@attiasas attiasas commented Aug 26, 2025

  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./...
  • The code has been formatted properly using go fmt ./...
  • All static analysis checks passed.
  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • Updated the Contributing page / ReadMe page / CI Workflow files if needed.
  • All changes are detailed in the description. If not already covered in the JFrog Documentation, new documentation has been added.

Depends on:

Static-SCA Improvements:

  1. Automatic cdx upload of audit / git audit scan results (you can control which repo by --upload-rt-repo-path).
    A note is added with a link to the scan results that were uploaded.
  2. Wait for, fetch, and parse Xray violations using the new API call (generated by JPD for the cdx artifact).
  3. upload-cdx: Wait for results to be parsed by Xray before showing the link.

Other Improvements:

  1. Add --sbom option to git-audit cmd.
  2. INFO level log, extra message text, and link improvements & fixes (add durations to scans).
  3. Little code refactors to remove code duplication.
  4. Align BOM REF to reflect REF in Xray (pkg:/file: prefix, / as delimiter).
  5. Add fail build attribute to simple-json format.
  6. Refactor convertors interface (remove redundant target input for each method).
  7. Dump final cdx format file to out-dir if requested.
  8. SARIF format: violations will now be displayed in a different run.

attiasas added 30 commits July 17, 2025 13:30
@attiasas attiasas marked this pull request as ready for review November 20, 2025 09:00
}

func TestAuditNewScaCycloneDxYarn(t *testing.T) {
// TODO: yarn not working....

reminder

@attiasas attiasas merged commit bdfcc88 into jfrog:dev Nov 23, 2025
61 of 62 checks passed
@attiasas attiasas deleted the static_sca_violations_remediations branch November 23, 2025 15:03
basel1322 pushed a commit to basel1322/jfrog-cli-security that referenced this pull request Dec 8, 2025
Labels: ignore for release (Automatically generated release notes)

2 participants