jfrog · barv-jfrog · Jan 27, 2025 · Jan 27, 2025 · Jan 29, 2025 · Feb 2, 2025
diff --git a/commands/audit/audit.go b/commands/audit/audit.go
@@ -3,6 +3,7 @@ package audit
 import (
 	"errors"
 	"fmt"
+	"github.com/jfrog/jfrog-cli-security/jas/maliciouscode"
 	"strings"
 
 	"github.com/jfrog/gofrog/parallel"
@@ -203,7 +204,7 @@ func (auditCmd *AuditCommand) Run() (err error) {
 func (auditCmd *AuditCommand) getResultWriter(cmdResults *results.SecurityCommandResults) *output.ResultsWriter {
 	var messages []string
 	if !cmdResults.EntitledForJas {
-		messages = []string{coreutils.PrintTitle("The ‘jf audit’ command also supports JFrog Advanced Security features, such as 'Contextual Analysis', 'Secret Detection', 'IaC Scan' and ‘SAST’.\nThis feature isn't enabled on your system. Read more - ") + coreutils.PrintLink(utils.JasInfoURL)}
+		messages = []string{coreutils.PrintTitle("The ‘jf audit’ command also supports JFrog Advanced Security features, such as 'Contextual Analysis', 'Secret Detection', 'Malicious Code Scan', 'IaC Scan' and ‘SAST’.\nThis feature isn't enabled on your system. Read more - ") + coreutils.PrintLink(utils.JasInfoURL)}
 	}
 	return output.NewResultsWriter(cmdResults).
 		SetOutputFormat(auditCmd.OutputFormat()).
@@ -352,6 +353,7 @@ func createJasScansTasks(auditParallelRunner *utils.SecurityParallelRunner, scan
 				ConfigProfile:               auditParams.configProfile,
 				ScansToPerform:              auditParams.ScansToPerform(),
 				SecretsScanType:             secrets.SecretsScannerType,
+				MaliciousScanType:           maliciouscode.MaliciousScannerType,
 				DirectDependencies:          auditParams.DirectDependencies(),
 				ThirdPartyApplicabilityScan: auditParams.thirdPartyApplicabilityScan,
 				ApplicableScanType:          applicability.ApplicabilityScannerType,

diff --git a/commands/scan/scan.go b/commands/scan/scan.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/jfrog/jfrog-cli-security/jas/maliciouscode"
 	"os/exec"
 	"path/filepath"
 	"regexp"
@@ -500,6 +501,7 @@ func (scanCmd *ScanCommand) createIndexerHandlerFunc(file *spec.File, cmdResults
 					Module:             module,
 					ScansToPerform:     utils.GetAllSupportedScans(),
 					SecretsScanType:    secrets.SecretsScannerDockerScanType,
+					MaliciousScanType:  maliciouscode.MaliciousScannerDockerScanType,
 					DirectDependencies: directDepsListFromVulnerabilities(*graphScanResults),
 					ApplicableScanType: applicability.ApplicabilityDockerScanScanType,
 					ScanResults:        targetResults,

diff --git a/go.mod b/go.mod
@@ -111,7 +111,7 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-// replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go dev
+replace github.com/jfrog/jfrog-client-go => github.com/barv-jfrog/jfrog-client-go v0.0.0-20250227080554-3796e0126a92
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev
 
@@ -120,3 +120,5 @@ require (
 // replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go dev
 
 // replace github.com/jfrog/froggit-go => github.com/jfrog/froggit-go dev
+
+replace github.com/jfrog/jfrog-apps-config => github.com/barv-jfrog/jfrog-apps-config v0.0.0-20250128142442-6fd49006bb85
diff --git a/go.sum b/go.sum
@@ -22,6 +22,10 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuW
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/barv-jfrog/jfrog-apps-config v0.0.0-20250128142442-6fd49006bb85 h1:kNdHaJdeD1QBQ0czgrfKqrcND3T+6dInSI8s23lW4Cw=
+github.com/barv-jfrog/jfrog-apps-config v0.0.0-20250128142442-6fd49006bb85/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
+github.com/barv-jfrog/jfrog-client-go v0.0.0-20250227080554-3796e0126a92 h1:XueIjtY5Q95SuqHUNhRfDdrIKqCALzNAPaqz306vGzg=
+github.com/barv-jfrog/jfrog-client-go v0.0.0-20250227080554-3796e0126a92/go.mod h1:2tQPwRhGS/F357BOKFfZrQbjd4XbzHPYUQm/OFNwLHg=
 github.com/beevik/etree v1.4.0 h1:oz1UedHRepuY3p4N5OjE0nK1WLCqtzHf25bxplKOHLs=
 github.com/beevik/etree v1.4.0/go.mod h1:cyWiXwGoasx60gHvtnEh5x8+uIjUVnjWqBvEnhnqKDA=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
@@ -126,14 +130,10 @@ github.com/jfrog/froggit-go v1.16.2 h1:F//S83iXH14qsCwYzv0zB2JtjS2pJVEsUoEmYA+37
 github.com/jfrog/froggit-go v1.16.2/go.mod h1:5VpdQfAcbuyFl9x/x8HGm7kVk719kEtW/8YJFvKcHPA=
 github.com/jfrog/gofrog v1.7.6 h1:QmfAiRzVyaI7JYGsB7cxfAJePAZTzFz0gRWZSE27c6s=
 github.com/jfrog/gofrog v1.7.6/go.mod h1:ntr1txqNOZtHplmaNd7rS4f8jpA5Apx8em70oYEe7+4=
-github.com/jfrog/jfrog-apps-config v1.0.1 h1:mtv6k7g8A8BVhlHGlSveapqf4mJfonwvXYLipdsOFMY=
-github.com/jfrog/jfrog-apps-config v1.0.1/go.mod h1:8AIIr1oY9JuH5dylz2S6f8Ym2MaadPLR6noCBO4C22w=
 github.com/jfrog/jfrog-cli-artifactory v0.2.0 h1:4jEbIpJIeu8HsduZHr8L6e0bKQrhn6BLyq/aCRoKPQk=
 github.com/jfrog/jfrog-cli-artifactory v0.2.0/go.mod h1:U9gkQhxSPv6tXYEdj0kdsCrmFUjcvYmizrh+DztDxXc=
 github.com/jfrog/jfrog-cli-core/v2 v2.58.1 h1:ZktHuEVDBkM21JNp/0V3HGcMAMt7DLl1iQlbyBNKucE=
 github.com/jfrog/jfrog-cli-core/v2 v2.58.1/go.mod h1:75J6/Z5sMuRAloMAqJtMJIXqNTC1eFh/SulgLGm2fIY=
-github.com/jfrog/jfrog-client-go v1.51.0 h1:O9sgpgEDBW9t05brGYwNR/NMqJ/e3WZY9G8Wge2xR+Q=
-github.com/jfrog/jfrog-client-go v1.51.0/go.mod h1:2tQPwRhGS/F357BOKFfZrQbjd4XbzHPYUQm/OFNwLHg=
 github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k=
 github.com/k0kubun/pp v3.0.1+incompatible/go.mod h1:GWse8YhT0p8pT4ir3ZgBbfZild3tgzSScAn6HmfYukg=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=

diff --git a/jas/maliciouscode/maliciouscodescanner.go b/jas/maliciouscode/maliciouscodescanner.go
@@ -0,0 +1,101 @@
+package maliciouscode
+
+import (
+	clientutils "github.com/jfrog/jfrog-client-go/utils"
+	"path/filepath"
+
+	jfrogappsconfig "github.com/jfrog/jfrog-apps-config/go"
+	"github.com/jfrog/jfrog-cli-security/jas"
+	"github.com/jfrog/jfrog-cli-security/utils"
+	"github.com/jfrog/jfrog-cli-security/utils/formats/sarifutils"
+	"github.com/jfrog/jfrog-cli-security/utils/jasutils"
+	"github.com/jfrog/jfrog-client-go/utils/log"
+	"github.com/owenrumney/go-sarif/v2/sarif"
+)
+
+const (
+	maliciousScanCommand   = "mal"
+	maliciousDocsUrlSuffix = "malicious"
+
+	MaliciousScannerType           MaliciousScanType = "malicious-scan"        // #nosec
+	MaliciousScannerDockerScanType MaliciousScanType = "malicious-docker-scan" // #nosec
+)
+
+type MaliciousScanType string
+
+type MaliciousScanManager struct {
+	scanner         *jas.JasScanner
+	scanType        MaliciousScanType
+	configFileName  string
+	resultsFileName string
+}
+
+// The getMaliciousScanResults function runs the malicious code scan flow, which includes the following steps:
+// Creating an MaliciousSecretManager object.
+// Running the analyzer manager executable.
+// Parsing the analyzer manager results.
+func RunMaliciousScan(scanner *jas.JasScanner, scanType MaliciousScanType, module jfrogappsconfig.Module, threadId int) (vulnerabilitiesResults []*sarif.Run, violationsResults []*sarif.Run, err error) {
+	var scannerTempDir string
+	if scannerTempDir, err = jas.CreateScannerTempDirectory(scanner, jasutils.MaliciousCode.String()); err != nil {
+		return
+	}
+	maliciousScanManager := newMaliciousScanManager(scanner, scanType, scannerTempDir)
+	log.Info(clientutils.GetLogMsgPrefix(threadId, false) + "Running Malicious code scan...")
+	if vulnerabilitiesResults, violationsResults, err = maliciousScanManager.scanner.Run(maliciousScanManager, module); err != nil {
+		return
+	}
+	log.Info(utils.GetScanFindingsLog(utils.MaliciousCodeScan, sarifutils.GetResultsLocationCount(vulnerabilitiesResults...), sarifutils.GetResultsLocationCount(violationsResults...), threadId))
+	return
+}
+
+func newMaliciousScanManager(scanner *jas.JasScanner, scanType MaliciousScanType, scannerTempDir string) (manager *MaliciousScanManager) {
+	return &MaliciousScanManager{
+		scanner:         scanner,
+		scanType:        scanType,
+		configFileName:  filepath.Join(scannerTempDir, "config.yaml"),
+		resultsFileName: filepath.Join(scannerTempDir, "results.sarif"),
+	}
+}
+
+func (msm *MaliciousScanManager) Run(module jfrogappsconfig.Module) (vulnerabilitiesSarifRuns []*sarif.Run, violationsSarifRuns []*sarif.Run, err error) {
+	if err = msm.createConfigFile(module, msm.scanner.Exclusions...); err != nil {
+		return
+	}
+	if err = msm.runAnalyzerManager(); err != nil {
+		return
+	}
+	return jas.ReadJasScanRunsFromFile(msm.resultsFileName, module.SourceRoot, maliciousDocsUrlSuffix, msm.scanner.MinSeverity)
+}
+
+type maliciousScanConfig struct {
+	Scans []maliciousScanConfiguration `yaml:"scans"`
+}
+
+type maliciousScanConfiguration struct {
+	Roots       []string `yaml:"roots"`
+	Output      string   `yaml:"output"`
+	Type        string   `yaml:"type"`
+	SkippedDirs []string `yaml:"skipped-folders"`
+}
+
+func (m *MaliciousScanManager) createConfigFile(module jfrogappsconfig.Module, exclusions ...string) error {
+	roots, err := jas.GetSourceRoots(module, module.Scanners.MaliciousCode)
+	if err != nil {
+		return err
+	}
+	configFileContent := maliciousScanConfig{
+		Scans: []maliciousScanConfiguration{
+			{
+				Roots:       roots,
+				Output:      m.resultsFileName,
+				Type:        string(m.scanType),
+				SkippedDirs: jas.GetExcludePatterns(module, module.Scanners.MaliciousCode, exclusions...),
+			},
+		},
+	}
+	return jas.CreateScannersConfigFile(m.configFileName, configFileContent, jasutils.MaliciousCode)
+}
+
+func (m *MaliciousScanManager) runAnalyzerManager() error {
+	return m.scanner.AnalyzerManager.Exec(m.configFileName, maliciousScanCommand, filepath.Dir(m.scanner.AnalyzerManager.AnalyzerManagerFullPath), m.scanner.ServerDetails, m.scanner.EnvVars)
+}
diff --git a/jas/maliciouscode/maliciouscodescanner_test.go b/jas/maliciouscode/maliciouscodescanner_test.go
@@ -0,0 +1,118 @@
+package maliciouscode
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/jfrog/jfrog-cli-security/utils/jasutils"
+	"github.com/jfrog/jfrog-cli-security/utils/severityutils"
+	"github.com/stretchr/testify/require"
+
+	jfrogappsconfig "github.com/jfrog/jfrog-apps-config/go"
+	"github.com/jfrog/jfrog-cli-security/jas"
+
+	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewMaliciousScanManager(t *testing.T) {
+	scanner, cleanUp := jas.InitJasTest(t)
+	defer cleanUp()
+	maliciousScanManager := newMaliciousScanManager(scanner, MaliciousScannerType, "temoDirPath")
+
+	assert.NotEmpty(t, maliciousScanManager)
+	assert.NotEmpty(t, maliciousScanManager.configFileName)
+	assert.NotEmpty(t, maliciousScanManager.resultsFileName)
+	assert.Equal(t, &jas.FakeServerDetails, maliciousScanManager.scanner.ServerDetails)
+}
+
+func TestMaliciousScan_CreateConfigFile_VerifyFileWasCreated(t *testing.T) {
+	scanner, cleanUp := jas.InitJasTest(t)
+	defer cleanUp()
+
+	scannerTempDir, err := jas.CreateScannerTempDirectory(scanner, jasutils.MaliciousCode.String())
+	require.NoError(t, err)
+	MaliciouscanManager := newMaliciousScanManager(scanner, MaliciousScannerType, scannerTempDir)
+
+	currWd, err := coreutils.GetWorkingDirectory()
+	assert.NoError(t, err)
+	err = MaliciouscanManager.createConfigFile(jfrogappsconfig.Module{SourceRoot: currWd})
+	assert.NoError(t, err)
+
+	defer func() {
+		err = os.Remove(MaliciouscanManager.configFileName)
+		assert.NoError(t, err)
+	}()
+
+	_, fileNotExistError := os.Stat(MaliciouscanManager.configFileName)
+	assert.NoError(t, fileNotExistError)
+	fileContent, err := os.ReadFile(MaliciouscanManager.configFileName)
+	assert.NoError(t, err)
+	assert.True(t, len(fileContent) > 0)
+}
+
+func TestRunAnalyzerManager_ReturnsGeneralError(t *testing.T) {
+	defer func() {
+		os.Clearenv()
+	}()
+
+	scanner, cleanUp := jas.InitJasTest(t)
+	defer cleanUp()
+
+	MaliciouscanManager := newMaliciousScanManager(scanner, MaliciousScannerType, "temoDirPath")
+	assert.Error(t, MaliciouscanManager.runAnalyzerManager())
+}
+
+func TestParseResults_EmptyResults(t *testing.T) {
+	scanner, cleanUp := jas.InitJasTest(t)
+	defer cleanUp()
+	jfrogAppsConfigForTest, err := jas.CreateJFrogAppsConfig([]string{})
+	assert.NoError(t, err)
+	// Arrange
+	MaliciouscanManager := newMaliciousScanManager(scanner, MaliciousScannerType, "temoDirPath")
+	MaliciouscanManager.resultsFileName = filepath.Join(jas.GetTestDataPath(), "Malicious-scan", "no-Malicious.sarif")
+
+	// Act
+	vulnerabilitiesResults, _, err := jas.ReadJasScanRunsFromFile(MaliciouscanManager.resultsFileName, jfrogAppsConfigForTest.Modules[0].SourceRoot, maliciousDocsUrlSuffix, scanner.MinSeverity)
+
+	// Assert
+	if assert.NoError(t, err) && assert.NotNil(t, vulnerabilitiesResults) {
+		assert.Len(t, vulnerabilitiesResults, 1)
+		assert.Empty(t, vulnerabilitiesResults[0].Results)
+	}
+
+}
+
+func TestParseResults_ResultsContainMalicious(t *testing.T) {
+	// Arrange
+	scanner, cleanUp := jas.InitJasTest(t)
+	defer cleanUp()
+	jfrogAppsConfigForTest, err := jas.CreateJFrogAppsConfig([]string{})
+	assert.NoError(t, err)
+
+	MaliciouscanManager := newMaliciousScanManager(scanner, MaliciousScannerType, "temoDirPath")
+	MaliciouscanManager.resultsFileName = filepath.Join(jas.GetTestDataPath(), "Malicious-scan", "contain-Malicious.sarif")
+
+	// Act
+	vulnerabilitiesResults, _, err := jas.ReadJasScanRunsFromFile(MaliciouscanManager.resultsFileName, jfrogAppsConfigForTest.Modules[0].SourceRoot, maliciousDocsUrlSuffix, severityutils.Medium)
+
+	// Assert
+	if assert.NoError(t, err) && assert.NotNil(t, vulnerabilitiesResults) {
+		assert.Len(t, vulnerabilitiesResults, 1)
+		assert.NotEmpty(t, vulnerabilitiesResults[0].Results)
+	}
+	assert.NoError(t, err)
+
+}
+
+func TestGetMaliciousScanResults_AnalyzerManagerReturnsError(t *testing.T) {
+	scanner, cleanUp := jas.InitJasTest(t)
+	defer cleanUp()
+	jfrogAppsConfigForTest, err := jas.CreateJFrogAppsConfig([]string{})
+	assert.NoError(t, err)
+	vulnerabilitiesResults, _, err := RunMaliciousScan(scanner, MaliciousScannerType, jfrogAppsConfigForTest.Modules[0], 0)
+	assert.Error(t, err)
+	assert.ErrorContains(t, jas.ParseAnalyzerManagerError(jasutils.MaliciousCode, err), "failed to run MaliciousCode scan")
+	assert.Nil(t, vulnerabilitiesResults)
+}
diff --git a/jas/runner/jasrunner.go b/jas/runner/jasrunner.go
@@ -3,6 +3,7 @@ package runner
 import (
 	"errors"
 	"fmt"
+	"github.com/jfrog/jfrog-cli-security/jas/maliciouscode"
 
 	"github.com/jfrog/gofrog/parallel"
 	jfrogappsconfig "github.com/jfrog/jfrog-apps-config/go"
@@ -33,6 +34,8 @@ type JasRunnerParams struct {
 
 	ScansToPerform []utils.SubScanType
 
+	// Malicious code scan flags
+	MaliciousScanType maliciouscode.MaliciousScanType
 	// Secret scan flags
 	SecretsScanType secrets.SecretsScanType
 	// Contextual Analysis scan flags
@@ -51,7 +54,7 @@ func AddJasScannersTasks(params JasRunnerParams) (generalError error) {
 	if params.Scanner.AnalyzerManager.AnalyzerManagerFullPath, generalError = jas.GetAnalyzerManagerExecutable(); generalError != nil {
 		return fmt.Errorf("failed to set analyzer manager executable path: %s", generalError.Error())
 	}
-	// For docker scan we support only secrets and contextual scans.
+	// For docker scan we support only secrets, malicious code, and contextual scans.
 	runAllScanners := false
 	if params.ApplicableScanType == applicability.ApplicabilityScannerType || params.SecretsScanType == secrets.SecretsScannerType {
 		runAllScanners = true
@@ -66,6 +69,9 @@ func AddJasScannersTasks(params JasRunnerParams) (generalError error) {
 	if generalError = addJasScanTaskForModuleIfNeeded(params, utils.SecretsScan, runSecretsScan(params.Runner, params.Scanner, params.ScanResults.JasResults, params.Module, params.SecretsScanType, params.TargetOutputDir)); generalError != nil {
 		return
 	}
+	if generalError = addJasScanTaskForModuleIfNeeded(params, utils.MaliciousCodeScan, runMaliciousScan(params.Runner, params.Scanner, params.ScanResults.JasResults, params.Module, params.MaliciousScanType, params.TargetOutputDir)); generalError != nil {
+		return
+	}
 	if !runAllScanners {
 		return
 	}
@@ -102,6 +108,8 @@ func addJasScanTaskForModuleIfNeeded(params JasRunnerParams, subScan utils.SubSc
 			enabled = params.ConfigProfile.Modules[0].ScanConfig.IacScannerConfig.EnableIacScan
 		case jasutils.Applicability:
 			enabled = params.ConfigProfile.Modules[0].ScanConfig.EnableContextualAnalysisScan
+		case jasutils.MaliciousCode:
+			enabled = params.ConfigProfile.Modules[0].ScanConfig.MaliciousScannerConfig.EnableMaliciousScan
 		}
 		if enabled {
 			generalError = addModuleJasScanTask(jasType, params.Runner, task, params.ScanResults, params.AllowPartialResults)
@@ -145,6 +153,24 @@ func runSecretsScan(securityParallelRunner *utils.SecurityParallelRunner, scanne
 	}
 }
 
+func runMaliciousScan(securityParallelRunner *utils.SecurityParallelRunner, scanner *jas.JasScanner, extendedScanResults *results.JasScansResults,
+	module jfrogappsconfig.Module, maliciousScanType maliciouscode.MaliciousScanType, scansOutputDir string) parallel.TaskFunc {
+	return func(threadId int) (err error) {
+		defer func() {
+			securityParallelRunner.JasScannersWg.Done()
+		}()
+		vulnerabilitiesResults, violationsResults, err := maliciouscode.RunMaliciousScan(scanner, maliciousScanType, module, threadId)
+		securityParallelRunner.ResultsMu.Lock()
+		defer securityParallelRunner.ResultsMu.Unlock()
+		// We first add the scan results and only then check for errors, so we can store the exit code in order to report it in the end
+		extendedScanResults.AddJasScanResults(jasutils.MaliciousCode, vulnerabilitiesResults, violationsResults, jas.GetAnalyzerManagerExitCode(err))
+		if err = jas.ParseAnalyzerManagerError(jasutils.MaliciousCode, err); err != nil {
+			return fmt.Errorf("%s%s", clientutils.GetLogMsgPrefix(threadId, false), err.Error())
+		}
+		return dumpSarifRunToFileIfNeeded(scansOutputDir, jasutils.MaliciousCode, vulnerabilitiesResults, violationsResults)
+	}
+}
+
 func runIacScan(securityParallelRunner *utils.SecurityParallelRunner, scanner *jas.JasScanner, extendedScanResults *results.JasScansResults,
 	module jfrogappsconfig.Module, scansOutputDir string) parallel.TaskFunc {
 	return func(threadId int) (err error) {