Skip to content

Commit

Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'dev' into fix-race-condition-bug
Browse files Browse the repository at this point in the history
yahavi authored Nov 29, 2023
2 parents 2d43469 + c65b1db commit 220b96b
Showing 2 changed files with 61 additions and 45 deletions.
71 changes: 38 additions & 33 deletions xray/commands/audit/jas/applicability/applicabilitymanager.go
Original file line number Diff line number Diff line change
@@ -25,6 +25,7 @@ const (
type ApplicabilityScanManager struct {
applicabilityScanResults []*sarif.Run
directDependenciesCves []string
indirectDependenciesCves []string
xrayResults []services.ScanResponse
scanner *jas.JasScanner
thirdPartyScan bool
@@ -55,42 +56,48 @@ func RunApplicabilityScan(xrayResults []services.ScanResponse, directDependencie
}

func newApplicabilityScanManager(xrayScanResults []services.ScanResponse, directDependencies []string, scanner *jas.JasScanner, thirdPartyScan bool) (manager *ApplicabilityScanManager) {
directDependenciesCves := extractDirectDependenciesCvesFromScan(xrayScanResults, directDependencies)
directDependenciesCves, indirectDependenciesCves := extractDependenciesCvesFromScan(xrayScanResults, directDependencies)
return &ApplicabilityScanManager{
applicabilityScanResults: []*sarif.Run{},
directDependenciesCves: directDependenciesCves,
indirectDependenciesCves: indirectDependenciesCves,
xrayResults: xrayScanResults,
scanner: scanner,
thirdPartyScan: thirdPartyScan,
}
}

// This function gets a list of xray scan responses that contain direct and indirect vulnerabilities and returns only direct
// vulnerabilities of the scanned project, ignoring indirect vulnerabilities
func extractDirectDependenciesCvesFromScan(xrayScanResults []services.ScanResponse, directDependencies []string) []string {
directsCves := datastructures.MakeSet[string]()
func addCvesToSet(cves []services.Cve, set *datastructures.Set[string]) {
for _, cve := range cves {
if cve.Id != "" {
set.Add(cve.Id)
}
}
}

// This function gets a list of xray scan responses that contain direct and indirect vulnerabilities and returns separate
// lists of the direct and indirect CVEs
func extractDependenciesCvesFromScan(xrayScanResults []services.ScanResponse, directDependencies []string) (directCves []string, indirectCves []string) {
directCvesSet := datastructures.MakeSet[string]()
indirectCvesSet := datastructures.MakeSet[string]()
for _, scanResult := range xrayScanResults {
for _, vulnerability := range scanResult.Vulnerabilities {
if isDirectComponents(maps.Keys(vulnerability.Components), directDependencies) {
for _, cve := range vulnerability.Cves {
if cve.Id != "" {
directsCves.Add(cve.Id)
}
}
addCvesToSet(vulnerability.Cves, directCvesSet)
} else {
addCvesToSet(vulnerability.Cves, indirectCvesSet)
}
}
for _, violation := range scanResult.Violations {
if isDirectComponents(maps.Keys(violation.Components), directDependencies) {
for _, cve := range violation.Cves {
if cve.Id != "" {
directsCves.Add(cve.Id)
}
}
addCvesToSet(violation.Cves, directCvesSet)
} else {
addCvesToSet(violation.Cves, indirectCvesSet)
}
}
}

return directsCves.ToSlice()
return directCvesSet.ToSlice(), indirectCvesSet.ToSlice()
}

func isDirectComponents(components []string, directDependencies []string) bool {
@@ -125,25 +132,22 @@ func (asm *ApplicabilityScanManager) Run(module jfrogappsconfig.Module) (err err
return
}

func (asm *ApplicabilityScanManager) directDependenciesExist() bool {
return len(asm.directDependenciesCves) > 0
}

func (asm *ApplicabilityScanManager) shouldRunApplicabilityScan(technologies []coreutils.Technology) bool {
return asm.directDependenciesExist() && coreutils.ContainsApplicabilityScannableTech(technologies)
return coreutils.ContainsApplicabilityScannableTech(technologies)
}

type applicabilityScanConfig struct {
Scans []scanConfiguration `yaml:"scans"`
}

type scanConfiguration struct {
Roots []string `yaml:"roots"`
Output string `yaml:"output"`
Type string `yaml:"type"`
GrepDisable bool `yaml:"grep-disable"`
CveWhitelist []string `yaml:"cve-whitelist"`
SkippedDirs []string `yaml:"skipped-folders"`
Roots []string `yaml:"roots"`
Output string `yaml:"output"`
Type string `yaml:"type"`
GrepDisable bool `yaml:"grep-disable"`
CveWhitelist []string `yaml:"cve-whitelist"`
IndirectCveWhitelist []string `yaml:"indirect-cve-whitelist"`
SkippedDirs []string `yaml:"skipped-folders"`
}

func (asm *ApplicabilityScanManager) createConfigFile(module jfrogappsconfig.Module) error {
@@ -159,12 +163,13 @@ func (asm *ApplicabilityScanManager) createConfigFile(module jfrogappsconfig.Mod
configFileContent := applicabilityScanConfig{
Scans: []scanConfiguration{
{
Roots: roots,
Output: asm.scanner.ResultsFileName,
Type: applicabilityScanType,
GrepDisable: false,
CveWhitelist: asm.directDependenciesCves,
SkippedDirs: excludePatterns,
Roots: roots,
Output: asm.scanner.ResultsFileName,
Type: applicabilityScanType,
GrepDisable: false,
CveWhitelist: asm.directDependenciesCves,
IndirectCveWhitelist: asm.indirectDependenciesCves,
SkippedDirs: excludePatterns,
},
},
}
35 changes: 23 additions & 12 deletions xray/commands/audit/jas/applicability/applicabilitymanager_test.go
Original file line number Diff line number Diff line change
@@ -172,7 +172,7 @@ func TestApplicabilityScanManager_ShouldRun_ScanResultsAreEmpty(t *testing.T) {
applicabilityManager := newApplicabilityScanManager(nil, mockDirectDependencies, scanner, false)

// Assert
eligible := applicabilityManager.shouldRunApplicabilityScan([]coreutils.Technology{coreutils.Npm})
eligible := applicabilityManager.shouldRunApplicabilityScan([]coreutils.Technology{coreutils.Nuget})
assert.False(t, eligible)
}

@@ -188,23 +188,28 @@ func TestExtractXrayDirectViolations(t *testing.T) {
}
tests := []struct {
directDependencies []string
cvesCount int
directCvesCount int
indirectCvesCount int
}{
{directDependencies: []string{"issueId_2_direct_dependency", "issueId_1_direct_dependency"},
cvesCount: 2,
directCvesCount: 2,
indirectCvesCount: 0,
},
// Vulnerability dependency, should be ignored by function
{directDependencies: []string{"issueId_1_direct_dependency"},
cvesCount: 0,
directCvesCount: 0,
indirectCvesCount: 2,
},
{directDependencies: []string{},
cvesCount: 0,
directCvesCount: 0,
indirectCvesCount: 2,
},
}

for _, test := range tests {
cves := extractDirectDependenciesCvesFromScan(xrayResponseForDirectViolationsTest, test.directDependencies)
assert.Len(t, cves, test.cvesCount)
directCves, indirectCves := extractDependenciesCvesFromScan(xrayResponseForDirectViolationsTest, test.directDependencies)
assert.Len(t, directCves, test.directCvesCount)
assert.Len(t, indirectCves, test.indirectCvesCount)
}
}

@@ -228,23 +233,29 @@ func TestExtractXrayDirectVulnerabilities(t *testing.T) {
}
tests := []struct {
directDependencies []string
cvesCount int
directCvesCount int
indirectCvesCount int
}{
{
directDependencies: []string{"issueId_1_direct_dependency"},
cvesCount: 3,
directCvesCount: 3,
indirectCvesCount: 2,
},
{
directDependencies: []string{"issueId_2_direct_dependency"},
cvesCount: 2,
directCvesCount: 2,
indirectCvesCount: 3,
},
{directDependencies: []string{},
cvesCount: 0,
directCvesCount: 0,
indirectCvesCount: 5,
},
}

for _, test := range tests {
assert.Len(t, extractDirectDependenciesCvesFromScan(xrayResponseForDirectVulnerabilitiesTest, test.directDependencies), test.cvesCount)
directCves, indirectCves := extractDependenciesCvesFromScan(xrayResponseForDirectVulnerabilitiesTest, test.directDependencies)
assert.Len(t, directCves, test.directCvesCount)
assert.Len(t, indirectCves, test.indirectCvesCount)
}
}

0 comments on commit 220b96b

Please sign in to comment.