Skip to content

Commit

Permalink
Enable all scanners enablement/disablement through config profile (#235)
Browse files Browse the repository at this point in the history
  • Loading branch information
@eranturgeman
eranturgeman authored Nov 18, 2024
1 parent bb72551 commit bce7437
Show file tree
Hide file tree
Showing 4 changed files with 164 additions and 27 deletions.
168 changes: 148 additions & 20 deletions commands/audit/audit_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -218,76 +218,188 @@ func TestDetectScansToPreform(t *testing.T) {
// Note: Currently, if a config profile is provided, the scan will use the profile's settings, IGNORING jfrog-apps-config if exists.
func TestAuditWithConfigProfile(t *testing.T) {
testcases := []struct {
name string
configProfile services.ConfigProfile
expectedSastIssues int
expectedSecretsIssues int
name string
testDirPath string
configProfile services.ConfigProfile
expectedScaIssues int
expectedCaApplicable int
expectedCaUndetermined int
expectedCaNotCovered int
expectedCaNotApplicable int
expectedSastIssues int
expectedSecretsIssues int
expectedIacIssues int
}{
{
name: "Enable only secrets scanner",
name: "Enable Sca scanner",
testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
configProfile: services.ConfigProfile{
ProfileName: "Sca only",
Modules: []services.Module{{
ModuleId: 1,
ModuleName: "only-sca-module",
PathFromRoot: ".",
ScanConfig: services.ScanConfig{
EnableScaScan: true,
EnableContextualAnalysisScan: false,
SastScannerConfig: services.SastScannerConfig{
EnableSastScan: false,
},
SecretsScannerConfig: services.SecretsScannerConfig{
EnableSecretsScan: false,
},
IacScannerConfig: services.IacScannerConfig{
EnableIacScan: false,
},
},
}},
IsDefault: false,
},
expectedScaIssues: 15,
},
{
name: "Enable Sca and Applicability scanners",
testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
configProfile: services.ConfigProfile{
ProfileName: "Sca&Applicability",
Modules: []services.Module{{
ModuleId: 1,
ModuleName: "sca-and-applicability",
PathFromRoot: ".",
ScanConfig: services.ScanConfig{
EnableScaScan: true,
EnableContextualAnalysisScan: true,
SastScannerConfig: services.SastScannerConfig{
EnableSastScan: false,
},
SecretsScannerConfig: services.SecretsScannerConfig{
EnableSecretsScan: false,
},
IacScannerConfig: services.IacScannerConfig{
EnableIacScan: false,
},
},
}},
IsDefault: false,
},
expectedCaApplicable: 3,
expectedCaUndetermined: 6,
expectedCaNotCovered: 4,
expectedCaNotApplicable: 2,
},
{
name: "Enable only secrets scanner",
testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
configProfile: services.ConfigProfile{
ProfileName: "only-secrets",
Modules: []services.Module{{
ModuleId: 1,
ModuleName: "only-secrets-module",
PathFromRoot: ".",
ScanConfig: services.ScanConfig{
EnableScaScan: false,
EnableContextualAnalysisScan: false,
SastScannerConfig: services.SastScannerConfig{
EnableSastScan: false,
},
SecretsScannerConfig: services.SecretsScannerConfig{
EnableSecretsScan: true,
},
IacScannerConfig: services.IacScannerConfig{
EnableIacScan: false,
},
},
}},
IsDefault: false,
},
expectedSastIssues: 0,
expectedSecretsIssues: 16,
},
{
name: "Enable only sast scanner",
name: "Enable only sast scanner",
testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
configProfile: services.ConfigProfile{
ProfileName: "only-sast",
Modules: []services.Module{{
ModuleId: 1,
ModuleName: "only-sast-module",
PathFromRoot: ".",
ScanConfig: services.ScanConfig{
EnableScaScan: false,
EnableContextualAnalysisScan: false,
SastScannerConfig: services.SastScannerConfig{
EnableSastScan: true,
},
SecretsScannerConfig: services.SecretsScannerConfig{
EnableSecretsScan: false,
},
IacScannerConfig: services.IacScannerConfig{
EnableIacScan: false,
},
},
}},
IsDefault: false,
},
expectedSastIssues: 1,
expectedSecretsIssues: 0,
expectedSastIssues: 1,
},
{
name: "Enable secrets and sast",
name: "Enable only IaC scanner",
testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
configProfile: services.ConfigProfile{
ProfileName: "secrets&sast",
ProfileName: "only-sast",
Modules: []services.Module{{
ModuleId: 1,
ModuleName: "secrets&sast-module",
ModuleName: "only-iac-module",
PathFromRoot: ".",
ScanConfig: services.ScanConfig{
EnableScaScan: false,
EnableContextualAnalysisScan: false,
SastScannerConfig: services.SastScannerConfig{
EnableSastScan: false,
},
SecretsScannerConfig: services.SecretsScannerConfig{
EnableSecretsScan: false,
},
IacScannerConfig: services.IacScannerConfig{
EnableIacScan: true,
},
},
}},
IsDefault: false,
},
expectedIacIssues: 9,
},
{
name: "Enable All Scanners",
testDirPath: filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas"),
configProfile: services.ConfigProfile{
ProfileName: "all-jas-scanners",
Modules: []services.Module{{
ModuleId: 1,
ModuleName: "all-jas-module",
PathFromRoot: ".",
ScanConfig: services.ScanConfig{
EnableScaScan: true,
EnableContextualAnalysisScan: true,
SastScannerConfig: services.SastScannerConfig{
EnableSastScan: true,
},
SecretsScannerConfig: services.SecretsScannerConfig{
EnableSecretsScan: true,
},
IacScannerConfig: services.IacScannerConfig{
EnableIacScan: true,
},
},
}},
IsDefault: false,
},
expectedSastIssues: 1,
expectedSecretsIssues: 16,
expectedSastIssues: 1,
expectedSecretsIssues: 16,
expectedIacIssues: 9,
expectedCaApplicable: 3,
expectedCaUndetermined: 6,
expectedCaNotCovered: 4,
expectedCaNotApplicable: 2,
},
}

Expand All @@ -298,8 +410,7 @@ func TestAuditWithConfigProfile(t *testing.T) {

tempDirPath, createTempDirCallback := coreTests.CreateTempDirWithCallbackAndAssert(t)
defer createTempDirCallback()
testDirPath := filepath.Join("..", "..", "tests", "testdata", "projects", "jas", "jas")
assert.NoError(t, biutils.CopyDir(testDirPath, tempDirPath, true, nil))
assert.NoError(t, biutils.CopyDir(testcase.testDirPath, tempDirPath, true, nil))

auditBasicParams := (&utils.AuditBasicParams{}).
SetServerDetails(serverDetails).
Expand All @@ -316,18 +427,35 @@ func TestAuditWithConfigProfile(t *testing.T) {
ScanType: scanservices.Dependency,
IncludeVulnerabilities: true,
XscVersion: services.ConfigProfileMinXscVersion,
MultiScanId: "random-msi",
MultiScanId: validations.TestMsi,
})

auditParams.SetWorkingDirs([]string{tempDirPath}).SetIsRecursiveScan(true)
auditResults := RunAudit(auditParams)
assert.NoError(t, auditResults.GetErrors())

// Currently, the only supported scanners are Secrets and Sast, therefore if a config profile is utilized - all other scanners are disabled.
summary, err := conversion.NewCommandResultsConvertor(conversion.ResultConvertParams{IncludeVulnerabilities: true, HasViolationContext: true}).ConvertToSummary(auditResults)
assert.NoError(t, err)
// Validate Sast and Secrets have the expected number of issues and that Iac and Sca did not run
validations.ValidateCommandSummaryOutput(t, validations.ValidationParams{Actual: summary, ExactResultsMatch: true, Sast: testcase.expectedSastIssues, Secrets: testcase.expectedSecretsIssues, Vulnerabilities: testcase.expectedSastIssues + testcase.expectedSecretsIssues})

var ScaResultsCount int
// When checking Applicability results with ExactResultsMatch = true, the sum of all statuses should equal total Sca results amount. Else, we check the provided Sca issues amount
if testcase.expectedCaApplicable > 0 || testcase.expectedCaNotApplicable > 0 || testcase.expectedCaNotCovered > 0 || testcase.expectedCaUndetermined > 0 {
ScaResultsCount = testcase.expectedCaApplicable + testcase.expectedCaNotApplicable + testcase.expectedCaNotCovered + testcase.expectedCaUndetermined
} else {
ScaResultsCount = testcase.expectedScaIssues
}
validations.ValidateCommandSummaryOutput(t, validations.ValidationParams{
Actual: summary,
ExactResultsMatch: true,
Vulnerabilities: testcase.expectedSastIssues + testcase.expectedSecretsIssues + testcase.expectedIacIssues + ScaResultsCount,
Sast: testcase.expectedSastIssues,
Secrets: testcase.expectedSecretsIssues,
Iac: testcase.expectedIacIssues,
Applicable: testcase.expectedCaApplicable,
NotApplicable: testcase.expectedCaNotApplicable,
NotCovered: testcase.expectedCaNotCovered,
Undetermined: testcase.expectedCaUndetermined,
})
})
}
}
Expand Down
10 changes: 8 additions & 2 deletions commands/audit/scarunner.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,8 +59,14 @@ func buildDepTreeAndRunScaScan(auditParallelRunner *utils.SecurityParallelRunner
return
}
if auditParams.configProfile != nil {
log.Debug("Skipping SCA scan as a configuration profile is being utilized and currently only Secrets and Sast scanners are supported when utilizing a configuration profile")
return
if len(auditParams.configProfile.Modules) < 1 {
// Verify Modules are not nil and contain at least one modules
return fmt.Errorf("config profile %s has no modules. A config profile must contain at least one modules", auditParams.configProfile.ProfileName)
}
if !auditParams.configProfile.Modules[0].ScanConfig.EnableScaScan {
log.Debug(fmt.Sprintf("Skipping SCA scan as requested by '%s' config profile...", auditParams.configProfile.ProfileName))
return
}
}
// Prepare
currentWorkingDir, generalError := os.Getwd()
Expand Down
10 changes: 6 additions & 4 deletions jas/runner/jasrunner.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,10 @@ func addJasScanTaskForModuleIfNeeded(params JasRunnerParams, subScan utils.SubSc
if params.ConfigProfile != nil {
// This code section is related to CentralizedConfig integration in CI Next.
log.Debug(fmt.Sprintf("Using config profile '%s' to determine whether to run %s scan...", params.ConfigProfile.ProfileName, jasType))
if len(params.ConfigProfile.Modules) < 1 {
// Verify Modules are not nil and contain at least one modules
return fmt.Errorf("config profile %s has no modules. A config profile must contain at least one modules", params.ConfigProfile.ProfileName)
}
// Currently, if config profile exists, the only possible scanners to run are: Secrets, Sast
enabled := false
switch jasType {
Expand All @@ -95,11 +99,9 @@ func addJasScanTaskForModuleIfNeeded(params JasRunnerParams, subScan utils.SubSc
case jasutils.Sast:
enabled = params.ConfigProfile.Modules[0].ScanConfig.SastScannerConfig.EnableSastScan
case jasutils.IaC:
log.Debug("Skipping Iac scan as it is not currently supported with a config profile...")
return
enabled = params.ConfigProfile.Modules[0].ScanConfig.IacScannerConfig.EnableIacScan
case jasutils.Applicability:
log.Debug("Skipping Contextual Analysis scan as it is not currently supported with a config profile...")
return
enabled = params.ConfigProfile.Modules[0].ScanConfig.EnableContextualAnalysisScan
}
if enabled {
generalError = addModuleJasScanTask(jasType, params.Runner, task, params.ScanResults, params.AllowPartialResults)
Expand Down
3 changes: 2 additions & 1 deletion utils/validations/test_mocks.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,8 @@ func XrayServer(t *testing.T, xrayVersion string) (*httptest.Server, *config.Ser
}
}
}
if strings.HasPrefix(r.RequestURI, "/xray/api/v1/scan/graph") {
// Scan graph with Xray or Xsc
if strings.Contains(r.RequestURI, "/scan/graph") {
if r.Method == http.MethodPost {
w.WriteHeader(http.StatusCreated)
_, err := w.Write([]byte(fmt.Sprintf(`{"scan_id" : "%s"}`, TestScaScanId)))
Expand Down

0 comments on commit bce7437

Please sign in to comment.