Skip to content

Introduce support for multiple sources and new source type #1120

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rimapol merged 107 commits into from
Jun 19, 2025
Merged

Introduce support for multiple sources and new source type #1120

rimapol merged 107 commits into from
Jun 19, 2025

Conversation

@rimapol
Copy link
Collaborator

@rimapol rimapol commented May 22, 2025
edited
Loading

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • All static analysis checks passed.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.

omerzi and others added 30 commits April 5, 2023 09:49
@omerzi
Promote version to 1.28.1 (jfrog#733)
a664ea4
@eyalbe4
Added the Frogbot badge to the README (jfrog#740)
0b22cb3
@sverdlov93
Merge remote-tracking branch 'upstream/dev' into masterupstream
93d1ee0 
# Conflicts:
#	.github/workflows/analysis.yml
#	go.mod
#	go.sum
#	utils/utils.go
#	xray/services/scan.go
#	xray/services/scan_test.go
@omerzi
Merge remote-tracking branch 'origin/dev'
60012f0
@eyalbe4
Merge branch 'dev'
72340a7
@talarian1
Merge remote-tracking branch 'origin/dev'
3c0e410
@omerzi
Merge remote-tracking branch 'origin/dev'
7dd161b
@talarian1
Merge remote-tracking branch 'origin/dev'
88f4c5c
@yahavi
Merge branch 'master' into dev
21b99ad
@yahavi
Promoted version to 1.29.1
b71c280
@eyalbe4
Merge branch 'dev'
8f7755c
@eyalbe4
Merge branch 'dev'
e6ba583
@RobiNino
Merge branch 'dev'
b624428
@omerzi
Merge branch 'master' into dev
da0c018
@omerzi
Promoted version to 1.31.1
f750025
@omerzi
Merge remote-tracking branch 'origin/dev'
e1d57bd 
# Conflicts:
#	utils/utils.go
@eyalbe4
Merge branch 'dev'
886ff5f
@eyalbe4
Promoted version to 1.31.3
b1ae836
@eyalbe4
Merge branch 'dev'
df38e23
@eyalbe4
Merge branch 'dev'
46b7fb9
@eyalbe4
Resolve conflicts
5f58723
@eyalbe4
Merge branch 'dev'
080ef1a
@attiasas
Merge branch 'dev'
7c244c5
@EyalDelarea
Merge branch 'master' into dev
6d1c9e7
@EyalDelarea
Merge remote-tracking branch 'origin/dev'
b3d917f
@sverdlov93
Merge remote-tracking branch 'upstream/dev'
3be412b
@RobiNino
Merge branch 'dev'
fa697b5
@eranturgeman
Merge remote-tracking branch 'origin/dev'
7b2943f
@eranturgeman
Merge remote-tracking branch 'jfrog-prod/dev'
15552e7
@yahavi
Merge remote-tracking branch 'origin/dev'
9684938
@rimapol rimapol force-pushed the feature/support-multiple-sources branch from f544d9d to 0c93c62 Compare June 6, 2025 10:49
@rimapol rimapol requested a review from bhanurp June 6, 2025 12:22
@rimapol
Copy link
Collaborator Author

rimapol commented Jun 10, 2025

@bhanurp I updated READme.
More comments?

bhanurp
bhanurp reviewed Jun 16, 2025
View reviewed changes
lifecycle/manager.go Outdated
func (lcs *LifecycleServicesManager) CreateReleaseBundlesFromMultipleSources(rbDetails lifecycle.ReleaseBundleDetails,
queryParams lifecycle.CommonOptionalQueryParams, signingKeyName string, sources []lifecycle.RbSource) error {
rbService := lifecycle.NewReleaseBundlesService(lcs.config.GetServiceDetails(), lcs.client)
_, err := rbService.CreateReleaseBundleFromMultipleSources(rbDetails, queryParams, signingKeyName, sources)
Copy link
Contributor

@bhanurp bhanurp Jun 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: It might be a good idea to return the response instead of swallowing and let the caller handle it since jfrog-client-go is an SDK it might useful in other scenarios even though not applicable for your use case.

Copy link
Collaborator Author

@rimapol rimapol Jun 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok

@rimapol rimapol requested a review from bhanurp June 17, 2025 15:06
@bhanurp bhanurp added the safe to test Approve running integration tests on a pull request label Jun 17, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Jun 17, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Jun 17, 2025

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 5 issues
Scan Category Status Security Issues
Software Composition Analysis ℹ️ Not Scanned -
Contextual Analysis ℹ️ Not Scanned -
Static Application Security Testing (SAST) ✅ Done
5 Issues Found 5 Low
Secrets ✅ Done -
Infrastructure as Code (IaC) ✅ Done Not Found

@github-actions
Copy link
Contributor

github-actions bot commented Jun 17, 2025 

{"before transition", "http://platform.jfrog.io/xray/", "3.106.0", "http://platform.jfrog.io/xsc/api/v1/"}

at xsc/services/utils/utils_test.go (line 16)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
low
Low		 Detected usage of communication methods lacking encryption.
Full description

Vulnerability Details
CWE: 319
Rule ID: go-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded
insecure protocols (HTTP and FTP) to connect, making communications susceptible
to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes
secure protocols (HTTPS and FTPS) to ensure that communications are encrypted,
thereby protecting sensitive data.

@github-actions
Copy link
Contributor

github-actions bot commented Jun 17, 2025 

{"after transition", "http://platform.jfrog.io/xray/", "3.107.13", "http://platform.jfrog.io/xray/api/v1/xsc/"}

at xsc/services/utils/utils_test.go (line 15)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
low
Low		 Detected usage of communication methods lacking encryption.
Full description

Vulnerability Details
CWE: 319
Rule ID: go-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded
insecure protocols (HTTP and FTP) to connect, making communications susceptible
to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes
secure protocols (HTTPS and FTPS) to ensure that communications are encrypted,
thereby protecting sensitive data.

@github-actions
Copy link
Contributor

github-actions bot commented Jun 17, 2025 

{"withBuildProperties", "go-repo/github.com/jfrog/test/@v/v1.1.1.zip", "build.name=a;build.number=1", "http://test.url/api/go/", "http://test.url/api/go/go-repo/github.com/jfrog/test/@v/v1.1.1.zip;build.name=a;build.number=1"}

at artifactory/services/go/go_test.go (line 17)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
low
Low		 Detected usage of communication methods lacking encryption.
Full description

Vulnerability Details
CWE: 319
Rule ID: go-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded
insecure protocols (HTTP and FTP) to connect, making communications susceptible
to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes
secure protocols (HTTPS and FTPS) to ensure that communications are encrypted,
thereby protecting sensitive data.

@github-actions
Copy link
Contributor

github-actions bot commented Jun 17, 2025 

{"withoutBuildProperties", "go-repo/github.com/jfrog/test/@v/v1.1.1.zip", "", "http://test.url/api/go/", "http://test.url/api/go/go-repo/github.com/jfrog/test/@v/v1.1.1.zip"}

at artifactory/services/go/go_test.go (line 18)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
low
Low		 Detected usage of communication methods lacking encryption.
Full description

Vulnerability Details
CWE: 319
Rule ID: go-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded
insecure protocols (HTTP and FTP) to connect, making communications susceptible
to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes
secure protocols (HTTPS and FTPS) to ensure that communications are encrypted,
thereby protecting sensitive data.

@github-actions
Copy link
Contributor

github-actions bot commented Jun 17, 2025 

{"withoutBuildPropertiesModExtension", "go-repo/github.com/jfrog/test/@v/v1.1.1.mod", "", "http://test.url/api/go/", "http://test.url/api/go/go-repo/github.com/jfrog/test/@v/v1.1.1.mod"}

at artifactory/services/go/go_test.go (line 19)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding
low
Low		 Detected usage of communication methods lacking encryption.
Full description

Vulnerability Details
CWE: 319
Rule ID: go-insecure-protocol

Overview

Using insecure protocols—such as HTTP, FTP, or LDAP—can expose sensitive
data during transmission, making it vulnerable to eavesdropping and man-in-the-middle
attacks. Secure protocols like HTTPS and FTPS should be used to ensure data
encryption during communication.

Vulnerable example

In this example, the application uses insecure protocols to communicate,
taking the protocol type from hardcoded strings.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this vulnerable example, the ConnectToFrogService method uses hardcoded
insecure protocols (HTTP and FTP) to connect, making communications susceptible
to attacks.

Remediation

To mitigate the use of insecure protocols, replace them with secure alternatives
such as HTTPS or FTPS.

package main

import (
    "fmt"
)

type SwampService struct {
    InsecureHttpProtocol string
    InsecureFtpProtocol  string
}

func NewSwampService() *SwampService {
    return &SwampService{
        InsecureHttpProtocol: "http://", // Insecure protocol
        InsecureFtpProtocol:  "ftp://",  // Insecure protocol
    }
}

func (s *SwampService) ConnectToFrogService(server string) {
    url := s.InsecureHttpProtocol + server + "/frogEndpoint"
    s.connect(url)

    url = s.InsecureFtpProtocol + server + "/frogFile"
    s.connect(url)
}

func (s *SwampService) connect(url string) {
    fmt.Printf("Connecting to %s\n", url)
    // Logic to connect to the service
}

func main() {
    service := NewSwampService()
    service.ConnectToFrogService("example.com")
}

In this remediated example, the ConnectToFrogService method utilizes
secure protocols (HTTPS and FTPS) to ensure that communications are encrypted,
thereby protecting sensitive data.

@rimapol rimapol merged commit 6ff3439 into jfrog:dev Jun 19, 2025
3 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bhanurp bhanurp bhanurp approved these changes

@fluxxBot fluxxBot Awaiting requested review from fluxxBot

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.