Improve audit data handling (#936)

xray/commands/audit/audit.go

@@ -165,6 +165,7 @@ func RunAudit(auditParams *AuditParams) (results *Results, err error) {
 	if err = clientutils.ValidateMinimumVersion(clientutils.Xray, auditParams.xrayVersion, scangraph.GraphScanMinXrayVersion); err != nil {
 		return
 	}
+	results.ExtendedScanResults.XrayVersion = auditParams.xrayVersion
 	results.ExtendedScanResults.EntitledForJas, err = isEntitledForJas(xrayManager, auditParams.xrayVersion)
 	if err != nil {
 		return

xray/commands/audit/jas/applicability/applicabilitymanager.go

@@ -1,14 +1,13 @@
 package applicability
 
 import (
-	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas"
 	"path/filepath"
-	"strings"
+
+	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas"
 
 	"github.com/jfrog/gofrog/datastructures"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 	"github.com/jfrog/jfrog-cli-core/v2/xray/utils"
-	"github.com/jfrog/jfrog-client-go/utils/errorutils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
 	"github.com/jfrog/jfrog-client-go/xray/services"
 	"github.com/owenrumney/go-sarif/v2/sarif"
@@ -22,7 +21,7 @@ const (
 )
 
 type ApplicabilityScanManager struct {
-	applicabilityScanResults map[string]utils.ApplicabilityStatus
+	applicabilityScanResults []*sarif.Run
 	directDependenciesCves   []string
 	xrayResults              []services.ScanResponse
 	scanner                  *jas.JasScanner
@@ -38,7 +37,7 @@ type ApplicabilityScanManager struct {
 // bool: true if the user is entitled to the applicability scan, false otherwise.
 // error: An error object (if any).
 func RunApplicabilityScan(xrayResults []services.ScanResponse, directDependencies []string,
-	scannedTechnologies []coreutils.Technology, scanner *jas.JasScanner) (results map[string]utils.ApplicabilityStatus, err error) {
+	scannedTechnologies []coreutils.Technology, scanner *jas.JasScanner) (results []*sarif.Run, err error) {
 	applicabilityScanManager := newApplicabilityScanManager(xrayResults, directDependencies, scanner)
 	if !applicabilityScanManager.shouldRunApplicabilityScan(scannedTechnologies) {
 		log.Debug("The technologies that have been scanned are currently not supported for contextual analysis scanning, or we couldn't find any vulnerable direct dependencies. Skipping....")
@@ -55,7 +54,7 @@ func RunApplicabilityScan(xrayResults []services.ScanResponse, directDependencie
 func newApplicabilityScanManager(xrayScanResults []services.ScanResponse, directDependencies []string, scanner *jas.JasScanner) (manager *ApplicabilityScanManager) {
 	directDependenciesCves := extractDirectDependenciesCvesFromScan(xrayScanResults, directDependencies)
 	return &ApplicabilityScanManager{
-		applicabilityScanResults: map[string]utils.ApplicabilityStatus{},
+		applicabilityScanResults: []*sarif.Run{},
 		directDependenciesCves:   directDependenciesCves,
 		xrayResults:              xrayScanResults,
 		scanner:                  scanner,
@@ -111,13 +110,11 @@ func (asm *ApplicabilityScanManager) Run(wd string) (err error) {
 	if err = asm.runAnalyzerManager(); err != nil {
 		return
 	}
-	var workingDirResults map[string]utils.ApplicabilityStatus
-	if workingDirResults, err = asm.getScanResults(); err != nil {
+	workingDirResults, err := jas.ReadJasScanRunsFromFile(asm.scanner.ResultsFileName, wd)
+	if err != nil {
 		return
 	}
-	for cve, result := range workingDirResults {
-		asm.applicabilityScanResults[cve] = result
-	}
+	asm.applicabilityScanResults = append(asm.applicabilityScanResults, workingDirResults...)
 	return
 }
 
@@ -163,37 +160,3 @@ func (asm *ApplicabilityScanManager) createConfigFile(workingDir string) error {
 func (asm *ApplicabilityScanManager) runAnalyzerManager() error {
 	return asm.scanner.AnalyzerManager.Exec(asm.scanner.ConfigFileName, applicabilityScanCommand, filepath.Dir(asm.scanner.AnalyzerManager.AnalyzerManagerFullPath), asm.scanner.ServerDetails)
 }
-
-func (asm *ApplicabilityScanManager) getScanResults() (applicabilityResults map[string]utils.ApplicabilityStatus, err error) {
-	applicabilityResults = make(map[string]utils.ApplicabilityStatus, len(asm.directDependenciesCves))
-	for _, cve := range asm.directDependenciesCves {
-		applicabilityResults[cve] = utils.ApplicabilityUndetermined
-	}
-
-	report, err := sarif.Open(asm.scanner.ResultsFileName)
-	if errorutils.CheckError(err) != nil || len(report.Runs) == 0 {
-		return
-	}
-	// Applicability results contains one run only
-	for _, sarifResult := range report.Runs[0].Results {
-		cve := getCveFromRuleId(*sarifResult.RuleID)
-		if _, exists := applicabilityResults[cve]; !exists {
-			err = errorutils.CheckErrorf("received unexpected CVE: '%s' from RuleID: '%s' that does not exists on the requested CVEs list", cve, *sarifResult.RuleID)
-			return
-		}
-		applicabilityResults[cve] = resultKindToApplicabilityStatus(sarifResult.Kind)
-	}
-	return
-}
-
-// Gets a result of one CVE from the scanner, and returns true if the CVE is applicable, false otherwise
-func resultKindToApplicabilityStatus(kind *string) utils.ApplicabilityStatus {
-	if !(kind != nil && *kind == "pass") {
-		return utils.Applicable
-	}
-	return utils.NotApplicable
-}
-
-func getCveFromRuleId(sarifRuleId string) string {
-	return strings.TrimPrefix(sarifRuleId, "applic_")
-}

xray/commands/audit/jas/applicability/applicabilitymanager_test.go

@@ -3,7 +3,6 @@ package applicability
 import (
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/jas"
-	"github.com/jfrog/jfrog-cli-core/v2/xray/utils"
 	"github.com/jfrog/jfrog-client-go/xray/services"
 	"github.com/stretchr/testify/assert"
 	"os"
@@ -276,13 +275,12 @@ func TestParseResults_EmptyResults_AllCvesShouldGetUnknown(t *testing.T) {
 	applicabilityManager.scanner.ResultsFileName = filepath.Join(jas.GetTestDataPath(), "applicability-scan", "empty-results.sarif")
 
 	// Act
-	results, err := applicabilityManager.getScanResults()
+	var err error
+	applicabilityManager.applicabilityScanResults, err = jas.ReadJasScanRunsFromFile(applicabilityManager.scanner.ResultsFileName, scanner.WorkingDirs[0])
 
-	// Assert
-	assert.NoError(t, err)
-	assert.Equal(t, 5, len(results))
-	for _, cveResult := range results {
-		assert.Equal(t, utils.ApplicabilityUndetermined, cveResult)
+	if assert.NoError(t, err) {
+		assert.Len(t, applicabilityManager.applicabilityScanResults, 1)
+		assert.Empty(t, applicabilityManager.applicabilityScanResults[0].Results)
 	}
 }
 
@@ -294,13 +292,13 @@ func TestParseResults_ApplicableCveExist(t *testing.T) {
 	applicabilityManager.scanner.ResultsFileName = filepath.Join(jas.GetTestDataPath(), "applicability-scan", "applicable-cve-results.sarif")
 
 	// Act
-	results, err := applicabilityManager.getScanResults()
+	var err error
+	applicabilityManager.applicabilityScanResults, err = jas.ReadJasScanRunsFromFile(applicabilityManager.scanner.ResultsFileName, scanner.WorkingDirs[0])
 
-	// Assert
-	assert.NoError(t, err)
-	assert.Equal(t, 5, len(results))
-	assert.Equal(t, utils.Applicable, results["testCve1"])
-	assert.Equal(t, utils.NotApplicable, results["testCve3"])
+	if assert.NoError(t, err) && assert.NotNil(t, applicabilityManager.applicabilityScanResults) {
+		assert.Len(t, applicabilityManager.applicabilityScanResults, 1)
+		assert.NotEmpty(t, applicabilityManager.applicabilityScanResults[0].Results)
+	}
 }
 
 func TestParseResults_AllCvesNotApplicable(t *testing.T) {
@@ -311,12 +309,11 @@ func TestParseResults_AllCvesNotApplicable(t *testing.T) {
 	applicabilityManager.scanner.ResultsFileName = filepath.Join(jas.GetTestDataPath(), "applicability-scan", "no-applicable-cves-results.sarif")
 
 	// Act
-	results, err := applicabilityManager.getScanResults()
+	var err error
+	applicabilityManager.applicabilityScanResults, err = jas.ReadJasScanRunsFromFile(applicabilityManager.scanner.ResultsFileName, scanner.WorkingDirs[0])
 
-	// Assert
-	assert.NoError(t, err)
-	assert.Equal(t, 5, len(results))
-	for _, cveResult := range results {
-		assert.Equal(t, utils.NotApplicable, cveResult)
+	if assert.NoError(t, err) && assert.NotNil(t, applicabilityManager.applicabilityScanResults) {
+		assert.Len(t, applicabilityManager.applicabilityScanResults, 1)
+		assert.NotEmpty(t, applicabilityManager.applicabilityScanResults[0].Results)
 	}
 }

xray/commands/audit/jas/common.go

@@ -2,6 +2,11 @@ package jas
 
 import (
 	"errors"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
 	rtutils "github.com/jfrog/jfrog-cli-core/v2/artifactory/utils"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
@@ -12,14 +17,19 @@ import (
 	"github.com/owenrumney/go-sarif/v2/sarif"
 	"github.com/stretchr/testify/assert"
 	"gopkg.in/yaml.v3"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
 )
 
 var (
 	SkippedDirs = []string{"**/*test*/**", "**/*venv*/**", "**/*node_modules*/**", "**/*target*/**"}
+
+	mapSeverityToScore = map[string]string{
+		"":         "0.0",
+		"unknown":  "0.0",
+		"low":      "3.9",
+		"medium":   "6.9",
+		"high":     "8.9",
+		"critical": "10",
+	}
 )
 
 type JasScanner struct {
@@ -88,46 +98,54 @@ func deleteJasProcessFiles(configFile string, resultFile string) error {
 	return errorutils.CheckError(err)
 }
 
-func GetSourceCodeScanResults(resultsFileName, workingDir string, scanType utils.JasScanType) (results []utils.SourceCodeScanResult, err error) {
-	// Read Sarif format results generated from the Jas scanner
-	report, err := sarif.Open(resultsFileName)
-	if errorutils.CheckError(err) != nil {
-		return nil, err
-	}
-	var sarifResults []*sarif.Result
-	if len(report.Runs) > 0 {
-		// Jas scanners returns results in a single run entry
-		sarifResults = report.Runs[0].Results
+func ReadJasScanRunsFromFile(fileName, wd string) (sarifRuns []*sarif.Run, err error) {
+	if sarifRuns, err = utils.ReadScanRunsFromFile(fileName); err != nil {
+		return
 	}
-	resultPointers := convertSarifResultsToSourceCodeScanResults(sarifResults, workingDir, scanType)
-	for _, res := range resultPointers {
-		results = append(results, *res)
+	for _, sarifRun := range sarifRuns {
+		// Jas reports has only one invocation
+		// Set the actual working directory to the invocation, not the analyzerManager directory
+		// Also used to calculate relative paths if needed with it
+		sarifRun.Invocations[0].WorkingDirectory.WithUri(wd)
+		// Process runs values
+		sarifRun.Results = excludeSuppressResults(sarifRun.Results)
+		addScoreToRunRules(sarifRun)
 	}
-	return results, nil
+	return
 }
 
-func convertSarifResultsToSourceCodeScanResults(sarifResults []*sarif.Result, workingDir string, scanType utils.JasScanType) []*utils.SourceCodeScanResult {
-	var sourceCodeScanResults []*utils.SourceCodeScanResult
+func excludeSuppressResults(sarifResults []*sarif.Result) []*sarif.Result {
+	results := []*sarif.Result{}
 	for _, sarifResult := range sarifResults {
-		// Describes a request to “suppress” a result (to exclude it from result lists)
 		if len(sarifResult.Suppressions) > 0 {
+			// Describes a request to “suppress” a result (to exclude it from result lists)
 			continue
 		}
-		// Convert
-		currentResult := utils.GetResultIfExists(sarifResult, workingDir, sourceCodeScanResults)
-		if currentResult == nil {
-			currentResult = utils.ConvertSarifResultToSourceCodeScanResult(sarifResult, workingDir)
-			// Set specific Jas scan attributes
-			if scanType == utils.Secrets {
-				currentResult.Text = hideSecret(utils.GetResultLocationSnippet(sarifResult.Locations[0]))
+		results = append(results, sarifResult)
+	}
+	return results
+}
+
+func addScoreToRunRules(sarifRun *sarif.Run) {
+	for _, sarifResult := range sarifRun.Results {
+		if rule, err := sarifRun.GetRuleById(*sarifResult.RuleID); err == nil {
+			// Add to the rule security-severity score based on results severity
+			score := convertToScore(utils.GetResultSeverity(sarifResult))
+			if score != utils.MissingCveScore {
+				if rule.Properties == nil {
+					rule.WithProperties(sarif.NewPropertyBag().Properties)
+				}
+				rule.Properties["security-severity"] = score
 			}
-			sourceCodeScanResults = append(sourceCodeScanResults, currentResult)
-		}
-		if scanType == utils.Sast {
-			currentResult.CodeFlow = append(currentResult.CodeFlow, utils.GetResultCodeFlows(sarifResult, workingDir)...)
 		}
 	}
-	return sourceCodeScanResults
+}
+
+func convertToScore(severity string) string {
+	if level, ok := mapSeverityToScore[strings.ToLower(severity)]; ok {
+		return level
+	}
+	return ""
 }
 
 func CreateScannersConfigFile(fileName string, fileContent interface{}) error {
@@ -139,13 +157,6 @@ func CreateScannersConfigFile(fileName string, fileContent interface{}) error {
 	return errorutils.CheckError(err)
 }
 
-func hideSecret(secret string) string {
-	if len(secret) <= 3 {
-		return "***"
-	}
-	return secret[:3] + strings.Repeat("*", 12)
-}
-
 var FakeServerDetails = config.ServerDetails{
 	Url:      "platformUrl",
 	Password: "password",

xray/commands/audit/jas/iac/iacscanner.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/jfrog/jfrog-cli-core/v2/xray/utils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
+	"github.com/owenrumney/go-sarif/v2/sarif"
 )
 
 const (
@@ -14,7 +15,7 @@ const (
 )
 
 type IacScanManager struct {
-	iacScannerResults []utils.SourceCodeScanResult
+	iacScannerResults []*sarif.Run
 	scanner           *jas.JasScanner
 }
 
@@ -26,23 +27,23 @@ type IacScanManager struct {
 // []utils.SourceCodeScanResult: a list of the iac violations that were found.
 // bool: true if the user is entitled to iac scan, false otherwise.
 // error: An error object (if any).
-func RunIacScan(scanner *jas.JasScanner) (results []utils.SourceCodeScanResult, err error) {
+func RunIacScan(scanner *jas.JasScanner) (results []*sarif.Run, err error) {
 	iacScanManager := newIacScanManager(scanner)
 	log.Info("Running IaC scanning...")
 	if err = iacScanManager.scanner.Run(iacScanManager); err != nil {
 		err = utils.ParseAnalyzerManagerError(utils.IaC, err)
 		return
 	}
 	if len(iacScanManager.iacScannerResults) > 0 {
-		log.Info("Found", len(iacScanManager.iacScannerResults), "IaC vulnerabilities")
+		log.Info("Found", utils.GetResultsLocationCount(iacScanManager.iacScannerResults...), "IaC vulnerabilities")
 	}
 	results = iacScanManager.iacScannerResults
 	return
 }
 
 func newIacScanManager(scanner *jas.JasScanner) (manager *IacScanManager) {
 	return &IacScanManager{
-		iacScannerResults: []utils.SourceCodeScanResult{},
+		iacScannerResults: []*sarif.Run{},
 		scanner:           scanner,
 	}
 }
@@ -55,8 +56,8 @@ func (iac *IacScanManager) Run(wd string) (err error) {
 	if err = iac.runAnalyzerManager(); err != nil {
 		return
 	}
-	var workingDirResults []utils.SourceCodeScanResult
-	if workingDirResults, err = jas.GetSourceCodeScanResults(scanner.ResultsFileName, wd, utils.IaC); err != nil {
+	workingDirResults, err := jas.ReadJasScanRunsFromFile(scanner.ResultsFileName, wd)
+	if err != nil {
 		return
 	}
 	iac.iacScannerResults = append(iac.iacScannerResults, workingDirResults...)