Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Commands to usage report #2752

Merged
merged 12 commits into from
Nov 13, 2024
Merged

Conversation

EyalDelarea
Copy link
Contributor

@EyalDelarea EyalDelarea commented Nov 10, 2024

  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....

Note: This PR depends on jfrog-cli-core#1299 & setup-jfrog-cli#224.

Description

This PR enhances the usage reporting by adding tracking for specific config and rt_build_publish command executions:

Config Command:

Adds usage tracking specifically for config command that used OIDC integration, if not - no usage is sent.
Will send config_oidc as command name

RT Build Publish Command:

Reports the rt_build_publish command usage as rt_build_publish. or rt_build_publish_auto. depends on the usage.

@EyalDelarea EyalDelarea added the improvement Automatically generated release notes label Nov 10, 2024
@EyalDelarea EyalDelarea added the safe to test Approve running integration tests on a pull request label Nov 10, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 10, 2024
Copy link
Contributor

🚨 Frogbot scanned this pull request and found the below:


This comment was marked as resolved.

Copy link
Contributor

tr

at artifactory_test.go (line 1797)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding

High
Failure to properly validate SSL certificates in connections
Full description

Overview

Improper certificate validation is a type of vulnerability that occurs when
an application does not properly validate the authenticity of a certificate
presented by a remote server.

Vulnerable example

package main

import (
    "crypto/tls"
    "net/http"
)

func doReq(req *http.Request) *http.Response {
    tr := &http.Transport{
        TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
    }
    client := &http.Client{Transport: tr}
    res, _ := client.Do(req)
    return res
}

In this example, the InsecureSkipVerify field is set to true, which
disables certificate validation, making the application vulnerable.

Remediation

tr := &http.Transport{
-    TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+    TLSClientConfig: &tls.Config{InsecureSkipVerify: false},
}

By setting InsecureSkipVerify to false, the application will validate
the authenticity of the certificate presented by the remote server.

Code Flows
Vulnerable data flow analysis result

↘️ { //#nosec G402 jfrog-ignore - false positive TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, } (at artifactory_test.go line 1768)

↘️ tr (at artifactory_test.go line 1768)

↘️ tr (at artifactory_test.go line 1797)


@EyalDelarea EyalDelarea added the safe to test Approve running integration tests on a pull request label Nov 11, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 11, 2024
@EyalDelarea EyalDelarea requested a review from eyalbe4 November 11, 2024 12:58
@EyalDelarea EyalDelarea added the safe to test Approve running integration tests on a pull request label Nov 13, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 13, 2024
@EyalDelarea EyalDelarea added the safe to test Approve running integration tests on a pull request label Nov 13, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Nov 13, 2024
@EyalDelarea EyalDelarea merged commit ebe9796 into jfrog:dev Nov 13, 2024
13 of 14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
improvement Automatically generated release notes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants