
Support all attributes in Central Configs#670

Open
attiasas wants to merge 49 commits into
jfrog:devfrom
attiasas:pass_wd_to_xray_lib
Open

Support all attributes in Central Configs#670
attiasas wants to merge 49 commits into
jfrog:devfrom
attiasas:pass_wd_to_xray_lib

Conversation

@attiasas
Collaborator

@attiasas attiasas commented Feb 12, 2026

feat(audit): config-profile scan targets, include/exclude, and xray-lib working dirs

Depends on:

Analyzer-Manager minimum version: 1.33.0

Summary

Aligns audit, git audit, SCA (Xray-Lib), and JAS scanners with JFrog Platform config profiles: per-target include/exclude patterns, scanner enablement, secret validation, partial results, and custom analyzer download paths. Passes resolved include directories and exclusions into Xray-Lib instead of global ignore patterns, and refactors scan execution around an enriched ScanTarget model.

Changes

  • Audit / scan orchestration (commands/audit/, commands/scan/, commands/git/audit/): target discovery via GetTargetsInfo; populate ScanTarget with include/exclude and central-config modules; honor config-profile scanner toggles and allow_partial_results; wire custom releases repo for Xray-Lib plugin download.
  • Xray-Lib BOM (sca/bom/xrayplugin/): pass IncludeDirs and per-target SCA exclusions to the plugin; remove WithTotalTargets / WithIgnorePatterns; support WithCentralRemoteReleasesDetails for profile-driven dependency downloads.
  • JAS scanners (jas/, jas/runner/): run against results.ScanTarget (include roots, profile exclusions); consolidate config-profile skip logic; fix SARIF invocation working directory to reflect scan target, not analyzer-manager temp dir; per-target secret validation via IsSecretValidationActive.
  • Results model (utils/results/): ScanTarget gains Include, Exclude, Technologies[], CentralConfigModules; skippable GeneralErrors / TargetErrors for partial results; helpers for central-config scan requests and exclusions; expanded unit tests.
  • Path / exclusion utilities (utils/paths.go, utils/techutils.go): pattern handling for include/exclude during recursive scans.
  • Git audit (commands/git/audit/): fetch config profile by clone URL; hidden --use-config-profile flag (default true); validate single-module profile constraints.
  • CLI (cli/docs/flags.go, cli/gitcommands.go): expose WorkingDirs on audit; add hidden use-config-profile.
  • Output / parsers (utils/results/conversion/, utils/results/output/): adapt to multi-technology targets and updated error shapes.
  • Dependencies (go.mod, go.sum): bump jfrog-client-go and jfrog-cli-artifactory.

Notes

  • Behavioral / API shifts: single Technology on ScanTarget replaced by Technologies[]; GeneralError replaced by GeneralErrors (SkippableError); JAS ScannerCmd adds target-based Run with DeprecatedRun for legacy jfrog-apps-config modules.
  • Git audit config profile is limited to one module with path_from_root: "." (enforced in verifyConfigProfile).
  • In the new flow, jfrog-apps-config.yml is deprecated – flags, env vars, or central JFrog Platform config should be used instead.
  • The old graph-based flow is untouched and still loads jfrog-apps-config as before.
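Added example, not code from this PR or from the jfrog-cli-security project: a simplified model of the per-target include/exclude resolution the description above summarizes, applied to a constructed candidate list. The ScanTarget shape, the included/excluded/SelectFiles helpers and the sample repository layout are assumptions for illustration only; the real ScanTarget type and utils/paths.go matching logic are not reproduced here.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ScanTarget is an assumed, simplified shape of the enriched target model the PR
// describes: a root directory plus include roots and exclude patterns scoped to it.
type ScanTarget struct {
	Target  string   // absolute root of this scan target
	Include []string // directories relative to Target to scan; empty means the whole target
	Exclude []string // glob patterns (path.Match syntax) skipped within this target only
}

// included reports whether rel (slash-separated, relative to the target root)
// lies under one of the include roots, or whether there are no include roots.
func included(rel string, includes []string) bool {
	if len(includes) == 0 {
		return true
	}
	for _, inc := range includes {
		inc = path.Clean(filepath.ToSlash(inc))
		if inc == "." || rel == inc || strings.HasPrefix(rel, inc+"/") {
			return true
		}
	}
	return false
}

// excluded reports whether rel matches an exclusion. Each pattern is tried against
// every single path segment and every leading prefix of rel (the last prefix is rel
// itself), so "node_modules" prunes that directory at any depth, "*_test.go" matches
// by basename, and "libs/vendor" prunes one subtree. path.Match has no "**".
func excluded(rel string, patterns []string) bool {
	segs := strings.Split(rel, "/")
	for _, p := range patterns {
		p = filepath.ToSlash(p)
		for i := range segs {
			if ok, _ := path.Match(p, segs[i]); ok {
				return true
			}
			if ok, _ := path.Match(p, strings.Join(segs[:i+1], "/")); ok {
				return true
			}
		}
	}
	return false
}

// SelectFiles applies a target's include roots and exclusions to absolute candidate
// paths and returns the target-relative paths a scanner would receive, in input order.
// Candidates outside the target root are dropped rather than matched.
func SelectFiles(t ScanTarget, candidates []string) []string {
	var out []string
	for _, c := range candidates {
		rel, err := filepath.Rel(t.Target, c)
		if err != nil {
			continue
		}
		rel = filepath.ToSlash(rel)
		if rel == ".." || strings.HasPrefix(rel, "../") {
			continue
		}
		if included(rel, t.Include) && !excluded(rel, t.Exclude) {
			out = append(out, rel)
		}
	}
	return out
}

// DemoTarget and DemoCandidates are constructed sample data, not a real project layout.
func DemoTarget() ScanTarget {
	return ScanTarget{
		Target:  "/repo",
		Include: []string{"services/api", "libs"},
		Exclude: []string{"*_test.go", "node_modules", "testdata"},
	}
}

func DemoCandidates() []string {
	return []string{
		"/repo/services/api/main.go",
		"/repo/services/api/main_test.go",             // excluded by *_test.go
		"/repo/services/api/node_modules/lp/index.js", // excluded by the node_modules segment
		"/repo/services/web/handler.go",               // not under an include root
		"/repo/libs/crypto/hash.go",
		"/repo/libs/testdata/sample.json", // excluded by the testdata segment
		"/etc/passwd",                     // outside the target root
	}
}

func main() {
	for _, rel := range SelectFiles(DemoTarget(), DemoCandidates()) {
		fmt.Println(rel)
	}
}
```

The point worth noticing is that exclusions are evaluated relative to the target root, so a pattern attached to one ScanTarget cannot accidentally prune files of a sibling target, which is the behavioural difference from a single global ignore list.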

@attiasas attiasas added the ignore for release Automatically generated release notes label Feb 12, 2026
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Feb 12, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label Feb 12, 2026
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Feb 17, 2026
@github-actions github-actions Bot removed the safe to test Approve running integration tests on a pull request label Feb 17, 2026
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Feb 19, 2026
Comment thread utils/results/results.go
Comment thread utils/results/common.go Outdated
relative := utils.GetRelativePath(potential.Target, sourceBasePath)
log.Debug(fmt.Sprintf("Comparing target %s, relative: '%s'", potential.String(), relative))
if technology != techutils.NoTech && potential.Technology != technology {
if len(technologies) > 0 && !utils.ElementsEqual[techutils.Technology](potential.Technologies, technologies) {

maybe not something we want to address but maybe worth noting: if a new tech is added in a PR (new module or something) we will find no match. This is an edge case but maybe worth a comment

Comment thread utils/paths.go
Comment thread commands/audit/audit.go Outdated
Comment thread jas/applicability/applicabilitymanager.go Outdated
Comment thread jas/iac/iacscanner.go Outdated
Comment thread jas/sast/sastscanner.go Outdated
Comment thread jas/secrets/secretsscanner.go Outdated
Comment thread jas/common.go Outdated
Comment thread jas/common_test.go
Comment thread sca/bom/bomgenerator.go
Comment thread sca/bom/bomgenerator.go
Comment thread sca/scan/scascan.go
log.Debug(fmt.Sprintf("%sSkipping SCA for %s as requested by input...", logPrefix, params.ScanResults.Target))
return false, nil
}
if params.ScanResults == nil {

@eranturgeman eranturgeman May 10, 2026


I see this check existed before, but I don't think it is really a possible use case. We can leave it for safety though.

}

func TestPrepareSimpleJsonVulnerabilities_Technology(t *testing.T) {
testCases := []struct {

maybe add another testcase with multi-rows and different technologies?

Comment thread jas/applicability/applicabilitymanager.go
Comment thread jas/iac/iacscanner.go
Comment thread jas/sast/sastscanner.go
Comment thread utils/utils_test.go
Comment thread utils/utils.go

@eranturgeman eranturgeman left a comment


LGTM! see my comments

@github-actions

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 1 issue

  Scan Category                                Status    Security Issues
  Software Composition Analysis                ✅ Done   Not Found
  Contextual Analysis                          ✅ Done   -
  Static Application Security Testing (SAST)   ✅ Done   1 Issues Found (1 Low)
  Secrets                                      ✅ Done   -
  Infrastructure as Code (IaC)                 ✅ Done   Not Found

@github-actions

os.ReadFile(strings.TrimSpace(path))

at sca/bom/buildinfo/technologies/java/deptreemanager.go (line 109)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Low
Finding: Untrusted stored input used in file paths, allowing access to unintended files.

Vulnerability Details

Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled
input, such as file names or paths, is stored by the application and later used
without proper validation or sanitization to perform file operations. This can
allow an attacker to traverse directories and access or overwrite sensitive files
on the filesystem, potentially compromising the security and integrity of the
application or system.

Vulnerable example

    var db *sql.DB // opened elsewhere; needs "database/sql" and "net/http"

    func serveFile(w http.ResponseWriter, r *http.Request) {
        var filePath string
        row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
        _ = row.Scan(&filePath)        // stored value, not validated
        http.ServeFile(w, r, filePath) // intentionally vulnerable: path used as-is
    }

In this example, the serveFile function serves a file based on the file query
parameter provided by the user. However, in a real-world scenario, the filePath
variable might be retrieved from a stored source, such as a database or configuration
file, instead of being directly obtained from the request URL. The vulnerability
arises if the stored filePath is not properly validated or sanitized before being
used to serve files. Attackers could manipulate the stored filePath to perform
directory traversal attacks, potentially accessing sensitive files outside the
intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate
and sanitize user-controlled input before using it to construct file paths or
perform file operations. In this example, we can validate the file name to ensure
it does not contain directory traversal sequences before serving the file.

    var db *sql.DB // opened elsewhere; needs "database/sql", "net/http" and "strings"

    func serveFile(w http.ResponseWriter, r *http.Request) {
        var filePath string
        row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
        _ = row.Scan(&filePath)
        // Added by the remediation: validate file path to prevent directory traversal
        if strings.Contains(filePath, "..") {
            http.Error(w, "Invalid file path", http.StatusBadRequest)
            return
        }
        http.ServeFile(w, r, filePath)
    }
Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(outputFilePath) (at sca/bom/buildinfo/technologies/java/gradle.go line 187)

↘️ outputFileContent (at sca/bom/buildinfo/technologies/java/gradle.go line 187)

↘️ execGradleDepTree (at sca/bom/buildinfo/technologies/java/gradle.go line 159):

    func (gdt *gradleDepTreeManager) execGradleDepTree(depTreeDir string) (outputFileContent []byte, err error) {
        gradleExecPath, err := build.GetGradleExecPath(gdt.useWrapper)
        if err != nil {
            err = errorutils.CheckError(err)
            return
        }
        outputFilePath := filepath.Join(depTreeDir, gradleDepTreeOutputFile)
        tasks := []string{
            "clean",
            "generateDepTrees", "-I", filepath.Join(depTreeDir, gradleDepTreeInitFile),
            "-q",
            gradleNoCacheFlag,
            fmt.Sprintf("-Dcom.jfrog.depsTreeOutputFile=%s", outputFilePath),
            "-Dcom.jfrog.includeAllBuildFiles=true",
            fmt.Sprintf("-Dcom.jfrog.includeIncludedBuilds=%t", gdt.useIncludedBuilds)}

        // Add curation audit mode for pass-through functionality if this is a curation command
        if gdt.isCurationCmd {
            tasks = append(tasks, "-Dcom.jfrog.curationAuditMode=true")
        }

        if output, err := buildGradleExecCommand(gradleExecPath, gdt.useWrapper, tasks).CombinedOutput(); err != nil {
            return nil, errorutils.CheckErrorf("error running gradle-dep-tree: %s\n%s", err.Error(), string(output))
        }
        defer func() {
            err = errors.Join(err, errorutils.CheckError(os.Remove(outputFilePath)))
        }()
        outputFileContent, err = os.ReadFile(outputFilePath)
        err = errorutils.CheckError(err)
        return
    }

↘️ (outputFileContent []byte, err error) (at sca/bom/buildinfo/technologies/java/gradle.go line 159)

↘️ gdt.execGradleDepTree(depTreeDir) (at sca/bom/buildinfo/technologies/java/gradle.go line 96)

↘️ output (at sca/bom/buildinfo/technologies/java/gradle.go line 96)

↘️ output (at sca/bom/buildinfo/technologies/java/gradle.go line 100)

↘️ string(output) (at sca/bom/buildinfo/technologies/java/gradle.go line 100)

↘️ return string(output), nil (at sca/bom/buildinfo/technologies/java/gradle.go line 100)

↘️ (string, error) (at sca/bom/buildinfo/technologies/java/gradle.go line 79)

↘️ manager.runGradleDepTree() (at sca/bom/buildinfo/technologies/java/deptreemanager_test.go line 57)

↘️ outputFileContent (at sca/bom/buildinfo/technologies/java/deptreemanager_test.go line 57)

↘️ outputFileContent (at sca/bom/buildinfo/technologies/java/deptreemanager_test.go line 59)

↘️ outputFilePaths (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 56)

↘️ outputFilePaths (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 57)

↘️ jsonFilePaths (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 95)

↘️ jsonFilePaths (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 96)

↘️ strings.TrimSpace(jsonFilePaths) (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 96)

↘️ strings.Split(strings.TrimSpace(jsonFilePaths), "\n") (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 96)

↘️ outputFilePaths (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 98)

↘️ path (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 98)

↘️ path (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 99)

↘️ path (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 108)

↘️ path (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 109)

↘️ strings.TrimSpace(path) (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 109)

↘️ os.ReadFile(strings.TrimSpace(path)) (at sca/bom/buildinfo/technologies/java/deptreemanager.go line 109)
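The flow above ends in os.ReadFile on paths taken from a newline-separated list that the build tool wrote to disk. The remediation snippet in the rule text only rejects strings containing "..", which is both too strict (a file legitimately named a..b.json is refused) and too loose (an absolute path such as /etc/passwd contains no ".." and passes). The following is an added example, not the project's code and not the fix applied in this PR: it confines each reported path to the expected output directory by resolving symlinks first and then checking the relative path to the canonical directory, and Demo() shows which constructed inputs are accepted and rejected. ConfinePath, ReadOutputsWithin, Demo and the temp-directory layout are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideDir = errors.New("path escapes allowed directory")

// ConfinePath returns the cleaned absolute form of candidate if it lies inside the
// absolute directory base, and ErrOutsideDir otherwise (assumed helper, not project code).
func ConfinePath(base, candidate string) (string, error) {
	abs := filepath.Clean(strings.TrimSpace(candidate))
	if !filepath.IsAbs(abs) {
		abs = filepath.Join(base, abs) // Join cleans, so "x/../../y" collapses before the check
	}
	rel, err := filepath.Rel(base, abs)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideDir
	}
	return abs, nil
}

// ReadOutputsWithin is an assumed hardened counterpart to the finding's sink: each
// newline-separated path is read only after links are resolved and the real path is confined.
func ReadOutputsWithin(outDir, pathList string) (map[string][]byte, error) {
	realBase, err := filepath.EvalSymlinks(outDir) // canonical base, so a symlinked outDir still passes
	if err != nil {
		return nil, err
	}
	results := map[string][]byte{}
	for _, p := range strings.Split(strings.TrimSpace(pathList), "\n") {
		abs := filepath.Clean(strings.TrimSpace(p))
		if !filepath.IsAbs(abs) {
			abs = filepath.Join(outDir, abs)
		}
		real, err := filepath.EvalSymlinks(abs) // follows links; fails if the file is missing
		if err != nil {
			return nil, err
		}
		if _, err := ConfinePath(realBase, real); err != nil {
			return nil, fmt.Errorf("%q resolves to %q: %w", p, real, err)
		}
		if results[p], err = os.ReadFile(real); err != nil {
			return nil, err
		}
	}
	return results, nil
}

// Demo lays out a constructed scenario under one temp dir (not real project data) and
// returns which candidate paths the confinement accepted and which it rejected.
func Demo() (accepted, rejected []string, err error) {
	root, err := os.MkdirTemp("", "confine-demo-")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(root)
	outDir, otherDir := filepath.Join(root, "out"), filepath.Join(root, "elsewhere")
	secret := filepath.Join(otherDir, "secret.txt")
	err = errors.Join(os.Mkdir(outDir, 0o700), os.Mkdir(otherDir, 0o700))
	if err == nil {
		err = errors.Join(
			os.WriteFile(filepath.Join(outDir, "deps.json"), []byte(`{"root":"app"}`), 0o600),
			os.WriteFile(secret, []byte("token=abc"), 0o600),
			os.Symlink(secret, filepath.Join(outDir, "link.json")))
	}
	if err != nil {
		return nil, nil, err
	}
	cases := []string{
		"deps.json",                        // relative, inside outDir
		filepath.Join(outDir, "deps.json"), // absolute, inside outDir
		"../elsewhere/secret.txt",          // traversal to a sibling directory
		secret,                             // absolute path outside outDir
		"link.json",                        // symlink inside outDir pointing outside
	}
	for _, c := range cases {
		switch _, err := ReadOutputsWithin(outDir, c); {
		case err == nil:
			accepted = append(accepted, c)
		case errors.Is(err, ErrOutsideDir):
			rejected = append(rejected, c)
		default:
			return nil, nil, err
		}
	}
	return accepted, rejected, nil
}

func main() {
	fmt.Println(Demo())
}
```

In this flow the path list is produced by the dependency-tree plugin that the scanner itself injects into the build, so whoever controls the build script already controls what gets written there; confining the reads to the output directory still closes the cheap cases (a crafted list entry pointing at a file elsewhere on the runner, or a symlink dropped into the output directory) and is a one-function change.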





Labels

improvement Automatically generated release notes
