From 7243c452e0b0f33591059305da8c16bfcb386ff0 Mon Sep 17 00:00:00 2001
From: Yahav Itzhak
Date: Thu, 9 Nov 2023 13:46:27 +0200
Subject: [PATCH] Fine tune JFrog Advanced Security on this project (#2299)
---
 .jfrog/jfrog-apps-config.yml | 21 +++++++++++++++++++
 Jenkinsfile | 2 ++
 testdata/npm/npmnpmrcproject/.npmrc | 1 +
 .../jas-config/sast/flask_webgoat/__init__.py | 1 +
 .../jas-test/sast/flask_webgoat/__init__.py | 1 +
 utils/tests/consts.go | 8 ++++---
 xray_test.go | 2 ++
 7 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 .jfrog/jfrog-apps-config.yml
diff --git a/.jfrog/jfrog-apps-config.yml b/.jfrog/jfrog-apps-config.yml
new file mode 100644
index 000000000..d775c8dde
--- /dev/null
+++ b/.jfrog/jfrog-apps-config.yml
@@ -0,0 +1,21 @@
+version: "1.0"
+modules:
+ - exclude_patterns:
+ - "**/.git/**"
+ - "**/node_modules/**"
+ - "**/out/**"
+
+ # Included in .gitignore:
+ - "**/.vscode/**"
+ - "**/.idea/**"
+ exclude_scanners:
+ - "iac"
+ scanners:
+ sast:
+ exclude_patterns:
+ - "**/testdata/**"
+ - "**/docs/**"
+ secrets:
+ exclude_patterns:
+ - "**/testdata/xray/jas-config/secrets/**"
+ - "**/testdata/xray/jas-test/secrets/**"
diff --git a/Jenkinsfile b/Jenkinsfile
index df9c92979..c5f2e9671 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -194,6 +194,7 @@ def downloadToolsCert() {
 // Config Repo21 as default server.
 def configRepo21() {
 withCredentials([
+ // jfrog-ignore - false positive
 usernamePassword(credentialsId: 'repo21', usernameVariable: 'REPO21_USER', passwordVariable: 'REPO21_PASSWORD'),
 string(credentialsId: 'repo21-url', variable: 'REPO21_URL')
 ]) {
@@ -466,6 +467,7 @@ def publishChocoPackage(version, jfrogCliRepoDir, architectures) {
 def dockerLogin(){
 withCredentials([
+ // jfrog-ignore - false positive
 usernamePassword(credentialsId: 'repo21', usernameVariable: 'REPO21_USER', passwordVariable: 'REPO21_PASSWORD'),
 string(credentialsId: 'repo21-url', variable: 'REPO21_URL')
 ]) {
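Review bot: `exclude_scanners: - "iac"` is the one exclusion in the new file that carries no reason, while the `.vscode`/`.idea` entries get `# Included in .gitignore:`; a one-line comment such as `# no IaC sources to scan; re-enable if infrastructure templates are added` (if that is indeed the reason) would let the next maintainer judge whether dropping a whole scanner is still justified. The secrets `exclude_patterns` cover only the two `jas-*/secrets/**` fixture trees, yet the same commit silences secret findings in `testdata/npm/npmnpmrcproject/.npmrc`, `utils/tests/consts.go` and the two `flask_webgoat/__init__.py` fixtures with inline `jfrog-ignore` comments instead, so a comment here stating which mechanism is preferred (path exclusion for whole fixture trees, inline marker for single lines) would keep future test data from being handled case by case. Note also that `**/testdata/**` is excluded from `sast` only, so the secrets scanner still walks the remaining fixtures; if that is intentional it deserves a comment next to the `sast` entry.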
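Review bot: `// jfrog-ignore - false positive` in configRepo21 does not say what was flagged or why it is false, so a later reader cannot tell whether the suppression is still valid. The line it covers only names a Jenkins credential ID (`credentialsId: 'repo21'`) and the variables it is bound to, so a marker that records that, e.g. `// jfrog-ignore - credentialsId/passwordVariable are names resolved by Jenkins, no secret literal here`, keeps the justification next to the suppression. The identical comment is added in the dockerLogin hunk at `@@ -466,6 +467,7 @@` and should say the same; both `withCredentials([...]) {` blocks continue past their hunks.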
diff --git a/testdata/npm/npmnpmrcproject/.npmrc b/testdata/npm/npmnpmrcproject/.npmrc
index 73f067634..b38227afb 100755
--- a/testdata/npm/npmnpmrcproject/.npmrc
+++ b/testdata/npm/npmnpmrcproject/.npmrc
@@ -3,4 +3,5 @@ registry=http://NO-NO-REPO/
 _auth=YWRtaW46QVBFG1ZkZFMzN3NCakJiaRFVBThVb0JlZzFl
 always-auth=true
 email=ddd@dd.dd
+# jfrog-ignore - not a real token
 //NO-NO-REPO/:_authToken=eyJ2ZXIiOzfsdhiOiIyR3A5cDlUYW44NmpaTkxDNlBpa0lmWTU1Uk9Kc1pfNGlFUnRQLVsdfhZmFjdG9yeUBsdhjZDc2MGJmOC0wNjI0LTQwYTYtOGEyMS0zOTViMzg1OWQzNzVcL3VzZXJzXC9hZG1pbiIsInNjcCI6Im1lbWJlci1vZi1ncm91cHM6KiBhcGk6KiIsImF1ZCI6ImpmLWFydGlmYWN0b3J5QGNkNzYwYmY4LTA2MjQtNDBhNisdhmpmLWFydGlmYWN0b3J5QGNkNzYwYmY4LTA2MjQtNDBhNi04YTIxLTM5NWIzODU5ZDM3NSIsImlhdCI6MTUxMzI0MjcxMywianRpIjoiNWZiYmY1ZDAtYjUzNC00ZWMxLWE3NDItZTRiMjNmZDA4YTI5In0.pwNys1ek1v7BtjESjlEMgiVLAdD60vwh1EWvuoGSaxAvu1ppW1fwCJmNjJ69HJbA58tq-AfkusKhr7juoIw2TaIsikyrnrDHv1ELaFupAxDMkDfx4w1GQO3dMzWYDAYoVfeaImpdXQ3_pKemR5eLiRiqJrtEfj52OfIFyVPOuBTvtoqDe8-DvFNFz0TyUAfbLvya8S9I6KGr2mxR4v8eir4me8zp0lPBm7oIKL_tfgr5uP9naTrUg5Ydfkc-vhwU0jK-45R3RQPbpW-NE78yy17TVJuxgE0s2OtMWmLpvr3FJaPCJ5VGPtRexJFbN_7BhR2tl02Wys41lk6pqSpRlA
\ No newline at end of file
diff --git a/testdata/xray/jas-config/sast/flask_webgoat/__init__.py b/testdata/xray/jas-config/sast/flask_webgoat/__init__.py
index 9e2f505a6..19619e056 100644
--- a/testdata/xray/jas-config/sast/flask_webgoat/__init__.py
+++ b/testdata/xray/jas-config/sast/flask_webgoat/__init__.py
@@ -19,6 +19,7 @@ def query_db(query, args=(), one=False, commit=False):
 def create_app():
 app = Flask(__name__)
+ # jfrog-ignore - disable secrets scan findings
 app.secret_key = "aeZ1iwoh2ree2mo0Eereireong4baitixaixu5Ee"
 db_path = Path(DB_FILENAME)
diff --git a/testdata/xray/jas-test/sast/flask_webgoat/__init__.py b/testdata/xray/jas-test/sast/flask_webgoat/__init__.py
index 9e2f505a6..19619e056 100644
--- a/testdata/xray/jas-test/sast/flask_webgoat/__init__.py
+++ b/testdata/xray/jas-test/sast/flask_webgoat/__init__.py
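Review bot: The new `# jfrog-ignore - not a real token` marker covers only the `_authToken` line, while the `_auth=` line three lines above in the same fixture is the same kind of credential-looking fixture value and gets no marker; if the scanner reports that line as well the comment belongs above it too, and if it does not, saying so spares the next person a re-check, e.g. `# jfrog-ignore - not a real token (the _auth value above is fixture data as well)`. The file still ends without a trailing newline (`\ No newline at end of file`), which predates this change but will keep showing up in every hunk that touches it.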
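Review bot: `# jfrog-ignore - disable secrets scan findings` says what the marker does but not why the hard-coded `app.secret_key` is acceptable here, which is what a reader deciding whether to keep the suppression needs. This file sits under `testdata/xray/jas-config/sast/`, which the new `.jfrog/jfrog-apps-config.yml` excludes from SAST but not from the secrets scanner, so presumably the literal key is part of the deliberately insecure fixture input; a comment such as `# jfrog-ignore - fixture input for the SAST tests; the hard-coded key is intentional` would make that explicit. The identical line is added in the `testdata/xray/jas-test/sast/flask_webgoat/__init__.py` hunk and should read the same. `create_app` continues past the hunk.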
@@ -19,6 +19,7 @@ def query_db(query, args=(), one=False, commit=False):
 def create_app():
 app = Flask(__name__)
+ # jfrog-ignore - disable secrets scan findings
 app.secret_key = "aeZ1iwoh2ree2mo0Eereireong4baitixaixu5Ee"
 db_path = Path(DB_FILENAME)
diff --git a/utils/tests/consts.go b/utils/tests/consts.go
index fdd8729c0..b6e99dc77 100644
--- a/utils/tests/consts.go
+++ b/utils/tests/consts.go
@@ -220,9 +220,11 @@ var (
 GoPublishWithExclusionPath = "github.com/jfrog/dependency/@v/github.com/jfrog/dependency@v1.1.1/"
 // Users
- UserName1 = "alice"
- Password1 = "A12356789z"
- UserName2 = "bob"
+ UserName1 = "alice"
+ // jfrog-ignore - not a real password
+ Password1 = "A12356789z"
+ UserName2 = "bob"
+ // jfrog-ignore - not a real password
 Password2 = "1B234578y9"
 ProjectKey = "prj"
 )
diff --git a/xray_test.go b/xray_test.go
index cf70543d8..a0f024cf0 100644
--- a/xray_test.go
+++ b/xray_test.go
@@ -421,6 +421,8 @@ func TestXrayAuditMultiProjects(t *testing.T) {
 multiProject := filepath.Join(filepath.FromSlash(tests.GetTestResourcesPath()), "xray")
 // Copy the multi project from the testdata to a temp dir
 assert.NoError(t, biutils.CopyDir(multiProject, tempDirPath, true, nil))
+ prevWd := changeWD(t, tempDirPath)
+ defer clientTestUtils.ChangeDirAndAssert(t, prevWd)
 workingDirsFlag := fmt.Sprintf("--working-dirs=%s, %s ,%s, %s", filepath.Join(tempDirPath, "maven"), filepath.Join(tempDirPath, "nuget", "single4.0"), filepath.Join(tempDirPath, "python", "pip"), filepath.Join(tempDirPath, "jas-test"))
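Review bot: Placing the marker on its own line splits the gofmt alignment group, which is why the otherwise untouched `UserName1` and `UserName2` lines appear as removed and re-added in the consts.go hunk; if the scanner honours end-of-line markers, `Password1 = "A12356789z" // jfrog-ignore - not a real password` (and likewise for `Password2`) keeps the `var` block aligned and limits the diff to the two password lines. Whichever placement is kept, the comment could say what the value is for rather than only what it is not, e.g. `// jfrog-ignore - fixed credential for a test user (presumably created by the integration tests); not a real password`, since "not a real password" alone does not tell a reader whether the value is ever sent to a server. The `var (` block opens before the hunk.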