From 15fe862c4a9e96421ccdef84e1d95851094ee575 Mon Sep 17 00:00:00 2001
From: attiasas
Date: Tue, 23 Dec 2025 10:50:57 +0200
Subject: [PATCH 1/7] Update Analyzer Manager to v1.28.0
---
 jas/analyzermanager.go | 2 +-
 utils/results/common.go | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/jas/analyzermanager.go b/jas/analyzermanager.go
index d93c5ec18..f6ff0fe0e 100644
--- a/jas/analyzermanager.go
+++ b/jas/analyzermanager.go
@@ -23,7 +23,7 @@ import (
 const (
 ApplicabilityFeatureId = "contextual_analysis"
 AnalyzerManagerZipName = "analyzerManager.zip"
- defaultAnalyzerManagerVersion = "1.27.0"
+ defaultAnalyzerManagerVersion = "1.28.0"
 analyzerManagerDownloadPath = "xsc-gen-exe-analyzer-manager-local/v1"
 analyzerManagerDirName = "analyzerManager"
 analyzerManagerExecutableName = "analyzerManager"
diff --git a/utils/results/common.go b/utils/results/common.go
index 6e049b3ca..cea839348 100644
--- a/utils/results/common.go
+++ b/utils/results/common.go
@@ -59,6 +59,11 @@ func ForEachJasIssue(runs []*sarif.Run, entitledForJas bool, handler ParseJasIss
 }
 for _, run := range runs {
 for _, result := range run.Results {
+ if result.Kind == "informational" {
+ // The specified rule was evaluated and produced a purely informational result that does not indicate the presence of a problem
+ log.Verbose(fmt.Sprintf("Skipping informational result with rule id: %s", sarifutils.GetResultRuleId(result)))
+ continue
+ }
 severity, err := severityutils.ParseSeverity(result.Level, true)
 if err != nil {
 return err
From 7aaf8f8b40b1ff8d5b221348c4215faa35daef65 Mon Sep 17 00:00:00 2001
From: attiasas
Date: Thu, 25 Dec 2025 10:10:51 +0200
Subject: [PATCH 2/7] Limit full tree size when converting from BOM
---
 utils/results/common.go | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/utils/results/common.go b/utils/results/common.go
index cea839348..774333d3d 100644
--- a/utils/results/common.go
+++ b/utils/results/common.go
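Review bot: The new guard in ForEachJasIssue compares `result.Kind` against the bare literal `"informational"`, which is only one of the SARIF result kinds that do not indicate a problem — `pass` and `notApplicable` carry the same meaning (and an absent `kind` means `fail`) — so results of those kinds, if the analyzer manager ever emits them, would still fall through to `ParseSeverity` and be reported as issues. Consider widening the check and naming the values rather than inlining a magic string, e.g. `if kind := result.Kind; kind == "informational" || kind == "pass" || kind == "notApplicable" {`. Because the skip is logged only at verbose level, dropped results leave no trace at the default log level; that is probably fine for informational output, but a short note such as `// Skipped results are only visible with verbose logging.` would make the trade-off explicit. ForEachJasIssue's signature and the remainder of its body lie outside this hunk.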
@@ -33,6 +33,9 @@ const (
 DirectDependencyPathLength = 2
 nodeModules = "node_modules"
+ // MaxUniqueAppearances defines the maximum number of times a dependency can appear in a dependency tree.
+ MaxUniqueAppearances = 10
+
 // #LC-LC
 LocationIdTemplate = "%s#L%dC%d-L%dC%d"
 // Applicability properties for cdx
@@ -1029,10 +1032,11 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc
 // No dependencies or components in the SBOM, return an empty slice
 return
 }
+ dependencyAppearances := map[string]int8{}
 for _, rootEntry := range cdxutils.GetRootDependenciesEntries(sbom, false) {
 // Create a new GraphNode with ref as the ID, when populating the tree we need to use the ref as the ID
 currentTree := &xrayUtils.GraphNode{Id: rootEntry.Ref}
- populateDepsNodeDataFromBom(currentTree, sbom.Dependencies)
+ populateDepsNodeDataFromBom(currentTree, sbom.Dependencies, dependencyAppearances)
 fullDependencyTrees = append(fullDependencyTrees, currentTree)
 }
 // Translate refs to Purl/Xray IDs
@@ -1042,9 +1046,10 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc
 return
 }
-func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency) {
- if node == nil || node.NodeHasLoop() {
- // If the node is nil or has a loop, return
+func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency, dependencyAppearances map[string]int8) {
+ dependencyAppearances[node.Id]++
+ if node == nil || dependencyAppearances[node.Id] >= MaxUniqueAppearances || node.NodeHasLoop() {
+ // If the node is nil or has a loop or appeared too many times, stop the recursion
 return
 }
 for _, dep := range cdxutils.GetDirectDependencies(dependencies, node.Id) {
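Review bot: In the new populateDepsNodeDataFromBom, `dependencyAppearances[node.Id]++` executes before the `node == nil` guard on the following line, so a nil node now panics with a nil-pointer dereference where the previous code returned quietly. The cap is also enforced per BomToFullTree call rather than per tree — the map is created once and shared by every root entry — so the `MaxUniqueAppearances` comment ("in a dependency tree") overstates what is guaranteed, and a component reachable from many roots stops being expanded after ten appearances in total. PATCH 3/7 reverts this whole change, so there is nothing left to fix in the series; if the limit is reintroduced, put `if node == nil { return }` first and increment afterwards, and either allocate the map per root entry or reword the constant's comment to say "across the full tree". It is also worth stating in that comment that the capped node itself is still attached to its parent and only its children are no longer expanded, since that is what consumers of the full tree will observe.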
@@ -1052,7 +1057,7 @@ func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cycl
 // Add the dependency to the current node
 node.Nodes = append(node.Nodes, depNode)
 // Recursively populate the node data
- populateDepsNodeDataFromBom(depNode, dependencies)
+ populateDepsNodeDataFromBom(depNode, dependencies, dependencyAppearances)
 }
 }
From 65cbab1781a995a5c55b42c2511e37a32a4b4bbd Mon Sep 17 00:00:00 2001
From: attiasas
Date: Thu, 25 Dec 2025 10:18:30 +0200
Subject: [PATCH 3/7] revert change
---
 utils/results/common.go | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/utils/results/common.go b/utils/results/common.go
index 774333d3d..b7639543c 100644
--- a/utils/results/common.go
+++ b/utils/results/common.go
@@ -33,9 +33,6 @@ const (
 DirectDependencyPathLength = 2
 nodeModules = "node_modules"
- // MaxUniqueAppearances defines the maximum number of times a dependency can appear in a dependency tree.
- MaxUniqueAppearances = 10
-
 // #LC-LC
 LocationIdTemplate = "%s#L%dC%d-L%dC%d"
 // Applicability properties for cdx
@@ -1032,11 +1029,10 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc
 // No dependencies or components in the SBOM, return an empty slice
 return
 }
- dependencyAppearances := map[string]int8{}
 for _, rootEntry := range cdxutils.GetRootDependenciesEntries(sbom, false) {
 // Create a new GraphNode with ref as the ID, when populating the tree we need to use the ref as the ID
 currentTree := &xrayUtils.GraphNode{Id: rootEntry.Ref}
- populateDepsNodeDataFromBom(currentTree, sbom.Dependencies, dependencyAppearances)
+ populateDepsNodeDataFromBom(currentTree, sbom.Dependencies)
 fullDependencyTrees = append(fullDependencyTrees, currentTree)
 }
 // Translate refs to Purl/Xray IDs
@@ -1046,10 +1042,9 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc
 return
 }
-func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency, dependencyAppearances map[string]int8) {
- dependencyAppearances[node.Id]++
- if node == nil || dependencyAppearances[node.Id] >= MaxUniqueAppearances || node.NodeHasLoop() {
- // If the node is nil or has a loop or appeared too many times, stop the recursion
+func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency) {
+ if node == nil || node.NodeHasLoop() {
+ // If the node is nil or has a loop. stop the recursion
 return
 }
 for _, dep := range cdxutils.GetDirectDependencies(dependencies, node.Id) {
@@ -1057,7 +1052,7 @@ func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cycl
 // Add the dependency to the current node
 node.Nodes = append(node.Nodes, depNode)
 // Recursively populate the node data
- populateDepsNodeDataFromBom(depNode, dependencies, dependencyAppearances)
+ populateDepsNodeDataFromBom(depNode, dependencies)
 }
 }
From 26bed4c3c6cc9e819ced4d86060ad1ea94bf647e Mon Sep 17 00:00:00 2001
From: attiasas
Date: Thu, 25 Dec 2025 10:19:15 +0200
Subject: [PATCH 4/7] revert comment
---
 utils/results/common.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/results/common.go b/utils/results/common.go
index b7639543c..cea839348 100644
--- a/utils/results/common.go
+++ b/utils/results/common.go
@@ -1044,7 +1044,7 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc
 func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency) {
 if node == nil || node.NodeHasLoop() {
- // If the node is nil or has a loop. stop the recursion
+ // If the node is nil or has a loop, return
 return
 }
 for _, dep := range cdxutils.GetDirectDependencies(dependencies, node.Id) {
From b763e011ed7fdc66300bd374332b637eaa705145 Mon Sep 17 00:00:00 2001
From: attiasas
Date: Sun, 11 Jan 2026 10:22:11 +0200
Subject: [PATCH 5/7] Update to v1.29.0
---
 jas/analyzermanager.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/jas/analyzermanager.go b/jas/analyzermanager.go
index f6ff0fe0e..2d529bc20 100644
--- a/jas/analyzermanager.go
+++ b/jas/analyzermanager.go
@@ -23,7 +23,7 @@ import (
 const (
 ApplicabilityFeatureId = "contextual_analysis"
 AnalyzerManagerZipName = "analyzerManager.zip"
- defaultAnalyzerManagerVersion = "1.28.0"
+ defaultAnalyzerManagerVersion = "1.29.0"
 analyzerManagerDownloadPath = "xsc-gen-exe-analyzer-manager-local/v1"
 analyzerManagerDirName = "analyzerManager"
 analyzerManagerExecutableName = "analyzerManager"
From 78b49f692e60204ea1fda3fa6a3575f70f6696b0 Mon Sep 17 00:00:00 2001
From: attiasas
Date: Sun, 11 Jan 2026 11:57:27 +0200
Subject: [PATCH 6/7] fix unrelated tests
---
 git_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/git_test.go b/git_test.go
index b8033ae47..1917935ec 100644
--- a/git_test.go
+++ b/git_test.go
@@ -290,8 +290,8 @@ func TestGitAuditJasSkipNotApplicableCvesViolations(t *testing.T) {
 xrayVersion, xscVersion, "",
 validations.ValidationParams{
 Violations: &validations.ViolationCount{
- ValidateScan: &validations.ScanCount{Sca: 6, Sast: 2, Secrets: 2},
- ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 6, Inactive: 2},
+ ValidateScan: &validations.ScanCount{Sca: 5, Sast: 2, Secrets: 2},
+ ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 5, Inactive: 2},
 },
 ExactResultsMatch: true,
 },
From 012ad9a9c609ddd4efaf32bfbd25b2bb00116a3a Mon Sep 17 00:00:00 2001
From: attiasas
Date: Sun, 18 Jan 2026 13:42:58 +0200
Subject: [PATCH 7/7] add git audit vulns to validate violation issue if occur
---
 git_test.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
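Review bot: The expected SCA violation count on the `ValidateScan` line drops from 6 to 5 (and `NotCovered` from 6 to 5) under `ExactResultsMatch: true`, while the commit message calls the tests "unrelated" and nothing in the hunk records which finding disappeared. Since this series also starts skipping `informational` SARIF results and moves to a newer analyzer manager, a reader cannot tell from here whether the missing result is an informational one, an applicability-status change, or a genuine detection loss — and lowering an exact expectation is exactly how such a regression gets baked into the suite. Add a one-line justification on the changed lines, e.g. `// Sca 6 -> 5: <finding> is no longer reported as of analyzer manager 1.29.0`, or reference the upstream change. The enclosing test function begins outside this hunk.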
diff --git a/git_test.go b/git_test.go
index a118d1ff6..1820c65c0 100644
--- a/git_test.go
+++ b/git_test.go
@@ -204,6 +204,7 @@ func TestGitAuditViolationsWithIgnoreRule(t *testing.T) {
 }
 func TestGitAuditJasViolationsProjectKeySimpleJson(t *testing.T) {
+
 xrayVersion, xscVersion, testCleanUp := integration.InitGitTest(t, services.MinXrayVersionGitRepoKey)
 defer testCleanUp()
@@ -220,10 +221,12 @@ func TestGitAuditJasViolationsProjectKeySimpleJson(t *testing.T) {
 // Run the audit command with git repo and verify violations are reported to the platform.
 createTestProjectRunGitAuditAndValidate(t,
 filepath.Join(filepath.FromSlash(securityTests.GetTestResourcesPath()), "git", "projects", "issues"),
- gitAuditCommandTestParams{auditCommandTestParams: auditCommandTestParams{Format: format.SimpleJson, ProjectKey: *securityTests.JfrogTestProjectKey}},
+ gitAuditCommandTestParams{auditCommandTestParams: auditCommandTestParams{Format: format.SimpleJson, ProjectKey: *securityTests.JfrogTestProjectKey, WithVuln: true}},
 xrayVersion, xscVersion, policy.NewFailBuildError().Error(),
 validations.ValidationParams{
- Total: &validations.TotalCount{Violations: 12},
+ Total: &validations.TotalCount{Vulnerabilities: 12, Violations: 12},
+ // Validate we have vulnerabilities for each scan type (to make sure if violations are issue when fail or not related and issue from other places before)
+ Vulnerabilities: &validations.VulnerabilityCount{ValidateScan: &validations.ScanCount{Sca: 1, Sast: 1, Secrets: 1}},
 // Check that we have at least one violation for each scan type. (IAC is not supported yet)
 Violations: &validations.ViolationCount{ValidateScan: &validations.ScanCount{Sca: 1, Sast: 1, Secrets: 1}},
 },
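Review bot: The comment above the new `Vulnerabilities:` expectation ("to make sure if violations are issue when fail or not related and issue from other places before") is hard to parse and will not help whoever next sees this test fail. Suggested wording: `// Also expect at least one vulnerability per scan type, so a missing violation can be told apart from a scanner that produced no results at all.` — if `ValidateScan` is an exact rather than a minimum check, write "exactly one" instead, since the visible lines do not show which. The earlier hunk in this file also leaves an empty line directly after the `TestGitAuditJasViolationsProjectKeySimpleJson` signature, which looks accidental. The `createTestProjectRunGitAuditAndValidate` call and the test body continue past the end of this hunk.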