Validate xray url #160

hadarshjfrog · 2024-08-30T11:38:02Z

The pull request is targeting the dev branch.
The code has been validated to compile successfully by running go vet ./....
The code has been formatted properly using go fmt ./....
All static analysis checks passed.
All tests have passed. If this feature is not already covered by the tests, new tests have been added.
All changes are detailed at the description. if not already covered at JFrog Documentation, new documentation have been added.

When configuring xray-url only, without the url - the audit command didn't recognize them, and couldn't set JAS scanners:

I keep getting this warning “To include 'Advanced Security' scan as part of the audit output, please run the 'jf c add' command before running this command.“ when running the jf audit.

The command I use to reproduce the issue:
jf c add "test" --xray-url="PLATFORM_URL" --interactive=false --access-token="access-token*****"

I was able to solve it using the following cmd:
jf c add "test" --url="PLATFORM_URL" --interactive=false --access-token="access-token******"

orz25 · 2024-09-17T06:59:17Z

@hadarshjfrog I think it's worth adding a test to audit_test.go - configure a server with Xray URL only and validate we get JAS results

github-actions · 2024-09-22T19:06:27Z

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	CONTEXTUAL ANALYSIS	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
Unknown	Not Covered	github.com/golang/go:v1.22.3	github.com/golang/go v1.22.3	[1.22.7] [1.23.1]	CVE-2024-34155
Unknown	Not Covered	github.com/golang/go:v1.22.3	github.com/golang/go v1.22.3	[1.22.7] [1.23.1]	CVE-2024-34158
Unknown	Not Covered	github.com/golang/go:v1.22.3	github.com/golang/go v1.22.3	[1.22.7] [1.23.1]	CVE-2024-34156
Critical	Not Applicable	github.com/golang/go:v1.22.3	github.com/golang/go v1.22.3	[1.21.11] [1.22.4]	CVE-2024-24790
Medium	Not Applicable	github.com/golang/go:v1.22.3	github.com/golang/go v1.22.3	[1.21.11] [1.22.4]	CVE-2024-24789
Unknown	Not Applicable	github.com/golang/go:v1.22.3	github.com/golang/go v1.22.3	[1.21.12] [1.22.5]	CVE-2024-24791

🔬 Research Details

[ CVE-2024-34155 ] github.com/golang/go v1.22.3

Description:
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

[ CVE-2024-34158 ] github.com/golang/go v1.22.3

Description:
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

[ CVE-2024-34156 ] github.com/golang/go v1.22.3

Description:
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

[ CVE-2024-24790 ] github.com/golang/go v1.22.3

Description:
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

[ CVE-2024-24789 ] github.com/golang/go v1.22.3

Description:
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

[ CVE-2024-24791 ] github.com/golang/go v1.22.3

Description:
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

🐸 JFrog Frogbot

orz25 · 2024-10-06T07:45:26Z

audit_test.go

@@ -620,3 +620,37 @@ func TestAuditOnEmptyProject(t *testing.T) {
 	output := securityTests.PlatformCli.WithoutCredentials().RunCliCmdWithOutput(t, "audit", "--format="+string(format.SimpleJson))
 	securityTestUtils.VerifySimpleJsonJasResults(t, output, 0, 0, 0, 0, 0, 0, 0, 0, 0)
 }
+
+// xray-url only


Can you make the comment more informative?

orz25 · 2024-10-06T07:48:54Z

audit_test.go

+	securityTestUtils.VerifySimpleJsonJasResults(t, output, 0, 0, 0, 0, 0, 0, 0, 0, 0)
+}
+
+func getNoJasAuditMockCommandWithXrayUrl() components.Command {


I think we can use the function getNoJasAuditMockCommand (I don't see any difference)

orz25 · 2024-10-06T07:56:21Z

audit_test.go

+}
+
+func TestXrayAuditJasSimpleJsonWithXrayUrl(t *testing.T) {
+	output := testXrayAuditJas(t, securityTests.PlatformCli, filepath.Join("jas", "jas"), "3", false)


I think you should create here a 'cliToRun' object, same in TestXrayAuditNotEntitledForJasWithXrayUrl. Otherwise the test will use the default CLI configured to the integration test

hadarshjfrog assigned eranturgeman Aug 30, 2024

hadarshjfrog had a problem deploying to frogbot August 30, 2024 11:38 — with GitHub Actions Failure

hadarshjfrog force-pushed the validate-xray-url branch from 9878122 to 611df08 Compare August 30, 2024 11:41

hadarshjfrog had a problem deploying to frogbot August 30, 2024 11:41 — with GitHub Actions Failure

hadarshjfrog force-pushed the validate-xray-url branch from 611df08 to ff7aafa Compare August 30, 2024 11:48

hadarshjfrog temporarily deployed to frogbot August 30, 2024 11:48 — with GitHub Actions Inactive

hadarshjfrog added bug Something isn't working safe to test Approve running integration tests on a pull request labels Aug 30, 2024

github-actions bot removed the safe to test Approve running integration tests on a pull request label Aug 30, 2024

hadarshjfrog added the safe to test Approve running integration tests on a pull request label Aug 30, 2024

github-actions bot removed the safe to test Approve running integration tests on a pull request label Aug 30, 2024

hadarshjfrog assigned orz25 Sep 3, 2024

hadarshjfrog added the safe to test Approve running integration tests on a pull request label Sep 3, 2024

github-actions bot removed the safe to test Approve running integration tests on a pull request label Sep 3, 2024

hadarshjfrog force-pushed the validate-xray-url branch from ff7aafa to e60da42 Compare September 5, 2024 07:46

hadarshjfrog temporarily deployed to frogbot September 5, 2024 07:46 — with GitHub Actions Inactive

hadarshjfrog added the safe to test Approve running integration tests on a pull request label Sep 8, 2024

github-actions bot removed the safe to test Approve running integration tests on a pull request label Sep 8, 2024

hadarshjfrog requested a deployment to frogbot September 16, 2024 21:39 — with GitHub Actions Waiting

hadarshjfrog temporarily deployed to frogbot September 16, 2024 21:42 — with GitHub Actions Inactive

hadarshjfrog added the safe to test Approve running integration tests on a pull request label Sep 16, 2024

github-actions bot removed the safe to test Approve running integration tests on a pull request label Sep 16, 2024

hadarshjfrog force-pushed the validate-xray-url branch from 3168835 to d356b6e Compare September 17, 2024 06:42

hadarshjfrog requested a deployment to frogbot September 17, 2024 06:42 — with GitHub Actions Waiting

hadarshjfrog added the safe to test Approve running integration tests on a pull request label Sep 17, 2024

github-actions bot removed the safe to test Approve running integration tests on a pull request label Sep 17, 2024

hadarshjfrog force-pushed the validate-xray-url branch from d356b6e to 80e61ff Compare September 22, 2024 18:44

hadarshjfrog had a problem deploying to frogbot September 22, 2024 18:44 — with GitHub Actions Failure

hadarshjfrog requested a deployment to frogbot September 30, 2024 18:47 — with GitHub Actions Waiting

hadarshjfrog added 2 commits September 30, 2024 21:49

fix env var + add test

8116aab

add xrayUrlOnly to audit_test

684c109

hadarshjfrog force-pushed the validate-xray-url branch from fb4303d to 684c109 Compare October 1, 2024 06:34

hadarshjfrog had a problem deploying to frogbot October 1, 2024 06:34 — with GitHub Actions Failure

hadarshjfrog added the safe to test Approve running integration tests on a pull request label Oct 1, 2024

github-actions bot removed the safe to test Approve running integration tests on a pull request label Oct 1, 2024

fix static analysis

baf77e2

hadarshjfrog requested a deployment to frogbot October 1, 2024 08:31 — with GitHub Actions Waiting

orz25 reviewed Oct 6, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Validate xray url #160

Validate xray url #160

hadarshjfrog commented Aug 30, 2024 •

edited

Loading

orz25 commented Sep 17, 2024 •

edited

Loading

github-actions bot commented Sep 22, 2024

orz25 Oct 6, 2024

orz25 Oct 6, 2024

orz25 Oct 6, 2024

Validate xray url #160

Are you sure you want to change the base?

Validate xray url #160

Conversation

hadarshjfrog commented Aug 30, 2024 • edited Loading

orz25 commented Sep 17, 2024 • edited Loading

github-actions bot commented Sep 22, 2024

📦 Vulnerable Dependencies

✍️ Summary

🔬 Research Details

orz25 Oct 6, 2024

Choose a reason for hiding this comment

orz25 Oct 6, 2024

Choose a reason for hiding this comment

orz25 Oct 6, 2024

Choose a reason for hiding this comment

hadarshjfrog commented Aug 30, 2024 •

edited

Loading

orz25 commented Sep 17, 2024 •

edited

Loading