From 48d6b58042827dfb207366d167d14c378b25994e Mon Sep 17 00:00:00 2001 From: attiasas Date: Thu, 5 Feb 2026 14:26:46 +0200 Subject: [PATCH 01/10] Move language and project type to techdata --- commands/curation/curationaudit.go | 2 +- jas/common.go | 2 +- utils/artifactory/artifactoryutils.go | 4 +- .../simplejsonparser/simplejsonparser.go | 2 +- utils/techutils/techutils.go | 117 +++++++++--------- utils/techutils/techutils_test.go | 2 +- 6 files changed, 67 insertions(+), 62 deletions(-) diff --git a/commands/curation/curationaudit.go b/commands/curation/curationaudit.go index cac76c591..ab066d8e9 100644 --- a/commands/curation/curationaudit.go +++ b/commands/curation/curationaudit.go @@ -756,7 +756,7 @@ func (ca *CurationAuditCommand) SetRepo(tech techutils.Technology) error { return nil } - resolverParams, err := ca.getRepoParams(techutils.TechToProjectType[tech]) + resolverParams, err := ca.getRepoParams(tech.GetProjectType()) if err != nil { return err } diff --git a/jas/common.go b/jas/common.go index 974a4d044..50697e5e2 100644 --- a/jas/common.go +++ b/jas/common.go @@ -490,7 +490,7 @@ func GetAnalyzerManagerXscEnvVars(msi string, gitRepoUrl, projectKey string, wat } technology := technologies[0] envVars[JfPackageManagerEnvVariable] = technology.String() - envVars[JfLanguageEnvVariable] = string(techutils.TechnologyToLanguage(technology)) + envVars[JfLanguageEnvVariable] = string(technology.GetLanguage()) return envVars } diff --git a/utils/artifactory/artifactoryutils.go b/utils/artifactory/artifactoryutils.go index 751134b17..f3c72aa28 100644 --- a/utils/artifactory/artifactoryutils.go +++ b/utils/artifactory/artifactoryutils.go 
@@ -45,7 +45,7 @@ func GetResolutionRepoIfExists(tech techutils.Technology) (details *ArtifactoryD // Searches for the configuration file based on the technology type. If found, it extracts the resolver repository from it. func getArtifactoryRepositoryConfig(tech techutils.Technology) (repoConfig *project.RepositoryConfig, err error) { - configFilePath, exists, err := project.GetProjectConfFilePath(techutils.TechToProjectType[tech]) + configFilePath, exists, err := project.GetProjectConfFilePath(tech.GetProjectType()) if err != nil { err = fmt.Errorf("failed while searching for %s.yaml config file: %s", tech.String(), err.Error()) return @@ -54,7 +54,7 @@ func getArtifactoryRepositoryConfig(tech techutils.Technology) (repoConfig *proj // Nuget and Dotnet are identified similarly in the detection process. To prevent redundancy, Dotnet is filtered out earlier in the process, focusing solely on detecting Nuget. // Consequently, it becomes necessary to verify the presence of dotnet.yaml when Nuget detection occurs. if tech == techutils.Nuget { - configFilePath, exists, err = project.GetProjectConfFilePath(techutils.TechToProjectType[techutils.Dotnet]) + configFilePath, exists, err = project.GetProjectConfFilePath(techutils.Dotnet.GetProjectType()) if err != nil { err = fmt.Errorf("failed while searching for %s.yaml config file: %s", tech.String(), err.Error()) return diff --git a/utils/results/conversion/simplejsonparser/simplejsonparser.go b/utils/results/conversion/simplejsonparser/simplejsonparser.go index 36dcde021..217e39684 100644 --- a/utils/results/conversion/simplejsonparser/simplejsonparser.go +++ b/utils/results/conversion/simplejsonparser/simplejsonparser.go 
@@ -250,7 +250,7 @@ func (sjc *CmdResultsSimpleJsonConverter) createVulnerabilityOrViolationRowFromC ImpactPaths: impactPaths, Cves: results.CdxVulnToCveRows(vulnerability, contextualAnalysis), FixedVersions: results.CdxToFixedVersions(fixedVersions), - Technology: results.GetIssueTechnology(techutils.CdxPackageTypeToXrayPackageType(compType), sjc.currentTarget.Technology), + Technology: results.GetIssueTechnology(techutils.CdxPackageTypeToTechnology(compType).String(), sjc.currentTarget.Technology), References: toReferences(vulnerability), Applicable: applicabilityStatus.ToString(sjc.pretty), JfrogResearchInformation: jfrogResearch, diff --git a/utils/techutils/techutils.go b/utils/techutils/techutils.go index cf0c63a32..a9e33bcc2 100644 --- a/utils/techutils/techutils.go +++ b/utils/techutils/techutils.go @@ -24,6 +24,22 @@ import ( ) const JfrogCleanTechSubModulesEnv = "JFROG_CLI_CLEAN_SUB_MODULES" +const Pypi = "pypi" + +type CodeLanguage string + +const ( + JavaScript CodeLanguage = "javascript" + Python CodeLanguage = "python" + GoLang CodeLanguage = "go" + Java CodeLanguage = "java" + CSharp CodeLanguage = "C#" + CPP CodeLanguage = "C++" + Ruby CodeLanguage = "ruby" + // package can have multiple languages + CocoapodsLang CodeLanguage = "Any" + SwiftLang CodeLanguage = "Any" +) type Technology string @@ -47,7 +63,6 @@ const ( NoTech Technology = "" Gem Technology = "ruby" ) -const Pypi = "pypi" var AllTechnologiesStrings = []string{ Maven.String(), 
@@ -92,39 +107,6 @@ func IsValidTechnology(tech string) bool { return false } -type CodeLanguage string - -const ( - JavaScript CodeLanguage = "javascript" - Python CodeLanguage = "python" - GoLang CodeLanguage = "go" - Java CodeLanguage = "java" - CSharp CodeLanguage = "C#" - CPP CodeLanguage = "C++" - Ruby CodeLanguage = "ruby" - // CocoapodsLang package can have multiple languages - CocoapodsLang CodeLanguage = "Any" - SwiftLang CodeLanguage = "Any" -) - -// Associates a technology with project type (used in config commands for the package-managers). -// Docker is not present, as there is no docker-config command and, consequently, no docker.yaml file we need to operate on. -var TechToProjectType = map[Technology]project.ProjectType{ - Maven: project.Maven, - Gradle: project.Gradle, - Npm: project.Npm, - Yarn: project.Yarn, - Go: project.Go, - Pip: project.Pip, - Pipenv: project.Pipenv, - Poetry: project.Poetry, - Nuget: project.Nuget, - Dotnet: project.Dotnet, - Cocoapods: project.Cocoapods, - Swift: project.Swift, - Gem: project.Ruby, -} - var packageTypes = map[string]string{ "gav": "Maven", "maven": "Maven", @@ -144,16 +126,15 @@ var packageTypes = map[string]string{ } // The identifier of the package type used in cdx. -// https://github.com/package-url/purl-spec/blob/main/PURL-TYPES.rst +// https://github.com/package-url/purl-spec/blob/main/docs/types.md var cdxPurlPackageTypes = map[string]string{ - "gav": "maven", "docker": "docker", "rpm": "rpm", "deb": "deb", "nuget": "nuget", "generic": "generic", "npm": "npm", - "pypi": "pypi", + "pypi": "pip", "composer": "composer", "go": "golang", "alpine": "alpine", 
@@ -183,6 +164,10 @@ type TechData struct { packageVersionOperator string // The package installation command of a package packageInstallationCommand string + // The project type of the technology if exists + projectType project.ProjectType + // The language of the technology + language CodeLanguage } // Given a file content, returns true if the content is an indicator of the technology. @@ -193,10 +178,14 @@ var technologiesData = map[Technology]TechData{ indicators: []string{"pom.xml"}, packageDescriptors: []string{"pom.xml"}, execCommand: "mvn", + projectType: project.Maven, + language: Java, }, Gradle: { indicators: []string{"build.gradle", "build.gradle.kts"}, packageDescriptors: []string{"build.gradle", "build.gradle.kts"}, + projectType: project.Gradle, + language: Java, }, Npm: { indicators: []string{"package.json", "package-lock.json", "npm-shrinkwrap.json"}, @@ -205,6 +194,8 @@ var technologiesData = map[Technology]TechData{ formal: string(Npm), packageVersionOperator: "@", packageInstallationCommand: "install", + projectType: project.Npm, + language: JavaScript, }, Pnpm: { indicators: []string{"pnpm-lock.yaml"}, @@ -213,18 +204,24 @@ var technologiesData = map[Technology]TechData{ packageVersionOperator: "@", packageTypeId: "npm://", packageInstallationCommand: "update", + projectType: project.Npm, + language: JavaScript, }, Yarn: { indicators: []string{".yarnrc.yml", "yarn.lock", ".yarn", ".yarnrc"}, exclude: []string{"pnpm-lock.yaml"}, packageDescriptors: []string{"package.json"}, packageVersionOperator: "@", + projectType: project.Yarn, + language: JavaScript, }, Go: { indicators: []string{"go.mod"}, packageDescriptors: []string{"go.mod"}, packageVersionOperator: "@v", packageInstallationCommand: "get", + projectType: project.Go, + language: GoLang, }, Pip: { packageType: Pypi, 
@@ -232,6 +229,8 @@ var technologiesData = map[Technology]TechData{ validators: map[string]ContentValidator{"pyproject.toml": pyProjectTomlIndicatorContent(Pip)}, packageDescriptors: []string{"setup.py", "requirements.txt", "pyproject.toml"}, exclude: []string{"Pipfile", "Pipfile.lock", "poetry.lock"}, + projectType: project.Pip, + language: Python, }, Pipenv: { packageType: Pypi, @@ -239,6 +238,8 @@ var technologiesData = map[Technology]TechData{ packageDescriptors: []string{"Pipfile"}, packageVersionOperator: "==", packageInstallationCommand: "install", + projectType: project.Pipenv, + language: Python, }, Poetry: { packageType: Pypi, @@ -247,6 +248,8 @@ var technologiesData = map[Technology]TechData{ packageDescriptors: []string{"pyproject.toml"}, packageInstallationCommand: "add", packageVersionOperator: "==", + projectType: project.Poetry, + language: Python, }, Nuget: { indicators: []string{".sln", ".csproj"}, 
@@ -257,35 +260,48 @@ var technologiesData = map[Technology]TechData{ packageInstallationCommand: "add", // packageName -v packageVersion packageVersionOperator: " -v ", + projectType: project.Nuget, + language: CSharp, }, Dotnet: { indicators: []string{".sln", ".csproj"}, packageDescriptors: []string{".sln", ".csproj"}, formal: ".NET", + projectType: project.Dotnet, + language: CSharp, }, - Docker: {}, - Oci: {}, + Docker: { + projectType: project.Docker, + }, + Oci: {}, Conan: { indicators: []string{"conanfile.txt", "conanfile.py"}, packageDescriptors: []string{"conanfile.txt", "conanfile.py"}, formal: "Conan", + language: CPP, }, Cocoapods: { indicators: []string{"Podfile", "Podfile.lock"}, packageDescriptors: []string{"Podfile", "Podfile.lock"}, formal: "Cocoapods", packageTypeId: "cocoapods://", + projectType: project.Cocoapods, + language: CocoapodsLang, }, Swift: { indicators: []string{"Package.swift", "Package.resolved"}, packageDescriptors: []string{"Package.swift", "Package.resolved"}, formal: "Swift", packageTypeId: "swift://", + projectType: project.Swift, + language: SwiftLang, }, Gem: { indicators: []string{"Gemfile"}, packageDescriptors: []string{"Gemfile"}, formal: "gem", + projectType: project.Ruby, + language: Ruby, }, } @@ -314,23 +330,8 @@ func pyProjectTomlIndicatorContent(tech Technology) ContentValidator { } } -func TechnologyToLanguage(technology Technology) CodeLanguage { - languageMap := map[Technology]CodeLanguage{ - Npm: JavaScript, - Pip: Python, - Poetry: Python, - Pipenv: Python, - Go: GoLang, - Maven: Java, - Gradle: Java, - Nuget: CSharp, - Dotnet: CSharp, - Yarn: JavaScript, - Pnpm: JavaScript, - Cocoapods: CocoapodsLang, - Swift: SwiftLang, - } - return languageMap[technology] +func (tech Technology) GetLanguage() CodeLanguage { + return technologiesData[tech].language } func (tech Technology) ToFormal() string { 
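Review bot: The new `Docker` entry carries `projectType: project.Docker`, so `Docker.GetProjectType()` now yields `project.Docker` where the deleted `TechToProjectType` map deliberately had no Docker key ("there is no docker-config command and, consequently, no docker.yaml file"); callers such as `getArtifactoryRepositoryConfig` will therefore search for a Docker config file instead of receiving the zero `ProjectType`. In the same hunk `Conan` gains `language: CPP` although the replaced `TechnologyToLanguage` map had no Conan entry, which changes the value written to `JfLanguageEnvVariable` for Conan scans. If both are intentional, say so next to the entries, e.g. `// Not present in the former TechToProjectType/TechnologyToLanguage maps; added deliberately — confirm docker.yaml handling`, and extend `TestTechnologyToLanguage` with Conan, Docker and Oci cases so the new mappings are pinned.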
@@ -365,6 +366,10 @@ func (tech Technology) GetPackageTypeId() string { return technologiesData[tech].packageTypeId } +func (tech Technology) GetProjectType() project.ProjectType { + return technologiesData[tech].projectType +} + func (tech Technology) GetPackageDescriptor() []string { return technologiesData[tech].packageDescriptors } diff --git a/utils/techutils/techutils_test.go b/utils/techutils/techutils_test.go index 0a78da7f3..fad296d30 100644 --- a/utils/techutils/techutils_test.go +++ b/utils/techutils/techutils_test.go @@ -708,7 +708,7 @@ func TestTechnologyToLanguage(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - assert.Equalf(t, tt.language, TechnologyToLanguage(tt.technology), "TechnologyToLanguage(%v) == %v", tt.technology, tt.language) + assert.Equalf(t, tt.language, tt.technology.GetLanguage(), "TechnologyToLanguage(%v) == %v", tt.technology, tt.language) }) } } From 2c266d17eb425bdf64537101bf800e4752ce57e4 Mon Sep 17 00:00:00 2001 From: attiasas Date: Thu, 5 Feb 2026 16:11:21 +0200 Subject: [PATCH 02/10] remove all other maps other from techdata --- .../technologies/cocoapods/cocoapods.go | 6 +- .../technologies/cocoapods/cocoapods_test.go | 18 +-- sca/bom/buildinfo/technologies/npm/npm.go | 6 +- .../buildinfo/technologies/npm/npm_test.go | 2 +- sca/bom/buildinfo/technologies/pnpm/pnpm.go | 2 +- sca/bom/buildinfo/technologies/swift/swift.go | 6 +- .../technologies/swift/swift_test.go | 20 +-- sca/bom/buildinfo/technologies/yarn/yarn.go | 2 +- .../buildinfo/technologies/yarn/yarn_test.go | 2 +- utils/formats/simplejsonapi.go | 2 +- utils/results/common.go | 2 +- .../simplejsonparser/simplejsonparser.go | 2 +- utils/techutils/techutils.go | 152 +++++++++--------- 13 files changed, 112 insertions(+), 110 deletions(-) diff --git a/sca/bom/buildinfo/technologies/cocoapods/cocoapods.go b/sca/bom/buildinfo/technologies/cocoapods/cocoapods.go index b2b84c6db..3c9adb85e 100644 
--- a/sca/bom/buildinfo/technologies/cocoapods/cocoapods.go +++ b/sca/bom/buildinfo/technologies/cocoapods/cocoapods.go @@ -219,7 +219,7 @@ func BuildDependencyTree(params technologies.BuildInfoBomGeneratorParams) (depen } versionMap[packageName] = VersionForMainModule rootNode := &xrayUtils.GraphNode{ - Id: techutils.Cocoapods.GetPackageTypeId() + packageInfo, + Id: techutils.Cocoapods.GetXrayPackageTypeId() + packageInfo, Nodes: []*xrayUtils.GraphNode{}, } // Parse the dependencies into Xray dependency tree format @@ -235,12 +235,12 @@ func parsePodDependenciesList(currNode *xrayUtils.GraphNode, dependenciesGraph m return } uniqueDepsSet.Add(currNode.Id) - pkgName := strings.Split(strings.TrimPrefix(currNode.Id, techutils.Cocoapods.GetPackageTypeId()), ":")[0] + pkgName := strings.Split(strings.TrimPrefix(currNode.Id, techutils.Cocoapods.GetXrayPackageTypeId()), ":")[0] currDepChildren := dependenciesGraph[pkgName] for _, childName := range currDepChildren { fullChildName := fmt.Sprintf("%s:%s", childName, versionMap[childName]) childNode := &xrayUtils.GraphNode{ - Id: techutils.Cocoapods.GetPackageTypeId() + fullChildName, + Id: techutils.Cocoapods.GetXrayPackageTypeId() + fullChildName, Nodes: []*xrayUtils.GraphNode{}, Parent: currNode, } diff --git a/sca/bom/buildinfo/technologies/cocoapods/cocoapods_test.go b/sca/bom/buildinfo/technologies/cocoapods/cocoapods_test.go index 982c11fe5..d495f69f4 100644 --- a/sca/bom/buildinfo/technologies/cocoapods/cocoapods_test.go +++ b/sca/bom/buildinfo/technologies/cocoapods/cocoapods_test.go 
@@ -35,14 +35,14 @@ func TestBuildCocoapodsDependencyList(t *testing.T) { packageName := filepath.Base(currentDir) packageInfo := fmt.Sprintf("%s:%s", packageName, VersionForMainModule) expectedUniqueDeps := []string{ - techutils.Cocoapods.GetPackageTypeId() + "AppAuth:1.7.5", - techutils.Cocoapods.GetPackageTypeId() + "AppAuth/Core:1.7.5", - techutils.Cocoapods.GetPackageTypeId() + "AppAuth/ExternalUserAgent:1.7.5", - techutils.Cocoapods.GetPackageTypeId() + "GoogleSignIn:6.2.4", - techutils.Cocoapods.GetPackageTypeId() + "GTMAppAuth:1.3.1", - techutils.Cocoapods.GetPackageTypeId() + "GTMSessionFetcher/Core:2.3.0", - techutils.Cocoapods.GetPackageTypeId() + "nanopb:0.3.0", - techutils.Cocoapods.GetPackageTypeId() + packageInfo, + techutils.Cocoapods.GetXrayPackageTypeId() + "AppAuth:1.7.5", + techutils.Cocoapods.GetXrayPackageTypeId() + "AppAuth/Core:1.7.5", + techutils.Cocoapods.GetXrayPackageTypeId() + "AppAuth/ExternalUserAgent:1.7.5", + techutils.Cocoapods.GetXrayPackageTypeId() + "GoogleSignIn:6.2.4", + techutils.Cocoapods.GetXrayPackageTypeId() + "GTMAppAuth:1.3.1", + techutils.Cocoapods.GetXrayPackageTypeId() + "GTMSessionFetcher/Core:2.3.0", + techutils.Cocoapods.GetXrayPackageTypeId() + "nanopb:0.3.0", + techutils.Cocoapods.GetXrayPackageTypeId() + packageInfo, } auditBasicParams := technologies.BuildInfoBomGeneratorParams{ServerDetails: server} @@ -51,7 +51,7 @@ func TestBuildCocoapodsDependencyList(t *testing.T) { assert.ElementsMatch(t, uniqueDeps, expectedUniqueDeps, "First is actual, Second is Expected") assert.NotEmpty(t, rootNode) - assert.Equal(t, rootNode[0].Id, techutils.Cocoapods.GetPackageTypeId()+packageInfo) + assert.Equal(t, rootNode[0].Id, techutils.Cocoapods.GetXrayPackageTypeId()+packageInfo) assert.Len(t, rootNode[0].Nodes, 2) child1 := tests.GetAndAssertNode(t, rootNode[0].Nodes, "nanopb:0.3.0") diff --git a/sca/bom/buildinfo/technologies/npm/npm.go b/sca/bom/buildinfo/technologies/npm/npm.go index 25bb98d27..65af75b4e 100644 
--- a/sca/bom/buildinfo/technologies/npm/npm.go +++ b/sca/bom/buildinfo/technologies/npm/npm.go @@ -102,9 +102,9 @@ func addIgnoreScriptsFlag(npmArgs []string) []string { func parseNpmDependenciesList(dependencies []buildinfo.Dependency, packageInfo *biutils.PackageInfo) (*xrayUtils.GraphNode, []string) { treeMap := make(map[string]xray.DepTreeNode) for _, dependency := range dependencies { - dependencyId := techutils.Npm.GetPackageTypeId() + dependency.Id + dependencyId := techutils.Npm.GetXrayPackageTypeId() + dependency.Id for _, requestedByNode := range dependency.RequestedBy { - parent := techutils.Npm.GetPackageTypeId() + requestedByNode[0] + parent := techutils.Npm.GetXrayPackageTypeId() + requestedByNode[0] depTreeNode, ok := treeMap[parent] if ok { depTreeNode.Children = appendUniqueChild(depTreeNode.Children, dependencyId) @@ -114,7 +114,7 @@ func parseNpmDependenciesList(dependencies []buildinfo.Dependency, packageInfo * treeMap[parent] = depTreeNode } } - graph, nodeMapTypes := xray.BuildXrayDependencyTree(treeMap, techutils.Npm.GetPackageTypeId()+packageInfo.BuildInfoModuleId()) + graph, nodeMapTypes := xray.BuildXrayDependencyTree(treeMap, techutils.Npm.GetXrayPackageTypeId()+packageInfo.BuildInfoModuleId()) return graph, maps.Keys(nodeMapTypes) } diff --git a/sca/bom/buildinfo/technologies/npm/npm_test.go b/sca/bom/buildinfo/technologies/npm/npm_test.go index 9af35fa03..1fec44287 100644 --- a/sca/bom/buildinfo/technologies/npm/npm_test.go +++ b/sca/bom/buildinfo/technologies/npm/npm_test.go @@ -107,7 +107,7 @@ func TestParseNpmDependenciesList(t *testing.T) { } expectedUniqueDeps := []string{xrayDependenciesTree.Id} for _, dep := range dependencies { - expectedUniqueDeps = append(expectedUniqueDeps, techutils.Npm.GetPackageTypeId()+dep.Id) + expectedUniqueDeps = append(expectedUniqueDeps, techutils.Npm.GetXrayPackageTypeId()+dep.Id) } assert.ElementsMatch(t, uniqueDeps, expectedUniqueDeps, "First is actual, Second is Expected") 
diff --git a/sca/bom/buildinfo/technologies/pnpm/pnpm.go b/sca/bom/buildinfo/technologies/pnpm/pnpm.go index dc7858c9e..191afbd99 100644 --- a/sca/bom/buildinfo/technologies/pnpm/pnpm.go +++ b/sca/bom/buildinfo/technologies/pnpm/pnpm.go @@ -180,7 +180,7 @@ func createProjectDependenciesTree(project pnpmLsProject) map[string]xray.DepTre // Return npm://: of a dependency func getDependencyId(depName, version string) string { - return techutils.Npm.GetPackageTypeId() + depName + ":" + version + return techutils.Npm.GetXrayPackageTypeId() + depName + ":" + version } func appendTransitiveDependencies(parent string, dependencies map[string]pnpmLsDependency, result *map[string]xray.DepTreeNode) { diff --git a/sca/bom/buildinfo/technologies/swift/swift.go b/sca/bom/buildinfo/technologies/swift/swift.go index c2c90e862..7eb7970e1 100644 --- a/sca/bom/buildinfo/technologies/swift/swift.go +++ b/sca/bom/buildinfo/technologies/swift/swift.go @@ -275,7 +275,7 @@ func BuildDependencyTree(params technologies.BuildInfoBomGeneratorParams) (depen } versionMap[packageName] = VersionForMainModule rootNode := &xrayUtils.GraphNode{ - Id: techutils.Swift.GetPackageTypeId() + packageInfo, + Id: techutils.Swift.GetXrayPackageTypeId() + packageInfo, Nodes: []*xrayUtils.GraphNode{}, } // Parse the dependencies into Xray dependency tree format 
@@ -291,12 +291,12 @@ func parseSwiftDependenciesList(currNode *xrayUtils.GraphNode, dependenciesGraph return } uniqueDepsSet.Add(currNode.Id) - pkgName := strings.Split(strings.TrimPrefix(currNode.Id, techutils.Swift.GetPackageTypeId()), ":")[0] + pkgName := strings.Split(strings.TrimPrefix(currNode.Id, techutils.Swift.GetXrayPackageTypeId()), ":")[0] currDepChildren := dependenciesGraph[pkgName] for _, childName := range currDepChildren { fullChildName := fmt.Sprintf("%s:%s", childName, versionMap[childName]) childNode := &xrayUtils.GraphNode{ - Id: techutils.Swift.GetPackageTypeId() + fullChildName, + Id: techutils.Swift.GetXrayPackageTypeId() + fullChildName, Nodes: []*xrayUtils.GraphNode{}, Parent: currNode, } diff --git a/sca/bom/buildinfo/technologies/swift/swift_test.go b/sca/bom/buildinfo/technologies/swift/swift_test.go index c3bc4bdf8..e588917f6 100644 --- a/sca/bom/buildinfo/technologies/swift/swift_test.go +++ b/sca/bom/buildinfo/technologies/swift/swift_test.go 
@@ -33,15 +33,15 @@ func TestBuildSwiftDependencyList(t *testing.T) { assert.NoError(t, err) packageInfo := fmt.Sprintf("%s:%s", packageName, VersionForMainModule) expectedUniqueDeps := []string{ - techutils.Swift.GetPackageTypeId() + "github.com/apple/swift-algorithms:1.2.0", - techutils.Swift.GetPackageTypeId() + "github.com/apple/swift-numerics:1.0.2", - techutils.Swift.GetPackageTypeId() + "github.com/apple/swift-nio-http2:1.19.0", - techutils.Swift.GetPackageTypeId() + "github.com/apple/swift-atomics:1.2.0", - techutils.Swift.GetPackageTypeId() + "github.com/apple/swift-collections:1.1.4", - techutils.Swift.GetPackageTypeId() + "github.com/apple/swift-system:1.4.0", - techutils.Swift.GetPackageTypeId() + "github.com/apple/swift-http-types:1.0.2", - techutils.Swift.GetPackageTypeId() + "github.com/apple/swift-nio:2.76.1", - techutils.Swift.GetPackageTypeId() + packageInfo, + techutils.Swift.GetXrayPackageTypeId() + "github.com/apple/swift-algorithms:1.2.0", + techutils.Swift.GetXrayPackageTypeId() + "github.com/apple/swift-numerics:1.0.2", + techutils.Swift.GetXrayPackageTypeId() + "github.com/apple/swift-nio-http2:1.19.0", + techutils.Swift.GetXrayPackageTypeId() + "github.com/apple/swift-atomics:1.2.0", + techutils.Swift.GetXrayPackageTypeId() + "github.com/apple/swift-collections:1.1.4", + techutils.Swift.GetXrayPackageTypeId() + "github.com/apple/swift-system:1.4.0", + techutils.Swift.GetXrayPackageTypeId() + "github.com/apple/swift-http-types:1.0.2", + techutils.Swift.GetXrayPackageTypeId() + "github.com/apple/swift-nio:2.76.1", + techutils.Swift.GetXrayPackageTypeId() + packageInfo, } params := technologies.BuildInfoBomGeneratorParams{ServerDetails: server} 
@@ -50,7 +50,7 @@ func TestBuildSwiftDependencyList(t *testing.T) { assert.ElementsMatch(t, uniqueDeps, expectedUniqueDeps, "First is actual, Second is Expected") assert.NotEmpty(t, rootNode) - assert.Equal(t, rootNode[0].Id, techutils.Swift.GetPackageTypeId()+packageInfo) + assert.Equal(t, rootNode[0].Id, techutils.Swift.GetXrayPackageTypeId()+packageInfo) assert.Len(t, rootNode[0].Nodes, 11) child1 := tests.GetAndAssertNode(t, rootNode[0].Nodes, "github.com/apple/swift-algorithms:1.2.0") diff --git a/sca/bom/buildinfo/technologies/yarn/yarn.go b/sca/bom/buildinfo/technologies/yarn/yarn.go index 13c4cbbe4..00f7d61c0 100644 --- a/sca/bom/buildinfo/technologies/yarn/yarn.go +++ b/sca/bom/buildinfo/technologies/yarn/yarn.go @@ -235,5 +235,5 @@ func getXrayDependencyId(yarnDependency *bibuildutils.YarnDependency) (string, e if err != nil { return "", err } - return techutils.Npm.GetPackageTypeId() + dependencyName + ":" + yarnDependency.Details.Version, nil + return techutils.Npm.GetXrayPackageTypeId() + dependencyName + ":" + yarnDependency.Details.Version, nil } diff --git a/sca/bom/buildinfo/technologies/yarn/yarn_test.go b/sca/bom/buildinfo/technologies/yarn/yarn_test.go index 7541eaf69..be564f670 100644 --- a/sca/bom/buildinfo/technologies/yarn/yarn_test.go +++ b/sca/bom/buildinfo/technologies/yarn/yarn_test.go @@ -20,7 +20,7 @@ import ( ) func TestParseYarnDependenciesMap(t *testing.T) { - npmId := techutils.Npm.GetPackageTypeId() + npmId := techutils.Npm.GetXrayPackageTypeId() testCases := []struct { name string diff --git a/utils/formats/simplejsonapi.go b/utils/formats/simplejsonapi.go index b9fb7a2bf..f663c629a 100644 --- a/utils/formats/simplejsonapi.go +++ b/utils/formats/simplejsonapi.go 
@@ -76,7 +76,7 @@ type VulnerabilityOrViolationRow struct { References []string `json:"references"` ImpactPaths [][]ComponentRow `json:"impactPaths"` JfrogResearchInformation *JfrogResearchInformation `json:"jfrogResearchInformation"` - Technology techutils.Technology `json:"-"` + Technology techutils.Technology `json:"tech"` } type LicenseViolationRow struct { diff --git a/utils/results/common.go b/utils/results/common.go index 3a0dac740..f5876cecc 100644 --- a/utils/results/common.go +++ b/utils/results/common.go @@ -616,7 +616,7 @@ func GetUniqueKey(vulnerableDependency, vulnerableVersion, xrayID string, fixVer // Found use of a badCode inside the node_modules from a different package, report applicable. func shouldDisqualifyEvidence(components map[string]services.Component, evidenceFilePath string) (disqualify bool) { for key := range components { - if !strings.HasPrefix(key, techutils.Npm.GetPackageTypeId()) { + if !strings.HasPrefix(key, techutils.Npm.GetXrayPackageTypeId()) { return } dependencyName, _, _ := techutils.SplitComponentIdRaw(key) diff --git a/utils/results/conversion/simplejsonparser/simplejsonparser.go b/utils/results/conversion/simplejsonparser/simplejsonparser.go index 217e39684..88926c5a9 100644 --- a/utils/results/conversion/simplejsonparser/simplejsonparser.go +++ b/utils/results/conversion/simplejsonparser/simplejsonparser.go @@ -250,7 +250,7 @@ func (sjc *CmdResultsSimpleJsonConverter) createVulnerabilityOrViolationRowFromC ImpactPaths: impactPaths, Cves: results.CdxVulnToCveRows(vulnerability, contextualAnalysis), FixedVersions: results.CdxToFixedVersions(fixedVersions), - Technology: results.GetIssueTechnology(techutils.CdxPackageTypeToTechnology(compType).String(), sjc.currentTarget.Technology), + Technology: results.GetIssueTechnology(compType, sjc.currentTarget.Technology), References: toReferences(vulnerability), Applicable: applicabilityStatus.ToString(sjc.pretty), JfrogResearchInformation: jfrogResearch, 
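Review bot: `results.GetIssueTechnology` now receives the raw CycloneDX component type string (e.g. `golang`, `pypi`), where before it received a `Technology` name (`go`, `pip`) via `CdxPackageTypeToTechnology(compType).String()`; unless `GetIssueTechnology` (outside this diff) was updated to understand purl types, Go and Python issues will presumably stop resolving to their technology, so a test on `createVulnerabilityOrViolationRowFromC…` with a `golang` component would settle it. The `simplejsonapi.go` change from `json:"-"` to `json:"tech"` also turns `Technology` into a public field of the SimpleJSON output, which is an output-schema change rather than a refactor and deserves a doc line such as `// Technology of the vulnerable component; serialized as "tech" in SimpleJSON output.`. The enclosing function in simplejsonparser.go starts and ends outside the hunk.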
diff --git a/utils/techutils/techutils.go b/utils/techutils/techutils.go index a9e33bcc2..755457697 100644 --- a/utils/techutils/techutils.go +++ b/utils/techutils/techutils.go @@ -24,7 +24,6 @@ import ( ) const JfrogCleanTechSubModulesEnv = "JFROG_CLI_CLEAN_SUB_MODULES" -const Pypi = "pypi" type CodeLanguage string @@ -55,15 +54,26 @@ const ( Poetry Technology = "poetry" Nuget Technology = "nuget" Dotnet Technology = "dotnet" - Docker Technology = "docker" - Oci Technology = "oci" Conan Technology = "conan" Cocoapods Technology = "cocoapods" Swift Technology = "swift" - NoTech Technology = "" Gem Technology = "ruby" + // Not Supported by build-info BOM generator + Docker Technology = "docker" + Oci Technology = "oci" + // Rpm Technology = "rpm" + // Deb Technology = "deb" + // Composer Technology = "composer" + // Alpine Technology = "alpine" + // TODO: replace with Generic + NoTech Technology = "" + // Generic Technology = "generic" ) +// Alternative package types for some technologies +const Pypi = "pypi" // pip, pipenv, poetry +const Gav = "gav" // maven, gradle + var AllTechnologiesStrings = []string{ Maven.String(), Gradle.String(), 
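Review bot: The commented-out constants `// Rpm Technology = "rpm"` … `// Generic Technology = "generic"` are dead code inside a `const` block; a single comment listing the Xray package types that have no `Technology` yet, e.g. `// TODO: rpm, deb, composer, alpine and generic are reported by Xray but have no Technology/TechData entry yet`, keeps the block readable and avoids stale declarations drifting from the real ones. The `Pypi`/`Gav` constants would also read better as a parenthesized group with a comment that says what they are: `// Xray package types shared by several technologies.`.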
@@ -107,45 +117,14 @@ func IsValidTechnology(tech string) bool { return false } -var packageTypes = map[string]string{ - "gav": "Maven", - "maven": "Maven", - "gradle": "Gradle", - "docker": "Docker", - "rpm": "RPM", - "deb": "Debian", - "nuget": "NuGet", - "generic": "Generic", - "npm": "npm", - "pip": "Python", - "pypi": "Python", - "composer": "Composer", - "go": "Go", - "alpine": "Alpine", - "rubygems": "Gem", -} - -// The identifier of the package type used in cdx. -// https://github.com/package-url/purl-spec/blob/main/docs/types.md -var cdxPurlPackageTypes = map[string]string{ - "docker": "docker", - "rpm": "rpm", - "deb": "deb", - "nuget": "nuget", - "generic": "generic", - "npm": "npm", - "pypi": "pip", - "composer": "composer", - "go": "golang", - "alpine": "alpine", - "swift": "swift", -} - type TechData struct { - // The name of the package type used in this technology. + // Formal name of the technology (if not as the technology) + formal string + // The name of the package type used in this technology. (if not as the technology) + // https://github.com/package-url/purl-spec/blob/main/docs/types.md packageType string - // The package type ID used in Xray. - packageTypeId string + // The package type used in Xray. (if not as the technology) + xrayPackageType string // Suffixes of file/directory names that indicate if a project uses this technology. // The name of at least one of the files/directories in the project's directory must end with one of these suffixes. indicators []string @@ -156,8 +135,6 @@ type TechData struct { exclude []string // The files that handle the project's dependencies. packageDescriptors []string - // Formal name of the technology - formal string // The executable name of the technology execCommand string // The operator for package versioning 
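Review bot: The new field comments "(if not as the technology)" do not say what the zero value means, even though the getters rely on it as a fallback to `tech.String()`; suggested wording: `// formal is the display name of the technology; empty means tech.String() is used.`, `// packageType is the purl type (see link); empty means tech.String() is used.`, `// xrayPackageType is the package type in Xray component IDs (e.g. "gav"); empty means tech.String() is used.`. It is worth stating explicitly that several technologies intentionally share a `packageType` or `xrayPackageType` (Maven/Gradle, Pip/Pipenv/Poetry, Npm/Pnpm), because any code that reverse-maps from those fields to a `Technology` must then pick a winner deterministically.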
@@ -175,6 +152,8 @@ type ContentValidator func(content []byte) bool var technologiesData = map[Technology]TechData{ Maven: { + formal: "Maven", + xrayPackageType: Gav, indicators: []string{"pom.xml"}, packageDescriptors: []string{"pom.xml"}, execCommand: "mvn", @@ -182,6 +161,8 @@ var technologiesData = map[Technology]TechData{ language: Java, }, Gradle: { + formal: "Gradle", + xrayPackageType: Gav, indicators: []string{"build.gradle", "build.gradle.kts"}, packageDescriptors: []string{"build.gradle", "build.gradle.kts"}, projectType: project.Gradle, @@ -198,11 +179,12 @@ var technologiesData = map[Technology]TechData{ language: JavaScript, }, Pnpm: { + packageType: "npm", + xrayPackageType: "npm", indicators: []string{"pnpm-lock.yaml"}, exclude: []string{".yarnrc.yml", "yarn.lock", ".yarn"}, packageDescriptors: []string{"package.json"}, packageVersionOperator: "@", - packageTypeId: "npm://", packageInstallationCommand: "update", projectType: project.Npm, language: JavaScript, @@ -216,6 +198,7 @@ var technologiesData = map[Technology]TechData{ language: JavaScript, }, Go: { + packageType: "golang", indicators: []string{"go.mod"}, packageDescriptors: []string{"go.mod"}, packageVersionOperator: "@v", @@ -224,7 +207,9 @@ var technologiesData = map[Technology]TechData{ language: GoLang, }, Pip: { + formal: "Python", packageType: Pypi, + xrayPackageType: Pypi, indicators: []string{"pyproject.toml", "setup.py", "requirements.txt"}, validators: map[string]ContentValidator{"pyproject.toml": pyProjectTomlIndicatorContent(Pip)}, packageDescriptors: []string{"setup.py", "requirements.txt", "pyproject.toml"}, @@ -233,7 +218,9 @@ var technologiesData = map[Technology]TechData{ language: Python, }, Pipenv: { + formal: "Python", packageType: Pypi, + xrayPackageType: Pypi, indicators: []string{"Pipfile", "Pipfile.lock"}, packageDescriptors: []string{"Pipfile"}, packageVersionOperator: "==", 
@@ -242,7 +229,9 @@ var technologiesData = map[Technology]TechData{ language: Python, }, Poetry: { + formal: "Poetry", packageType: Pypi, + xrayPackageType: Pypi, indicators: []string{"pyproject.toml", "poetry.lock"}, validators: map[string]ContentValidator{"pyproject.toml": pyProjectTomlIndicatorContent(Poetry)}, packageDescriptors: []string{"pyproject.toml"}, @@ -252,9 +241,9 @@ var technologiesData = map[Technology]TechData{ language: Python, }, Nuget: { + formal: "NuGet", indicators: []string{".sln", ".csproj"}, packageDescriptors: []string{".sln", ".csproj"}, - formal: "NuGet", // .NET CLI is used for NuGet projects execCommand: "dotnet", packageInstallationCommand: "add", 
@@ -264,45 +253,53 @@ var technologiesData = map[Technology]TechData{ language: CSharp, }, Dotnet: { + formal: ".NET", indicators: []string{".sln", ".csproj"}, packageDescriptors: []string{".sln", ".csproj"}, - formal: ".NET", projectType: project.Dotnet, language: CSharp, }, - Docker: { - projectType: project.Docker, - }, - Oci: {}, Conan: { + formal: "Conan", indicators: []string{"conanfile.txt", "conanfile.py"}, packageDescriptors: []string{"conanfile.txt", "conanfile.py"}, - formal: "Conan", language: CPP, }, Cocoapods: { + formal: "Cocoapods", indicators: []string{"Podfile", "Podfile.lock"}, packageDescriptors: []string{"Podfile", "Podfile.lock"}, - formal: "Cocoapods", - packageTypeId: "cocoapods://", projectType: project.Cocoapods, language: CocoapodsLang, }, Swift: { + formal: "Swift", indicators: []string{"Package.swift", "Package.resolved"}, packageDescriptors: []string{"Package.swift", "Package.resolved"}, - formal: "Swift", - packageTypeId: "swift://", projectType: project.Swift, language: SwiftLang, }, Gem: { + formal: "gem", + packageType: "gem", + xrayPackageType: "rubygems", indicators: []string{"Gemfile"}, packageDescriptors: []string{"Gemfile"}, - formal: "gem", projectType: project.Ruby, language: Ruby, }, + // Not Supported by build-info BOM generator + Docker: { + formal: "Docker", + projectType: project.Docker, + }, + Oci: {}, + // Rpm: { formal: "RPM"}, + // Deb: { formal: "Debian"}, + // Generic: { formal: "Generic"}, + // Composer: { formal: "Composer"}, + // Alpine: { formal: "Alpine"}, + } var ( @@ -352,6 +349,13 @@ func (tech Technology) GetExecCommandName() string { return technologiesData[tech].execCommand } +func (tech Technology) GetXrayPackageType() string { + if technologiesData[tech].xrayPackageType == "" { + return tech.String() + } + return technologiesData[tech].xrayPackageType +} + func (tech Technology) GetPackageType() string { if technologiesData[tech].packageType == "" { return tech.String() 
@@ -359,11 +363,8 @@ func (tech Technology) GetPackageType() string { return technologiesData[tech].packageType } -func (tech Technology) GetPackageTypeId() string { - if technologiesData[tech].packageTypeId == "" { - return fmt.Sprintf("%s://", tech.GetPackageType()) - } - return technologiesData[tech].packageTypeId +func (tech Technology) GetXrayPackageTypeId() string { + return fmt.Sprintf("%s://", tech.GetXrayPackageType()) } func (tech Technology) GetProjectType() project.ProjectType { @@ -745,7 +746,7 @@ func DetectedTechnologiesToSlice(detected map[Technology]map[string][]string) [] func ToTechnologies(args []string) (technologies []Technology) { for _, argument := range args { - technologies = append(technologies, Technology(argument)) + technologies = append(technologies, ToTechnology(argument)) } return } @@ -828,8 +829,10 @@ func SplitComponentId(componentId string) (string, string, string) { } func ConvertXrayPackageType(xrayPackageType string) string { - if xrayPackageType != "" && packageTypes[xrayPackageType] != "" { - return packageTypes[xrayPackageType] + for tech, cdxType := range technologiesData { + if (cdxType.xrayPackageType != "" && cdxType.xrayPackageType == xrayPackageType) || (cdxType.xrayPackageType == "" && tech.String() == xrayPackageType) { + return cdxType.packageType + } } return xrayPackageType } @@ -846,12 +849,9 @@ func ToXrayComponentId(packageType, componentName, componentVersion string) stri } func CdxPackageTypeToTechnology(cdxPackageType string) Technology { - for tech, cdxType := range cdxPurlPackageTypes { - if cdxType == cdxPackageType { - if tech == "gav" { - return Technology(cdxType) - } - return Technology(tech) + for tech, cdxType := range technologiesData { + if (cdxType.packageType != "" && cdxType.packageType == cdxPackageType) || (cdxType.packageType == "" && tech.String() == cdxPackageType) { + return tech } } // If the package type is not found in the map, return NoTech 
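Review bot: The rewritten `ConvertXrayPackageType` and `CdxPackageTypeToTechnology` return on the first match while ranging over the `technologiesData` map, and Go randomizes map iteration order, so whenever two technologies share a `packageType` or `xrayPackageType` the result can differ from run to run (the first hunk of this patch gives Poetry the same `Pypi` values its neighbours appear to use, and `ToXrayComponentId` below treats `gav` as shared). The same pattern is in the two functions at L23, the renames at L24 and L25, and `XrayPackageTypeToCdxPackageType` at L29; the later hunk at L32 pins a few cases by hand. A deterministic alternative is to iterate a fixed-order slice of technologies (the order of `AllTechnologiesStrings`, say) or to build reverse maps once at package init and reject duplicate keys there, so the preference between aliases is explicit rather than a property of iteration order.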
@@ -859,16 +859,18 @@ func CdxPackageTypeToTechnology(cdxPackageType string) Technology { } func ToCdxPackageType(packageType string) string { - if cdxPackageType, exist := cdxPurlPackageTypes[packageType]; exist { - return cdxPackageType + for tech, cdxType := range technologiesData { + if (cdxType.xrayPackageType != "" && cdxType.xrayPackageType == packageType) || (cdxType.xrayPackageType == "" && tech.String() == packageType) { + return cdxType.packageType + } } return packageType } func CdxPackageTypeToXrayPackageType(cdxPackageType string) string { - for xrayPackageType, cdxType := range cdxPurlPackageTypes { - if cdxType == cdxPackageType { - return xrayPackageType + for tech, cdxType := range technologiesData { + if (cdxType.packageType != "" && cdxType.packageType == cdxPackageType) || (cdxType.packageType == "" && tech.String() == cdxPackageType) { + return cdxType.xrayPackageType } } return cdxPackageType From e104b67a36b543a91812bb7db1ceece392197c65 Mon Sep 17 00:00:00 2001 From: attiasas Date: Thu, 5 Feb 2026 16:34:07 +0200 Subject: [PATCH 03/10] start fixing tests --- utils/techutils/techutils.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/utils/techutils/techutils.go b/utils/techutils/techutils.go index 755457697..621ec1af6 100644 --- a/utils/techutils/techutils.go +++ b/utils/techutils/techutils.go @@ -849,8 +849,8 @@ func ToXrayComponentId(packageType, componentName, componentVersion string) stri } func CdxPackageTypeToTechnology(cdxPackageType string) Technology { - for tech, cdxType := range technologiesData { - if (cdxType.packageType != "" && cdxType.packageType == cdxPackageType) || (cdxType.packageType == "" && tech.String() == cdxPackageType) { + for tech, techData := range technologiesData { + if (techData.packageType != "" && techData.packageType == cdxPackageType) || (techData.packageType == "" && tech.String() == cdxPackageType) { return tech } } 
@@ -859,18 +859,18 @@ func CdxPackageTypeToTechnology(cdxPackageType string) Technology { } func ToCdxPackageType(packageType string) string { - for tech, cdxType := range technologiesData { - if (cdxType.xrayPackageType != "" && cdxType.xrayPackageType == packageType) || (cdxType.xrayPackageType == "" && tech.String() == packageType) { - return cdxType.packageType + for tech, techData := range technologiesData { + if (techData.xrayPackageType != "" && techData.xrayPackageType == packageType) || (techData.xrayPackageType == "" && tech.String() == packageType) { + return tech.GetPackageType() } } return packageType } func CdxPackageTypeToXrayPackageType(cdxPackageType string) string { - for tech, cdxType := range technologiesData { - if (cdxType.packageType != "" && cdxType.packageType == cdxPackageType) || (cdxType.packageType == "" && tech.String() == cdxPackageType) { - return cdxType.xrayPackageType + for tech, techData := range technologiesData { + if (techData.packageType != "" && techData.packageType == cdxPackageType) || (techData.packageType == "" && tech.String() == cdxPackageType) { + return tech.GetXrayPackageType() } } return cdxPackageType From 9e799e26356e36bca69a955523c822c9e7047937 Mon Sep 17 00:00:00 2001 From: attiasas Date: Thu, 5 Feb 2026 16:40:46 +0200 Subject: [PATCH 04/10] fix more --- utils/techutils/techutils.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/utils/techutils/techutils.go b/utils/techutils/techutils.go index 621ec1af6..4c5b519ce 100644 --- a/utils/techutils/techutils.go +++ b/utils/techutils/techutils.go 
@@ -829,9 +829,9 @@ func SplitComponentId(componentId string) (string, string, string) { } func ConvertXrayPackageType(xrayPackageType string) string { - for tech, cdxType := range technologiesData { - if (cdxType.xrayPackageType != "" && cdxType.xrayPackageType == xrayPackageType) || (cdxType.xrayPackageType == "" && tech.String() == xrayPackageType) { - return cdxType.packageType + for tech, techData := range technologiesData { + if (techData.xrayPackageType != "" && techData.xrayPackageType == xrayPackageType) || (techData.xrayPackageType == "" && tech.String() == xrayPackageType) { + return tech.GetPackageType() } } return xrayPackageType From 02559b11d12723c2c792fe04c188c1d9c1dc8e34 Mon Sep 17 00:00:00 2001 From: attiasas Date: Thu, 5 Feb 2026 17:02:16 +0200 Subject: [PATCH 05/10] add missing tech data --- utils/results/common.go | 10 ++++- .../simplejsonparser/simplejsonparser.go | 12 ++--- .../conversion/tableparser/tableparser.go | 2 +- utils/techutils/techutils.go | 45 ++++++++----------- utils/techutils/techutils_test.go | 4 +- 5 files changed, 37 insertions(+), 36 deletions(-) diff --git a/utils/results/common.go b/utils/results/common.go index f5876cecc..eb663f509 100644 --- a/utils/results/common.go +++ b/utils/results/common.go 
@@ -906,12 +906,20 @@ func CreateScaComponentFromXrayCompId(xrayImpactedPackageId string, properties . Type: cyclonedx.ComponentTypeLibrary, Name: compName, Version: compVersion, - PackageURL: techutils.ToPackageUrl(compName, compVersion, techutils.ToCdxPackageType(compType)), + PackageURL: techutils.ToPackageUrl(compName, compVersion, techutils.XrayPackageTypeToCdxPackageType(compType)), } component.Properties = cdxutils.AppendProperties(component.Properties, properties...) return } +func FormalTechOrCdxCompType(cdxCompType string) string { + tech := techutils.CdxPackageTypeToTechnology(cdxCompType) + if tech != techutils.NoTech { + return tech.ToFormal() + } + return cdxCompType +} + func CreateScaComponentFromBinaryNode(node *xrayUtils.BinaryGraphNode) (component cyclonedx.Component) { // Create the component component = CreateScaComponentFromXrayCompId(node.Id) diff --git a/utils/results/conversion/simplejsonparser/simplejsonparser.go b/utils/results/conversion/simplejsonparser/simplejsonparser.go index 88926c5a9..236c88992 100644 --- a/utils/results/conversion/simplejsonparser/simplejsonparser.go +++ b/utils/results/conversion/simplejsonparser/simplejsonparser.go @@ -120,7 +120,7 @@ func (sjc *CmdResultsSimpleJsonConverter) ParseSbomLicenses(sbom *cyclonedx.BOM) ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ ImpactedDependencyName: strings.ReplaceAll(compName, "/", ":"), ImpactedDependencyVersion: compVersion, - ImpactedDependencyType: techutils.ConvertXrayPackageType(techutils.CdxPackageTypeToXrayPackageType(compType)), + ImpactedDependencyType: results.FormalTechOrCdxCompType(compType), Components: results.ExtractComponentDirectComponentsInBOM(sbom, component, impactPaths), }, ImpactPaths: impactPaths, 
@@ -244,7 +244,7 @@ func (sjc *CmdResultsSimpleJsonConverter) createVulnerabilityOrViolationRowFromC SeverityDetails: severityutils.GetAsDetails(severity, applicabilityStatus, sjc.pretty), ImpactedDependencyName: strings.ReplaceAll(compName, "/", ":"), ImpactedDependencyVersion: compVersion, - ImpactedDependencyType: techutils.ConvertXrayPackageType(techutils.CdxPackageTypeToXrayPackageType(compType)), + ImpactedDependencyType: results.FormalTechOrCdxCompType(compType), Components: directComponents, }, ImpactPaths: impactPaths, @@ -282,7 +282,7 @@ func (sjc *CmdResultsSimpleJsonConverter) createLicenseViolationRow(licenseKey, SeverityDetails: severityutils.GetAsDetails(severity, jasutils.NotScanned, sjc.pretty), ImpactedDependencyName: strings.ReplaceAll(compName, "/", ":"), ImpactedDependencyVersion: compVersion, - ImpactedDependencyType: techutils.ConvertXrayPackageType(techutils.CdxPackageTypeToXrayPackageType(compType)), + ImpactedDependencyType: results.FormalTechOrCdxCompType(compType), Components: directComponents, }, ImpactPaths: impactPaths, @@ -298,7 +298,7 @@ func (sjc *CmdResultsSimpleJsonConverter) createOpRiskViolationRow(opRiskViolati SeverityDetails: severityutils.GetAsDetails(opRiskViolation.Severity, jasutils.NotScanned, sjc.pretty), ImpactedDependencyName: strings.ReplaceAll(compName, "/", ":"), ImpactedDependencyVersion: compVersion, - ImpactedDependencyType: techutils.ConvertXrayPackageType(techutils.CdxPackageTypeToXrayPackageType(compType)), + ImpactedDependencyType: results.FormalTechOrCdxCompType(compType), Components: opRiskViolation.DirectComponents, }, RiskReason: opRiskViolation.RiskReason, 
@@ -424,7 +424,7 @@ func addSimpleJsonVulnerability(target results.ScanTarget, vulnerabilitiesRows * SeverityDetails: severityutils.GetAsDetails(severity, applicabilityStatus, pretty), ImpactedDependencyName: impactedPackagesName, ImpactedDependencyVersion: impactedPackagesVersion, - ImpactedDependencyType: impactedPackagesType, + ImpactedDependencyType: results.FormalTechOrCdxCompType(impactedPackagesType), Components: directComponents, }, FixedVersions: fixedVersion, @@ -457,7 +457,7 @@ func addSimpleJsonLicense(licenseViolationsRows *[]formats.LicenseRow) results.P ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ ImpactedDependencyName: impactedPackagesName, ImpactedDependencyVersion: impactedPackagesVersion, - ImpactedDependencyType: impactedPackagesType, + ImpactedDependencyType: results.FormalTechOrCdxCompType(impactedPackagesType), Components: directComponents, }, }, diff --git a/utils/results/conversion/tableparser/tableparser.go b/utils/results/conversion/tableparser/tableparser.go index 1ff074132..1a3379fe2 100644 --- a/utils/results/conversion/tableparser/tableparser.go +++ b/utils/results/conversion/tableparser/tableparser.go @@ -125,7 +125,7 @@ func (tc *CmdResultsTableConverter) ParseSbom(sbom *cyclonedx.BOM) (err error) { tc.sbomRows = append(tc.sbomRows, formats.SbomTableRow{ Component: compName, Version: compVersion, - PackageType: techutils.ConvertXrayPackageType(compType), + PackageType: results.FormalTechOrCdxCompType(compType), Relation: relationStr, // For sorting RelationPriority: relationPriority, diff --git a/utils/techutils/techutils.go b/utils/techutils/techutils.go index 4c5b519ce..5d966cb96 100644 --- a/utils/techutils/techutils.go +++ b/utils/techutils/techutils.go 
@@ -59,12 +59,12 @@ const ( Swift Technology = "swift" Gem Technology = "ruby" // Not Supported by build-info BOM generator - Docker Technology = "docker" - Oci Technology = "oci" - // Rpm Technology = "rpm" - // Deb Technology = "deb" - // Composer Technology = "composer" - // Alpine Technology = "alpine" + Docker Technology = "docker" + Oci Technology = "oci" + Rpm Technology = "rpm" + Deb Technology = "deb" + Composer Technology = "composer" + Alpine Technology = "alpine" // TODO: replace with Generic NoTech Technology = "" // Generic Technology = "generic" @@ -93,6 +93,10 @@ var AllTechnologiesStrings = []string{ Swift.String(), NoTech.String(), Gem.String(), + Rpm.String(), + Deb.String(), + Composer.String(), + Alpine.String(), } func ToTechnology(tech string) Technology { @@ -293,13 +297,11 @@ var technologiesData = map[Technology]TechData{ formal: "Docker", projectType: project.Docker, }, - Oci: {}, - // Rpm: { formal: "RPM"}, - // Deb: { formal: "Debian"}, - // Generic: { formal: "Generic"}, - // Composer: { formal: "Composer"}, - // Alpine: { formal: "Alpine"}, - + Oci: {}, + Rpm: {formal: "RPM"}, + Deb: {formal: "Debian"}, + Composer: {formal: "Composer"}, + Alpine: {formal: "Alpine"}, } var ( @@ -825,10 +827,10 @@ func SplitComponentIdRaw(componentId string) (string, string, string) { func SplitComponentId(componentId string) (string, string, string) { compName, compVersion, packageType := SplitComponentIdRaw(componentId) - return compName, compVersion, ConvertXrayPackageType(packageType) + return compName, compVersion, XrayPackageTypeToCdxPackageType(packageType) } -func ConvertXrayPackageType(xrayPackageType string) string { +func XrayPackageTypeToCdxPackageType(xrayPackageType string) string { for tech, techData := range technologiesData { if (techData.xrayPackageType != "" && techData.xrayPackageType == xrayPackageType) || (techData.xrayPackageType == "" && tech.String() == xrayPackageType) { return tech.GetPackageType() 
@@ -858,15 +860,6 @@ func CdxPackageTypeToTechnology(cdxPackageType string) Technology { return NoTech } -func ToCdxPackageType(packageType string) string { - for tech, techData := range technologiesData { - if (techData.xrayPackageType != "" && techData.xrayPackageType == packageType) || (techData.xrayPackageType == "" && tech.String() == packageType) { - return tech.GetPackageType() - } - } - return packageType -} - func CdxPackageTypeToXrayPackageType(cdxPackageType string) string { for tech, techData := range technologiesData { if (techData.packageType != "" && techData.packageType == cdxPackageType) || (techData.packageType == "" && tech.String() == cdxPackageType) { @@ -935,10 +928,10 @@ func PurlToXrayComponentId(purl string) (xrayComponentId string) { func XrayComponentIdToPurl(xrayComponentId string) (purl string) { compName, compVersion, compType := SplitComponentIdRaw(xrayComponentId) - return ToPackageUrl(compName, compVersion, ToCdxPackageType(compType)) + return ToPackageUrl(compName, compVersion, XrayPackageTypeToCdxPackageType(compType)) } func XrayComponentIdToCdxComponentRef(xrayImpactedPackageId string) string { compName, compVersion, compType := SplitComponentIdRaw(xrayImpactedPackageId) - return ToPackageRef(compName, compVersion, ToCdxPackageType(compType)) + return ToPackageRef(compName, compVersion, XrayPackageTypeToCdxPackageType(compType)) } diff --git a/utils/techutils/techutils_test.go b/utils/techutils/techutils_test.go index fad296d30..befb9760e 100644 --- a/utils/techutils/techutils_test.go +++ b/utils/techutils/techutils_test.go @@ -713,7 +713,7 @@ func TestTechnologyToLanguage(t *testing.T) { } } -func TestToCdxPackageType(t *testing.T) { +func TestXrayPackageTypeToCdxPackageType(t *testing.T) { tests := []struct { name string input string 
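Review bot: `ToCdxPackageType` is an exported function removed here, and `ConvertXrayPackageType` is renamed to `XrayPackageTypeToCdxPackageType` in the hunk at L29, so any module that imports this package breaks at compile time with no deprecation period; whether such importers exist is not visible from this diff. If the package is consumed externally, a thin wrapper for one release keeps them building: `// Deprecated: use XrayPackageTypeToCdxPackageType instead.` followed by `func ToCdxPackageType(packageType string) string { return XrayPackageTypeToCdxPackageType(packageType) }`. The `XrayComponentIdToPurl` and `XrayComponentIdToCdxComponentRef` call-site updates in the second hunk are fine as they are.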
@@ -726,7 +726,7 @@ func TestToCdxPackageType(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - assert.Equalf(t, tt.expected, ToCdxPackageType(tt.input), "ToCdxPackageType(%v) == %v", tt.input, tt.expected) + assert.Equalf(t, tt.expected, XrayPackageTypeToCdxPackageType(tt.input), "XrayPackageTypeToCdxPackageType(%v) == %v", tt.input, tt.expected) }) } } From a2a6e6eb846ae589c05a6cd3edbe464359420dbe Mon Sep 17 00:00:00 2001 From: attiasas Date: Thu, 5 Feb 2026 17:37:09 +0200 Subject: [PATCH 06/10] fix and add tests --- utils/formats/simplejsonapi.go | 2 +- utils/techutils/techutils.go | 11 ++++++++- utils/techutils/techutils_test.go | 39 +++++++++++++++++++++++++++++-- 3 files changed, 48 insertions(+), 4 deletions(-) diff --git a/utils/formats/simplejsonapi.go b/utils/formats/simplejsonapi.go index f663c629a..b9fb7a2bf 100644 --- a/utils/formats/simplejsonapi.go +++ b/utils/formats/simplejsonapi.go @@ -76,7 +76,7 @@ type VulnerabilityOrViolationRow struct { References []string `json:"references"` ImpactPaths [][]ComponentRow `json:"impactPaths"` JfrogResearchInformation *JfrogResearchInformation `json:"jfrogResearchInformation"` - Technology techutils.Technology `json:"tech"` + Technology techutils.Technology `json:"-"` } type LicenseViolationRow struct { diff --git a/utils/techutils/techutils.go b/utils/techutils/techutils.go index 5d966cb96..c3498d62b 100644 --- a/utils/techutils/techutils.go +++ b/utils/techutils/techutils.go @@ -166,6 +166,7 @@ var technologiesData = map[Technology]TechData{ }, Gradle: { formal: "Gradle", + packageType: Maven.String(), xrayPackageType: Gav, indicators: []string{"build.gradle", "build.gradle.kts"}, packageDescriptors: []string{"build.gradle", "build.gradle.kts"}, 
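Review bot: Changing the `Technology` tag to `json:"-"` in the `VulnerabilityOrViolationRow` hunk of `simplejsonapi.go` silently drops the `tech` key from the simple-json output, a consumer-visible format change that the commit title ("fix and add tests") does not mention and no test in this patch covers. Anyone parsing `tech` sees it vanish without a schema or version bump; if the aim is only to hide the value when it is unset, `json:"tech,omitempty"` does that without breaking existing readers, and if the field really is retired the removal belongs in the changelog. The rest of the struct is outside this hunk, so I cannot tell whether another field now carries the same information.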
@@ -831,6 +832,10 @@ func SplitComponentId(componentId string) (string, string, string) { } func XrayPackageTypeToCdxPackageType(xrayPackageType string) string { + if xrayPackageType == Gav { + // We prefer maven over gradle for GAV packages, it could be both + return Maven.GetPackageType() + } for tech, techData := range technologiesData { if (techData.xrayPackageType != "" && techData.xrayPackageType == xrayPackageType) || (techData.xrayPackageType == "" && tech.String() == xrayPackageType) { return tech.GetPackageType() @@ -840,7 +845,7 @@ func XrayPackageTypeToCdxPackageType(xrayPackageType string) string { } func ToXrayComponentId(packageType, componentName, componentVersion string) string { - if packageType == "gav" { + if packageType == Gav { componentName = strings.ReplaceAll(componentName, "/", ":") } if componentVersion == "" { @@ -851,6 +856,10 @@ func ToXrayComponentId(packageType, componentName, componentVersion string) stri } func CdxPackageTypeToTechnology(cdxPackageType string) Technology { + if cdxPackageType == Npm.String() || cdxPackageType == Maven.String() || cdxPackageType == Pypi { + // Conflicted with other technologies + return NoTech + } for tech, techData := range technologiesData { if (techData.packageType != "" && techData.packageType == cdxPackageType) || (techData.packageType == "" && tech.String() == cdxPackageType) { return tech diff --git a/utils/techutils/techutils_test.go b/utils/techutils/techutils_test.go index befb9760e..452594d2f 100644 --- a/utils/techutils/techutils_test.go +++ b/utils/techutils/techutils_test.go @@ -719,6 +719,7 @@ func TestXrayPackageTypeToCdxPackageType(t *testing.T) { input string expected string }{ + {"npm to npm", "npm", "npm"}, {"gav to maven", "gav", "maven"}, {"docker to docker", "docker", "docker"}, {"go to golang", "go", "golang"}, 
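Review bot: The guard added at the top of `CdxPackageTypeToTechnology` hard-codes `npm`, `maven` and `pypi` as the conflicting package types, so the next technology that shares a `packageType` with another silently falls back to map-iteration-order results, and the list has to be kept in sync with the table by hand. Deriving the answer from the table itself — returning `NoTech` as soon as a second technology matches — needs no list and, as far as the table values visible in this diff allow me to tell, keeps every expectation in the new `TestCdxPackageTypeToTechnology` (the aliases all map to `NoTech`, the unique types stay unique); the comment `// Conflicted with other technologies` would then go away. The `Gav` preference in `XrayPackageTypeToCdxPackageType` is a genuine choice and can stay as written. The function's tail (`// If the package type is not found in the map, return NoTech`) lies outside this hunk and is replaced by `return matched` below.
```go
func CdxPackageTypeToTechnology(cdxPackageType string) Technology {
	matched := NoTech
	for tech, techData := range technologiesData {
		if (techData.packageType != "" && techData.packageType == cdxPackageType) || (techData.packageType == "" && tech.String() == cdxPackageType) {
			if matched != NoTech {
				// Ambiguous: several technologies share this package type, so no single answer is correct.
				return NoTech
			}
			matched = tech
		}
	}
	return matched
}
```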
@@ -737,6 +738,7 @@ func TestCdxPackageTypeToXrayPackageType(t *testing.T) { input string expected string }{ + {"npm to npm", "npm", "npm"}, {"maven to gav", "maven", "gav"}, {"docker to docker", "docker", "docker"}, {"golang to go", "golang", "go"}, @@ -860,6 +862,36 @@ func TestSplitPackageURL(t *testing.T) { } } +func TestCdxPackageTypeToTechnology(t *testing.T) { + tests := []struct { + name string + input string + expected Technology + }{ + // Conflicts with other technologies + {"npm to None", "npm", NoTech}, + {"pnpm to None", "pnpm", NoTech}, + {"maven to none", "maven", NoTech}, + {"gradle to none", "gradle", NoTech}, + {"pypi to none", "pypi", NoTech}, + {"pip to none", "pip", NoTech}, + {"pipenv to none", "pipenv", NoTech}, + {"poetry to none", "poetry", NoTech}, + // No conflicts with other technologies + {"nuget to nuget", "nuget", Nuget}, + {"dotnet to dotnet", "dotnet", Dotnet}, + {"yarn to yarn", "yarn", Yarn}, + {"golang to golang", "golang", Go}, + {"unknown to no tech", "foobar", NoTech}, + {"docker to docker", "docker", Docker}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + assert.Equalf(t, tt.expected, CdxPackageTypeToTechnology(tt.input), "CdxPackageTypeToTechnology(%v) == %v", tt.input, tt.expected) + }) + } +} + func TestToPackageUrl(t *testing.T) { tests := []struct { name string @@ -869,6 +901,8 @@ func TestToPackageUrl(t *testing.T) { expected string }{ {"npm scope with version", "@scope/package", "1.0.0", "npm", "pkg:npm/%40scope/package@1.0.0"}, + {"maven", "org.apache.commons/commons-lang3", "3.12.0", "maven", "pkg:maven/org.apache.commons/commons-lang3@3.12.0"}, + {"gradle", "xpp3:xpp3_min", "1.1.4c", "gradle", "pkg:gradle/xpp3/xpp3_min@1.1.4c"}, {"golang", "github.com/gophish/gophish", "v0.1.2", "golang", "pkg:golang/github.com/gophish/gophish@v0.1.2"}, {"gav", "xpp3:xpp3_min", "1.1.4c", "gav", "pkg:gav/xpp3/xpp3_min@1.1.4c"}, } 
@@ -891,6 +925,8 @@ func TestToPackageRef(t *testing.T) { {"npm scope with version", "@scope/package", "1.0.0", "npm", "pkg:npm/%40scope/package@1.0.0"}, {"golang", "github.com/gophish/gophish", "v0.1.2", "golang", "pkg:golang/github.com/gophish/gophish@v0.1.2"}, {"gav", "xpp3:xpp3_min", "1.1.4c", "gav", "pkg:gav/xpp3/xpp3_min@1.1.4c"}, + {"maven", "org.apache.commons/commons-lang3", "3.12.0", "maven", "pkg:maven/org.apache.commons/commons-lang3@3.12.0"}, + {"gradle", "xpp3:xpp3_min", "1.1.4c", "gradle", "pkg:gradle/xpp3/xpp3_min@1.1.4c"}, {"no version", "github.com/gophish/gophish", "", "golang", "pkg:golang/github.com/gophish/gophish"}, {"root", "root", "", "", "pkg:generic/root"}, } @@ -930,7 +966,6 @@ func TestXrayComponentIdToPurl(t *testing.T) { input string expected string }{ - {"npm", "npm://@scope/package:1.0.0", "pkg:npm/%40scope/package@1.0.0"}, {"gav", "gav://xpp3:xpp3_min:1.1.4c", "pkg:maven/xpp3/xpp3_min@1.1.4c"}, {"npm", "npm://@scope/package:1.0.0", "pkg:npm/%40scope/package@1.0.0"}, {"go", "go://github.com/gophish/gophish:v0.1.2", "pkg:golang/github.com/gophish/gophish@v0.1.2"}, @@ -949,7 +984,7 @@ func TestXrayComponentIdToCdxComponentRef(t *testing.T) { input string expected string }{ - {"npm", "npm://@scope/package:1.0.0", "pkg:npm/%40scope/package@1.0.0"}, + {"pnpm", "npm://@scope/package:1.0.0", "pkg:npm/%40scope/package@1.0.0"}, {"gav", "gav://xpp3:xpp3_min:1.1.4c", "pkg:maven/xpp3/xpp3_min@1.1.4c"}, {"go", "go://github.com/gophish/gophish:v0.1.2", "pkg:golang/github.com/gophish/gophish@v0.1.2"}, } From 881f091b0cb93cea12c8d23186813e3d99c50e9c Mon Sep 17 00:00:00 2001 From: attiasas Date: Thu, 5 Feb 2026 18:03:47 +0200 Subject: [PATCH 07/10] format --- utils/techutils/techutils.go | 4 +--- utils/techutils/techutils_test.go | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/utils/techutils/techutils.go b/utils/techutils/techutils.go index c3498d62b..5c877c348 100644 --- a/utils/techutils/techutils.go 
+++ b/utils/techutils/techutils.go @@ -65,9 +65,7 @@ const ( Deb Technology = "deb" Composer Technology = "composer" Alpine Technology = "alpine" - // TODO: replace with Generic - NoTech Technology = "" - // Generic Technology = "generic" + NoTech Technology = "" ) // Alternative package types for some technologies diff --git a/utils/techutils/techutils_test.go b/utils/techutils/techutils_test.go index 452594d2f..87f9d3c0a 100644 --- a/utils/techutils/techutils_test.go +++ b/utils/techutils/techutils_test.go @@ -984,7 +984,7 @@ func TestXrayComponentIdToCdxComponentRef(t *testing.T) { input string expected string }{ - {"pnpm", "npm://@scope/package:1.0.0", "pkg:npm/%40scope/package@1.0.0"}, + {"npm", "npm://@scope/package:1.0.0", "pkg:npm/%40scope/package@1.0.0"}, {"gav", "gav://xpp3:xpp3_min:1.1.4c", "pkg:maven/xpp3/xpp3_min@1.1.4c"}, {"go", "go://github.com/gophish/gophish:v0.1.2", "pkg:golang/github.com/gophish/gophish@v0.1.2"}, } From 5a4a9d5e2dfecc9cc4408b38bb5576b74531740b Mon Sep 17 00:00:00 2001 From: attiasas Date: Thu, 5 Feb 2026 18:14:20 +0200 Subject: [PATCH 08/10] formal only on pretty --- utils/results/common.go | 5 ++++- .../simplejsonparser/simplejsonparser.go | 20 +++++++++---------- .../simplejsonparser/simplejsonparser_test.go | 2 +- .../conversion/tableparser/tableparser.go | 2 +- utils/results/output/resultwriter.go | 2 +- 5 files changed, 17 insertions(+), 14 deletions(-) diff --git a/utils/results/common.go b/utils/results/common.go index eb663f509..e5470e4f6 100644 --- a/utils/results/common.go +++ b/utils/results/common.go @@ -912,7 +912,10 @@ func CreateScaComponentFromXrayCompId(xrayImpactedPackageId string, properties . return } -func FormalTechOrCdxCompType(cdxCompType string) string { +func FormalTechOrCdxCompType(cdxCompType string, pretty bool) string { + if !pretty { + return cdxCompType + } tech := techutils.CdxPackageTypeToTechnology(cdxCompType) if tech != techutils.NoTech { return tech.ToFormal() 
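Review bot: `FormalTechOrCdxCompType` in the `utils/results/common.go` hunk is exported, now takes a `pretty` flag, and still carries no doc comment saying that the flag selects between a machine-readable type and a display name — the one thing a caller has to get right, given that the CycloneDX and simple-json writers elsewhere in this series depend on it. Propose `// FormalTechOrCdxCompType returns the formal technology name for a CycloneDX package type when pretty output is requested; otherwise, or when no technology maps to the type, the type is returned unchanged.` The function's last lines are outside the hunk.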
diff --git a/utils/results/conversion/simplejsonparser/simplejsonparser.go b/utils/results/conversion/simplejsonparser/simplejsonparser.go index 236c88992..8889071fb 100644 --- a/utils/results/conversion/simplejsonparser/simplejsonparser.go +++ b/utils/results/conversion/simplejsonparser/simplejsonparser.go @@ -120,7 +120,7 @@ func (sjc *CmdResultsSimpleJsonConverter) ParseSbomLicenses(sbom *cyclonedx.BOM) ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ ImpactedDependencyName: strings.ReplaceAll(compName, "/", ":"), ImpactedDependencyVersion: compVersion, - ImpactedDependencyType: results.FormalTechOrCdxCompType(compType), + ImpactedDependencyType: results.FormalTechOrCdxCompType(compType, sjc.pretty), Components: results.ExtractComponentDirectComponentsInBOM(sbom, component, impactPaths), }, ImpactPaths: impactPaths, @@ -244,7 +244,7 @@ func (sjc *CmdResultsSimpleJsonConverter) createVulnerabilityOrViolationRowFromC SeverityDetails: severityutils.GetAsDetails(severity, applicabilityStatus, sjc.pretty), ImpactedDependencyName: strings.ReplaceAll(compName, "/", ":"), ImpactedDependencyVersion: compVersion, - ImpactedDependencyType: results.FormalTechOrCdxCompType(compType), + ImpactedDependencyType: results.FormalTechOrCdxCompType(compType, sjc.pretty), Components: directComponents, }, ImpactPaths: impactPaths, @@ -282,7 +282,7 @@ func (sjc *CmdResultsSimpleJsonConverter) createLicenseViolationRow(licenseKey, SeverityDetails: severityutils.GetAsDetails(severity, jasutils.NotScanned, sjc.pretty), ImpactedDependencyName: strings.ReplaceAll(compName, "/", ":"), ImpactedDependencyVersion: compVersion, - ImpactedDependencyType: results.FormalTechOrCdxCompType(compType), + ImpactedDependencyType: results.FormalTechOrCdxCompType(compType, sjc.pretty), Components: directComponents, }, ImpactPaths: impactPaths, 
@@ -298,7 +298,7 @@ func (sjc *CmdResultsSimpleJsonConverter) createOpRiskViolationRow(opRiskViolati SeverityDetails: severityutils.GetAsDetails(opRiskViolation.Severity, jasutils.NotScanned, sjc.pretty), ImpactedDependencyName: strings.ReplaceAll(compName, "/", ":"), ImpactedDependencyVersion: compVersion, - ImpactedDependencyType: results.FormalTechOrCdxCompType(compType), + ImpactedDependencyType: results.FormalTechOrCdxCompType(compType, sjc.pretty), Components: opRiskViolation.DirectComponents, }, RiskReason: opRiskViolation.RiskReason, @@ -328,7 +328,7 @@ func (sjc *CmdResultsSimpleJsonConverter) DeprecatedParseLicenses(scaResponse se if sjc.current == nil { return results.ErrResetConvertor } - licSimpleJson, err := PrepareSimpleJsonLicenses(sjc.currentTarget, scaResponse.Licenses) + licSimpleJson, err := PrepareSimpleJsonLicenses(sjc.currentTarget, scaResponse.Licenses, sjc.pretty) if err != nil || len(licSimpleJson) == 0 { return } @@ -424,7 +424,7 @@ func addSimpleJsonVulnerability(target results.ScanTarget, vulnerabilitiesRows * SeverityDetails: severityutils.GetAsDetails(severity, applicabilityStatus, pretty), ImpactedDependencyName: impactedPackagesName, ImpactedDependencyVersion: impactedPackagesVersion, - ImpactedDependencyType: results.FormalTechOrCdxCompType(impactedPackagesType), + ImpactedDependencyType: results.FormalTechOrCdxCompType(impactedPackagesType, pretty), Components: directComponents, }, FixedVersions: fixedVersion, 
@@ -441,13 +441,13 @@ func addSimpleJsonVulnerability(target results.ScanTarget, vulnerabilitiesRows * } } -func PrepareSimpleJsonLicenses(target results.ScanTarget, licenses []services.License) ([]formats.LicenseRow, error) { +func PrepareSimpleJsonLicenses(target results.ScanTarget, licenses []services.License, pretty bool) ([]formats.LicenseRow, error) { var licensesRows []formats.LicenseRow - err := results.ForEachLicense(target, licenses, addSimpleJsonLicense(&licensesRows)) + err := results.ForEachLicense(target, licenses, addSimpleJsonLicense(&licensesRows, pretty)) return licensesRows, err } -func addSimpleJsonLicense(licenseViolationsRows *[]formats.LicenseRow) results.ParseLicenseFunc { +func addSimpleJsonLicense(licenseViolationsRows *[]formats.LicenseRow, pretty bool) results.ParseLicenseFunc { return func(license services.License, impactedPackagesId string, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) error { impactedPackagesName, impactedPackagesVersion, impactedPackagesType := techutils.SplitComponentId(impactedPackagesId) *licenseViolationsRows = append(*licenseViolationsRows, @@ -457,7 +457,7 @@ func addSimpleJsonLicense(licenseViolationsRows *[]formats.LicenseRow) results.P ImpactedDependencyDetails: formats.ImpactedDependencyDetails{ ImpactedDependencyName: impactedPackagesName, ImpactedDependencyVersion: impactedPackagesVersion, - ImpactedDependencyType: results.FormalTechOrCdxCompType(impactedPackagesType), + ImpactedDependencyType: results.FormalTechOrCdxCompType(impactedPackagesType, pretty), Components: directComponents, }, }, diff --git a/utils/results/conversion/simplejsonparser/simplejsonparser_test.go b/utils/results/conversion/simplejsonparser/simplejsonparser_test.go index d792a701e..01cce5c63 100644 --- a/utils/results/conversion/simplejsonparser/simplejsonparser_test.go +++ b/utils/results/conversion/simplejsonparser/simplejsonparser_test.go 
@@ -432,7 +432,7 @@ func TestPrepareSimpleJsonLicenses(t *testing.T) {
 }
 for _, tc := range testCases {
 t.Run(tc.name, func(t *testing.T) {
- out, err := PrepareSimpleJsonLicenses(tc.target, tc.licenses)
+ out, err := PrepareSimpleJsonLicenses(tc.target, tc.licenses, false)
 assert.NoError(t, err)
 assert.ElementsMatch(t, tc.expectedOutput, out)
 })
diff --git a/utils/results/conversion/tableparser/tableparser.go b/utils/results/conversion/tableparser/tableparser.go
index 1a3379fe2..1eb3e3348 100644
--- a/utils/results/conversion/tableparser/tableparser.go
+++ b/utils/results/conversion/tableparser/tableparser.go
@@ -125,7 +125,7 @@ func (tc *CmdResultsTableConverter) ParseSbom(sbom *cyclonedx.BOM) (err error) {
 tc.sbomRows = append(tc.sbomRows, formats.SbomTableRow{
 Component: compName,
 Version: compVersion,
- PackageType: results.FormalTechOrCdxCompType(compType),
+ PackageType: results.FormalTechOrCdxCompType(compType, tc.pretty),
 Relation: relationStr,
 // For sorting
 RelationPriority: relationPriority,
diff --git a/utils/results/output/resultwriter.go b/utils/results/output/resultwriter.go
index 0f1c1b187..215da0096 100644
--- a/utils/results/output/resultwriter.go
+++ b/utils/results/output/resultwriter.go
@@ -188,7 +188,7 @@ func (rw *ResultsWriter) printSarif() (err error) {
 }
 
 func (rw *ResultsWriter) printCycloneDx() (err error) {
- bom, err := rw.createResultsConvertor(true).ConvertToCycloneDx(rw.commandResults)
+ bom, err := rw.createResultsConvertor(false).ConvertToCycloneDx(rw.commandResults)
 if err != nil {
 return
 }
From b8b3b97b71d9a273e2f16e211358de50c5ea1521 Mon Sep 17 00:00:00 2001
From: attiasas
Date: Thu, 5 Feb 2026 18:25:05 +0200
Subject: [PATCH 09/10] fix test
---
 tests/testdata/output/dockerscan/docker_simple_json.json | 8 ++++----
 utils/techutils/techutils.go | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
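Review bot: `printCycloneDx` flips the argument to `createResultsConvertor` from `true` to `false` with nothing in the hunk explaining why; the parameter name is not visible here, but if it is the pretty flag this silently changes which package-type strings land in the generated BOM. A one-line comment at the call keeps the next reader from "fixing" it back: `// CycloneDX is consumed by tools, not people: never render formal/pretty names here.` The updated test in simplejsonparser_test.go only calls `PrepareSimpleJsonLicenses` with `false`, so the `pretty == true` path introduced by this commit has no coverage. printCycloneDx's body continues past the hunk.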
diff --git a/tests/testdata/output/dockerscan/docker_simple_json.json b/tests/testdata/output/dockerscan/docker_simple_json.json
index 6a36693b1..1d41f4405 100644
--- a/tests/testdata/output/dockerscan/docker_simple_json.json
+++ b/tests/testdata/output/dockerscan/docker_simple_json.json
@@ -4,7 +4,7 @@
 "severity": "Critical",
 "impactedPackageName": "debian:bookworm:libssl3",
 "impactedPackageVersion": "3.0.13-1~deb12u1",
- "impactedPackageType": "Debian",
+ "impactedPackageType": "deb",
 "components": [
 {
 "name": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar",
@@ -60,7 +60,7 @@
 "severity": "Critical",
 "impactedPackageName": "debian:bookworm:openssl",
 "impactedPackageVersion": "3.0.13-1~deb12u1",
- "impactedPackageType": "Debian",
+ "impactedPackageType": "deb",
 "components": [
 {
 "name": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar",
@@ -118,7 +118,7 @@
 "severity": "Unknown",
 "impactedPackageName": "debian:bookworm:libssl3",
 "impactedPackageVersion": "3.0.13-1~deb12u1",
- "impactedPackageType": "Debian",
+ "impactedPackageType": "deb",
 "components": [
 {
 "name": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar",
@@ -186,7 +186,7 @@
 "severity": "Unknown",
 "impactedPackageName": "debian:bookworm:libssl3",
 "impactedPackageVersion": "3.0.13-1~deb12u1",
- "impactedPackageType": "Debian",
+ "impactedPackageType": "deb",
 "components": [
 {
 "name": "sha256__f21c087a3964a446bce1aa4e3ec7cf82020dd77ad14f1cf4ea49cbb32eda1595.tar",
diff --git a/utils/techutils/techutils.go b/utils/techutils/techutils.go
index 5c877c348..6be1e68f9 100644
--- a/utils/techutils/techutils.go
+++ b/utils/techutils/techutils.go
@@ -62,7 +62,7 @@ const (
 Docker Technology = "docker"
 Oci Technology = "oci"
 Rpm Technology = "rpm"
- Deb Technology = "deb"
+ Debian Technology = "deb"
 Composer Technology = "composer"
 Alpine Technology = "alpine"
 NoTech Technology = ""
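Review bot: The exported constant `Deb` is renamed to `Debian` inside a commit titled "fix test", which removes an identifier from the package's public API; any importer that references `techutils.Deb` stops compiling. If this package is consumed outside this module, keep a transitional alias in the same const block: `// Deprecated: use Debian.` followed by `Deb = Debian`. The `@@ -92` and `@@ -298` hunks that follow are the mechanical parts of the same rename and need no separate comment. The const block starts and ends outside the hunk.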
@@ -92,7 +92,7 @@ var AllTechnologiesStrings = []string{
 NoTech.String(),
 Gem.String(),
 Rpm.String(),
- Deb.String(),
+ Debian.String(),
 Composer.String(),
 Alpine.String(),
 }
@@ -298,7 +298,7 @@ var technologiesData = map[Technology]TechData{
 },
 Oci: {},
 Rpm: {formal: "RPM"},
- Deb: {formal: "Debian"},
+ Debian: {formal: "Debian"},
 Composer: {formal: "Composer"},
 Alpine: {formal: "Alpine"},
 }
From f15d3120bca978cda11377e9314f307a96bc7755 Mon Sep 17 00:00:00 2001
From: attiasas
Date: Wed, 11 Feb 2026 09:40:57 +0200
Subject: [PATCH 10/10] fix flaky tests if possible
---
 .github/workflows/test.yml | 18 +++++++++---------
 git_test.go | 4 ++--
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3d6661403..c18c9c927 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,7 +23,7 @@ concurrency:
 # Environment variables shared across all jobs.
 env:
 GOPROXY: direct
- GO_COMMON_TEST_ARGS: "-v github.com/jfrog/jfrog-cli-security --race --timeout 40m --jfrog.url=${{ secrets.PLATFORM_URL }} --jfrog.adminToken=${{ secrets.PLATFORM_ADMIN_TOKEN }} --test.containerRegistry=${{ secrets.CONTAINER_REGISTRY }}"
+ GO_COMMON_TEST_ARGS: "-v github.com/jfrog/jfrog-cli-security --race --timeout 40m --jfrog.url=${{ secrets.PLATFORM_URL }} --jfrog.adminToken=${{ secrets.PLATFORM_ADMIN_TOKEN }} --ci.runId=${{ runner.os }}-sec-test --test.containerRegistry=${{ secrets.CONTAINER_REGISTRY }}"
 GRADLE_OPTS: -Dorg.gradle.daemon=false
 CI: true
 JFROG_CLI_LOG_LEVEL: DEBUG
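Review bot: `--ci.runId=${{ runner.os }}-sec-test` is now shared by every job, but its value still depends only on the runner OS, so two workflow runs on the same OS (parallel pull requests, a re-run) pass an identical run id; if that id is what namespaces the test's server-side resources, centralising it does not remove the collision the commit title is trying to fix. Consider `--ci.runId=${{ runner.os }}-${{ github.run_id }}` so every workflow run is distinct. The remaining test.yml hunks (`@@ -88` through `@@ -340`) only drop the per-job copy of the flag and need no separate comment.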
@@ -88,7 +88,7 @@ jobs:
 
 # Test and generate code coverage
 - name: Run tests
- run: go test ${{ env.GO_COMMON_TEST_ARGS }} --ci.runId=${{ runner.os }}-sec-test -covermode atomic -coverprofile=cover-unit-tests --test.unit
+ run: go test ${{ env.GO_COMMON_TEST_ARGS }} -covermode atomic -coverprofile=cover-unit-tests --test.unit
 
 Audit_Command_Integration_Tests:
 name: "[${{ matrix.os }}] ${{ matrix.suite.name }} Audit Command Integration Tests"
@@ -141,7 +141,7 @@ jobs:
 
 # Test
 - name: Run tests
- run: go test ${{ env.GO_COMMON_TEST_ARGS }} ${{ matrix.suite.testFlags }} --ci.runId=${{ runner.os }}-sec-test
+ run: go test ${{ env.GO_COMMON_TEST_ARGS }} ${{ matrix.suite.testFlags }}
 
 Artifactory_Integration_Tests:
 name: "[${{ matrix.os }}] Artifactory Integration Tests"
@@ -170,7 +170,7 @@ jobs:
 
 # Test
 - name: Run tests
- run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.artifactory --ci.runId=${{ runner.os }}-sec-test
+ run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.artifactory
 
 Xray_Commands_Integration_Tests:
 name: "[${{ matrix.os }}] Xray Commands Integration Tests"
@@ -224,7 +224,7 @@ jobs:
 
 # Test
 - name: Run tests
- run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.xsc --ci.runId=${{ runner.os }}-sec-test
+ run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.xsc
 
 Binary_Scan_Command_Integration_Tests:
 name: "[${{ matrix.os }}] Binary Scan Command Integration Tests"
@@ -253,7 +253,7 @@ jobs:
 
 # Test
 - name: Run tests
- run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.scan --ci.runId=${{ runner.os }}-sec-test
+ run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.scan
 
 Docker_Scan_Commands_Integration_Tests:
 name: "[${{ matrix.os }}] Docker Scan Commands Integration Tests"
@@ -282,7 +282,7 @@ jobs:
 
 # Test
 - name: Run tests
- run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.dockerScan --ci.runId=${{ runner.os }}-sec-test
+ run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.dockerScan
 
 Other_Commands_Integration_Tests:
 name: "[${{ matrix.os }}] Other Commands Integration Tests"
@@ -311,7 +311,7 @@ jobs:
 
 # Test
 - name: Run tests
- run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.curation --test.enrich --ci.runId=${{ runner.os }}-sec-test
+ run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.curation --test.enrich
 
 Git_Commands_Integration_Tests:
 name: "[${{ matrix.os }}] Git Commands Integration Tests"
@@ -340,4 +340,4 @@ jobs:
 
 # Test
 - name: Run tests
- run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.git --ci.runId=${{ runner.os }}-sec-test
\ No newline at end of file
+ run: go test ${{ env.GO_COMMON_TEST_ARGS }} --test.git
\ No newline at end of file
diff --git a/git_test.go b/git_test.go
index a118d1ff6..2243f8d95 100644
--- a/git_test.go
+++ b/git_test.go
@@ -115,9 +115,9 @@ func TestGitAuditStaticScaCycloneDx(t *testing.T) {
 dummyCloneUrl := getDummyGitRepoUrl()
 
 // Create policy and watch for the git repo so we will also get violations (unknown = all vulnerabilities will be reported as violations)
- policyName, cleanUpPolicy := securityTestUtils.CreateTestSecurityPolicy(t, "git-repo-ignore-rule-policy", utils.Unknown, true, false)
+ policyName, cleanUpPolicy := securityTestUtils.CreateTestSecurityPolicy(t, "git-repo-static-sca-policy", utils.Unknown, true, false)
 defer cleanUpPolicy()
- watchName, cleanUpWatch := securityTestUtils.CreateWatchOnGitResources(t, policyName, "git-repo-ignore-rule-watch", xscutils.GetGitRepoUrlKey(dummyCloneUrl))
+ watchName, cleanUpWatch := securityTestUtils.CreateWatchOnGitResources(t, policyName, "git-repo-static-sca-watch", xscutils.GetGitRepoUrlKey(dummyCloneUrl))
 defer cleanUpWatch()
 
 // Run the audit command with git repo and verify violations are reported to the platform.
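Review bot: The policy and watch names become `git-repo-static-sca-policy` and `git-repo-static-sca-watch`, presumably so this test no longer shares names with whichever test used the `ignore-rule` pair, but they are still fixed strings: two workflow runs against the same platform (the OS matrix, a parallel pull request) create and tear down the same named policy and watch, so the flakiness can recur unless `CreateTestSecurityPolicy` and `CreateWatchOnGitResources` already append the ci.runId or a unique suffix. If they do not, derive the names from the run id at the call site rather than hard-coding them, and record the reason next to them: `// Names must be unique per run: a concurrent run deleting its copy would break this one.` TestGitAuditStaticScaCycloneDx continues past the hunk; the test.yml hunks on this line are the mechanical de-duplication of the `--ci.runId` flag.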