From 4b02a95c72f972bdbb203056058a3e4e134eae2d Mon Sep 17 00:00:00 2001
From: Eyal Kapon
Date: Sun, 22 Sep 2024 12:19:04 +0300
Subject: [PATCH 1/3] added a check for sarif to append only needed scanners
---
 utils/resultwriter.go | 32 +++++++++++++++++++-------------
 utils/securityJobSummary.go | 2 +-
 2 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/utils/resultwriter.go b/utils/resultwriter.go
index 9eb70064..d9b3f34d 100644
--- a/utils/resultwriter.go
+++ b/utils/resultwriter.go
@@ -141,7 +141,7 @@ func (rw *ResultsWriter) PrintScanResults() error {
 case format.Json:
 return PrintJson(rw.results.GetScaScansXrayResults())
 case format.Sarif:
- return PrintSarif(rw.results, rw.isMultipleRoots, rw.includeLicenses)
+ return PrintSarif(rw.results, rw.isMultipleRoots, rw.includeLicenses, rw.subScansPreformed, rw.results.ResultType)
 }
 return nil
 }
@@ -157,7 +157,7 @@ func (rw *ResultsWriter) printScanResultsTables() (err error) {
 printMessage(coreutils.PrintTitle("The full scan results are available here: ") + coreutils.PrintLink(resultsPath))
 }
 log.Output()
- if shouldPrintTable(rw.subScansPreformed, ScaScan, rw.results.ResultType) {
+ if shouldScannerBeCalled(rw.subScansPreformed, ScaScan, rw.results.ResultType) {
 if rw.hasViolationContext {
 if err = PrintViolationsTable(violations, rw.results, rw.isMultipleRoots, rw.printExtended); err != nil {
 return
@@ -174,23 +174,23 @@ func (rw *ResultsWriter) printScanResultsTables() (err error) {
 }
 }
 }
- if shouldPrintTable(rw.subScansPreformed, SecretsScan, rw.results.ResultType) {
+ if shouldScannerBeCalled(rw.subScansPreformed, SecretsScan, rw.results.ResultType) {
 if err = PrintSecretsTable(rw.results.ExtendedScanResults.SecretsScanResults, rw.results.ExtendedScanResults.EntitledForJas, rw.results.ExtendedScanResults.SecretValidation); err != nil {
 return
 }
 }
- if shouldPrintTable(rw.subScansPreformed, IacScan, rw.results.ResultType) {
+ if shouldScannerBeCalled(rw.subScansPreformed, IacScan, rw.results.ResultType) {
 if err = PrintIacTable(rw.results.ExtendedScanResults.IacScanResults, rw.results.ExtendedScanResults.EntitledForJas); err != nil {
 return
 }
 }
- if !shouldPrintTable(rw.subScansPreformed, SastScan, rw.results.ResultType) {
+ if !shouldScannerBeCalled(rw.subScansPreformed, SastScan, rw.results.ResultType) {
 return nil
 }
 return PrintSastTable(rw.results.ExtendedScanResults.SastScanResults, rw.results.ExtendedScanResults.EntitledForJas)
 }
 
-func shouldPrintTable(requestedScans []SubScanType, subScan SubScanType, scanType CommandType) bool {
+func shouldScannerBeCalled(requestedScans []SubScanType, subScan SubScanType, scanType CommandType) bool {
 if scanType.IsTargetBinary() && (subScan == IacScan || subScan == SastScan) {
 return false
 }
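Review bot: `shouldScannerBeCalled` is a misleading name for what the new code uses it for: in `printScanResultsTables` it is evaluated after the scans have already run and only decides whether a sub-scan's results are printed, and the SARIF path in this series uses it the same way. Either rename it (e.g. `shouldReportSubScan`) or at least document the contract, since it has no doc comment; a suggested comment above the signature is `// shouldScannerBeCalled reports whether results of subScan are included in the output of a scanType command; IaC and SAST results are never included for binary targets.` The function body continues past the end of the hunk, so the remaining rule on requestedScans is not visible here.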
@@ -210,7 +210,13 @@ func printMessage(message string) {
 log.Output("💬" + message)
 }
 
-func GenerateSarifReportFromResults(results *Results, isMultipleRoots, includeLicenses bool, allowedLicenses []string) (report *sarif.Report, err error) {
+func appendRunsIfRequired(requestedScans []SubScanType, subScan SubScanType, scanType CommandType, results *Results, scanResults []*sarif.Run, report *sarif.Report) {
+ if shouldScannerBeCalled(requestedScans, subScan, scanType) {
+ report.Runs = append(report.Runs, patchRunsToPassIngestionRules(subScan, results, scanResults...)...)
+ }
+}
+
+func GenerateSarifReportFromResults(results *Results, isMultipleRoots, includeLicenses bool, allowedLicenses []string, requestedScans []SubScanType, scanType CommandType) (report *sarif.Report, err error) {
 report, err = sarifutils.NewReport()
 if err != nil {
 return
@@ -220,10 +226,10 @@ func GenerateSarifReportFromResults(results *Results, isMultipleRoots, includeLi
 return
 }
 
- report.Runs = append(report.Runs, patchRunsToPassIngestionRules(ScaScan, results, xrayRun)...)
- report.Runs = append(report.Runs, patchRunsToPassIngestionRules(IacScan, results, results.ExtendedScanResults.IacScanResults...)...)
- report.Runs = append(report.Runs, patchRunsToPassIngestionRules(SecretsScan, results, results.ExtendedScanResults.SecretsScanResults...)...)
- report.Runs = append(report.Runs, patchRunsToPassIngestionRules(SastScan, results, results.ExtendedScanResults.SastScanResults...)...)
+ appendRunsIfRequired(requestedScans, ScaScan, scanType, results, []*sarif.Run{xrayRun}, report)
+ appendRunsIfRequired(requestedScans, IacScan, scanType, results, results.ExtendedScanResults.IacScanResults, report)
+ appendRunsIfRequired(requestedScans, SecretsScan, scanType, results, results.ExtendedScanResults.SecretsScanResults, report)
+ appendRunsIfRequired(requestedScans, SastScan, scanType, results, results.ExtendedScanResults.SastScanResults, report)
 return
 }
 
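Review bot: In the `@@ -220` hunk, `xrayRun` is still produced unconditionally in the lines between the two hunks and only its inclusion in `report.Runs` is gated by `appendRunsIfRequired(requestedScans, ScaScan, ...)`; if that conversion from `results` is the expensive step (it is not visible here, so this is inferred from the name), it could be skipped behind the same `shouldScannerBeCalled(requestedScans, ScaScan, scanType)` check rather than computed and then dropped. The same shape survives the rework in the third patch (`@@ -226` of `utils/resultwriter.go`). `GenerateSarifReportFromResults` starts in the first hunk and the code between the hunks is outside view.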
@@ -927,8 +933,8 @@ func PrintJson(output interface{}) error {
 return nil
 }
 
-func PrintSarif(results *Results, isMultipleRoots, includeLicenses bool) error {
- sarifReport, err := GenerateSarifReportFromResults(results, isMultipleRoots, includeLicenses, nil)
+func PrintSarif(results *Results, isMultipleRoots, includeLicenses bool, subScans []SubScanType, commandType CommandType) error {
+ sarifReport, err := GenerateSarifReportFromResults(results, isMultipleRoots, includeLicenses, nil, subScans, commandType)
 if err != nil {
 return err
 }
diff --git a/utils/securityJobSummary.go b/utils/securityJobSummary.go
index e71d7d51..0e32cfe1 100644
--- a/utils/securityJobSummary.go
+++ b/utils/securityJobSummary.go
@@ -187,7 +187,7 @@ func RecordSarifOutput(cmdResults *Results) (err error) {
 log.Info("Results can be uploaded to Github security tab automatically by upgrading your JFrog subscription.")
 return
 }
- sarifReport, err := GenerateSarifReportFromResults(cmdResults, true, false, nil)
+ sarifReport, err := GenerateSarifReportFromResults(cmdResults, true, false, nil, []SubScanType{}, cmdResults.ResultType)
 if err != nil {
 return err
 }
From 2f944da129d56ff8b4eacb11a17ca8f695cc99ac Mon Sep 17 00:00:00 2001
From: Eyal Kapon
Date: Sun, 22 Sep 2024 14:16:56 +0300
Subject: [PATCH 2/3] added a check for sarif to append only needed scanners
---
 utils/securityJobSummary.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/securityJobSummary.go b/utils/securityJobSummary.go
index 0e32cfe1..ce406842 100644
--- a/utils/securityJobSummary.go
+++ b/utils/securityJobSummary.go
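Review bot: The new parameters are named differently at every layer of the same call chain: `GenerateSarifReportFromResults` takes `requestedScans, scanType`, the `PrintSarif` signature in this hunk takes `subScans []SubScanType, commandType CommandType`, and in the third patch `RecordSarifOutput` takes `supportedScans`. All three carry the same value down to `shouldScannerBeCalled(requestedScans, ...)`, so matching the callee's names would make the chain readable, e.g. `func PrintSarif(results *Results, isMultipleRoots, includeLicenses bool, requestedScans []SubScanType, scanType CommandType) error {`. The same applies to the `RecordSarifOutput` hunks of `utils/securityJobSummary.go` in the third patch.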
@@ -187,7 +187,7 @@ func RecordSarifOutput(cmdResults *Results) (err error) {
 log.Info("Results can be uploaded to Github security tab automatically by upgrading your JFrog subscription.")
 return
 }
- sarifReport, err := GenerateSarifReportFromResults(cmdResults, true, false, nil, []SubScanType{}, cmdResults.ResultType)
+ sarifReport, err := GenerateSarifReportFromResults(cmdResults, true, false, nil, GetAllSupportedScans(), cmdResults.ResultType)
 if err != nil {
 return err
 }
From 083b79206228e5c934b1dccf1b2d8fdb030981a4 Mon Sep 17 00:00:00 2001
From: Eyal Kapon
Date: Mon, 23 Sep 2024 12:50:00 +0300
Subject: [PATCH 3/3] cr fixes
---
 commands/scan/dockerscan.go | 2 +-
 commands/scan/scan.go | 2 +-
 utils/resultwriter.go | 15 ++++++++-------
 utils/securityJobSummary.go | 4 ++--
 utils/securityJobSummary_test.go | 11 +++++------
 5 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/commands/scan/dockerscan.go b/commands/scan/dockerscan.go
index dfb9c59c..88728882 100644
--- a/commands/scan/dockerscan.go
+++ b/commands/scan/dockerscan.go
@@ -106,7 +106,7 @@ func (dsc *DockerScanCommand) Run() (err error) {
 }
 }
 dsc.analyticsMetricsService.UpdateGeneralEvent(dsc.analyticsMetricsService.CreateXscAnalyticsGeneralEventFinalizeFromAuditResults(scanResults))
- if err = utils.RecordSarifOutput(scanResults); err != nil {
+ if err = utils.RecordSarifOutput(scanResults, utils.GetAllSupportedScans()); err != nil {
 return
 }
 return utils.RecordSecurityCommandSummary(utils.NewDockerScanSummary(
diff --git a/commands/scan/scan.go b/commands/scan/scan.go
index 1d34dbef..b580e70a 100644
--- a/commands/scan/scan.go
+++ b/commands/scan/scan.go
@@ -201,7 +201,7 @@ func (scanCmd *ScanCommand) indexFile(filePath string) (*xrayUtils.BinaryGraphNo
 
 func (scanCmd *ScanCommand) Run() (err error) {
 return scanCmd.RunAndRecordResults(utils.Binary, func(scanResults *utils.Results) (err error) {
- if err = utils.RecordSarifOutput(scanResults); err != nil {
+ if err = utils.RecordSarifOutput(scanResults, utils.GetAllSupportedScans()); err != nil {
 return
 }
 return utils.RecordSecurityCommandSummary(utils.NewBinaryScanSummary(
diff --git a/utils/resultwriter.go b/utils/resultwriter.go
index d9b3f34d..6e3ca524 100644
--- a/utils/resultwriter.go
+++ b/utils/resultwriter.go
@@ -210,10 +210,11 @@ func printMessage(message string) {
 log.Output("💬" + message)
 }
 
-func appendRunsIfRequired(requestedScans []SubScanType, subScan SubScanType, scanType CommandType, results *Results, scanResults []*sarif.Run, report *sarif.Report) {
- if shouldScannerBeCalled(requestedScans, subScan, scanType) {
- report.Runs = append(report.Runs, patchRunsToPassIngestionRules(subScan, results, scanResults...)...)
+func filterAndPatchRunsIfRequired(requestedScans []SubScanType, subScan SubScanType, scanType CommandType, results *Results, scanResults []*sarif.Run) (filtered []*sarif.Run) {
+ if !shouldScannerBeCalled(requestedScans, subScan, scanType) {
+ return
 }
+ return patchRunsToPassIngestionRules(subScan, results, scanResults...)
 }
 
 func GenerateSarifReportFromResults(results *Results, isMultipleRoots, includeLicenses bool, allowedLicenses []string, requestedScans []SubScanType, scanType CommandType) (report *sarif.Report, err error) {
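Review bot: `filterAndPatchRunsIfRequired` in the `utils/resultwriter.go` hunk declares a named result `filtered` solely so the guard can use a bare `return`, which hides that nil is what comes back, and the helper has no doc comment. An unnamed result with an explicit value reads better: change the signature tail to `scanResults []*sarif.Run) []*sarif.Run {` and the guard to `return nil`, and add above it `// filterAndPatchRunsIfRequired returns scanResults patched to pass ingestion rules when subScan is reported for scanType, or nil so the caller appends nothing.` The `append(report.Runs, ...)` call sites in the next hunk are unaffected by this.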
@@ -226,10 +227,10 @@ func GenerateSarifReportFromResults(results *Results, isMultipleRoots, includeLi
 return
 }
 
- appendRunsIfRequired(requestedScans, ScaScan, scanType, results, []*sarif.Run{xrayRun}, report)
- appendRunsIfRequired(requestedScans, IacScan, scanType, results, results.ExtendedScanResults.IacScanResults, report)
- appendRunsIfRequired(requestedScans, SecretsScan, scanType, results, results.ExtendedScanResults.SecretsScanResults, report)
- appendRunsIfRequired(requestedScans, SastScan, scanType, results, results.ExtendedScanResults.SastScanResults, report)
+ report.Runs = append(report.Runs, filterAndPatchRunsIfRequired(requestedScans, ScaScan, scanType, results, []*sarif.Run{xrayRun})...)
+ report.Runs = append(report.Runs, filterAndPatchRunsIfRequired(requestedScans, IacScan, scanType, results, results.ExtendedScanResults.IacScanResults)...)
+ report.Runs = append(report.Runs, filterAndPatchRunsIfRequired(requestedScans, SecretsScan, scanType, results, results.ExtendedScanResults.SecretsScanResults)...)
+ report.Runs = append(report.Runs, filterAndPatchRunsIfRequired(requestedScans, SastScan, scanType, results, results.ExtendedScanResults.SastScanResults)...)
 return
 }
 
diff --git a/utils/securityJobSummary.go b/utils/securityJobSummary.go
index ce406842..dc283b08 100644
--- a/utils/securityJobSummary.go
+++ b/utils/securityJobSummary.go
@@ -173,7 +173,7 @@ func RecordSecurityCommandSummary(content ScanCommandResultSummary) (err error)
 return manager.Record(content)
 }
 
-func RecordSarifOutput(cmdResults *Results) (err error) {
+func RecordSarifOutput(cmdResults *Results, supportedScans []SubScanType) (err error) {
 manager, err := getRecordManager()
 if err != nil || manager == nil {
 return
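Review bot: The new `supportedScans` parameter of `RecordSarifOutput` (the `utils/securityJobSummary.go` hunk) is undocumented, and both callers in this patch (`commands/scan/dockerscan.go`, `commands/scan/scan.go`) pass `utils.GetAllSupportedScans()`, so for those commands the only filtering left is what `shouldScannerBeCalled` derives from `cmdResults.ResultType` (the `IsTargetBinary` rule for IaC/SAST seen in the first patch); a caller that wants the recorded SARIF limited to the sub-scans it actually ran has to pass that list itself. A doc comment would make that contract explicit: `// RecordSarifOutput records the SARIF report for cmdResults; only runs of the sub-scans listed in supportedScans are included.` The body of `RecordSarifOutput` continues past the end of the hunk.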
@@ -187,7 +187,7 @@ func RecordSarifOutput(cmdResults *Results) (err error) {
 log.Info("Results can be uploaded to Github security tab automatically by upgrading your JFrog subscription.")
 return
 }
- sarifReport, err := GenerateSarifReportFromResults(cmdResults, true, false, nil, GetAllSupportedScans(), cmdResults.ResultType)
+ sarifReport, err := GenerateSarifReportFromResults(cmdResults, true, false, nil, supportedScans, cmdResults.ResultType)
 if err != nil {
 return err
 }
diff --git a/utils/securityJobSummary_test.go b/utils/securityJobSummary_test.go
index 218fbc1f..abcc4f3b 100644
--- a/utils/securityJobSummary_test.go
+++ b/utils/securityJobSummary_test.go
@@ -2,11 +2,6 @@ package utils
 
 import (
 "fmt"
- "os"
- "path/filepath"
- "strings"
- "testing"
-
 "github.com/jfrog/jfrog-cli-core/v2/artifactory/utils/commandsummary"
 coreUtils "github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
 coreTests "github.com/jfrog/jfrog-cli-core/v2/utils/tests"
@@ -15,6 +10,10 @@ import (
 "github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 clientTests "github.com/jfrog/jfrog-client-go/utils/tests"
 "github.com/stretchr/testify/assert"
+ "os"
+ "path/filepath"
+ "strings"
+ "testing"
 )
 
 var (
@@ -62,7 +61,7 @@ func TestSaveSarifOutputOnlyForJasEntitled(t *testing.T) {
 cleanUp := clientTests.SetEnvWithCallbackAndAssert(t, coreUtils.SummaryOutputDirPathEnv, tempDir)
 defer cleanUp()
 
- assert.NoError(t, RecordSarifOutput(createDummyJasResult(testCase.isJasEntitled)))
+ assert.NoError(t, RecordSarifOutput(createDummyJasResult(testCase.isJasEntitled), GetAllSupportedScans()))
 assert.Equal(t, testCase.isJasEntitled, hasFilesInDir(t, filepath.Join(tempDir, commandsummary.OutputDirName, "security", string(commandsummary.SarifReport))))
 })
 }
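Review bot: The two import hunks in `utils/securityJobSummary_test.go` move the standard-library imports (`os`, `path/filepath`, `strings`, `testing`) from their own group at the top of the block to the tail of the third-party group and drop the blank line that separated them, which is the reverse of the `goimports` grouping (standard library first, then a blank line, then everything else). Nothing in the file needs this reordering, since the `@@ -62` hunk only adds the `GetAllSupportedScans()` argument, so keeping the original grouping avoids churn and keeps the file `goimports`-clean.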