Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Xray SCA scan - always show results with location on Sarif output #1021

Merged
merged 4 commits into from
Nov 8, 2023
Merged

Xray SCA scan - always show results with location on Sarif output #1021

merged 4 commits into from
Nov 8, 2023

Conversation

attiasas
Copy link
Contributor

@attiasas attiasas commented Nov 8, 2023
edited
Loading

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • All static analysis checks passed.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.

For all Xray SCA scans (audit, docker scan...) with Sarif format output:

If location can't be determined show location with default value: Package Descriptor

  • Fixes Github integration validation

Before:

{
          "ruleId": "CVE-2023-5363_debian:bookworm:openssl_3.0.11-1~deb12u1",
          "ruleIndex": 43,
          "level": "none",
          "message": {
            "text": "[CVE-2023-5363] sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar"
          }
}

After:

{
          "ruleId": "CVE-2023-5363_debian:bookworm:openssl_3.0.11-1~deb12u1",
          "ruleIndex": 43,
          "level": "none",
          "message": {
            "text": "[CVE-2023-5363] sha256__6cd9f01fb9e511a9e611c6592d62412c0fead4b2b09dc3de7fbf6b50a8df0eed.tar"
          },
         "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "Package Descriptor"
                }
              }
            }
          ]
}

@attiasas attiasas added the bug Something isn't working label Nov 8, 2023
@attiasas attiasas requested a review from yahavi November 8, 2023 15:22
@attiasas attiasas marked this pull request as ready for review November 8, 2023 15:22
@attiasas attiasas mentioned this pull request Nov 8, 2023
Open
yahavi
yahavi approved these changes Nov 8, 2023
View reviewed changes
Copy link
Member

@yahavi yahavi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Well done @attiasas!

@attiasas attiasas merged commit bf4b1ea into jfrog:dev Nov 8, 2023
7 of 8 checks passed
This was linked to issues Nov 8, 2023
jfrog-cli 2.50.2 - SARIF file Missing physicalLocation.artifactLocation.uri jfrog/jfrog-cli#2270
Open
Add Locations to the Docker scan results on Sarif output jfrog/jfrog-cli#2292
Open
@BrewTestBot BrewTestBot mentioned this pull request Nov 9, 2023
Merged
gailazar300 pushed a commit to gailazar300/jfrog-cli-core that referenced this pull request Nov 23, 2023
@attiasas @gailazar300
Xray SCA scan - always show results with location on Sarif output (jf…
3ef3bad 
…rog#1021)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yahavi yahavi yahavi approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
2 participants
@attiasas @yahavi