Merge branch 'dev' of https://github.com/jfrog/jfrog-cli-security into update-dependencies-for-1.20.0

Author: eranturgeman

sca/bom/buildinfo/technologies/python/python.go

@@ -36,7 +36,7 @@ const (
 )
 
 func BuildDependencyTree(params technologies.BuildInfoBomGeneratorParams, technology techutils.Technology) (dependencyTree []*clientutils.GraphNode, uniqueDeps []string, downloadUrls map[string]string, err error) {
-	dependenciesGraph, directDependenciesList, pipUrls, errGetTree := getDependencies(params, technology)
+	rootDetected, dependenciesGraph, directDependenciesList, pipUrls, errGetTree := getDependencies(params, technology)
 	if errGetTree != nil {
 		err = errGetTree
 		return
@@ -52,16 +52,40 @@ func BuildDependencyTree(params technologies.BuildInfoBomGeneratorParams, techno
 		populatePythonDependencyTree(directDependency, dependenciesGraph, uniqueDepsSet)
 		directDependencies = append(directDependencies, directDependency)
 	}
-	root := &clientutils.GraphNode{
-		Id:    "root",
-		Nodes: directDependencies,
-	}
-	dependencyTree = []*clientutils.GraphNode{root}
+	dependencyTree = getRootNodes(directDependencies, rootDetected)
 	uniqueDeps = uniqueDepsSet.ToSlice()
 	return
 }
 
-func getDependencies(params technologies.BuildInfoBomGeneratorParams, technology techutils.Technology) (dependenciesGraph map[string][]string, directDependencies []string, pipUrls map[string]string, err error) {
+func getRootNodes(directDependencies []*clientutils.GraphNode, rootDetected bool) (roots []*clientutils.GraphNode) {
+	if !rootDetected {
+		return []*clientutils.GraphNode{{
+			Id:    "root",
+			Nodes: directDependencies,
+		}}
+	}
+	// root was detected. in Pip, the pip version is also detected as root component.
+	// In this case, we need to append the pip node to the actual roots.
+	roots = []*clientutils.GraphNode{}
+	var pipNode *clientutils.GraphNode
+	// Search if pip is one of the direct dependencies.
+	for _, dep := range directDependencies {
+		if strings.HasPrefix(dep.Id, PythonPackageTypeIdentifier+techutils.Pip.String()+":") {
+			pipNode = dep
+		} else {
+			roots = append(roots, dep)
+		}
+	}
+	if pipNode != nil {
+		// Append pip node to actual roots.
+		for _, root := range roots {
+			root.Nodes = append(root.Nodes, pipNode)
+		}
+	}
+	return
+}
+
+func getDependencies(params technologies.BuildInfoBomGeneratorParams, technology techutils.Technology) (rootDetected bool, dependenciesGraph map[string][]string, directDependencies []string, pipUrls map[string]string, err error) {
 	wd, err := os.Getwd()
 	if errorutils.CheckError(err) != nil {
 		return
@@ -95,7 +119,7 @@ func getDependencies(params technologies.BuildInfoBomGeneratorParams, technology
 	pythonTool := pythonutils.PythonTool(technology)
 	if technology == techutils.Pipenv || !params.SkipAutoInstall {
 		var restoreEnv func() error
-		restoreEnv, err = runPythonInstall(params, pythonTool)
+		rootDetected, restoreEnv, err = runPythonInstall(params, pythonTool)
 		defer func() {
 			err = errors.Join(err, restoreEnv())
 		}()
@@ -180,7 +204,7 @@ type pypiMetaData struct {
 	Version string `json:"version"`
 }
 
-func runPythonInstall(params technologies.BuildInfoBomGeneratorParams, tool pythonutils.PythonTool) (restoreEnv func() error, err error) {
+func runPythonInstall(params technologies.BuildInfoBomGeneratorParams, tool pythonutils.PythonTool) (rootDetected bool, restoreEnv func() error, err error) {
 	switch tool {
 	case pythonutils.Pip:
 		return installPipDeps(params)
@@ -192,28 +216,28 @@ func runPythonInstall(params technologies.BuildInfoBomGeneratorParams, tool pyth
 	return
 }
 
-func installPoetryDeps(params technologies.BuildInfoBomGeneratorParams) (restoreEnv func() error, err error) {
+func installPoetryDeps(params technologies.BuildInfoBomGeneratorParams) (rootDetected bool, restoreEnv func() error, err error) {
 	restoreEnv = func() error {
 		return nil
 	}
 	if params.DependenciesRepository != "" {
 		rtUrl, username, password, err := artifactoryutils.GetPypiRepoUrlWithCredentials(params.ServerDetails, params.DependenciesRepository, false)
 		if err != nil {
-			return restoreEnv, err
+			return false, restoreEnv, err
 		}
 		if password != "" {
 			err = artifactoryutils.ConfigPoetryRepo(rtUrl.Scheme+"://"+rtUrl.Host+rtUrl.Path, username, password, params.DependenciesRepository)
 			if err != nil {
-				return restoreEnv, err
+				return false, restoreEnv, err
 			}
 		}
 	}
 	// Run 'poetry install'
 	_, err = executeCommand("poetry", "install")
-	return restoreEnv, err
+	return false, restoreEnv, err
 }
 
-func installPipenvDeps(params technologies.BuildInfoBomGeneratorParams) (restoreEnv func() error, err error) {
+func installPipenvDeps(params technologies.BuildInfoBomGeneratorParams) (rootDetected bool, restoreEnv func() error, err error) {
 	// Set virtualenv path to venv dir
 	err = os.Setenv("WORKON_HOME", ".jfrog")
 	if err != nil {
@@ -223,14 +247,14 @@ func installPipenvDeps(params technologies.BuildInfoBomGeneratorParams) (restore
 		return os.Unsetenv("WORKON_HOME")
 	}
 	if params.DependenciesRepository != "" {
-		return restoreEnv, runPipenvInstallFromRemoteRegistry(params.ServerDetails, params.DependenciesRepository)
+		return false, restoreEnv, runPipenvInstallFromRemoteRegistry(params.ServerDetails, params.DependenciesRepository)
 	}
 	// Run 'pipenv install -d'
 	_, err = executeCommand("pipenv", "install", "-d")
-	return restoreEnv, err
+	return false, restoreEnv, err
 }
 
-func installPipDeps(params technologies.BuildInfoBomGeneratorParams) (restoreEnv func() error, err error) {
+func installPipDeps(params technologies.BuildInfoBomGeneratorParams) (setupFileUsed bool, restoreEnv func() error, err error) {
 	restoreEnv, err = SetPipVirtualEnvPath()
 	if err != nil {
 		return
@@ -256,7 +280,7 @@ func installPipDeps(params technologies.BuildInfoBomGeneratorParams) (restoreEnv
 		}
 		reportFileName = pythonReportFile
 	}
-
+	setupFileUsed = params.PipRequirementsFile == ""
 	pipInstallArgs := getPipInstallArgs(params.PipRequirementsFile, remoteUrl, curationCachePip, reportFileName, params.InstallCommandArgs...)
 	var reqErr error
 	_, err = executeCommand("python", pipInstallArgs...)
@@ -269,6 +293,7 @@ func installPipDeps(params technologies.BuildInfoBomGeneratorParams) (restoreEnv
 		} else {
 			err = nil
 		}
+		setupFileUsed = false
 	}
 	if err != nil || reqErr != nil {
 		if msgToUser := technologies.GetMsgToUserForCurationBlock(params.IsCurationCmd, techutils.Pip, errors.Join(err, reqErr).Error()); msgToUser != "" {

sca/bom/buildinfo/technologies/python/python_test.go

@@ -32,13 +32,13 @@ func TestBuildPipDependencyListSetuppy(t *testing.T) {
 	assert.Contains(t, uniqueDeps, PythonPackageTypeIdentifier+"ptyprocess:0.7.0")
 	assert.Contains(t, uniqueDeps, PythonPackageTypeIdentifier+"pip-example:1.2.3")
 	assert.Len(t, rootNode, 1)
+	// Test direct dependency
+	tests.GetAndAssertNode(t, rootNode, "pip-example:1.2.3")
 	if len(rootNode) > 0 {
 		assert.NotEmpty(t, rootNode[0].Nodes)
 		if rootNode[0].Nodes != nil {
-			// Test direct dependency
-			directDepNode := tests.GetAndAssertNode(t, rootNode[0].Nodes, "pip-example:1.2.3")
 			// Test child module
-			childNode := tests.GetAndAssertNode(t, directDepNode.Nodes, "pexpect:4.8.0")
+			childNode := tests.GetAndAssertNode(t, rootNode[0].Nodes, "pexpect:4.8.0")
 			// Test sub child module
 			tests.GetAndAssertNode(t, childNode.Nodes, "ptyprocess:0.7.0")
 		}
@@ -69,11 +69,10 @@ func TestBuildPipDependencyListSetuppyForCuration(t *testing.T) {
 	assert.Contains(t, uniqueDeps, PythonPackageTypeIdentifier+"ptyprocess:0.7.0")
 	assert.Contains(t, uniqueDeps, PythonPackageTypeIdentifier+"pip-example:1.2.3")
 	assert.Len(t, rootNode, 1)
+	tests.GetAndAssertNode(t, rootNode, "pip-example:1.2.3")
 	if assert.NotNil(t, rootNode[0].Nodes) && assert.NotEmpty(t, rootNode[0].Nodes) {
-		// Test direct dependency
-		directDepNode := tests.GetAndAssertNode(t, rootNode[0].Nodes, "pip-example:1.2.3")
 		// Test child module
-		childNode := tests.GetAndAssertNode(t, directDepNode.Nodes, "pexpect:4.8.0")
+		childNode := tests.GetAndAssertNode(t, rootNode[0].Nodes, "pexpect:4.8.0")
 		// Test sub child module
 		tests.GetAndAssertNode(t, childNode.Nodes, "ptyprocess:0.7.0")
 
@@ -201,31 +200,36 @@ func TestBuildDependencyTreeWhenInstallForbidden(t *testing.T) {
 		testDir                          string
 		technology                       techutils.Technology
 		installBeforeFetchingInitialDeps bool
+		rootDetected                     bool
 	}{
 		// pip
 		{
 			name:                             "pip: project not installed | install forbidden",
 			testDir:                          filepath.Join("projects", "package-managers", "python", "pip", "pip", "requirementsproject"),
 			technology:                       techutils.Pip,
 			installBeforeFetchingInitialDeps: false,
+			rootDetected:                     false,
 		},
 		{
 			name:                             "pip: project installed before dep tree construction| install forbidden",
 			testDir:                          filepath.Join("projects", "package-managers", "python", "pip", "pip", "requirementsproject"),
 			technology:                       techutils.Pip,
 			installBeforeFetchingInitialDeps: true,
+			rootDetected:                     false,
 		},
 		{
 			name:                             "poetry: project not installed | install forbidden",
 			testDir:                          filepath.Join("projects", "package-managers", "python", "poetry", "poetry"),
 			technology:                       techutils.Poetry,
 			installBeforeFetchingInitialDeps: false,
+			rootDetected:                     false,
 		},
 		{
 			name:                             "poetry: project installed before dep tree construction| install forbidden",
 			testDir:                          filepath.Join("projects", "package-managers", "python", "poetry", "poetry"),
 			technology:                       techutils.Poetry,
 			installBeforeFetchingInitialDeps: true,
+			rootDetected:                     false,
 		},
 	}
 
@@ -253,11 +257,12 @@ func TestBuildDependencyTreeWhenInstallForbidden(t *testing.T) {
 			}
 
 			if test.installBeforeFetchingInitialDeps {
-				restoreEnv, err := runPythonInstall(params, pythonutils.PythonTool(test.technology))
+				rootDetected, restoreEnv, err := runPythonInstall(params, pythonutils.PythonTool(test.technology))
 				defer func() {
 					assert.NoError(t, restoreEnv(), "restoring env after setting "+test.technology+" virtual env creation failed")
 				}()
 				require.NoError(t, err)
+				assert.Equal(t, test.rootDetected, rootDetected, "Root detection mismatch for "+test.technology+" technology")
 			}
 
 			// Checking dependencies before BuildDependencyTree

sca/bom/scang/plugin/plugin.go

@@ -29,7 +29,7 @@ const (
 	scangPluginRtRepository       = "scang/v1"
 
 	scangPluginDirName        = "scang"
-	ScangPluginExecutableName = "scangplugin"
+	ScangPluginExecutableName = "xray-scan-plugin"
 	pluginName                = "scang"
 
 	scangPluginMagicCookieKey = "SCANG_PLUGIN_MAGIC_COOKIE"

tests/validations/test_validate_cyclonedx.go

@@ -59,7 +59,7 @@ func countSbomComponents(content *cyclonedx.BOM) (sbomComponents, rootComponents
 				}
 			}
 		}
-		relation := cdxutils.GetComponentRelation(content, component.BOMRef)
+		relation := cdxutils.GetComponentRelation(content, component.BOMRef, true)
 		if relation == cdxutils.UnknownRelation {
 			continue
 		}

utils/formats/cdxutils/cyclonedxutils.go

@@ -90,7 +90,7 @@ func SearchDependencyEntry(dependencies *[]cyclonedx.Dependency, ref string) *cy
 	return nil
 }
 
-func GetComponentRelation(bom *cyclonedx.BOM, componentRef string) ComponentRelation {
+func GetComponentRelation(bom *cyclonedx.BOM, componentRef string, skipDefaultRoot bool) ComponentRelation {
 	if bom == nil || bom.Components == nil {
 		return UnknownRelation
 	}
@@ -105,7 +105,7 @@ func GetComponentRelation(bom *cyclonedx.BOM, componentRef string) ComponentRela
 	}
 	parents := SearchParents(componentRef, *bom.Components, dependencies...)
 	// Calculate the root components
-	for _, root := range GetRootDependenciesEntries(bom, true) {
+	for _, root := range GetRootDependenciesEntries(bom, skipDefaultRoot) {
 		if root.Ref == componentRef {
 			// The component is a root
 			return RootRelation
@@ -283,7 +283,7 @@ func Exclude(bom cyclonedx.BOM, componentsToExclude ...cyclonedx.Component) (fil
 	}
 	filteredSbom = &bom
 	for _, compToExclude := range componentsToExclude {
-		if matchedBomComp := SearchComponentByRef(bom.Components, compToExclude.BOMRef); matchedBomComp == nil || GetComponentRelation(&bom, matchedBomComp.BOMRef) == RootRelation {
+		if matchedBomComp := SearchComponentByRef(bom.Components, compToExclude.BOMRef); matchedBomComp == nil || GetComponentRelation(&bom, matchedBomComp.BOMRef, false) == RootRelation {
 			// If not a match or Root component, skip it
 			continue
 		}

utils/formats/cdxutils/cyclonedxutils_test.go

@@ -388,7 +388,7 @@ func TestGetComponentRelation(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := GetComponentRelation(tt.bom, tt.componentRef)
+			result := GetComponentRelation(tt.bom, tt.componentRef, true)
 			assert.Equal(t, tt.expected, result, "Expected component relation does not match")
 		})
 	}

utils/results/common.go

@@ -286,7 +286,7 @@ func ForEachSbomComponent(bom *cyclonedx.BOM, handler ParseSbomComponentFunc) (e
 		if err := handler(
 			component,
 			cdxutils.SearchDependencyEntry(bom.Dependencies, component.BOMRef),
-			cdxutils.GetComponentRelation(bom, component.BOMRef),
+			cdxutils.GetComponentRelation(bom, component.BOMRef, true),
 		); err != nil {
 			return err
 		}
@@ -859,7 +859,7 @@ func ExtractCdxDependenciesCves(bom *cyclonedx.BOM) (directCves []string, indire
 			continue
 		}
 		for _, affectedComponent := range *vulnerability.Affects {
-			relation := cdxutils.GetComponentRelation(bom, affectedComponent.Ref)
+			relation := cdxutils.GetComponentRelation(bom, affectedComponent.Ref, true)
 			if relation == cdxutils.TransitiveRelation {
 				indirectCvesSet.Add(vulnerability.BOMRef)
 			} else {