From d1631e3e5294242e81d3b1cbcd6551b02a6f57d5 Mon Sep 17 00:00:00 2001
From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com>
Date: Wed, 13 Sep 2023 19:39:17 +0300
Subject: [PATCH] Show Xray ID instead of CVEs if empty in vulnerabilities
description (#495)
---
go.mod | 4 ++--
go.sum | 8 ++++----
scanpullrequest/scanpullrequest_test.go | 7 ++++---
utils/outputwriter/outputwriter.go | 8 ++++----
utils/outputwriter/simplifiedoutput.go | 2 +-
utils/outputwriter/standardoutput.go | 2 +-
6 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/go.mod b/go.mod
index 7e79f21c6..a6135f2bf 100644
--- a/go.mod
+++ b/go.mod
@@ -9,8 +9,8 @@ require (
github.com/jfrog/build-info-go v1.9.10
github.com/jfrog/froggit-go v1.14.1
github.com/jfrog/gofrog v1.3.0
- github.com/jfrog/jfrog-cli-core/v2 v2.42.0
- github.com/jfrog/jfrog-client-go v1.32.1
+ github.com/jfrog/jfrog-cli-core/v2 v2.43.0
+ github.com/jfrog/jfrog-client-go v1.32.2
github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible
github.com/owenrumney/go-sarif/v2 v2.2.0
github.com/stretchr/testify v1.8.4
diff --git a/go.sum b/go.sum
index 35220bb65..df23aba65 100644
--- a/go.sum
+++ b/go.sum
@@ -884,10 +884,10 @@ github.com/jfrog/froggit-go v1.14.1 h1:cmQUHvmoTDnEihh3IyPgGgjkUsIYiRo9M1YpDfPHf
github.com/jfrog/froggit-go v1.14.1/go.mod h1:0jRAaZZusaFFnITosmx6CA60SKryuoaCasJyUrP/c1s=
github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
-github.com/jfrog/jfrog-cli-core/v2 v2.42.0 h1:bwSYjdwLSNNwVB0PDZyQ8HYC7LL+2hInQ1I69UIwSO8=
-github.com/jfrog/jfrog-cli-core/v2 v2.42.0/go.mod h1:HCMfdtCy2B81EF8YiQlsfbG3CsLk/VeqoWGNYoSUz8Q=
-github.com/jfrog/jfrog-client-go v1.32.1 h1:RQmuPSLsF5222vZJzwkgHSZMMJF83ExS7SwIvh4P+H8=
-github.com/jfrog/jfrog-client-go v1.32.1/go.mod h1:362+oa7uTTYurzBs1L0dmUTlLo7uhpAU/pwM5Zb9clg=
+github.com/jfrog/jfrog-cli-core/v2 v2.43.0 h1:euo1CjZcpMdWkFUQ3zffRPfCR1zXhLD6TE/lfexV99o=
+github.com/jfrog/jfrog-cli-core/v2 v2.43.0/go.mod h1:NWqT0ZnAvEdjaXGp64POvRV35TJ2R/c0W45UmrXQonk=
+github.com/jfrog/jfrog-client-go v1.32.2 h1:t0ceWCtFri+xsa0D2ESqD/itcovlxBXCky1A1MJ4P2I=
+github.com/jfrog/jfrog-client-go v1.32.2/go.mod h1:UewnwkIf/77HzBgwCPzOHZCK6V/Nw5/JwdzN/tRb4aU=
github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA=
github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible/go.mod h1:1c7szIrayyPPB/987hsnvNzLushdWf4o/79s3P08L8A=
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
diff --git a/scanpullrequest/scanpullrequest_test.go b/scanpullrequest/scanpullrequest_test.go
index c5967308d..cb9ce14d8 100644
--- a/scanpullrequest/scanpullrequest_test.go
+++ b/scanpullrequest/scanpullrequest_test.go
@@ -420,7 +420,8 @@ func TestCreatePullRequestMessage(t *testing.T) {
Version: "v0.21.0",
},
},
- Cves: []formats.CveRow{{Id: "CVE-2022-24450"}},
+ IssueId: "XRAY-122345",
+ Cves: []formats.CveRow{{}},
},
{
Severity: "High",
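Review bot: The new fixture `Cves: []formats.CveRow{{}}` exercises only the "CVE row present but `Id` empty" path; the `len(cveRows) == 0` case that the removed guard in `getVulnerabilityCvesPrefix` handled explicitly is no longer pinned by any vulnerability that also carries an `IssueId`. Adding a sibling entry with `IssueId` set and `Cves: nil` would confirm the fallback fires for a nil slice as well as for an empty-ID row, since those two shapes now take the same route through `xrayutils.GetIssueIdentifier`. TestCreatePullRequestMessage starts before this hunk, so I cannot see whether the archiver entry already covers the nil case; it appears to have neither CVEs nor an issue ID given the `-` in its table cell.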
@@ -454,12 +455,12 @@ func TestCreatePullRequestMessage(t *testing.T) {
writerOutput.SetJasOutputFlags(true, true)
message := createPullRequestMessage(vulnerabilities, nil, nil, writerOutput)
- expectedMessage := "
\n\n[![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerPR.png)](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n## 📦 Vulnerable Dependencies \n\n### ✍️ Summary\n\n\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.1] | CVE-2022-24450 |\n| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | Undetermined | github.com/mholt/archiver/v3:v3.5.1 | github.com/mholt/archiver/v3:v3.5.1 | - | - |\n| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableMediumSeverity.png)
Medium | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.3] | CVE-2022-26652 |\n\n
\n\n## 👇 Details\n\n\n [ CVE-2022-24450 ] github.com/nats-io/nats-streaming-server v0.21.0
\n
\n\n\n \n\n\n\n github.com/mholt/archiver/v3 v3.5.1
\n
\n\n\n \n\n\n\n [ CVE-2022-26652 ] github.com/nats-io/nats-streaming-server v0.21.0
\n
\n\n\n \n\n\n---\n\n\n[🐸 JFrog Frogbot](https://github.com/jfrog/frogbot#readme)\n\n
"
+ expectedMessage := "\n\n[![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerPR.png)](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n## 📦 Vulnerable Dependencies \n\n### ✍️ Summary\n\n\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.1] | - |\n| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | Undetermined | github.com/mholt/archiver/v3:v3.5.1 | github.com/mholt/archiver/v3:v3.5.1 | - | - |\n| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableMediumSeverity.png)
Medium | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.3] | CVE-2022-26652 |\n\n
\n\n## 👇 Details\n\n\n [ XRAY-122345 ] github.com/nats-io/nats-streaming-server v0.21.0
\n
\n\n\n \n\n\n\n github.com/mholt/archiver/v3 v3.5.1
\n
\n\n\n \n\n\n\n [ CVE-2022-26652 ] github.com/nats-io/nats-streaming-server v0.21.0
\n
\n\n\n \n\n\n---\n\n\n[🐸 JFrog Frogbot](https://github.com/jfrog/frogbot#readme)\n\n
"
assert.Equal(t, expectedMessage, message)
writerOutput.SetVcsProvider(vcsutils.GitLab)
message = createPullRequestMessage(vulnerabilities, nil, nil, writerOutput)
- expectedMessage = "\n\n[![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerMR.png)](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n## 📦 Vulnerable Dependencies \n\n### ✍️ Summary\n\n\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.1] | CVE-2022-24450 |\n| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | Undetermined | github.com/mholt/archiver/v3:v3.5.1 | github.com/mholt/archiver/v3:v3.5.1 | - | - |\n| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableMediumSeverity.png)
Medium | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.3] | CVE-2022-26652 |\n\n
\n\n## 👇 Details\n\n\n [ CVE-2022-24450 ] github.com/nats-io/nats-streaming-server v0.21.0
\n
\n\n\n \n\n\n\n github.com/mholt/archiver/v3 v3.5.1
\n
\n\n\n \n\n\n\n [ CVE-2022-26652 ] github.com/nats-io/nats-streaming-server v0.21.0
\n
\n\n\n \n\n\n---\n\n\n[🐸 JFrog Frogbot](https://github.com/jfrog/frogbot#readme)\n\n
"
+ expectedMessage = "\n\n[![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerMR.png)](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n## 📦 Vulnerable Dependencies \n\n### ✍️ Summary\n\n\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.1] | - |\n| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png)
High | Undetermined | github.com/mholt/archiver/v3:v3.5.1 | github.com/mholt/archiver/v3:v3.5.1 | - | - |\n| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableMediumSeverity.png)
Medium | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.3] | CVE-2022-26652 |\n\n
\n\n## 👇 Details\n\n\n [ XRAY-122345 ] github.com/nats-io/nats-streaming-server v0.21.0
\n
\n\n\n \n\n\n\n github.com/mholt/archiver/v3 v3.5.1
\n
\n\n\n \n\n\n\n [ CVE-2022-26652 ] github.com/nats-io/nats-streaming-server v0.21.0
\n
\n\n\n \n\n\n---\n\n\n[🐸 JFrog Frogbot](https://github.com/jfrog/frogbot#readme)\n\n
"
assert.Equal(t, expectedMessage, message)
}
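Review bot: The expected output now has the summary row for nats-streaming-server showing `-` in the CVES column while the matching details header shows `[ XRAY-122345 ]`, so a reader cannot tie the table row to its details entry when no CVE exists. Consider applying the same fallback in the summary table — render the Xray issue ID in the CVES cell, or in a dedicated ISSUE ID column, when the CVE list is empty — so both views identify the finding consistently. The table-cell rendering code is outside this diff, so this is inferred from the expected strings alone. The enclosing TestCreatePullRequestMessage begins before this hunk.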
diff --git a/utils/outputwriter/outputwriter.go b/utils/outputwriter/outputwriter.go
index 2e33232bd..a9f68b561 100644
--- a/utils/outputwriter/outputwriter.go
+++ b/utils/outputwriter/outputwriter.go
@@ -233,10 +233,10 @@ func GetTableRowsFixedVersions(row formats.VulnerabilityOrViolationRow, writer O
return strings.TrimSuffix(fixedVersions, writer.Separator())
}
-func getVulnerabilityCvesPrefix(cveRows []formats.CveRow) string {
- if len(cveRows) == 0 {
+func getVulnerabilityDescriptionIdentifier(cveRows []formats.CveRow, xrayId string) string {
+ identifier := xrayutils.GetIssueIdentifier(cveRows, xrayId)
+ if identifier == "" {
return ""
}
- cves := convertCveRowsToCveIds(cveRows, ", ")
- return fmt.Sprintf("[ %s ] ", cves)
+ return fmt.Sprintf("[ %s ] ", identifier)
}
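Review bot: The new `getVulnerabilityDescriptionIdentifier` has no doc comment, and because its empty-string return silently drops the `[ … ] ` prefix from the description header (the archiver entry in the updated test shows that shape), the contract is worth stating. Suggested comment above the func: `// getVulnerabilityDescriptionIdentifier returns the "[ <ids> ] " prefix for a vulnerability's description header, using the CVE IDs when present and otherwise the Xray issue ID; it returns "" when neither is available so no bracket is emitted.` Go's initialism convention would also name the parameter `xrayID` rather than `xrayId` (the `IssueId` struct field is external and stays as is). The choice between CVEs and the Xray ID is delegated to `xrayutils.GetIssueIdentifier` from the bumped jfrog-cli-core; its treatment of a CVE row with an empty `Id`, which the updated test depends on, is not visible here and should be confirmed against v2.43.0.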
diff --git a/utils/outputwriter/simplifiedoutput.go b/utils/outputwriter/simplifiedoutput.go
index 8be40d37d..00ee05536 100644
--- a/utils/outputwriter/simplifiedoutput.go
+++ b/utils/outputwriter/simplifiedoutput.go
@@ -103,7 +103,7 @@ func (smo *SimplifiedOutput) VulnerabilitiesContent(vulnerabilities []formats.Vu
%s
`,
- getVulnerabilityCvesPrefix(vulnerabilities[i].Cves),
+ getVulnerabilityDescriptionIdentifier(vulnerabilities[i].Cves, vulnerabilities[i].IssueId),
vulnerabilities[i].ImpactedDependencyName,
vulnerabilities[i].ImpactedDependencyVersion,
createVulnerabilityDescription(&vulnerabilities[i])))
diff --git a/utils/outputwriter/standardoutput.go b/utils/outputwriter/standardoutput.go
index 08deb762f..9ee439501 100644
--- a/utils/outputwriter/standardoutput.go
+++ b/utils/outputwriter/standardoutput.go
@@ -115,7 +115,7 @@ func (so *StandardOutput) VulnerabilitiesContent(vulnerabilities []formats.Vulne
`,
- getVulnerabilityCvesPrefix(vulnerabilities[i].Cves),
+ getVulnerabilityDescriptionIdentifier(vulnerabilities[i].Cves, vulnerabilities[i].IssueId),
vulnerabilities[i].ImpactedDependencyName,
vulnerabilities[i].ImpactedDependencyVersion,
createVulnerabilityDescription(&vulnerabilities[i])))