Skip to content

Fix multi-target flattening in scan-repository #1003

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
eyalk007 wants to merge 3 commits into
base: dev
Choose a base branch
from
Open

Fix multi-target flattening in scan-repository #1003

eyalk007 wants to merge 3 commits into from
+129 −18

Conversation

@eyalk007
Copy link
Collaborator

@eyalk007 eyalk007 commented Dec 18, 2025

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.
  • Update documentation about new features / new supported technologies

When JFrog CLI auto-detects multiple working directories, ConvertToSimpleJson flattens all results together, losing the association between vulnerabilities and their specific working directories. In cases of multi-module, this causes fixes to be attempted at root level and not the correct target.

This fix:

  • Processes each target separately using ConvertTargetToSimpleJson
  • Maintains working directory association for accurate fixing
  • Handles both single and multiple auto-detected targets uniformly

@eyalk007 eyalk007 requested a review from orto17 December 18, 2025 16:05
@eyalk007 eyalk007 self-assigned this Dec 18, 2025
@eyalk007 eyalk007 added the bug Something isn't working label Dec 18, 2025
@eyalk007 eyalk007 added the safe to test Approve running integration tests on a pull request label Dec 18, 2025
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Dec 18, 2025
@eyalk007 eyalk007 force-pushed the fix-multi-target-flattening branch from e6cc8fc to fa8cc30 Compare December 18, 2025 20:17
@eyalk007
Fix multi-target flattening in scan-repository
d0561b0 
When JFrog CLI auto-detects multiple working directories, ConvertToSimpleJson
flattens all results together, losing the association between vulnerabilities
and their specific working directories.

This fix:
1. Uses IncludeTargets parameter to filter each target separately
2. Limits package handler file walks to current directory only
   - Prevents fixing vulnerabilities in auto-detected subdirectory targets
   - Each target processes its own descriptor files independently

Depends on: IncludeTargets feature in jfrog-cli-security
(currently in attiasas/convert_include_targets branch)
@eyalk007 eyalk007 force-pushed the fix-multi-target-flattening branch from fa8cc30 to d0561b0 Compare December 24, 2025 12:38
eyalk007
eyalk007 commented Dec 29, 2025
View reviewed changes
go.mod
)

// replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security dev
replace github.com/jfrog/jfrog-cli-security => ../jfrog-cli-security
Copy link
Collaborator Author

@eyalk007 eyalk007 Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

replace once cli merges

Copy link
Collaborator Author

@eyalk007 eyalk007 Dec 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

jfrog/jfrog-cli-security#629 (review)

@eyalk007
Simplify comment on skipping subdirectories
785b8c5 
Removed comment about subdirectories being separate targets.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@orto17 orto17 Awaiting requested review from orto17

Assignees

@eyalk007 eyalk007

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@eyalk007