Secrets & Infrastructure as Code scanning (#364)

Author: omerzi

.github/workflows/test.yml

@@ -60,10 +60,11 @@ jobs:
 
       # Run tests
       - name: Tests
-        run: go test ./... -v -race -timeout 0 -cover -coverprofile=covprofile -covermode=atomic
+        run: go test ./... -v -race -timeout 30m -cover -coverprofile=covprofile -covermode=atomic
         env:
           JF_URL: ${{ secrets.PLATFORM_URL }}
           JF_ACCESS_TOKEN: ${{ secrets.PLATFORM_ADMIN_TOKEN }}
+          JFROG_CLI_LOG_LEVEL: "DEBUG"
       # Generate code coverage
       - name: Send coverage
         run: |

README.md

@@ -216,21 +216,18 @@ Frogbot adds the scan results to the pull request in the following format:
 
 If no new vulnerabilities are found, Frogbot automatically adds the following comment to the pull request:
 
-[![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/noVulnerabilityBanner.png)](#-no-issues)
+[![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/noVulnerabilityBanner.png)](#-no-issues)
 
 ##### 👎 Issues were found
 
 If new vulnerabilities are found, Frogbot adds them as a comment on the pull request. For example:
 
-[![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/vulnerabilitiesBanner.png)](#-issues-were-found)
-
-|                                                SEVERITY                                                | DIRECT<br>DEPENDENCIES | DIRECT<br>DEPENDENCIES<br>VERSIONS | IMPACTED<br>DEPENDENCY<br>NAME | IMPACTED<br>DEPENDENCY<br>VERSION | FIXED<br>VERSIONS | CVE
-:------------------------------------------------------------------------------------------------------:| -- | -- | -- | -- |:-----------------:| --
-| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/criticalSeverity.png)<br>Critical | lion-webview | v0.1.20 | ten-webpack | v4.75.0 |     [v4.76.0]     | CVE-2023-28154
-|     ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/highSeverity.png)<br>High     | magic-streaming-server | v0.21.10 | ten-webpack | v4.75.0 |     [v4.76.0]     | CVE-2023-28154  
-|     ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/highSeverity.png)<br>High     | jump-archiver | v3.5.1 | quicksilver | v5.75.0 |     [v5.76.0]     | CVE-2023-28154
-|   ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/mediumSeverity.png)<br>Medium   | expense-calculator | v6.6.0 | cve-alpha | v1.10.0 |     [v1.10.1]     | CVE-2023-28154 
-
+|                                                      SEVERITY                                                       | CONTEXTUAL ANALYSIS                  | DIRECT DEPENDENCIES                  | IMPACTED DEPENDENCY                   | FIXED VERSIONS                       |
+|:-------------------------------------------------------------------------------------------------------------------:| :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | 
+| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableCriticalSeverity.png)<br>Critical | $\color{}{\textsf{Undetermined}}$ |vconsole:3.15.0 | vconsole:3.15.0 |  |
+|   ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableCritical.png)<br>Critical    | $\color{#3CB371}{\textsf{Not Applicable}}$ |minimist:1.2.5 | minimist:1.2.5 | [0.2.4]<br>[1.2.6] |
+|   ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)<br>    High   | $\color{#FF7377}{\textsf{Applicable}}$ |protobufjs:6.11.2 | protobufjs:6.11.2 | [6.11.3] |
+|     ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png)<br>    High      | $\color{#3CB371}{\textsf{Not Applicable}}$ |lodash:4.17.19 | lodash:4.17.19 | [4.17.21] |
 ### Scanning repositories and fixing issues
 
 Frogbot scans your Git repository and automatically opens pull requests for upgrading vulnerable dependencies to a version with a fix.
@@ -243,6 +240,10 @@ For GitHub repositories, Frogbot also adds [Security Alerts](https://docs.github
 
 ![](./images/github-code-scanning-content.png)
 
+![](./images/github-code-scanning-secrets-content.png)
+
+![](./images/github-code-scanning-iac-content.png)
+
 Frogbot uses [JFrog Xray](https://jfrog.com/xray/) for the scanning. The scanning is triggered following commits that are pushed to the repository.
 
 Supported package management tools:

action/lib/main.js

@@ -47,6 +47,7 @@ function main() {
                     break;
                 case "push":
                 case "schedule":
+                case "workflow_dispatch":
                     yield utils_1.Utils.execCreateFixPullRequests();
                     break;
                 default:

action/package-lock.json

@@ -261,7 +261,7 @@ func (cfp *CreateFixPullRequestsCmd) openFixingPullRequest(fixBranchName string,
 	pullRequestTitle := cfp.gitManager.GeneratePullRequestTitle(vulnDetails.ImpactedDependencyName, vulnDetails.FixVersion)
 	log.Debug("Creating Pull Request form:", fixBranchName, " to:", cfp.details.Branch())
 
-	prBody := cfp.OutputWriter.Content([]formats.VulnerabilityOrViolationRow{*vulnDetails.VulnerabilityOrViolationRow})
+	prBody := cfp.OutputWriter.VulnerabilitiesContent([]formats.VulnerabilityOrViolationRow{*vulnDetails.VulnerabilityOrViolationRow})
 	return cfp.details.Client().CreatePullRequest(context.Background(), cfp.details.RepoOwner, cfp.details.RepoName, fixBranchName, cfp.details.Branch(), pullRequestTitle, prBody)
 }
 
@@ -292,7 +292,7 @@ func (cfp *CreateFixPullRequestsCmd) openAggregatedPullRequest(fixBranchName str
 	}
 	if !exists {
 		log.Info("Creating Pull Request from:", fixBranchName, "to:", cfp.details.Branch())
-		prBody := cfp.OutputWriter.Content(vulnerabilities)
+		prBody := cfp.OutputWriter.VulnerabiltiesTitle(false) + "\n" + cfp.OutputWriter.VulnerabilitiesContent(vulnerabilities)
 		return cfp.details.Client().CreatePullRequest(context.Background(), cfp.details.RepoOwner, cfp.details.RepoName, fixBranchName, cfp.details.Branch(), utils.AggregatedPullRequestTitleTemplate, prBody)
 	}
 	log.Info("Pull Request branch:", fixBranchName, "has been updated")

commands/createfixpullrequests.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"github.com/jfrog/gofrog/datastructures"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -53,13 +54,13 @@ func scanPullRequest(repoConfig *utils.Repository, client vcsclient.VcsClient) e
 	}
 
 	// Audit PR code
-	vulnerabilitiesRows, err := auditPullRequest(repoConfig, client)
+	vulnerabilitiesRows, iacRows, err := auditPullRequest(repoConfig, client)
 	if err != nil {
 		return err
 	}
 
 	// Create a pull request message
-	message := createPullRequestMessage(vulnerabilitiesRows, repoConfig.OutputWriter)
+	message := createPullRequestMessage(vulnerabilitiesRows, iacRows, repoConfig.OutputWriter)
 
 	// Add comment to the pull request
 	if err = client.AddPullRequestComment(context.Background(), repoConfig.RepoOwner, repoConfig.RepoName, message, repoConfig.PullRequestID); err != nil {
@@ -73,8 +74,9 @@ func scanPullRequest(repoConfig *utils.Repository, client vcsclient.VcsClient) e
 	return err
 }
 
-func auditPullRequest(repoConfig *utils.Repository, client vcsclient.VcsClient) ([]formats.VulnerabilityOrViolationRow, error) {
+func auditPullRequest(repoConfig *utils.Repository, client vcsclient.VcsClient) ([]formats.VulnerabilityOrViolationRow, []formats.IacSecretsRow, error) {
 	var vulnerabilitiesRows []formats.VulnerabilityOrViolationRow
+	var iacRows []formats.IacSecretsRow
 	for i := range repoConfig.Projects {
 		scanDetails := utils.NewScanDetails(client, &repoConfig.Server, &repoConfig.Git).
 			SetProject(&repoConfig.Projects[i]).
@@ -84,32 +86,50 @@ func auditPullRequest(repoConfig *utils.Repository, client vcsclient.VcsClient)
 			SetFixableOnly(repoConfig.FixableOnly)
 		sourceResults, err := auditSource(scanDetails)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		repoConfig.SetEntitledForJas(sourceResults.ExtendedScanResults.EntitledForJas)
 		if repoConfig.IncludeAllVulnerabilities {
 			log.Info("Frogbot is configured to show all vulnerabilities")
 			allIssuesRows, err := getScanVulnerabilitiesRows(sourceResults)
 			if err != nil {
-				return nil, err
+				return nil, nil, err
 			}
 			vulnerabilitiesRows = append(vulnerabilitiesRows, allIssuesRows...)
+			iacRows = append(iacRows, xrayutils.PrepareIacs(sourceResults.ExtendedScanResults.IacScanResults)...)
 			continue
 		}
 		// Audit target code
 		scanDetails.SetFailOnInstallationErrors(*repoConfig.FailOnSecurityIssues).SetBranch(repoConfig.Branches[0])
 		targetResults, err := auditTarget(scanDetails)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		newIssuesRows, err := createNewIssuesRows(targetResults, sourceResults)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		vulnerabilitiesRows = append(vulnerabilitiesRows, newIssuesRows...)
+		iacRows = append(iacRows, createNewIacRows(targetResults.ExtendedScanResults.IacScanResults, sourceResults.ExtendedScanResults.IacScanResults)...)
 	}
 	log.Info("Xray scan completed")
-	return vulnerabilitiesRows, nil
+	return vulnerabilitiesRows, iacRows, nil
+}
+
+func createNewIacRows(targetIacResults, sourceIacResults []xrayutils.IacOrSecretResult) []formats.IacSecretsRow {
+	targetIacRows := xrayutils.PrepareIacs(targetIacResults)
+	sourceIacRows := xrayutils.PrepareIacs(sourceIacResults)
+	targetIacVulnerabilitiesKeys := datastructures.MakeSet[string]()
+	for _, row := range targetIacRows {
+		targetIacVulnerabilitiesKeys.Add(row.File + row.Text)
+	}
+	var addedIacVulnerabilities []formats.IacSecretsRow
+	for _, row := range sourceIacRows {
+		if !targetIacVulnerabilitiesKeys.Exists(row.File + row.Text) {
+			addedIacVulnerabilities = append(addedIacVulnerabilities, row)
+		}
+	}
+	return addedIacVulnerabilities
 }
 
 // Verify that the 'frogbot' GitHub environment was properly configured on the repository
@@ -339,9 +359,9 @@ func getUniqueID(vulnerability formats.VulnerabilityOrViolationRow) string {
 	return vulnerability.ImpactedDependencyName + vulnerability.ImpactedDependencyVersion + vulnerability.IssueId
 }
 
-func createPullRequestMessage(vulnerabilitiesRows []formats.VulnerabilityOrViolationRow, writer utils.OutputWriter) string {
-	if len(vulnerabilitiesRows) == 0 {
+func createPullRequestMessage(vulnerabilitiesRows []formats.VulnerabilityOrViolationRow, iacRows []formats.IacSecretsRow, writer utils.OutputWriter) string {
+	if len(vulnerabilitiesRows) == 0 && len(iacRows) == 0 {
 		return writer.NoVulnerabilitiesTitle() + utils.JasMsg(writer.EntitledForJas()) + writer.Footer()
 	}
-	return writer.VulnerabiltiesTitle() + writer.Content(vulnerabilitiesRows) + utils.JasMsg(writer.EntitledForJas()) + writer.Footer()
+	return writer.VulnerabiltiesTitle(true) + writer.VulnerabilitiesContent(vulnerabilitiesRows) + writer.IacContent(iacRows) + utils.JasMsg(writer.EntitledForJas()) + writer.Footer()
 }