraph"
 	xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
+	"golang.org/x/sync/errgroup"
 
 	"github.com/jfrog/gofrog/parallel"
 	"github.com/jfrog/jfrog-cli-core/v2/common/format"
-	outputFormat "github.com/jfrog/jfrog-cli-core/v2/common/format"
 	"github.com/jfrog/jfrog-cli-core/v2/common/spec"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
-	"github.com/jfrog/jfrog-cli-security/formats"
-	xrutils "github.com/jfrog/jfrog-cli-security/utils"
+	"github.com/jfrog/jfrog-cli-core/v2/xray/formats"
+	xrutils "github.com/jfrog/jfrog-cli-core/v2/xray/utils"
 	"github.com/jfrog/jfrog-client-go/artifactory/services/fspatterns"
 	clientutils "github.com/jfrog/jfrog-client-go/utils"
 	"github.com/jfrog/jfrog-client-go/utils/errorutils"
@@ -46,7 +49,7 @@ type ScanCommand struct {
 	// The location of the downloaded Xray indexer binary on the local file system.
 	indexerPath            string
 	indexerTempDir         string
-	outputFormat           outputFormat.OutputFormat
+	outputFormat           format.OutputFormat
 	projectKey             string
 	minSeverityFilter      string
 	watches                []string
@@ -78,7 +81,7 @@ func (scanCmd *ScanCommand) SetThreads(threads int) *ScanCommand {
 	return scanCmd
 }
 
-func (scanCmd *ScanCommand) SetOutputFormat(format outputFormat.OutputFormat) *ScanCommand {
+func (scanCmd *ScanCommand) SetOutputFormat(format format.OutputFormat) *ScanCommand {
 	scanCmd.outputFormat = format
 	return scanCmd
 }
@@ -249,6 +252,23 @@ func (scanCmd *ScanCommand) Run() (err error) {
 	scanResults.XrayVersion = xrayVersion
 	scanResults.ScaResults = []xrutils.ScaScanResult{{XrayResults: flatResults}}
 
+	scanResults.ExtendedScanResults.EntitledForJas, err = xrutils.IsEntitledForJas(xrayManager, xrayVersion)
+	errGroup := new(errgroup.Group)
+	if scanResults.ExtendedScanResults.EntitledForJas {
+		// Download (if needed) the analyzer manager in a background routine.
+		errGroup.Go(rtutils.DownloadAnalyzerManagerIfNeeded)
+	}
+	// Wait for the Download of the AnalyzerManager to complete.
+	if err = errGroup.Wait(); err != nil {
+		err = errors.New("failed while trying to get Analyzer Manager: " + err.Error())
+	}
+
+	if scanResults.ExtendedScanResults.EntitledForJas {
+		cveList := cveListFromVulnerabilities(flatResults)
+		workingDirs := []string{scanCmd.spec.Files[0].Pattern}
+		scanResults.JasError = runJasScannersAndSetResults(scanResults, cveList, scanCmd.serverDetails, workingDirs)
+	}
+
 	if err = xrutils.NewResultsWriter(scanResults).
 		SetOutputFormat(scanCmd.outputFormat).
 		SetIncludeVulnerabilities(scanCmd.includeVulnerabilities).
@@ -454,6 +474,20 @@ func appendErrorSlice(scanErrors []formats.SimpleJsonError, errorsToAdd [][]form
 	return scanErrors
 }
 
-func ConditionalUploadDefaultScanFunc(serverDetails *config.ServerDetails, fileSpec *spec.SpecFiles, threads int, scanOutputFormat format.OutputFormat) error {
-	return NewScanCommand().SetServerDetails(serverDetails).SetSpec(fileSpec).SetThreads(threads).SetOutputFormat(scanOutputFormat).SetFail(true).SetPrintExtendedTable(false).Run()
+func cveListFromVulnerabilities(flatResults []services.ScanResponse) []string {
+	var cveList []string
+	var technologiesList []string
+	for _, result := range flatResults {
+		for _, vulnerability := range result.Vulnerabilities {
+			for _, cve := range vulnerability.Cves {
+				if !slices.Contains(cveList, cve.Id) && (cve.Id != "") {
+					cveList = append(cveList, cve.Id)
+				}
+			}
+			if !slices.Contains(technologiesList, vulnerability.Technology) && (vulnerability.Technology != "") {
+				technologiesList = append(technologiesList, vulnerability.Technology)
+			}
+		}
+	}
+	return cveList
 }