Exclude JAS Scan Flag #836

orto17 · 2023-06-25T07:37:08Z

All tests passed. If this feature is not already covered by the tests, I added new tests.
All static analysis checks passed.
This pull request is on the dev branch.
I used gofmt for formatting the code before submitting the pull request.

This PR contains the following:

A new flag for the audit command hat will allow the user to force a skip on a certain Jas scan.
Each scan that will appear in the flag will be skipped, and analyzer manager will not be executed for this scan.
The user will be able to include more than one scanner to skip, for example: -exclude-scan=contextual_analysis;secrets

yahavi

Looks good @orto17!
Please consider my inline comments.

yahavi · 2023-06-28T08:53:34Z

xray/audit/jas/iacscanner.go

@@ -48,6 +48,9 @@ func getIacScanResults(serverDetails *config.ServerDetails, analyzerManager util
 			err = errors.Join(err, cleanupFunc())
 		}
 	}()
+	if utils.ExcludeScan(scannersToExclude, iacScanCommand) {
+		return nil, false, nil


Let's add a debug level log that the IaC scan is skipped

yahavi · 2023-06-28T10:01:17Z

xray/audit/jas/jasmanager.go

 	analyzerManagerExecuter utils.AnalyzerManagerInterface = &utils.AnalyzerManager{}
 	skippedDirs                                            = []string{"**/*test*/**", "**/*venv*/**", "**/*node_modules*/**", "**/*target*/**"}
+	scannersToExclude                                      = []string{}


This comment is not related to this PR, but is more general -
Please prefer not to use global variables. Instead, the recommended way is to use a new JasManager struct.

One design pattern is to pass a pointer of the struct when needed to each one of the scanners.
Another design pattern is to use inheritance/decoration, whereby every scanner contains the JasManager struct.

yahavi · 2023-06-28T10:03:36Z

xray/audit/jas/jasmanager.go

@@ -39,6 +41,7 @@ func GetExtendedScanResults(xrayResults []services.ScanResponse, dependencyTrees
 	if err = utils.CreateAnalyzerManagerLogDir(); err != nil {
 		return nil, err
 	}
+	scannersToExclude = strings.Split(excludeScan, ";")


Let's also trim strings to allow for example: --exclude-scan=contextual_analysis; secrets

yahavi · 2023-06-28T10:41:52Z

xray/audit/jas/secretsscanner.go

@@ -49,6 +50,9 @@ func getSecretsScanResults(serverDetails *config.ServerDetails, analyzerManager
 			err = errors.Join(err, cleanupFunc())
 		}
 	}()
+	if utils.ExcludeScan(scannersToExclude, secretsFeatureName) {
+		return nil, false, nil


Let's add a debug level log that the secret scan is skipped

yahavi · 2023-06-28T10:43:39Z

xray/utils/analyzermanager.go

+	for _, s := range scansToBeExcluded {
+		if s == scan {
+			return true
+		}
+	}
+	return false


Can be inlined:

Suggested change

for _, s := range scansToBeExcluded {

if s == scan {

return true

}

}

return false

return slices.Contains(scansToBeExcluded, scan)

exclude scanner flag

15c5feb

orto17 had a problem deploying to frogbot June 25, 2023 07:37 — with GitHub Actions Failure

yahavi requested review from yahavi and talarian1 June 25, 2023 07:48

yahavi requested changes Jun 28, 2023

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Exclude JAS Scan Flag #836

Exclude JAS Scan Flag #836

orto17 commented Jun 25, 2023

yahavi left a comment

yahavi Jun 28, 2023

yahavi Jun 28, 2023

yahavi Jun 28, 2023

yahavi Jun 28, 2023

yahavi Jun 28, 2023

Exclude JAS Scan Flag #836

Are you sure you want to change the base?

Exclude JAS Scan Flag #836

Conversation

orto17 commented Jun 25, 2023

yahavi left a comment

Choose a reason for hiding this comment

yahavi Jun 28, 2023

Choose a reason for hiding this comment

yahavi Jun 28, 2023

Choose a reason for hiding this comment

yahavi Jun 28, 2023

Choose a reason for hiding this comment

yahavi Jun 28, 2023

Choose a reason for hiding this comment

yahavi Jun 28, 2023

Choose a reason for hiding this comment