AppTrust: Forward ApplicationKey through audit params to AnalyzerManager

commands/audit/audit.go

@@ -105,11 +105,12 @@ func (auditCmd *AuditCommand) SetThreads(threads int) *AuditCommand {
 }
 
 // Create a results context based on the provided parameters. resolves conflicts between the parameters based on the retrieved platform watches.
-func CreateAuditResultsContext(serverDetails *config.ServerDetails, xrayVersion string, watches []string, artifactoryRepoPath, projectKey, gitRepoHttpsCloneUrl string, includeVulnerabilities, includeLicenses, includeSbom bool) (context results.ResultContext) {
+func CreateAuditResultsContext(serverDetails *config.ServerDetails, xrayVersion string, watches []string, artifactoryRepoPath, projectKey, gitRepoHttpsCloneUrl, applicationKey string, includeVulnerabilities, includeLicenses, includeSbom bool) (context results.ResultContext) {
 	context = results.ResultContext{
 		RepoPath:               artifactoryRepoPath,
 		Watches:                watches,
 		ProjectKey:             projectKey,
+		ApplicationKey:         applicationKey,
 		IncludeVulnerabilities: shouldIncludeVulnerabilities(includeVulnerabilities, watches, artifactoryRepoPath, projectKey, ""),
 		IncludeLicenses:        includeLicenses,
 		IncludeSbom:            includeSbom,
@@ -183,6 +184,8 @@ func (auditCmd *AuditCommand) Run() (err error) {
 			auditCmd.targetRepoPath,
 			auditCmd.projectKey,
 			auditCmd.gitRepoHttpsCloneUrl,
+			// AppTrust is currently not supported in Audit command, therefore we pass an empty applicationKey
+			"",
 			auditCmd.IncludeVulnerabilities,
 			auditCmd.IncludeLicenses,
 			auditCmd.IncludeSbom,
@@ -496,6 +499,7 @@ func addJasScansToRunner(auditParallelRunner *utils.SecurityParallelRunner, audi
 				auditParams.GetMultiScanId(),
 				utils.GetGitRepoUrlKey(auditParams.resultsContext.GitRepoHttpsCloneUrl),
 				auditParams.resultsContext.ProjectKey,
+				auditParams.resultsContext.ApplicationKey,
 				auditParams.resultsContext.Watches,
 				scanResults.GetTechnologies()...,
 			),

commands/audit/audit_test.go

@@ -834,6 +834,7 @@ func TestCreateResultsContext(t *testing.T) {
 	mockWatches := []string{"watch-1", "watch-2"}
 	mockProjectKey := "project"
 	mockArtifactoryRepoPath := "repo/path"
+	mockApplicationKey := "app-key"
 
 	tests := []struct {
 		name                    string
@@ -867,6 +868,7 @@ func TestCreateResultsContext(t *testing.T) {
 			httpCloneUrl           string
 			watches                []string
 			jfrogProjectKey        string
+			jfrogApplicationKey    string
 			includeVulnerabilities bool
 			includeLicenses        bool
 			includeSbom            bool
@@ -875,6 +877,7 @@ func TestCreateResultsContext(t *testing.T) {
 			expectedHttpCloneUrl           string
 			expectedWatches                []string
 			expectedJfrogProjectKey        string
+			expectedJfrogApplicationKey    string
 			expectedIncludeVulnerabilities bool
 			expectedIncludeLicenses        bool
 			expectedIncludeSbom            bool
@@ -905,6 +908,12 @@ func TestCreateResultsContext(t *testing.T) {
 				includeLicenses:         true,
 				expectedIncludeLicenses: true,
 			},
+			{
+				name:                           "Application Key",
+				jfrogApplicationKey:            mockApplicationKey,
+				expectedJfrogApplicationKey:    mockApplicationKey,
+				expectedIncludeVulnerabilities: true,
+			},
 			{
 				name:                           "Git Clone Url",
 				httpCloneUrl:                   validations.TestMockGitInfo.Source.GitRepoHttpsCloneUrl,
@@ -916,13 +925,15 @@ func TestCreateResultsContext(t *testing.T) {
 				httpCloneUrl:           validations.TestMockGitInfo.Source.GitRepoHttpsCloneUrl,
 				watches:                mockWatches,
 				jfrogProjectKey:        mockProjectKey,
+				jfrogApplicationKey:    mockApplicationKey,
 				includeVulnerabilities: true,
 				includeLicenses:        true,
 				includeSbom:            true,
 
 				expectedHttpCloneUrl:           testCaseExpectedGitRepoHttpsCloneUrl,
 				expectedWatches:                mockWatches,
 				expectedJfrogProjectKey:        mockProjectKey,
+				expectedJfrogApplicationKey:    mockApplicationKey,
 				expectedIncludeVulnerabilities: true,
 				expectedIncludeLicenses:        true,
 				expectedIncludeSbom:            true,
@@ -932,11 +943,12 @@ func TestCreateResultsContext(t *testing.T) {
 			t.Run(fmt.Sprintf("%s - %s", test.name, testCase.name), func(t *testing.T) {
 				mockServer, serverDetails, _ := validations.XrayServer(t, validations.MockServerParams{XrayVersion: test.xrayVersion, ReturnMockPlatformWatches: test.expectedPlatformWatches})
 				defer mockServer.Close()
-				context := CreateAuditResultsContext(serverDetails, test.xrayVersion, testCase.watches, testCase.artifactoryRepoPath, testCase.jfrogProjectKey, testCase.httpCloneUrl, testCase.includeVulnerabilities, testCase.includeLicenses, testCase.includeSbom)
+				context := CreateAuditResultsContext(serverDetails, test.xrayVersion, testCase.watches, testCase.artifactoryRepoPath, testCase.jfrogProjectKey, testCase.httpCloneUrl, testCase.jfrogApplicationKey, testCase.includeVulnerabilities, testCase.includeLicenses, testCase.includeSbom)
 				assert.Equal(t, testCase.expectedArtifactoryRepoPath, context.RepoPath)
 				assert.Equal(t, testCase.expectedHttpCloneUrl, context.GitRepoHttpsCloneUrl)
 				assert.Equal(t, testCase.expectedWatches, context.Watches)
 				assert.Equal(t, testCase.expectedJfrogProjectKey, context.ProjectKey)
+				assert.Equal(t, testCase.expectedJfrogApplicationKey, context.ApplicationKey)
 				assert.Equal(t, testCase.expectedIncludeVulnerabilities, context.IncludeVulnerabilities)
 				assert.Equal(t, testCase.expectedIncludeLicenses, context.IncludeLicenses)
 				assert.Equal(t, testCase.expectedIncludeSbom, context.IncludeSbom)

commands/git/audit/gitaudit.go

@@ -84,6 +84,8 @@ func toAuditParams(params GitAuditParams) *sourceAudit.AuditParams {
 		params.resultsContext.RepoPath,
 		params.resultsContext.ProjectKey,
 		params.source.Source.GitRepoHttpsCloneUrl,
+		// AppTrust is currently not supported in Git Audit command, therefore we pass an empty applicationKey
+		"",
 		params.resultsContext.IncludeVulnerabilities,
 		params.resultsContext.IncludeLicenses,
 		false,

commands/scan/scan.go

@@ -522,9 +522,11 @@ func (scanCmd *ScanCommand) RunBinaryJasScans(cmdType utils.CommandType, msi str
 			jas.NotDiffScanEnvValue,
 			jas.GetAnalyzerManagerXscEnvVars(
 				msi,
-				// Passing but empty since not supported for binary scans
-				scanCmd.resultsContext.GitRepoHttpsCloneUrl,
+				// GitRepoHttpsCloneUrl is not relevant for binary scans, therefore we pass an empty value
+				"",
 				scanCmd.resultsContext.ProjectKey,
+				// AppTrust is not supported for binary scans, therefore we pass an empty applicationKey
+				"",
 				scanCmd.resultsContext.Watches,
 				targetResults.GetTechnologies()...,
 			),

jas/analyzermanager.go

@@ -39,6 +39,7 @@ const (
 	watchesEnvVariable                        = "AM_WATCHES"
 	projectEnvVariable                        = "AM_PROJECT_KEY"
 	gitRepoEnvVariable                        = "AM_GIT_REPO_VIOLATIONS"
+	applicationKeyEnvVariable                 = "AM_APPLICATION_KEY"
 	notEntitledExitCode                       = 31
 	unsupportedCommandExitCode                = 13
 	unsupportedOsExitCode                     = 55

jas/common.go

@@ -450,14 +450,17 @@ func CheckForSecretValidation(xrayManager *xray.XrayServicesManager, xrayVersion
 	return err == nil && isEnabled
 }
 
-func GetAnalyzerManagerXscEnvVars(msi string, gitRepoUrl, projectKey string, watches []string, technologies ...techutils.Technology) map[string]string {
+func GetAnalyzerManagerXscEnvVars(msi string, gitRepoUrl, projectKey, applicationKey string, watches []string, technologies ...techutils.Technology) map[string]string {
 	envVars := map[string]string{utils.JfMsiEnvVariable: msi}
 	if gitRepoUrl != "" {
 		envVars[gitRepoEnvVariable] = gitRepoUrl
 	}
 	if projectKey != "" {
 		envVars[projectEnvVariable] = projectKey
 	}
+	if applicationKey != "" {
+		envVars[applicationKeyEnvVariable] = applicationKey
+	}
 	if len(watches) > 0 {
 		envVars[watchesEnvVariable] = strings.Join(watches, ",")
 	}

jas/common_test.go

@@ -416,6 +416,7 @@ func TestGetAnalyzerManagerXscEnvVars(t *testing.T) {
 		msi            string
 		gitRepoUrl     string
 		projectKey     string
+		applicationKey string
 		watches        []string
 		technologies   []techutils.Technology
 		expectedOutput map[string]string
@@ -482,10 +483,24 @@ func TestGetAnalyzerManagerXscEnvVars(t *testing.T) {
 				watchesEnvVariable:          "watch1,watch2",
 			},
 		},
+		{
+			name:           "With Application Key",
+			msi:            "msi",
+			gitRepoUrl:     "gitRepoUrl",
+			applicationKey: "appKey",
+			technologies:   []techutils.Technology{techutils.Npm},
+			expectedOutput: map[string]string{
+				JfPackageManagerEnvVariable: string(techutils.Npm),
+				JfLanguageEnvVariable:       string(techutils.JavaScript),
+				utils.JfMsiEnvVariable:      "msi",
+				gitRepoEnvVariable:          "gitRepoUrl",
+				applicationKeyEnvVariable:   "appKey",
+			},
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			assert.Equal(t, test.expectedOutput, GetAnalyzerManagerXscEnvVars(test.msi, test.gitRepoUrl, test.projectKey, test.watches, test.technologies...))
+			assert.Equal(t, test.expectedOutput, GetAnalyzerManagerXscEnvVars(test.msi, test.gitRepoUrl, test.projectKey, test.applicationKey, test.watches, test.technologies...))
 		})
 	}
 }

jas/runner/jasrunner_test.go

@@ -43,7 +43,7 @@ func TestJasRunner(t *testing.T) {
 	securityParallelRunnerForTest := utils.CreateSecurityParallelRunner(cliutils.Threads)
 	targetResults := results.NewCommandResults(utils.SourceCode).SetEntitledForJas(true).SetSecretValidation(true).NewScanResults(results.ScanTarget{Target: "target", Technology: techutils.Pip})
 
-	jasScanner, err := jas.NewJasScanner(&jas.FakeServerDetails, jas.WithEnvVars(false, jas.NotDiffScanEnvValue, jas.GetAnalyzerManagerXscEnvVars("", "", "", []string{}, targetResults.GetTechnologies()...)))
+	jasScanner, err := jas.NewJasScanner(&jas.FakeServerDetails, jas.WithEnvVars(false, jas.NotDiffScanEnvValue, jas.GetAnalyzerManagerXscEnvVars("", "", "", "", []string{}, targetResults.GetTechnologies()...)))
 	assert.NoError(t, err)
 
 	targetResults.ScaScanResults(0, jas.FakeBasicXrayResults[0])

sca/bom/buildinfo/technologies/conan/conan_test.go

@@ -18,10 +18,10 @@ var expectedResult = &xrayUtils.GraphNode{
 	Nodes: []*xrayUtils.GraphNode{
 		{Id: "conan://zlib:1.3.1"},
 		{Id: "conan://openssl:3.0.9", Nodes: []*xrayUtils.GraphNode{{Id: "conan://zlib:1.3.1"}}},
-		{Id: "conan://meson:1.4.1", Nodes: []*xrayUtils.GraphNode{{Id: "conan://ninja:1.12.1"}}},
+		{Id: "conan://meson:1.4.1", Nodes: []*xrayUtils.GraphNode{{Id: "conan://ninja:1.13.0"}}},
 	},
 }
-var expectedUniqueDeps = []string{"conan://openssl:3.0.9", "conan://zlib:1.3.1", "conan://meson:1.4.1", "conan://ninja:1.12.1"}
+var expectedUniqueDeps = []string{"conan://openssl:3.0.9", "conan://zlib:1.3.1", "conan://meson:1.4.1", "conan://ninja:1.13.0"}
 
 func TestParseConanDependencyTree(t *testing.T) {
 	_, cleanUp := technologies.CreateTestWorkspace(t, filepath.Join("other", "conan"))
@@ -58,7 +58,7 @@ func TestCalculateUniqueDeps(t *testing.T) {
 		"1": {Name: "zlib", Version: "1.3.1"},
 		"2": {Name: "openssl", Version: "3.0.9"},
 		"3": {Name: "meson", Version: "1.4.1"},
-		"4": {Name: "ninja", Version: "1.12.1"},
+		"4": {Name: "ninja", Version: "1.13.0"},
 		"5": {Name: "openssl", Version: "3.0.9"}, // duplicate, should be removed
 	}
 

tests/testdata/other/conan/dependencies.json

@@ -133,7 +133,7 @@
             "visible": true
           },
           "4": {
-            "ref": "ninja/1.12.1",
+            "ref": "ninja/1.13.0",
             "run": true,
             "libs": false,
             "skip": false,
@@ -887,7 +887,7 @@
         "vendor": false,
         "dependencies": {
           "4": {
-            "ref": "ninja/1.12.1",
+            "ref": "ninja/1.13.0",
             "run": true,
             "libs": false,
             "skip": false,
@@ -906,7 +906,7 @@
         "test": false
       },
       "4": {
-        "ref": "ninja/1.12.1#fd583651bf0c6a901943495d49878803",
+        "ref": "ninja/1.13.0#fd583651bf0c6a901943495d49878803",
         "id": "4",
         "recipe": "Downloaded",
         "package_id": "3593751651824fb813502c69c971267624ced41a",
@@ -937,7 +937,7 @@
         "win_bash_run": null,
         "default_options": null,
         "options_description": null,
-        "version": "1.12.1",
+        "version": "1.13.0",
         "topics": [
           "ninja",
           "build"
@@ -993,7 +993,7 @@
           }
         },
         "conf_info": {},
-        "label": "ninja/1.12.1",
+        "label": "ninja/1.13.0",
         "info": {
           "settings": {
             "os": "Linux",
@@ -1012,7 +1012,7 @@
     },
     "overrides": {},
     "resolved_ranges": {
-      "ninja/[>=1.10.2 <2]": "ninja/1.12.1"
+      "ninja/[>=1.10.2 <2]": "ninja/1.13.0"
     },
     "replaced_requires": {},
     "error": null

utils/results/results.go

@@ -55,6 +55,8 @@ type ResultContext struct {
 	ProjectKey string `json:"project_key,omitempty"`
 	// (Resource) If gitRepository is provided we will fetch the watches defined on the git repository.
 	GitRepoHttpsCloneUrl string `json:"git_repo_key,omitempty"`
+	// (Resource) If applicationKey is provided we will fetch the watches defined on the application, and the scans will be performed and presented in the Application context only.
+	ApplicationKey string `json:"application_key,omitempty"`
 	// If non of the above is provided or requested, the results will include vulnerabilities
 	IncludeVulnerabilities bool `json:"include_vulnerabilities"`
 	// If requested, the results will include licenses