Merge remote-tracking branch 'upstream/dev' into add-exclude-flag-to-…

…publish

# Conflicts:
#	go.mod
#	go.sum

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/jedib0t/go-pretty/v6 v6.4.6
 	github.com/jfrog/build-info-go v1.9.6
 	github.com/jfrog/gofrog v1.3.0
-	github.com/jfrog/jfrog-client-go v1.31.0
+	github.com/jfrog/jfrog-client-go v1.31.1
 	github.com/magiconair/properties v1.8.7
 	github.com/manifoldco/promptui v0.9.0
 	github.com/owenrumney/go-sarif/v2 v2.1.3

go.sum

@@ -198,6 +198,8 @@ github.com/jfrog/build-info-go v1.9.6 h1:lCJ2j5uXAlJsSwDe5J8WD7Co1f/hUlZvMfwfb5A
 github.com/jfrog/build-info-go v1.9.6/go.mod h1:GbuFS+viHCKZYx9nWHYu7ab1DgQkFdtVN3BJPUNb2D4=
 github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
 github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
+github.com/jfrog/jfrog-client-go v1.31.1 h1:lmunA5ZpRsrWTXgEGvnvVPIfwEqB3gn6+eVNpV2VBzU=
+github.com/jfrog/jfrog-client-go v1.31.1/go.mod h1:qEJxoe68sUtqHJ1YhXv/7pKYP/9p1D5tJrruzJKYeoI=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=

utils/coreutils/tableutils.go

@@ -28,6 +28,7 @@ var DefaultMaxColWidth = 25
 // In case the struct you want to print contains a field that is a slice of other structs,
 // you can print it in the table too with the 'embed-table' tag which can be set on slices of structs only.
 // Fields with the 'extended' tag will be printed iff the 'printExtended' bool input is true.
+// You can merge cells horizontally with the 'auto-merge' tag, it will merge cells with the same value.
 //
 // Example:
 // These are the structs Customer and Product:
@@ -91,6 +92,36 @@ var DefaultMaxColWidth = 25
 // ┌─────────────────────────┐
 // │ No customers were found │
 // └─────────────────────────┘
+//
+// Example(auto-merge):
+// These are the structs Customer:
+//
+//	type Customer struct {
+//	    name     string    `col-name:"Name" auto-merge:"true"`
+//	    age       string   `col-name:"Age" auto-merge:"true"`
+//	    title     string   `col-name:"Product Title" auto-merge:"true"`
+//	    CatNumber string   `col-name:"Product\nCatalog #" auto-merge:"true"`
+//	    Color     string   `col-name:"Color" extended:"true" auto-merge:"true"`
+//	}
+//
+//  customersSlice := []Customer{
+//	    {name: "Gai", age: "350", title: "SpiderFrog Shirt - Medium", CatNumber: "123456", Color: "Green"},
+//      {name: "Gai", age: "350", title: "Floral Bottle", CatNumber: "147585", Color: "Blue"},
+//	    {name: "Noah", age: "21", title: "Pouch", CatNumber: "456789", Color: "Red"},
+// }
+//
+// Customers
+// ┌──────┬─────┬───────────────────────────┬───────────┐
+// │ NAME │ AGE │ PRODUCT TITLE             │ PRODUCT   │
+// │      │     │                           │ CATALOG # │
+// ├──────┼─────┼───────────────────────────┼───────────┤
+// │ Gai  │ 350 │ SpiderFrog Shirt - Medium │ 123456    │
+// │      │     ├───────────────────────────┼───────────┤
+// │      │     │ Floral Bottle             │ 147585    │
+// ├──────┼─────┼───────────────────────────┼───────────┤
+// │ Noah │ 21  │ Pouch                     │ 456789    │
+// └──────┴─────┴───────────────────────────┴───────────┘
+
 func PrintTable(rows interface{}, title string, emptyTableMessage string, printExtended bool) (err error) {
 	tableWriter, err := PrepareTable(rows, emptyTableMessage, printExtended)
 	if err != nil || tableWriter == nil {
@@ -140,6 +171,7 @@ func PrepareTable(rows interface{}, emptyTableMessage string, printExtended bool
 		columnName, columnNameExist := field.Tag.Lookup("col-name")
 		embedTable, embedTableExist := field.Tag.Lookup("embed-table")
 		extended, extendedExist := field.Tag.Lookup("extended")
+		_, autoMerge := field.Tag.Lookup("auto-merge")
 		_, omitEmptyColumn := field.Tag.Lookup("omitempty")
 		if !printExtended && extendedExist && extended == "true" {
 			continue
@@ -161,7 +193,7 @@ func PrepareTable(rows interface{}, emptyTableMessage string, printExtended bool
 		} else {
 			columnsNames = append(columnsNames, columnName)
 			fieldsProperties = append(fieldsProperties, fieldProperties{index: i})
-			columnConfigs = append(columnConfigs, table.ColumnConfig{Name: columnName})
+			columnConfigs = append(columnConfigs, table.ColumnConfig{Name: columnName, AutoMerge: autoMerge})
 		}
 	}
 	tableWriter.AppendHeader(columnsNames)

xray/audit/jas/applicabilitymanager.go

@@ -51,7 +51,7 @@ func getApplicabilityScanResults(results []services.ScanResponse, dependencyTree
 		}
 	}()
 	if !applicabilityScanManager.eligibleForApplicabilityScan() {
-		log.Debug("The conditions for running the applicability scan are not met. Skipping the execution of the Analyzer Manager")
+		log.Debug("The conditions for running the applicability scan are not met. Skipping...")
 		return nil, false, nil
 	}
 	if err = applicabilityScanManager.run(); err != nil {
@@ -191,6 +191,7 @@ func (a *ApplicabilityScanManager) run() (err error) {
 	if !a.directDependenciesExist() {
 		return nil
 	}
+	log.Info("Running applicability scanning for the identified vulnerable dependencies...")
 	if err = a.createConfigFile(); err != nil {
 		return
 	}

xray/audit/jas/iacscanner.go

@@ -8,6 +8,7 @@ import (
 	"github.com/jfrog/jfrog-cli-core/v2/xray/utils"
 	"github.com/jfrog/jfrog-client-go/utils/errorutils"
 	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
+	"github.com/jfrog/jfrog-client-go/utils/log"
 	"github.com/owenrumney/go-sarif/v2/sarif"
 	"gopkg.in/yaml.v2"
 	"os"
@@ -48,12 +49,16 @@ func getIacScanResults(serverDetails *config.ServerDetails, analyzerManager util
 			err = errors.Join(err, cleanupFunc())
 		}
 	}()
+	log.Info("Running IaC scanning...")
 	if err = iacScanManager.run(); err != nil {
 		if utils.IsNotEntitledError(err) || utils.IsUnsupportedCommandError(err) {
 			return nil, false, nil
 		}
 		return nil, true, fmt.Errorf(iacScanFailureMessage, err.Error())
 	}
+	if len(iacScanManager.iacScannerResults) > 0 {
+		log.Info("Found", len(iacScanManager.iacScannerResults), "IaC vulnerabilities")
+	}
 	return iacScanManager.iacScannerResults, true, nil
 }
 

xray/audit/jas/secretsscanner.go

@@ -8,6 +8,7 @@ import (
 	"github.com/jfrog/jfrog-cli-core/v2/xray/utils"
 	"github.com/jfrog/jfrog-client-go/utils/errorutils"
 	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
+	"github.com/jfrog/jfrog-client-go/utils/log"
 	"github.com/owenrumney/go-sarif/v2/sarif"
 	"gopkg.in/yaml.v2"
 	"os"
@@ -49,12 +50,16 @@ func getSecretsScanResults(serverDetails *config.ServerDetails, analyzerManager
 			err = errors.Join(err, cleanupFunc())
 		}
 	}()
+	log.Info("Running secrets scanning...")
 	if err = secretScanManager.run(); err != nil {
 		if utils.IsNotEntitledError(err) || utils.IsUnsupportedCommandError(err) {
 			return nil, false, nil
 		}
 		return nil, true, fmt.Errorf(secScanFailureMessage, err.Error())
 	}
+	if len(secretScanManager.secretsScannerResults) > 0 {
+		log.Info(len(secretScanManager.secretsScannerResults), "secrets were found")
+	}
 	return secretScanManager.secretsScannerResults, true, nil
 }
 

xray/audit/java/gradle.go

@@ -102,21 +102,20 @@ func (dtp *depTreeManager) appendDependenciesPaths(jsonDepTree []byte, fileName
 	return nil
 }
 
-func buildGradleDependencyTree(useWrapper bool, server *config.ServerDetails, depsRepo, releasesRepo string) (dependencyTree []*xrayUtils.GraphNode, err error) {
-	if (server != nil && server.IsEmpty()) || depsRepo == "" {
-		depsRepo, server, err = getGradleConfig()
+func buildGradleDependencyTree(params *DependencyTreeParams) (dependencyTree []*xrayUtils.GraphNode, err error) {
+	manager := &depTreeManager{useWrapper: params.UseWrapper}
+	if params.IgnoreConfigFile {
+		// In case we don't need to use the gradle config file,
+		// use the server and depsRepo values that were usually given from Frogbot
+		manager.depsRepo = params.DepsRepo
+		manager.server = params.Server
+	} else {
+		manager.depsRepo, manager.server, err = getGradleConfig()
 		if err != nil {
 			return
 		}
 	}
 
-	manager := &depTreeManager{
-		server:       server,
-		releasesRepo: releasesRepo,
-		depsRepo:     depsRepo,
-		useWrapper:   useWrapper,
-	}
-
 	outputFileContent, err := manager.runGradleDepTree()
 	if err != nil {
 		return nil, err
@@ -131,10 +130,7 @@ func (dtp *depTreeManager) runGradleDepTree() (outputFileContent []byte, err err
 		return
 	}
 	defer func() {
-		e := fileutils.RemoveTempDir(depTreeDir)
-		if err == nil {
-			err = e
-		}
+		err = errors.Join(err, fileutils.RemoveTempDir(depTreeDir))
 	}()
 
 	if dtp.useWrapper {
@@ -152,23 +148,20 @@ func (dtp *depTreeManager) createDepTreeScriptAndGetDir() (tmpDir string, err er
 	if err != nil {
 		return
 	}
-	if dtp.server != nil {
-		dtp.releasesRepo, dtp.depsRepo, err = getRemoteRepos(dtp.releasesRepo, dtp.depsRepo, dtp.server)
-		if err != nil {
-			return
-		}
+	dtp.releasesRepo, dtp.depsRepo, err = getRemoteRepos(dtp.depsRepo, dtp.server)
+	if err != nil {
+		return
 	}
 	depTreeInitScript := fmt.Sprintf(depTreeInitScript, dtp.releasesRepo, dtp.depsRepo)
 	return tmpDir, errorutils.CheckError(os.WriteFile(filepath.Join(tmpDir, depTreeInitFile), []byte(depTreeInitScript), 0666))
 }
 
 // getRemoteRepos constructs the sections of Artifactory's remote repositories in the gradle-dep-tree init script.
-// releasesRepoName - name of the remote repository that proxies https://releases.jfrog.io
 // depsRemoteRepo - name of the remote repository that proxies the dependencies server, e.g. maven central.
 // server - the Artifactory server details on which the repositories reside in.
 // Returns the constructed sections.
-func getRemoteRepos(releasesRepo, depsRepo string, server *config.ServerDetails) (string, string, error) {
-	constructedReleasesRepo, err := constructReleasesRemoteRepo(releasesRepo, server)
+func getRemoteRepos(depsRepo string, server *config.ServerDetails) (string, string, error) {
+	constructedReleasesRepo, err := constructReleasesRemoteRepo()
 	if err != nil {
 		return "", "", err
 	}
@@ -180,21 +173,20 @@ func getRemoteRepos(releasesRepo, depsRepo string, server *config.ServerDetails)
 	return constructedReleasesRepo, constructedDepsRepo, nil
 }
 
-func constructReleasesRemoteRepo(releasesRepo string, server *config.ServerDetails) (string, error) {
-	releasesServer := server
-	if releasesRepo == "" {
-		// Try to get releases repository from the environment variable
-		serverId, repoName, err := coreutils.GetServerIdAndRepo(coreutils.ReleasesRemoteEnv)
-		if err != nil || serverId == "" || repoName == "" {
-			return "", err
-		}
-		releasesServer, err = config.GetSpecificConfig(serverId, false, true)
-		if err != nil {
-			return "", err
-		}
-		releasesRepo = repoName
+func constructReleasesRemoteRepo() (string, error) {
+	// Try to retrieve the serverID and remote repository that proxies https://releases.jfrog.io, from the environment variable
+	serverId, repoName, err := coreutils.GetServerIdAndRepo(coreutils.ReleasesRemoteEnv)
+	if err != nil || serverId == "" || repoName == "" {
+		return "", err
 	}
-	releasesPath := fmt.Sprintf("%s/%s", releasesRepo, remoteDepTreePath)
+
+	releasesServer, err := config.GetSpecificConfig(serverId, false, true)
+	if err != nil {
+		return "", err
+	}
+
+	releasesPath := fmt.Sprintf("%s/%s", repoName, remoteDepTreePath)
+	log.Debug("The `gradledeptree` will be resolved from", repoName)
 	return getDepTreeArtifactoryRepository(releasesPath, releasesServer)
 }
 
@@ -263,7 +255,7 @@ func populateGradleDependencyTree(currNode *xrayUtils.GraphNode, currNodeChildre
 }
 
 func getDepTreeArtifactoryRepository(remoteRepo string, server *config.ServerDetails) (string, error) {
-	if remoteRepo == "" {
+	if remoteRepo == "" || server.IsEmpty() {
 		return "", nil
 	}
 	pass := server.Password
@@ -283,6 +275,7 @@ func getDepTreeArtifactoryRepository(remoteRepo string, server *config.ServerDet
 		}
 		return "", errors.New(errString)
 	}
+	log.Debug("The project dependencies will be resolved from", server.ArtifactoryUrl, "from the", remoteRepo, "repository")
 	return fmt.Sprintf(artifactoryRepository,
 		strings.TrimSuffix(server.ArtifactoryUrl, "/"),
 		remoteRepo,

xray/audit/java/gradle_test.go

@@ -23,7 +23,7 @@ func TestGradleTreesWithoutConfig(t *testing.T) {
 	assert.NoError(t, os.Chmod(filepath.Join(tempDirPath, "gradlew"), 0700))
 
 	// Run getModulesDependencyTrees
-	modulesDependencyTrees, err := buildGradleDependencyTree(false, nil, "", "")
+	modulesDependencyTrees, err := buildGradleDependencyTree(&DependencyTreeParams{})
 	if assert.NoError(t, err) && assert.NotNil(t, modulesDependencyTrees) {
 		assert.Len(t, modulesDependencyTrees, 5)
 		// Check module
@@ -46,7 +46,7 @@ func TestGradleTreesWithConfig(t *testing.T) {
 	assert.NoError(t, os.Chmod(filepath.Join(tempDirPath, "gradlew"), 0700))
 
 	// Run getModulesDependencyTrees
-	modulesDependencyTrees, err := buildGradleDependencyTree(true, nil, "", "")
+	modulesDependencyTrees, err := buildGradleDependencyTree(&DependencyTreeParams{UseWrapper: true})
 	if assert.NoError(t, err) && assert.NotNil(t, modulesDependencyTrees) {
 		assert.Len(t, modulesDependencyTrees, 5)
 
@@ -70,7 +70,7 @@ func TestGradleTreesExcludeTestDeps(t *testing.T) {
 	assert.NoError(t, os.Chmod(filepath.Join(tempDirPath, "gradlew"), 0700))
 
 	// Run getModulesDependencyTrees
-	modulesDependencyTrees, err := buildGradleDependencyTree(true, nil, "", "")
+	modulesDependencyTrees, err := buildGradleDependencyTree(&DependencyTreeParams{UseWrapper: true})
 	if assert.NoError(t, err) && assert.NotNil(t, modulesDependencyTrees) {
 		assert.Len(t, modulesDependencyTrees, 5)
 
@@ -213,22 +213,15 @@ func TestCreateDepTreeScript(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, fmt.Sprintf(depTreeInitScript, "", ""), string(content))
 	manager.depsRepo = "deps-repo"
-	manager.releasesRepo = "release-repo"
 	manager.server = &config.ServerDetails{
+		Url:            "https://myartifactory.com/",
 		ArtifactoryUrl: "https://myartifactory.com/artifactory",
 		AccessToken:    "my-access-token",
 	}
 	tmpDir, err = manager.createDepTreeScriptAndGetDir()
 	assert.NoError(t, err)
 	expectedInitScript := `initscript {
     repositories { 
-		maven {
-			url "https://myartifactory.com/artifactory/release-repo/artifactory/oss-release-local"
-			credentials {
-				username = ''
-				password = 'my-access-token'
-			}
-		}
 		mavenCentral()
     }
     dependencies {
@@ -264,21 +257,14 @@ func TestConstructReleasesRemoteRepo(t *testing.T) {
 	err := config.SaveServersConf([]*config.ServerDetails{serverDetails})
 	assert.NoError(t, err)
 	defer cleanUp()
-	server := &config.ServerDetails{
-		ArtifactoryUrl: "https://myartifactory.com/artifactory",
-		User:           "myuser",
-		Password:       "mypass",
-	}
 	testCases := []struct {
-		releasesRepo string
 		envVar       string
 		expectedRepo string
 		expectedErr  error
 	}{
-		{releasesRepo: "", envVar: "", expectedRepo: "", expectedErr: nil},
-		{releasesRepo: "", envVar: "test/repo1", expectedRepo: "\n\t\tmaven {\n\t\t\turl \"https://domain.com/artifactory/repo1/artifactory/oss-release-local\"\n\t\t\tcredentials {\n\t\t\t\tusername = 'user'\n\t\t\t\tpassword = 'pass'\n\t\t\t}\n\t\t}", expectedErr: nil},
-		{releasesRepo: "", envVar: "notexist/repo1", expectedRepo: "", expectedErr: errors.New("Server ID 'notexist' does not exist.")},
-		{releasesRepo: "repo2", envVar: "", expectedRepo: "\n\t\tmaven {\n\t\t\turl \"https://myartifactory.com/artifactory/repo2/artifactory/oss-release-local\"\n\t\t\tcredentials {\n\t\t\t\tusername = 'myuser'\n\t\t\t\tpassword = 'mypass'\n\t\t\t}\n\t\t}", expectedErr: nil},
+		{envVar: "", expectedRepo: "", expectedErr: nil},
+		{envVar: "test/repo1", expectedRepo: "\n\t\tmaven {\n\t\t\turl \"https://domain.com/artifactory/repo1/artifactory/oss-release-local\"\n\t\t\tcredentials {\n\t\t\t\tusername = 'user'\n\t\t\t\tpassword = 'pass'\n\t\t\t}\n\t\t}", expectedErr: nil},
+		{envVar: "notexist/repo1", expectedRepo: "", expectedErr: errors.New("Server ID 'notexist' does not exist.")},
 	}
 
 	for _, tc := range testCases {
@@ -289,7 +275,7 @@ func TestConstructReleasesRemoteRepo(t *testing.T) {
 				// Reset the environment variable after each test case
 				assert.NoError(t, os.Unsetenv(coreutils.ReleasesRemoteEnv))
 			}()
-			actualRepo, actualErr := constructReleasesRemoteRepo(tc.releasesRepo, server)
+			actualRepo, actualErr := constructReleasesRemoteRepo()
 			assert.Equal(t, tc.expectedRepo, actualRepo)
 			assert.Equal(t, tc.expectedErr, actualErr)
 		}()

xray/audit/java/javautils.go

@@ -23,10 +23,8 @@ type DependencyTreeParams struct {
 	IgnoreConfigFile bool
 	ExcludeTestDeps  bool
 	UseWrapper       bool
-	JavaProps        map[string]any
 	Server           *config.ServerDetails
 	DepsRepo         string
-	ReleasesRepo     string
 }
 
 func createBuildConfiguration(buildName string) (*artifactoryUtils.BuildConfiguration, func() error) {
@@ -133,17 +131,9 @@ func hasLoop(idsAdded []string, idToAdd string) bool {
 
 func BuildDependencyTree(params *DependencyTreeParams) (modules []*xrayUtils.GraphNode, err error) {
 	if params.Tool == coreutils.Maven {
-		return buildMvnDependencyTree(params.InsecureTls, params.IgnoreConfigFile, params.UseWrapper, params.JavaProps)
+		return buildMvnDependencyTree(params)
 	}
-	server := &config.ServerDetails{}
-	depsRepo := ""
-	releaseRepo := ""
-	if params.IgnoreConfigFile {
-		server = params.Server
-		depsRepo = params.DepsRepo
-		releaseRepo = params.ReleasesRepo
-	}
-	return buildGradleDependencyTree(params.UseWrapper, server, depsRepo, releaseRepo)
+	return buildGradleDependencyTree(params)
 }
 
 type dependencyMultimap struct {