Add --format flag support to create-evidence #54

Merged: mnsboev merged 2 commits into jfrog:main from ehl-jf:JGC-479-format-flag on May 7, 2026

Conversation

ehl-jf (Contributor) commented May 4, 2026

Pull Request Template

Description

Adds a --format flag (json | table) to the create-evidence command, so the result of an evidence creation can be rendered in a structured form on stdout. This brings create-evidence in line with the output-format pattern used by other JFrog CLI commands and makes it easier to consume the response programmatically (JSON) or read it interactively (table).

When --format is omitted, the command's existing output is unchanged.

Related Issue

https://jfrog-int.atlassian.net/browse/JGC-479

Testing

  • Tests added/updated
  • All tests pass locally

Unit tests cover the JSON and table renderers, including multi-response output and handling of an unsupported format.

Checklist

  • PR description is clear and concise, and it includes the proposed solution/fix
  • Code follows project style guidelines
  • Documentation updated (if applicable)

@ehl-jf ehl-jf force-pushed the JGC-479-format-flag branch from ff09ef8 to 0df2f83 Compare May 5, 2026 07:27
@ehl-jf ehl-jf changed the title JGC-479 - Add --format flag support to create-evidence Add --format flag support to create-evidence May 5, 2026
@mnsboev mnsboev added safe to test Trusted reviewer approves running SaaS E2E on this PR improvement General improvements to the codebase labels May 7, 2026
github-actions Bot (Contributor) commented May 7, 2026

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 2 issues

Scan Category                              | Status  | Security Issues
Software Composition Analysis              | ✅ Done | Not Found
Contextual Analysis                        | ✅ Done | -
Static Application Security Testing (SAST) | ✅ Done | 2 Issues Found (2 Low)
Secrets                                    | ✅ Done | -
Infrastructure as Code (IaC)               | ✅ Done | Not Found

github-actions Bot (Contributor) commented May 7, 2026

Finding: key (at evidence/create/create_base.go, line 321)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Low
Finding: Untrusted stored input used in file paths, allowing access to unintended files.

Vulnerability Details

Rule ID: go-stored-path-traversal

Overview

Stored Path Traversal is a type of vulnerability that arises when user-controlled
input, such as file names or paths, is stored by the application and later used
without proper validation or sanitization to perform file operations. This can
allow an attacker to traverse directories and access or overwrite sensitive files
on the filesystem, potentially compromising the security and integrity of the
application or system.

Vulnerable example

```go
// Assumed context: db is a package-level *sql.DB. The row id is hard-coded here;
// the stored file_path is used without any validation (the vulnerability).
func serveFile(w http.ResponseWriter, r *http.Request) {
    var filePath string
    row := db.QueryRow("SELECT file_path FROM files WHERE id = 12")
    row.Scan(&filePath)
    http.ServeFile(w, r, filePath)
}
```

In this example, the serveFile function serves a file based on the file query
parameter provided by the user. However, in a real-world scenario, the filePath
variable might be retrieved from a stored source, such as a database or configuration
file, instead of being directly obtained from the request URL. The vulnerability
arises if the stored filePath is not properly validated or sanitized before being
used to serve files. Attackers could manipulate the stored filePath to perform
directory traversal attacks, potentially accessing sensitive files outside the
intended directory structure.

Remediation

To mitigate stored path traversal vulnerabilities, it is essential to validate
and sanitize user-controlled input before using it to construct file paths or
perform file operations. In this example, we can validate the file name to ensure
it does not contain directory traversal sequences before serving the file.

```go
import (
    "net/http"
    "strings"
)

// Assumed context: db is a package-level *sql.DB; the id is passed as a query
// parameter, so the stored path is looked up per request.
func serveFile(w http.ResponseWriter, r *http.Request) {
    var filePath string
    row := db.QueryRow("SELECT file_path FROM files WHERE id = ?", r.URL.Query().Get("id"))
    if err := row.Scan(&filePath); err != nil {
        http.Error(w, "File not found", http.StatusNotFound)
        return
    }
    // Validate file path to prevent directory traversal (the lines added by this fix)
    if strings.Contains(filePath, "..") {
        http.Error(w, "Invalid file path", http.StatusBadRequest)
        return
    }
    http.ServeFile(w, r, filePath)
}
```
Code Flows

Vulnerable data flow analysis result:

  ↘️ os.ReadFile(filepath.Join("../..", tt.keyPath)) (at evidence/create/create_base_test.go line 194)
  ↘️ keyContent (at evidence/create/create_base_test.go line 194)
  ↘️ keyContent (at evidence/create/create_base_test.go line 196)
  ↘️ string(keyContent) (at evidence/create/create_base_test.go line 196)
  ↘️ createAndSignEnvelope(tt.payloadJson, string(keyContent), tt.keyId) (at evidence/create/create_base_test.go line 196)
  ↘️ key (at evidence/create/create_base.go line 317)
  ↘️ key (at evidence/create/create_base.go line 321)


github-actions Bot (Contributor) commented May 7, 2026

Finding: key (at evidence/create/create_base.go, line 323)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Low
Finding: Untrusted stored input used in file paths, allowing access to unintended files.

Vulnerability Details

Rule ID: go-stored-path-traversal

Code Flows

Vulnerable data flow analysis result:

  ↘️ os.ReadFile(filepath.Join("../..", tt.keyPath)) (at evidence/create/create_base_test.go line 194)
  ↘️ keyContent (at evidence/create/create_base_test.go line 194)
  ↘️ keyContent (at evidence/create/create_base_test.go line 196)
  ↘️ string(keyContent) (at evidence/create/create_base_test.go line 196)
  ↘️ createAndSignEnvelope(tt.payloadJson, string(keyContent), tt.keyId) (at evidence/create/create_base_test.go line 196)
  ↘️ key (at evidence/create/create_base.go line 317)
  ↘️ key (at evidence/create/create_base.go line 323)
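The remediation that Frogbot suggests for both findings above rejects any stored path containing "..". As an added example (not code from this PR, from jfrog-cli-security or from Frogbot), the following Go program places that substring check beside a base-directory confinement check, which anchors the stored path under a directory and rejects anything that resolves outside it; the function names and the /srv/keys base directory are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errEscapesBase = errors.New("stored path escapes base directory")

// naiveCheck is the substring test from the remediation snippet. It is not
// anchored to any directory, and it also rejects harmless names that merely
// contain "..", such as "release..v2.json".
func naiveCheck(stored string) bool {
	return !strings.Contains(stored, "..")
}

// resolveUnderBase confines a stored path (assumed to come from a database,
// a config file or a test fixture) to base: the joined path is cleaned, and
// filepath.Rel must not climb above base. A stored absolute path is treated
// as relative to base, so "/etc/passwd" resolves to base/etc/passwd.
// Caveat: this is a lexical check only; it does not follow symlinks.
func resolveUnderBase(base, stored string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absBase, stored) // Join also runs filepath.Clean
	rel, err := filepath.Rel(absBase, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscapesBase
	}
	return full, nil
}

func main() {
	// Constructed sample inputs; /srv/keys is an assumed base directory.
	samples := []string{"signing.pem", "../../etc/passwd", "release..v2.json", "/etc/passwd"}
	for _, stored := range samples {
		p, err := resolveUnderBase("/srv/keys", stored)
		fmt.Printf("%-20q naive=%-5v confined=%q err=%v\n", stored, naiveCheck(stored), p, err)
	}
}
```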




Replaces Contains-based assertions in printCreateEvidenceResponse JSON
tests with full-payload JSONEq comparisons, per PR review feedback.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot removed the safe to test Trusted reviewer approves running SaaS E2E on this PR label May 7, 2026
@mnsboev mnsboev added the safe to test Trusted reviewer approves running SaaS E2E on this PR label May 7, 2026
@mnsboev mnsboev merged commit 21c6dd5 into jfrog:main May 7, 2026
15 of 16 checks passed