Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor commands output formats #96

Open
wants to merge 74 commits into
base: dev
Choose a base branch
from
Open

Refactor commands output formats #96

wants to merge 74 commits into from

Conversation

attiasas
Copy link
Contributor

@attiasas attiasas commented Jun 30, 2024
edited
Loading

  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....
  • All static analysis checks passed.
  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • All changes are detailed at the description. if not already covered at JFrog Documentation, new documentation have been added.

Move all Results and outputs to their inner package, organize currently available code and renames to fit better.

Before:

image

After:

image

Move detection out of SCA to run first thing in audit

  • Allows to sync information from local jfrog-apps-config.
  • Prepare to remove config detection to separate command.
  • Prepare to remove dependency collection to separate command.

Change Results object to ScanCommandResults

  • Prepare the infrastructure to separate different sca children-targets in a single scan target
    image

Separate converting ScanCommandResults to different output formats and printing the output.

  • output package - Write the results in a specific format as an output string.
  • conversion package - Parse the ScanCommandResults object to convert it to different formats that we are supporting.

Make implementing a new output format (by introducing an interface) easier, and maintain the currently supported.

  • Reduce code duplications
  • Easy to see what we support
  • Easy to implement new formats / integrate new scans and results
    image

General validation improvments for results structs

  • Easy to support and maintain
  • Adds more tests
  • Exact/Partial match options (for unit + integration tests)
  • Easy to read what is tested
  • Refactor validations to its own package
    image

@attiasas attiasas added the ignore for release Automatically generated release notes label Jun 30, 2024
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Jul 10, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Jul 10, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Sep 9, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 9, 2024

👍 Frogbot scanned this pull request and did not find any new security issues.

eranturgeman
eranturgeman reviewed Sep 12, 2024
View reviewed changes
commands/audit/audit_test.go
@@ -125,27 +297,15 @@ func TestAuditWithConfigProfile(t *testing.T) {
chdirCallback := clientTests.ChangeDirWithCallback(t, baseWd, tempDirPath)
defer chdirCallback()

auditParams.SetWorkingDirs([]string{tempDirPath}).SetIsRecursiveScan(true)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is it necessary here? wouldn't it detect it alone without setting the working dirs?
Also, defining working dirs and recursive scan is different from what our flow does

eranturgeman
eranturgeman reviewed Sep 12, 2024
View reviewed changes
utils/results/output/securityJobSummary.go
@@ -187,11 +199,17 @@ func RecordSarifOutput(cmdResults *Results) (err error) {
log.Info("Results can be uploaded to Github security tab automatically by upgrading your JFrog subscription.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know it is not a change of yours but this condition doesn't seems right, as it is always evaluated to false:
!extended && !commandsummary.StaticMarkdownConfig.IsExtendedSummary()
(extended is set to 'true' just before checking the condition)

eranturgeman
eranturgeman reviewed Sep 12, 2024
View reviewed changes
jas/runner/jasrunner.go
Runner *utils.SecurityParallelRunner
ServerDetails *config.ServerDetails
Scanner *jas.JasScanner

Copy link
Contributor

@eranturgeman eranturgeman Sep 12, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change

Remove all new lines from the struct

eranturgeman
eranturgeman reviewed Sep 12, 2024
View reviewed changes
jas/runner/jasrunner.go
if len(scansToPreform) > 0 && !slices.Contains(scansToPreform, utils.ContextualAnalysisScan) {
log.Debug("Skipping contextual analysis scan as requested by input...")
return err
func addJasScanTaskForModuleIfNeeded(params JasRunnerParams, subScan utils.SubScanType, task parallel.TaskFunc) (err error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I love how you re-wrote it, but we said this is the prioritization:

  1. flags
  2. config profile
  3. jfrog apps config

it seems like we ignore the flags here that we can get from audit. Lets discuss it

eranturgeman
eranturgeman reviewed Sep 12, 2024
View reviewed changes
tests/testdata/output/dockerscan/docker_sarif.json Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this file is empty. can we delete?

eranturgeman
eranturgeman reviewed Sep 12, 2024
View reviewed changes
tests/testdata/output/dockerscan/docker_simple_json.json Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this file is empty. can we delete?

eranturgeman
eranturgeman reviewed Sep 12, 2024
View reviewed changes
utils/formats/sarifutils/sarifutils.go
@@ -65,6 +65,51 @@ func ReadScanRunsFromFile(fileName string) (sarifRuns []*sarif.Run, err error) {
return
}

func CopyResult(result *sarif.Result) *sarif.Result {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this functions doesn't seems to be used

eranturgeman
eranturgeman reviewed Sep 12, 2024
View reviewed changes
utils/formats/sarifutils/sarifutils.go
return nil
}

func GetRuleFullDescription(rule *sarif.ReportingDescriptor) string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

duplicated
see GetRuleFullDescriptionText

eranturgeman
eranturgeman reviewed Sep 12, 2024
View reviewed changes
utils/formats/sarifutils/sarifutils.go
return ""
}

func GetRuleShortDescription(rule *sarif.ReportingDescriptor) string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

duplicate
see GetRuleShortDescriptionText

eranturgeman
eranturgeman reviewed Sep 12, 2024
View reviewed changes
utils/results/conversion/sarifparser/sarifparser.go
location.PhysicalLocation = sarifutils.NewPhysicalLocation(patchedLocation)
}
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a return statement is missing in this funciton

eranturgeman
eranturgeman reviewed Sep 15, 2024
View reviewed changes
utils/validations/test_validate_sarif.go
}

func isPotentialSimilarResults(expected, actual *sarif.Result) bool {
return sarifutils.GetResultRuleId(actual) == sarifutils.GetResultRuleId(expected) && sarifutils.GetResultMsgText(actual) == sarifutils.GetResultMsgText(expected) && sarifutils.GetResultProperty(sarifparser.WatchSarifPropertyKey, actual) == sarifutils.GetResultProperty(sarifparser.WatchSarifPropertyKey, expected)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we compare by message? A text message is more likely to change in compare to ID or a property that we obtain
if you think it is not likely to break often we can leave it like that (or if it is absolutely necessary)

@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Sep 15, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Sep 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eranturgeman eranturgeman eranturgeman requested changes

@hadarshjfrog hadarshjfrog hadarshjfrog left review comments

@orz25 orz25 Awaiting requested review from orz25

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
ignore for release Automatically generated release notes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@attiasas @eranturgeman @hadarshjfrog