From 8586de701ccd6dfcbd842f86e567864a71abf861 Mon Sep 17 00:00:00 2001 From: Leonardo Fontes Date: Tue, 8 Oct 2024 14:52:50 +0100 Subject: [PATCH 1/9] Fix scs default trigger and update scan config to evaluate scs license --- internal/commands/scan.go | 36 ++++++++++++++++++++++-------------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/internal/commands/scan.go b/internal/commands/scan.go index d1d429779..58f7281a2 100644 --- a/internal/commands/scan.go +++ b/internal/commands/scan.go @@ -106,6 +106,8 @@ const ( ScsSecretDetectionType = "secret-detection" ScsRepoRequiredMsg = "SCS scan failed to start: Scorecard scan is missing required flags, please include in the ast-cli arguments: " + "--scs-repo-url your_repo_url --scs-repo-token your_repo_token" + ScsRepoWarningMsg = "SCS scan warning: Unable to start Scorecard scan due to missing required flags, please include in the ast-cli arguments: " + + "--scs-repo-url your_repo_url --scs-repo-token your_repo_token" ) var ( @@ -781,7 +783,7 @@ func setupScanTypeProjectAndConfig( configArr = append(configArr, containersConfig) } - var SCSConfig, scsErr = addSCSScan(cmd, resubmitConfig, userAllowedEngines[commonParams.EnterpriseSecretsType]) + var SCSConfig, scsErr = addSCSScan(cmd, resubmitConfig, userAllowedEngines[commonParams.EnterpriseSecretsType], userAllowedEngines[commonParams.ScsType]) if scsErr != nil { return scsErr } else if SCSConfig != nil { @@ -993,7 +995,7 @@ func createResubmitConfig(resubmitConfig []wrappers.Config, scsRepoToken, scsRep } return scsConfig } -func addSCSScan(cmd *cobra.Command, resubmitConfig []wrappers.Config, hasEnterpriseSecretsLicense bool) (map[string]interface{}, error) { +func addSCSScan(cmd *cobra.Command, resubmitConfig []wrappers.Config, hasEnterpriseSecretsLicense bool, hasScsLicense bool) (map[string]interface{}, error) { if scanTypeEnabled(commonParams.ScsType) || scanTypeEnabled(commonParams.MicroEnginesType) { scsConfig := wrappers.SCSConfig{} SCSMapConfig := make(map[string]interface{}) @@ -1007,37 +1009,43 @@ func addSCSScan(cmd *cobra.Command, resubmitConfig []wrappers.Config, hasEnterpr SCSMapConfig[resultsMapValue] = &scsConfig return SCSMapConfig, nil } + + scsSecretDetectionSelected := false + scsScoreCardSelected := false + if SCSEngines != "" { SCSEnginesTypes := strings.Split(SCSEngines, ",") for _, engineType := range SCSEnginesTypes { engineType = strings.TrimSpace(engineType) switch engineType { case ScsSecretDetectionType: - if hasEnterpriseSecretsLicense { - scsConfig.Twoms = trueString - } + scsSecretDetectionSelected = true case ScsScoreCardType: - scsConfig.Scorecard = trueString + scsScoreCardSelected = true } } } else { - scsConfig.Scorecard = trueString - if hasEnterpriseSecretsLicense { - scsConfig.Twoms = trueString - } + scsSecretDetectionSelected = true + scsScoreCardSelected = true + } + + if scsSecretDetectionSelected && hasEnterpriseSecretsLicense { + scsConfig.Twoms = trueString } - if scsConfig.Scorecard == trueString { + if scsScoreCardSelected && hasScsLicense { if scsRepoToken != "" && scsRepoURL != "" { + scsConfig.Scorecard = trueString scsConfig.RepoToken = scsRepoToken scsConfig.RepoURL = strings.ToLower(scsRepoURL) } else { if userScanTypes == "" { - fmt.Println(ScsRepoRequiredMsg) - return nil, nil + fmt.Println(ScsRepoWarningMsg) + } else { + return nil, errors.Errorf(ScsRepoRequiredMsg) } - return nil, errors.Errorf(ScsRepoRequiredMsg) } } + SCSMapConfig[resultsMapValue] = &scsConfig return SCSMapConfig, nil } From 4e0244dde5964670d456a6e190da34dfaebdbd84 Mon Sep 17 00:00:00 2001 From: Leonardo Fontes Date: Tue, 8 Oct 2024 15:26:27 +0100 Subject: [PATCH 2/9] Update secret detection license logic --- internal/commands/scan.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/commands/scan.go b/internal/commands/scan.go index 3ef316bcb..0a712cf27 100644 --- a/internal/commands/scan.go +++ b/internal/commands/scan.go @@ -1029,7 +1029,7 @@ func addSCSScan(cmd *cobra.Command, resubmitConfig []wrappers.Config, hasEnterpr scsScoreCardSelected = true } - if scsSecretDetectionSelected && hasEnterpriseSecretsLicense { + if scsSecretDetectionSelected && hasScsLicense && hasEnterpriseSecretsLicense { scsConfig.Twoms = trueString } if scsScoreCardSelected && hasScsLicense { From 995b0bf2f6c6b36e04be521256270373498090bd Mon Sep 17 00:00:00 2001 From: Leonardo Fontes Date: Tue, 8 Oct 2024 17:03:51 +0100 Subject: [PATCH 3/9] Added extra validation step to not run scs scan when both scs engines are not enabled --- internal/commands/scan.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/internal/commands/scan.go b/internal/commands/scan.go index 0a712cf27..5f6d3620f 100644 --- a/internal/commands/scan.go +++ b/internal/commands/scan.go @@ -1045,6 +1045,9 @@ func addSCSScan(cmd *cobra.Command, resubmitConfig []wrappers.Config, hasEnterpr } } } + if scsConfig.Scorecard != trueString && scsConfig.Twoms != trueString { + return nil, nil + } SCSMapConfig[resultsMapValue] = &scsConfig return SCSMapConfig, nil From 458fee01ad93f01fea9a56c053d41645748710f3 Mon Sep 17 00:00:00 2001 From: Leonardo Fontes Date: Tue, 8 Oct 2024 17:38:01 +0100 Subject: [PATCH 4/9] Updated tests --- internal/commands/scan_test.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/internal/commands/scan_test.go b/internal/commands/scan_test.go index 0a56790c0..31838b128 100644 --- a/internal/commands/scan_test.go +++ b/internal/commands/scan_test.go @@ -689,7 +689,7 @@ func TestAddSCSScan_ResubmitWithOutScorecardFlags_ShouldPass(t *testing.T) { }, } - result, _ := addSCSScan(cmdCommand, resubmitConfig, true) + result, _ := addSCSScan(cmdCommand, resubmitConfig, true, true) expectedConfig := wrappers.SCSConfig{ Twoms: trueString, @@ -730,7 +730,7 @@ func TestAddSCSScan_ResubmitWithScorecardFlags_ShouldPass(t *testing.T) { }, } - result, _ := addSCSScan(cmdCommand, resubmitConfig, true) + result, _ := addSCSScan(cmdCommand, resubmitConfig, true, true) expectedConfig := wrappers.SCSConfig{ Twoms: "true", @@ -906,7 +906,7 @@ func TestCreateScan_WithSCSSecretDetectionAndScorecard_scsMapHasBoth(t *testing. _ = cmdCommand.Flags().Set(commonParams.SCSRepoTokenFlag, dummyToken) _ = cmdCommand.Flags().Set(commonParams.SCSRepoURLFlag, dummyRepo) - result, _ := addSCSScan(cmdCommand, resubmitConfig, true) + result, _ := addSCSScan(cmdCommand, resubmitConfig, true, true) scsConfig := wrappers.SCSConfig{ Twoms: "true", @@ -934,7 +934,7 @@ func TestCreateScan_WithoutSCSSecretDetection_scsMapNoSecretDetection(t *testing _ = cmdCommand.Execute() _ = cmdCommand.Flags().Set(commonParams.SCSEnginesFlag, "secret-detection") - result, _ := addSCSScan(cmdCommand, resubmitConfig, false) + result, _ := addSCSScan(cmdCommand, resubmitConfig, false, true) scsConfig := wrappers.SCSConfig{ Twoms: "", @@ -959,7 +959,7 @@ func TestCreateScan_WithSCSSecretDetection_scsMapHasSecretDetection(t *testing.T _ = cmdCommand.Execute() _ = cmdCommand.Flags().Set(commonParams.SCSEnginesFlag, "secret-detection") - result, _ := addSCSScan(cmdCommand, resubmitConfig, true) + result, _ := addSCSScan(cmdCommand, resubmitConfig, true, true) scsConfig := wrappers.SCSConfig{ Twoms: "true", From 9cff064d0551fe365a185745430d324d2745ef35 Mon Sep 17 00:00:00 2001 From: Leonardo Fontes Date: Tue, 8 Oct 2024 18:10:31 +0100 Subject: [PATCH 5/9] Revert scs license parameter --- internal/commands/scan.go | 8 ++++---- internal/commands/scan_test.go | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/internal/commands/scan.go b/internal/commands/scan.go index 5f6d3620f..885b2588c 100644 --- a/internal/commands/scan.go +++ b/internal/commands/scan.go @@ -783,7 +783,7 @@ func setupScanTypeProjectAndConfig( configArr = append(configArr, containersConfig) } - var SCSConfig, scsErr = addSCSScan(cmd, resubmitConfig, userAllowedEngines[commonParams.EnterpriseSecretsType], userAllowedEngines[commonParams.ScsType]) + var SCSConfig, scsErr = addSCSScan(cmd, resubmitConfig, userAllowedEngines[commonParams.EnterpriseSecretsType]) if scsErr != nil { return scsErr } else if SCSConfig != nil { @@ -995,7 +995,7 @@ func createResubmitConfig(resubmitConfig []wrappers.Config, scsRepoToken, scsRep } return scsConfig } -func addSCSScan(cmd *cobra.Command, resubmitConfig []wrappers.Config, hasEnterpriseSecretsLicense bool, hasScsLicense bool) (map[string]interface{}, error) { +func addSCSScan(cmd *cobra.Command, resubmitConfig []wrappers.Config, hasEnterpriseSecretsLicense bool) (map[string]interface{}, error) { if scanTypeEnabled(commonParams.ScsType) || scanTypeEnabled(commonParams.MicroEnginesType) { scsConfig := wrappers.SCSConfig{} SCSMapConfig := make(map[string]interface{}) @@ -1029,10 +1029,10 @@ func addSCSScan(cmd *cobra.Command, resubmitConfig []wrappers.Config, hasEnterpr scsScoreCardSelected = true } - if scsSecretDetectionSelected && hasScsLicense && hasEnterpriseSecretsLicense { + if scsSecretDetectionSelected && hasEnterpriseSecretsLicense { scsConfig.Twoms = trueString } - if scsScoreCardSelected && hasScsLicense { + if scsScoreCardSelected { if scsRepoToken != "" && scsRepoURL != "" { scsConfig.Scorecard = trueString scsConfig.RepoToken = scsRepoToken diff --git a/internal/commands/scan_test.go b/internal/commands/scan_test.go index 31838b128..0a56790c0 100644 --- a/internal/commands/scan_test.go +++ b/internal/commands/scan_test.go @@ -689,7 +689,7 @@ func TestAddSCSScan_ResubmitWithOutScorecardFlags_ShouldPass(t *testing.T) { }, } - result, _ := addSCSScan(cmdCommand, resubmitConfig, true, true) + result, _ := addSCSScan(cmdCommand, resubmitConfig, true) expectedConfig := wrappers.SCSConfig{ Twoms: trueString, @@ -730,7 +730,7 @@ func TestAddSCSScan_ResubmitWithScorecardFlags_ShouldPass(t *testing.T) { }, } - result, _ := addSCSScan(cmdCommand, resubmitConfig, true, true) + result, _ := addSCSScan(cmdCommand, resubmitConfig, true) expectedConfig := wrappers.SCSConfig{ Twoms: "true", @@ -906,7 +906,7 @@ func TestCreateScan_WithSCSSecretDetectionAndScorecard_scsMapHasBoth(t *testing. _ = cmdCommand.Flags().Set(commonParams.SCSRepoTokenFlag, dummyToken) _ = cmdCommand.Flags().Set(commonParams.SCSRepoURLFlag, dummyRepo) - result, _ := addSCSScan(cmdCommand, resubmitConfig, true, true) + result, _ := addSCSScan(cmdCommand, resubmitConfig, true) scsConfig := wrappers.SCSConfig{ Twoms: "true", @@ -934,7 +934,7 @@ func TestCreateScan_WithoutSCSSecretDetection_scsMapNoSecretDetection(t *testing _ = cmdCommand.Execute() _ = cmdCommand.Flags().Set(commonParams.SCSEnginesFlag, "secret-detection") - result, _ := addSCSScan(cmdCommand, resubmitConfig, false, true) + result, _ := addSCSScan(cmdCommand, resubmitConfig, false) scsConfig := wrappers.SCSConfig{ Twoms: "", @@ -959,7 +959,7 @@ func TestCreateScan_WithSCSSecretDetection_scsMapHasSecretDetection(t *testing.T _ = cmdCommand.Execute() _ = cmdCommand.Flags().Set(commonParams.SCSEnginesFlag, "secret-detection") - result, _ := addSCSScan(cmdCommand, resubmitConfig, true, true) + result, _ := addSCSScan(cmdCommand, resubmitConfig, true) scsConfig := wrappers.SCSConfig{ Twoms: "true", From 2655782bc5ea3a160457a187f2bc51daaefd9e78 Mon Sep 17 00:00:00 2001 From: Leonardo Fontes Date: Wed, 9 Oct 2024 16:37:22 +0100 Subject: [PATCH 6/9] Updated unit and integration tests --- internal/commands/scan_test.go | 11 +++++++++-- test/integration/scan_test.go | 11 +++++++---- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/internal/commands/scan_test.go b/internal/commands/scan_test.go index 0a56790c0..0659433ae 100644 --- a/internal/commands/scan_test.go +++ b/internal/commands/scan_test.go @@ -931,13 +931,20 @@ func TestCreateScan_WithoutSCSSecretDetection_scsMapNoSecretDetection(t *testing Long: `Scan a project`, } cmdCommand.PersistentFlags().String(commonParams.SCSEnginesFlag, "", "SCS Engine flag") + cmdCommand.PersistentFlags().String(commonParams.SCSRepoTokenFlag, "", "GitHub token to be used with SCS engines") + cmdCommand.PersistentFlags().String(commonParams.SCSRepoURLFlag, "", "GitHub url to be used with SCS engines") _ = cmdCommand.Execute() - _ = cmdCommand.Flags().Set(commonParams.SCSEnginesFlag, "secret-detection") + _ = cmdCommand.Flags().Set(commonParams.SCSEnginesFlag, "secret-detection,scorecard") + _ = cmdCommand.Flags().Set(commonParams.SCSRepoTokenFlag, dummyToken) + _ = cmdCommand.Flags().Set(commonParams.SCSRepoURLFlag, dummyRepo) result, _ := addSCSScan(cmdCommand, resubmitConfig, false) scsConfig := wrappers.SCSConfig{ - Twoms: "", + Twoms: "", + Scorecard: "true", + RepoURL: dummyRepo, + RepoToken: dummyToken, } scsMapConfig := make(map[string]interface{}) scsMapConfig[resultsMapType] = commonParams.MicroEnginesType diff --git a/test/integration/scan_test.go b/test/integration/scan_test.go index 7a03786b1..a8aacfcf9 100644 --- a/test/integration/scan_test.go +++ b/test/integration/scan_test.go @@ -1744,7 +1744,7 @@ func TestCreateScan_WithTypeScs_Success(t *testing.T) { executeCmdWithTimeOutNilAssertion(t, "SCS scan must complete successfully", 4*time.Minute, args...) } -func TestCreateScan_WithNoScanTypesFlag_SuccessAndScsNotScanned(t *testing.T) { +func TestCreateScan_WithNoScanTypesScsFlagsNotPresent_SuccessAndScsScannedWithoutScorecard(t *testing.T) { _, projectName := getRootProject(t) args := []string{ @@ -1752,11 +1752,14 @@ func TestCreateScan_WithNoScanTypesFlag_SuccessAndScsNotScanned(t *testing.T) { flag(params.ProjectName), projectName, flag(params.SourcesFlag), Zip, flag(params.BranchFlag), "main", - flag(params.SCSRepoTokenFlag), scsRepoToken, } - output := executeCmdWithTimeOutNilAssertion(t, "Scan must complete successfully if no scan-types specified, even if missing scs-repo flags", timeout, args...) - assert.Assert(t, !strings.Contains(output.String(), params.ScsType), "Scs scan must not run if all required flags are not provided") + patternWithoutScorecard := `Scorecard[-\s]+\|` + + output := executeCmdWithTimeOutNilAssertion(t, "Scan must complete successfully without scorecard if no scan-types specified and with missing scs-repo flags", timeout, args...) + assert.Assert(t, strings.Contains(output.String(), commands.ScsRepoWarningMsg), "Should give warning about missing scs-repo flags") + assert.Assert(t, strings.Contains(output.String(), params.ScsType), "Scs scan should run") + assert.Regexp(t, patternWithoutScorecard, output.String(), "Scorecard should not run if all required flags are not provided") } func TestCreateScan_WithNoScanTypesFlagButScsFlagsPresent_SuccessAndScsScanned(t *testing.T) { From 928e35b34ae586127d2dfd26f05a21093dea0ca4 Mon Sep 17 00:00:00 2001 From: Leonardo Fontes Date: Wed, 9 Oct 2024 17:01:19 +0100 Subject: [PATCH 7/9] Updated integration test --- test/integration/scan_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/integration/scan_test.go b/test/integration/scan_test.go index a8aacfcf9..a5fdfce26 100644 --- a/test/integration/scan_test.go +++ b/test/integration/scan_test.go @@ -1754,12 +1754,12 @@ func TestCreateScan_WithNoScanTypesScsFlagsNotPresent_SuccessAndScsScannedWithou flag(params.BranchFlag), "main", } - patternWithoutScorecard := `Scorecard[-\s]+\|` + withoutScorecard := `| Scorecard - - - - - - |` - output := executeCmdWithTimeOutNilAssertion(t, "Scan must complete successfully without scorecard if no scan-types specified and with missing scs-repo flags", timeout, args...) + output := executeCmdWithTimeOutNilAssertion(t, "Scan must complete successfully if no scan-types specified and with missing scs-repo flags", timeout, args...) assert.Assert(t, strings.Contains(output.String(), commands.ScsRepoWarningMsg), "Should give warning about missing scs-repo flags") assert.Assert(t, strings.Contains(output.String(), params.ScsType), "Scs scan should run") - assert.Regexp(t, patternWithoutScorecard, output.String(), "Scorecard should not run if all required flags are not provided") + assert.Assert(t, strings.Contains(output.String(), withoutScorecard), "Scorecard should not run") } func TestCreateScan_WithNoScanTypesFlagButScsFlagsPresent_SuccessAndScsScanned(t *testing.T) { From bc0eb1ee472c4a5ca06f084201a924772d779f72 Mon Sep 17 00:00:00 2001 From: Leonardo Fontes Date: Wed, 9 Oct 2024 18:06:56 +0100 Subject: [PATCH 8/9] Updated integration test 2 --- test/integration/scan_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test/integration/scan_test.go b/test/integration/scan_test.go index a5fdfce26..0df0fabd0 100644 --- a/test/integration/scan_test.go +++ b/test/integration/scan_test.go @@ -1754,10 +1754,9 @@ func TestCreateScan_WithNoScanTypesScsFlagsNotPresent_SuccessAndScsScannedWithou flag(params.BranchFlag), "main", } - withoutScorecard := `| Scorecard - - - - - - |` + withoutScorecard := "| Scorecard - - - - - - |" output := executeCmdWithTimeOutNilAssertion(t, "Scan must complete successfully if no scan-types specified and with missing scs-repo flags", timeout, args...) - assert.Assert(t, strings.Contains(output.String(), commands.ScsRepoWarningMsg), "Should give warning about missing scs-repo flags") assert.Assert(t, strings.Contains(output.String(), params.ScsType), "Scs scan should run") assert.Assert(t, strings.Contains(output.String(), withoutScorecard), "Scorecard should not run") } From 10c53f9c807790ad06573be4033e408c1ddcba88 Mon Sep 17 00:00:00 2001 From: Leonardo Fontes Date: Thu, 10 Oct 2024 10:00:28 +0100 Subject: [PATCH 9/9] Updated integration test 3 --- test/integration/scan_test.go | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/test/integration/scan_test.go b/test/integration/scan_test.go index 0df0fabd0..b01834551 100644 --- a/test/integration/scan_test.go +++ b/test/integration/scan_test.go @@ -1744,7 +1744,7 @@ func TestCreateScan_WithTypeScs_Success(t *testing.T) { executeCmdWithTimeOutNilAssertion(t, "SCS scan must complete successfully", 4*time.Minute, args...) } -func TestCreateScan_WithNoScanTypesScsFlagsNotPresent_SuccessAndScsScannedWithoutScorecard(t *testing.T) { +func TestCreateScan_WithNoScanTypesAndScsFlagsNotPresent_SuccessAndScsScanned(t *testing.T) { _, projectName := getRootProject(t) args := []string{ @@ -1754,11 +1754,8 @@ func TestCreateScan_WithNoScanTypesScsFlagsNotPresent_SuccessAndScsScannedWithou flag(params.BranchFlag), "main", } - withoutScorecard := "| Scorecard - - - - - - |" - output := executeCmdWithTimeOutNilAssertion(t, "Scan must complete successfully if no scan-types specified and with missing scs-repo flags", timeout, args...) - assert.Assert(t, strings.Contains(output.String(), params.ScsType), "Scs scan should run") - assert.Assert(t, strings.Contains(output.String(), withoutScorecard), "Scorecard should not run") + assert.Assert(t, strings.Contains(output.String(), params.ScsType), "SCS scan should run") } func TestCreateScan_WithNoScanTypesFlagButScsFlagsPresent_SuccessAndScsScanned(t *testing.T) {