Add diff logic and parallel logger support for audit #642
Conversation
…Results) - based on v1.24.2
- Add branchdiff.go with RunBranchDiffAudit function - Scans target branch first, then source branch (sequential) - SCA diff handled internally by CLI - JAS diff handled by CompareJasResults - Add MergeStatusCodes for partial results filtering - Status codes merged (worst of target + source) for frogbot filtering
- Add logger field to AuditBasicParams with getter/setter - RunAudit swaps global logger if custom logger provided - Enables frogbot to capture logs per-scan for ordered output
- Add LogCollector that captures logs in isolated buffer per audit - Enables parallel audits without log interleaving - Uses goroutine-local logger from jfrog-client-go - Propagate logger to child goroutines in JAS runner and SCA scan - Remove unused diff completion log message
utils/results/diff.go
Outdated
| ) | ||
|
|
||
| // UnifyScaAndJasResults merges SCA and JAS diff results into a single SecurityCommandResults. | ||
| func UnifyScaAndJasResults(scaResults, jasDiffResults *SecurityCommandResults) *SecurityCommandResults { |
There was a problem hiding this comment.
myabe needs to be moved to frogbot considering the specific use
and selected parallel audit implementation, your call @attiasas
There was a problem hiding this comment.
Mergeing results could stay here if the logic is adjusted to be more general like MergeCommandResults
eyalk007
added
the
safe to test
github-actions
bot
removed
the
safe to test
attiasas
left a comment
attiasas
left a comment
There was a problem hiding this comment.
Nice work! checkout my comments, also:
- Update the PR description with the changes
- Adjust tests base on changes
| @@ -0,0 +1,41 @@ | |||
| package audit | |||
There was a problem hiding this comment.
maybe this should be at jfrog/jfrog-client-go#1297?
There was a problem hiding this comment.
these are the options
Move LogCollector to client-go - but it's really just a wrapper
Delete LogCollector entirely - Frogbot can use BufferedLogger directly from client-go
or we Keep it as is
|
|
||
| // replace github.com/jfrog/froggit-go => github.com/jfrog/froggit-go master | ||
|
|
||
| replace github.com/jfrog/jfrog-client-go => github.com/eyalk007/jfrog-client-go v0.0.0-20260114112951-67b77f49255f |
There was a problem hiding this comment.
Reminder to remove replace after merging dependend PR
sca/scan/scascan.go
Outdated
| currentLogger := log.GetLogger() | ||
| scaTask := createScaScanTaskWithRunner(params.Runner, strategy, params) | ||
| wrappedScaTask := func(threadId int) error { | ||
| log.SetLoggerForGoroutine(currentLogger) | ||
| defer log.ClearLoggerForGoroutine() | ||
| return scaTask(threadId) | ||
| } |
There was a problem hiding this comment.
why not change in createScaScanTaskWithRunner directly?
I don't get the chnage (looking only here) you call log.GetLogger and setting it for the routine but at the end you clear it? code is not clear why you do it. (looks like you are just setting default log to be default and clear it).
I suggest improving this part or at least adding comment about this
jas/runner/jasrunner.go
Outdated
| func addModuleJasScanTask(scanType jasutils.JasScanType, securityParallelRunner *utils.SecurityParallelRunner, task parallel.TaskFunc, scanResults *results.TargetResults, allowSkippingErrors bool) (generalError error) { | ||
| securityParallelRunner.JasScannersWg.Add(1) | ||
| if _, addTaskErr := securityParallelRunner.Runner.AddTaskWithError(task, func(err error) { | ||
| currentLogger := log.GetLogger() |
There was a problem hiding this comment.
same comment as in scascan.
If this logic is used multiple times (same code), try to create static method to be used in multiple places
utils/results/diff.go
Outdated
| ) | ||
|
|
||
| // UnifyScaAndJasResults merges SCA and JAS diff results into a single SecurityCommandResults. | ||
| func UnifyScaAndJasResults(scaResults, jasDiffResults *SecurityCommandResults) *SecurityCommandResults { |
There was a problem hiding this comment.
Mergeing results could stay here if the logic is adjusted to be more general like MergeCommandResults
|
|
||
| // CompareJasResults computes the diff between target and source JAS results. | ||
| // Returns only NEW findings in source that don't exist in target. | ||
| func CompareJasResults(targetResults, sourceResults *SecurityCommandResults) *SecurityCommandResults { |
There was a problem hiding this comment.
IDK about the func name, it does not compare, it filters Source results that exists at target
| diffResults := &SecurityCommandResults{ | ||
| ResultsMetaData: ResultsMetaData{ | ||
| EntitledForJas: sourceResults.EntitledForJas, | ||
| SecretValidation: sourceResults.SecretValidation, | ||
| CmdType: sourceResults.CmdType, | ||
| XrayVersion: sourceResults.XrayVersion, | ||
| XscVersion: sourceResults.XscVersion, | ||
| MultiScanId: sourceResults.MultiScanId, | ||
| StartTime: sourceResults.StartTime, | ||
| ResultContext: sourceResults.ResultContext, | ||
| }, | ||
| } |
There was a problem hiding this comment.
| diffResults := &SecurityCommandResults{ | |
| ResultsMetaData: ResultsMetaData{ | |
| EntitledForJas: sourceResults.EntitledForJas, | |
| SecretValidation: sourceResults.SecretValidation, | |
| CmdType: sourceResults.CmdType, | |
| XrayVersion: sourceResults.XrayVersion, | |
| XscVersion: sourceResults.XscVersion, | |
| MultiScanId: sourceResults.MultiScanId, | |
| StartTime: sourceResults.StartTime, | |
| ResultContext: sourceResults.ResultContext, | |
| }, | |
| } | |
| diffResults := &SecurityCommandResults{ | |
| ResultsMetaData: sourceResults.ResultsMetaData, | |
| }, | |
| } |
why not just setting the exact same struct (will help to maintain and be sure all attributes are copied). something. is stopping us from doing that?
utils/results/diff.go
Outdated
| func extractLocationsOnly(run *sarif.Run, targetKeys map[string]bool) { | ||
| for _, result := range run.Results { | ||
| for _, location := range result.Locations { | ||
| key := getRelativeLocationFileName(location, run.Invocations) + getLocationSnippetText(location) |
There was a problem hiding this comment.
what about file name changes? it will not catch this...
why are we first filtering only locations and than by fingerprints, can we do it in one go? (reducing go over results multile times)
There was a problem hiding this comment.
For SAST: Uses fingerprints (precise_sink_and_sink_function) which are content-based, so renames don't matter
for secrets and iac -
This is a known limitation - AM doesn't handle file renames either. If you rename a file, existing findings in that file will show as "new" in the diff. This is acceptable
There was a problem hiding this comment.
We can write a todo and create a ticket for it, but i dont believe we should handle it now
2 participants
devbranch.go vet ./....go fmt ./....Depends on: