Publish Scan Results to Gitlab Dashboards (#1268)

* save results in gitlab format

* with tests

* static analysis fix

* with applicability status

* update Identifier column with cve id

* reachable column

* with cwe

* fixed format issues

* with reachability field

* with reachability field

* fix Reachabe field

* test fix

* after cr

* after cr

* after cr

* after cr

Author: orto17

scanrepository/scanrepository.go

@@ -4,12 +4,13 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"github.com/jfrog/frogbot/v2/packageupdaters"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 
+	"github.com/jfrog/frogbot/v2/packageupdaters"
+
 	"github.com/go-git/go-git/v5"
 	biutils "github.com/jfrog/build-info-go/utils"
 
@@ -153,9 +154,10 @@ func (sr *ScanRepositoryCmd) scanAndFixBranch(repository *utils.Repository) (tot
 	}()
 	totalFindings = getTotalFindingsFromScanResults(scanResults)
 	sr.uploadResultsToGithubDashboardsIfNeeded(repository, scanResults)
+	sr.uploadGitLabScanResultsIfNeeded(repository, scanResults)
 
 	if !repository.Params.FrogbotConfig.CreateAutoFixPr {
-		log.Info(fmt.Sprintf("This command is running in detection mode only. To enable automatic fixing of issues, set the '%s' flag under the repository's coniguration settings in Jfrog platform", createAutoFixPrConfigNameInProfile))
+		log.Info(fmt.Sprintf("This command is running in detection mode only. To enable automatic fixing of issues, set the '%s' flag under the repository's configuration settings in Jfrog platform", createAutoFixPrConfigNameInProfile))
 		return totalFindings, nil
 	}
 
@@ -185,6 +187,16 @@ func getTotalFindingsFromScanResults(scanResults *results.SecurityCommandResults
 	return findingCount
 }
 
+func (sr *ScanRepositoryCmd) uploadGitLabScanResultsIfNeeded(repository *utils.Repository, scanResults *results.SecurityCommandResults) {
+	if repository.Params.Git.GitProvider != vcsutils.GitLab || repository.Params.Git.GitlabScanResultsOutputDir == "" {
+		return
+	}
+	log.Debug(fmt.Sprintf("Trying to save scan results to directory: %s", repository.Params.Git.GitlabScanResultsOutputDir))
+	if writeErr := utils.WriteScanResultsToGitlabDir(repository.Params.Git.GitlabScanResultsOutputDir, scanResults, sr.scanDetails.StartTime); writeErr != nil {
+		log.Warn(fmt.Sprintf("Failed to write scan results to directory: %s", writeErr.Error()))
+	}
+}
+
 func (sr *ScanRepositoryCmd) uploadResultsToGithubDashboardsIfNeeded(repository *utils.Repository, scanResults *results.SecurityCommandResults) {
 	if repository.Params.Git.GitProvider.String() == vcsutils.GitHub.String() {
 		// Uploads Sarif results to GitHub in order to view the scan in the code scanning UI

utils/consts.go

@@ -43,10 +43,11 @@ const (
 	GitDependencyGraphSubmissionEnv = "JF_UPLOAD_SBOM_TO_VCS"
 
 	//#nosec G101 -- False positive - no hardcoded credentials.
-	GitTokenEnv         = "JF_GIT_TOKEN"
-	GitBaseBranchEnv    = "JF_GIT_BASE_BRANCH"
-	GitPullRequestIDEnv = "JF_GIT_PULL_REQUEST_ID"
-	GitApiEndpointEnv   = "JF_GIT_API_ENDPOINT"
+	GitTokenEnv                   = "JF_GIT_TOKEN"
+	GitBaseBranchEnv              = "JF_GIT_BASE_BRANCH"
+	GitPullRequestIDEnv           = "JF_GIT_PULL_REQUEST_ID"
+	GitApiEndpointEnv             = "JF_GIT_API_ENDPOINT"
+	GitlabScanResultsOutputDirEnv = "JF_SCAN_RESULTS_OUTPUT_DIR"
 
 	// Placeholders for templates
 	PackagePlaceHolder    = "{IMPACTED_PACKAGE}"

utils/getconfiguration.go

@@ -69,12 +69,13 @@ func (jp *JFrogPlatform) setJfProjectKeyIfExists() (err error) {
 type Git struct {
 	GitProvider vcsutils.VcsProvider
 	vcsclient.VcsInfo
-	RepoOwner          string
-	RepoName           string
-	Branches           []string
-	PullRequestDetails vcsclient.PullRequestInfo
-	RepositoryCloneUrl string
-	UploadSbomToVcs    *bool
+	RepoOwner                  string
+	RepoName                   string
+	Branches                   []string
+	PullRequestDetails         vcsclient.PullRequestInfo
+	RepositoryCloneUrl         string
+	UploadSbomToVcs            *bool
+	GitlabScanResultsOutputDir string
 }
 
 func (g *Git) GetRepositoryHttpsCloneUrl(gitClient vcsclient.VcsClient) (string, error) {
@@ -96,6 +97,7 @@ func (g *Git) setDefaultsIfNeeded(gitParamsFromEnv *Git, commandName string) (er
 	g.VcsInfo = gitParamsFromEnv.VcsInfo
 	g.PullRequestDetails = gitParamsFromEnv.PullRequestDetails
 	g.RepoName = gitParamsFromEnv.RepoName
+	g.GitlabScanResultsOutputDir = gitParamsFromEnv.GitlabScanResultsOutputDir
 
 	if commandName == ScanPullRequest {
 		if gitParamsFromEnv.PullRequestDetails.ID == 0 {
@@ -428,6 +430,8 @@ func extractGitParamsFromEnvs() (*Git, error) {
 		gitEnvParams.PullRequestDetails = vcsclient.PullRequestInfo{ID: int64(convertedPrId)}
 	}
 
+	gitEnvParams.GitlabScanResultsOutputDir = getTrimmedEnv(GitlabScanResultsOutputDirEnv)
+
 	return gitEnvParams, nil
 }
 

utils/gitlabreport/cyclonedx_gitlab_reachability.go

@@ -0,0 +1,223 @@
+package gitlabreport
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/CycloneDX/cyclonedx-go"
+	"github.com/jfrog/jfrog-cli-security/utils/formats"
+	"github.com/jfrog/jfrog-cli-security/utils/formats/cdxutils"
+	"github.com/jfrog/jfrog-cli-security/utils/jasutils"
+	"github.com/jfrog/jfrog-cli-security/utils/results"
+	"github.com/jfrog/jfrog-cli-security/utils/results/conversion"
+	"github.com/jfrog/jfrog-client-go/utils/log"
+)
+
+// GitLab documents native "Reachable" (Yes / Not Found / Not Available) from CycloneDX
+// component properties, not from gl-dependency-scanning-report.json details.
+// See: https://docs.gitlab.com/development/sec/cyclonedx_property_taxonomy/
+const (
+	gitlabMetaSchemaVersionProp           = "gitlab:meta:schema_version"
+	gitlabDependencyScanningInputFilePath = "gitlab:dependency_scanning:input_file:path"
+	gitlabDependencyScanningReachability  = "gitlab:dependency_scanning_component:reachability"
+	gitlabReachabilityInUse               = "in_use"
+	gitlabReachabilityNotFound            = "not_found"
+)
+
+// reachRank orders contextual-analysis outcomes for merging multiple findings on one dependency.
+type reachRank int
+
+const (
+	reachNone reachRank = iota
+	reachNotFound
+	reachInUse
+)
+
+// EnrichCycloneDXBOMForGitLabReachability adds GitLab CycloneDX properties so the Security UI
+// "Reachable" field reflects JFrog contextual analysis: Applicable → in_use, other assessed → not_found,
+// no applicability data → omitted (shows as "Not Available").
+func EnrichCycloneDXBOMForGitLabReachability(bom *cyclonedx.BOM, scanResults *results.SecurityCommandResults) {
+	if bom == nil || scanResults == nil {
+		return
+	}
+	if bom.Metadata == nil {
+		bom.Metadata = &cyclonedx.Metadata{}
+	}
+	bom.Metadata.Properties = cdxutils.AppendProperties(bom.Metadata.Properties, cyclonedx.Property{
+		Name:  gitlabMetaSchemaVersionProp,
+		Value: "1",
+	})
+
+	convertor := conversion.NewCommandResultsConvertor(conversion.ResultConvertParams{
+		IncludeVulnerabilities: true,
+		HasViolationContext:    scanResults.HasViolationContext(),
+	})
+	simpleJSON, err := convertor.ConvertToSimpleJson(scanResults)
+	if err != nil {
+		log.Warn(fmt.Sprintf("GitLab reachability: skipping CycloneDX enrichment, simple JSON conversion failed: %v", err))
+		return
+	}
+
+	depInfo := make(map[string]*depReachInfo)
+	for i := range simpleJSON.Vulnerabilities {
+		mergeRowReachability(depInfo, &simpleJSON.Vulnerabilities[i])
+	}
+	for i := range simpleJSON.SecurityViolations {
+		mergeRowReachability(depInfo, &simpleJSON.SecurityViolations[i])
+	}
+
+	// When the whole scan uses one lockfile (typical), set it on metadata too so GitLab can
+	// correlate SBOM reachability with dependency-scanning findings (per taxonomy).
+	if f := uniqueInputFileFromDepInfo(depInfo); f != "" {
+		bom.Metadata.Properties = cdxutils.AppendProperties(bom.Metadata.Properties, cyclonedx.Property{
+			Name:  gitlabDependencyScanningInputFilePath,
+			Value: f,
+		})
+	}
+
+	if bom.Metadata.Component != nil {
+		walkComponentTree(bom.Metadata.Component, depInfo)
+	}
+	walkComponentSlice(bom.Components, depInfo)
+}
+
+type depReachInfo struct {
+	rank      reachRank
+	inputFile string
+}
+
+// uniqueInputFileFromDepInfo returns the single lock/manifest file shared by all assessed dependencies,
+// or empty if there are zero or more than one (multiple lockfiles: do not guess metadata-level path).
+func uniqueInputFileFromDepInfo(depInfo map[string]*depReachInfo) string {
+	seen := make(map[string]struct{})
+	for _, info := range depInfo {
+		if info == nil || info.rank <= reachNone {
+			continue
+		}
+		if f := strings.TrimSpace(info.inputFile); f != "" {
+			seen[f] = struct{}{}
+		}
+	}
+	if len(seen) == 1 {
+		for f := range seen {
+			return f
+		}
+	}
+	return ""
+}
+
+func mergeRowReachability(depInfo map[string]*depReachInfo, v *formats.VulnerabilityOrViolationRow) {
+	r, ok := gitlabReachabilityRankForRow(v)
+	if !ok {
+		return
+	}
+	name := strings.TrimSpace(v.ImpactedDependencyName)
+	if name == "" {
+		return
+	}
+	key := dependencyReachabilityKey(name, strings.TrimSpace(v.ImpactedDependencyVersion))
+	inFile := rowPreferredInputFile(v)
+	cur := depInfo[key]
+	if cur == nil {
+		cur = &depReachInfo{}
+		depInfo[key] = cur
+	}
+	if r > cur.rank {
+		cur.rank = r
+		if inFile != "" {
+			cur.inputFile = inFile
+		}
+	} else if r == cur.rank && cur.inputFile == "" && inFile != "" {
+		cur.inputFile = inFile
+	}
+}
+
+func rowPreferredInputFile(v *formats.VulnerabilityOrViolationRow) string {
+	for _, comp := range v.Components {
+		if comp.PreferredLocation != nil {
+			if f := strings.TrimSpace(comp.PreferredLocation.File); f != "" {
+				return f
+			}
+		}
+		for _, ev := range comp.Evidences {
+			if f := strings.TrimSpace(ev.File); f != "" {
+				return f
+			}
+		}
+	}
+	return strings.TrimSpace(manifestFileForTechnology(v.Technology))
+}
+
+func dependencyReachabilityKey(name, version string) string {
+	return name + "\x00" + version
+}
+
+func gitlabReachabilityRankForRow(v *formats.VulnerabilityOrViolationRow) (reachRank, bool) {
+	switch rowFinalApplicabilityStatus(v) {
+	case jasutils.NotScanned:
+		return reachNone, false
+	case jasutils.Applicable:
+		return reachInUse, true
+	default:
+		return reachNotFound, true
+	}
+}
+
+func walkComponentSlice(list *[]cyclonedx.Component, depInfo map[string]*depReachInfo) {
+	if list == nil {
+		return
+	}
+	for i := range *list {
+		walkComponentTree(&(*list)[i], depInfo)
+	}
+}
+
+func walkComponentTree(c *cyclonedx.Component, depInfo map[string]*depReachInfo) {
+	if c == nil {
+		return
+	}
+	if idx := strings.Index(c.PackageURL, "?"); idx != -1 {
+		c.PackageURL = c.PackageURL[:idx]
+	}
+	if info := bestReachInfoForComponent(c, depInfo); info != nil && info.rank > reachNone {
+		if info.inputFile != "" {
+			c.Properties = cdxutils.AppendProperties(c.Properties, cyclonedx.Property{
+				Name:  gitlabDependencyScanningInputFilePath,
+				Value: info.inputFile,
+			})
+		}
+		val := gitlabReachabilityNotFound
+		if info.rank == reachInUse {
+			val = gitlabReachabilityInUse
+		}
+		c.Properties = cdxutils.AppendProperties(c.Properties, cyclonedx.Property{
+			Name:  gitlabDependencyScanningReachability,
+			Value: val,
+		})
+	}
+	walkComponentSlice(c.Components, depInfo)
+}
+
+func bestReachInfoForComponent(c *cyclonedx.Component, depInfo map[string]*depReachInfo) *depReachInfo {
+	var best *depReachInfo
+	for _, key := range componentDependencyMatchKeys(c) {
+		if cur := depInfo[key]; cur != nil && (best == nil || cur.rank > best.rank) {
+			best = cur
+		}
+	}
+	return best
+}
+
+func componentDependencyMatchKeys(c *cyclonedx.Component) []string {
+	name := strings.TrimSpace(c.Name)
+	ver := strings.TrimSpace(c.Version)
+	if name == "" {
+		return nil
+	}
+	var keys []string
+	if g := strings.TrimSpace(c.Group); g != "" {
+		keys = append(keys, dependencyReachabilityKey(g+":"+name, ver))
+	}
+	keys = append(keys, dependencyReachabilityKey(name, ver))
+	return keys
+}