Unable to marshal Xray Scan Report

[romelusw]

Describe the bug
CVSV2 and CVSV3 Max score properties appear to be float types in the API response of https://www.jfrog.com/confluence/display/JFROG/Xray+REST+API#XrayRESTAPI-GetVulnerabilitiesReportContent. My initial PR for the new reports endpoint attempted to correct that data type in the scan.go resource:#428 (comment), however, @eyalbe4 suggested reverting the fix and is now causing marshaling issues when using the go library.

To Reproduce

• Trigger a new XRay report (manually)
• Retrieve the report content using https://github.com/jfrog/jfrog-client-go#get-vulnerabilities-report-content

Expected behavior
API response should be translatable to the models defined in https://github.com/jfrog/jfrog-client-go/tree/master/xray/services.

Versions

• Xray_version: 3.27.4,
• Xray_revision: 426aac5

Additional context
Sample vulnerability CVE payload:
"cves": [ { "cve": "CVE-2021-21285", "cvss_v2_score": 4.3, "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P", "cvss_v3_score": 6.5, "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ],

[eyalbe4]

Thanks for pointing this out @romelusw.
Feel free to issue a follow-up PR to correct this. We'll take care of making this change compatible with usages of struct you'll be modifying outside of jfrog-client-go.

[romelusw]

Thanks for pointing this out @romelusw. Feel free to issue a follow-up PR to correct this. We'll take care of making this change compatible with usages of struct you'll be modifying outside of jfrog-client-go.

@eyalbe4 please see: #470

[eyalbe4]

The PR is merged @romelusw. Thanks!

[romelusw]

Unit test failure fix: #476

[asafgabai]

Hi @romelusw, In Xray's documentation (that you referred to above) it seems like the CVSS fields ("cvss_v2" and "cvss_v3") are strings, and the CVSS scores are at the beginning of these strings. I found another API there ("/api/v1/reports/violations") where the CVSS score field is a float, but this API is not used in jfrog-client-go.

[romelusw]

Hi @asafgabai the documentation is also incorrect as those properties and their values do not match with what is returned by the API. Please see my sample payload. You can cross verify with an X-ray instance matching the versions I described in the issue.

[asafgabai]

@romelusw Thanks for your answer. I took a look at the PR you opened. Unfortunately, it causes compilation errors in jfrog-cli-core, so it can't be merged right now. I'll think of a solution for this and I'll update here on the progress.

[asafgabai]

Hi @romelusw, I opened a PR (#497) for fixing this issue. I'll update here when it's released.

[asafgabai]

Hi @romelusw, the PR was merged and released in v1.7.1
We'd appreciate your feedback on it.

[romelusw]

@asafgabai it looks good, can you please update #476 to account for the new ReportCve type you introduced

[asafgabai]

@romelusw I'm glad to hear that. It looks like your PR (#476) doesn't need an update. The Cve struct you changed there was replaced by a new struct in my PR so there's no need to change it anymore. I guess you can close your PR.

[shuvadipc]

Closing this inactive thread.