Conversation

@barv-jfrog barv-jfrog commented Dec 4, 2025

  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....
  • All static analysis checks passed.
  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • Updated the Contributing page / ReadMe page / CI Workflow files if needed.
  • All changes are detailed in the description. If not already covered in the JFrog Documentation, new documentation has been added.

Description:

New malicious scanners which check for malicious code in the source code. For example, models such as pickle may contain malicious code, so now jf malicious-scan can scan these pickles and show in a table what the malicious code is.


Example: [image]

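As an added illustration of what a static malicious-code check on a pickle file looks for (example code written for this page, not the JFrog analyzer manager's implementation): disassemble the stream with pickletools and tabulate the globals it imports, without ever unpickling it. The deny-list in SUSPICIOUS_MODULES, the helper names and the four sample pickles are constructed for the example.

```python
import collections
import pickle
import pickletools

# Modules whose importable names hand an unpickler code or OS access.
# Constructed deny-list for this example; a production scanner keeps its own.
SUSPICIOUS_MODULES = {"builtins", "__builtin__", "os", "posix", "nt", "subprocess",
                      "sys", "shutil", "socket", "importlib", "runpy", "code"}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}  # opcodes that call
def scan_pickle(data: bytes) -> dict:
    """Disassemble a pickle and list the globals it imports, without loading it.
    Only pickletools.genops reads the bytes, so a hostile stream cannot run.
    STACK_GLOBAL (protocol 4+) is resolved from the two most recently pushed
    strings; memo references (BINGET) are ignored, a simplification here.
    Returns {"globals": [(offset, module, name, suspicious)], "calls": n}."""
    strings, found, calls = [], [], 0
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":  # protocol 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((pos, module, name, module in SUSPICIOUS_MODULES))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            module, name = strings[-2], strings[-1]
            found.append((pos, module, name, module in SUSPICIOUS_MODULES))
        elif op.name in CALL_OPS:
            calls += 1
    return {"globals": found, "calls": calls}

def is_suspicious(data: bytes) -> bool:
    return any(flag for _, _, _, flag in scan_pickle(data)["globals"])

class ConstructedSample:  # constructed: its reduce records a call to builtins.eval
    def __reduce__(self):
        return (eval, ("1 + 1",))
# Constructed inputs: plain data, a legitimate stdlib global, and two streams
# (protocol 4+ and legacy protocol 2) whose REDUCE would call eval if loaded.
SAMPLES = {
    "plain data": pickle.dumps({"weights": [0.1, 0.2], "epochs": 3}),
    "benign global": pickle.dumps(collections.OrderedDict(a=1)),
    "suspicious": pickle.dumps(ConstructedSample()),
    "suspicious v2": pickle.dumps(ConstructedSample(), protocol=2),
}
if __name__ == "__main__":
    for label, data in SAMPLES.items():  # one table row per imported global
        for pos, module, name, flag in scan_pickle(data)["globals"]:
            print(f"{label:<14} {pos:>6}  {module}.{name:<22} flagged={flag}")
```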
@barv-jfrog barv-jfrog requested a review from attiasas December 8, 2025 14:35
@barv-jfrog barv-jfrog added the safe to test Approve running integration tests on a pull request label Dec 9, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 9, 2025
Contributor

@attiasas attiasas left a comment

Nice work. Check out my comments:

  1. Update branch, merge dev and fix conflicts
  2. Make sure tests are passing after updating the AM version and running them
  3. Don't forget to merge dependent PR and update replaces before merging.
  4. Update PR description

// Expected number of Secrets issues
Secrets int
// Expected number of Malicious Code issues
MaliciousCode int

Contributor

You added the expected malicious code issues but you are not using them.
You need to add code to ValidateScanTypeCount as well.

Contributor Author

@barv-jfrog barv-jfrog Dec 15, 2025

I do use it; why do I have to add it to ValidateScanTypeCount?

Comment on lines 149 to 155
if cmd.customAnalyzerManagerPath != "" {
	scanner.AnalyzerManager.AnalyzerManagerFullPath = cmd.customAnalyzerManagerPath
} else {
	if scanner.AnalyzerManager.AnalyzerManagerFullPath, err = jas.GetAnalyzerManagerExecutable(); err != nil {
		return fmt.Errorf("failed to set analyzer manager executable path: %w", err)
	}
}

Contributor

If the custom path is not empty (provided), we don't need to download the AM to the default dir...
Similar to audit:

if cmd.customAnalyzerManagerPath == "" {
	if generalError = jas.DownloadAnalyzerManagerIfNeeded(threadId); generalError != nil {
		return fmt.Errorf("failed to download analyzer manager: %s", generalError.Error())
	}
	if scanner.AnalyzerManager.AnalyzerManagerFullPath, generalError = jas.GetAnalyzerManagerExecutable(); generalError != nil {
		return fmt.Errorf("failed to set analyzer manager executable path: %s", generalError.Error())
	}
} else {
	scanner.AnalyzerManager.AnalyzerManagerFullPath = cmd.customAnalyzerManagerPath
	log.Debug(clientutils.GetLogMsgPrefix(threadId, false) + "using custom analyzer manager binary path")
}

Contributor Author

ok

Comment on lines 247 to 253
if len(workingDirs) == 0 {
	currentDir, err := coreutils.GetWorkingDirectory()
	if err != nil {
		cmdResults.AddGeneralError(fmt.Errorf("failed to get current working directory: %w", err), false)
		return
	}
	cmdResults.NewScanResults(results.ScanTarget{Target: currentDir, Name: filepath.Base(currentDir)})

Contributor

Not possible, it already has at least one value after coreutils.GetFullPathsWorkingDirs(cmd.workingDirs).

Suggested change
if len(workingDirs) == 0 {
	currentDir, err := coreutils.GetWorkingDirectory()
	if err != nil {
		cmdResults.AddGeneralError(fmt.Errorf("failed to get current working directory: %w", err), false)
		return
	}
	cmdResults.NewScanResults(results.ScanTarget{Target: currentDir, Name: filepath.Base(currentDir)})

Contributor Author

Right.

}

if len(cmdResults.Targets) == 0 {
	log.Warn("No scan targets were detected. Proceeding with empty scan...")

Contributor

Suggested change
log.Warn("No scan targets were detected. Proceeding with empty scan...")
log.Warn("No scan targets were detected.")

You are returning here...


Contributor Author

Right

Comment on lines 227 to 248
func logScanPaths(workingDirs []string) {
	if len(workingDirs) == 0 {
		return
	}
	if len(workingDirs) == 1 {
		log.Info("Scanning path:", workingDirs[0])
		return
	}
	log.Info("Scanning paths:", strings.Join(workingDirs, ", "))
}

Contributor

Suggested change
func logScanPaths(workingDirs []string) {
	if len(workingDirs) == 0 {
		return
	}
	if len(workingDirs) == 1 {
		log.Info("Scanning path:", workingDirs[0])
		return
	}
	log.Info("Scanning paths:", strings.Join(workingDirs, ", "))
}
func logScanPaths(workingDirs []string) {
	if len(workingDirs) == 0 {
		return
	}
	if len(workingDirs) == 1 {
		log.Debug("Scanning path:", workingDirs[0])
		return
	}
	log.Debug("Scanning paths:", strings.Join(workingDirs, ", "))
}

I would move it to DEBUG since we are already outputting the targets later in Info.


Contributor Author

ok

Contributor

@attiasas attiasas left a comment

Check out my comments.
Also, make sure the tests are passing after updating the AM version with the scanner code.

	return jas.CreateScannersConfigFile(mal.configFileName, configFileContent, jasutils.MaliciousCode)
}

func (mal *MaliciousScanManager) getExcludePatterns(exclusions ...string) []string {

Contributor

You have jas.GetExcludePatterns; use it instead, or adjust it if needed.


Contributor Author

How can I use it without the jfrogapps module?

		Url, XrayUrl, user, password, accessToken, ServerId, Threads, InsecureTls,
	},
	MaliciousScan: {
		Url, XrayUrl, user, password, accessToken, ServerId, Threads, InsecureTls, OutputFormat, MinSeverity, AnalyzerManagerCustomPath, WorkingDirs, scanProjectKey,

Contributor

We should add a similar flag with a different description if the command is not hidden.


Contributor Author

ok

@barv-jfrog barv-jfrog changed the base branch from main to dev December 24, 2025 11:42
@barv-jfrog barv-jfrog requested a review from attiasas December 24, 2025 13:11
Labels

new feature Automatically generated release notes
