Adding Xray Source Control Service

go.mod

@@ -94,7 +94,7 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f
+replace github.com/jfrog/jfrog-client-go => github.com/eyaldelarea/jfrog-client-go v1.28.4-0.20230907064804-16e49175c49f
 
 replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38
 

go.sum

@@ -100,6 +100,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/eyaldelarea/jfrog-client-go v1.28.4-0.20230907064804-16e49175c49f h1:V9d6ThTH0cpDAE3iffShj5AM/3zrkdW2BihzrLN1BPg=
+github.com/eyaldelarea/jfrog-client-go v1.28.4-0.20230907064804-16e49175c49f/go.mod h1:soD5VL3X+G+0KKUNSlb0CSdF9nwHsQZCr0xqOGedAHM=
 github.com/forPelevin/gomoji v1.1.8 h1:JElzDdt0TyiUlecy6PfITDL6eGvIaxqYH1V52zrd0qQ=
 github.com/forPelevin/gomoji v1.1.8/go.mod h1:8+Z3KNGkdslmeGZBC3tCrwMrcPy5GRzAD+gL9NAwMXg=
 github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY=
@@ -198,8 +200,6 @@ github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38 h1:XyAcwWP2a
 github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38/go.mod h1:QEskae5fQpjeY2PBzsjWtUQVskYSNDF2sSmw/Gx44dQ=
 github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
 github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
-github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f h1:S6l0o2sKFLRJ+QYVB5U/PJhrnwFSmKFFY7eHpRPRH8A=
-github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f/go.mod h1:uUnMrqHX7Xi+OCaZEE4b3BtsmGeOSCB7XqaEWVXEH/E=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=

utils/config/config.go

@@ -248,12 +248,12 @@ func getConfigFile() (content []byte, err error) {
 }
 
 func (config *Config) Clone() (*Config, error) {
-	bytes, err := json.Marshal(config)
+	configBytes, err := json.Marshal(config)
 	if err != nil {
 		return nil, errorutils.CheckError(err)
 	}
 	clone := &Config{}
-	if err = json.Unmarshal(bytes, clone); err != nil {
+	if err = json.Unmarshal(configBytes, clone); err != nil {
 		return nil, errorutils.CheckError(err)
 	}
 	return clone, nil
@@ -567,6 +567,8 @@ func (o *ConfigV0) Convert() *ConfigV4 {
 
 type ServerDetails struct {
 	Url                             string `json:"url,omitempty"`
+	XscUrl                          string `json:"-"`
+	XscVersion                      string `json:"-"`
 	SshUrl                          string `json:"-"`
 	ArtifactoryUrl                  string `json:"artifactoryUrl,omitempty"`
 	DistributionUrl                 string `json:"distributionUrl,omitempty"`
@@ -703,6 +705,8 @@ func (serverDetails *ServerDetails) CreateDistAuthConfig() (auth.ServiceDetails,
 
 func (serverDetails *ServerDetails) CreateXrayAuthConfig() (auth.ServiceDetails, error) {
 	artAuth := xrayAuth.NewXrayDetails()
+	artAuth.SetXscUrl(serverDetails.XscUrl)
+	artAuth.SetXscVersion(serverDetails.XscVersion)
 	artAuth.SetUrl(serverDetails.XrayUrl)
 	return serverDetails.createAuthConfig(artAuth)
 }

utils/coreutils/coreconsts.go

@@ -55,4 +55,7 @@ var (
 	Project     = "JFROG_CLI_BUILD_PROJECT"
 	//#nosec G101
 	EncryptionKey = "JFROG_CLI_ENCRYPTION_KEY"
+
+	// Manually sets XSC Multi-Scan-ID for testing purposes.
+	MultiScanId = "JFROG_CLI_XSC_MULTI_SCAN_ID"
 )

utils/usage/usage.go

@@ -136,7 +136,7 @@ func (ur *UsageReporter) reportToXray(features ...ReportFeature) (err error) {
 		err = errorutils.CheckErrorf("Nothing to send.")
 		return
 	}
-	return xrayusage.SendXrayUsageEvents(*serviceManager, events...)
+	return xrayusage.SendXrayUsageEvents(serviceManager, events...)
 }
 
 func (ur *UsageReporter) reportToArtifactory(features ...ReportFeature) (err error) {

xray/commands/audit/audit.go

@@ -2,13 +2,14 @@ package audit
 
 import (
 	"errors"
+	"fmt"
 	rtutils "github.com/jfrog/jfrog-cli-core/v2/artifactory/utils"
+	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
-	"github.com/jfrog/jfrog-cli-core/v2/xray/scangraph"
 	clientutils "github.com/jfrog/jfrog-client-go/utils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
-	"github.com/jfrog/jfrog-client-go/xray"
-	"github.com/jfrog/jfrog-client-go/xray/services"
+	"github.com/jfrog/jfrog-client-go/xray/manager"
+	"github.com/jfrog/jfrog-client-go/xray/scan"
 	"golang.org/x/sync/errgroup"
 	"os"
 
@@ -26,6 +27,12 @@ type AuditCommand struct {
 	AuditParams
 }
 
+type XrayEntitlements struct {
+	errGroup *errgroup.Group
+	Jas      bool
+	Xsc      bool
+}
+
 func NewGenericAuditCommand() *AuditCommand {
 	return &AuditCommand{AuditParams: *NewAuditParams()}
 }
@@ -65,11 +72,12 @@ func (auditCmd *AuditCommand) SetPrintExtendedTable(printExtendedTable bool) *Au
 	return auditCmd
 }
 
-func (auditCmd *AuditCommand) CreateXrayGraphScanParams() *services.XrayGraphScanParams {
-	params := &services.XrayGraphScanParams{
-		RepoPath: auditCmd.targetRepoPath,
-		Watches:  auditCmd.watches,
-		ScanType: services.Dependency,
+func (auditCmd *AuditCommand) CreateXrayGraphScanParams() *scan.XrayGraphScanParams {
+	params := &scan.XrayGraphScanParams{
+		RepoPath:    auditCmd.targetRepoPath,
+		Watches:     auditCmd.watches,
+		ScanType:    scan.Dependency,
+		MultiScanId: os.Getenv(coreutils.MultiScanId),
 	}
 	if auditCmd.projectKey == "" {
 		params.ProjectKey = os.Getenv(coreutils.Project)
@@ -140,6 +148,7 @@ type Results struct {
 	ScaError              error
 	JasError              error
 	ExtendedScanResults   *xrayutils.ExtendedScanResults
+	ScannedTechnologies   []coreutils.Technology
 }
 
 func NewAuditResults() *Results {
@@ -150,52 +159,68 @@ func NewAuditResults() *Results {
 // Returns an audit Results object containing all the scan results.
 // If the current server is entitled for JAS, the advanced security results will be included in the scan results.
 func RunAudit(auditParams *AuditParams) (results *Results, err error) {
+	var entitlements *XrayEntitlements
+	var serverDetails *config.ServerDetails
+
 	// Initialize Results struct
 	results = NewAuditResults()
-
-	serverDetails, err := auditParams.ServerDetails()
-	if err != nil {
-		return
-	}
-	var xrayManager *xray.XrayServicesManager
-	xrayManager, auditParams.xrayVersion, err = xrayutils.CreateXrayServiceManagerAndGetVersion(serverDetails)
-	if err != nil {
-		return
-	}
-	if err = clientutils.ValidateMinimumVersion(clientutils.Xray, auditParams.xrayVersion, scangraph.GraphScanMinXrayVersion); err != nil {
+	if serverDetails, err = auditParams.ServerDetails(); err != nil {
 		return
 	}
-	results.ExtendedScanResults.EntitledForJas, err = isEntitledForJas(xrayManager, auditParams.xrayVersion)
-	if err != nil {
+	// Check entitlements for JAS and XSC and update auditParams with results.
+	if entitlements, err = checkEntitlements(serverDetails, auditParams); err != nil {
 		return
 	}
-
-	errGroup := new(errgroup.Group)
-	if results.ExtendedScanResults.EntitledForJas {
-		// Download (if needed) the analyzer manager in a background routine.
-		errGroup.Go(rtutils.DownloadAnalyzerManagerIfNeeded)
-	}
-
 	// The sca scan doesn't require the analyzer manager, so it can run separately from the analyzer manager download routine.
 	results.ScaError = runScaScan(auditParams, results)
 
 	// Wait for the Download of the AnalyzerManager to complete.
-	if err = errGroup.Wait(); err != nil {
+	if err = entitlements.errGroup.Wait(); err != nil {
 		return
 	}
-
 	// Run scanners only if the user is entitled for Advanced Security
-	if results.ExtendedScanResults.EntitledForJas {
-		results.JasError = runJasScannersAndSetResults(results.ExtendedScanResults, auditParams.DirectDependencies(), serverDetails, auditParams.workingDirs, auditParams.Progress())
+	if entitlements.Jas {
+		results.ExtendedScanResults.EntitledForJas = entitlements.Jas
+		results.JasError = runJasScannersAndSetResults(results.ExtendedScanResults, auditParams.DirectDependencies(), serverDetails, auditParams.workingDirs, auditParams.Progress(), auditParams.xrayGraphScanParams.MultiScanId)
 	}
 	return
 }
 
-func isEntitledForJas(xrayManager *xray.XrayServicesManager, xrayVersion string) (entitled bool, err error) {
+func isEntitledForJas(xrayManager manager.SecurityServiceManager, xrayVersion string) (entitled bool, err error) {
 	if e := clientutils.ValidateMinimumVersion(clientutils.Xray, xrayVersion, xrayutils.EntitlementsMinVersion); e != nil {
 		log.Debug(e)
 		return
 	}
 	entitled, err = xrayManager.IsEntitled(xrayutils.ApplicabilityFeatureId)
 	return
 }
+
+// checkEntitlements validates the entitlements for JAS and XSC.
+func checkEntitlements(serverDetails *config.ServerDetails, auditParams *AuditParams) (entitlements *XrayEntitlements, err error) {
+	var xrayManager manager.SecurityServiceManager
+	if xrayManager, auditParams.xrayVersion, err = xrayutils.CreateXrayServiceManagerAndGetVersion(serverDetails); err != nil {
+		return
+	}
+	// Check entitlements
+	var jasEntitle, xscEntitled bool
+	if jasEntitle, err = isEntitledForJas(xrayManager, auditParams.xrayVersion); err != nil {
+		return
+	}
+	// Setting serverDetails.XscVersion is important as this is how we determined if XSC is enabled or not.
+	if xscEntitled, serverDetails.XscVersion, err = xrayManager.IsXscEnabled(); err != nil {
+		return
+	}
+	entitlements = &XrayEntitlements{Jas: jasEntitle, Xsc: xscEntitled, errGroup: new(errgroup.Group)}
+	log.Debug(fmt.Sprintf("entitlements results: JAS: %t XSC: %t", jasEntitle, xscEntitled))
+
+	// Handle actions needed in case of specific entitlement.
+	if entitlements.Jas {
+		// Download the analyzer manager in a background routine.
+		entitlements.errGroup.Go(rtutils.DownloadAnalyzerManagerIfNeeded)
+	}
+	if entitlements.Xsc {
+		log.Info("XSC version:", serverDetails.XscVersion)
+		auditParams.xscVersion = serverDetails.XscVersion
+	}
+	return
+}

xray/commands/audit/auditparams.go

@@ -2,22 +2,23 @@ package audit
 
 import (
 	xrayutils "github.com/jfrog/jfrog-cli-core/v2/xray/utils"
-	"github.com/jfrog/jfrog-client-go/xray/services"
+	"github.com/jfrog/jfrog-client-go/xray/scan"
 )
 
 type AuditParams struct {
-	xrayGraphScanParams *services.XrayGraphScanParams
+	xrayGraphScanParams *scan.XrayGraphScanParams
 	workingDirs         []string
 	installFunc         func(tech string) error
 	fixableOnly         bool
 	minSeverityFilter   string
 	*xrayutils.AuditBasicParams
 	xrayVersion string
+	xscVersion  string
 }
 
 func NewAuditParams() *AuditParams {
 	return &AuditParams{
-		xrayGraphScanParams: &services.XrayGraphScanParams{},
+		xrayGraphScanParams: &scan.XrayGraphScanParams{},
 		AuditBasicParams:    &xrayutils.AuditBasicParams{},
 	}
 }
@@ -26,7 +27,7 @@ func (params *AuditParams) InstallFunc() func(tech string) error {
 	return params.installFunc
 }
 
-func (params *AuditParams) XrayGraphScanParams() *services.XrayGraphScanParams {
+func (params *AuditParams) XrayGraphScanParams() *scan.XrayGraphScanParams {
 	return params.xrayGraphScanParams
 }
 
@@ -38,7 +39,7 @@ func (params *AuditParams) XrayVersion() string {
 	return params.xrayVersion
 }
 
-func (params *AuditParams) SetXrayGraphScanParams(xrayGraphScanParams *services.XrayGraphScanParams) *AuditParams {
+func (params *AuditParams) SetXrayGraphScanParams(xrayGraphScanParams *scan.XrayGraphScanParams) *AuditParams {
 	params.xrayGraphScanParams = xrayGraphScanParams
 	return params
 }

xray/commands/audit/jas/applicability/applicabilitymanager.go

@@ -10,7 +10,7 @@ import (
 	"github.com/jfrog/jfrog-cli-core/v2/xray/utils"
 	"github.com/jfrog/jfrog-client-go/utils/errorutils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
-	"github.com/jfrog/jfrog-client-go/xray/services"
+	"github.com/jfrog/jfrog-client-go/xray/scan"
 	"github.com/owenrumney/go-sarif/v2/sarif"
 	"golang.org/x/exp/maps"
 	"golang.org/x/exp/slices"
@@ -24,7 +24,7 @@ const (
 type ApplicabilityScanManager struct {
 	applicabilityScanResults map[string]utils.ApplicabilityStatus
 	directDependenciesCves   []string
-	xrayResults              []services.ScanResponse
+	xrayResults              []scan.ScanResponse
 	scanner                  *jas.JasScanner
 }
 
@@ -37,7 +37,7 @@ type ApplicabilityScanManager struct {
 // map[string]string: A map containing the applicability result of each XRAY CVE.
 // bool: true if the user is entitled to the applicability scan, false otherwise.
 // error: An error object (if any).
-func RunApplicabilityScan(xrayResults []services.ScanResponse, directDependencies []string,
+func RunApplicabilityScan(xrayResults []scan.ScanResponse, directDependencies []string,
 	scannedTechnologies []coreutils.Technology, scanner *jas.JasScanner) (results map[string]utils.ApplicabilityStatus, err error) {
 	applicabilityScanManager := newApplicabilityScanManager(xrayResults, directDependencies, scanner)
 	if !applicabilityScanManager.shouldRunApplicabilityScan(scannedTechnologies) {
@@ -52,7 +52,7 @@ func RunApplicabilityScan(xrayResults []services.ScanResponse, directDependencie
 	return
 }
 
-func newApplicabilityScanManager(xrayScanResults []services.ScanResponse, directDependencies []string, scanner *jas.JasScanner) (manager *ApplicabilityScanManager) {
+func newApplicabilityScanManager(xrayScanResults []scan.ScanResponse, directDependencies []string, scanner *jas.JasScanner) (manager *ApplicabilityScanManager) {
 	directDependenciesCves := extractDirectDependenciesCvesFromScan(xrayScanResults, directDependencies)
 	return &ApplicabilityScanManager{
 		applicabilityScanResults: map[string]utils.ApplicabilityStatus{},
@@ -64,7 +64,7 @@ func newApplicabilityScanManager(xrayScanResults []services.ScanResponse, direct
 
 // This function gets a list of xray scan responses that contain direct and indirect vulnerabilities and returns only direct
 // vulnerabilities of the scanned project, ignoring indirect vulnerabilities
-func extractDirectDependenciesCvesFromScan(xrayScanResults []services.ScanResponse, directDependencies []string) []string {
+func extractDirectDependenciesCvesFromScan(xrayScanResults []scan.ScanResponse, directDependencies []string) []string {
 	directsCves := datastructures.MakeSet[string]()
 	for _, scanResult := range xrayScanResults {
 		for _, vulnerability := range scanResult.Vulnerabilities {