
Unable to marshal Xray Scan Report

Open romelusw opened this issue 3 years ago • 11 comments

Describe the bug: the CVSS v2 and CVSS v3 max score properties appear to be float types in the API response of https://www.jfrog.com/confluence/display/JFROG/Xray+REST+API#XrayRESTAPI-GetVulnerabilitiesReportContent. My initial PR for the new reports endpoint attempted to correct that data type in the scan.go resource: https://github.com/jfrog/jfrog-client-go/pull/428#discussion_r716095933; however, @eyalbe4 suggested reverting the fix, and this is now causing marshaling issues when using the Go library.

To Reproduce

  • Trigger a new XRay report (manually)
  • Retrieve the report content using https://github.com/jfrog/jfrog-client-go#get-vulnerabilities-report-content

Expected behavior: the API response should be translatable to the models defined in https://github.com/jfrog/jfrog-client-go/tree/master/xray/services.

Versions

  • Xray_version: 3.27.4,
  • Xray_revision: 426aac5

Additional context: sample vulnerability CVE payload:

```json
"cves": [
  {
    "cve": "CVE-2021-21285",
    "cvss_v2_score": 4.3,
    "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P",
    "cvss_v3_score": 6.5,
    "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
  }
],
```

romelusw avatar Nov 15 '21 19:11 romelusw
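The mismatch described in the issue, as an added example that is not code from jfrog-client-go: the payload is the one quoted above (wrapped in the `cves` array the API returns), and the two struct types are illustrative stand-ins, not the library's own models. Decoding a JSON number into a `string` field yields a `json.UnmarshalTypeError`, while the `float64` model decodes cleanly.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// SamplePayload wraps the CVE entry quoted in the issue in the "cves" array the API returns.
const SamplePayload = `{"cves":[{"cve":"CVE-2021-21285","cvss_v2_score":4.3,` +
	`"cvss_v2_vector":"CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P","cvss_v3_score":6.5,` +
	`"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}`

// StringScoreCve is an illustrative model (not the library's struct) with the
// scores typed as string, the shape the issue reports as failing to unmarshal.
type StringScoreCve struct {
	Cve         string `json:"cve"`
	CvssV2Score string `json:"cvss_v2_score"`
	CvssV3Score string `json:"cvss_v3_score"`
}

// FloatScoreCve types the scores as float64, matching the numbers in the payload.
type FloatScoreCve struct {
	Cve         string  `json:"cve"`
	CvssV2Score float64 `json:"cvss_v2_score"`
	CvssV3Score float64 `json:"cvss_v3_score"`
}

// UnmarshalWithStringScores decodes into the string-typed model and reports
// whether the failure is a JSON type mismatch (as opposed to malformed JSON).
func UnmarshalWithStringScores(data []byte) (typeMismatch bool, err error) {
	var r struct{ Cves []StringScoreCve `json:"cves"` }
	err = json.Unmarshal(data, &r)
	var ute *json.UnmarshalTypeError
	return errors.As(err, &ute), err
}

// UnmarshalWithFloatScores decodes the same report into the float-typed model.
func UnmarshalWithFloatScores(data []byte) ([]FloatScoreCve, error) {
	var r struct{ Cves []FloatScoreCve `json:"cves"` }
	err := json.Unmarshal(data, &r)
	return r.Cves, err
}

func main() {
	mismatch, err := UnmarshalWithStringScores([]byte(SamplePayload))
	fmt.Println("string-typed scores: type mismatch =", mismatch, "err =", err)
	cves, err := UnmarshalWithFloatScores([]byte(SamplePayload))
	fmt.Printf("float-typed scores: %+v err = %v\n", cves, err)
}
```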

Thanks for pointing this out @romelusw. Feel free to issue a follow-up PR to correct this. We'll take care of making this change compatible with usages of struct you'll be modifying outside of jfrog-client-go.

eyalbe4 avatar Nov 15 '21 22:11 eyalbe4

> Thanks for pointing this out @romelusw. Feel free to issue a follow-up PR to correct this. We'll take care of making this change compatible with usages of struct you'll be modifying outside of jfrog-client-go.

@eyalbe4 please see: https://github.com/jfrog/jfrog-client-go/pull/470

romelusw avatar Nov 16 '21 17:11 romelusw

The PR is merged @romelusw. Thanks!

eyalbe4 avatar Nov 20 '21 13:11 eyalbe4

Unit test failure fix: https://github.com/jfrog/jfrog-client-go/pull/476

romelusw avatar Nov 22 '21 15:11 romelusw

Hi @romelusw, in Xray's documentation (that you referred to above) it seems like the CVSS fields ("cvss_v2" and "cvss_v3") are strings, and the CVSS scores are at the beginning of these strings. I found another API there ("/api/v1/reports/violations") where the CVSS score field is a float, but this API is not used in jfrog-client-go.

asafgabai avatar Dec 07 '21 13:12 asafgabai

Hi @asafgabai, the documentation is also incorrect, as those properties and their values do not match what is returned by the API. Please see my sample payload. You can cross-verify with an Xray instance matching the versions I described in the issue.

romelusw avatar Dec 13 '21 16:12 romelusw

@romelusw Thanks for your answer. I took a look at the PR you opened. Unfortunately, it causes compilation errors in jfrog-cli-core, so it can't be merged right now. I'll think of a solution for this and I'll update here on the progress.

asafgabai avatar Dec 15 '21 06:12 asafgabai

Hi @romelusw, I opened a PR (#497) for fixing this issue. I'll update here when it's released.

asafgabai avatar Dec 28 '21 15:12 asafgabai

Hi @romelusw, the PR was merged and released in v1.7.1. We'd appreciate your feedback on it.

asafgabai avatar Jan 02 '22 13:01 asafgabai

@asafgabai it looks good. Can you please update https://github.com/jfrog/jfrog-client-go/pull/476 to account for the new ReportCve type you introduced?

romelusw avatar Jan 07 '22 18:01 romelusw

@romelusw I'm glad to hear that. It looks like your PR (#476) doesn't need an update. The Cve struct you changed there was replaced by a new struct in my PR so there's no need to change it anymore. I guess you can close your PR.

asafgabai avatar Jan 09 '22 07:01 asafgabai