Merge remote-tracking branch 'upstream/dev' into add_contributing

commands/audit/audit.go

@@ -89,6 +89,7 @@ func (auditCmd *AuditCommand) Run() (err error) {
 	if err != nil {
 		return
 	}
+
 	auditParams := NewAuditParams().
 		SetXrayGraphScanParams(auditCmd.CreateXrayGraphScanParams()).
 		SetWorkingDirs(workingDirs).
@@ -181,7 +182,7 @@ func RunAudit(auditParams *AuditParams) (results *xrayutils.Results, err error)
 
 	// Run scanners only if the user is entitled for Advanced Security
 	if results.ExtendedScanResults.EntitledForJas {
-		results.JasError = runJasScannersAndSetResults(results, auditParams.DirectDependencies(), serverDetails, auditParams.workingDirs, auditParams.Progress(), auditParams.xrayGraphScanParams.MultiScanId, auditParams.thirdPartyApplicabilityScan)
+		results.JasError = runJasScannersAndSetResults(results, auditParams.DirectDependencies(), serverDetails, auditParams.workingDirs, auditParams.Progress(), auditParams.thirdPartyApplicabilityScan)
 	}
 	return
 }

commands/audit/jas/common.go

@@ -49,7 +49,7 @@ type JasScanner struct {
 	ScannerDirCleanupFunc func() error
 }
 
-func NewJasScanner(workingDirs []string, serverDetails *config.ServerDetails, multiScanId string) (scanner *JasScanner, err error) {
+func NewJasScanner(workingDirs []string, serverDetails *config.ServerDetails) (scanner *JasScanner, err error) {
 	scanner = &JasScanner{}
 	if scanner.AnalyzerManager.AnalyzerManagerFullPath, err = utils.GetAnalyzerManagerExecutable(); err != nil {
 		return
@@ -65,7 +65,6 @@ func NewJasScanner(workingDirs []string, serverDetails *config.ServerDetails, mu
 	scanner.ConfigFileName = filepath.Join(tempDir, "config.yaml")
 	scanner.ResultsFileName = filepath.Join(tempDir, "results.sarif")
 	scanner.JFrogAppsConfig, err = createJFrogAppsConfig(workingDirs)
-	scanner.AnalyzerManager.MultiScanId = multiScanId
 	return
 }
 
@@ -230,7 +229,7 @@ var FakeBasicXrayResults = []services.ScanResponse{
 
 func InitJasTest(t *testing.T, workingDirs ...string) (*JasScanner, func()) {
 	assert.NoError(t, utils.DownloadAnalyzerManagerIfNeeded())
-	scanner, err := NewJasScanner(workingDirs, &FakeServerDetails, "")
+	scanner, err := NewJasScanner(workingDirs, &FakeServerDetails)
 	assert.NoError(t, err)
 	return scanner, func() {
 		assert.NoError(t, scanner.ScannerDirCleanupFunc())

commands/audit/jas/secrets/secretsscanner_test.go

@@ -123,6 +123,7 @@ func TestHideSecret(t *testing.T) {
 		{secret: "12", expectedOutput: "***"},
 		{secret: "123", expectedOutput: "***"},
 		{secret: "123456789", expectedOutput: "123************"},
+		// jfrog-ignore: test case
 		{secret: "3478hfnkjhvd848446gghgfh", expectedOutput: "347************"},
 	}
 

commands/audit/jasrunner.go

@@ -14,12 +14,12 @@ import (
 )
 
 func runJasScannersAndSetResults(scanResults *utils.Results, directDependencies []string,
-	serverDetails *config.ServerDetails, workingDirs []string, progress io.ProgressMgr, multiScanId string, thirdPartyApplicabilityScan bool) (err error) {
+	serverDetails *config.ServerDetails, workingDirs []string, progress io.ProgressMgr, thirdPartyApplicabilityScan bool) (err error) {
 	if serverDetails == nil || len(serverDetails.Url) == 0 {
 		log.Warn("To include 'Advanced Security' scan as part of the audit output, please run the 'jf c add' command before running this command.")
 		return
 	}
-	scanner, err := jas.NewJasScanner(workingDirs, serverDetails, multiScanId)
+	scanner, err := jas.NewJasScanner(workingDirs, serverDetails)
 	if err != nil {
 		return
 	}

commands/audit/jasrunner_test.go

@@ -22,22 +22,22 @@ func TestGetExtendedScanResults_AnalyzerManagerDoesntExist(t *testing.T) {
 		assert.NoError(t, os.Unsetenv(coreutils.HomeDir))
 	}()
 	scanResults := &utils.Results{ScaResults: []utils.ScaScanResult{{Technology: coreutils.Yarn, XrayResults: jas.FakeBasicXrayResults}}, ExtendedScanResults: &utils.ExtendedScanResults{}}
-	err = runJasScannersAndSetResults(scanResults, []string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, &jas.FakeServerDetails, nil, nil, "", false)
+	err = runJasScannersAndSetResults(scanResults, []string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, &jas.FakeServerDetails, nil, nil, false)
 	// Expect error:
 	assert.Error(t, err)
 }
 
 func TestGetExtendedScanResults_ServerNotValid(t *testing.T) {
 	scanResults := &utils.Results{ScaResults: []utils.ScaScanResult{{Technology: coreutils.Pip, XrayResults: jas.FakeBasicXrayResults}}, ExtendedScanResults: &utils.ExtendedScanResults{}}
-	err := runJasScannersAndSetResults(scanResults, []string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, nil, nil, nil, "", false)
+	err := runJasScannersAndSetResults(scanResults, []string{"issueId_1_direct_dependency", "issueId_2_direct_dependency"}, nil, nil, nil, false)
 	assert.NoError(t, err)
 }
 
 func TestGetExtendedScanResults_AnalyzerManagerReturnsError(t *testing.T) {
 	assert.NoError(t, utils.DownloadAnalyzerManagerIfNeeded())
 
 	scanResults := &utils.Results{ScaResults: []utils.ScaScanResult{{Technology: coreutils.Yarn, XrayResults: jas.FakeBasicXrayResults}}, ExtendedScanResults: &utils.ExtendedScanResults{}}
-	err := runJasScannersAndSetResults(scanResults, []string{"issueId_2_direct_dependency", "issueId_1_direct_dependency"}, &jas.FakeServerDetails, nil, nil, "", false)
+	err := runJasScannersAndSetResults(scanResults, []string{"issueId_2_direct_dependency", "issueId_1_direct_dependency"}, &jas.FakeServerDetails, nil, nil, false)
 
 	// Expect error:
 	assert.ErrorContains(t, err, "failed to run Applicability scan")

commands/audit/sca/go/gloang_test.go

@@ -50,8 +50,8 @@ func TestBuildGoDependencyList(t *testing.T) {
 	rootNode, uniqueDeps, err := BuildDependencyTree(auditBasicParams)
 	assert.NoError(t, err)
 	assert.ElementsMatch(t, uniqueDeps, expectedUniqueDeps, "First is actual, Second is Expected")
-
-	assert.Equal(t, "https://user:[email protected]/artifactoryapi/go/test-remote|direct", os.Getenv("GOPROXY"))
+	// jfrog-ignore: test case
+	assert.Equal(t, "https://user:[email protected]/artifactory/api/go/test-remote|direct", os.Getenv("GOPROXY"))
 	assert.NotEmpty(t, rootNode)
 
 	// Check root module

commands/audit/sca/npm/npm.go

@@ -34,14 +34,14 @@ func BuildDependencyTree(params utils.AuditParams) (dependencyTrees []*xrayUtils
 
 	treeDepsParam := createTreeDepsParam(params)
 
-	restoreNpmrcFunc, err := configNpmResolutionServerIfNeeded(params)
+	clearResolutionServerFunc, err := configNpmResolutionServerIfNeeded(params)
 	if err != nil {
 		err = fmt.Errorf("failed while configuring a resolution server: %s", err.Error())
 		return
 	}
 	defer func() {
-		if restoreNpmrcFunc != nil {
-			err = errors.Join(err, restoreNpmrcFunc())
+		if clearResolutionServerFunc != nil {
+			err = errors.Join(err, clearResolutionServerFunc())
 		}
 	}()
 
@@ -62,29 +62,17 @@ func BuildDependencyTree(params utils.AuditParams) (dependencyTrees []*xrayUtils
 }
 
 // Generates a .npmrc file to configure an Artifactory server as the resolver server.
-func configNpmResolutionServerIfNeeded(params utils.AuditParams) (restoreNpmrcFunc func() error, err error) {
-	if params == nil {
-		err = fmt.Errorf("got empty params upon configuring resolution server")
+func configNpmResolutionServerIfNeeded(params utils.AuditParams) (clearResolutionServerFunc func() error, err error) {
+	// If we don't have an artifactory repo's name we don't need to configure any Artifactory server as resolution server
+	if params.DepsRepo() == "" {
 		return
 	}
 	serverDetails, err := params.ServerDetails()
-	if err != nil || serverDetails == nil {
-		return
-	}
-	depsRepo := params.DepsRepo()
-	if depsRepo == "" {
+	if err != nil {
 		return
 	}
 
-	npmCmd := npm.NewNpmCommand("install", false).SetServerDetails(serverDetails)
-	if err = npmCmd.PreparePrerequisites(depsRepo); err != nil {
-		return
-	}
-	if err = npmCmd.CreateTempNpmrc(); err != nil {
-		return
-	}
-	restoreNpmrcFunc = npmCmd.RestoreNpmrcFunc()
-	log.Info(fmt.Sprintf("Resolving dependencies from '%s' from repo '%s'", serverDetails.Url, depsRepo))
+	clearResolutionServerFunc, err = npm.SetArtifactoryAsResolutionServer(serverDetails, params.DepsRepo())
 	return
 }
 

commands/audit/scarunner.go

@@ -268,16 +268,27 @@ func SetResolutionRepoIfExists(params xrayutils.AuditParams, tech coreutils.Tech
 	log.Debug("Using resolver config from", configFilePath)
 	repoConfig, err := project.ReadResolutionOnlyConfiguration(configFilePath)
 	if err != nil {
-		err = fmt.Errorf("failed while reading %s.yaml config file: %s", tech.String(), err.Error())
-		return
+		var missingResolverErr *project.MissingResolverErr
+		if !errors.As(err, &missingResolverErr) {
+			err = fmt.Errorf("failed while reading %s.yaml config file: %s", tech.String(), err.Error())
+			return
+		}
+		// When the resolver repository is absent from the configuration file, ReadResolutionOnlyConfiguration throws an error.
+		// However, this situation isn't considered an error here as the resolver repository isn't mandatory for constructing the dependencies tree.
+		err = nil
 	}
-	details, err := repoConfig.ServerDetails()
-	if err != nil {
-		err = fmt.Errorf("failed getting server details: %s", err.Error())
-		return
+
+	// If the resolver repository doesn't exist and triggers a MissingResolverErr in ReadResolutionOnlyConfiguration, the repoConfig becomes nil. In this scenario, there is no depsRepo to set, nor is there a necessity to do so.
+	if repoConfig != nil {
+		log.Debug("Using resolver config from", configFilePath)
+		details, e := repoConfig.ServerDetails()
+		if e != nil {
+			err = fmt.Errorf("failed getting server details: %s", e.Error())
+		} else {
+			params.SetServerDetails(details)
+			params.SetDepsRepo(repoConfig.TargetRepo())
+		}
 	}
-	params.SetServerDetails(details)
-	params.SetDepsRepo(repoConfig.TargetRepo())
 	return
 }
 

go.mod

@@ -4,15 +4,15 @@ go 1.20
 
 require (
 	github.com/gookit/color v1.5.4
-	github.com/jfrog/build-info-go v1.9.20
-	github.com/jfrog/gofrog v1.5.0
+	github.com/jfrog/build-info-go v1.9.21
+	github.com/jfrog/gofrog v1.5.1
 	github.com/jfrog/jfrog-apps-config v1.0.1
-	github.com/jfrog/jfrog-cli-core/v2 v2.46.2
-	github.com/jfrog/jfrog-client-go v1.35.6
+	github.com/jfrog/jfrog-cli-core/v2 v2.47.12
+	github.com/jfrog/jfrog-client-go v1.36.1
 	github.com/magiconair/properties v1.8.7
 	github.com/owenrumney/go-sarif/v2 v2.3.0
 	github.com/stretchr/testify v1.8.4
-	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3
+	golang.org/x/exp v0.0.0-20240119083558-1b970713d09a
 	golang.org/x/sync v0.6.0
 	golang.org/x/text v0.14.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -23,10 +23,10 @@ require (
 	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/CycloneDX/cyclonedx-go v0.7.2 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
+	github.com/ProtonMail/go-crypto v1.0.0 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
-	github.com/andybalholm/brotli v1.0.1 // indirect
+	github.com/andybalholm/brotli v1.1.0 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/c-bata/go-prompt v0.2.5 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
@@ -44,26 +44,26 @@ require (
 	github.com/gocarina/gocsv v0.0.0-20231116093920-b87c2d0e983a // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/snappy v0.0.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/uuid v1.5.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jedib0t/go-pretty/v6 v6.5.3 // indirect
-	github.com/jfrog/archiver/v3 v3.5.3 // indirect
+	github.com/jfrog/archiver/v3 v3.6.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.17.0 // indirect
+	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.3 // indirect
-	github.com/klauspost/pgzip v1.2.5 // indirect
+	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mattn/go-tty v0.0.3 // indirect
 	github.com/minio/sha256-simd v1.0.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/nwaples/rardecode v1.1.0 // indirect
+	github.com/nwaples/rardecode v1.1.3 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
-	github.com/pierrec/lz4/v4 v4.1.2 // indirect
+	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/term v1.1.0 // indirect
@@ -80,7 +80,7 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.18.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/ulikunitz/xz v0.5.9 // indirect
+	github.com/ulikunitz/xz v0.5.11 // indirect
 	github.com/urfave/cli v1.22.14 // indirect
 	github.com/vbauerster/mpb/v7 v7.5.3 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
@@ -98,4 +98,6 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20240118100957-b4e1537e91dd
+// replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev
+
+// replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go dev