Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -129,14 +129,16 @@ require (
gopkg.in/yaml.v3 v3.0.1 // indirect
)

// replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security dev
//orto:missconfiguration-service
replace github.com/jfrog/jfrog-cli-security => github.com/orto17/jfrog-cli-security v0.0.0-20260616102058-ea6b4c628c96

// replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev

// replace github.com/jfrog/jfrog-cli-artifactory => github.com/jfrog/jfrog-cli-artifactory main

// replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go dev

// replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go master
//orto:missconfiguration-service
replace github.com/jfrog/jfrog-client-go => github.com/orto17/jfrog-client-go v0.0.0-20260601083500-656c0e8d801d

// replace github.com/jfrog/froggit-go => github.com/jfrog/froggit-go master
9 changes: 5 additions & 4 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -150,10 +150,6 @@ github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260528123948-61478692b94e h1:q
github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260528123948-61478692b94e/go.mod h1:GQEGVW3wT1XPykXNsEiPQrF8/+01JvDVcGGYb5vqJuE=
github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260528061115-b41c87af0194 h1:cwppCKLitT0XBqYGQimW00qyx1ej88sY+rIjXAWNvAU=
github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260528061115-b41c87af0194/go.mod h1:9R90mhbczGXwW5EGlDs7F08ejQU/xdoDhYHMvzBiqgE=
github.com/jfrog/jfrog-cli-security v1.29.3 h1:cIoDn5NkhmrVANUr22H2IVwYjqeFTA+e61lb4qE+8X8=
github.com/jfrog/jfrog-cli-security v1.29.3/go.mod h1:wTdl1sSLyq+TzOPnncxBBhqCKEqF2kp9l86k+Y5E3mM=
github.com/jfrog/jfrog-client-go v1.55.1-0.20260528115006-6ca9682a3255 h1:CIOMO1Hj5N6PaIu7sJZ9bPowcibkcaWDulM2R6LHO9o=
github.com/jfrog/jfrog-client-go v1.55.1-0.20260528115006-6ca9682a3255/go.mod h1:FHpjN1nTDoj96xd6obe27EOgGErqzU0rQgC96L3Ch9E=
github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo=
github.com/kevinburke/ssh_config v1.6.0 h1:J1FBfmuVosPHf5GRdltRLhPJtJpTlMdKTBjRgTaQBFY=
Expand Down Expand Up @@ -211,6 +207,11 @@ github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
github.com/orto17/jfrog-cli-security v0.0.0-20260616085217-c971fe434253 h1:WuiE3pYkkZKWNJ7+HZJTAXezS6snVAnmrITCWa3kqJM=
github.com/orto17/jfrog-cli-security v0.0.0-20260616085217-c971fe434253/go.mod h1:hGz5P+VN0rt7Qoo9lRhjgY3+NCam7hG99BHMJ7Cp8l4=
github.com/orto17/jfrog-cli-security v0.0.0-20260616102058-ea6b4c628c96/go.mod h1:hGz5P+VN0rt7Qoo9lRhjgY3+NCam7hG99BHMJ7Cp8l4=
github.com/orto17/jfrog-client-go v0.0.0-20260601083500-656c0e8d801d h1:rrT1bx+DqF4SrKHtsy0lx/mnSvSsRzYx9DLZhDmGsDM=
github.com/orto17/jfrog-client-go v0.0.0-20260601083500-656c0e8d801d/go.mod h1:FHpjN1nTDoj96xd6obe27EOgGErqzU0rQgC96L3Ch9E=
github.com/owenrumney/go-sarif/v3 v3.2.3 h1:n6mdX5ugKwCrZInvBsf6WumXmpAe3mbmQXgkXlIq34U=
github.com/owenrumney/go-sarif/v3 v3.2.3/go.mod h1:1bV7t8SZg7pX41spaDkEUs8/yEjzk9JapztMoX1XNjg=
github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs=
Expand Down
20 changes: 19 additions & 1 deletion scanpullrequest/scanpullrequest.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,12 @@ import (
"context"
"errors"
"fmt"
"github.com/jfrog/gofrog/datastructures"
"os"
"path/filepath"
"strings"

"github.com/jfrog/gofrog/datastructures"

"github.com/jfrog/froggit-go/vcsclient"
"github.com/jfrog/jfrog-cli-security/utils/formats"
"github.com/jfrog/jfrog-cli-security/utils/jasutils"
Expand Down Expand Up @@ -193,6 +194,7 @@ func filterFailedResultsIfScannersFailuresAreAllowed(targetResults, sourceResult
filterScaResultsIfScanFailed(targetSourceResultsPair.target, targetSourceResultsPair.source)
filterJasResultsIfScanFailed(targetSourceResultsPair.target, targetSourceResultsPair.source, results.CmdStepContextualAnalysis)
filterJasResultsIfScanFailed(targetSourceResultsPair.target, targetSourceResultsPair.source, results.CmdStepSecrets)
filterJasResultsIfScanFailed(targetSourceResultsPair.target, targetSourceResultsPair.source, results.CmdStepServices)
filterJasResultsIfScanFailed(targetSourceResultsPair.target, targetSourceResultsPair.source, results.CmdStepIaC)
filterJasResultsIfScanFailed(targetSourceResultsPair.target, targetSourceResultsPair.source, results.CmdStepSast)
}
Expand All @@ -202,6 +204,7 @@ func filterFailedResultsIfScannersFailuresAreAllowed(targetResults, sourceResult
filterScaResultsIfScanFailed(targetSourceResultsPair.target, targetSourceResultsPair.source)
filterJasResultsIfScanFailed(targetSourceResultsPair.target, targetSourceResultsPair.source, results.CmdStepContextualAnalysis)
filterJasResultsIfScanFailed(targetSourceResultsPair.target, targetSourceResultsPair.source, results.CmdStepSecrets)
filterJasResultsIfScanFailed(targetSourceResultsPair.target, targetSourceResultsPair.source, results.CmdStepServices)
filterJasResultsIfScanFailed(targetSourceResultsPair.target, targetSourceResultsPair.source, results.CmdStepIaC)
filterJasResultsIfScanFailed(targetSourceResultsPair.target, targetSourceResultsPair.source, results.CmdStepSast)
}
Expand All @@ -211,6 +214,7 @@ func filterFailedResultsIfScannersFailuresAreAllowed(targetResults, sourceResult
filterScaResultsIfScanFailed(nil, sourceResult)
filterJasResultsIfScanFailed(nil, sourceResult, results.CmdStepContextualAnalysis)
filterJasResultsIfScanFailed(nil, sourceResult, results.CmdStepSecrets)
filterJasResultsIfScanFailed(nil, sourceResult, results.CmdStepServices)
filterJasResultsIfScanFailed(nil, sourceResult, results.CmdStepIaC)
filterJasResultsIfScanFailed(nil, sourceResult, results.CmdStepSast)
}
Expand Down Expand Up @@ -254,6 +258,12 @@ func filterSpecificScannersViolationsIfScanFailed(sourceResults *results.Securit
sourceResults.Violations.Secrets = nil
}

if (sourceStatusCodes.ServicesScanStatusCode != nil && *sourceStatusCodes.ServicesScanStatusCode != 0) ||
(targetStatusCodes.ServicesScanStatusCode != nil && *targetStatusCodes.ServicesScanStatusCode != 0) {
log.Debug(fmt.Sprintf(violationsFilteringErrorMessage, results.CmdStepServices))
sourceResults.Violations.Services = nil
}

if (sourceStatusCodes.IacScanStatusCode != nil && *sourceStatusCodes.IacScanStatusCode != 0) ||
(targetStatusCodes.IacScanStatusCode != nil && *targetStatusCodes.IacScanStatusCode != 0) {
log.Debug(fmt.Sprintf(violationsFilteringErrorMessage, results.CmdStepIaC))
Expand Down Expand Up @@ -352,6 +362,10 @@ func filterJasResultsIfScanFailed(targetResult, sourceResult *results.TargetResu
if sourceResult.JasResults != nil {
sourceResult.JasResults.JasVulnerabilities.SecretsScanResults = nil
}
case results.CmdStepServices:
if sourceResult.JasResults != nil {
sourceResult.JasResults.JasVulnerabilities.ServicesScanResults = nil
}
case results.CmdStepIaC:
if sourceResult.JasResults != nil {
sourceResult.JasResults.JasVulnerabilities.IacScanResults = nil
Expand Down Expand Up @@ -443,6 +457,9 @@ func scanResultsToIssuesCollection(scanResults *results.SecurityCommandResults,
SecretsVulnerabilities: simpleJsonResults.SecretsVulnerabilities,
SecretsViolations: simpleJsonResults.SecretsViolations,

ServicesVulnerabilities: simpleJsonResults.ServicesVulnerabilities,
ServicesViolations: simpleJsonResults.ServicesViolations,

SastVulnerabilities: simpleJsonResults.SastVulnerabilities,
SastViolations: simpleJsonResults.SastViolations,
}
Expand Down Expand Up @@ -478,6 +495,7 @@ func getScanStatus(cmdResults ...formats.SimpleJsonResults) formats.ScanStatus {
statuses.ScaStatusCode = getWorstScanStatus(statuses.ScaStatusCode, sourceResults.Statuses.ScaStatusCode)
statuses.IacStatusCode = getWorstScanStatus(statuses.IacStatusCode, sourceResults.Statuses.IacStatusCode)
statuses.SecretsStatusCode = getWorstScanStatus(statuses.SecretsStatusCode, sourceResults.Statuses.SecretsStatusCode)
statuses.ServicesStatusCode = getWorstScanStatus(statuses.ServicesStatusCode, sourceResults.Statuses.ServicesStatusCode)
statuses.SastStatusCode = getWorstScanStatus(statuses.SastStatusCode, sourceResults.Statuses.SastStatusCode)
statuses.ApplicabilityStatusCode = getWorstScanStatus(statuses.ApplicabilityStatusCode, sourceResults.Statuses.ApplicabilityStatusCode)
}
Expand Down
40 changes: 40 additions & 0 deletions scanpullrequest/scanpullrequest_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,7 @@ func TestScanResultsToIssuesCollection(t *testing.T) {
ContextualAnalysisStatusCode: securityutils.NewIntPtr(0),
IacScanStatusCode: securityutils.NewIntPtr(0),
SecretsScanStatusCode: securityutils.NewIntPtr(0),
ServicesScanStatusCode: securityutils.NewIntPtr(0),
SastScanStatusCode: securityutils.NewIntPtr(0),
},
ScanTarget: results.ScanTarget{Target: "dummy"},
Expand Down Expand Up @@ -121,6 +122,21 @@ func TestScanResultsToIssuesCollection(t *testing.T) {
),
),
},
ServicesScanResults: func() []*sarif.Run {
serviceRule := sarif.NewRule("service-rule")
serviceResult := sarifutils.CreateResultWithProperties(
"Exposed service endpoint", "service-rule",
severityutils.SeverityToSarifSeverityLevel(severityutils.High).String(),
map[string]string{
sarifutils.CWEPropertyKey: "CWE-918",
sarifutils.OutcomesPropertyKey: "publicly-exposed",
},
sarifutils.CreateLocation("service.yaml", 3, 4, 5, 6, "port: 8080"),
)
serviceRun := sarifutils.CreateRunWithDummyResults(serviceResult)
serviceRun.Tool.Driver.Rules = []*sarif.ReportingDescriptor{serviceRule}
return []*sarif.Run{serviceRun}
}(),
},
},
}}}
Expand Down Expand Up @@ -208,6 +224,28 @@ func TestScanResultsToIssuesCollection(t *testing.T) {
},
},
},
ServicesVulnerabilities: []formats.SourceCodeRow{
{
SeverityDetails: formats.SeverityDetails{
Severity: "High",
SeverityNumValue: 31,
},
Finding: "Exposed service endpoint",
Outcomes: "publicly-exposed",
ScannerInfo: formats.ScannerInfo{
RuleId: "service-rule",
Cwe: []string{"CWE-918"},
},
Location: formats.Location{
File: "service.yaml",
StartLine: 3,
StartColumn: 4,
EndLine: 5,
EndColumn: 6,
Snippet: "port: 8080",
},
},
},
}

issuesRows, err := scanResultsToIssuesCollection(auditResults)
Expand All @@ -217,6 +255,7 @@ func TestScanResultsToIssuesCollection(t *testing.T) {
assert.ElementsMatch(t, expectedOutput.IacVulnerabilities, issuesRows.IacVulnerabilities)
assert.ElementsMatch(t, expectedOutput.SecretsVulnerabilities, issuesRows.SecretsVulnerabilities)
assert.ElementsMatch(t, expectedOutput.SastVulnerabilities, issuesRows.SastVulnerabilities)
assert.ElementsMatch(t, expectedOutput.ServicesVulnerabilities, issuesRows.ServicesVulnerabilities)
assert.ElementsMatch(t, expectedOutput.LicensesViolations, issuesRows.LicensesViolations)
}
}
Expand Down Expand Up @@ -1333,6 +1372,7 @@ func TestIsScanFailedInSourceOrTarget(t *testing.T) {
}

func preparePullRequestTest(t *testing.T, projectName string) (utils.Repository, vcsclient.VcsClient, func()) {
utils.SkipIfNoJFrogEnv(t)
params, restoreEnv := utils.VerifyEnv(t)

// Set test-specific environment variables
Expand Down
11 changes: 6 additions & 5 deletions scanrepository/scanrepository_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ import (
"encoding/json"
"errors"
"fmt"
services2 "github.com/jfrog/jfrog-client-go/xsc/services"
"io"
"net/http"
"net/http/httptest"
Expand All @@ -15,6 +14,8 @@ import (
"strings"
"testing"

services2 "github.com/jfrog/jfrog-client-go/xsc/services"

"github.com/CycloneDX/cyclonedx-go"
"github.com/go-git/go-git/v5/plumbing"
"github.com/go-git/go-git/v5/plumbing/protocol/packp"
Expand Down Expand Up @@ -499,7 +500,7 @@ func TestCreateVulnerabilitiesMap(t *testing.T) {
ResultsMetaData: results.ResultsMetaData{
ResultContext: results.ResultContext{IncludeVulnerabilities: true}},
Targets: []*results.TargetResults{{
ScanTarget: results.ScanTarget{Target: "target1", Technologies: []techutils.Technology{techutils.Npm}},
ScanTarget: results.ScanTarget{Target: "target1", Technology: techutils.Npm},
ScaResults: &results.ScaScanResults{
Sbom: loadTestSBOM(t, "sbom_with_vulnerabilities.json"),
},
Expand All @@ -521,7 +522,7 @@ func TestCreateVulnerabilitiesMap(t *testing.T) {
ResultsMetaData: results.ResultsMetaData{
ResultContext: results.ResultContext{IncludeVulnerabilities: true}},
Targets: []*results.TargetResults{{
ScanTarget: results.ScanTarget{Target: "target1", Technologies: []techutils.Technology{techutils.Npm}},
ScanTarget: results.ScanTarget{Target: "target1", Technology: techutils.Npm},
ScaResults: &results.ScaScanResults{
Sbom: loadTestSBOM(t, "sbom_multiple_vulns_same_pkg.json"),
},
Expand All @@ -541,7 +542,7 @@ func TestCreateVulnerabilitiesMap(t *testing.T) {
ResultsMetaData: results.ResultsMetaData{
ResultContext: results.ResultContext{IncludeVulnerabilities: true}},
Targets: []*results.TargetResults{{
ScanTarget: results.ScanTarget{Target: "target1", Technologies: []techutils.Technology{techutils.Npm}},
ScanTarget: results.ScanTarget{Target: "target1", Technology: techutils.Npm},
ScaResults: &results.ScaScanResults{
Sbom: loadTestSBOM(t, "sbom_no_fix_version.json"),
},
Expand All @@ -561,7 +562,7 @@ func TestCreateVulnerabilitiesMap(t *testing.T) {
ResultsMetaData: results.ResultsMetaData{
ResultContext: results.ResultContext{Watches: []string{"w1"}}},
Targets: []*results.TargetResults{{
ScanTarget: results.ScanTarget{Target: "target1", Technologies: []techutils.Technology{techutils.Npm}},
ScanTarget: results.ScanTarget{Target: "target1", Technology: techutils.Npm},
}},
Violations: &violationutils.Violations{
Sca: []violationutils.CveViolation{
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@


---
## 🔌 Services Vulnerability

---
| Severity | CWE | Outcomes | Finding |
| :---------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: |
| High | CWE-918 | publicly-exposed | Exposed service endpoint |


---
### Full description

---



---
### Vulnerability Details

---
| | |
| --------------------- | :-----------------------------------: |
| **CWE:** | CWE-918 |
| **Rule ID:** | service-rule |
| **CWE:** | CWE-918 |

Services scanner description

Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@

## 🔌 Services Vulnerability
<div align='center'>

| Severity | CWE | Outcomes | Finding |
| :---------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: |
| ![high](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)<br> High | CWE-918 | publicly-exposed | Exposed service endpoint |

</div>


<details><summary><b>Full description</b></summary>

### Vulnerability Details
| | |
| --------------------- | :-----------------------------------: |
| **CWE:** | CWE-918 |
| **Rule ID:** | service-rule |
| **CWE:** | CWE-918 |

Services scanner description

<br></details>
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@


---
## 🔌 Services Violation

---
| Severity | ID | CWE | Outcomes | Finding | Watch Name | Policies |
| :---------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: |
| Critical | services-violation-id | CWE-200 | misconfigured-port | Misconfigured service port | services-watch | policy1 |


---
### Full description

---



---
### Violation Details

---
| | |
| --------------------- | :-----------------------------------: |
| **CWE:** | CWE-200 |
| **Rule ID:** | service-rule |
| **CWE:** | CWE-200 |

Services scanner description

Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@

## 🔌 Services Violation
<div align='center'>

| Severity | ID | CWE | Outcomes | Finding | Watch Name | Policies |
| :---------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: |
| ![critical](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableCriticalSeverity.png)<br>Critical | services-violation-id | CWE-200 | misconfigured-port | Misconfigured service port | services-watch | policy1 |

</div>


<details><summary><b>Full description</b></summary>

### Violation Details
| | |
| --------------------- | :-----------------------------------: |
| **CWE:** | CWE-200 |
| **Rule ID:** | service-rule |
| **CWE:** | CWE-200 |

Services scanner description

<br></details>
Original file line number Diff line number Diff line change
Expand Up @@ -12,4 +12,5 @@
| **Contextual Analysis** | ✅ Done | - |
| **Static Application Security Testing (SAST)** | ✅ Done | 4 Issues Found: 🔴 3 High, 🟡 1 Low |
| **Secrets** | ✅ Done | - |
| **Services** | ℹ️ Not Scanned | - |
| **Infrastructure as Code (IaC)** | ℹ️ Not Scanned | - |
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,5 @@
| **Contextual Analysis** | ✅ Done | - |
| **Static Application Security Testing (SAST)** | ✅ Done | <details><summary><b>4 Issues Found</b></summary><img src="https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/smallHigh.svg" alt=""/> 3 High<br><img src="https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/smallLow.svg" alt=""/> 1 Low<br></details> |
| **Secrets** | ✅ Done | - |
| **Services** | ℹ️ Not Scanned | - |
| **Infrastructure as Code (IaC)** | ℹ️ Not Scanned | - |
Original file line number Diff line number Diff line change
Expand Up @@ -12,4 +12,5 @@
| **Contextual Analysis** | ✅ Done | - |
| **Static Application Security Testing (SAST)** | ✅ Done | 3 Issues Found: 🔴 2 High, 🟡 1 Low |
| **Secrets** | ✅ Done | - |
| **Services** | ℹ️ Not Scanned | - |
| **Infrastructure as Code (IaC)** | ℹ️ Not Scanned | - |
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,5 @@
| **Contextual Analysis** | ✅ Done | - |
| **Static Application Security Testing (SAST)** | ✅ Done | <details><summary><b>3 Issues Found</b></summary><img src="https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/smallHigh.svg" alt=""/> 2 High<br><img src="https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/smallLow.svg" alt=""/> 1 Low<br></details> |
| **Secrets** | ✅ Done | - |
| **Services** | ℹ️ Not Scanned | - |
| **Infrastructure as Code (IaC)** | ℹ️ Not Scanned | - |
Original file line number Diff line number Diff line change
Expand Up @@ -12,4 +12,5 @@
| **Contextual Analysis** | ✅ Done | - |
| **Static Application Security Testing (SAST)** | ✅ Done | 1 Issues Found: 🔴 1 High |
| **Secrets** | ✅ Done | - |
| **Services** | ℹ️ Not Scanned | - |
| **Infrastructure as Code (IaC)** | ℹ️ Not Scanned | - |
Loading
Loading