Fix multi-target flattening in scan-repository

eyalk007 · eyalk007 · commit e6cc8fc265b2 · 2025-12-18T17:58:59.000+02:00
When JFrog CLI auto-detects multiple working directories, ConvertToSimpleJson
flattens all results together, losing the association between vulnerabilities
and their specific working directories. This causes fixes to be applied to
wrong directories.

This fix:
- Processes each target separately using ConvertTargetToSimpleJson
- Maintains working directory association for accurate fixing
- Handles both single and multiple auto-detected targets uniformly

Depends on: jfrog/jfrog-cli-security#&lt;PR_NUMBER&gt;
(ConvertTargetToSimpleJson function)
diff --git a/go.mod b/go.mod
@@ -126,7 +126,7 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-// replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security dev
+replace github.com/jfrog/jfrog-cli-security => ../jfrog-cli-security
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev
 
diff --git a/go.sum b/go.sum
@@ -148,8 +148,6 @@ github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251211075913-35ebcd308e93 h1:r
 github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20251211075913-35ebcd308e93/go.mod h1:7cCaRhXorlbyXZgiW5bplCExFxlnROaG21K12d8inpQ=
 github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251210085744-f8481d179ac5 h1:GYE67ubwl+ZRw3CcXFUi49EwwQp6k+qS8sX0QuHDHO8=
 github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20251210085744-f8481d179ac5/go.mod h1:BMoGi2rG0udCCeaghqlNgiW3fTmT+TNnfTnBoWFYgcg=
-github.com/jfrog/jfrog-cli-security v1.24.2 h1:nyI0lNYR8i6yZYeBDsBJnURYsMnFKEmt7QH4vaNxtGM=
-github.com/jfrog/jfrog-cli-security v1.24.2/go.mod h1:3FXD5IkKtdQOm9CZk6cR7q0iC6PaGMnjqzZqRcQp2r0=
 github.com/jfrog/jfrog-client-go v1.55.1-0.20251217080430-c92b763b7465 h1:Ff3BlNPndrAfa1xFI/ORFzfWTxQxF0buWG61PEJwd3U=
 github.com/jfrog/jfrog-client-go v1.55.1-0.20251217080430-c92b763b7465/go.mod h1:WQ5Y+oKYyHFAlCbHN925bWhnShTd2ruxZ6YTpb76fpU=
 github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
diff --git a/scanrepository/scanrepository.go b/scanrepository/scanrepository.go
@@ -162,7 +162,7 @@ func (cfp *ScanRepositoryCmd) setCommandPrerequisites(repository *utils.Reposito
 }
 
 func (cfp *ScanRepositoryCmd) scanAndFixProject(repository *utils.Repository) (int, error) {
-	var fixNeeded bool
+	var isFixNeeded bool
 	totalFindings := 0
 	// A map that contains the full project paths as a keys
 	// The value is a map of vulnerable package names -> the scanDetails of the vulnerable packages.
@@ -203,22 +203,25 @@ func (cfp *ScanRepositoryCmd) scanAndFixProject(repository *utils.Repository) (i
 		if repository.DetectionOnly {
 			continue
 		}
-		// Prepare the vulnerabilities map for each working dir path
-		currPathVulnerabilities, err := cfp.getVulnerabilitiesMap(scanResults)
-		if err != nil {
-			if err = utils.CreateErrorIfPartialResultsDisabled(cfp.scanDetails.AllowPartialResults(), fmt.Sprintf("An error occurred while preparing the vulnerabilities map for '%s' working directory. Fixes will be skipped for this working directory", fullPathWd), err); err != nil {
-				return totalFindings, err
+
+		for _, target := range scanResults.Targets {
+			targetPath := target.Target
+			currPathVulnerabilities, err := cfp.getVulnerabilitiesMapForTarget(target, scanResults)
+			if err != nil {
+				if err = utils.CreateErrorIfPartialResultsDisabled(cfp.scanDetails.AllowPartialResults(), fmt.Sprintf("An error occurred while preparing the vulnerabilities map for '%s' working directory. Fixes will be skipped for this working directory", targetPath), err); err != nil {
+					return totalFindings, err
+				}
+				continue
 			}
-			continue
-		}
-		if len(currPathVulnerabilities) > 0 {
-			fixNeeded = true
+			if len(currPathVulnerabilities) > 0 {
+				isFixNeeded = true
+			}
+			vulnerabilitiesByPathMap[targetPath] = currPathVulnerabilities
 		}
-		vulnerabilitiesByPathMap[fullPathWd] = currPathVulnerabilities
 	}
 	if repository.DetectionOnly {
 		log.Info(fmt.Sprintf("This command is running in detection mode only. To enable automatic fixing of issues, set the '%s' environment variable to 'false'.", utils.DetectionOnlyEnv))
-	} else if fixNeeded {
+	} else if isFixNeeded {
 		return totalFindings, cfp.fixVulnerablePackages(repository, vulnerabilitiesByPathMap)
 	}
 	return totalFindings, nil
@@ -250,6 +253,18 @@ func (cfp *ScanRepositoryCmd) getVulnerabilitiesMap(scanResults *results.Securit
 	return vulnerabilitiesMap, nil
 }
 
+func (cfp *ScanRepositoryCmd) getVulnerabilitiesMapForTarget(target *results.TargetResults, scanResults *results.SecurityCommandResults) (map[string]*utils.VulnerabilityDetails, error) {
+	convertor := conversion.NewCommandResultsConvertor(conversion.ResultConvertParams{
+		IncludeVulnerabilities: scanResults.IncludesVulnerabilities(),
+		HasViolationContext:    scanResults.HasViolationContext(),
+	})
+	simpleJsonResult, err := convertor.ConvertTargetToSimpleJson(target, scanResults)
+	if err != nil {
+		return nil, err
+	}
+	return cfp.createVulnerabilitiesMapFromSimpleJson(simpleJsonResult)
+}
+
 func (cfp *ScanRepositoryCmd) fixVulnerablePackages(repository *utils.Repository, vulnerabilitiesByWdMap map[string]map[string]*utils.VulnerabilityDetails) (err error) {
 	if cfp.aggregateFixes {
 		err = cfp.fixIssuesSinglePR(repository, vulnerabilitiesByWdMap)
@@ -598,6 +613,29 @@ func (cfp *ScanRepositoryCmd) createVulnerabilitiesMap(scanResults *results.Secu
 	return vulnerabilitiesMap, nil
 }
 
+func (cfp *ScanRepositoryCmd) createVulnerabilitiesMapFromSimpleJson(simpleJsonResult formats.SimpleJsonResults) (map[string]*utils.VulnerabilityDetails, error) {
+	vulnerabilitiesMap := map[string]*utils.VulnerabilityDetails{}
+	var err error
+
+	if len(simpleJsonResult.Vulnerabilities) > 0 {
+		for i := range simpleJsonResult.Vulnerabilities {
+			if err = cfp.addVulnerabilityToFixVersionsMap(&simpleJsonResult.Vulnerabilities[i], vulnerabilitiesMap); err != nil {
+				return nil, err
+			}
+		}
+	} else if len(simpleJsonResult.SecurityViolations) > 0 {
+		for i := range simpleJsonResult.SecurityViolations {
+			if err = cfp.addVulnerabilityToFixVersionsMap(&simpleJsonResult.SecurityViolations[i], vulnerabilitiesMap); err != nil {
+				return nil, err
+			}
+		}
+	}
+	if len(vulnerabilitiesMap) > 0 {
+		log.Debug("Frogbot will attempt to resolve the following vulnerable dependencies:\n", strings.Join(maps.Keys(vulnerabilitiesMap), ",\n"))
+	}
+	return vulnerabilitiesMap, nil
+}
+
 func (cfp *ScanRepositoryCmd) addVulnerabilityToFixVersionsMap(vulnerability *formats.VulnerabilityOrViolationRow, vulnerabilitiesMap map[string]*utils.VulnerabilityDetails) error {
 	if len(vulnerability.FixedVersions) == 0 {
 		return nil
diff --git a/scanrepository/scanrepository_test.go b/scanrepository/scanrepository_test.go
@@ -696,6 +696,69 @@ func TestCreateVulnerabilitiesMap(t *testing.T) {
 	}
 }
 
+func TestGetVulnerabilitiesMapForTarget(t *testing.T) {
+	cfp := &ScanRepositoryCmd{}
+	
+	// Create scan results with multiple targets
+	scanResults := &results.SecurityCommandResults{
+		ResultsMetaData: results.ResultsMetaData{ResultContext: results.ResultContext{IncludeVulnerabilities: true}},
+		Targets: []*results.TargetResults{
+			{
+				ScanTarget: results.ScanTarget{Target: "project1"},
+				ScaResults: &results.ScaScanResults{
+					DeprecatedXrayResults: []services.ScanResponse{{
+						Vulnerabilities: []services.Vulnerability{
+							{
+								Cves:     []services.Cve{{Id: "CVE-2023-1111"}},
+								Severity: "High",
+								Components: map[string]services.Component{
+									"pkg1": {
+										FixedVersions: []string{"1.0.0"},
+										ImpactPaths:   [][]services.ImpactPathNode{{{ComponentId: "root"}, {ComponentId: "pkg1"}}},
+									},
+								},
+							},
+						},
+					}},
+				},
+			},
+			{
+				ScanTarget: results.ScanTarget{Target: "project2"},
+				ScaResults: &results.ScaScanResults{
+					DeprecatedXrayResults: []services.ScanResponse{{
+						Vulnerabilities: []services.Vulnerability{
+							{
+								Cves:     []services.Cve{{Id: "CVE-2023-2222"}},
+								Severity: "Critical",
+								Components: map[string]services.Component{
+									"pkg2": {
+										FixedVersions: []string{"2.0.0"},
+										ImpactPaths:   [][]services.ImpactPathNode{{{ComponentId: "root"}, {ComponentId: "pkg2"}}},
+									},
+								},
+							},
+						},
+					}},
+				},
+			},
+		},
+	}
+	
+	// Test converting first target
+	vulnsMap1, err := cfp.getVulnerabilitiesMapForTarget(scanResults.Targets[0], scanResults)
+	assert.NoError(t, err)
+	assert.Len(t, vulnsMap1, 1)
+	assert.Contains(t, vulnsMap1, "pkg1")
+	assert.NotContains(t, vulnsMap1, "pkg2") // Should NOT contain pkg2
+	
+	// Test converting second target
+	vulnsMap2, err := cfp.getVulnerabilitiesMapForTarget(scanResults.Targets[1], scanResults)
+	assert.NoError(t, err)
+	assert.Len(t, vulnsMap2, 1)
+	assert.Contains(t, vulnsMap2, "pkg2")
+	assert.NotContains(t, vulnsMap2, "pkg1") // Should NOT contain pkg1
+}
+
 // Verifies unsupported packages return specific error
 // Other logic is implemented inside each package-handler.
 func TestUpdatePackageToFixedVersion(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ require (`
`126`	`126`	`gopkg.in/warnings.v0 v0.1.2 // indirect`
`127`	`127`	`)`
`128`	`128`
`129`		`-// replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security dev`
	`129`	`+replace github.com/jfrog/jfrog-cli-security => ../jfrog-cli-security`
`130`	`130`
`131`	`131`	`// replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev`
`132`	`132`