Add diff logic and parallel logger support for audit #642
Conversation
…Results) - based on v1.24.2
- Add branchdiff.go with RunBranchDiffAudit function - Scans target branch first, then source branch (sequential) - SCA diff handled internally by CLI - JAS diff handled by CompareJasResults - Add MergeStatusCodes for partial results filtering - Status codes merged (worst of target + source) for frogbot filtering
- Add logger field to AuditBasicParams with getter/setter - RunAudit swaps global logger if custom logger provided - Enables frogbot to capture logs per-scan for ordered output
- Add LogCollector that captures logs in isolated buffer per audit - Enables parallel audits without log interleaving - Uses goroutine-local logger from jfrog-client-go - Propagate logger to child goroutines in JAS runner and SCA scan - Remove unused diff completion log message
eyalk007
added
the
safe to test
github-actions
bot
removed
the
safe to test
attiasas
left a comment
attiasas
left a comment
There was a problem hiding this comment.
Nice work! checkout my comments, also:
- Update the PR description with the changes
- Adjust tests base on changes
commands/audit/logcollector.go
Outdated
| @@ -0,0 +1,41 @@ | |||
| package audit | |||
There was a problem hiding this comment.
maybe this should be at jfrog/jfrog-client-go#1297?
There was a problem hiding this comment.
these are the options
Move LogCollector to client-go - but it's really just a wrapper
Delete LogCollector entirely - Frogbot can use BufferedLogger directly from client-go
or we Keep it as is
There was a problem hiding this comment.
Removing code from repo is always good :)
If you already passing it in params, just use it no need for wrapper here
There was a problem hiding this comment.
doen tell me if you like it now
|
|
||
| // replace github.com/jfrog/froggit-go => github.com/jfrog/froggit-go master | ||
|
|
||
| replace github.com/jfrog/jfrog-client-go => github.com/eyalk007/jfrog-client-go v0.0.0-20260114112951-67b77f49255f |
There was a problem hiding this comment.
Reminder to remove replace after merging dependend PR
|
|
||
| // CompareJasResults computes the diff between target and source JAS results. | ||
| // Returns only NEW findings in source that don't exist in target. | ||
| func CompareJasResults(targetResults, sourceResults *SecurityCommandResults) *SecurityCommandResults { |
There was a problem hiding this comment.
IDK about the func name, it does not compare, it filters Source results that exists at target
utils/results/diff.go
Outdated
| func extractLocationsOnly(run *sarif.Run, targetKeys map[string]bool) { | ||
| for _, result := range run.Results { | ||
| for _, location := range result.Locations { | ||
| key := getRelativeLocationFileName(location, run.Invocations) + getLocationSnippetText(location) |
There was a problem hiding this comment.
what about file name changes? it will not catch this...
why are we first filtering only locations and than by fingerprints, can we do it in one go? (reducing go over results multile times)
There was a problem hiding this comment.
For SAST: Uses fingerprints (precise_sink_and_sink_function) which are content-based, so renames don't matter
for secrets and iac -
This is a known limitation - AM doesn't handle file renames either. If you rename a file, existing findings in that file will show as "new" in the diff. This is acceptable
There was a problem hiding this comment.
We can write a todo and create a ticket for it, but i dont believe we should handle it now
commands/audit/logcollector.go
Outdated
| @@ -0,0 +1,41 @@ | |||
| package audit | |||
There was a problem hiding this comment.
Removing code from repo is always good :)
If you already passing it in params, just use it no need for wrapper here
commands/audit/audit.go
Outdated
| // Worker goroutines need this propagated so their logs are captured in the same buffer. | ||
| currentLogger := log.GetLogger() | ||
| jasTask := createJasScansTask(auditParallelRunner, scanResults, serverDetails, auditParams, jasScanner) | ||
| wrappedJasTask := func(threadId int) error { | ||
| // Propagate parent's logger to this worker goroutine for isolated log capture | ||
| log.SetLoggerForGoroutine(currentLogger) | ||
| defer log.ClearLoggerForGoroutine() | ||
| return jasTask(threadId) | ||
| } | ||
| if _, jasErr := auditParallelRunner.Runner.AddTaskWithError(wrappedJasTask, func(taskErr error) { |
There was a problem hiding this comment.
I think you can use WrapTaskWithLoggerPropagation here as well
| log.Info("[DIFF] New findings after diff - Secrets:", diffSecrets, "| IaC:", diffIac, "| SAST:", diffSast) | ||
| log.Info("[DIFF] Filtered out - Secrets:", sourceSecrets-diffSecrets, "| IaC:", sourceIac-diffIac, "| SAST:", sourceSast-diffSast) |
There was a problem hiding this comment.
| log.Info("[DIFF] New findings after diff - Secrets:", diffSecrets, "| IaC:", diffIac, "| SAST:", diffSast) | |
| log.Info("[DIFF] Filtered out - Secrets:", sourceSecrets-diffSecrets, "| IaC:", sourceIac-diffIac, "| SAST:", sourceSast-diffSast) | |
| log.Debug("[DIFF] New findings after diff - Secrets:", diffSecrets, "| IaC:", diffIac, "| SAST:", diffSast) | |
| log.Debug("[DIFF] Filtered out - Secrets:", sourceSecrets-diffSecrets, "| IaC:", sourceIac-diffIac, "| SAST:", sourceSast-diffSast) |
There was a problem hiding this comment.
i acutally think they are good info logs
its for hte userr to undestand the state post diff, im waiting on or to tell me what she thinks on logs @orto17
There was a problem hiding this comment.
talked to or she wants them as info
| // CompareJasResults computes the diff between target and source JAS results. | ||
| // Returns only NEW findings in source that don't exist in target. | ||
| func CompareJasResults(targetResults, sourceResults *SecurityCommandResults) *SecurityCommandResults { | ||
| log.Info("[DIFF] Starting JAS diff calculation") |
There was a problem hiding this comment.
| log.Info("[DIFF] Starting JAS diff calculation") | |
| log.Debug("[DIFF] Starting JAS diff calculation") |
There was a problem hiding this comment.
dont know if i agrree with it, i think it should be info, we can maybe do it in frogbot and log it info there
@orto17
There was a problem hiding this comment.
talked to or she wants them on info
attiasas
left a comment
attiasas
left a comment
There was a problem hiding this comment.
If we are moving diff logic here, do we still need the logic in:
jas/sast/jas/secrets/jas/iac?
talking about:
log.Debug("Diff mode - SAST results to compare provided")
manager.resultsToCompareFileName = filepath.Join(scannerTempDir, "target.sarif")
// Save the sast results to compare as a report
err = jas.SaveScanResultsToCompareAsReport(manager.resultsToCompareFileName, resultsToCompare...)
make sure if not needed to delete related logic
- Rename filterExistingFindings to excludeExistingFindingsInTargets - Extract countJasFindings and extractAllJasResultKeys helpers - Move getSastFingerprint to sarifutils.GetSastDiffFingerprint - Use WrapTaskWithLoggerPropagation helper in audit.go - Remove LogCollector wrapper - use BufferedLogger directly from client-go
When merging SCA and JAS diff results, the ResultsStatus field was not being copied, causing all status codes (SastStatusCode, IacStatusCode, etc.) to remain nil. This resulted in Frogbot displaying 'Not Scanned' for JAS scans even when they ran successfully but produced 0 new findings after diff. Now properly merging SCA status codes (including ContextualAnalysis) and JAS-only status codes (SAST, Secrets, IaC) into the unified results.
eyalk007
force-pushed
the
parallel-scanning-v3-compat
branch
from
5e7efdc to
bccd932
Compare
2 participants
devbranch.go vet ./....go fmt ./....Depends on: