Bugfix: make jfrog xray impact paths deterministic#15094
Conversation
df67647 to
2de1751
Compare
|
Sounds like a good plan. It does mean that it might change the hash_code for many existsing findings occurring in reimports/imports leading to a one-time close/create frenzy. |
Maffooch
left a comment
There was a problem hiding this comment.
Sounds like a good plan. It does mean that it might change the hash_code for many existsing findings occurring in reimports/imports leading to a one-time close/create frenzy.
Agreed with Val - description is a default hash code setting for this perser. @paulOsinski can you pleas rebase to the dev branch and add some release notes letting folks know how to rerun their hash calculations?
|
recalculating the hash won't help as the descripton is not retroactively changed. |
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
|
@Maffooch did you see Val's comment? He's right, the description will change along with the hash code so it's not like recalculating will do anything. This will still create "net new" Findings but those are being created anyway by this parser. |
|
Okay, so I think that leaves us with two options
@valentijnscholten would you agree? |
|
I think this time we'll have to accept option 1. |
d3270af to
1bcd057
Compare
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
The JFrog Xray API Summary Artifact parser now sorts impact paths before selecting the first one, so file_path, description, and unique_id_from_tool (the deduplication key) stay stable across re-imports. Previously JFrog's arbitrary impact_path ordering could change the dedup key between scans and cause a single CVE to be re-imported as multiple separate findings. Document the behavior change and cleanup guidance in the 3.1 upgrade notes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
[sc-13285]
The OSS parser at
dojo/tools/jfrog_xray_api_summary_artifact/parser.pypicksimpact_paths[0]from an unordered list returned by JFrog:When JFrog returns the same vulnerability's
impact_pathlist in a different order,file_pathanddescriptionshift between imports.This can cause unexpected issues with deduplication because of drifting, unpredictable issue descriptions. This list should be ordered deterministically for consistency.
Fix
Sort impact_paths in the OSS parser so file_path and description are deterministic. Optionally list all paths in the description so developers see every location, not just one.
Change:
impact_paths = sorted(vulnerability.get("impact_path", []))— every downstream use of impact_paths[0] (file_path, the decoded impact_path feeding unique_id, and the V3 LocationData) is now deterministic.When more than one impact_path exists, description appends a Impact paths: list so developers see every location, not just one (which is a data model limitation)