From 15fe862c4a9e96421ccdef84e1d95851094ee575 Mon Sep 17 00:00:00 2001 From: attiasas Date: Tue, 23 Dec 2025 10:50:57 +0200 Subject: [PATCH 1/4] Update Analyzer Manager to v1.28.0 --- jas/analyzermanager.go | 2 +- utils/results/common.go | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/jas/analyzermanager.go b/jas/analyzermanager.go index d93c5ec1..f6ff0fe0 100644 --- a/jas/analyzermanager.go +++ b/jas/analyzermanager.go @@ -23,7 +23,7 @@ import ( const ( ApplicabilityFeatureId = "contextual_analysis" AnalyzerManagerZipName = "analyzerManager.zip" - defaultAnalyzerManagerVersion = "1.27.0" + defaultAnalyzerManagerVersion = "1.28.0" analyzerManagerDownloadPath = "xsc-gen-exe-analyzer-manager-local/v1" analyzerManagerDirName = "analyzerManager" analyzerManagerExecutableName = "analyzerManager" diff --git a/utils/results/common.go b/utils/results/common.go index 6e049b3c..cea83934 100644 --- a/utils/results/common.go +++ b/utils/results/common.go @@ -59,6 +59,11 @@ func ForEachJasIssue(runs []*sarif.Run, entitledForJas bool, handler ParseJasIss } for _, run := range runs { for _, result := range run.Results { + if result.Kind == "informational" { + // The specified rule was evaluated and produced a purely informational result that does not indicate the presence of a problem + log.Verbose(fmt.Sprintf("Skipping informational result with rule id: %s", sarifutils.GetResultRuleId(result))) + continue + } severity, err := severityutils.ParseSeverity(result.Level, true) if err != nil { return err From 7aaf8f8b40b1ff8d5b221348c4215faa35daef65 Mon Sep 17 00:00:00 2001 From: attiasas Date: Thu, 25 Dec 2025 10:10:51 +0200 Subject: [PATCH 2/4] Limit full tree size when converting from BOM --- utils/results/common.go | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/utils/results/common.go b/utils/results/common.go index cea83934..774333d3 100644 --- a/utils/results/common.go +++ b/utils/results/common.go @@ -33,6 +33,9 @@ const ( DirectDependencyPathLength = 2 nodeModules = "node_modules" + // MaxUniqueAppearances defines the maximum number of times a dependency can appear in a dependency tree. + MaxUniqueAppearances = 10 + // #LC-LC LocationIdTemplate = "%s#L%dC%d-L%dC%d" // Applicability properties for cdx @@ -1029,10 +1032,11 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc // No dependencies or components in the SBOM, return an empty slice return } + dependencyAppearances := map[string]int8{} for _, rootEntry := range cdxutils.GetRootDependenciesEntries(sbom, false) { // Create a new GraphNode with ref as the ID, when populating the tree we need to use the ref as the ID currentTree := &xrayUtils.GraphNode{Id: rootEntry.Ref} - populateDepsNodeDataFromBom(currentTree, sbom.Dependencies) + populateDepsNodeDataFromBom(currentTree, sbom.Dependencies, dependencyAppearances) fullDependencyTrees = append(fullDependencyTrees, currentTree) } // Translate refs to Purl/Xray IDs @@ -1042,9 +1046,10 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc return } -func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency) { - if node == nil || node.NodeHasLoop() { - // If the node is nil or has a loop, return +func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency, dependencyAppearances map[string]int8) { + dependencyAppearances[node.Id]++ + if node == nil || dependencyAppearances[node.Id] >= MaxUniqueAppearances || node.NodeHasLoop() { + // If the node is nil or has a loop or appeared too many times, stop the recursion return } for _, dep := range cdxutils.GetDirectDependencies(dependencies, node.Id) { @@ -1052,7 +1057,7 @@ func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cycl // Add the dependency to the current node node.Nodes = append(node.Nodes, depNode) // Recursively populate the node data - populateDepsNodeDataFromBom(depNode, dependencies) + populateDepsNodeDataFromBom(depNode, dependencies, dependencyAppearances) } } From 65cbab1781a995a5c55b42c2511e37a32a4b4bbd Mon Sep 17 00:00:00 2001 From: attiasas Date: Thu, 25 Dec 2025 10:18:30 +0200 Subject: [PATCH 3/4] revert change --- utils/results/common.go | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/utils/results/common.go b/utils/results/common.go index 774333d3..b7639543 100644 --- a/utils/results/common.go +++ b/utils/results/common.go @@ -33,9 +33,6 @@ const ( DirectDependencyPathLength = 2 nodeModules = "node_modules" - // MaxUniqueAppearances defines the maximum number of times a dependency can appear in a dependency tree. - MaxUniqueAppearances = 10 - // #LC-LC LocationIdTemplate = "%s#L%dC%d-L%dC%d" // Applicability properties for cdx @@ -1032,11 +1029,10 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc // No dependencies or components in the SBOM, return an empty slice return } - dependencyAppearances := map[string]int8{} for _, rootEntry := range cdxutils.GetRootDependenciesEntries(sbom, false) { // Create a new GraphNode with ref as the ID, when populating the tree we need to use the ref as the ID currentTree := &xrayUtils.GraphNode{Id: rootEntry.Ref} - populateDepsNodeDataFromBom(currentTree, sbom.Dependencies, dependencyAppearances) + populateDepsNodeDataFromBom(currentTree, sbom.Dependencies) fullDependencyTrees = append(fullDependencyTrees, currentTree) } // Translate refs to Purl/Xray IDs @@ -1046,10 +1042,9 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc return } -func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency, dependencyAppearances map[string]int8) { - dependencyAppearances[node.Id]++ - if node == nil || dependencyAppearances[node.Id] >= MaxUniqueAppearances || node.NodeHasLoop() { - // If the node is nil or has a loop or appeared too many times, stop the recursion +func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency) { + if node == nil || node.NodeHasLoop() { + // If the node is nil or has a loop. stop the recursion return } for _, dep := range cdxutils.GetDirectDependencies(dependencies, node.Id) { @@ -1057,7 +1052,7 @@ func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cycl // Add the dependency to the current node node.Nodes = append(node.Nodes, depNode) // Recursively populate the node data - populateDepsNodeDataFromBom(depNode, dependencies, dependencyAppearances) + populateDepsNodeDataFromBom(depNode, dependencies) } } From 26bed4c3c6cc9e819ced4d86060ad1ea94bf647e Mon Sep 17 00:00:00 2001 From: attiasas Date: Thu, 25 Dec 2025 10:19:15 +0200 Subject: [PATCH 4/4] revert comment --- utils/results/common.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/results/common.go b/utils/results/common.go index b7639543..cea83934 100644 --- a/utils/results/common.go +++ b/utils/results/common.go @@ -1044,7 +1044,7 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency) { if node == nil || node.NodeHasLoop() { - // If the node is nil or has a loop. stop the recursion + // If the node is nil or has a loop, return return } for _, dep := range cdxutils.GetDirectDependencies(dependencies, node.Id) {