Added centralized config utilization in Audit for CI Next

commands/audit/audit.go

@@ -252,7 +252,7 @@ func downloadAnalyzerManagerAndRunScanners(auditParallelRunner *utils.SecurityPa
 	if err != nil {
 		return fmt.Errorf("failed to create jas scanner: %s", err.Error())
 	}
-	if err = runner.AddJasScannersTasks(auditParallelRunner, scanResults, auditParams.DirectDependencies(), serverDetails, auditParams.thirdPartyApplicabilityScan, scanner, applicability.ApplicabilityScannerType, secrets.SecretsScannerType, auditParallelRunner.AddErrorToChan, auditParams.ScansToPerform()); err != nil {
+	if err = runner.AddJasScannersTasks(auditParallelRunner, scanResults, auditParams.DirectDependencies(), serverDetails, auditParams.thirdPartyApplicabilityScan, scanner, applicability.ApplicabilityScannerType, secrets.SecretsScannerType, auditParallelRunner.AddErrorToChan, auditParams.ScansToPerform(), auditParams.configProfile); err != nil {
 		return fmt.Errorf("%s failed to run JAS scanners: %s", clientutils.GetLogMsgPrefix(threadId, false), err.Error())
 	}
 	return

commands/audit/auditparams.go

@@ -5,6 +5,7 @@ import (
 	"github.com/jfrog/jfrog-cli-security/utils/severityutils"
 	"github.com/jfrog/jfrog-cli-security/utils/xray/scangraph"
 	"github.com/jfrog/jfrog-client-go/xray/services"
+	clientservices "github.com/jfrog/jfrog-client-go/xsc/services"
 )
 
 type AuditParams struct {
@@ -19,6 +20,7 @@ type AuditParams struct {
 	// Include third party dependencies source code in the applicability scan.
 	thirdPartyApplicabilityScan bool
 	threads                     int
+	configProfile               *clientservices.ConfigProfile
 }
 
 func NewAuditParams() *AuditParams {
@@ -92,6 +94,11 @@ func (params *AuditParams) SetCommonGraphScanParams(commonParams *scangraph.Comm
 	return params
 }
 
+func (params *AuditParams) SetConfigProfile(configProfile *clientservices.ConfigProfile) *AuditParams {
+	params.configProfile = configProfile
+	return params
+}
+
 func (params *AuditParams) createXrayGraphScanParams() *services.XrayGraphScanParams {
 	return &services.XrayGraphScanParams{
 		RepoPath:               params.commonGraphScanParams.RepoPath,

commands/audit/scarunner.go

@@ -42,6 +42,11 @@ func buildDepTreeAndRunScaScan(auditParallelRunner *utils.SecurityParallelRunner
 		log.Debug("Skipping SCA scan as requested by input...")
 		return
 	}
+	if auditParams.configProfile != nil {
+		// Currently, if a configuration profile is being utilized, the only supported scanners are Secrets and Sast Scanners, therefore SCA scanner is skipped if a config profile exists
+		return
+	}
+
 	// Prepare
 	currentWorkingDir, err := os.Getwd()
 	if errorutils.CheckError(err) != nil {

commands/scan/scan.go

@@ -442,7 +442,7 @@ func (scanCmd *ScanCommand) createIndexerHandlerFunc(file *spec.File, entitledFo
 						log.Error(fmt.Sprintf("failed to create jas scanner: %s", err.Error()))
 						indexedFileErrors[threadId] = append(indexedFileErrors[threadId], formats.SimpleJsonError{FilePath: filePath, ErrorMessage: err.Error()})
 					}
-					err = runner.AddJasScannersTasks(jasFileProducerConsumer, &scanResults, &depsList, scanCmd.serverDetails, false, scanner, applicability.ApplicabilityDockerScanScanType, secrets.SecretsScannerDockerScanType, jasErrHandlerFunc, utils.GetAllSupportedScans())
+					err = runner.AddJasScannersTasks(jasFileProducerConsumer, &scanResults, &depsList, scanCmd.serverDetails, false, scanner, applicability.ApplicabilityDockerScanScanType, secrets.SecretsScannerDockerScanType, jasErrHandlerFunc, utils.GetAllSupportedScans(), nil)
 					if err != nil {
 						log.Error(fmt.Sprintf("scanning '%s' failed with error: %s", graph.Id, err.Error()))
 						indexedFileErrors[threadId] = append(indexedFileErrors[threadId], formats.SimpleJsonError{FilePath: filePath, ErrorMessage: err.Error()})

go.mod

@@ -116,7 +116,7 @@ require (
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev
 
-// replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go dev
+replace github.com/jfrog/jfrog-client-go => github.com/eranturgeman/jfrog-client-go v0.0.0-20240825073929-bf5dbce89d93
 
 // replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go dev
 

go.sum

@@ -709,6 +709,8 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
 github.com/envoyproxy/protoc-gen-validate v0.6.7/go.mod h1:dyJXwwfPK2VSqiB9Klm1J6romD608Ba7Hij42vrOBCo=
 github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0++PMirau2/yoOwVac3AbF2w=
 github.com/envoyproxy/protoc-gen-validate v0.10.0/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss=
+github.com/eranturgeman/jfrog-client-go v0.0.0-20240825073929-bf5dbce89d93 h1:pxLZtggAcZdsor7ZotV0QhJrTRKZ9+Oo2TMxsnOS3E8=
+github.com/eranturgeman/jfrog-client-go v0.0.0-20240825073929-bf5dbce89d93/go.mod h1:f5Jfv+RGKVr4smOp4a4pxyBKdlpLG7R894kx2XW+w8c=
 github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w=
 github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg=
 github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
@@ -900,8 +902,6 @@ github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYL
 github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
 github.com/jfrog/jfrog-cli-core/v2 v2.55.2 h1:Pm4mY1UThSyFGklDl6O8qoJgTgH9jL3i2tor/ux+X8c=
 github.com/jfrog/jfrog-cli-core/v2 v2.55.2/go.mod h1:2/Ccqq0ayMqIuH5AAoneX0CowwdrNWQcs5aKz8iDYkE=
-github.com/jfrog/jfrog-client-go v1.44.2 h1:5t8tx6NOth6Xq24SdF3MYSd6vo0bTibW93nads2DEuY=
-github.com/jfrog/jfrog-client-go v1.44.2/go.mod h1:f5Jfv+RGKVr4smOp4a4pxyBKdlpLG7R894kx2XW+w8c=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=

jas/runner/jasrunner.go

@@ -2,7 +2,6 @@ package runner
 
 import (
 	"fmt"
-
 	"github.com/jfrog/gofrog/parallel"
 	jfrogappsconfig "github.com/jfrog/jfrog-apps-config/go"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
@@ -15,11 +14,13 @@ import (
 	"github.com/jfrog/jfrog-cli-security/utils/jasutils"
 	clientutils "github.com/jfrog/jfrog-client-go/utils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
+	"github.com/jfrog/jfrog-client-go/xsc/services"
 	"golang.org/x/exp/slices"
 )
 
 func AddJasScannersTasks(securityParallelRunner *utils.SecurityParallelRunner, scanResults *utils.Results, directDependencies *[]string,
-	serverDetails *config.ServerDetails, thirdPartyApplicabilityScan bool, scanner *jas.JasScanner, scanType applicability.ApplicabilityScanType, secretsScanType secrets.SecretsScanType, errHandlerFunc func(error), scansToPreform []utils.SubScanType) (err error) {
+	serverDetails *config.ServerDetails, thirdPartyApplicabilityScan bool, scanner *jas.JasScanner, scanType applicability.ApplicabilityScanType,
+	secretsScanType secrets.SecretsScanType, errHandlerFunc func(error), scansToPreform []utils.SubScanType, configProfile *services.ConfigProfile) (err error) {
 	if serverDetails == nil || len(serverDetails.Url) == 0 {
 		log.Warn("To include 'Advanced Security' scan as part of the audit output, please run the 'jf c add' command before running this command.")
 		return
@@ -31,34 +32,54 @@ func AddJasScannersTasks(securityParallelRunner *utils.SecurityParallelRunner, s
 	}
 	// Set environments variables for analytics in analyzers manager.
 	// Don't execute other scanners when scanning third party dependencies.
+	// Currently, if config profile exists, the only possible scanners to run are: Secrets, Sast
 	if !thirdPartyApplicabilityScan {
 		for _, module := range scanner.JFrogAppsConfig.Modules {
 			if len(scansToPreform) > 0 && !slices.Contains(scansToPreform, utils.SecretsScan) {
 				log.Debug("Skipping secrets scan as requested by input...")
+			} else if configProfile != nil {
+				// This code section is related to CentralizedConfig integration in CI Next.
+				log.Debug(fmt.Sprintf("Using config profile '%s' to determine whether to run secrets scan...", configProfile.ProfileName))
+				if configProfile.Modules[0].ScanConfig.SecretsScannerConfig.EnableSecretsScan {
+					err = addModuleJasScanTask(jfrogappsconfig.Module{}, jasutils.Secrets, securityParallelRunner, runSecretsScan(securityParallelRunner, scanner, scanResults.ExtendedScanResults, module, secretsScanType), errHandlerFunc)
+				} else {
+					log.Debug(fmt.Sprintf("Skipping secrets scan as requested by '%s' config profile...", configProfile.ProfileName))
+				}
 			} else if err = addModuleJasScanTask(module, jasutils.Secrets, securityParallelRunner, runSecretsScan(securityParallelRunner, scanner, scanResults.ExtendedScanResults, module, secretsScanType), errHandlerFunc); err != nil {
 				return
 			}
 			if runAllScanners {
-				if len(scansToPreform) > 0 && !slices.Contains(scansToPreform, utils.IacScan) {
-					log.Debug("Skipping Iac scan as requested by input...")
-				} else if err = addModuleJasScanTask(module, jasutils.IaC, securityParallelRunner, runIacScan(securityParallelRunner, scanner, scanResults.ExtendedScanResults, module), errHandlerFunc); err != nil {
-					return
+				if configProfile == nil {
+					if len(scansToPreform) > 0 && !slices.Contains(scansToPreform, utils.IacScan) {
+						log.Debug("Skipping Iac scan as requested by input...")
+					} else if err = addModuleJasScanTask(module, jasutils.IaC, securityParallelRunner, runIacScan(securityParallelRunner, scanner, scanResults.ExtendedScanResults, module), errHandlerFunc); err != nil {
+						return
+					}
 				}
 				if len(scansToPreform) > 0 && !slices.Contains(scansToPreform, utils.SastScan) {
 					log.Debug("Skipping Sast scan as requested by input...")
+				} else if configProfile != nil {
+					log.Debug(fmt.Sprintf("Using config profile '%s' to determine whether to run Sast scan...", configProfile.ProfileName))
+					if configProfile.Modules[0].ScanConfig.SastScannerConfig.EnableSastScan {
+						err = addModuleJasScanTask(jfrogappsconfig.Module{}, jasutils.Sast, securityParallelRunner, runSastScan(securityParallelRunner, scanner, scanResults.ExtendedScanResults, module), errHandlerFunc)
+					} else {
+						log.Debug(fmt.Sprintf("Skipping Sast scan as requested by '%s' config profile...", configProfile.ProfileName))
+					}
 				} else if err = addModuleJasScanTask(module, jasutils.Sast, securityParallelRunner, runSastScan(securityParallelRunner, scanner, scanResults.ExtendedScanResults, module), errHandlerFunc); err != nil {
 					return
 				}
 			}
 		}
 	}
-	if len(scansToPreform) > 0 && !slices.Contains(scansToPreform, utils.ContextualAnalysisScan) {
-		log.Debug("Skipping contextual analysis scan as requested by input...")
-		return err
-	}
-	for _, module := range scanner.JFrogAppsConfig.Modules {
-		if err = addModuleJasScanTask(module, jasutils.Applicability, securityParallelRunner, runContextualScan(securityParallelRunner, scanner, scanResults, module, directDependencies, thirdPartyApplicabilityScan, scanType), errHandlerFunc); err != nil {
-			return
+	if configProfile == nil {
+		if len(scansToPreform) > 0 && !slices.Contains(scansToPreform, utils.ContextualAnalysisScan) {
+			log.Debug("Skipping contextual analysis scan as requested by input...")
+			return err
+		}
+		for _, module := range scanner.JFrogAppsConfig.Modules {
+			if err = addModuleJasScanTask(module, jasutils.Applicability, securityParallelRunner, runContextualScan(securityParallelRunner, scanner, scanResults, module, directDependencies, thirdPartyApplicabilityScan, scanType), errHandlerFunc); err != nil {
+				return
+			}
 		}
 	}
 	return err

jas/runner/jasrunner_test.go

@@ -39,7 +39,7 @@ func TestGetExtendedScanResults_ServerNotValid(t *testing.T) {
 	scanner := &jas.JasScanner{}
 	jasScanner, err := jas.CreateJasScanner(scanner, nil, &jas.FakeServerDetails, jas.GetAnalyzerManagerXscEnvVars("", scanResults.GetScaScannedTechnologies()...))
 	assert.NoError(t, err)
-	err = AddJasScannersTasks(securityParallelRunnerForTest, scanResults, &[]string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, nil, false, jasScanner, applicability.ApplicabilityScannerType, secrets.SecretsScannerType, securityParallelRunnerForTest.AddErrorToChan, utils.GetAllSupportedScans())
+	err = AddJasScannersTasks(securityParallelRunnerForTest, scanResults, &[]string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, nil, false, jasScanner, applicability.ApplicabilityScannerType, secrets.SecretsScannerType, securityParallelRunnerForTest.AddErrorToChan, utils.GetAllSupportedScans(), nil)
 	assert.NoError(t, err)
 }
 

tests/testdata/other/configProfile/configProfileExample.json

@@ -0,0 +1,49 @@
+{
+  "profile_name": "default-profile",
+    "frogbot_config": {
+    "email_author": "[email protected]",
+    "aggregate_fixes": true,
+    "avoid_previous_pr_comments_deletion": true,
+    "branch_name_template": "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}",
+    "pr_title_template": "[🐸 Frogbot] Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}",
+    "pr_comment_title": "Frogbot notes:",
+    "commit_message_template": "Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}",
+    "show_secrets_as_pr_comment": false
+  },
+  "modules": [
+    {
+      "module_name": "default-module",
+      "path_from_root": ".",
+      "releases_repo": "nuget-remote",
+      "analyzer_manager_version": "1.8.1",
+      "additional_paths_for_module": ["lib1", "utils/lib2"],
+      "exclude_paths": ["**/.git/**", "**/*test*/**", "**/*venv*/**", "**/*node_modules*/**", "**/target/**"],
+      "scan_config": {
+        "scan_timeout": 600,
+        "exclude_pattern": "*.md",
+        "enable_sca_scan": true,
+        "enable_contextual_analysis_scan": true,
+        "sast_scanner_config": {
+          "enable_sast_scan": true
+        },
+        "secrets_scanner_config": {
+          "enable_secrets_scan": true
+        },
+        "iac_scanner_config": {
+          "enable_iac_scan": true
+        },
+        "applications_scanner_config": {
+          "enable_applications_scan": true
+        },
+        "services_scanner_config": {
+          "enable_services_scan": true
+        }
+      },
+      "protected_branches": ["main", "master"],
+      "include_exclude_mode": 0,
+      "include_exclude_pattern": "*test*",
+      "report_analytics": true
+    }
+  ],
+  "is_default": true
+}

utils/test_mocks.go

@@ -8,10 +8,14 @@ import (
 	"github.com/stretchr/testify/assert"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"testing"
 )
 
-const TestMsi = "27e175b8-e525-11ee-842b-7aa2c69b8f1f"
+const (
+	TestMsi               = "27e175b8-e525-11ee-842b-7aa2c69b8f1f"
+	TestConfigProfileName = "default-profile"
+)
 
 type restsTestHandler func(w http.ResponseWriter, r *http.Request)
 
@@ -46,6 +50,19 @@ func XscServer(t *testing.T, xscVersion string) (*httptest.Server, *config.Serve
 				}
 			}
 		}
+		if r.RequestURI == "/xsc/api/v1/profile/"+TestConfigProfileName {
+			if r.Method == http.MethodGet {
+				w.WriteHeader(http.StatusOK)
+				content, err := os.ReadFile("../../tests/testdata/other/configProfile/configProfileExample.json")
+				if err != nil {
+					return
+				}
+				_, err = w.Write(content)
+				if err != nil {
+					return
+				}
+			}
+		}
 	})
 	return serverMock, serverDetails
 }

utils/xsc/configprofile.go

@@ -0,0 +1,32 @@
+package xsc
+
+import (
+	"fmt"
+	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
+	clientutils "github.com/jfrog/jfrog-client-go/utils"
+	"github.com/jfrog/jfrog-client-go/utils/log"
+	"github.com/jfrog/jfrog-client-go/xsc/services"
+)
+
+func GetConfigProfile(serverDetails *config.ServerDetails, profileName string) (*services.ConfigProfile, error) {
+	xscManager, err := CreateXscServiceManager(serverDetails)
+	if err != nil {
+		return nil, err
+	}
+
+	xscVersion, err := xscManager.GetVersion()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get XSC service version '%s': %q", profileName, err)
+	}
+
+	if err = clientutils.ValidateMinimumVersion(clientutils.Xsc, xscVersion, services.ConfigProfileMinXscVersion); err != nil {
+		log.Info("Minimal Xsc version required to utilize config profile is '%s'. All configurations will be induced from provided Env vars and files")
+		return nil, err
+	}
+
+	configProfile, err := xscManager.GetConfigProfile(profileName)
+	if err != nil {
+		err = fmt.Errorf("failed to get config profile '%s': %q", profileName, err)
+	}
+	return configProfile, err
+}

utils/xsc/configprofile_test.go

@@ -0,0 +1,36 @@
+package xsc
+
+import (
+	"encoding/json"
+	"github.com/jfrog/jfrog-cli-security/utils"
+	"github.com/jfrog/jfrog-client-go/xsc/services"
+	"github.com/stretchr/testify/assert"
+	"os"
+	"testing"
+)
+
+func TestGetConfigProfile_ValidRequest_SuccessExpected(t *testing.T) {
+	mockServer, serverDetails := utils.XscServer(t, services.ConfigProfileMinXscVersion)
+	defer mockServer.Close()
+
+	configProfile, err := GetConfigProfile(serverDetails, utils.TestConfigProfileName)
+	assert.NoError(t, err)
+
+	profileFileContent, err := os.ReadFile("../../tests/testdata/other/configProfile/configProfileExample.json")
+	assert.NoError(t, err)
+
+	var configProfileForComparison services.ConfigProfile
+	err = json.Unmarshal(profileFileContent, &configProfileForComparison)
+	assert.NoError(t, err)
+
+	assert.Equal(t, &configProfileForComparison, configProfile)
+}
+
+func TestGetConfigProfile_TooLowXscVersion_FailureExpected(t *testing.T) {
+	mockServer, serverDetails := utils.XscServer(t, "1.0.0")
+	defer mockServer.Close()
+
+	configProfile, err := GetConfigProfile(serverDetails, utils.TestConfigProfileName)
+	assert.Error(t, err)
+	assert.Nil(t, configProfile)
+}

utils/xsc/errorreport.go

@@ -3,7 +3,9 @@ package xsc
 import (
 	"fmt"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
+	clientutils "github.com/jfrog/jfrog-client-go/utils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
+	"github.com/jfrog/jfrog-client-go/xsc"
 	"github.com/jfrog/jfrog-client-go/xsc/services"
 )
 
@@ -21,5 +23,30 @@ func ReportError(serverDetails *config.ServerDetails, errorToReport error, sourc
 		Source:    source,
 		Message:   errorToReport.Error(),
 	}
-	return SendXscLogMessageIfEnabled(errorLog, xscManager)
+	return sendXscLogMessageIfEnabled(errorLog, xscManager)
+}
+
+func sendXscLogMessageIfEnabled(errorLog *services.ExternalErrorLog, xscManager *xsc.XscServicesManager) error {
+	if !IsReportLogErrorEventPossible(xscManager) {
+		return nil
+	}
+	return xscManager.SendXscLogErrorRequest(errorLog)
+}
+
+// Determines if reporting the error is feasible.
+func IsReportLogErrorEventPossible(xscManager *xsc.XscServicesManager) bool {
+	xscVersion, err := xscManager.GetVersion()
+	if err != nil {
+		log.Debug(fmt.Sprintf("failed to check availability of Xsc service:%s\nReporting to JFrog analytics is skipped...", err.Error()))
+		return false
+	}
+	if xscVersion == "" {
+		log.Debug("Xsc service is not available. Reporting to JFrog analytics is skipped...")
+		return false
+	}
+	if err = clientutils.ValidateMinimumVersion(clientutils.Xsc, xscVersion, minXscVersionForErrorReport); err != nil {
+		log.Debug(err.Error())
+		return false
+	}
+	return true
 }