From a45f8523d8c388b22d207fd1d1743f0bc35d9e55 Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Mon, 30 Jun 2025 14:24:22 +0300
Subject: [PATCH 1/6] added new env var for Frogbot for application key

---
 utils/consts.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/utils/consts.go b/utils/consts.go
index 97b064e6a..455b7e658 100644
--- a/utils/consts.go
+++ b/utils/consts.go
@@ -33,6 +33,7 @@ const (
 	JFrogTokenEnv = "JF_ACCESS_TOKEN"
 	JfrogUseConfigProfileEnv = "JF_USE_CONFIG_PROFILE"
 	JfrogConfigProfileEnv = "JF_CONFIG_PROFILE"
+	JfrogApplicationKey = "JF_APPLICATION_KEY"
 
 	// Git environment variables
 	GitProvider = "JF_GIT_PROVIDER"

From a7e4e13aba985bbb73a4298159290b13018c9283 Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Mon, 30 Jun 2025 14:48:39 +0300
Subject: [PATCH 2/6] added new field for application key in JfrogPlatform params + fetching of the new env var if value is not provided from config file

---
 utils/params.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/utils/params.go b/utils/params.go
index bf77dcf74..b022579ca 100644
--- a/utils/params.go
+++ b/utils/params.go
@@ -294,6 +294,7 @@ type JFrogPlatform struct {
 	Watches []string `yaml:"watches,omitempty"`
 	IncludeVulnerabilities bool `yaml:"includeVulnerabilities,omitempty"`
 	JFrogProjectKey string `yaml:"jfrogProjectKey,omitempty"`
+	JfrogApplicationKey string `yaml:"jfrogApplicationKey,omitempty"` // TODO eran verify required json name
 }
 
 func (jp *JFrogPlatform) setDefaultsIfNeeded() (err error) {
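Review bot: The new constant on the `+` line of the consts.go hunk breaks the naming pattern of its neighbours: `JFrogTokenEnv`, `JfrogUseConfigProfileEnv` and `JfrogConfigProfileEnv` all carry the `Env` suffix to mark that the value is an environment-variable name, whereas `JfrogApplicationKey` reads like the key itself and is also the exact name patch 2 gives the `JFrogPlatform` struct field. Renaming it to `JfrogApplicationKeyEnv = "JF_APPLICATION_KEY"` and updating the single use in `setDefaultsIfNeeded` keeps the two identifiers apart and matches `jfrogProjectEnv`, the constant the project-key fallback uses.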
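Review bot: The `+` line in the `JFrogPlatform` hunk ships a personal `// TODO eran verify required json name` on a field whose tag is `yaml:`, not `json:`; patch 3's testdata already loads `jfrogApplicationKey: app-key` through this tag, so the question the TODO asks is answered and it should be dropped before merge. The field name also mixes casing with its sibling `JFrogProjectKey` (`JFrog` versus `Jfrog`); `JFrogApplicationKey string` with the same yaml tag would be consistent. A one-line comment in place of the TODO, e.g. `// Optional AppTrust application key; falls back to JF_APPLICATION_KEY when not set in the config file`, would document what the value is for.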
@@ -302,6 +303,8 @@ func (jp *JFrogPlatform) setDefaultsIfNeeded() (err error) {
 		if jp.Watches, err = readArrayParamFromEnv(jfrogWatchesEnv, WatchesDelimiter); err != nil && !e.IsMissingEnvErr(err) {
 			return
 		}
+		// We don't want to return an error from this function if the error is of type ErrMissingEnv because JFrogPlatform environment variables are not mandatory.
+		err = nil
 	}
 	if jp.JFrogProjectKey == "" {
 		if err = readParamFromEnv(jfrogProjectEnv, &jp.JFrogProjectKey); err != nil && !e.IsMissingEnvErr(err) {
@@ -310,6 +313,13 @@ func (jp *JFrogPlatform) setDefaultsIfNeeded() (err error) {
 		// We don't want to return an error from this function if the error is of type ErrMissingEnv because JFrogPlatform environment variables are not mandatory.
 		err = nil
 	}
+	if jp.JfrogApplicationKey == "" {
+		if err = readParamFromEnv(JfrogApplicationKey, &jp.JfrogApplicationKey); err != nil && !e.IsMissingEnvErr(err) {
+			return
+		}
+		// We don't want to return an error from this function if the error is of type ErrMissingEnv because JFrogPlatform environment variables are not mandatory.
+		err = nil
+	}
 	if !jp.IncludeVulnerabilities {
 		if jp.IncludeVulnerabilities, err = getBoolEnv(IncludeVulnerabilitiesEnv, false); err != nil {
 			return
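Review bot: The application-key block added in the second hunk on this line is the third verbatim copy of the read-if-empty / swallow-missing-env / `err = nil` pattern, after the watches and project-key blocks, and the named result `err` is the only thing keeping each copy from leaking a stale ErrMissingEnv into the return value. Folding the pattern into a helper that returns nil on a missing variable removes the repeated resets and makes the next optional field a one-line addition. `setDefaultsIfNeeded` begins before and ends after these hunks, so the watches and boolean blocks would need the same treatment to finish the cleanup.

```go
// readOptionalParamFromEnv fills *dst from envKey only when *dst is still empty.
// A missing variable is not an error: JFrogPlatform environment variables are optional.
func readOptionalParamFromEnv(envKey string, dst *string) error {
	if *dst != "" {
		return nil
	}
	if err := readParamFromEnv(envKey, dst); err != nil && !e.IsMissingEnvErr(err) {
		return err
	}
	return nil
}

// … unchanged: setDefaultsIfNeeded head and watches block …
	if err = readOptionalParamFromEnv(jfrogProjectEnv, &jp.JFrogProjectKey); err != nil {
		return
	}
	if err = readOptionalParamFromEnv(JfrogApplicationKey, &jp.JfrogApplicationKey); err != nil {
		return
	}
	// … unchanged: IncludeVulnerabilities block onward …
```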
@@ -543,7 +553,7 @@ func getConfigFileContent(gitClient vcsclient.VcsClient, gitParamsFromEnv *Git,
 	return configFileContent, err
 }
 
-// BuildRepoAggregator receives the content of a frogbot-config.yml file, along with the Git (built from environment variables) and ServerDetails parameters.
+// Receives the content of a frogbot-config.yml file, along with the Git (built from environment variables) and ServerDetails parameters.
 // Returns a RepoAggregator instance with all the defaults and necessary fields.
 func BuildRepoAggregator(xrayVersion, xscVersion string, gitClient vcsclient.VcsClient, configFileContent []byte, gitParamsFromEnv *Git, server *coreconfig.ServerDetails, commandName string) (resultAggregator RepoAggregator, err error) {
 	var cleanAggregator RepoAggregator
@@ -566,7 +576,7 @@ func BuildRepoAggregator(xrayVersion, xscVersion string, gitClient vcsclient.Vcs
 	return
 }
 
-// unmarshalFrogbotConfigYaml uses the yaml.Unmarshaler interface to parse the yamlContent.
+// Uses the yaml.Unmarshaler interface to parse the yamlContent.
 // If there is no config file, the function returns a RepoAggregator with an empty repository.
 func unmarshalFrogbotConfigYaml(yamlContent []byte) (result RepoAggregator, err error) {
 	if len(yamlContent) == 0 {

From 991b0da8e9b759d6d57692c8dd6d4682606c2a4e Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Mon, 30 Jun 2025 14:49:21 +0300
Subject: [PATCH 3/6] updated test of unmarshaling config file to validate new app-key addition

---
 testdata/config/frogbot-config-test-unmarshal.yml | 1 +
 utils/params_test.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/testdata/config/frogbot-config-test-unmarshal.yml b/testdata/config/frogbot-config-test-unmarshal.yml
index 0882935a5..7f13e60be 100755
--- a/testdata/config/frogbot-config-test-unmarshal.yml
+++ b/testdata/config/frogbot-config-test-unmarshal.yml
@@ -35,3 +35,4 @@
       - watch-1
       - watch-2
     jfrogProjectKey: proj
+    jfrogApplicationKey: app-key
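Review bot: Both comment rewrites on this line go against the Go doc-comment convention, which wants the comment to open with the declared name: `// BuildRepoAggregator receives the content of a frogbot-config.yml file, ...` is the form `go doc`, gopls hover and the revive/golint exported-name check expect, and the same holds for `// unmarshalFrogbotConfigYaml uses the yaml.Unmarshaler interface ...` in the second hunk. Dropping the names makes the exported `BuildRepoAggregator` lint-dirty and turns both docs into sentence fragments; keep the original wording on both lines. Neither change is related to the application-key feature, so it would also be cleaner to leave them out of this series.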
diff --git a/utils/params_test.go b/utils/params_test.go
index 35f454b7a..aac0dad29 100644
--- a/utils/params_test.go
+++ b/utils/params_test.go
@@ -502,6 +502,7 @@ func TestFrogbotConfigAggregator_unmarshalFrogbotConfigYaml(t *testing.T) {
 	assert.ElementsMatch(t, []string{"a/b", "b/c"}, thirdRepoProject.WorkingDirs)
 	assert.ElementsMatch(t, []string{"watch-1", "watch-2"}, thirdRepo.Watches)
 	assert.Equal(t, "proj", thirdRepo.JFrogProjectKey)
+	assert.Equal(t, "app-key", thirdRepo.JfrogApplicationKey)
 }
 
 func TestVerifyValidApiEndpoint(t *testing.T) {

From b1b5b2f53a14f8b0e3dd0f9717ba617a939fc2e5 Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Mon, 30 Jun 2025 14:50:46 +0300
Subject: [PATCH 4/6] passing appKey to SetResultsContext to be added to ResultContext

---
 utils/scandetails.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/utils/scandetails.go b/utils/scandetails.go
index d87bdcda9..325efd8c1 100644
--- a/utils/scandetails.go
+++ b/utils/scandetails.go
@@ -74,8 +74,8 @@ func (sc *ScanDetails) SetProject(project *Project) *ScanDetails {
 	return sc
 }
 
-func (sc *ScanDetails) SetResultsContext(httpCloneUrl string, watches []string, jfrogProjectKey string, includeVulnerabilities, includeLicenses bool) *ScanDetails {
-	sc.ResultContext = audit.CreateAuditResultsContext(sc.ServerDetails, sc.XrayVersion, watches, sc.RepoPath, jfrogProjectKey, httpCloneUrl, includeVulnerabilities, includeLicenses, false)
+func (sc *ScanDetails) SetResultsContext(httpCloneUrl string, watches []string, jfrogProjectKey string, jfrogApplicationKey string, includeVulnerabilities, includeLicenses bool) *ScanDetails {
+	sc.ResultContext = audit.CreateAuditResultsContext(sc.ServerDetails, sc.XrayVersion, watches, sc.RepoPath, jfrogProjectKey, httpCloneUrl, jfrogApplicationKey, includeVulnerabilities, includeLicenses, false)
 	return sc
 }
 

From a121bab11f1f15e03cd62ba8cb5f5b4fe5d8a75f Mon Sep 17 00:00:00 2001
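Review bot: The new assertion in the params_test.go hunk only exercises the YAML path of `jfrogApplicationKey`; the env-var fallback that patch 2 adds to `setDefaultsIfNeeded` (empty config value with `JF_APPLICATION_KEY` set) has no test, and neither does the precedence rule when both are present. Since the test file is in package `utils`, a small case such as `t.Setenv(JfrogApplicationKey, "env-app-key")`, `jp := &JFrogPlatform{}; assert.NoError(t, jp.setDefaultsIfNeeded())`, `assert.Equal(t, "env-app-key", jp.JfrogApplicationKey)` pins the fallback, and a second run with `JfrogApplicationKey: "cfg-app-key"` pre-set checks that the config value wins. `TestFrogbotConfigAggregator_unmarshalFrogbotConfigYaml` starts before this hunk.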
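Review bot: `SetResultsContext` in the scandetails.go hunk now takes two adjacent untyped string parameters, `jfrogProjectKey string, jfrogApplicationKey string`, and both call sites in patch 5 pass them positionally, so a swapped argument compiles silently and would send the project key where the application key belongs or vice versa; the bare `""` literal in scanrepository is the first such call. Since the exported method also has no doc comment, adding one that fixes the order in the reader's mind is the cheapest guard: `// SetResultsContext builds sc.ResultContext for the scan; jfrogApplicationKey is the AppTrust application key and may be empty for commands that do not support it.` The slot the new value occupies in `audit.CreateAuditResultsContext` cannot be checked from this diff, so it is worth confirming against the pinned jfrog-cli-security signature.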
From: Eran Turgeman
Date: Mon, 30 Jun 2025 14:51:39 +0300
Subject: [PATCH 5/6] added application key to ScanDetails creation for scan-pr only (passed empty value to scan-repo)

---
 scanpullrequest/scanpullrequest.go | 2 +-
 scanrepository/scanrepository.go | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/scanpullrequest/scanpullrequest.go b/scanpullrequest/scanpullrequest.go
index 81a702596..7944174e1 100644
--- a/scanpullrequest/scanpullrequest.go
+++ b/scanpullrequest/scanpullrequest.go
@@ -176,7 +176,7 @@ func createBaseScanDetails(repoConfig *utils.Repository, client vcsclient.VcsCli
 	}
 	scanDetails = utils.NewScanDetails(client, &repoConfig.Server, &repoConfig.Git).
 		SetJfrogVersions(repoConfig.XrayVersion, repoConfig.XscVersion).
-		SetResultsContext(repositoryCloneUrl, repoConfig.Watches, repoConfig.JFrogProjectKey, repoConfig.IncludeVulnerabilities, len(repoConfig.AllowedLicenses) > 0).
+		SetResultsContext(repositoryCloneUrl, repoConfig.Watches, repoConfig.JFrogProjectKey, repoConfig.JfrogApplicationKey, repoConfig.IncludeVulnerabilities, len(repoConfig.AllowedLicenses) > 0).
 		SetFixableOnly(repoConfig.FixableOnly).
 		SetConfigProfile(repoConfig.ConfigProfile).
 		SetSkipAutoInstall(repoConfig.SkipAutoInstall).
diff --git a/scanrepository/scanrepository.go b/scanrepository/scanrepository.go
index 86e0364ea..bb8ec7186 100644
--- a/scanrepository/scanrepository.go
+++ b/scanrepository/scanrepository.go
@@ -131,7 +131,8 @@ func (cfp *ScanRepositoryCmd) setCommandPrerequisites(repository *utils.Reposito
 	// Set the scan details
 	cfp.scanDetails = utils.NewScanDetails(client, &repository.Server, &repository.Git).
 		SetJfrogVersions(cfp.XrayVersion, cfp.XscVersion).
-		SetResultsContext(repositoryCloneUrl, repository.Watches, repository.JFrogProjectKey, repository.IncludeVulnerabilities, len(repository.AllowedLicenses) > 0).
+		// AppTrust is currently not supported in ScanRepository command, therefore we pass an empty applicationKey
+		SetResultsContext(repositoryCloneUrl, repository.Watches, repository.JFrogProjectKey, "", repository.IncludeVulnerabilities, len(repository.AllowedLicenses) > 0).
 		SetFixableOnly(repository.FixableOnly).
 		SetConfigProfile(repository.ConfigProfile).
 		SetSkipAutoInstall(repository.SkipAutoInstall).

From abde0c38f5e0b9f577b2eebcaca028557e5b89bd Mon Sep 17 00:00:00 2001
From: Eran Turgeman
Date: Mon, 30 Jun 2025 14:52:08 +0300
Subject: [PATCH 6/6] update go mod

---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 543e05a70..328c961ab 100644
--- a/go.mod
+++ b/go.mod
@@ -118,7 +118,7 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security v1.19.1-0.20250625095826-3aba9954dfc9
+replace github.com/jfrog/jfrog-cli-security => github.com/eranturgeman/jfrog-cli-security v0.0.0-20250630111707-02606baf6aad
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev
 
diff --git a/go.sum b/go.sum
index f0e973c73..c3498183e 100644
--- a/go.sum
+++ b/go.sum
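Review bot: The new `// AppTrust is currently not supported in ScanRepository command ...` comment in the scanrepository.go hunk sits between two links of the builder chain, after the trailing `.` of `SetJfrogVersions(...)`, which compiles but is easy to misread and will trip anyone reordering the chain; put it on the line above `cfp.scanDetails = utils.NewScanDetails(...)` instead. The bigger issue is that `repository.JfrogApplicationKey` is presumably still filled in for this command by `setDefaultsIfNeeded` from patch 2 and is then replaced by `""` here, so a user who sets `jfrogApplicationKey` in frogbot-config.yml or exports `JF_APPLICATION_KEY` gets no feedback that scan-repository ignores it. A debug-level line guarded by `if repository.JfrogApplicationKey != ""`, using the logger this file already has, would make the limitation visible. `setCommandPrerequisites` starts before this hunk and continues after it.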
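Review bot: The replace directive on the `+` line of the go.mod hunk now resolves `github.com/jfrog/jfrog-cli-security` to a personal fork, `github.com/eranturgeman/jfrog-cli-security v0.0.0-20250630111707-02606baf6aad`, so every build of this branch pulls security-scanner code from an individual account that sits outside the jfrog organisation's access controls and review process. That is acceptable for a draft while the matching jfrog-cli-security change is in flight, but it must not be merged in this form: swap it back to a `github.com/jfrog/jfrog-cli-security` pseudo-version or tag once upstream lands and regenerate go.sum so the `github.com/eranturgeman/...` entries disappear. The `/go.mod h1:` hash recorded for the fork in go.sum is the same one the removed upstream entry carried, which suggests only Go sources differ in the fork, but that should be confirmed rather than assumed.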
@@ -55,6 +55,8 @@ github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o
 github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
+github.com/eranturgeman/jfrog-cli-security v0.0.0-20250630111707-02606baf6aad h1:Y4e5Py8UPzhVEUq+2S9yPqF2wNi2E99Gnm7oLvJItNE=
+github.com/eranturgeman/jfrog-cli-security v0.0.0-20250630111707-02606baf6aad/go.mod h1:XCm3fmoqCp+BmidG8AUwWpvDiwb2rubJ0gFr5rNtFtM=
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/forPelevin/gomoji v1.3.0 h1:WPIOLWB1bvRYlKZnSSEevLt3IfKlLs+tK+YA9fFYlkE=
@@ -130,8 +132,6 @@ github.com/jfrog/jfrog-cli-artifactory v0.3.2 h1:oBhiHBtWZCe4rG/WSwFWw3gqGnkcj3/
 github.com/jfrog/jfrog-cli-artifactory v0.3.2/go.mod h1:nRWIPgWl6IiZ7u5Ss40BL1YcL/naWwRgnrGllFBV0Ao=
 github.com/jfrog/jfrog-cli-core/v2 v2.59.0 h1:Oqi2+skTbJIRDVyhN8kJdCP8w3w1mzXS1/Mx5AIuMsU=
 github.com/jfrog/jfrog-cli-core/v2 v2.59.0/go.mod h1:1zZB8vn4yIh/hPj3ed82pI5IhKK9/SzeHsofMcknN68=
-github.com/jfrog/jfrog-cli-security v1.19.1-0.20250625095826-3aba9954dfc9 h1:whd88aGYFMSTaZVyObNIbDiPJXGII1Nbt0ce6dMI398=
-github.com/jfrog/jfrog-cli-security v1.19.1-0.20250625095826-3aba9954dfc9/go.mod h1:XCm3fmoqCp+BmidG8AUwWpvDiwb2rubJ0gFr5rNtFtM=
 github.com/jfrog/jfrog-client-go v1.28.1-0.20250623080810-85bcce028748 h1:299KpOItnMAdW2ZmWrqn4+j1dEemNWSX/PHq6C+IVQA=
 github.com/jfrog/jfrog-client-go v1.28.1-0.20250623080810-85bcce028748/go.mod h1:1v0eih4thdPA4clBo9TuvAMT25sGDr1IQJ81DXQ/lBY=
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA=