2 changes: 0 additions & 2 deletions .github/workflows/embedded-jar-test.yml
Expand Up @@ -12,8 +12,6 @@ on:
jobs:
test:
runs-on: ubuntu-latest
env:
GOPROXY: direct
steps:
- uses: actions/checkout@v5

1 change: 0 additions & 1 deletion .github/workflows/test.yml
Expand Up @@ -22,7 +22,6 @@ concurrency:

# Environment variables shared across all jobs.
env:
GOPROXY: direct
GO_COMMON_TEST_ARGS: "-v github.com/jfrog/jfrog-cli-security --race --timeout 40m --jfrog.url=${{ secrets.PLATFORM_URL }} --jfrog.adminToken=${{ secrets.PLATFORM_ADMIN_TOKEN }} --test.containerRegistry=${{ secrets.CONTAINER_REGISTRY }}"
GRADLE_OPTS: -Dorg.gradle.daemon=false
CI: true
2 changes: 1 addition & 1 deletion artifactory_test.go
Expand Up @@ -119,7 +119,7 @@ func TestDependencyResolutionFromArtifactory(t *testing.T) {
for _, testCase := range testCases {
t.Run(testCase.projectType.String(), func(t *testing.T) {
if testCase.skipMsg != "" {
securityTestUtils.SkipTestIfDurationNotPassed(t, "01-04-2026", 60, testCase.skipMsg)
securityTestUtils.SkipTestIfDurationNotPassed(t, "01-06-2026", 60, testCase.skipMsg)
}
testSingleTechDependencyResolution(t, testCase.testProjectPath, testCase.resolveRepoName, testCase.cacheRepoName, testCase.projectType)
})
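Review bot: The bumped skip date `"01-06-2026"` on the new line is written in a layout that is ambiguous to a reader (6 January or 1 June), and nothing in the hunk says which layout SkipTestIfDurationNotPassed expects or why the skip keeps being extended. A short comment next to the call, e.g. `// skipped until <date> (layout as expected by SkipTestIfDurationNotPassed); see <tracking issue>` with the placeholders filled from the project's tracker, would make the intent reviewable instead of relying on the helper's source. The enclosing test function TestDependencyResolutionFromArtifactory starts and ends outside the hunk.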
4 changes: 2 additions & 2 deletions audit_test.go
Expand Up @@ -1116,8 +1116,8 @@ func TestAuditNewScaCycloneDxGradle(t *testing.T) {
assert.NoError(t, err)
validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
ExactResultsMatch: true,
Total: &validations.TotalCount{Vulnerabilities: 11, BomComponents: 7 + 1, Licenses: 3},
SbomComponents: &validations.SbomCount{Direct: 7, Root: 1},
Total: &validations.TotalCount{Vulnerabilities: 11, BomComponents: 6 + 1, Licenses: 3},
SbomComponents: &validations.SbomCount{Direct: 6, Root: 1},
Vulnerabilities: &validations.VulnerabilityCount{
ValidateScan: &validations.ScanCount{Sca: 11},
ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 5, NotApplicable: 1, MissingContext: 5},
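Review bot: The expected Gradle component count drops from `7 + 1` to `6 + 1` (and `Direct: 7` to `Direct: 6`) under `ExactResultsMatch: true`, but no comment records which component disappeared or why, so a later reader cannot tell whether the test now pins a resolver fix or silently accepts a lost dependency. The same applies to both git_test.go hunks, where the Sca, NotApplicable and NotCovered expectations shift without any explanation. A one-line comment above the changed literal, e.g. `// 6 direct components since <cause, e.g. the dependency bump in this PR>; root counted separately`, with the placeholder filled in, would document the baseline each assertion encodes. The enclosing test functions start and end outside the hunks.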
4 changes: 4 additions & 0 deletions commands/audit/audit.go
Expand Up @@ -809,6 +809,10 @@ func runParallelAuditScans(cmdResults *results.SecurityCommandResults, auditPara
if auditParams.BomGenerator() != nil {
cmdResults.AddGeneralError(auditParams.BomGenerator().CleanUp(), false)
}
// Merge contextual-analysis evidence into the canonical enriched SBOM.
if e := cmdResults.FinalizeEnrichedSbomsWithApplicability(); e != nil {
cmdResults.AddGeneralError(fmt.Errorf("failed to finalize enriched SBOMs with applicability: %s", e.Error()), false)
}
}).Start()
}

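Review bot: The new error on the `AddGeneralError` line is built with `%s` and `e.Error()`, which flattens the cause and discards any typed or sentinel error that consumers of the results could otherwise match with errors.Is or errors.As; wrapping with `%w` keeps the chain intact, and the redundant "failed to" prefix can go: `cmdResults.AddGeneralError(fmt.Errorf("finalizing enriched SBOMs with applicability: %w", e), false)`. The finalize step also runs after `BomGenerator().CleanUp()`; if finalization reads anything that clean-up removes, the two calls would need to be swapped, which cannot be confirmed from this hunk and is worth checking. The enclosing function runParallelAuditScans and the closure passed to `.Start()` both begin outside the hunk.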
8 changes: 4 additions & 4 deletions git_test.go
Expand Up @@ -307,8 +307,8 @@ func TestGitAuditJasSkipNotApplicableCvesViolations(t *testing.T) {
xrayVersion, xscVersion, "",
validations.ValidationParams{
Violations: &validations.ViolationCount{
ValidateScan: &validations.ScanCount{Sca: 20, Sast: 2, Secrets: 2},
ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotApplicable: 14, NotCovered: 6, Inactive: 2},
ValidateScan: &validations.ScanCount{Sca: 19, Sast: 2, Secrets: 2},
ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotApplicable: 15, NotCovered: 4, Inactive: 2},
},
ExactResultsMatch: true,
},
Expand Down Expand Up @@ -342,8 +342,8 @@ func TestGitAuditJasSkipNotApplicableCvesViolations(t *testing.T) {
xrayVersion, xscVersion, "",
validations.ValidationParams{
Violations: &validations.ViolationCount{
ValidateScan: &validations.ScanCount{Sca: 6, Sast: 2, Secrets: 2},
ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 6, Inactive: 2},
ValidateScan: &validations.ScanCount{Sca: 4, Sast: 2, Secrets: 2},
ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 4, Inactive: 2},
},
ExactResultsMatch: true,
},
8 changes: 4 additions & 4 deletions go.mod
Expand Up @@ -2,6 +2,8 @@ module github.com/jfrog/jfrog-cli-security

go 1.26.3

replace github.com/CycloneDX/cyclonedx-go => github.com/CycloneDX/cyclonedx-go v0.10.0

require (
github.com/CycloneDX/cyclonedx-go v0.11.0
github.com/beevik/etree v1.6.0
Expand All @@ -15,8 +17,8 @@ require (
github.com/jfrog/froggit-go v1.22.0
github.com/jfrog/gofrog v1.7.6
github.com/jfrog/jfrog-apps-config v1.0.1
github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260528073225-e2d59f90c8c6
github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260528061115-b41c87af0194
github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260603051001-7fc8a5fa0aaf
github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260601130310-8d52a530da18
github.com/jfrog/jfrog-client-go v1.55.1-0.20260528115006-6ca9682a3255
github.com/magiconair/properties v1.8.10
github.com/owenrumney/go-sarif/v3 v3.2.3
Expand Down Expand Up @@ -153,8 +155,6 @@ require (

// replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go master

replace github.com/CycloneDX/cyclonedx-go => github.com/CycloneDX/cyclonedx-go v0.10.0

// replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 master

//replace github.com/jfrog/jfrog-cli-artifactory => github.com/jfrog/jfrog-cli-artifactory main
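Review bot: The `replace` on the new line pins github.com/CycloneDX/cyclonedx-go to v0.10.0 while the `require` block two lines below asks for v0.11.0, and the directive carries no comment explaining the downgrade; the hunk only relocates it, so the reason stays undocumented. Because a replace makes the version actually built differ from the one the require line states, a comment such as `// Pinned to v0.10.0: <reason and tracking reference>` above the directive, with the placeholder filled in, would make the override reviewable and remind maintainers to drop it once the newer release is usable.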
8 changes: 4 additions & 4 deletions go.sum
Expand Up @@ -169,10 +169,10 @@ github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s=
github.com/jfrog/gofrog v1.7.6/go.mod h1:ntr1txqNOZtHplmaNd7rS4f8jpA5Apx8em70oYEe7+4=
github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY=
github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260528073225-e2d59f90c8c6 h1:E2oWXSoOPzBvrh+SL4IrlmnddasBQinjPSbFfKwhIYg=
github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260528073225-e2d59f90c8c6/go.mod h1:GQEGVW3wT1XPykXNsEiPQrF8/+01JvDVcGGYb5vqJuE=
github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260528061115-b41c87af0194 h1:cwppCKLitT0XBqYGQimW00qyx1ej88sY+rIjXAWNvAU=
github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260528061115-b41c87af0194/go.mod h1:9R90mhbczGXwW5EGlDs7F08ejQU/xdoDhYHMvzBiqgE=
github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260603051001-7fc8a5fa0aaf h1:NZWLCXpZul76hLarV4QYt35mxtcHo/xakMomNfIIdls=
github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260603051001-7fc8a5fa0aaf/go.mod h1:GQEGVW3wT1XPykXNsEiPQrF8/+01JvDVcGGYb5vqJuE=
github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260601130310-8d52a530da18 h1:tPv7XscDFAZaijVwMQNb+HmuucUMYQdjuA5frdGzhF0=
github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260601130310-8d52a530da18/go.mod h1:9R90mhbczGXwW5EGlDs7F08ejQU/xdoDhYHMvzBiqgE=
github.com/jfrog/jfrog-client-go v1.55.1-0.20260528115006-6ca9682a3255 h1:CIOMO1Hj5N6PaIu7sJZ9bPowcibkcaWDulM2R6LHO9o=
github.com/jfrog/jfrog-client-go v1.55.1-0.20260528115006-6ca9682a3255/go.mod h1:FHpjN1nTDoj96xd6obe27EOgGErqzU0rQgC96L3Ch9E=
github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=