Merge branch 'jas-violations-support' of https://github.com/eranturgeman/jfrog-cli-security into skip-not-applicable-cves

Author: eranturgeman

audit_test.go

@@ -439,24 +439,21 @@ func TestAuditWithConfigProfile(t *testing.T) {
 			summary, err := conversion.NewCommandResultsConvertor(conversion.ResultConvertParams{IncludeVulnerabilities: true}).ConvertToSummary(auditResults)
 			assert.NoError(t, err)
 
-			var ScaResultsCount int
+			var scaResultsCount int
 			// When checking Applicability results with ExactResultsMatch = true, the sum of all statuses should equal total Sca results amount. Else, we check the provided Sca issues amount
 			if testcase.expectedCaApplicable > 0 || testcase.expectedCaNotApplicable > 0 || testcase.expectedCaNotCovered > 0 || testcase.expectedCaUndetermined > 0 {
-				ScaResultsCount = testcase.expectedCaApplicable + testcase.expectedCaNotApplicable + testcase.expectedCaNotCovered + testcase.expectedCaUndetermined
+				scaResultsCount = testcase.expectedCaApplicable + testcase.expectedCaNotApplicable + testcase.expectedCaNotCovered + testcase.expectedCaUndetermined
 			} else {
-				ScaResultsCount = testcase.expectedScaIssues
+				scaResultsCount = testcase.expectedScaIssues
 			}
 			validations.ValidateCommandSummaryOutput(t, validations.ValidationParams{
-				Actual:                       summary,
-				ExactResultsMatch:            true,
-				Vulnerabilities:              testcase.expectedSastIssues + testcase.expectedSecretsIssues + testcase.expectedIacIssues + ScaResultsCount,
-				SastVulnerabilities:          testcase.expectedSastIssues,
-				SecretsVulnerabilities:       testcase.expectedSecretsIssues,
-				IacVulnerabilities:           testcase.expectedIacIssues,
-				ApplicableVulnerabilities:    testcase.expectedCaApplicable,
-				NotApplicableVulnerabilities: testcase.expectedCaNotApplicable,
-				NotCoveredVulnerabilities:    testcase.expectedCaNotCovered,
-				UndeterminedVulnerabilities:  testcase.expectedCaUndetermined,
+				Actual:            summary,
+				ExactResultsMatch: true,
+				Total:             &validations.TotalCount{Vulnerabilities: testcase.expectedSastIssues + testcase.expectedSecretsIssues + testcase.expectedIacIssues + scaResultsCount},
+				Vulnerabilities: &validations.VulnerabilityCount{
+					ValidateScan:                &validations.ScanCount{Sca: scaResultsCount, Sast: testcase.expectedSastIssues, Secrets: testcase.expectedSecretsIssues, Iac: testcase.expectedIacIssues},
+					ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{Applicable: testcase.expectedCaApplicable, NotApplicable: testcase.expectedCaNotApplicable, NotCovered: testcase.expectedCaNotCovered, Undetermined: testcase.expectedCaUndetermined},
+				},
 			})
 		})
 	}

commands/audit/audit_test.go

@@ -45,18 +45,15 @@ func TestXrayBinaryScanJson(t *testing.T) {
 	integration.InitScanTest(t, scangraph.GraphScanMinXrayVersion)
 	output := testXrayBinaryScan(t, string(format.Json), false)
 	validations.VerifyJsonResults(t, output, validations.ValidationParams{
-		Vulnerabilities: 1,
-		Licenses:        1,
+		Total: &validations.TotalCount{Licenses: 1, Vulnerabilities: 1},
 	})
 }
 
 func TestXrayBinaryScanSimpleJson(t *testing.T) {
 	integration.InitScanTest(t, scangraph.GraphScanMinXrayVersion)
 	output := testXrayBinaryScan(t, string(format.SimpleJson), true)
 	validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{
-		Vulnerabilities:       1,
-		ScaSecurityViolations: 1,
-		Licenses:              1,
+		Total: &validations.TotalCount{Licenses: 1, Vulnerabilities: 1, Violations: 1},
 	})
 }
 
@@ -66,8 +63,7 @@ func TestXrayBinaryScanJsonWithProgress(t *testing.T) {
 	defer callback()
 	output := testXrayBinaryScan(t, string(format.Json), false)
 	validations.VerifyJsonResults(t, output, validations.ValidationParams{
-		Vulnerabilities: 1,
-		Licenses:        1,
+		Total: &validations.TotalCount{Licenses: 1, Vulnerabilities: 1},
 	})
 }
 
@@ -77,9 +73,7 @@ func TestXrayBinaryScanSimpleJsonWithProgress(t *testing.T) {
 	defer callback()
 	output := testXrayBinaryScan(t, string(format.SimpleJson), true)
 	validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{
-		Vulnerabilities:       1,
-		ScaSecurityViolations: 1,
-		Licenses:              1,
+		Total: &validations.TotalCount{Licenses: 1, Vulnerabilities: 1, Violations: 1},
 	})
 }
 
@@ -110,8 +104,7 @@ func TestXrayBinaryScanWithBypassArchiveLimits(t *testing.T) {
 	scanArgs = append(scanArgs, "--bypass-archive-limits")
 	output := securityTests.PlatformCli.RunCliCmdWithOutput(t, scanArgs...)
 	validations.VerifyJsonResults(t, output, validations.ValidationParams{
-		Vulnerabilities: 1,
-		Licenses:        1,
+		Total: &validations.TotalCount{Licenses: 1, Vulnerabilities: 1},
 	})
 }
 
@@ -172,9 +165,11 @@ func runDockerScan(t *testing.T, testCli *coreTests.JfrogCli, imageName, watchNa
 		output := testCli.WithoutCredentials().RunCliCmdWithOutput(t, cmdArgs...)
 		if assert.NotEmpty(t, output) {
 			if validateSecrets {
-				validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{InactiveVulnerabilities: minInactives})
+				validations.VerifySimpleJsonResults(t, output, validations.ValidationParams{
+					Vulnerabilities: &validations.VulnerabilityCount{ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{Inactive: minInactives}},
+				})
 			} else {
-				validations.VerifyJsonResults(t, output, validations.ValidationParams{Vulnerabilities: minVulnerabilities, Licenses: minLicenses})
+				validations.VerifyJsonResults(t, output, validations.ValidationParams{Total: &validations.TotalCount{Vulnerabilities: minVulnerabilities, Licenses: minLicenses}})
 			}
 		}
 		// Run docker scan on image with watch
@@ -184,7 +179,7 @@ func runDockerScan(t *testing.T, testCli *coreTests.JfrogCli, imageName, watchNa
 		cmdArgs = append(cmdArgs, "--watches="+watchName)
 		output = testCli.WithoutCredentials().RunCliCmdWithOutput(t, cmdArgs...)
 		if assert.NotEmpty(t, output) {
-			validations.VerifyJsonResults(t, output, validations.ValidationParams{ScaSecurityViolations: minViolations})
+			validations.VerifyJsonResults(t, output, validations.ValidationParams{Total: &validations.TotalCount{Violations: minViolations}})
 		}
 	}
 }

scans_test.go

@@ -50,14 +50,18 @@ func GetResultIssueId(result *sarif.Result) (issueId string) {
 	return
 }
 
-func GetRuleCWE(rule *sarif.ReportingDescriptor) (cwe string) {
+func GetRuleCWE(rule *sarif.ReportingDescriptor) (cwe []string) {
 	if rule == nil || rule.DefaultConfiguration == nil || rule.DefaultConfiguration.Parameters == nil || rule.DefaultConfiguration.Parameters.Properties == nil {
 		// No CWE property
 		return
 	}
 	if cweProperty, ok := rule.DefaultConfiguration.Parameters.Properties[CWEPropertyKey]; ok {
 		if cweValue, ok := cweProperty.(string); ok {
-			return cweValue
+			split := strings.Split(cweValue, ",")
+			for _, policy := range split {
+				cwe = append(cwe, strings.TrimSpace(policy))
+			}
+			return
 		}
 	}
 	return

utils/formats/sarifutils/sarifutils.go

@@ -100,7 +100,7 @@ type SourceCodeRow struct {
 	Location
 	RuleId             string         `json:"ruleId"`
 	IssueId            string         `json:"issueId"`
-	CWE                string         `json:"cwe,omitempty"`
+	CWE                []string       `json:"cwe,omitempty"`
 	Finding            string         `json:"finding,omitempty"`
 	Fingerprint        string         `json:"fingerprint,omitempty"`
 	Applicability      *Applicability `json:"applicability,omitempty"`

utils/formats/simplejsonapi.go

@@ -32,46 +32,43 @@ func getAuditValidationParams() validations.ValidationParams {
 	return validations.ValidationParams{
 		ExactResultsMatch: true,
 
-		Vulnerabilities:              19,
-		ApplicableVulnerabilities:    1,
-		NotApplicableVulnerabilities: 7,
-		NotCoveredVulnerabilities:    4,
-		SastVulnerabilities:          4,
-		SecretsVulnerabilities:       3,
-
-		Violations:              7,
-		ScaSecurityViolations:   5,
-		ApplicableViolations:    1,
-		NotApplicableViolations: 4,
-		SastViolations:          1,
-		SecretsViolations:       1,
+		Total: &validations.TotalCount{Vulnerabilities: 19, Violations: 7},
+
+		Vulnerabilities: &validations.VulnerabilityCount{
+			ValidateScan:                &validations.ScanCount{Sca: 12, Sast: 4, Secrets: 3},
+			ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{Applicable: 1, NotApplicable: 7, NotCovered: 4},
+		},
+
+		Violations: &validations.ViolationCount{
+			ValidateScan:                &validations.ScanCount{Sca: 5, Sast: 1, Secrets: 1},
+			ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{Applicable: 1, NotApplicable: 4},
+		},
 	}
 }
 
 // For Summary we count unique CVE finding (issueId), for SARIF and SimpleJson we count all findings (pair of issueId+impactedComponent)
 // We have in the result 2 CVE with 2 impacted components each
 func getDockerScanValidationParams(unique bool) validations.ValidationParams {
 	params := validations.ValidationParams{
-		ExactResultsMatch:      true,
-		SecretsVulnerabilities: 3,
-
-		Violations:             3,
-		ScaSecurityViolations:  1,
-		UndeterminedViolations: 1,
-		SecretsViolations:      2,
+		ExactResultsMatch: true,
+		Total:             &validations.TotalCount{Violations: 3},
+		Violations: &validations.ViolationCount{
+			ValidateScan:                &validations.ScanCount{Sca: 1, Secrets: 2},
+			ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{Undetermined: 1},
+		},
 	}
 	if unique {
-		params.Vulnerabilities = 11
-		params.ApplicableVulnerabilities = 3
-		params.NotApplicableVulnerabilities = 3
-		params.NotCoveredVulnerabilities = 1
-		params.UndeterminedVulnerabilities = 1
+		params.Total.Vulnerabilities = 11
+		params.Vulnerabilities = &validations.VulnerabilityCount{
+			ValidateScan:                &validations.ScanCount{Sca: 8, Secrets: 3},
+			ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{Applicable: 3, NotApplicable: 3, NotCovered: 1, Undetermined: 1},
+		}
 	} else {
-		params.Vulnerabilities = 14
-		params.ApplicableVulnerabilities = 5
-		params.NotApplicableVulnerabilities = 4
-		params.NotCoveredVulnerabilities = 1
-		params.UndeterminedVulnerabilities = 1
+		params.Total.Vulnerabilities = 14
+		params.Vulnerabilities = &validations.VulnerabilityCount{
+			ValidateScan:                &validations.ScanCount{Sca: 11, Secrets: 3},
+			ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{Applicable: 5, NotApplicable: 4, NotCovered: 1, Undetermined: 1},
+		}
 	}
 	return params
 }

utils/results/conversion/convertor_test.go

@@ -12,6 +12,7 @@ import (
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-security/utils/results"
 	"github.com/jfrog/jfrog-client-go/artifactory"
+	"github.com/jfrog/jfrog-client-go/xray/services"
 	xscutils "github.com/jfrog/jfrog-client-go/xsc/services/utils"
 	"github.com/owenrumney/go-sarif/v2/sarif"
 	"github.com/stretchr/testify/assert"
@@ -166,3 +167,14 @@ func XrayServer(t *testing.T, params MockServerParams) (*httptest.Server, *confi
 func NewMockJasRuns(runs ...*sarif.Run) []results.ScanResult[[]*sarif.Run] {
 	return []results.ScanResult[[]*sarif.Run]{{Scan: runs}}
 }
+
+func NewMockScaResults(responses ...services.ScanResponse) (converted []results.ScanResult[services.ScanResponse]) {
+	for _, response := range responses {
+		status := 0
+		if response.ScannedStatus == "Failed" {
+			status = 1
+		}
+		converted = append(converted, results.ScanResult[services.ScanResponse]{Scan: response, StatusCode: status})
+	}
+	return
+}