1 change: 1 addition & 0 deletions commands/audit/audit.go
Expand Up @@ -343,6 +343,7 @@ func getScanLogicOptions(params *AuditParams) (bomGenOptions []bom.SbomGenerator
xrayplugin.WithTotalTargets(len(params.workingDirs)),
xrayplugin.WithBinaryPath(params.CustomBomGenBinaryPath()),
xrayplugin.WithIgnorePatterns(params.Exclusions()),
xrayplugin.WithSpecificTechnologies(params.Technologies()),
}
// Scan Strategies Options
scanGraphParams, err := params.ToXrayScanGraphParams()
2 changes: 0 additions & 2 deletions go.mod
Expand Up @@ -111,7 +111,6 @@ require (
github.com/spf13/viper v1.21.0 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/ulikunitz/xz v0.5.15 // indirect
github.com/urfave/cli/v2 v2.27.7 // indirect
github.com/vbatts/tar-split v0.12.2 // indirect
github.com/vbauerster/mpb/v8 v8.10.2 // indirect
github.com/xanzy/go-gitlab v0.110.0 // indirect
Expand All @@ -121,7 +120,6 @@ require (
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.45.0 // indirect
golang.org/x/mod v0.30.0 // indirect
15 changes: 0 additions & 15 deletions go.sum
Expand Up @@ -146,11 +146,6 @@ github.com/jedib0t/go-pretty/v6 v6.7.5 h1:9dJSWTJnsXJVVAbvxIFxeHf/JxoJd7GUl5o3Uz
github.com/jedib0t/go-pretty/v6 v6.7.5/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU=
github.com/jfrog/archiver/v3 v3.6.1 h1:LOxnkw9pOn45DzCbZNFV6K0+6dCsQ0L8mR3ZcujO5eI=
github.com/jfrog/archiver/v3 v3.6.1/go.mod h1:VgR+3WZS4N+i9FaDwLZbq+jeU4B4zctXL+gL4EMzfLw=
github.com/jfrog/build-info-go v1.12.5-0.20251209171349-eb030db986f9 h1:CL7lp7Y7srwQ1vy1btX66t4wbztzEGQbqi/9tdEz7xk=
github.com/jfrog/build-info-go v1.12.5-0.20251209171349-eb030db986f9/go.mod h1:9W4U440fdTHwW1HiB/R0VQvz/5q8ZHsms9MWcq+JrdY=
github.com/jfrog/build-info-go v1.13.0/go.mod h1:+OCtMb22/D+u7Wne5lzkjJjaWr0LRZcHlDwTH86Mpwo=
github.com/jfrog/build-info-go v1.13.1-0.20260106203543-03b99793ca5a/go.mod h1:+OCtMb22/D+u7Wne5lzkjJjaWr0LRZcHlDwTH86Mpwo=
github.com/jfrog/build-info-go v1.13.1-0.20260119231731-3cc4a0771bbd/go.mod h1:+OCtMb22/D+u7Wne5lzkjJjaWr0LRZcHlDwTH86Mpwo=
github.com/jfrog/build-info-go v1.13.1-0.20260120103048-d7f367bfa36e h1:STiWjuLtlEFR1H3kSKw6vDGhGdtUmV6O+ljPfrQ14sI=
github.com/jfrog/build-info-go v1.13.1-0.20260120103048-d7f367bfa36e/go.mod h1:+OCtMb22/D+u7Wne5lzkjJjaWr0LRZcHlDwTH86Mpwo=
github.com/jfrog/froggit-go v1.20.6 h1:Xp7+LlEh0m1KGrQstb+u0aGfjRUtv1eh9xQBV3571jQ=
Expand All @@ -159,16 +154,10 @@ github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s=
github.com/jfrog/gofrog v1.7.6/go.mod h1:ntr1txqNOZtHplmaNd7rS4f8jpA5Apx8em70oYEe7+4=
github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY=
github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251211075913-35ebcd308e93 h1:rpkJZN0TigpAGY/bfgmLO4nwhyhkr0gkBTLz/0B5zS8=
github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251211075913-35ebcd308e93/go.mod h1:7cCaRhXorlbyXZgiW5bplCExFxlnROaG21K12d8inpQ=
github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260120063955-c654c159290e h1:F/VQ7UJ4jaEr9tLJ8jLfy4BF4Obhhd0pWu007SBSHt8=
github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260120063955-c654c159290e/go.mod h1:LbhCULfa/eIPSXNgQ5Xw8BIZRmJ0qfF2I4sPa7AHXkY=
github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251210085744-f8481d179ac5 h1:GYE67ubwl+ZRw3CcXFUi49EwwQp6k+qS8sX0QuHDHO8=
github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251210085744-f8481d179ac5/go.mod h1:BMoGi2rG0udCCeaghqlNgiW3fTmT+TNnfTnBoWFYgcg=
github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260112010739-87fc7275623c h1:K9anqOZ7ASxlsijsl9u4jh92wqqIvJA4kTYfXrcOmJA=
github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260112010739-87fc7275623c/go.mod h1:+Hnaikp/xCSPD/q7txxRy4Zc0wzjW/usrCSf+6uONSQ=
github.com/jfrog/jfrog-client-go v1.55.1-0.20251217080430-c92b763b7465 h1:Ff3BlNPndrAfa1xFI/ORFzfWTxQxF0buWG61PEJwd3U=
github.com/jfrog/jfrog-client-go v1.55.1-0.20251217080430-c92b763b7465/go.mod h1:WQ5Y+oKYyHFAlCbHN925bWhnShTd2ruxZ6YTpb76fpU=
github.com/jfrog/jfrog-client-go v1.55.1-0.20260120055025-12f25e12798a h1:tbHqd+9SJB6pMJn9aXkD4aMYfwsKwah5kuhZV6Q+e88=
github.com/jfrog/jfrog-client-go v1.55.1-0.20260120055025-12f25e12798a/go.mod h1:sCE06+GngPoyrGO0c+vmhgMoVSP83UMNiZnIuNPzU8U=
github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
Expand Down Expand Up @@ -310,8 +299,6 @@ github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
github.com/urfave/cli v1.22.17 h1:SYzXoiPfQjHBbkYxbew5prZHS1TOLT3ierW8SYLqtVQ=
github.com/urfave/cli v1.22.17/go.mod h1:b0ht0aqgH/6pBYzzxURyrM4xXNgsoT/n2ZzwQiEhNVo=
github.com/urfave/cli/v2 v2.27.7 h1:bH59vdhbjLv3LAvIu6gd0usJHgoTTPhCFib8qqOwXYU=
github.com/urfave/cli/v2 v2.27.7/go.mod h1:CyNAG/xg+iAOg0N4MPGZqVmv2rCoP267496AOXUZjA4=
github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4=
github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
github.com/vbauerster/mpb/v8 v8.10.2 h1:2uBykSHAYHekE11YvJhKxYmLATKHAGorZwFlyNw4hHM=
Expand All @@ -333,8 +320,6 @@ github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofm
github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 h1:FnBeRrxr7OU4VvAzt5X7s6266i6cSVkkFPS0TuXWbIg=
github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
127 changes: 122 additions & 5 deletions sca/bom/xrayplugin/plugin/config.go
@@ -1,15 +1,132 @@
package plugin

import (
"github.com/jfrog/gofrog/datastructures"
"github.com/jfrog/jfrog-cli-security/utils/techutils"
)

// Config holds the configuration for Xray plugin library options.
type Config struct {
// The BOMRef of the scanned target, will be used at the Metadata and considered the Root.
BomRef string `json:"bom-ref,omitempty"`
BomRef string `json:"bom-ref,omitempty" yaml:"bom-ref,omitempty"`
// The component type of the target ("application" / "library" / "file"...), will be used at the Metadata component.
Type string `json:"type,omitempty"`
Type string `json:"type,omitempty" yaml:"type,omitempty"`
// The name of the target, will be used at the Metadata component.
Name string `json:"name,omitempty"`
Name string `json:"name,omitempty" yaml:"name,omitempty"`
// [Optional] The logging level for the scan process. if not set will get from environment variable or default to "info".
LogLevel string `json:"logLevel,omitempty" yaml:"logLevel,omitempty"`
// [Optional] The version of the target, will be used at the Metadata component.
Version string `json:"version,omitempty"`
Version string `json:"version,omitempty" yaml:"version,omitempty"`
// [Optional] Patterns (git ignore like) to ignore when scanning the target.
IgnorePatterns []string `json:"ignorePatterns,omitempty"`
IgnorePatterns []string `json:"ignorePatterns,omitempty" yaml:"ignorePatterns,omitempty"`
// [Optional] Scan passes to customize the scanning process.
ScanPasses []ScanPass `json:"passes,omitempty" yaml:"passes,omitempty"`
// [Optional] JFrog connection parameters for enhanced scanning capabilities.
JfrogConnection *JfrogConnectionParams `json:"jfrogConnection,omitempty" yaml:"jfrogConnection,omitempty"`
}

// ScanPass defines a single scan pass with specific engines
type ScanPass struct {
Name string `json:"name" yaml:"name"`
Extractors []string `json:"extractors,omitempty" yaml:"extractors,omitempty"`
Lookups []string `json:"lookups,omitempty" yaml:"lookups,omitempty"`
Aggregators []string `json:"aggregators,omitempty" yaml:"aggregators,omitempty"`
}

type JfrogConnectionParams struct {
Url string `json:"url" yaml:"url"`
AccessToken string `json:"token,omitempty" yaml:"token,omitempty"`
}

// TechEngines defines the extractors and aggregators for each technology
type TechEngines struct {
Extractors []string
Aggregators []string
}

// techToEnginesMap maps Technology to its corresponding extractors and aggregators
var techToEnginesMap = map[techutils.Technology]TechEngines{
techutils.Maven: {
Extractors: []string{"maven"},
Aggregators: []string{"maven"},
},
techutils.Gradle: {
Extractors: []string{"gradle", "gradle-lockfile"},
Aggregators: []string{"maven"},
},
techutils.Npm: {
Extractors: []string{"npm"},
Aggregators: []string{"npm"},
},
techutils.Yarn: {
Extractors: []string{"yarn"},
Aggregators: []string{"npm"},
},
techutils.Pnpm: {
Extractors: []string{"pnpm"},
Aggregators: []string{"npm"},
},
techutils.Go: {
Extractors: []string{"golang"},
Aggregators: []string{"golang"},
},
techutils.Pip: {
Extractors: []string{"pypi", "python-root"},
Aggregators: []string{"pypi"},
},
techutils.Pipenv: {
Extractors: []string{"pypi", "python-root"},
Aggregators: []string{"pypi"},
},
techutils.Poetry: {
Extractors: []string{"pyproject-toml", "python-root"},
Aggregators: []string{"pypi"},
},
techutils.Nuget: {
Extractors: []string{"nuget"},
Aggregators: []string{"nuget"},
},
techutils.Dotnet: {
Extractors: []string{"nuget"},
Aggregators: []string{"nuget"},
},
techutils.Conan: {
Extractors: []string{"conan"},
Aggregators: []string{"conan"},
},
techutils.Gem: {
Extractors: []string{"gems"},
Aggregators: []string{"gem"},
},
}

// TechToPasses generates a single scan pass with extractors and aggregators for the given technologies
func TechToPasses(technologies []techutils.Technology) []ScanPass {
if len(technologies) == 0 {

return nil
}
extractorSet := datastructures.MakeSet[string]()
aggregatorSet := datastructures.MakeSet[string]()
for _, tech := range technologies {
if engines, ok := techToEnginesMap[tech]; ok {
for _, extractor := range engines.Extractors {
extractorSet.Add(extractor)
}
for _, aggregator := range engines.Aggregators {
aggregatorSet.Add(aggregator)
}
}
}
// If no engines were found for the provided technologies, return nil
if extractorSet.Size() == 0 && aggregatorSet.Size() == 0 {
return nil
}
return []ScanPass{
{
Name: "Tech Specific Pass",
Extractors: extractorSet.ToSlice(),
Aggregators: aggregatorSet.ToSlice(),
},
}
}
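Review bot: `JfrogConnectionParams` is the one new type in this hunk without a doc comment, and its `AccessToken` field is a credential that is marshalled under the `token` key together with the rest of `Config`, so any caller that serializes or logs a populated Config will emit the secret; add `// JfrogConnectionParams carries the JFrog platform connection used for enhanced scanning. AccessToken is a credential: do not log or persist a serialized Config that contains it.` above the type, and consider `URL` rather than `Url` for the exported field per Go initialism convention (the json/yaml tags can stay `url`). In TechToPasses the extractor and aggregator order comes from `ToSlice()` on a set, which is presumably map-backed and therefore not stable across runs, so two scans of the same technologies can produce differently ordered passes and configs; sorting the two slices with `slices.Sort` before building the ScanPass would make the output reproducible. Technologies missing from `techToEnginesMap` are dropped silently in the loop, which makes a typo in the technology list hard to diagnose; a debug log in the `!ok` case would help. The stray blank line after `if len(technologies) == 0 {` should be removed.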
14 changes: 14 additions & 0 deletions sca/bom/xrayplugin/xraylibbom.go
Expand Up @@ -11,13 +11,15 @@ import (
"github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-cli-security/utils/formats/cdxutils"
"github.com/jfrog/jfrog-cli-security/utils/results"
"github.com/jfrog/jfrog-cli-security/utils/techutils"
"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
"github.com/jfrog/jfrog-client-go/utils/log"
)

type XrayLibBomGenerator struct {
binaryPath string
ignorePatterns []string
specificTechs []techutils.Technology
totalTargets int
}

Expand All @@ -33,6 +35,17 @@ func WithTotalTargets(totalTargets int) bom.SbomGeneratorOption {
}
}

func WithSpecificTechnologies(technologies []string) bom.SbomGeneratorOption {
return func(sg bom.SbomGenerator) {
if sbg, ok := sg.(*XrayLibBomGenerator); ok {
sbg.specificTechs = make([]techutils.Technology, 0, len(technologies))
for _, tech := range technologies {
sbg.specificTechs = append(sbg.specificTechs, techutils.Technology(tech))
}
}
}
}

func WithBinaryPath(binaryPath string) bom.SbomGeneratorOption {
return func(sg bom.SbomGenerator) {
if sbg, ok := sg.(*XrayLibBomGenerator); ok {
Expand Down Expand Up @@ -114,6 +127,7 @@ func (sbg *XrayLibBomGenerator) executeScanner(xrayLibBinary string, target resu
Type: string(cyclonedx.ComponentTypeFile),
Name: target.Target,
IgnorePatterns: sbg.ignorePatterns,
ScanPasses: plugin.TechToPasses(sbg.specificTechs),
}
if scanConfigStr, err := utils.GetAsJsonString(scanConfig, false, true); err == nil {
log.Debug(fmt.Sprintf("Scan configuration: %s", scanConfigStr))
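Review bot: The debug log at the end of this hunk serializes the entire plugin `Config`, and that type now carries `JfrogConnection.AccessToken`; the struct literal begins outside the hunk so I cannot see whether the connection is populated here, but if it ever is, the access token will be written to the debug log. Either log a copy with `JfrogConnection` cleared or, at minimum, pin the constraint at the call site with `// Config may carry credentials (JfrogConnection); keep them out of this debug output.`. In the `WithSpecificTechnologies` hunk above, each string is converted to `techutils.Technology` without validation, so an unrecognized value is silently ignored later by `plugin.TechToPasses`; a debug log for values that do not map to any engines would make misconfiguration visible. executeScanner's body continues beyond the hunk.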