Add option to include vulnerabilities if violation context exists

audit_test.go

@@ -33,16 +33,16 @@ import (
 )
 
 func TestXrayAuditNpmJson(t *testing.T) {
-	output := testAuditNpm(t, string(format.Json))
+	output := testAuditNpm(t, string(format.Json), false)
 	securityTestUtils.VerifyJsonScanResults(t, output, 1, 0, 1)
 }
 
 func TestXrayAuditNpmSimpleJson(t *testing.T) {
-	output := testAuditNpm(t, string(format.SimpleJson))
+	output := testAuditNpm(t, string(format.SimpleJson), true)
 	securityTestUtils.VerifySimpleJsonScanResults(t, output, 1, 0, 1)
 }
 
-func testAuditNpm(t *testing.T, format string) string {
+func testAuditNpm(t *testing.T, format string, withVuln bool) string {
 	securityTestUtils.InitSecurityTest(t, scangraph.GraphScanMinXrayVersion)
 	tempDirPath, createTempDirCallback := coreTests.CreateTempDirWithCallbackAndAssert(t)
 	defer createTempDirCallback()
@@ -57,7 +57,11 @@ func testAuditNpm(t *testing.T, format string) string {
 	addDummyPackageDescriptor(t, true)
 	watchName, deleteWatch := securityTestUtils.CreateTestWatch(t, "audit-policy", "audit-watch", xrayUtils.High)
 	defer deleteWatch()
-	return securityTests.PlatformCli.RunCliCmdWithOutput(t, "audit", "--npm", "--licenses", "--format="+format, "--watches="+watchName, "--fail=false")
+	args := []string{"audit", "--npm", "--licenses", "--format=" + format, "--watches=" + watchName, "--fail=false"}
+	if withVuln {
+		args = append(args, "--vuln")
+	}
+	return securityTests.PlatformCli.RunCliCmdWithOutput(t, args...)
 }
 
 func TestXrayAuditPnpmJson(t *testing.T) {

cli/docs/flags.go

@@ -103,6 +103,9 @@ const (
 	FixableOnly         = "fixable-only"
 	Rescan              = "rescan"
 	Vuln                = "vuln"
+	buildPrefix         = "build-"
+	BuildVuln           = buildPrefix + Vuln
+	ScanVuln            = scanPrefix + Vuln
 
 	// Unique audit flags
 	auditPrefix                  = "audit-"
@@ -134,22 +137,22 @@ var commandFlags = map[string][]string{
 	OfflineUpdate: {LicenseId, From, To, Version, Target, Stream, Periodic},
 	XrScan: {
 		url, user, password, accessToken, ServerId, SpecFlag, Threads, scanRecursive, scanRegexp, scanAnt,
-		Project, Watches, RepoPath, Licenses, OutputFormat, Fail, ExtendedTable, BypassArchiveLimits, MinSeverity, FixableOnly,
+		Project, Watches, RepoPath, Licenses, OutputFormat, Fail, ExtendedTable, BypassArchiveLimits, MinSeverity, FixableOnly, ScanVuln,
 	},
 	Enrich: {
 		url, user, password, accessToken, ServerId, Threads,
 	},
 	BuildScan: {
-		url, user, password, accessToken, ServerId, Project, Vuln, OutputFormat, Fail, ExtendedTable, Rescan,
+		url, user, password, accessToken, ServerId, Project, BuildVuln, OutputFormat, Fail, ExtendedTable, Rescan,
 	},
 	DockerScan: {
-		ServerId, Project, Watches, RepoPath, Licenses, OutputFormat, Fail, ExtendedTable, BypassArchiveLimits, MinSeverity, FixableOnly,
+		ServerId, Project, Watches, RepoPath, Licenses, OutputFormat, Fail, ExtendedTable, BypassArchiveLimits, MinSeverity, FixableOnly, ScanVuln,
 	},
 	Audit: {
 		url, user, password, accessToken, ServerId, InsecureTls, Project, Watches, RepoPath, Licenses, OutputFormat, ExcludeTestDeps,
 		useWrapperAudit, DepType, RequirementsFile, Fail, ExtendedTable, WorkingDirs, ExclusionsAudit, Mvn, Gradle, Npm,
 		Pnpm, Yarn, Go, Nuget, Pip, Pipenv, Poetry, MinSeverity, FixableOnly, ThirdPartyContextualAnalysis, Threads,
-		Sca, Iac, Sast, Secrets, WithoutCA,
+		Sca, Iac, Sast, Secrets, WithoutCA, ScanVuln,
 	},
 	CurationAudit: {
 		CurationOutput, WorkingDirs, Threads, RequirementsFile,
@@ -215,7 +218,8 @@ var flagsMap = map[string]components.Flag{
 	MinSeverity:         components.NewStringFlag(MinSeverity, "Set the minimum severity of issues to display. The following values are accepted: Low, Medium, High or Critical."),
 	FixableOnly:         components.NewBoolFlag(FixableOnly, "Set to true if you wish to display issues that have a fixed version only."),
 	Rescan:              components.NewBoolFlag(Rescan, "Set to true when scanning an already successfully scanned build, for example after adding an ignore rule."),
-	Vuln:                components.NewBoolFlag(Vuln, "Set to true if you'd like to receive an additional view of all vulnerabilities, regardless of the policy configured in Xray. Ignored if provided 'format' is 'sarif'."),
+	BuildVuln:           components.NewBoolFlag(Vuln, "Set to true if you'd like to receive an additional view of all vulnerabilities, regardless of the policy configured in Xray. Ignored if provided 'format' is 'sarif'."),
+	ScanVuln:            components.NewBoolFlag(Vuln, "Set to true if you'd like to receive an additional view of all vulnerabilities, regardless of the policy configured in Xray."),
 	InsecureTls:         components.NewBoolFlag(InsecureTls, "Set to true to skip TLS certificates verification."),
 	ExcludeTestDeps:     components.NewBoolFlag(ExcludeTestDeps, "[Gradle] Set to true if you'd like to exclude Gradle test dependencies from Xray scanning."),
 	useWrapperAudit: components.NewBoolFlag(

cli/scancommands.go

@@ -233,7 +233,7 @@ func ScanCmd(c *components.Context) error {
 		SetSpec(specFile).
 		SetOutputFormat(format).
 		SetProject(c.GetStringFlagValue(flags.Project)).
-		SetIncludeVulnerabilities(shouldIncludeVulnerabilities(c)).
+		SetIncludeVulnerabilities(c.GetBoolFlagValue(flags.Vuln) || shouldIncludeVulnerabilities(c)).
 		SetIncludeLicenses(c.GetBoolFlagValue(flags.Licenses)).
 		SetFail(c.GetBoolFlagValue(flags.Fail)).
 		SetPrintExtendedTable(c.GetBoolFlagValue(flags.ExtendedTable)).
@@ -451,7 +451,7 @@ func CreateAuditCmd(c *components.Context) (*audit.AuditCommand, error) {
 
 	auditCmd.SetTargetRepoPath(addTrailingSlashToRepoPathIfNeeded(c)).
 		SetProject(c.GetStringFlagValue(flags.Project)).
-		SetIncludeVulnerabilities(shouldIncludeVulnerabilities(c)).
+		SetIncludeVulnerabilities(c.GetBoolFlagValue(flags.Vuln) || shouldIncludeVulnerabilities(c)).
 		SetIncludeLicenses(c.GetBoolFlagValue(flags.Licenses)).
 		SetFail(c.GetBoolFlagValue(flags.Fail)).
 		SetPrintExtendedTable(c.GetBoolFlagValue(flags.ExtendedTable)).
@@ -597,7 +597,7 @@ func DockerScan(c *components.Context, image string) error {
 		SetServerDetails(serverDetails).
 		SetOutputFormat(format).
 		SetProject(c.GetStringFlagValue(flags.Project)).
-		SetIncludeVulnerabilities(shouldIncludeVulnerabilities(c)).
+		SetIncludeVulnerabilities(c.GetBoolFlagValue(flags.Vuln) || shouldIncludeVulnerabilities(c)).
 		SetIncludeLicenses(c.GetBoolFlagValue(flags.Licenses)).
 		SetFail(c.GetBoolFlagValue(flags.Fail)).
 		SetPrintExtendedTable(c.GetBoolFlagValue(flags.ExtendedTable)).

scans_test.go

@@ -42,33 +42,40 @@ import (
 // Binary scan tests
 
 func TestXrayBinaryScanJson(t *testing.T) {
-	output := testXrayBinaryScan(t, string(format.Json))
+	output := testXrayBinaryScan(t, string(format.Json), false)
 	securityTestUtils.VerifyJsonScanResults(t, output, 0, 1, 1)
 }
 
 func TestXrayBinaryScanSimpleJson(t *testing.T) {
-	output := testXrayBinaryScan(t, string(format.SimpleJson))
-	securityTestUtils.VerifySimpleJsonScanResults(t, output, 0, 1, 1)
+	output := testXrayBinaryScan(t, string(format.SimpleJson), true)
+	securityTestUtils.VerifySimpleJsonScanResults(t, output, 1, 1, 1)
 }
 
 func TestXrayBinaryScanJsonWithProgress(t *testing.T) {
 	callback := commonTests.MockProgressInitialization()
 	defer callback()
-	output := testXrayBinaryScan(t, string(format.Json))
+	output := testXrayBinaryScan(t, string(format.Json), false)
 	securityTestUtils.VerifyJsonScanResults(t, output, 0, 1, 1)
 }
 
 func TestXrayBinaryScanSimpleJsonWithProgress(t *testing.T) {
 	callback := commonTests.MockProgressInitialization()
 	defer callback()
-	output := testXrayBinaryScan(t, string(format.SimpleJson))
-	securityTestUtils.VerifySimpleJsonScanResults(t, output, 0, 1, 1)
+	output := testXrayBinaryScan(t, string(format.SimpleJson), true)
+	securityTestUtils.VerifySimpleJsonScanResults(t, output, 1, 1, 1)
 }
 
-func testXrayBinaryScan(t *testing.T, format string) string {
+func testXrayBinaryScan(t *testing.T, format string, withViolation bool) string {
 	securityTestUtils.InitSecurityTest(t, scangraph.GraphScanMinXrayVersion)
 	binariesPath := filepath.Join(filepath.FromSlash(securityTestUtils.GetTestResourcesPath()), "projects", "binaries", "*")
-	return securityTests.PlatformCli.RunCliCmdWithOutput(t, "scan", binariesPath, "--licenses", "--format="+format)
+	args := []string{"scan", binariesPath, "--licenses", "--format=" + format}
+	if withViolation {
+		watchName, deleteWatch := securityTestUtils.CreateTestWatch(t, "audit-policy", "audit-watch", xrayUtils.High)
+		defer deleteWatch()
+		// Include violations and vulnerabilities
+		args = append(args, "--watches="+watchName, "--vuln")
+	}
+	return securityTests.PlatformCli.RunCliCmdWithOutput(t, args...)
 }
 
 func TestXrayBinaryScanWithBypassArchiveLimits(t *testing.T) {

xsc_test.go

@@ -56,15 +56,15 @@ func initXscTest(t *testing.T) func() {
 func TestXscAuditNpmJsonWithWatch(t *testing.T) {
 	restoreFunc := initXscTest(t)
 	defer restoreFunc()
-	output := testAuditNpm(t, string(format.Json))
+	output := testAuditNpm(t, string(format.Json), false)
 	securityTestUtils.VerifyJsonScanResults(t, output, 1, 0, 1)
 }
 
 func TestXscAuditNpmSimpleJsonWithWatch(t *testing.T) {
 	restoreFunc := initXscTest(t)
 	defer restoreFunc()
-	output := testAuditNpm(t, string(format.SimpleJson))
-	securityTestUtils.VerifySimpleJsonScanResults(t, output, 1, 0, 1)
+	output := testAuditNpm(t, string(format.SimpleJson), true)
+	securityTestUtils.VerifySimpleJsonScanResults(t, output, 1, 1, 1)
 }
 
 func TestXscAuditMavenJson(t *testing.T) {
@@ -87,7 +87,7 @@ func TestXscAnalyticsForAudit(t *testing.T) {
 	reportUsageCallBack := clientTests.SetEnvWithCallbackAndAssert(t, coreutils.ReportUsage, "true")
 	defer reportUsageCallBack()
 	// Scan npm project and verify that analytics general event were sent to XSC.
-	output := testAuditNpm(t, string(format.SimpleJson))
+	output := testAuditNpm(t, string(format.SimpleJson), false)
 	validateAnalyticsBasicEvent(t, output)
 }