\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n## 📦 Vulnerable Dependencies \n\n### ✍️ Summary\n\n\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| 
Critical | Not Applicable | minimist:1.2.5 | minimist:1.2.5 | [0.2.4]
[1.2.6] | CVE-2021-44906 |\n\n
\n\n## 👇 Details\n\n\n**Description:**\n[Minimist](https://github.com/substack/minimist) is a simple and very popular argument parser. It is used by more than 14 million by Mar 2022. This package developers stopped developing it since April 2020 and its community released a [newer version](https://github.com/meszaros-lajos-gyorgy/minimist-lite) supported by the community.\n\n\nAn incomplete fix for [CVE-2020-7598](https://nvd.nist.gov/vuln/detail/CVE-2020-7598) partially blocked prototype pollution attacks. Researchers discovered that it does not check for constructor functions which means they can be overridden. This behavior can be triggered easily when using it insecurely (which is the common usage). For example:\n```\nvar argv = parse(['--_.concat.constructor.prototype.y', '123']);\nt.equal((function(){}).foo, undefined);\nt.equal(argv.y, undefined);\n```\nIn this example, `prototype.y` is assigned with `123` which will be derived to every newly created object. \n\nThis vulnerability can be triggered when the attacker-controlled input is parsed using Minimist without any validation. As always with prototype pollution, the impact depends on the code that follows the attack, but denial of service is almost always guaranteed.\n**Remediation:**\n##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.\n\n\n---\n\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n## 📦 Vulnerable Dependencies\n\n### ✍️ Summary\n\n\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| 
Critical | Not Applicable | minimist:1.2.5 | minimist:1.2.5 | [0.2.4]
[1.2.6] | CVE-2021-44906 |\n\n
\n\n## 🔬 Research Details\n\n\n**Description:**\n[Minimist](https://github.com/substack/minimist) is a simple and very popular argument parser. It is used by more than 14 million by Mar 2022. This package developers stopped developing it since April 2020 and its community released a [newer version](https://github.com/meszaros-lajos-gyorgy/minimist-lite) supported by the community.\n\n\nAn incomplete fix for [CVE-2020-7598](https://nvd.nist.gov/vuln/detail/CVE-2020-7598) partially blocked prototype pollution attacks. Researchers discovered that it does not check for constructor functions which means they can be overridden. This behavior can be triggered easily when using it insecurely (which is the common usage). For example:\n```\nvar argv = parse(['--_.concat.constructor.prototype.y', '123']);\nt.equal((function(){}).foo, undefined);\nt.equal(argv.y, undefined);\n```\nIn this example, `prototype.y` is assigned with `123` which will be derived to every newly created object. \n\nThis vulnerability can be triggered when the attacker-controlled input is parsed using Minimist without any validation. As always with prototype pollution, the impact depends on the code that follows the attack, but denial of service is almost always guaranteed.\n**Remediation:**\n##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.\n\n\n---\n\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n---\n\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n## 📦 Vulnerable Dependencies \n\n### ✍️ Summary\n\n\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| 
High | Undetermined | pip-example:1.2.3 | pyjwt:1.7.1 | [2.4.0] | CVE-2022-29217 |\n\n
\n\n## 👇 Details\n\n\n**Description:**\n[PyJWT](https://pypi.org/project/PyJWT) is a Python implementation of the RFC 7519 standard (JSON Web Tokens). [JSON Web Tokens](https://jwt.io/) are an open, industry standard method for representing claims securely between two parties. A JWT comes with an inline signature that is meant to be verified by the receiving application. JWT supports multiple standard algorithms, and the algorithm itself is **specified in the JWT token itself**.\n\nThe PyJWT library uses the signature-verification algorithm that is specified in the JWT token (that is completely attacker-controlled), however - it requires the validating application to pass an `algorithms` kwarg that specifies the expected algorithms in order to avoid key confusion. Unfortunately - a non-default value `algorithms=jwt.algorithms.get_default_algorithms()` exists that allows all algorithms.\nThe PyJWT library also tries to mitigate key confusions in this case, by making sure that public keys are not used as an HMAC secret. For example, HMAC secrets that begin with `-----BEGIN PUBLIC KEY-----` are rejected when encoding a JWT.\n\nIt has been discovered that due to missing key-type checks, in cases where -\n1. The vulnerable application expects to receive a JWT signed with an Elliptic-Curve key (one of the algorithms `ES256`, `ES384`, `ES512`, `EdDSA`)\n2. The vulnerable application decodes the JWT token using the non-default kwarg `algorithms=jwt.algorithms.get_default_algorithms()` (or alternatively, `algorithms` contain both an HMAC-based algorithm and an EC-based algorithm)\n\nAn attacker can create an HMAC-signed (ex. `HS256`) JWT token, using the (well-known!) EC public key as the HMAC key. The validating application will accept this JWT token as a valid token.\n\nFor example, an application might have planned to validate an `EdDSA`-signed token that was generated as follows -\n```python\n# Making a good jwt token that should work by signing it with the private key\nencoded_good = jwt.encode({\"test\": 1234}, priv_key_bytes, algorithm=\"EdDSA\")\n```\nAn attacker in posession of the public key can generate an `HMAC`-signed token to confuse PyJWT - \n```python\n# Using HMAC with the public key to trick the receiver to think that the public key is a HMAC secret\nencoded_bad = jwt.encode({\"test\": 1234}, pub_key_bytes, algorithm=\"HS256\")\n```\n\nThe following vulnerable `decode` call will accept BOTH of the above tokens as valid - \n```\ndecoded = jwt.decode(encoded_good, pub_key_bytes, \nalgorithms=jwt.algorithms.get_default_algorithms())\n```\n**Remediation:**\n##### Development mitigations\n\nUse a specific algorithm instead of `jwt.algorithms.get_default_algorithms`.\nFor example, replace the following call - \n`jwt.decode(encoded_jwt, pub_key_bytes, algorithms=jwt.algorithms.get_default_algorithms())`\nWith -\n`jwt.decode(encoded_jwt, pub_key_bytes, algorithms=[\"ES256\"])`\n\n\n---\n\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n## 📦 Vulnerable Dependencies\n\n### ✍️ Summary\n\n\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| 
High | Undetermined | pip-example:1.2.3 | pyjwt:1.7.1 | [2.4.0] | CVE-2022-29217 |\n\n
\n\n## 🔬 Research Details\n\n\n**Description:**\n[PyJWT](https://pypi.org/project/PyJWT) is a Python implementation of the RFC 7519 standard (JSON Web Tokens). [JSON Web Tokens](https://jwt.io/) are an open, industry standard method for representing claims securely between two parties. A JWT comes with an inline signature that is meant to be verified by the receiving application. JWT supports multiple standard algorithms, and the algorithm itself is **specified in the JWT token itself**.\n\nThe PyJWT library uses the signature-verification algorithm that is specified in the JWT token (that is completely attacker-controlled), however - it requires the validating application to pass an `algorithms` kwarg that specifies the expected algorithms in order to avoid key confusion. Unfortunately - a non-default value `algorithms=jwt.algorithms.get_default_algorithms()` exists that allows all algorithms.\nThe PyJWT library also tries to mitigate key confusions in this case, by making sure that public keys are not used as an HMAC secret. For example, HMAC secrets that begin with `-----BEGIN PUBLIC KEY-----` are rejected when encoding a JWT.\n\nIt has been discovered that due to missing key-type checks, in cases where -\n1. The vulnerable application expects to receive a JWT signed with an Elliptic-Curve key (one of the algorithms `ES256`, `ES384`, `ES512`, `EdDSA`)\n2. The vulnerable application decodes the JWT token using the non-default kwarg `algorithms=jwt.algorithms.get_default_algorithms()` (or alternatively, `algorithms` contain both an HMAC-based algorithm and an EC-based algorithm)\n\nAn attacker can create an HMAC-signed (ex. `HS256`) JWT token, using the (well-known!) EC public key as the HMAC key. The validating application will accept this JWT token as a valid token.\n\nFor example, an application might have planned to validate an `EdDSA`-signed token that was generated as follows -\n```python\n# Making a good jwt token that should work by signing it with the private key\nencoded_good = jwt.encode({\"test\": 1234}, priv_key_bytes, algorithm=\"EdDSA\")\n```\nAn attacker in posession of the public key can generate an `HMAC`-signed token to confuse PyJWT - \n```python\n# Using HMAC with the public key to trick the receiver to think that the public key is a HMAC secret\nencoded_bad = jwt.encode({\"test\": 1234}, pub_key_bytes, algorithm=\"HS256\")\n```\n\nThe following vulnerable `decode` call will accept BOTH of the above tokens as valid - \n```\ndecoded = jwt.decode(encoded_good, pub_key_bytes, \nalgorithms=jwt.algorithms.get_default_algorithms())\n```\n**Remediation:**\n##### Development mitigations\n\nUse a specific algorithm instead of `jwt.algorithms.get_default_algorithms`.\nFor example, replace the following call - \n`jwt.decode(encoded_jwt, pub_key_bytes, algorithms=jwt.algorithms.get_default_algorithms())`\nWith -\n`jwt.decode(encoded_jwt, pub_key_bytes, algorithms=[\"ES256\"])`\n\n\n---\n\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n---\n\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n## 📦 Vulnerable Dependencies \n\n### ✍️ Summary\n\n\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| 
High | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.1] | - |\n| 
High | Undetermined | github.com/mholt/archiver/v3:v3.5.1 | github.com/mholt/archiver/v3:v3.5.1 | - | - |\n| 
Medium | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.3] | CVE-2022-26652 |\n\n
\n\n## 👇 Details\n\n\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n## 📦 Vulnerable Dependencies\n\n### ✍️ Summary\n\n\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| 
High | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.1] | - |\n| 
High | Undetermined | github.com/mholt/archiver/v3:v3.5.1 | github.com/mholt/archiver/v3:v3.5.1 | - | - |\n| 
Medium | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.3] | CVE-2022-26652 |\n\n
\n\n## 🔬 Research Details\n\n\n\n\n| LICENSE | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | \n| :---------------------: | :----------------------------------: | :-----------------------------------: | \n| Apache-2.0 | root 1.0.0
minimatch 1.2.3 | minimatch 1.2.3 |\n\n
\n\n\n---\n\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n## 📦 Vulnerable Dependencies \n\n### ✍️ Summary\n\n\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| 
High | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.1] | - |\n| 
High | Undetermined | github.com/mholt/archiver/v3:v3.5.1 | github.com/mholt/archiver/v3:v3.5.1 | - | - |\n| 
Medium | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.3] | CVE-2022-26652 |\n\n
\n\n## 👇 Details\n\n\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n## 📦 Vulnerable Dependencies\n\n### ✍️ Summary\n\n\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| 
High | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.1] | - |\n| 
High | Undetermined | github.com/mholt/archiver/v3:v3.5.1 | github.com/mholt/archiver/v3:v3.5.1 | - | - |\n| 
Medium | Undetermined | github.com/nats-io/nats-streaming-server:v0.21.0 | github.com/nats-io/nats-streaming-server:v0.21.0 | [0.24.3] | CVE-2022-26652 |\n\n
\n\n## 🔬 Research Details\n\n\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n\n## 📦 Vulnerable Dependencies \n\n### ✍️ Summary\n\n\n\n\n| SEVERITY | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| 
High | | package1:1.0.0 | 1.0.0
2.0.0 | CVE-2022-1234 |\n\n
\n\n## 👇 Details\n\n\n**Description:**\nsummary\n\n\n---\n\n\n\n**Frogbot** also supports **Contextual Analysis, Secret Detection and IaC Vulnerabilities Scanning**. This features are included as part of the [JFrog Advanced Security](https://jfrog.com/xray/) package, which isn't enabled on your system.\n\n
\n\n---\n\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n\n## 📦 Vulnerable Dependencies\n\n### ✍️ Summary\n\n\n\n\n| SEVERITY | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| 
High | | package1:1.0.0 | 1.0.0
2.0.0 | CVE-2022-1234 |\n\n
\n\n## 🔬 Research Details\n\n\n**Description:**\nsummary\n\n\n---\n\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n\n## 📦 Vulnerable Dependencies \n\n### ✍️ Summary\n\n\n\n\n| SEVERITY | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| 
High | | package1:1.0.0 | 1.0.0
2.0.0 | CVE-2022-1234 |\n| 
Critical | | package2:2.0.0 | 2.0.0
3.0.0 | CVE-2022-4321 |\n\n
\n\n## 👇 Details\n\n\n\n**Frogbot** also supports **Contextual Analysis, Secret Detection and IaC Vulnerabilities Scanning**. This features are included as part of the [JFrog Advanced Security](https://jfrog.com/xray/) package, which isn't enabled on your system.\n\n
\n\n---\n\n\n[](https://github.com/jfrog/frogbot#readme)\n\n
\n\n\n\n## 📦 Vulnerable Dependencies\n\n### ✍️ Summary\n\n\n\n\n| SEVERITY | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| 
High | | package1:1.0.0 | 1.0.0
2.0.0 | CVE-2022-1234 |\n| 
Critical | | package2:2.0.0 | 2.0.0
3.0.0 | CVE-2022-4321 |\n\n
\n\n## 🔬 Research Details\n\n
**Frogbot** also supports **Contextual Analysis, Secret Detection and IaC Vulnerabilities Scanning**. This features are included as part of the [JFrog Advanced Security](https://jfrog.com/xray/) package, which isn't enabled on your system.
diff --git a/testdata/messages/novulnerabilitiesMR.md b/testdata/messages/novulnerabilitiesMR.md
index 709385936..2f719f82e 100755
--- a/testdata/messages/novulnerabilitiesMR.md
+++ b/testdata/messages/novulnerabilitiesMR.md
@@ -5,6 +5,7 @@
+---
**Frogbot** also supports **Contextual Analysis, Secret Detection and IaC Vulnerabilities Scanning**. This features are included as part of the [JFrog Advanced Security](https://jfrog.com/xray/) package, which isn't enabled on your system.
diff --git a/testdata/scanpullrequest/expectedResponse.json b/testdata/scanpullrequest/expectedResponse.json
index 75f419f70..ded9c6bdf 100755
--- a/testdata/scanpullrequest/expectedResponse.json
+++ b/testdata/scanpullrequest/expectedResponse.json
@@ -1,3 +1,3 @@
{
- "body": "\u003cdiv align='center'\u003e\n\n[](https://github.com/jfrog/frogbot#readme)\n\n\u003c/div\u003e\n\n\n## 📦 Vulnerable Dependencies \n\n### ✍️ Summary\n\n\u003cdiv align=\"center\"\u003e\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| \u003cbr\u003eCritical | Not Applicable | minimist:1.2.5 | minimist:1.2.5 | [0.2.4]\u003cbr\u003e[1.2.6] | CVE-2021-44906 |\n\n\u003c/div\u003e\n\n## 👇 Details\n\n\n**Description:**\n[Minimist](https://github.com/substack/minimist) is a simple and very popular argument parser. It is used by more than 14 million by Mar 2022. This package developers stopped developing it since April 2020 and its community released a [newer version](https://github.com/meszaros-lajos-gyorgy/minimist-lite) supported by the community.\n\n\nAn incomplete fix for [CVE-2020-7598](https://nvd.nist.gov/vuln/detail/CVE-2020-7598) partially blocked prototype pollution attacks. Researchers discovered that it does not check for constructor functions which means they can be overridden. This behavior can be triggered easily when using it insecurely (which is the common usage). For example:\n```\nvar argv = parse(['--_.concat.constructor.prototype.y', '123']);\nt.equal((function(){}).foo, undefined);\nt.equal(argv.y, undefined);\n```\nIn this example, `prototype.y` is assigned with `123` which will be derived to every newly created object. \n\nThis vulnerability can be triggered when the attacker-controlled input is parsed using Minimist without any validation. As always with prototype pollution, the impact depends on the code that follows the attack, but denial of service is almost always guaranteed.\n**Remediation:**\n##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.\n\n\n---\n\u003cdiv align=\"center\"\u003e\n\n[🐸 JFrog Frogbot](https://github.com/jfrog/frogbot#readme)\n\n\u003c/div\u003e"
+ "body": "\u003cdiv align='center'\u003e\n\n[](https://github.com/jfrog/frogbot#readme)\n\n\u003c/div\u003e\n\n\n## 📦 Vulnerable Dependencies\n\n### ✍️ Summary\n\n\u003cdiv align=\"center\"\u003e\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| \u003cbr\u003eCritical | Not Applicable | minimist:1.2.5 | minimist:1.2.5 | [0.2.4]\u003cbr\u003e[1.2.6] | CVE-2021-44906 |\n\n\u003c/div\u003e\n\n## 🔬 Research Details\n\n\n**Description:**\n[Minimist](https://github.com/substack/minimist) is a simple and very popular argument parser. It is used by more than 14 million by Mar 2022. This package developers stopped developing it since April 2020 and its community released a [newer version](https://github.com/meszaros-lajos-gyorgy/minimist-lite) supported by the community.\n\n\nAn incomplete fix for [CVE-2020-7598](https://nvd.nist.gov/vuln/detail/CVE-2020-7598) partially blocked prototype pollution attacks. Researchers discovered that it does not check for constructor functions which means they can be overridden. This behavior can be triggered easily when using it insecurely (which is the common usage). For example:\n```\nvar argv = parse(['--_.concat.constructor.prototype.y', '123']);\nt.equal((function(){}).foo, undefined);\nt.equal(argv.y, undefined);\n```\nIn this example, `prototype.y` is assigned with `123` which will be derived to every newly created object. \n\nThis vulnerability can be triggered when the attacker-controlled input is parsed using Minimist without any validation. As always with prototype pollution, the impact depends on the code that follows the attack, but denial of service is almost always guaranteed.\n**Remediation:**\n##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.\n\n\n---\n\u003cdiv align=\"center\"\u003e\n\n[🐸 JFrog Frogbot](https://github.com/jfrog/frogbot#readme)\n\n\u003c/div\u003e"
}
\ No newline at end of file
diff --git a/testdata/scanpullrequest/expectedResponseMultiDir.json b/testdata/scanpullrequest/expectedResponseMultiDir.json
index 2c450de69..626ca5f06 100755
--- a/testdata/scanpullrequest/expectedResponseMultiDir.json
+++ b/testdata/scanpullrequest/expectedResponseMultiDir.json
@@ -1,3 +1,3 @@
{
- "body": "\u003cdiv align='center'\u003e\n\n[](https://github.com/jfrog/frogbot#readme)\n\n\u003c/div\u003e\n\n\n## 📦 Vulnerable Dependencies \n\n### ✍️ Summary\n\n\u003cdiv align=\"center\"\u003e\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| \u003cbr\u003e High | Not Applicable | minimatch:3.0.4 | minimatch:3.0.4 | [3.0.5] | CVE-2022-3517 |\n| \u003cbr\u003e High | Undetermined | pyjwt:1.7.1 | pyjwt:1.7.1 | [2.4.0] | CVE-2022-29217 |\n\n\u003c/div\u003e\n\n## 👇 Details\n\n\u003cdetails\u003e\n\u003csummary\u003e \u003cb\u003e[ CVE-2022-3517 ] minimatch 3.0.4\u003c/b\u003e \u003c/summary\u003e\n\u003cbr\u003e\n\n**Description:**\nA vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.\n\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003e \u003cb\u003e[ CVE-2022-29217 ] pyjwt 1.7.1\u003c/b\u003e \u003c/summary\u003e\n\u003cbr\u003e\n\n**Description:**\n[PyJWT](https://pypi.org/project/PyJWT) is a Python implementation of the RFC 7519 standard (JSON Web Tokens). [JSON Web Tokens](https://jwt.io/) are an open, industry standard method for representing claims securely between two parties. A JWT comes with an inline signature that is meant to be verified by the receiving application. JWT supports multiple standard algorithms, and the algorithm itself is **specified in the JWT token itself**.\n\nThe PyJWT library uses the signature-verification algorithm that is specified in the JWT token (that is completely attacker-controlled), however - it requires the validating application to pass an `algorithms` kwarg that specifies the expected algorithms in order to avoid key confusion. Unfortunately - a non-default value `algorithms=jwt.algorithms.get_default_algorithms()` exists that allows all algorithms.\nThe PyJWT library also tries to mitigate key confusions in this case, by making sure that public keys are not used as an HMAC secret. For example, HMAC secrets that begin with `-----BEGIN PUBLIC KEY-----` are rejected when encoding a JWT.\n\nIt has been discovered that due to missing key-type checks, in cases where -\n1. The vulnerable application expects to receive a JWT signed with an Elliptic-Curve key (one of the algorithms `ES256`, `ES384`, `ES512`, `EdDSA`)\n2. The vulnerable application decodes the JWT token using the non-default kwarg `algorithms=jwt.algorithms.get_default_algorithms()` (or alternatively, `algorithms` contain both an HMAC-based algorithm and an EC-based algorithm)\n\nAn attacker can create an HMAC-signed (ex. `HS256`) JWT token, using the (well-known!) EC public key as the HMAC key. The validating application will accept this JWT token as a valid token.\n\nFor example, an application might have planned to validate an `EdDSA`-signed token that was generated as follows -\n```python\n# Making a good jwt token that should work by signing it with the private key\nencoded_good = jwt.encode({\"test\": 1234}, priv_key_bytes, algorithm=\"EdDSA\")\n```\nAn attacker in posession of the public key can generate an `HMAC`-signed token to confuse PyJWT - \n```python\n# Using HMAC with the public key to trick the receiver to think that the public key is a HMAC secret\nencoded_bad = jwt.encode({\"test\": 1234}, pub_key_bytes, algorithm=\"HS256\")\n```\n\nThe following vulnerable `decode` call will accept BOTH of the above tokens as valid - \n```\ndecoded = jwt.decode(encoded_good, pub_key_bytes, \nalgorithms=jwt.algorithms.get_default_algorithms())\n```\n**Remediation:**\n##### Development mitigations\n\nUse a specific algorithm instead of `jwt.algorithms.get_default_algorithms`.\nFor example, replace the following call - \n`jwt.decode(encoded_jwt, pub_key_bytes, algorithms=jwt.algorithms.get_default_algorithms())`\nWith -\n`jwt.decode(encoded_jwt, pub_key_bytes, algorithms=[\"ES256\"])`\n\n\n\u003c/details\u003e\n\n\n---\n\u003cdiv align=\"center\"\u003e\n\n[🐸 JFrog Frogbot](https://github.com/jfrog/frogbot#readme)\n\n\u003c/div\u003e"
+ "body": "\u003cdiv align='center'\u003e\n\n[](https://github.com/jfrog/frogbot#readme)\n\n\u003c/div\u003e\n\n\n## 📦 Vulnerable Dependencies\n\n### ✍️ Summary\n\n\u003cdiv align=\"center\"\u003e\n\n| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: | \n| \u003cbr\u003e High | Not Applicable | minimatch:3.0.4 | minimatch:3.0.4 | [3.0.5] | CVE-2022-3517 |\n| \u003cbr\u003e High | Undetermined | pyjwt:1.7.1 | pyjwt:1.7.1 | [2.4.0] | CVE-2022-29217 |\n\n\u003c/div\u003e\n\n## 🔬 Research Details\n\n\u003cdetails\u003e\n\u003csummary\u003e \u003cb\u003e[ CVE-2022-3517 ] minimatch 3.0.4\u003c/b\u003e \u003c/summary\u003e\n\u003cbr\u003e\n\n**Description:**\nA vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.\n\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003e \u003cb\u003e[ CVE-2022-29217 ] pyjwt 1.7.1\u003c/b\u003e \u003c/summary\u003e\n\u003cbr\u003e\n\n**Description:**\n[PyJWT](https://pypi.org/project/PyJWT) is a Python implementation of the RFC 7519 standard (JSON Web Tokens). [JSON Web Tokens](https://jwt.io/) are an open, industry standard method for representing claims securely between two parties. A JWT comes with an inline signature that is meant to be verified by the receiving application. JWT supports multiple standard algorithms, and the algorithm itself is **specified in the JWT token itself**.\n\nThe PyJWT library uses the signature-verification algorithm that is specified in the JWT token (that is completely attacker-controlled), however - it requires the validating application to pass an `algorithms` kwarg that specifies the expected algorithms in order to avoid key confusion. Unfortunately - a non-default value `algorithms=jwt.algorithms.get_default_algorithms()` exists that allows all algorithms.\nThe PyJWT library also tries to mitigate key confusions in this case, by making sure that public keys are not used as an HMAC secret. For example, HMAC secrets that begin with `-----BEGIN PUBLIC KEY-----` are rejected when encoding a JWT.\n\nIt has been discovered that due to missing key-type checks, in cases where -\n1. The vulnerable application expects to receive a JWT signed with an Elliptic-Curve key (one of the algorithms `ES256`, `ES384`, `ES512`, `EdDSA`)\n2. The vulnerable application decodes the JWT token using the non-default kwarg `algorithms=jwt.algorithms.get_default_algorithms()` (or alternatively, `algorithms` contain both an HMAC-based algorithm and an EC-based algorithm)\n\nAn attacker can create an HMAC-signed (ex. `HS256`) JWT token, using the (well-known!) EC public key as the HMAC key. The validating application will accept this JWT token as a valid token.\n\nFor example, an application might have planned to validate an `EdDSA`-signed token that was generated as follows -\n```python\n# Making a good jwt token that should work by signing it with the private key\nencoded_good = jwt.encode({\"test\": 1234}, priv_key_bytes, algorithm=\"EdDSA\")\n```\nAn attacker in posession of the public key can generate an `HMAC`-signed token to confuse PyJWT - \n```python\n# Using HMAC with the public key to trick the receiver to think that the public key is a HMAC secret\nencoded_bad = jwt.encode({\"test\": 1234}, pub_key_bytes, algorithm=\"HS256\")\n```\n\nThe following vulnerable `decode` call will accept BOTH of the above tokens as valid - \n```\ndecoded = jwt.decode(encoded_good, pub_key_bytes, \nalgorithms=jwt.algorithms.get_default_algorithms())\n```\n**Remediation:**\n##### Development mitigations\n\nUse a specific algorithm instead of `jwt.algorithms.get_default_algorithms`.\nFor example, replace the following call - \n`jwt.decode(encoded_jwt, pub_key_bytes, algorithms=jwt.algorithms.get_default_algorithms())`\nWith -\n`jwt.decode(encoded_jwt, pub_key_bytes, algorithms=[\"ES256\"])`\n\n\n\u003c/details\u003e\n\n\n---\n\u003cdiv align=\"center\"\u003e\n\n[🐸 JFrog Frogbot](https://github.com/jfrog/frogbot#readme)\n\n\u003c/div\u003e"
}
\ No newline at end of file
diff --git a/utils/consts.go b/utils/consts.go
index 99d9195b0..7a9720a9b 100644
--- a/utils/consts.go
+++ b/utils/consts.go
@@ -52,6 +52,7 @@ const (
DepsRepoEnv = "JF_DEPS_REPO"
MinSeverityEnv = "JF_MIN_SEVERITY"
FixableOnlyEnv = "JF_FIXABLE_ONLY"
+ AllowedLicensesEnv = "JF_ALLOWED_LICENSES"
WatchesDelimiter = ","
// Email related environment variables
@@ -81,10 +82,12 @@ const (
BranchHashPlaceHolder = "${BRANCH_NAME_HASH}"
// Default naming templates
- BranchNameTemplate = "frogbot-" + PackagePlaceHolder + "-" + BranchHashPlaceHolder
- AggregatedBranchNameTemplate = "frogbot-update-" + BranchHashPlaceHolder + "-dependencies"
- CommitMessageTemplate = "Upgrade " + PackagePlaceHolder + " to " + FixVersionPlaceHolder
- PullRequestTitleTemplate = outputwriter.FrogbotTitlePrefix + " Update version of " + PackagePlaceHolder + " to " + FixVersionPlaceHolder
+ BranchNameTemplate = "frogbot-" + PackagePlaceHolder + "-" + BranchHashPlaceHolder
+ AggregatedBranchNameTemplate = "frogbot-update-" + BranchHashPlaceHolder + "-dependencies"
+ CommitMessageTemplate = "Upgrade " + PackagePlaceHolder + " to " + FixVersionPlaceHolder
+ PullRequestTitleTemplate = outputwriter.FrogbotTitlePrefix + " Update version of " + PackagePlaceHolder + " to " + FixVersionPlaceHolder
+ AggregatePullRequestTitleDefaultTemplate = outputwriter.FrogbotTitlePrefix + " Update %s dependencies"
+ AggregatePullRequestTitle = outputwriter.FrogbotTitlePrefix + " Update dependencies"
// Frogbot Git author details showed in commits
frogbotAuthorName = "JFrog-Frogbot"
frogbotAuthorEmail = "eco-system+frogbot@jfrog.com"
diff --git a/utils/depsutil.go b/utils/depsutil.go
index 6e5fe1cea..7c8ae409f 100644
--- a/utils/depsutil.go
+++ b/utils/depsutil.go
@@ -19,10 +19,10 @@ import (
type resolveDependenciesFunc func(scanSetup *ScanDetails) ([]byte, error)
var MapTechToResolvingFunc = map[string]resolveDependenciesFunc{
- coreutils.Npm.ToString(): resolveNpmDependencies,
- coreutils.Yarn.ToString(): resolveYarnDependencies,
- coreutils.Dotnet.ToString(): resolveDotnetDependencies,
- coreutils.Nuget.ToString(): resolveDotnetDependencies,
+ coreutils.Npm.String(): resolveNpmDependencies,
+ coreutils.Yarn.String(): resolveYarnDependencies,
+ coreutils.Dotnet.String(): resolveDotnetDependencies,
+ coreutils.Nuget.String(): resolveDotnetDependencies,
}
const yarnV2Version = "2.0.0"
@@ -30,28 +30,27 @@ const yarnV2Version = "2.0.0"
func resolveNpmDependencies(scanSetup *ScanDetails) (output []byte, err error) {
npmCmd := npm.NewNpmCommand(scanSetup.InstallCommandArgs[0], false).SetServerDetails(scanSetup.ServerDetails)
if err = npmCmd.PreparePrerequisites(scanSetup.DepsRepo); err != nil {
- return nil, err
+ return
}
if err = npmCmd.CreateTempNpmrc(); err != nil {
- return nil, err
+ return
}
defer func() {
restoreNpmrc := npmCmd.RestoreNpmrcFunc()
- if err == nil {
- err = restoreNpmrc()
- }
+ err = errors.Join(err, restoreNpmrc())
}()
- return exec.Command(coreutils.Npm.ToString(), scanSetup.InstallCommandArgs...).CombinedOutput()
+ output, err = exec.Command(coreutils.Npm.String(), scanSetup.InstallCommandArgs...).CombinedOutput()
+ return
}
func resolveYarnDependencies(scanSetup *ScanDetails) (output []byte, err error) {
currWd, err := coreutils.GetWorkingDirectory()
if err != nil {
- return nil, err
+ return
}
yarnExecPath, err := exec.LookPath("yarn")
if err != nil {
- return nil, err
+ return
}
executableYarnVersion, err := biUtils.GetVersion(yarnExecPath, currWd)
@@ -67,24 +66,28 @@ func resolveYarnDependencies(scanSetup *ScanDetails) (output []byte, err error)
restoreYarnrcFunc, err := rtutils.BackupFile(filepath.Join(currWd, yarn.YarnrcFileName), yarn.YarnrcBackupFileName)
if err != nil {
- return nil, err
+ return
}
registry, repoAuthIdent, err := yarn.GetYarnAuthDetails(scanSetup.ServerDetails, scanSetup.DepsRepo)
if err != nil {
- return nil, yarn.RestoreConfigurationsAndError(nil, restoreYarnrcFunc, err)
+ err = errors.Join(err, restoreYarnrcFunc())
+ return
}
backupEnvMap, err := yarn.ModifyYarnConfigurations(yarnExecPath, registry, repoAuthIdent)
if err != nil {
- return nil, yarn.RestoreConfigurationsAndError(backupEnvMap, restoreYarnrcFunc, err)
+ if len(backupEnvMap) > 0 {
+ err = errors.Join(err, yarn.RestoreConfigurationsFromBackup(backupEnvMap, restoreYarnrcFunc))
+ } else {
+ err = errors.Join(err, restoreYarnrcFunc())
+ }
+ return
}
defer func() {
- e := yarn.RestoreConfigurationsFromBackup(backupEnvMap, restoreYarnrcFunc)
- if err == nil {
- err = e
- }
+ err = errors.Join(err, yarn.RestoreConfigurationsFromBackup(backupEnvMap, restoreYarnrcFunc))
}()
- return nil, build.RunYarnCommand(yarnExecPath, currWd, scanSetup.InstallCommandArgs...)
+ err = build.RunYarnCommand(yarnExecPath, currWd, scanSetup.InstallCommandArgs...)
+ return
}
func resolveDotnetDependencies(scanSetup *ScanDetails) (output []byte, err error) {
@@ -93,10 +96,7 @@ func resolveDotnetDependencies(scanSetup *ScanDetails) (output []byte, err error
return
}
defer func() {
- e := fileutils.RemoveTempDir(wd)
- if err == nil {
- err = e
- }
+ err = errors.Join(err, fileutils.RemoveTempDir(wd))
}()
configFile, err := dotnet.InitNewConfig(wd, scanSetup.DepsRepo, scanSetup.ServerDetails, false)
if err != nil {
@@ -105,5 +105,6 @@ func resolveDotnetDependencies(scanSetup *ScanDetails) (output []byte, err error
toolType := dotnetutils.ConvertNameToToolType(scanSetup.InstallCommandName)
args := scanSetup.InstallCommandArgs
args = append(args, toolType.GetTypeFlagPrefix()+"configfile", configFile.Name())
- return exec.Command(toolType.String(), args...).CombinedOutput()
+ output, err = exec.Command(toolType.String(), args...).CombinedOutput()
+ return
}
diff --git a/utils/email.go b/utils/email.go
index 0e437dc13..286b3356f 100644
--- a/utils/email.go
+++ b/utils/email.go
@@ -25,12 +25,18 @@ type SecretsEmailDetails struct {
EmailDetails
}
-func NewSecretsEmailDetails(gitClient vcsclient.VcsClient, gitProvider vcsutils.VcsProvider,
- repoOwner, repoName, branch, pullRequestLink string,
- detectedSecrets []formats.SourceCodeRow, emailDetails EmailDetails) *SecretsEmailDetails {
- return &SecretsEmailDetails{gitClient: gitClient, gitProvider: gitProvider,
- repoOwner: repoOwner, repoName: repoName, branch: branch, pullRequestLink: pullRequestLink,
- detectedSecrets: detectedSecrets, EmailDetails: emailDetails}
+func NewSecretsEmailDetails(gitClient vcsclient.VcsClient, repoConfig *Repository, secrets []formats.SourceCodeRow) *SecretsEmailDetails {
+ secretsEmailDetails := &SecretsEmailDetails{
+ gitClient: gitClient,
+ EmailDetails: repoConfig.EmailDetails,
+ gitProvider: repoConfig.GitProvider,
+ repoOwner: repoConfig.PullRequestDetails.Source.Owner,
+ repoName: repoConfig.PullRequestDetails.Source.Repository,
+ branch: repoConfig.PullRequestDetails.Source.Name,
+ detectedSecrets: secrets,
+ pullRequestLink: repoConfig.PullRequestDetails.URL,
+ }
+ return secretsEmailDetails
}
func AlertSecretsExposed(secretsDetails *SecretsEmailDetails) (err error) {
diff --git a/utils/email_test.go b/utils/email_test.go
index 3dcc360f2..a410dd05c 100644
--- a/utils/email_test.go
+++ b/utils/email_test.go
@@ -13,12 +13,15 @@ import (
func TestGetSecretsEmailContent(t *testing.T) {
secrets := []formats.SourceCodeRow{
- {Severity: "High",
+ {
+ SeverityDetails: formats.SeverityDetails{Severity: "High"},
Location: formats.Location{
File: "/config.yaml", StartLine: 12, StartColumn: 30, Snippet: "pass*****"},
},
- {Severity: "Medium", Location: formats.Location{
- File: "/server-conf.json", StartLine: 15, StartColumn: 20, Snippet: "pass*****"}},
+ {
+ SeverityDetails: formats.SeverityDetails{Severity: "Medium"},
+ Location: formats.Location{
+ File: "/server-conf.json", StartLine: 15, StartColumn: 20, Snippet: "pass*****"}},
}
// Test for results including the "Pull Request" keyword
expected := "\n\n\n\n
Frogbot Secret Detection\n \n\n\n\t
\n\t\tThe following potential exposed secrets in your
pull request have been detected by
Frogbot\n\t\t
\n\t\t
\n \n \n | FILE | \n LINE:COLUMN | \n SECRET | \n
\n \n \n \n\t\t\t\t\n\t\t\t\t\t| /config.yaml | \n\t\t\t\t\t 12:30 | \n\t\t\t\t\t pass***** | \n\t\t\t\t
\n\t\t\t\t\n\t\t\t\t\t| /server-conf.json | \n\t\t\t\t\t 15:20 | \n\t\t\t\t\t pass***** | \n\t\t\t\t
\n \n
\n\t\t\n\t
\n\n"
diff --git a/utils/git.go b/utils/git.go
index 77b3d711c..835f79c09 100644
--- a/utils/git.go
+++ b/utils/git.go
@@ -7,11 +7,11 @@ import (
"github.com/go-git/go-git/v5/plumbing/protocol/packp/capability"
"github.com/go-git/go-git/v5/plumbing/transport"
"github.com/go-git/go-git/v5/plumbing/transport/client"
- "github.com/jfrog/frogbot/utils/outputwriter"
"github.com/jfrog/froggit-go/vcsutils"
"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
"net/http"
+ "regexp"
"strings"
"time"
@@ -29,6 +29,10 @@ const (
// Timout is seconds for the git operations performed by the go-git client.
goGitTimeoutSeconds = 120
+
+ // Separators used to convert technologies array into string
+ fixBranchTechSeparator = "-"
+ pullRequestTitleTechSeparator = ","
)
type GitManager struct {
@@ -323,10 +327,11 @@ func (gm *GitManager) GenerateCommitMessage(impactedPackage string, fixVersion s
return formatStringWithPlaceHolders(template, impactedPackage, fixVersion, "", true)
}
-func (gm *GitManager) GenerateAggregatedCommitMessage(tech coreutils.Technology) string {
+func (gm *GitManager) GenerateAggregatedCommitMessage(tech []coreutils.Technology) string {
template := gm.customTemplates.commitMessageTemplate
if template == "" {
- template = outputwriter.GetAggregatedPullRequestTitle(tech)
+ // In aggregated mode, commit message and PR title are the same.
+ template = gm.GenerateAggregatedPullRequestTitle(tech)
}
return formatStringWithPlaceHolders(template, "", "", "", true)
}
@@ -372,14 +377,32 @@ func (gm *GitManager) GeneratePullRequestTitle(impactedPackage string, version s
return formatStringWithPlaceHolders(template, impactedPackage, version, "", true)
}
+func (gm *GitManager) GenerateAggregatedPullRequestTitle(tech []coreutils.Technology) string {
+ template := gm.getPullRequestTitleTemplate(tech)
+ // If no technologies are provided, return the template as-is
+ if len(tech) == 0 {
+ return normalizeWhitespaces(strings.ReplaceAll(template, "%s", ""))
+ }
+ return fmt.Sprintf(template, techArrayToString(tech, pullRequestTitleTechSeparator))
+}
+
+func (gm *GitManager) getPullRequestTitleTemplate(tech []coreutils.Technology) string {
+ // Check if a custom template is available
+ if customTemplate := gm.customTemplates.pullRequestTitleTemplate; customTemplate != "" {
+ return parseCustomTemplate(customTemplate, tech)
+ }
+ // If no custom template, use the default template
+ return AggregatePullRequestTitleDefaultTemplate
+}
+
// GenerateAggregatedFixBranchName Generating a consistent branch name to enable branch updates
// and to ensure that there is only one Frogbot branch in aggregated mode.
-func (gm *GitManager) GenerateAggregatedFixBranchName(tech coreutils.Technology) (fixBranchName string, err error) {
+func (gm *GitManager) GenerateAggregatedFixBranchName(tech []coreutils.Technology) (fixBranchName string, err error) {
branchFormat := gm.customTemplates.branchNameTemplate
if branchFormat == "" {
branchFormat = AggregatedBranchNameTemplate
}
- return formatStringWithPlaceHolders(branchFormat, "", "", tech.ToString(), false), nil
+ return formatStringWithPlaceHolders(branchFormat, "", "", techArrayToString(tech, fixBranchTechSeparator), false), nil
}
// dryRunClone clones an existing repository from our testdata folder into the destination folder for testing purposes.
@@ -431,7 +454,22 @@ func setGoGitCustomClient() {
customClient := &http.Client{
Timeout: goGitTimeoutSeconds * time.Second,
}
-
client.InstallProtocol("http", githttp.NewClient(customClient))
client.InstallProtocol("https", githttp.NewClient(customClient))
}
+
+// Clean user template from input strings and add suffix.
+func parseCustomTemplate(customTemplate string, tech []coreutils.Technology) string {
+ trimSpace := strings.TrimSpace(customTemplate)
+ // Find any input format strings
+ re := regexp.MustCompile(`%[sdvTtqwxXbcdoUxfeEgGp]`)
+ // Replace all matching substrings with an empty string
+ result := re.ReplaceAllString(trimSpace, "")
+ // Remove any middle spaces
+ result = strings.Join(strings.Fields(result), " ")
+ var suffix string
+ if len(tech) > 0 {
+ suffix = " - %s Dependencies"
+ }
+ return normalizeWhitespaces(result) + suffix
+}
diff --git a/utils/git_test.go b/utils/git_test.go
index 8ff6d6aa4..45f513791 100644
--- a/utils/git_test.go
+++ b/utils/git_test.go
@@ -5,7 +5,6 @@ import (
"github.com/go-git/go-git/v5"
"github.com/go-git/go-git/v5/config"
"github.com/go-git/go-git/v5/plumbing/object"
- "github.com/jfrog/frogbot/utils/outputwriter"
"github.com/jfrog/froggit-go/vcsutils"
"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
@@ -133,19 +132,19 @@ func TestGitManager_GenerateAggregatedFixBranchName(t *testing.T) {
desc string
}{
{
- expected: "frogbot-update-go-dependencies",
+ expected: "frogbot-update-Go-dependencies",
desc: "No template",
gitManager: GitManager{},
},
{
- expected: "[feature]-go",
+ expected: "[feature]-Go",
desc: "Custom template hash only",
gitManager: GitManager{customTemplates: CustomTemplates{branchNameTemplate: "[feature]-${BRANCH_NAME_HASH}"}},
},
}
for _, test := range testCases {
t.Run(test.desc, func(t *testing.T) {
- titleOutput, err := test.gitManager.GenerateAggregatedFixBranchName(coreutils.Go)
+ titleOutput, err := test.gitManager.GenerateAggregatedFixBranchName([]coreutils.Technology{coreutils.Go})
assert.NoError(t, err)
assert.Equal(t, test.expected, titleOutput)
})
@@ -157,12 +156,12 @@ func TestGitManager_GenerateAggregatedCommitMessage(t *testing.T) {
gitManager GitManager
expected string
}{
- {gitManager: GitManager{}, expected: outputwriter.GetAggregatedPullRequestTitle(coreutils.Pipenv)},
+ {gitManager: GitManager{}, expected: "[🐸 Frogbot] Update Pipenv dependencies"},
{gitManager: GitManager{customTemplates: CustomTemplates{commitMessageTemplate: "custom_template"}}, expected: "custom_template"},
}
for _, test := range testCases {
t.Run(test.expected, func(t *testing.T) {
- commit := test.gitManager.GenerateAggregatedCommitMessage(coreutils.Pipenv)
+ commit := test.gitManager.GenerateAggregatedCommitMessage([]coreutils.Technology{coreutils.Pipenv})
assert.Equal(t, commit, test.expected)
})
}
@@ -295,3 +294,32 @@ func TestGitManager_SetRemoteGitUrl(t *testing.T) {
})
}
}
+
+func TestGetAggregatedPullRequestTitle(t *testing.T) {
+ defaultGm := GitManager{}
+ testsCases := []struct {
+ tech []coreutils.Technology
+ gm GitManager
+ expected string
+ }{
+ {gm: defaultGm, tech: []coreutils.Technology{}, expected: "[🐸 Frogbot] Update dependencies"},
+ {gm: defaultGm, tech: []coreutils.Technology{coreutils.Maven}, expected: "[🐸 Frogbot] Update Maven dependencies"},
+ {gm: defaultGm, tech: []coreutils.Technology{coreutils.Gradle}, expected: "[🐸 Frogbot] Update Gradle dependencies"},
+ {gm: defaultGm, tech: []coreutils.Technology{coreutils.Npm}, expected: "[🐸 Frogbot] Update npm dependencies"},
+ {gm: defaultGm, tech: []coreutils.Technology{coreutils.Yarn}, expected: "[🐸 Frogbot] Update Yarn dependencies"},
+ {gm: GitManager{customTemplates: CustomTemplates{pullRequestTitleTemplate: "[Dependencies] My template "}}, tech: []coreutils.Technology{coreutils.Yarn}, expected: "[Dependencies] My template - Yarn Dependencies"},
+ {gm: GitManager{customTemplates: CustomTemplates{pullRequestTitleTemplate: ""}}, tech: []coreutils.Technology{coreutils.Yarn}, expected: "[🐸 Frogbot] Update Yarn dependencies"},
+ {gm: GitManager{customTemplates: CustomTemplates{pullRequestTitleTemplate: "[Feature] %s hello"}}, tech: []coreutils.Technology{coreutils.Yarn}, expected: "[Feature] hello - Yarn Dependencies"},
+ {gm: GitManager{customTemplates: CustomTemplates{pullRequestTitleTemplate: "[Feature] %s %d hello"}}, tech: []coreutils.Technology{coreutils.Yarn}, expected: "[Feature] hello - Yarn Dependencies"},
+ {gm: GitManager{customTemplates: CustomTemplates{pullRequestTitleTemplate: "[Feature] %s %d hello"}}, tech: []coreutils.Technology{coreutils.Yarn}, expected: "[Feature] hello - Yarn Dependencies"},
+ {gm: GitManager{customTemplates: CustomTemplates{pullRequestTitleTemplate: "[Feature] %s %f hello"}}, tech: []coreutils.Technology{coreutils.Yarn, coreutils.Go}, expected: "[Feature] hello - Yarn,Go Dependencies"},
+ {gm: GitManager{customTemplates: CustomTemplates{pullRequestTitleTemplate: "[Feature] %s %d hello"}}, tech: []coreutils.Technology{coreutils.Yarn, coreutils.Go, coreutils.Npm}, expected: "[Feature] hello - Yarn,Go,npm Dependencies"},
+ {gm: GitManager{customTemplates: CustomTemplates{pullRequestTitleTemplate: "[Feature] %s %d hello"}}, tech: []coreutils.Technology{}, expected: "[Feature] hello"},
+ }
+ for _, test := range testsCases {
+ t.Run(test.expected, func(t *testing.T) {
+ title := test.gm.GenerateAggregatedPullRequestTitle(test.tech)
+ assert.Equal(t, test.expected, title)
+ })
+ }
+}
diff --git a/utils/issuescollection.go b/utils/issuescollection.go
new file mode 100644
index 000000000..24a9ded9a
--- /dev/null
+++ b/utils/issuescollection.go
@@ -0,0 +1,56 @@
+package utils
+
+import "github.com/jfrog/jfrog-cli-core/v2/xray/formats"
+
+type IssuesCollection struct {
+ Vulnerabilities []formats.VulnerabilityOrViolationRow
+ Iacs []formats.SourceCodeRow
+ Secrets []formats.SourceCodeRow
+ Sast []formats.SourceCodeRow
+ Licenses []formats.LicenseRow
+}
+
+func (ic *IssuesCollection) VulnerabilitiesExists() bool {
+ return len(ic.Vulnerabilities) > 0
+}
+
+func (ic *IssuesCollection) IacExists() bool {
+ return len(ic.Iacs) > 0
+}
+
+func (ic *IssuesCollection) LicensesExists() bool {
+ return len(ic.Licenses) > 0
+}
+
+func (ic *IssuesCollection) SecretsExists() bool {
+ return len(ic.Secrets) > 0
+}
+
+func (ic *IssuesCollection) SastExists() bool {
+ return len(ic.Sast) > 0
+}
+
+func (ic *IssuesCollection) IssuesExists() bool {
+ return ic.VulnerabilitiesExists() || ic.IacExists() || ic.LicensesExists() || ic.SastExists()
+}
+
+func (ic *IssuesCollection) Append(issues *IssuesCollection) {
+ if issues == nil {
+ return
+ }
+ if len(issues.Vulnerabilities) > 0 {
+ ic.Vulnerabilities = append(ic.Vulnerabilities, issues.Vulnerabilities...)
+ }
+ if len(issues.Secrets) > 0 {
+ ic.Secrets = append(ic.Secrets, issues.Secrets...)
+ }
+ if len(issues.Sast) > 0 {
+ ic.Sast = append(ic.Sast, issues.Sast...)
+ }
+ if len(issues.Iacs) > 0 {
+ ic.Iacs = append(ic.Iacs, issues.Iacs...)
+ }
+ if len(issues.Licenses) > 0 {
+ ic.Licenses = append(ic.Licenses, issues.Licenses...)
+ }
+}
diff --git a/utils/outputwriter/outputwriter.go b/utils/outputwriter/outputwriter.go
index a9f68b561..cb9eb1955 100644
--- a/utils/outputwriter/outputwriter.go
+++ b/utils/outputwriter/outputwriter.go
@@ -5,7 +5,6 @@ import (
"strings"
"github.com/jfrog/froggit-go/vcsutils"
- "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
"github.com/jfrog/jfrog-cli-core/v2/xray/formats"
xrayutils "github.com/jfrog/jfrog-cli-core/v2/xray/utils"
)
@@ -16,6 +15,13 @@ const (
vulnerabilitiesTableHeader = "\n| SEVERITY | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: |"
vulnerabilitiesTableHeaderWithContextualAnalysis = "| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS | CVES |\n| :---------------------: | :----------------------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | :---------------------------------: |"
iacTableHeader = "\n| SEVERITY | FILE | LINE:COLUMN | FINDING |\n| :---------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: |"
+ vulnerableDependenciesTitle = "## 📦 Vulnerable Dependencies"
+ summaryTitle = "### ✍️ Summary"
+ researchDetailsTitle = "## 🔬 Research Details"
+ iacTitle = "## 🛠️ Infrastructure as Code"
+ licenseTitle = "## ⚖️ Violated Licenses"
+ contextualAnalysisTitle = "## 📦🔍 Contextual Analysis CVE Vulnerability\n"
+ licenseTableHeader = "\n| LICENSE | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | \n| :---------------------: | :----------------------------------: | :-----------------------------------: |"
SecretsEmailCSS = `body {
font-family: Arial, sans-serif;
background-color: #f5f5f5;
@@ -99,6 +105,7 @@ type OutputWriter interface {
NoVulnerabilitiesTitle() string
VulnerabilitiesTitle(isComment bool) string
VulnerabilitiesContent(vulnerabilities []formats.VulnerabilityOrViolationRow) string
+ LicensesContent(licenses []formats.LicenseRow) string
IacTableContent(iacRows []formats.SourceCodeRow) string
Footer() string
Separator() string
@@ -126,7 +133,7 @@ func GetCompatibleOutputWriter(provider vcsutils.VcsProvider) OutputWriter {
func createVulnerabilityDescription(vulnerability *formats.VulnerabilityOrViolationRow) string {
var descriptionBuilder strings.Builder
vulnResearch := vulnerability.JfrogResearchInformation
- if vulnerability.JfrogResearchInformation == nil {
+ if vulnResearch == nil {
vulnResearch = &formats.JfrogResearchInformation{Details: vulnerability.Summary}
}
@@ -151,6 +158,20 @@ func getVulnerabilitiesTableContent(vulnerabilities []formats.VulnerabilityOrVio
return tableContent
}
+func getLicensesTableContent(licenses []formats.LicenseRow, writer OutputWriter) string {
+ var tableContent strings.Builder
+ for _, license := range licenses {
+ var directDependenciesBuilder strings.Builder
+ for _, component := range license.Components {
+ directDependenciesBuilder.WriteString(fmt.Sprintf("%s %s%s", component.Name, component.Version, writer.Separator()))
+ }
+ directDependencies := strings.TrimSuffix(directDependenciesBuilder.String(), writer.Separator())
+ impactedDependency := fmt.Sprintf("%s %s", license.ImpactedDependencyName, license.ImpactedDependencyVersion)
+ tableContent.WriteString(fmt.Sprintf("\n| %s | %s | %s |", license.LicenseKey, directDependencies, impactedDependency))
+ }
+ return tableContent.String()
+}
+
func getIacTableContent(iacRows []formats.SourceCodeRow, writer OutputWriter) string {
var tableContent string
for _, iac := range iacRows {
@@ -193,13 +214,6 @@ at %s (line %d)
location.StartLine)
}
-func GetAggregatedPullRequestTitle(tech coreutils.Technology) string {
- if tech.ToString() == "" {
- return FrogbotTitlePrefix + " Update dependencies"
- }
- return fmt.Sprintf("%s Update %s dependencies", FrogbotTitlePrefix, tech.ToFormal())
-}
-
func getVulnerabilitiesTableHeader(showCaColumn bool) string {
if showCaColumn {
return vulnerabilitiesTableHeaderWithContextualAnalysis
diff --git a/utils/outputwriter/outputwriter_test.go b/utils/outputwriter/outputwriter_test.go
index 49864275d..2f3ccb8de 100644
--- a/utils/outputwriter/outputwriter_test.go
+++ b/utils/outputwriter/outputwriter_test.go
@@ -1,25 +1,64 @@
package outputwriter
import (
- "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
+ "github.com/jfrog/jfrog-cli-core/v2/xray/formats"
"github.com/stretchr/testify/assert"
"testing"
)
-func TestGetAggregatedPullRequestTitle(t *testing.T) {
- tests := []struct {
- tech coreutils.Technology
- expected string
- }{
- {tech: "", expected: "[🐸 Frogbot] Update dependencies"},
- {tech: coreutils.Maven, expected: "[🐸 Frogbot] Update Maven dependencies"},
- {tech: coreutils.Gradle, expected: "[🐸 Frogbot] Update Gradle dependencies"},
- {tech: coreutils.Npm, expected: "[🐸 Frogbot] Update npm dependencies"},
- {tech: coreutils.Yarn, expected: "[🐸 Frogbot] Update Yarn dependencies"},
+func TestMarkdownComment(t *testing.T) {
+ text := ""
+ result := MarkdownComment(text)
+ expected := "\n\n[comment]: <> ()\n"
+ assert.Equal(t, expected, result)
+
+ text = "This is a comment"
+ result = MarkdownComment(text)
+ expected = "\n\n[comment]: <> (This is a comment)\n"
+ assert.Equal(t, expected, result)
+}
+
+func testGetLicensesTableContent(t *testing.T, writer OutputWriter) {
+ licenses := []formats.LicenseRow{}
+ result := getLicensesTableContent(licenses, writer)
+ expected := ""
+ assert.Equal(t, expected, result)
+
+ // Single license with components
+ licenses = []formats.LicenseRow{
+ {
+ LicenseKey: "License1",
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ Components: []formats.ComponentRow{{Name: "Comp1", Version: "1.0"}},
+ ImpactedDependencyName: "Dep1",
+ ImpactedDependencyVersion: "2.0",
+ },
+ },
}
+ result = getLicensesTableContent(licenses, writer)
+ expected = "\n| License1 | Comp1 1.0 | Dep1 2.0 |"
+ assert.Equal(t, expected, result)
- for _, test := range tests {
- title := GetAggregatedPullRequestTitle(test.tech)
- assert.Equal(t, test.expected, title)
+ // Test case 3: Multiple licenses with components
+ licenses = []formats.LicenseRow{
+ {
+ LicenseKey: "License1",
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ Components: []formats.ComponentRow{{Name: "Comp1", Version: "1.0"}},
+ ImpactedDependencyName: "Dep1",
+ ImpactedDependencyVersion: "2.0",
+ },
+ },
+ {
+ LicenseKey: "License2",
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ Components: []formats.ComponentRow{{Name: "Comp2", Version: "2.0"}},
+ ImpactedDependencyName: "Dep2",
+ ImpactedDependencyVersion: "3.0",
+ },
+ },
}
+ result = getLicensesTableContent(licenses, writer)
+ expected = "\n| License1 | Comp1 1.0 | Dep1 2.0 |\n| License2 | Comp2 2.0 | Dep2 3.0 |"
+ assert.Equal(t, expected, result)
}
diff --git a/utils/outputwriter/simplifiedoutput.go b/utils/outputwriter/simplifiedoutput.go
index 00ee05536..b89779323 100644
--- a/utils/outputwriter/simplifiedoutput.go
+++ b/utils/outputwriter/simplifiedoutput.go
@@ -83,20 +83,24 @@ func (smo *SimplifiedOutput) VulnerabilitiesContent(vulnerabilities []formats.Vu
// Write summary table part
contentBuilder.WriteString(fmt.Sprintf(`
---
-## 📦 Vulnerable Dependencies
+%s
---
-### ✍️ Summary
+%s
%s %s
---
-### 👇 Details
+%s
---
`,
+
+ vulnerableDependenciesTitle,
+ summaryTitle,
getVulnerabilitiesTableHeader(smo.showCaColumn),
- getVulnerabilitiesTableContent(vulnerabilities, smo)))
+ getVulnerabilitiesTableContent(vulnerabilities, smo),
+ researchDetailsTitle))
for i := range vulnerabilities {
contentBuilder.WriteString(fmt.Sprintf(`
#### %s%s %s
@@ -146,16 +150,18 @@ func (smo *SimplifiedOutput) ApplicableCveReviewContent(severity, finding, fullD
func (smo *SimplifiedOutput) IacReviewContent(severity, finding, fullDetails string) string {
return fmt.Sprintf(`
-## 🛠️ Infrastructure as Code (Iac) Vulnerability
-
%s
-### 👇 Details
+%s
+
+%s
%s
`,
+ iacTitle,
GetJasMarkdownDescription(smo.FormattedSeverity(severity, "Applicable"), finding),
+ researchDetailsTitle,
fullDetails)
}
@@ -207,17 +213,37 @@ Vulnerable data flow analysis result:
return contentBuilder.String()
}
+func (smo *SimplifiedOutput) LicensesContent(licenses []formats.LicenseRow) string {
+ if len(licenses) == 0 {
+ return ""
+ }
+
+ return fmt.Sprintf(`
+---
+%s
+---
+
+%s
+%s
+
+`,
+ licenseTitle,
+ licenseTableHeader,
+ getLicensesTableContent(licenses, smo))
+}
+
func (smo *SimplifiedOutput) IacTableContent(iacRows []formats.SourceCodeRow) string {
if len(iacRows) == 0 {
return ""
}
return fmt.Sprintf(`
-## 🛠️ Infrastructure as Code
+%s
%s %s
`,
+ iacTitle,
iacTableHeader,
getIacTableContent(iacRows, smo))
}
@@ -237,7 +263,7 @@ func (smo *SimplifiedOutput) FormattedSeverity(severity, _ string) string {
func (smo *SimplifiedOutput) UntitledForJasMsg() string {
msg := ""
if !smo.entitledForJas {
- msg = "\n\n**Frogbot** also supports **Contextual Analysis, Secret Detection and IaC Vulnerabilities Scanning**. This features are included as part of the [JFrog Advanced Security](https://jfrog.com/xray/) package, which isn't enabled on your system.\n"
+ msg = "\n\n---\n**Frogbot** also supports **Contextual Analysis, Secret Detection and IaC Vulnerabilities Scanning**. This features are included as part of the [JFrog Advanced Security](https://jfrog.com/xray/) package, which isn't enabled on your system.\n"
}
return msg
}
diff --git a/utils/outputwriter/simplifiedoutput_test.go b/utils/outputwriter/simplifiedoutput_test.go
index 6614335c7..c34bea018 100644
--- a/utils/outputwriter/simplifiedoutput_test.go
+++ b/utils/outputwriter/simplifiedoutput_test.go
@@ -5,6 +5,7 @@ import (
"github.com/jfrog/froggit-go/vcsutils"
"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
"github.com/jfrog/jfrog-cli-core/v2/xray/formats"
+ "github.com/jfrog/jfrog-cli-core/v2/xray/utils"
"github.com/stretchr/testify/assert"
"testing"
)
@@ -21,13 +22,15 @@ func TestSimplifiedOutput_VulnerabilitiesTableRow(t *testing.T) {
{
name: "Single CVE and one direct dependency",
vulnerability: formats.VulnerabilityOrViolationRow{
- Severity: "High",
- Components: []formats.ComponentRow{
- {Name: "dep1", Version: "1.0.0"},
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ SeverityDetails: formats.SeverityDetails{Severity: "High"},
+ ImpactedDependencyName: "impacted_dep",
+ ImpactedDependencyVersion: "2.0.0",
+ Components: []formats.ComponentRow{
+ {Name: "dep1", Version: "1.0.0"},
+ },
},
- ImpactedDependencyName: "impacted_dep",
- ImpactedDependencyVersion: "2.0.0",
- FixedVersions: []string{"3.0.0"},
+ FixedVersions: []string{"3.0.0"},
Cves: []formats.CveRow{
{Id: "CVE-2022-0001"},
},
@@ -38,28 +41,32 @@ func TestSimplifiedOutput_VulnerabilitiesTableRow(t *testing.T) {
{
name: "No CVE and multiple direct dependencies",
vulnerability: formats.VulnerabilityOrViolationRow{
- Severity: "Low",
- Components: []formats.ComponentRow{
- {Name: "dep1", Version: "1.0.0"},
- {Name: "dep2", Version: "2.0.0"},
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ SeverityDetails: formats.SeverityDetails{Severity: "Low"},
+ ImpactedDependencyName: "impacted_dep",
+ ImpactedDependencyVersion: "3.0.0",
+ Components: []formats.ComponentRow{
+ {Name: "dep1", Version: "1.0.0"},
+ {Name: "dep2", Version: "2.0.0"},
+ },
},
- ImpactedDependencyName: "impacted_dep",
- ImpactedDependencyVersion: "3.0.0",
- FixedVersions: []string{"4.0.0", "4.1.0", "4.2.0", "5.0.0"},
- Cves: []formats.CveRow{},
- Technology: coreutils.Dotnet,
+ FixedVersions: []string{"4.0.0", "4.1.0", "4.2.0", "5.0.0"},
+ Cves: []formats.CveRow{},
+ Technology: coreutils.Dotnet,
},
expectedOutput: "| Low | dep1:1.0.0 | impacted_dep:3.0.0 | 4.0.0, 4.1.0, 4.2.0, 5.0.0 | - |\n| | dep2:2.0.0 | | |",
},
{
name: "Multiple CVEs",
vulnerability: formats.VulnerabilityOrViolationRow{
- Severity: "Critical",
- Components: []formats.ComponentRow{{Name: "direct", Version: "1.0.2"}},
- Applicable: "Applicable",
- ImpactedDependencyName: "impacted_dep",
- ImpactedDependencyVersion: "4.0.0",
- FixedVersions: []string{"5.0.0", "6.0.0"},
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ SeverityDetails: formats.SeverityDetails{Severity: "Critical"},
+ ImpactedDependencyName: "impacted_dep",
+ ImpactedDependencyVersion: "4.0.0",
+ Components: []formats.ComponentRow{{Name: "direct", Version: "1.0.2"}},
+ },
+ Applicable: "Applicable",
+ FixedVersions: []string{"5.0.0", "6.0.0"},
Cves: []formats.CveRow{
{Id: "CVE-2022-0002"},
{Id: "CVE-2022-0003"},
@@ -119,20 +126,24 @@ func TestSimplifiedOutput_VulnerabilitiesContent(t *testing.T) {
// Create some sample vulnerabilitiesRows for testing
vulnerabilitiesRows := []formats.VulnerabilityOrViolationRow{
{
- Severity: "Critical",
- ImpactedDependencyName: "Dependency1",
- Components: []formats.ComponentRow{{Name: "Direct1", Version: "1.0.0"}, {Name: "Direct2", Version: "2.0.0"}},
- FixedVersions: []string{"2.2.3"},
- Cves: []formats.CveRow{{Id: "CVE-2023-1234"}},
- ImpactedDependencyVersion: "1.0.0",
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ SeverityDetails: formats.SeverityDetails{Severity: "Critical"},
+ ImpactedDependencyName: "Dependency1",
+ ImpactedDependencyVersion: "1.0.0",
+ Components: []formats.ComponentRow{{Name: "Direct1", Version: "1.0.0"}, {Name: "Direct2", Version: "2.0.0"}},
+ },
+ FixedVersions: []string{"2.2.3"},
+ Cves: []formats.CveRow{{Id: "CVE-2023-1234"}},
},
{
- Severity: "High",
- Components: []formats.ComponentRow{{Name: "Direct1", Version: "1.0.0"}, {Name: "Direct2", Version: "2.0.0"}},
- ImpactedDependencyName: "Dependency2",
- FixedVersions: []string{"2.2.3"},
- Cves: []formats.CveRow{{Id: "CVE-2023-1234"}},
- ImpactedDependencyVersion: "2.0.0",
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ SeverityDetails: formats.SeverityDetails{Severity: "High"},
+ ImpactedDependencyName: "Dependency2",
+ ImpactedDependencyVersion: "2.0.0",
+ Components: []formats.ComponentRow{{Name: "Direct1", Version: "1.0.0"}, {Name: "Direct2", Version: "2.0.0"}},
+ },
+ FixedVersions: []string{"2.2.3"},
+ Cves: []formats.CveRow{{Id: "CVE-2023-1234"}},
},
}
@@ -142,12 +153,12 @@ func TestSimplifiedOutput_VulnerabilitiesContent(t *testing.T) {
## 📦 Vulnerable Dependencies
---
-### ✍️ Summary
+### ✍️ Summary
%s %s
---
-### 👇 Details
+## 🔬 Research Details
---
@@ -186,24 +197,28 @@ func TestSimplifiedOutput_ContentWithContextualAnalysis(t *testing.T) {
vulnerabilitiesRows := []formats.VulnerabilityOrViolationRow{
{
- ImpactedDependencyName: "Dependency1",
- ImpactedDependencyVersion: "1.0.0",
- Severity: "High",
- FixedVersions: []string{"2.2.3"},
- Components: []formats.ComponentRow{{Name: "Direct1", Version: "1.0.0"}, {Name: "Direct2", Version: "2.0.0"}},
- Cves: []formats.CveRow{{Id: "CVE-2023-1234"}},
- Applicable: "Applicable",
- Technology: coreutils.Npm,
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ SeverityDetails: formats.SeverityDetails{Severity: "High"},
+ ImpactedDependencyName: "Dependency1",
+ ImpactedDependencyVersion: "1.0.0",
+ Components: []formats.ComponentRow{{Name: "Direct1", Version: "1.0.0"}, {Name: "Direct2", Version: "2.0.0"}},
+ },
+ FixedVersions: []string{"2.2.3"},
+ Cves: []formats.CveRow{{Id: "CVE-2023-1234"}},
+ Applicable: utils.Applicable.String(),
+ Technology: coreutils.Npm,
},
{
- ImpactedDependencyName: "Dependency2",
- ImpactedDependencyVersion: "2.0.0",
- Severity: "Low",
- Components: []formats.ComponentRow{{Name: "Direct1", Version: "1.0.0"}, {Name: "Direct2", Version: "2.0.0"}},
- FixedVersions: []string{"2.2.3"},
- Cves: []formats.CveRow{{Id: "CVE-2024-1234"}},
- Applicable: "Not Applicable",
- Technology: coreutils.Poetry,
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ SeverityDetails: formats.SeverityDetails{Severity: "Low"},
+ ImpactedDependencyName: "Dependency2",
+ ImpactedDependencyVersion: "2.0.0",
+ Components: []formats.ComponentRow{{Name: "Direct1", Version: "1.0.0"}, {Name: "Direct2", Version: "2.0.0"}},
+ },
+ FixedVersions: []string{"2.2.3"},
+ Cves: []formats.CveRow{{Id: "CVE-2024-1234"}},
+ Applicable: "Not Applicable",
+ Technology: coreutils.Poetry,
},
}
@@ -212,12 +227,12 @@ func TestSimplifiedOutput_ContentWithContextualAnalysis(t *testing.T) {
## 📦 Vulnerable Dependencies
---
-### ✍️ Summary
+### ✍️ Summary
%s %s
---
-### 👇 Details
+## 🔬 Research Details
---
@@ -263,8 +278,7 @@ func TestSimplifiedOutput_IacContent(t *testing.T) {
name: "Single IAC row",
iacRows: []formats.SourceCodeRow{
{
- Severity: "High",
- SeverityNumValue: 3,
+ SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 3},
Location: formats.Location{
File: "applicable/req_sw_terraform_azure_redis_auth.tf",
StartLine: 11,
@@ -273,14 +287,13 @@ func TestSimplifiedOutput_IacContent(t *testing.T) {
},
},
},
- expectedOutput: "\n## 🛠️ Infrastructure as Code \n\n\n| SEVERITY | FILE | LINE:COLUMN | FINDING |\n| :---------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | \n| High | applicable/req_sw_terraform_azure_redis_auth.tf | 11:1 | Missing Periodic patching was detected |\n\n",
+ expectedOutput: "\n## 🛠️ Infrastructure as Code\n\n\n| SEVERITY | FILE | LINE:COLUMN | FINDING |\n| :---------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | \n| High | applicable/req_sw_terraform_azure_redis_auth.tf | 11:1 | Missing Periodic patching was detected |\n\n",
},
{
name: "Multiple IAC rows",
iacRows: []formats.SourceCodeRow{
{
- Severity: "High",
- SeverityNumValue: 3,
+ SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 3},
Location: formats.Location{
File: "applicable/req_sw_terraform_azure_redis_patch.tf",
StartLine: 11,
@@ -289,8 +302,7 @@ func TestSimplifiedOutput_IacContent(t *testing.T) {
},
},
{
- Severity: "High",
- SeverityNumValue: 3,
+ SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 3},
Location: formats.Location{
File: "applicable/req_sw_terraform_azure_redis_auth.tf",
StartLine: 11,
@@ -299,7 +311,7 @@ func TestSimplifiedOutput_IacContent(t *testing.T) {
},
},
},
- expectedOutput: "\n## 🛠️ Infrastructure as Code \n\n\n| SEVERITY | FILE | LINE:COLUMN | FINDING |\n| :---------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | \n| High | applicable/req_sw_terraform_azure_redis_patch.tf | 11:1 | Missing redis firewall definition or start_ip=0.0.0.0 was detected, Missing redis firewall definition or start_ip=0.0.0.0 was detected |\n| High | applicable/req_sw_terraform_azure_redis_auth.tf | 11:1 | Missing Periodic patching was detected |\n\n",
+ expectedOutput: "\n## 🛠️ Infrastructure as Code\n\n\n| SEVERITY | FILE | LINE:COLUMN | FINDING |\n| :---------------------: | :----------------------------------: | :-----------------------------------: | :---------------------------------: | \n| High | applicable/req_sw_terraform_azure_redis_patch.tf | 11:1 | Missing redis firewall definition or start_ip=0.0.0.0 was detected, Missing redis firewall definition or start_ip=0.0.0.0 was detected |\n| High | applicable/req_sw_terraform_azure_redis_auth.tf | 11:1 | Missing Periodic patching was detected |\n\n",
},
}
@@ -327,8 +339,7 @@ func TestSimplifiedOutput_GetIacTableContent(t *testing.T) {
name: "Single IAC row",
iacRows: []formats.SourceCodeRow{
{
- Severity: "Medium",
- SeverityNumValue: 2,
+ SeverityDetails: formats.SeverityDetails{Severity: "Medium", SeverityNumValue: 2},
Location: formats.Location{
File: "file1",
StartLine: 1,
@@ -343,8 +354,7 @@ func TestSimplifiedOutput_GetIacTableContent(t *testing.T) {
name: "Multiple IAC rows",
iacRows: []formats.SourceCodeRow{
{
- Severity: "High",
- SeverityNumValue: 3,
+ SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 3},
Location: formats.Location{
File: "file1",
StartLine: 1,
@@ -353,8 +363,7 @@ func TestSimplifiedOutput_GetIacTableContent(t *testing.T) {
},
},
{
- Severity: "Medium",
- SeverityNumValue: 2,
+ SeverityDetails: formats.SeverityDetails{Severity: "Medium", SeverityNumValue: 2},
Location: formats.Location{
File: "file2",
StartLine: 2,
@@ -374,3 +383,8 @@ func TestSimplifiedOutput_GetIacTableContent(t *testing.T) {
})
}
}
+
+func TestSimplifiedOutput_GetLicensesTableContent(t *testing.T) {
+ writer := &SimplifiedOutput{}
+ testGetLicensesTableContent(t, writer)
+}
diff --git a/utils/outputwriter/standardoutput.go b/utils/outputwriter/standardoutput.go
index 9ee439501..ed6b3626d 100644
--- a/utils/outputwriter/standardoutput.go
+++ b/utils/outputwriter/standardoutput.go
@@ -84,9 +84,9 @@ func (so *StandardOutput) VulnerabilitiesContent(vulnerabilities []formats.Vulne
var contentBuilder strings.Builder
// Write summary table part
contentBuilder.WriteString(fmt.Sprintf(`
-## 📦 Vulnerable Dependencies
+%s
-### ✍️ Summary
+%s
@@ -94,10 +94,13 @@ func (so *StandardOutput) VulnerabilitiesContent(vulnerabilities []formats.Vulne
-## 👇 Details
+%s
`,
+ vulnerableDependenciesTitle,
+ summaryTitle,
getVulnerabilitiesTableHeader(so.showCaColumn),
- getVulnerabilitiesTableContent(vulnerabilities, so)))
+ getVulnerabilitiesTableContent(vulnerabilities, so),
+ researchDetailsTitle))
// Write details for each vulnerability
for i := range vulnerabilities {
if len(vulnerabilities) == 1 {
@@ -126,7 +129,7 @@ func (so *StandardOutput) VulnerabilitiesContent(vulnerabilities []formats.Vulne
func (so *StandardOutput) ApplicableCveReviewContent(severity, finding, fullDetails, cve, cveDetails, impactedDependency, remediation string) string {
var contentBuilder strings.Builder
contentBuilder.WriteString(fmt.Sprintf(`
-## 📦🔍 Contextual Analysis CVE Vulnerability
+%s
@@ -151,6 +154,7 @@ func (so *StandardOutput) ApplicableCveReviewContent(severity, finding, fullDeta
`,
+ contextualAnalysisTitle,
GetApplicabilityMarkdownDescription(so.FormattedSeverity(severity, "Applicable"), cve, impactedDependency, finding),
fullDetails,
cveDetails))
@@ -173,7 +177,7 @@ func (so *StandardOutput) ApplicableCveReviewContent(severity, finding, fullDeta
func (so *StandardOutput) IacReviewContent(severity, finding, fullDetails string) string {
return fmt.Sprintf(`
-## 🛠️ Infrastructure as Code (Iac) Vulnerability
+%s
@@ -190,6 +194,7 @@ func (so *StandardOutput) IacReviewContent(severity, finding, fullDetails string
`,
+ iacTitle,
GetJasMarkdownDescription(so.FormattedSeverity(severity, "Applicable"), finding),
fullDetails)
}
@@ -302,6 +307,7 @@ func (so *StandardOutput) UntitledForJasMsg() string {
if !so.entitledForJas {
msg =
`
+---
**Frogbot** also supports **Contextual Analysis, Secret Detection and IaC Vulnerabilities Scanning**. This features are included as part of the [JFrog Advanced Security](https://jfrog.com/xray/) package, which isn't enabled on your system.
@@ -311,3 +317,22 @@ func (so *StandardOutput) UntitledForJasMsg() string {
}
return msg
}
+
+func (so *StandardOutput) LicensesContent(licenses []formats.LicenseRow) string {
+ if len(licenses) == 0 {
+ return ""
+ }
+ return fmt.Sprintf(`
+%s
+
+
+
+%s %s
+
+
+
+`,
+ licenseTitle,
+ licenseTableHeader,
+ getLicensesTableContent(licenses, so))
+}
diff --git a/utils/outputwriter/standardoutput_test.go b/utils/outputwriter/standardoutput_test.go
index d0d7440b4..2a4deb250 100644
--- a/utils/outputwriter/standardoutput_test.go
+++ b/utils/outputwriter/standardoutput_test.go
@@ -19,21 +19,25 @@ func TestStandardOutput_TableRow(t *testing.T) {
{
name: "Single CVE and no direct dependencies",
vulnerability: formats.VulnerabilityOrViolationRow{
- Severity: "Critical",
- ImpactedDependencyName: "testdep",
- ImpactedDependencyVersion: "1.0.0",
- FixedVersions: []string{"2.0.0"},
- Cves: []formats.CveRow{{Id: "CVE-2022-1234"}},
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ SeverityDetails: formats.SeverityDetails{Severity: "Critical"},
+ ImpactedDependencyName: "testdep",
+ ImpactedDependencyVersion: "1.0.0",
+ },
+ FixedVersions: []string{"2.0.0"},
+ Cves: []formats.CveRow{{Id: "CVE-2022-1234"}},
},
expected: "| 
Critical | | testdep:1.0.0 | 2.0.0 | CVE-2022-1234 |",
},
{
name: "Multiple CVEs and no direct dependencies",
vulnerability: formats.VulnerabilityOrViolationRow{
- Severity: "High",
- ImpactedDependencyName: "testdep2",
- ImpactedDependencyVersion: "1.0.0",
- FixedVersions: []string{"2.0.0", "3.0.0"},
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ SeverityDetails: formats.SeverityDetails{Severity: "High"},
+ ImpactedDependencyName: "testdep2",
+ ImpactedDependencyVersion: "1.0.0",
+ },
+ FixedVersions: []string{"2.0.0", "3.0.0"},
Cves: []formats.CveRow{
{Id: "CVE-2022-1234"},
{Id: "CVE-2022-5678"},
@@ -44,33 +48,37 @@ func TestStandardOutput_TableRow(t *testing.T) {
{
name: "Single CVE and direct dependencies",
vulnerability: formats.VulnerabilityOrViolationRow{
- Severity: "Low",
- ImpactedDependencyName: "testdep3",
- ImpactedDependencyVersion: "1.0.0",
- FixedVersions: []string{"2.0.0"},
- Cves: []formats.CveRow{{Id: "CVE-2022-1234"}},
- Components: []formats.ComponentRow{
- {Name: "dep1", Version: "1.0.0"},
- {Name: "dep2", Version: "2.0.0"},
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ SeverityDetails: formats.SeverityDetails{Severity: "Low"},
+ ImpactedDependencyName: "testdep3",
+ ImpactedDependencyVersion: "1.0.0",
+ Components: []formats.ComponentRow{
+ {Name: "dep1", Version: "1.0.0"},
+ {Name: "dep2", Version: "2.0.0"},
+ },
},
+ FixedVersions: []string{"2.0.0"},
+ Cves: []formats.CveRow{{Id: "CVE-2022-1234"}},
},
expected: "| 
Low | dep1:1.0.0
dep2:2.0.0 | testdep3:1.0.0 | 2.0.0 | CVE-2022-1234 |",
},
{
name: "Multiple CVEs and direct dependencies",
vulnerability: formats.VulnerabilityOrViolationRow{
- Severity: "High",
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ SeverityDetails: formats.SeverityDetails{Severity: "High"},
+ ImpactedDependencyName: "impacted",
+ ImpactedDependencyVersion: "3.0.0",
+ Components: []formats.ComponentRow{
+ {Name: "dep1", Version: "1.0.0"},
+ {Name: "dep2", Version: "2.0.0"},
+ },
+ },
Cves: []formats.CveRow{
{Id: "CVE-1"},
{Id: "CVE-2"},
},
- Components: []formats.ComponentRow{
- {Name: "dep1", Version: "1.0.0"},
- {Name: "dep2", Version: "2.0.0"},
- },
- ImpactedDependencyName: "impacted",
- ImpactedDependencyVersion: "3.0.0",
- FixedVersions: []string{"4.0.0", "5.0.0"},
+ FixedVersions: []string{"4.0.0", "5.0.0"},
},
expected: "| 
High | dep1:1.0.0
dep2:2.0.0 | impacted:3.0.0 | 4.0.0
5.0.0 | CVE-1
CVE-2 |",
},
@@ -127,18 +135,22 @@ func TestStandardOutput_VulnerabilitiesContent(t *testing.T) {
// Create some sample vulnerabilitiesRows for testing
vulnerabilitiesRows := []formats.VulnerabilityOrViolationRow{
{
- ImpactedDependencyName: "Dependency1",
- ImpactedDependencyVersion: "1.0.0",
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ ImpactedDependencyName: "Dependency1",
+ ImpactedDependencyVersion: "1.0.0",
+ },
},
{
- ImpactedDependencyName: "Dependency2",
- ImpactedDependencyVersion: "2.0.0",
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ ImpactedDependencyName: "Dependency2",
+ ImpactedDependencyVersion: "2.0.0",
+ },
},
}
// Set the expected content string based on the sample data
expectedContent := fmt.Sprintf(`
-## 📦 Vulnerable Dependencies
+## 📦 Vulnerable Dependencies
### ✍️ Summary
@@ -148,7 +160,7 @@ func TestStandardOutput_VulnerabilitiesContent(t *testing.T) {
-## 👇 Details
+## 🔬 Research Details
%s%s %s
@@ -194,24 +206,28 @@ func TestStandardOutput_ContentWithContextualAnalysis(t *testing.T) {
// Create some sample vulnerabilitiesRows for testing
vulnerabilitiesRows = []formats.VulnerabilityOrViolationRow{
{
- ImpactedDependencyName: "Dependency1",
- ImpactedDependencyVersion: "1.0.0",
- Applicable: "Applicable",
- Technology: coreutils.Pip,
- Cves: []formats.CveRow{{Id: "CVE-2023-1234"}, {Id: "CVE-2023-4321"}},
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ ImpactedDependencyName: "Dependency1",
+ ImpactedDependencyVersion: "1.0.0",
+ },
+ Applicable: "Applicable",
+ Technology: coreutils.Pip,
+ Cves: []formats.CveRow{{Id: "CVE-2023-1234"}, {Id: "CVE-2023-4321"}},
},
{
- ImpactedDependencyName: "Dependency2",
- ImpactedDependencyVersion: "2.0.0",
- Applicable: "Not Applicable",
- Technology: coreutils.Pip,
- Cves: []formats.CveRow{{Id: "CVE-2022-4321"}},
+ ImpactedDependencyDetails: formats.ImpactedDependencyDetails{
+ ImpactedDependencyName: "Dependency2",
+ ImpactedDependencyVersion: "2.0.0",
+ },
+ Applicable: "Not Applicable",
+ Technology: coreutils.Pip,
+ Cves: []formats.CveRow{{Id: "CVE-2022-4321"}},
},
}
// Set the expected content string based on the sample data
expectedContent = fmt.Sprintf(`
-## 📦 Vulnerable Dependencies
+## 📦 Vulnerable Dependencies
### ✍️ Summary
@@ -221,7 +237,7 @@ func TestStandardOutput_ContentWithContextualAnalysis(t *testing.T) {
-## 👇 Details
+## 🔬 Research Details
%s%s %s
@@ -273,8 +289,7 @@ func TestStandardOutput_IacContent(t *testing.T) {
name: "Single IAC row",
iacRows: []formats.SourceCodeRow{
{
- Severity: "High",
- SeverityNumValue: 3,
+ SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 3},
Location: formats.Location{
File: "applicable/req_sw_terraform_azure_redis_auth.tf",
StartLine: 11,
@@ -289,8 +304,7 @@ func TestStandardOutput_IacContent(t *testing.T) {
name: "Multiple IAC rows",
iacRows: []formats.SourceCodeRow{
{
- Severity: "High",
- SeverityNumValue: 3,
+ SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 3},
Location: formats.Location{
File: "applicable/req_sw_terraform_azure_redis_patch.tf",
StartLine: 11,
@@ -299,8 +313,7 @@ func TestStandardOutput_IacContent(t *testing.T) {
},
},
{
- Severity: "High",
- SeverityNumValue: 3,
+ SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 3},
Location: formats.Location{
File: "applicable/req_sw_terraform_azure_redis_auth.tf",
StartLine: 11,
@@ -337,8 +350,7 @@ func TestStandardOutput_GetIacTableContent(t *testing.T) {
name: "Single IAC row",
iacRows: []formats.SourceCodeRow{
{
- Severity: "Medium",
- SeverityNumValue: 2,
+ SeverityDetails: formats.SeverityDetails{Severity: "Medium", SeverityNumValue: 2},
Location: formats.Location{
File: "file1",
StartLine: 1,
@@ -353,8 +365,7 @@ func TestStandardOutput_GetIacTableContent(t *testing.T) {
name: "Multiple IAC rows",
iacRows: []formats.SourceCodeRow{
{
- Severity: "High",
- SeverityNumValue: 3,
+ SeverityDetails: formats.SeverityDetails{Severity: "High", SeverityNumValue: 3},
Location: formats.Location{
File: "file1",
StartLine: 1,
@@ -363,8 +374,7 @@ func TestStandardOutput_GetIacTableContent(t *testing.T) {
},
},
{
- Severity: "Medium",
- SeverityNumValue: 2,
+ SeverityDetails: formats.SeverityDetails{Severity: "Medium", SeverityNumValue: 2},
Location: formats.Location{
File: "file2",
StartLine: 2,
@@ -384,3 +394,8 @@ func TestStandardOutput_GetIacTableContent(t *testing.T) {
})
}
}
+
+func TestStandardOutput_GetLicensesTableContent(t *testing.T) {
+ writer := &StandardOutput{}
+ testGetLicensesTableContent(t, writer)
+}
diff --git a/utils/params.go b/utils/params.go
index 3d5dfa6c8..98dbe020a 100644
--- a/utils/params.go
+++ b/utils/params.go
@@ -113,6 +113,7 @@ type Scan struct {
FixableOnly bool `yaml:"fixableOnly,omitempty"`
FailOnSecurityIssues *bool `yaml:"failOnSecurityIssues,omitempty"`
MinSeverity string `yaml:"minSeverity,omitempty"`
+ AllowedLicenses []string `yaml:"allowedLicenses,omitempty"`
Projects []Project `yaml:"projects,omitempty"`
EmailDetails `yaml:",inline"`
}
@@ -182,6 +183,11 @@ func (s *Scan) setDefaultsIfNeeded() (err error) {
if len(s.Projects) == 0 {
s.Projects = append(s.Projects, Project{})
}
+ if len(s.AllowedLicenses) == 0 {
+ if s.AllowedLicenses, err = readArrayParamFromEnv(AllowedLicensesEnv, ","); err != nil && !e.IsMissingEnvErr(err) {
+ return
+ }
+ }
for i := range s.Projects {
if err = s.Projects[i].setDefaultsIfNeeded(); err != nil {
return
@@ -198,16 +204,10 @@ type JFrogPlatform struct {
func (jp *JFrogPlatform) setDefaultsIfNeeded() (err error) {
e := &ErrMissingEnv{}
- if jp.Watches == nil {
- var watches string
- if err = readParamFromEnv(jfrogWatchesEnv, &watches); err != nil && !e.IsMissingEnvErr(err) {
+ if len(jp.Watches) == 0 {
+ if jp.Watches, err = readArrayParamFromEnv(jfrogWatchesEnv, WatchesDelimiter); err != nil && !e.IsMissingEnvErr(err) {
return
}
- if watches != "" {
- // Remove spaces if exists
- watches = strings.ReplaceAll(watches, " ", "")
- jp.Watches = strings.Split(watches, WatchesDelimiter)
- }
}
if jp.JFrogProjectKey == "" {
@@ -427,11 +427,6 @@ func extractGitParamsFromEnvs() (*Git, error) {
if branch != "" {
gitEnvParams.Branches = []string{branch}
}
- // Set the repository name
- if err = readParamFromEnv(GitRepoEnv, &gitEnvParams.RepoName); err != nil && !e.IsMissingEnvErr(err) {
- return nil, err
- }
-
// Non-mandatory Git Api Endpoint, if not set, default values will be used.
if err = readParamFromEnv(GitApiEndpointEnv, &gitEnvParams.APIEndpoint); err != nil && !e.IsMissingEnvErr(err) {
return nil, err
@@ -439,19 +434,24 @@ func extractGitParamsFromEnvs() (*Git, error) {
if err = verifyValidApiEndpoint(gitEnvParams.APIEndpoint); err != nil {
return nil, err
}
- // Set the Git provider
+ // [Mandatory] Set the Git provider
if gitEnvParams.GitProvider, err = extractVcsProviderFromEnv(); err != nil {
return nil, err
}
- // Set the git repository owner name (organization)
+ // [Mandatory] Set the git repository owner name (organization)
if err = readParamFromEnv(GitRepoOwnerEnv, &gitEnvParams.RepoOwner); err != nil {
return nil, err
}
- // Set the access token to the git provider
+ // [Mandatory] Set the access token to the git provider
if err = readParamFromEnv(GitTokenEnv, &gitEnvParams.Token); err != nil {
return nil, err
}
+ // [Mandatory] Set the repository name
+ if err = readParamFromEnv(GitRepoEnv, &gitEnvParams.RepoName); err != nil {
+ return nil, err
+ }
+
// Set Bitbucket Server username
// Mandatory only for Bitbucket Server, this authentication detail is required for performing git operations.
if err = readParamFromEnv(GitUsernameEnv, &gitEnvParams.Username); err != nil && !e.IsMissingEnvErr(err) {
@@ -488,6 +488,21 @@ func verifyValidApiEndpoint(apiEndpoint string) error {
return nil
}
+func readArrayParamFromEnv(envKey, delimiter string) ([]string, error) {
+ var envValue string
+ var err error
+ e := &ErrMissingEnv{}
+ if err = readParamFromEnv(envKey, &envValue); err != nil && !e.IsMissingEnvErr(err) {
+ return nil, err
+ }
+ if envValue == "" {
+ return nil, &ErrMissingEnv{VariableName: envKey}
+ }
+ // Remove spaces if exists
+ envValue = strings.ReplaceAll(envValue, " ", "")
+ return strings.Split(envValue, delimiter), nil
+}
+
func readParamFromEnv(envKey string, paramValue *string) error {
*paramValue = getTrimmedEnv(envKey)
if *paramValue == "" {
@@ -550,7 +565,7 @@ func ReadConfigFromFileSystem(configRelativePath string) (configFileContent []by
}
log.Debug(FrogbotConfigFile, "found in", fullConfigDirPath)
- configFileContent, err = os.ReadFile(fullConfigDirPath)
+ configFileContent, err = os.ReadFile(filepath.Clean(fullConfigDirPath))
if err != nil {
err = fmt.Errorf("an error occurd while reading the %s file at: %s\n%s", FrogbotConfigFile, configRelativePath, err.Error())
}
diff --git a/utils/params_test.go b/utils/params_test.go
index 74b4df157..8fdf862f8 100644
--- a/utils/params_test.go
+++ b/utils/params_test.go
@@ -143,6 +143,10 @@ func TestExtractClientInfo(t *testing.T) {
SetEnvAndAssert(t, map[string]string{GitRepoOwnerEnv: "jfrog"})
_, err = extractGitParamsFromEnvs()
assert.EqualError(t, err, "'JF_GIT_TOKEN' environment variable is missing")
+
+ SetEnvAndAssert(t, map[string]string{GitTokenEnv: "token"})
+ _, err = extractGitParamsFromEnvs()
+ assert.EqualError(t, err, "'JF_GIT_REPO' environment variable is missing")
}
func TestExtractAndAssertRepoParams(t *testing.T) {
@@ -161,6 +165,7 @@ func TestExtractAndAssertRepoParams(t *testing.T) {
GitEmailAuthorEnv: "myemail@jfrog.com",
MinSeverityEnv: "high",
FixableOnlyEnv: "true",
+ AllowedLicensesEnv: "MIT, Apache-2.0, ISC",
})
defer func() {
assert.NoError(t, SanitizeEnv())
@@ -191,6 +196,7 @@ func TestExtractAndAssertRepoParams(t *testing.T) {
assert.Equal(t, true, repo.AggregateFixes)
assert.Equal(t, "myemail@jfrog.com", repo.EmailAuthor)
assert.ElementsMatch(t, []string{"watch-2", "watch-1"}, repo.Watches)
+ assert.ElementsMatch(t, []string{"MIT", "ISC", "Apache-2.0"}, repo.AllowedLicenses)
for _, project := range repo.Projects {
testExtractAndAssertProjectParams(t, project)
}
@@ -224,6 +230,7 @@ func TestBuildRepoAggregatorWithEmptyScan(t *testing.T) {
assert.False(t, scan.IncludeAllVulnerabilities)
assert.False(t, scan.FixableOnly)
assert.Empty(t, scan.MinSeverity)
+ assert.Empty(t, scan.AllowedLicenses)
assert.True(t, *scan.FailOnSecurityIssues)
assert.Len(t, scan.Projects, 1)
project := scan.Projects[0]
@@ -337,6 +344,7 @@ func TestGenerateConfigAggregatorFromEnv(t *testing.T) {
FailOnSecurityIssuesEnv: "false",
MinSeverityEnv: "medium",
FixableOnlyEnv: "true",
+ AllowedLicensesEnv: "MIT, Apache-2.0",
GitPullRequestIDEnv: "0",
})
defer func() {
@@ -367,6 +375,7 @@ func TestGenerateConfigAggregatorFromEnv(t *testing.T) {
assert.Equal(t, false, *repo.FailOnSecurityIssues)
assert.Equal(t, "Medium", repo.MinSeverity)
assert.Equal(t, true, repo.FixableOnly)
+ assert.ElementsMatch(t, []string{"MIT", "Apache-2.0"}, repo.AllowedLicenses)
assert.Equal(t, gitParams.RepoOwner, repo.RepoOwner)
assert.Equal(t, gitParams.Token, repo.Token)
assert.Equal(t, gitParams.APIEndpoint, repo.APIEndpoint)
@@ -521,6 +530,7 @@ func TestBuildMergedRepoAggregator(t *testing.T) {
assert.Equal(t, "commit-msg", repo.CommitMessageTemplate)
assert.Equal(t, "proj", repo.JFrogProjectKey)
assert.Equal(t, "myPullRequests", repo.PullRequestTitleTemplate)
+ assert.ElementsMatch(t, []string{"ISC", "MIT"}, repo.AllowedLicenses)
assert.ElementsMatch(t, []string{"watch-1", "watch-2"}, repo.Watches)
project := repo.Projects[0]
assert.ElementsMatch(t, []string{"a/b"}, project.WorkingDirs)
diff --git a/utils/reviewcomment.go b/utils/reviewcomment.go
index 92209765a..76c3df852 100644
--- a/utils/reviewcomment.go
+++ b/utils/reviewcomment.go
@@ -28,7 +28,7 @@ const (
CommentId = "FrogbotReviewComment"
)
-func AddReviewComments(repo *Repository, pullRequestID int, client vcsclient.VcsClient, vulnerabilitiesRows []formats.VulnerabilityOrViolationRow, iacIssues, sastIssues []formats.SourceCodeRow) (err error) {
+func AddReviewComments(repo *Repository, pullRequestID int, client vcsclient.VcsClient, issues *IssuesCollection) (err error) {
if err = deleteOldReviewComments(repo, pullRequestID, client); err != nil {
err = errors.New("couldn't delete pull request review comment: " + err.Error())
return
@@ -37,7 +37,7 @@ func AddReviewComments(repo *Repository, pullRequestID int, client vcsclient.Vcs
err = errors.New("couldn't delete pull request comment: " + err.Error())
return
}
- commentsToAdd := getNewReviewComments(repo, vulnerabilitiesRows, iacIssues, sastIssues)
+ commentsToAdd := getNewReviewComments(repo, issues)
if len(commentsToAdd) == 0 {
return
}
@@ -106,10 +106,10 @@ func getRegularCommentContent(comment ReviewComment) string {
return content + outputwriter.GetLocationDescription(comment.Location) + comment.CommentInfo.Content
}
-func getNewReviewComments(repo *Repository, vulnerabilitiesRows []formats.VulnerabilityOrViolationRow, iacIssues, sastIssues []formats.SourceCodeRow) (commentsToAdd []ReviewComment) {
+func getNewReviewComments(repo *Repository, issues *IssuesCollection) (commentsToAdd []ReviewComment) {
writer := repo.OutputWriter
- for _, vulnerability := range vulnerabilitiesRows {
+ for _, vulnerability := range issues.Vulnerabilities {
for _, cve := range vulnerability.Cves {
if cve.Applicability != nil {
for _, evidence := range cve.Applicability.Evidence {
@@ -118,11 +118,11 @@ func getNewReviewComments(repo *Repository, vulnerabilitiesRows []formats.Vulner
}
}
}
- for _, iac := range iacIssues {
+ for _, iac := range issues.Iacs {
commentsToAdd = append(commentsToAdd, generateReviewComment(IacComment, iac.Location, generateReviewCommentContent(IacComment, iac, writer)))
}
- for _, sast := range sastIssues {
+ for _, sast := range issues.Sast {
commentsToAdd = append(commentsToAdd, generateReviewComment(SastComment, sast.Location, generateReviewCommentContent(SastComment, sast, writer)))
}
return
diff --git a/utils/scandetails.go b/utils/scandetails.go
index 0026b8e26..3b66d7267 100644
--- a/utils/scandetails.go
+++ b/utils/scandetails.go
@@ -46,8 +46,8 @@ func (sc *ScanDetails) SetProject(project *Project) *ScanDetails {
return sc
}
-func (sc *ScanDetails) SetXrayGraphScanParams(watches []string, jfrogProjectKey string) *ScanDetails {
- sc.XrayGraphScanParams = createXrayScanParams(watches, jfrogProjectKey)
+func (sc *ScanDetails) SetXrayGraphScanParams(watches []string, jfrogProjectKey string, includeLicenses bool) *ScanDetails {
+ sc.XrayGraphScanParams = createXrayScanParams(watches, jfrogProjectKey, includeLicenses)
return sc
}
@@ -96,10 +96,10 @@ func (sc *ScanDetails) SetRepoName(repoName string) *ScanDetails {
return sc
}
-func createXrayScanParams(watches []string, project string) (params *services.XrayGraphScanParams) {
+func createXrayScanParams(watches []string, project string, includeLicenses bool) (params *services.XrayGraphScanParams) {
params = &services.XrayGraphScanParams{
ScanType: services.Dependency,
- IncludeLicenses: false,
+ IncludeLicenses: includeLicenses,
}
if len(watches) > 0 {
params.Watches = watches
@@ -109,7 +109,6 @@ func createXrayScanParams(watches []string, project string) (params *services.Xr
params.ProjectKey = project
return
}
- // No context was supplied. We therefore request from Xray to return all known vulnerabilities.
params.IncludeVulnerabilities = true
return
}
@@ -153,7 +152,10 @@ func (sc *ScanDetails) runInstallIfNeeded(workDir string) (err error) {
log.Info(fmt.Sprintf("Executing '%s %s' at %s", sc.InstallCommandName, strings.Join(sc.InstallCommandArgs, " "), workDir))
output, err := sc.runInstallCommand()
if err != nil && !sc.FailOnInstallationErrors() {
- log.Info(installationCmdFailedErr, err.Error(), "\n", string(output))
+ log.Info(installationCmdFailedErr, err.Error())
+ if len(output) > 0 {
+ log.Info(string(output))
+ }
// failOnInstallationErrors set to 'false'
err = nil
}
diff --git a/utils/scandetails_test.go b/utils/scandetails_test.go
index 8810a3196..6dcaf2826 100644
--- a/utils/scandetails_test.go
+++ b/utils/scandetails_test.go
@@ -10,25 +10,25 @@ import (
func TestCreateXrayScanParams(t *testing.T) {
// Project
scanDetails := &ScanDetails{}
- scanDetails.SetXrayGraphScanParams(nil, "")
+ scanDetails.SetXrayGraphScanParams(nil, "", false)
assert.Empty(t, scanDetails.Watches)
assert.Equal(t, "", scanDetails.ProjectKey)
assert.True(t, scanDetails.IncludeVulnerabilities)
assert.False(t, scanDetails.IncludeLicenses)
// Watches
- scanDetails.SetXrayGraphScanParams([]string{"watch-1", "watch-2"}, "")
+ scanDetails.SetXrayGraphScanParams([]string{"watch-1", "watch-2"}, "", false)
assert.Equal(t, []string{"watch-1", "watch-2"}, scanDetails.Watches)
assert.Equal(t, "", scanDetails.ProjectKey)
assert.False(t, scanDetails.IncludeVulnerabilities)
assert.False(t, scanDetails.IncludeLicenses)
// Project
- scanDetails.SetXrayGraphScanParams(nil, "project")
+ scanDetails.SetXrayGraphScanParams(nil, "project", true)
assert.Empty(t, scanDetails.Watches)
assert.Equal(t, "project", scanDetails.ProjectKey)
assert.False(t, scanDetails.IncludeVulnerabilities)
- assert.False(t, scanDetails.IncludeLicenses)
+ assert.True(t, scanDetails.IncludeLicenses)
}
func TestRunInstallIfNeeded(t *testing.T) {
diff --git a/utils/testsutils.go b/utils/testsutils.go
index 2fe2a8822..6b3740caf 100644
--- a/utils/testsutils.go
+++ b/utils/testsutils.go
@@ -6,8 +6,10 @@ import (
goGitConfig "github.com/go-git/go-git/v5/config"
"github.com/go-git/go-git/v5/plumbing/object"
biutils "github.com/jfrog/build-info-go/utils"
+ "github.com/jfrog/gofrog/datastructures"
"github.com/jfrog/jfrog-cli-core/v2/utils/config"
"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
+ "github.com/owenrumney/go-sarif/v2/sarif"
"os"
"path/filepath"
"strings"
@@ -105,3 +107,40 @@ func CreateDotGitWithCommit(t *testing.T, wd, port string, repositoriesPath ...s
assert.NoError(t, err)
}
}
+
+func GetRunWithDummyResults(results ...*sarif.Result) *sarif.Run {
+ run := sarif.NewRunWithInformationURI("", "")
+ ids := datastructures.MakeSet[string]()
+ for _, result := range results {
+ if !ids.Exists(*result.RuleID) {
+ run.Tool.Driver.Rules = append(run.Tool.Driver.Rules, sarif.NewRule(*result.RuleID))
+ ids.Add(*result.RuleID)
+ }
+ }
+ return run.WithResults(results)
+}
+
+func GetDummyPassingResult(ruleId string) *sarif.Result {
+ kind := "pass"
+ return &sarif.Result{
+ Kind: &kind,
+ RuleID: &ruleId,
+ }
+}
+
+func GetDummyResultWithOneLocation(fileName string, startLine, startCol int, snippet, ruleId string, level string) *sarif.Result {
+ return &sarif.Result{
+ Locations: []*sarif.Location{
+ {
+ PhysicalLocation: &sarif.PhysicalLocation{
+ ArtifactLocation: &sarif.ArtifactLocation{URI: &fileName},
+ Region: &sarif.Region{
+ StartLine: &startLine,
+ StartColumn: &startCol,
+ Snippet: &sarif.ArtifactContent{Text: &snippet}}},
+ },
+ },
+ Level: &level,
+ RuleID: &ruleId,
+ }
+}
diff --git a/utils/utils.go b/utils/utils.go
index a2b146213..0ee939155 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -198,7 +198,7 @@ func VulnerabilityDetailsToMD5Hash(vulnerabilities ...formats.VulnerabilityOrVio
hash := crypto.MD5.New()
var keys []string
for _, vuln := range vulnerabilities {
- keys = append(keys, GetUniqueID(vuln))
+ keys = append(keys, GetVulnerabiltiesUniqueID(vuln))
}
sort.Strings(keys)
for key, value := range keys {
@@ -347,7 +347,7 @@ func BuildServerConfigFile(server *config.ServerDetails) (previousJFrogHomeDir,
return
}
-func GetUniqueID(vulnerability formats.VulnerabilityOrViolationRow) string {
+func GetVulnerabiltiesUniqueID(vulnerability formats.VulnerabilityOrViolationRow) string {
return xrayutils.GetUniqueKey(
vulnerability.ImpactedDependencyName,
vulnerability.ImpactedDependencyVersion,
@@ -366,3 +366,76 @@ func GetSortedPullRequestComments(client vcsclient.VcsClient, repoOwner, repoNam
})
return pullRequestsComments, nil
}
+
+func ConvertSarifPathsToRelative(issues *IssuesCollection, workingDirs ...string) {
+ convertSarifPathsInCveApplicability(issues.Vulnerabilities, workingDirs...)
+ convertSarifPathsInIacs(issues.Iacs, workingDirs...)
+ convertSarifPathsInSecrets(issues.Secrets, workingDirs...)
+ convertSarifPathsInSast(issues.Sast, workingDirs...)
+}
+
+func convertSarifPathsInCveApplicability(vulnerabilities []formats.VulnerabilityOrViolationRow, workingDirs ...string) {
+ for _, row := range vulnerabilities {
+ for _, cve := range row.Cves {
+ if cve.Applicability != nil {
+ for i := range cve.Applicability.Evidence {
+ for _, wd := range workingDirs {
+ cve.Applicability.Evidence[i].File = xrayutils.ExtractRelativePath(cve.Applicability.Evidence[i].File, wd)
+ }
+ }
+ }
+ }
+ }
+}
+
+func convertSarifPathsInIacs(iacs []formats.SourceCodeRow, workingDirs ...string) {
+ for i := range iacs {
+ iac := &iacs[i]
+ for _, wd := range workingDirs {
+ iac.Location.File = xrayutils.ExtractRelativePath(iac.Location.File, wd)
+ }
+ }
+}
+
+func convertSarifPathsInSecrets(secrets []formats.SourceCodeRow, workingDirs ...string) {
+ for i := range secrets {
+ secret := &secrets[i]
+ for _, wd := range workingDirs {
+ secret.Location.File = xrayutils.ExtractRelativePath(secret.Location.File, wd)
+ }
+ }
+}
+
+func convertSarifPathsInSast(sast []formats.SourceCodeRow, workingDirs ...string) {
+ for i := range sast {
+ sastIssue := &sast[i]
+ for _, wd := range workingDirs {
+ sastIssue.Location.File = xrayutils.ExtractRelativePath(sastIssue.Location.File, wd)
+ for f := range sastIssue.CodeFlow {
+ for l := range sastIssue.CodeFlow[f] {
+ sastIssue.CodeFlow[f][l].File = xrayutils.ExtractRelativePath(sastIssue.CodeFlow[f][l].File, wd)
+ }
+ }
+ }
+ }
+}
+
+// Normalizes whitespace in text, ensuring that words are separated by a single space, and any extra whitespace is removed.
+func normalizeWhitespaces(text string) string {
+ return strings.Join(strings.Fields(text), " ")
+}
+
+// Converts Technology array into a string with a separator.
+func techArrayToString(techsArray []coreutils.Technology, separator string) (result string) {
+ if len(techsArray) == 0 {
+ return ""
+ }
+ if len(techsArray) < 2 {
+ return techsArray[0].ToFormal()
+ }
+ var techString []string
+ for _, tech := range techsArray {
+ techString = append(techString, tech.ToFormal())
+ }
+ return strings.Join(techString, separator)
+}
diff --git a/utils/utils_test.go b/utils/utils_test.go
index a647b06b1..f9c075743 100644
--- a/utils/utils_test.go
+++ b/utils/utils_test.go
@@ -113,23 +113,23 @@ func TestFixVersionsMapToMd5Hash(t *testing.T) {
}{
{
vulnerabilities: []*VulnerabilityDetails{
- {SuggestedFixedVersion: "1.2.3", VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{ImpactedDependencyName: "pkg", Technology: coreutils.Npm}, IsDirectDependency: false}},
+ {SuggestedFixedVersion: "1.2.3", VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ImpactedDependencyName: "pkg"}, Technology: coreutils.Npm}, IsDirectDependency: false}},
expectedHash: "5ce60f326e1d1e329b74e3310b34c969",
}, {
vulnerabilities: []*VulnerabilityDetails{
- {SuggestedFixedVersion: "5.2.3", VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{ImpactedDependencyName: "pkg", Technology: coreutils.Go}, IsDirectDependency: false},
- {SuggestedFixedVersion: "1.2.3", VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{ImpactedDependencyName: "pkg2", Technology: coreutils.Go}, IsDirectDependency: false}},
+ {SuggestedFixedVersion: "5.2.3", VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ImpactedDependencyName: "pkg"}, Technology: coreutils.Go}, IsDirectDependency: false},
+ {SuggestedFixedVersion: "1.2.3", VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ImpactedDependencyName: "pkg2"}, Technology: coreutils.Go}, IsDirectDependency: false}},
expectedHash: "bf6e3f3204b8df46400785c60e9ff4c9",
},
{
// The Same map with different order should be the same hash.
vulnerabilities: []*VulnerabilityDetails{
- {SuggestedFixedVersion: "1.2.3", VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{ImpactedDependencyName: "pkg2", Technology: coreutils.Go}, IsDirectDependency: false},
- {SuggestedFixedVersion: "5.2.3", VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{ImpactedDependencyName: "pkg", Technology: coreutils.Go}, IsDirectDependency: false}},
+ {SuggestedFixedVersion: "1.2.3", VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ImpactedDependencyName: "pkg2"}, Technology: coreutils.Go}, IsDirectDependency: false},
+ {SuggestedFixedVersion: "5.2.3", VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ImpactedDependencyName: "pkg"}, Technology: coreutils.Go}, IsDirectDependency: false}},
expectedHash: "bf6e3f3204b8df46400785c60e9ff4c9",
}, {
vulnerabilities: []*VulnerabilityDetails{
- {SuggestedFixedVersion: "0.2.33", VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{ImpactedDependencyName: "myNuget", Technology: coreutils.Nuget}, IsDirectDependency: false}},
+ {SuggestedFixedVersion: "0.2.33", VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ImpactedDependencyName: "myNuget"}, Technology: coreutils.Nuget}, IsDirectDependency: false}},
expectedHash: "ee2d3be06ca4fe53f6ab769e06d74702",
},
}
@@ -324,3 +324,51 @@ func TestExtractVunerabilitiesDetailsToRows(t *testing.T) {
})
}
}
+
+func TestNormalizeWhiteSpace(t *testing.T) {
+ testCases := []struct {
+ input string
+ expected string
+ }{
+ {input: "hello world", expected: "hello world"},
+ {input: "hello world", expected: "hello world"},
+ {input: " hello world", expected: "hello world"},
+ {input: " hello world ", expected: "hello world"},
+ {input: " hello world a ", expected: "hello world a"},
+ }
+ for _, tc := range testCases {
+ t.Run(tc.expected, func(t *testing.T) {
+ output := normalizeWhitespaces(tc.input)
+ assert.Equal(t, tc.expected, output)
+ })
+ }
+}
+
+func TestTechArrayToString(t *testing.T) {
+ testCases := []struct {
+ techArray []coreutils.Technology
+ separator string
+ expected string
+ }{{
+ techArray: []coreutils.Technology{coreutils.Maven, coreutils.Go},
+ separator: fixBranchTechSeparator, expected: "Maven-Go",
+ }, {
+ techArray: []coreutils.Technology{coreutils.Go},
+ separator: fixBranchTechSeparator, expected: "Go",
+ }, {
+ techArray: []coreutils.Technology{coreutils.Go},
+ separator: pullRequestTitleTechSeparator, expected: "Go",
+ }, {
+ techArray: []coreutils.Technology{coreutils.Go, coreutils.Pip, coreutils.Npm},
+ separator: pullRequestTitleTechSeparator, expected: "Go,Pip,npm",
+ }, {
+ techArray: []coreutils.Technology{coreutils.Go, coreutils.Pip, coreutils.Npm},
+ separator: fixBranchTechSeparator, expected: "Go-Pip-npm",
+ }}
+ for _, tc := range testCases {
+ t.Run(tc.expected, func(t *testing.T) {
+ output := techArrayToString(tc.techArray, tc.separator)
+ assert.Equal(t, tc.expected, output)
+ })
+ }
+}