Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Third party dependencies contextual analysis for npm #941

Merged
merged 84 commits into from
Sep 13, 2023
Merged

Third party dependencies contextual analysis for npm #941

merged 84 commits into from
Sep 13, 2023

Conversation

EyalDelarea
Copy link
Contributor

@EyalDelarea EyalDelarea commented Sep 10, 2023
edited
Loading

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • All static analysis checks passed.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.

When enabling the new flag of the CLI : third-party-contextual-analysis
The applicability scanner will run on the environments folders as well. ( node_modules etc...)

In this case we will need to exclude the reported applicabilities which originated from the impacted source package.

For example: protobufjs CVE applicability was found:
applicability location is inside node_modules/protobufjs -> disqualify
Other use case:
applicability location is inside node_modules/someOtherDep -> valid.

attiasas and others added 30 commits September 6, 2023 10:50
@attiasas
Improve audit data handling
ccb5c4f
@attiasas
Merge remote-tracking branch 'upstream/dev' into refactor_handle_scan…
ccc3379 
…_results
@attiasas
resolve conflicts
c0cb84f
@attiasas
fix tests
ff11b5d
@attiasas
fix static tests
ffce12b
@attiasas
finish convert xray results to sarif
bace6ff
@attiasas
Merge remote-tracking branch 'upstream/dev' into refactor_handle_scan…
7ee9b55 
…_results
@EyalDelarea
hard coded exclude
9024c73
@EyalDelarea
pull assaf's sarif PR
9e23c46
@attiasas
more sarif utils
633b93c
@attiasas
fix static tests
852a378
@attiasas
Merge remote-tracking branch 'upstream/dev' into refactor_handle_scan…
e80a2e7 
…_results
@attiasas
format
18e4c3f
@attiasas
fix tests
60a9327
@attiasas
fix tests
73de66f
@attiasas
fix tests
a08da44
@attiasas
cleanup
c7c68d2
@attiasas
fix tests
d88a09c
@attiasas
review changes
b62cbe7
@attiasas
fix tests
1fafae7
@attiasas
review changes, add more sarif utils
8fd9fa4
@attiasas
format
a3141fa
@attiasas
fix invocation to sast
7d1ac5c
@attiasas
more Sarif utils
d49a657
@attiasas
more Sarif utils
54a7fa3
@attiasas
more sarif utils
d8a90af
@EyalDelarea
pull dev
ce2c2a2
@EyalDelarea
pull asaffa branch
0907b3c
@attiasas
fix generate applic map
75fa7b2
@attiasas
review changes
84789ef
sverdlov93
sverdlov93 reviewed Sep 13, 2023
View reviewed changes
xray/commands/audit/jas/common.go
@@ -19,8 +19,12 @@ import (
"gopkg.in/yaml.v3"
)

const (
NodeModulesPattern = "**/*node_modules*/**"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
NodeModulesPattern = "**/*node_modules*/**"
nodeModulesPattern = "**/*node_modules*/**"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

been used from applicablitymanager.go so has to be public

@EyalDelarea EyalDelarea temporarily deployed to frogbot September 13, 2023 14:08 — with GitHub Actions Inactive
@github-actions
Copy link
Contributor

@EyalDelarea EyalDelarea changed the title Third party contextual analysis for npm Third party dependencies contextual analysis for npm Sep 13, 2023
@EyalDelarea EyalDelarea merged commit 739e5b3 into jfrog:dev Sep 13, 2023
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sverdlov93 sverdlov93 sverdlov93 left review comments

@eyalbe4 eyalbe4 Awaiting requested review from eyalbe4

Assignees
No one assigned
Labels
improvement Automatically generated release notes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@EyalDelarea @sverdlov93 @attiasas