Add entitlment snippet (#711)

Author: attiasas

commands/audit/audit.go

@@ -174,8 +174,10 @@ func shouldIncludeVulnerabilities(includeVulnerabilities bool, watches []string,
 
 func shouldIncludeSnippetDetection(params *AuditParams) bool {
 	if profile := params.GetConfigProfile(); profile != nil && len(profile.Modules) > 0 {
-		if profile.Modules[0].ScanConfig.ScaScannerConfig.EnableSnippetDetection {
-			return true
+		for _, module := range profile.Modules {
+			if module.ScanConfig.ScaScannerConfig.EnableSnippetDetection {
+				return true
+			}
 		}
 	}
 	if params.resultsContext.IncludeSnippetDetection {
@@ -282,14 +284,14 @@ func (auditCmd *AuditCommand) Run() (err error) {
 
 func (auditCmd *AuditCommand) getResultWriter(cmdResults *results.SecurityCommandResults) *output.ResultsWriter {
 	var messages []string
-	if !cmdResults.EntitledForJas {
+	if !cmdResults.Entitlements.Jas {
 		messages = []string{coreutils.PrintTitle("In addition to SCA, the ‘jf audit’ command supports the following Advanced Security scans: 'Contextual Analysis', 'Secrets Detection', 'IaC', and ‘SAST’.\nThese scans are available within Advanced Security license. Read more - ") + coreutils.PrintLink(utils.JasInfoURL)}
 	}
 	if cmdResults.ResultsPlatformUrl != "" && auditCmd.gitContext != nil {
 		messages = append(messages, output.GetCommandResultsPlatformUrlMessage(cmdResults, true))
 	}
 	var tableNotes []string
-	if cmdResults.EntitledForJas && cmdResults.HasViolationContext() && len(cmdResults.ResultContext.GitRepoHttpsCloneUrl) == 0 {
+	if cmdResults.Entitlements.Jas && cmdResults.HasViolationContext() && len(cmdResults.ResultContext.GitRepoHttpsCloneUrl) == 0 {
 		tableNotes = []string{"Note: The following vulnerability violations are NOT supported by this audit:\n- Secrets\n- Infrastructure as Code (IaC)\n- Static Application Security Testing (SAST)"}
 	}
 	return output.NewResultsWriter(cmdResults).
@@ -377,7 +379,6 @@ func getScanLogicOptions(params *AuditParams) (bomGenOptions []bom.SbomGenerator
 		xrayplugin.WithBinaryPath(params.CustomBomGenBinaryPath()),
 		xrayplugin.WithIgnorePatterns(params.Exclusions()),
 		xrayplugin.WithSpecificTechnologies(params.Technologies()),
-		xrayplugin.WithSnippetDetection(shouldIncludeSnippetDetection(params)),
 	}
 	// Scan Strategies Options
 	scanGraphParams, err := params.ToXrayScanGraphParams()
@@ -418,17 +419,29 @@ func initAuditCmdResults(params *AuditParams) (cmdResults *results.SecurityComma
 	entitledForJas, err := isEntitledForJas(xrayManager, params)
 	if err != nil {
 		return cmdResults.AddGeneralError(err, false)
-	} else {
-		cmdResults.SetEntitledForJas(entitledForJas)
 	}
+	cmdResults.SetEntitledForJas(entitledForJas)
 	if entitledForJas {
+		// Validate required installed software
 		if utils.IsJASRequested(cmdResults.CmdType, params.ScansToPerform()...) {
 			if err = jas.ValidateRequiredInstalledSoftware(); err != nil {
 				return cmdResults.AddGeneralError(err, false)
 			}
 		}
+		// Validate secret validation entitlement
 		cmdResults.SetSecretValidation(jas.CheckForSecretValidation(xrayManager, params.GetXrayVersion(), slices.Contains(params.ScansToPerform(), utils.SecretTokenValidationScan)))
 	}
+	// Snippet detection requires JAS entitlement and also the Snippet Detection feature is enabled in Xray.
+	if shouldIncludeSnippetDetection(params) {
+		entitledForSnippetDetection, err := isEntitledForSnippetDetection(entitledForJas, xrayManager, params)
+		if err != nil {
+			return cmdResults.AddGeneralError(err, false)
+		}
+		if !entitledForSnippetDetection {
+			return cmdResults.AddGeneralError(fmt.Errorf("snippet detection is requested but the JFrog instance is not entitled for it"), false)
+		}
+		cmdResults.SetEntitledForSnippetDetection(entitledForSnippetDetection)
+	}
 	return
 }
 
@@ -440,6 +453,14 @@ func isEntitledForJas(xrayManager *xray.XrayServicesManager, auditParams *AuditP
 	return jas.IsEntitledForJas(xrayManager, auditParams.GetXrayVersion())
 }
 
+func isEntitledForSnippetDetection(isEntitledForJas bool, xrayManager *xray.XrayServicesManager, auditParams *AuditParams) (entitled bool, err error) {
+	if !isEntitledForJas {
+		return false, nil
+	}
+	// Snippet detection requires JAS entitlement and also the Snippet Detection feature is enabled in Xray.
+	return xrayutils.IsEntitled(xrayManager, auditParams.GetXrayVersion(), xrayplugin.SnippetDetectionFeatureId)
+}
+
 func populateScanTargets(cmdResults *results.SecurityCommandResults, params *AuditParams) {
 	// Populate the scan targets based on the provided parameters.
 	detectScanTargets(cmdResults, params)
@@ -458,7 +479,10 @@ func populateScanTargets(cmdResults *results.SecurityCommandResults, params *Aud
 			// No need to generate the SBOM if we are not going to use it.
 			continue
 		}
-		bom.GenerateSbomForTarget(params.BomGenerator().WithOptions(buildinfo.WithDescriptors(targetResult.GetDescriptors())),
+		bom.GenerateSbomForTarget(params.BomGenerator().WithOptions(
+			buildinfo.WithDescriptors(targetResult.GetDescriptors()),
+			xrayplugin.WithSnippetDetection(shouldIncludeSnippetDetection(params)),
+		),
 			bom.SbomGeneratorParams{
 				Target:               targetResult,
 				AllowPartialResults:  params.AllowPartialResults(),
@@ -616,7 +640,7 @@ func addScaScansToRunner(auditParallelRunner *utils.SecurityParallelRunner, audi
 }
 
 func addJasScansToRunner(auditParallelRunner *utils.SecurityParallelRunner, auditParams *AuditParams, scanResults *results.SecurityCommandResults, isNewFlow bool) (jasScanner *jas.JasScanner, generalError error) {
-	if !scanResults.EntitledForJas {
+	if !scanResults.Entitlements.Jas {
 		log.Info("Advanced Security is not enabled on this system, so Advanced Security scans were skipped...")
 		return
 	}

commands/git/audit/gitaudit.go

@@ -136,7 +136,7 @@ func RunGitAudit(params GitAuditParams) (scanResults *results.SecurityCommandRes
 
 func (gaCmd *GitAuditCommand) getResultWriter(cmdResults *results.SecurityCommandResults) *output.ResultsWriter {
 	var messages []string
-	if !cmdResults.EntitledForJas {
+	if !cmdResults.Entitlements.Jas {
 		messages = []string{coreutils.PrintTitle("In addition to SCA, the ‘jf git audit’ command supports the following Advanced Security scans: 'Contextual Analysis', 'Secrets Detection', 'IaC', and ‘SAST’.\nThese scans are available within Advanced Security license. Read more - ") + coreutils.PrintLink(utils.JasInfoURL)}
 	}
 	if cmdResults.ResultsPlatformUrl != "" {

commands/scan/scan.go

@@ -352,7 +352,7 @@ func (scanCmd *ScanCommand) initScanCmdResults(cmdType utils.CommandType) (xrayM
 func (scanCmd *ScanCommand) prepareForScan(cmdResults *results.SecurityCommandResults, xrayManager *xrayClient.XrayServicesManager) (err error) {
 	// Download (if needed) the analyzer manager in a background routine.
 	AnalyzerErrGroup := new(errgroup.Group)
-	if cmdResults.EntitledForJas && utils.IsJASRequested(cmdResults.CmdType, scanCmd.scansToPerform...) {
+	if cmdResults.Entitlements.Jas && utils.IsJASRequested(cmdResults.CmdType, scanCmd.scansToPerform...) {
 		if scanCmd.customAnalyzerManagerPath == "" {
 			AnalyzerErrGroup.Go(func() error {
 				return jas.DownloadAnalyzerManagerIfNeeded(0)
@@ -444,7 +444,7 @@ func (scanCmd *ScanCommand) createIndexerHandlerFunc(file *spec.File, cmdResults
 				}
 				// SCA scan
 				targetCompId, graphScanResults, err := scanCmd.RunBinaryScaScan(file.Target, cmdResults, targetResults, deprecatedGraph, scanThreadId)
-				if err != nil || !cmdResults.EntitledForJas {
+				if err != nil || !cmdResults.Entitlements.Jas {
 					return
 				}
 				// Run Jas scans

git_test.go

@@ -271,8 +271,8 @@ func TestGitAuditJasSkipNotApplicableCvesViolations(t *testing.T) {
 		xrayVersion, xscVersion, "",
 		validations.ValidationParams{
 			Violations: &validations.ViolationCount{
-				ValidateScan:                &validations.ScanCount{Sca: 10, Sast: 2, Secrets: 2},
-				ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotApplicable: 5, NotCovered: 5, Inactive: 2},
+				ValidateScan:                &validations.ScanCount{Sca: 11, Sast: 2, Secrets: 2},
+				ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotApplicable: 5, NotCovered: 6, Inactive: 2},
 			},
 			ExactResultsMatch: true,
 		},
@@ -299,8 +299,8 @@ func TestGitAuditJasSkipNotApplicableCvesViolations(t *testing.T) {
 		xrayVersion, xscVersion, "",
 		validations.ValidationParams{
 			Violations: &validations.ViolationCount{
-				ValidateScan:                &validations.ScanCount{Sca: 5, Sast: 2, Secrets: 2},
-				ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 5, Inactive: 2},
+				ValidateScan:                &validations.ScanCount{Sca: 6, Sast: 2, Secrets: 2},
+				ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 6, Inactive: 2},
 			},
 			ExactResultsMatch: true,
 		},

policy/enforcer/policyenforcer.go

@@ -312,7 +312,7 @@ func locateJasVulnerabilityInfo(cmdResults *results.SecurityCommandResults, jasT
 			log.Debug(fmt.Sprintf("Skipping %s violation search for target %s with no Jas results", jasType, target.ScanTarget))
 			continue
 		}
-		if err := results.ForEachJasIssue(target.JasResults.GetVulnerabilitiesResults(jasType), cmdResults.EntitledForJas,
+		if err := results.ForEachJasIssue(target.JasResults.GetVulnerabilitiesResults(jasType), cmdResults.Entitlements.Jas,
 			func(run *sarif.Run, rule *sarif.ReportingDescriptor, severity severityutils.Severity, result *sarif.Result, location *sarif.Location) error {
 				if !found && isMatchingJasViolation(id, jasType, rule, location, run.Invocations, violation) {
 					// Found a relevant issue (JAS Violations only provide abbreviation and file name, no region so we match only by those)

policy/local/localconvertor.go

@@ -50,24 +50,24 @@ func (d *DeprecatedViolationGenerator) GenerateViolations(cmdResults *results.Se
 	for _, target := range cmdResults.Targets {
 		// SCA violations (from DeprecatedXrayResults)
 		if target.ScaResults != nil {
-			if e := d.generateScaViolations(target, &convertedViolations, cmdResults.EntitledForJas); e != nil {
+			if e := d.generateScaViolations(target, &convertedViolations, cmdResults.Entitlements.Jas); e != nil {
 				err = errors.Join(err, fmt.Errorf("failed to convert SCA violations for target %s: %w", target.Target, e))
 			}
 		}
 		// JAS violations (from JasResults)
 		if target.JasResults != nil {
 			if len(target.JasResults.JasViolations.SecretsScanResults) > 0 {
-				if e := results.ForEachJasIssue(target.JasResults.JasViolations.SecretsScanResults, cmdResults.EntitledForJas, convertJasViolationsToPolicyViolations(&convertedViolations, jasutils.Secrets)); e != nil {
+				if e := results.ForEachJasIssue(target.JasResults.JasViolations.SecretsScanResults, cmdResults.Entitlements.Jas, convertJasViolationsToPolicyViolations(&convertedViolations, jasutils.Secrets)); e != nil {
 					err = errors.Join(err, fmt.Errorf("failed to convert JAS Secret violations for target %s: %w", target.Target, e))
 				}
 			}
 			if len(target.JasResults.JasViolations.IacScanResults) > 0 {
-				if e := results.ForEachJasIssue(target.JasResults.JasViolations.IacScanResults, cmdResults.EntitledForJas, convertJasViolationsToPolicyViolations(&convertedViolations, jasutils.IaC)); e != nil {
+				if e := results.ForEachJasIssue(target.JasResults.JasViolations.IacScanResults, cmdResults.Entitlements.Jas, convertJasViolationsToPolicyViolations(&convertedViolations, jasutils.IaC)); e != nil {
 					err = errors.Join(err, fmt.Errorf("failed to convert JAS IaC violations for target %s: %w", target.Target, e))
 				}
 			}
 			if len(target.JasResults.JasViolations.SastScanResults) > 0 {
-				if e := results.ForEachJasIssue(target.JasResults.JasViolations.SastScanResults, cmdResults.EntitledForJas, convertJasViolationsToPolicyViolations(&convertedViolations, jasutils.Sast)); e != nil {
+				if e := results.ForEachJasIssue(target.JasResults.JasViolations.SastScanResults, cmdResults.Entitlements.Jas, convertJasViolationsToPolicyViolations(&convertedViolations, jasutils.Sast)); e != nil {
 					err = errors.Join(err, fmt.Errorf("failed to convert JAS SAST violations for target %s: %w", target.Target, e))
 				}
 			}

sca/bom/buildinfo/technologies/pnpm/pnpm_test.go

@@ -43,7 +43,7 @@ func TestBuildDependencyTreeLimitedDepth(t *testing.T) {
 			name:      "With transitive dependencies",
 			treeDepth: "1",
 			expectedUniqueDeps: []string{
-				"npm://axios:1.13.6",
+				"npm://axios:1.14.0",
 				"npm://balaganjs:1.0.0",
 				"npm://yargs:13.3.0",
 				"npm://zen-website:1.0.0",
@@ -53,7 +53,7 @@ func TestBuildDependencyTreeLimitedDepth(t *testing.T) {
 				Nodes: []*xrayUtils.GraphNode{
 					{
 						Id:    "npm://balaganjs:1.0.0",
-						Nodes: []*xrayUtils.GraphNode{{Id: "npm://axios:1.13.6"}, {Id: "npm://yargs:13.3.0"}},
+						Nodes: []*xrayUtils.GraphNode{{Id: "npm://axios:1.14.0"}, {Id: "npm://yargs:13.3.0"}},
 					},
 				},
 			},

sca/bom/xrayplugin/xraylibbom.go

@@ -16,6 +16,9 @@ import (
 	"github.com/jfrog/jfrog-client-go/utils/log"
 )
 
+// SnippetDetectionFeatureId is "curation" because snippet detection is gated by the curation entitlement on the Xray server.
+const SnippetDetectionFeatureId = "curation"
+
 type XrayLibBomGenerator struct {
 	binaryPath       string
 	snippetDetection bool

utils/results/conversion/convertor.go

@@ -123,7 +123,7 @@ func parseCommandResults[T interface{}](params ResultConvertParams, parser Resul
 		if err = parseScaResults(params, parser, cmdResults.CmdType, targetScansResults); err != nil {
 			return
 		}
-		if !cmdResults.EntitledForJas {
+		if !cmdResults.Entitlements.Jas {
 			continue
 		}
 		if err = parseJasResults(params, parser, targetScansResults); err != nil {

utils/results/conversion/cyclonedxparser/cyclonedxparser.go

@@ -73,7 +73,7 @@ func (cdc *CmdResultsCycloneDxConverter) Get() (bom *cdxutils.FullBOM, err error
 }
 
 func (cdc *CmdResultsCycloneDxConverter) Reset(metadata results.ResultsMetaData, statusCodes results.ResultsStatus, multipleTargets bool) (err error) {
-	cdc.entitledForJas = metadata.EntitledForJas
+	cdc.entitledForJas = metadata.Entitlements.Jas
 	cdc.gitContext = metadata.GitContext
 	cdc.xrayVersion = metadata.XrayVersion
 	// Reset the BOM