Scan Pull Request - change to relevant working dir before audit (#404)

jfrog · Jul 30, 2023 · e500ec4 · e500ec4
1 parent 0720844
commit e500ec4
Show file tree

Hide file tree

Showing 7 changed files with 1,121 additions and 54 deletions.
diff --git a/commands/scanpullrequest.go b/commands/scanpullrequest.go
@@ -256,12 +256,18 @@ func downloadAndAuditBranch(scanSetup *utils.ScanDetails) (auditResults *audit.R
 	if err != nil {
 		return
 	}
-	// Cleanup
+	currWd, err := os.Getwd()
+	if err != nil {
+		err = errors.New("unable to retrieve to current working directory while auditing the project. error received:\n" + err.Error())
+		return
+	}
+	if err = os.Chdir(wd); err != nil {
+		err = errors.New("unable to change directory to run an audit on it due to an error:\n" + err.Error())
+		return
+	}
+	// Cleanup and change dir
 	defer func() {
-		e := cleanup()
-		if err == nil {
-			err = e
-		}
+		err = errors.Join(err, os.Chdir(currWd), cleanup())
 	}()
 	fullPathWds := getFullPathWorkingDirs(scanSetup.Project.WorkingDirs, wd)
 	return runInstallAndAudit(scanSetup, fullPathWds...)

diff --git a/commands/utils/simplifiedoutput.go b/commands/utils/simplifiedoutput.go
@@ -80,6 +80,10 @@ func (smo *SimplifiedOutput) EntitledForJas() bool {
 }
 
 func (smo *SimplifiedOutput) VulnerabilitiesContent(vulnerabilities []formats.VulnerabilityOrViolationRow) string {
+	if len(vulnerabilities) == 0 {
+		return ""
+	}
+
 	var contentBuilder strings.Builder
 	// Write summary table part
 	contentBuilder.WriteString(fmt.Sprintf(`

diff --git a/commands/utils/simplifiedoutput_test.go b/commands/utils/simplifiedoutput_test.go
@@ -171,6 +171,11 @@ func TestSimplifiedOutput_VulnerabilitiesContent(t *testing.T) {
 
 	actualContent := so.VulnerabilitiesContent(vulnerabilitiesRows)
 	assert.Equal(t, expectedContent, actualContent, "Content mismatch")
+
+	vulnerabilitiesRows = []formats.VulnerabilityOrViolationRow{}
+	expectedContent = ""
+	actualContent = so.VulnerabilitiesContent(vulnerabilitiesRows)
+	assert.Equal(t, expectedContent, actualContent, "Content mismatch")
 }
 
 func TestSimplifiedOutput_ContentWithContextualAnalysis(t *testing.T) {

diff --git a/commands/utils/standardoutput.go b/commands/utils/standardoutput.go
@@ -83,6 +83,9 @@ func (so *StandardOutput) EntitledForJas() bool {
 }
 
 func (so *StandardOutput) VulnerabilitiesContent(vulnerabilities []formats.VulnerabilityOrViolationRow) string {
+	if len(vulnerabilities) == 0 {
+		return ""
+	}
 	var contentBuilder strings.Builder
 	// Write summary table part
 	contentBuilder.WriteString(fmt.Sprintf(`

diff --git a/commands/utils/standardoutput_test.go b/commands/utils/standardoutput_test.go
@@ -184,8 +184,13 @@ func TestStandardOutput_ContentWithContextualAnalysis(t *testing.T) {
 	// Create a new instance of StandardOutput
 	so := &StandardOutput{entitledForJas: true, vcsProvider: vcsutils.GitHub}
 
+	vulnerabilitiesRows := []formats.VulnerabilityOrViolationRow{}
+	expectedContent := ""
+	actualContent := so.VulnerabilitiesContent(vulnerabilitiesRows)
+	assert.Equal(t, expectedContent, actualContent)
+
 	// Create some sample vulnerabilitiesRows for testing
-	vulnerabilitiesRows := []formats.VulnerabilityOrViolationRow{
+	vulnerabilitiesRows = []formats.VulnerabilityOrViolationRow{
 		{
 			ImpactedDependencyName:    "Dependency1",
 			ImpactedDependencyVersion: "1.0.0",
@@ -201,7 +206,7 @@ func TestStandardOutput_ContentWithContextualAnalysis(t *testing.T) {
 	}
 
 	// Set the expected content string based on the sample data
-	expectedContent := fmt.Sprintf(`
+	expectedContent = fmt.Sprintf(`
 ## 📦 Vulnerable Dependencies 
 
 ### ✍️ Summary
@@ -241,7 +246,7 @@ func TestStandardOutput_ContentWithContextualAnalysis(t *testing.T) {
 		createVulnerabilityDescription(&vulnerabilitiesRows[1]),
 	)
 
-	actualContent := so.VulnerabilitiesContent(vulnerabilitiesRows)
+	actualContent = so.VulnerabilitiesContent(vulnerabilitiesRows)
 	assert.Equal(t, expectedContent, actualContent, "Content mismatch")
 	assert.Contains(t, actualContent, "CONTEXTUAL ANALYSIS")
 	assert.Contains(t, actualContent, "| Applicable |")

diff --git a/go.mod b/go.mod
@@ -6,15 +6,15 @@ require (
 	github.com/go-git/go-git/v5 v5.8.1
 	github.com/golang/mock v1.6.0
 	github.com/jfrog/build-info-go v1.9.6
-	github.com/jfrog/froggit-go v1.12.0
+	github.com/jfrog/froggit-go v1.12.1
 	github.com/jfrog/gofrog v1.3.0
 	github.com/jfrog/jfrog-cli-core/v2 v2.39.3
 	github.com/jfrog/jfrog-client-go v1.31.2
 	github.com/mholt/archiver/v3 v3.5.1
 	github.com/stretchr/testify v1.8.4
 	github.com/urfave/cli/v2 v2.25.7
 	github.com/xeipuuv/gojsonschema v1.2.0
-	golang.org/x/exp v0.0.0-20230725093048-515e97ebf090
+	golang.org/x/exp v0.0.0-20230728194245-b0cb94b80691
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 )
@@ -46,22 +46,22 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/golang/snappy v0.0.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/go-github/v45 v45.2.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gookit/color v1.5.3 // indirect
-	github.com/grokify/mogo v0.40.4 // indirect
+	github.com/grokify/mogo v0.50.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.6.8 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jedib0t/go-pretty/v6 v6.4.6 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.11.4 // indirect
+	github.com/klauspost/compress v1.15.9 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.3 // indirect
 	github.com/klauspost/pgzip v1.2.5 // indirect
-	github.com/ktrysmt/go-bitbucket v0.9.32 // indirect
+	github.com/ktrysmt/go-bitbucket v0.9.63 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
@@ -74,7 +74,7 @@ require (
 	github.com/nwaples/rardecode v1.1.0 // indirect
 	github.com/owenrumney/go-sarif/v2 v2.1.3 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
-	github.com/pierrec/lz4/v4 v4.1.2 // indirect
+	github.com/pierrec/lz4/v4 v4.1.15 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
@@ -93,7 +93,7 @@ require (
 	github.com/ulikunitz/xz v0.5.9 // indirect
 	github.com/urfave/cli v1.22.12 // indirect
 	github.com/vbauerster/mpb/v7 v7.5.3 // indirect
-	github.com/xanzy/go-gitlab v0.52.2 // indirect
+	github.com/xanzy/go-gitlab v0.88.0 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@@ -103,15 +103,15 @@ require (
 	golang.org/x/crypto v0.11.0 // indirect
 	golang.org/x/mod v0.11.0 // indirect
 	golang.org/x/net v0.12.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect
-	golang.org/x/sync v0.1.0 // indirect
+	golang.org/x/oauth2 v0.10.0 // indirect
+	golang.org/x/sync v0.2.0 // indirect
 	golang.org/x/sys v0.10.0 // indirect
 	golang.org/x/term v0.10.0 // indirect
 	golang.org/x/text v0.11.0 // indirect
-	golang.org/x/time v0.1.0 // indirect
-	golang.org/x/tools v0.6.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.7.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )