Merge remote-tracking branch 'origin/dev' into v2

Author: jfrog-ecosystem

build/npm/v2-jf/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "jfrog-cli-v2-jf",
-  "version": "2.78.2",
+  "version": "2.78.3",
   "description": "🐸 Command-line interface for JFrog Artifactory, Xray, Distribution, Pipelines and Mission Control 🐸",
   "homepage": "https://github.com/jfrog/jfrog-cli",
   "preferGlobal": true,

build/npm/v2-jf/package.json

@@ -1,6 +1,6 @@
 {
   "name": "jfrog-cli-v2",
-  "version": "2.78.2",
+  "version": "2.78.3",
   "description": "🐸 Command-line interface for JFrog Artifactory, Xray, Distribution, Pipelines and Mission Control 🐸",
   "homepage": "https://github.com/jfrog/jfrog-cli",
   "preferGlobal": true,

build/npm/v2/package-lock.json

@@ -1015,3 +1015,115 @@ type buildAddDepsBuildInfoTestParams struct {
 	buildNumber          string
 	expectedModule       string
 }
+
+func TestBuildInfoPropertiesRemoval(t *testing.T) {
+	initArtifactoryTest(t, "")
+	inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, tests.RtBuildName1, artHttpDetails)
+
+	runRt(t, "upload", "testdata/a/a1.in", tests.RtRepo1+"/test/a1.in")
+
+	test := buildAddDepsBuildInfoTestParams{
+		description:          "Test properties field removal",
+		commandArgs:          []string{"--module=testModule", "testdata/a/a1.in"},
+		expectedDependencies: []string{"a1.in"},
+		buildName:            tests.RtBuildName1,
+		buildNumber:          "1",
+		expectedModule:       "testModule",
+	}
+
+	collectDepsAndPublishBuild(test, false, t)
+
+	buildInfo, found, err := tests.GetBuildInfo(serverDetails, tests.RtBuildName1, "1")
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
+	if !found {
+		assert.True(t, found, "build info was expected to be found")
+		return
+	}
+
+	buildInfoBytes, err := json.Marshal(buildInfo)
+	assert.NoError(t, err)
+
+	var buildInfoMap map[string]interface{}
+	err = json.Unmarshal(buildInfoBytes, &buildInfoMap)
+	assert.NoError(t, err)
+
+	buildInfoData, ok := buildInfoMap["buildInfo"].(map[string]interface{})
+	assert.True(t, ok, "Failed to get buildInfo data")
+
+	modules, ok := buildInfoData["modules"].([]interface{})
+	assert.True(t, ok, "Failed to get modules array")
+	assert.NotEmpty(t, modules, "No modules found in build info")
+
+	for _, module := range modules {
+		moduleMap, ok := module.(map[string]interface{})
+		assert.True(t, ok, "Failed to parse module")
+		_, hasProperties := moduleMap["properties"]
+		assert.False(t, hasProperties, "Properties field should not be present in module")
+	}
+
+	inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, tests.RtBuildName1, artHttpDetails)
+	cleanArtifactoryTest()
+}
+
+func TestBuildInfoPropertiesRemovalInBadAndPublish(t *testing.T) {
+	initArtifactoryTest(t, "")
+	buildName := tests.RtBuildName1 + "-props"
+	buildNumber := "1"
+
+	inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, buildName, artHttpDetails)
+
+	runRt(t, "upload", "testdata/a/a1.in", tests.RtRepo1+"/test/a1.in")
+
+	badTest := buildAddDepsBuildInfoTestParams{
+		description:          "Test properties field removal in bad command",
+		commandArgs:          []string{"--module=badModule", "testdata/a/a1.in"},
+		expectedDependencies: []string{"a1.in"},
+		buildName:            buildName,
+		buildNumber:          buildNumber,
+		expectedModule:       "badModule",
+	}
+	collectDepsAndPublishBuild(badTest, false, t)
+
+	specFile, err := tests.CreateSpec(tests.UploadFlatRecursive)
+	assert.NoError(t, err)
+	runRt(t, "upload", "--spec="+specFile, "--build-name="+buildName, "--build-number="+buildNumber, "--module=publishModule")
+
+	runRt(t, "bp", buildName, buildNumber)
+
+	buildInfo, found, err := tests.GetBuildInfo(serverDetails, buildName, buildNumber)
+	if err != nil {
+		assert.NoError(t, err)
+		return
+	}
+	if !found {
+		assert.True(t, found, "build info was expected to be found")
+		return
+	}
+
+	buildInfoBytes, err := json.Marshal(buildInfo)
+	assert.NoError(t, err)
+
+	var buildInfoMap map[string]interface{}
+	err = json.Unmarshal(buildInfoBytes, &buildInfoMap)
+	assert.NoError(t, err)
+
+	buildInfoData, ok := buildInfoMap["buildInfo"].(map[string]interface{})
+	assert.True(t, ok, "Failed to get buildInfo data")
+
+	modules, ok := buildInfoData["modules"].([]interface{})
+	assert.True(t, ok, "Failed to get modules array")
+	assert.NotEmpty(t, modules, "No modules found in build info")
+
+	for _, module := range modules {
+		moduleMap, ok := module.(map[string]interface{})
+		assert.True(t, ok, "Failed to parse module")
+		_, hasProperties := moduleMap["properties"]
+		assert.False(t, hasProperties, "Properties field should not be present in module")
+	}
+
+	inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, buildName, artHttpDetails)
+	cleanArtifactoryTest()
+}

build/npm/v2/package.json

@@ -102,6 +102,11 @@ const (
 	JfrogSecurityCliAnalyzerManagerVersion = `    JFROG_CLI_ANALYZER_MANAGER_VERSION
 		Specifies the version of Analyzer Manager to be used for security commands, provided in semantic versioning (e.g 1.13.4) format. 
 		By default, the latest stable version is used. `
+
+	//#nosec G101
+	JfrogCliGithubToken = `    JFROG_CLI_GITHUB_TOKEN
+		[Default: None]
+		Specifies the GitHub token to be used for cli version check on Github repository.`
 )
 
 var (
@@ -142,7 +147,8 @@ func GetGlobalEnvVars() string {
 		JfrogCliEncryptionKey,
 		JfrogCliAvoidNewVersionWarning,
 		JfrogCliCommandSummaryOutputDirectory,
-		JfrogSecurityCliAnalyzerManagerVersion)
+		JfrogSecurityCliAnalyzerManagerVersion,
+		JfrogCliGithubToken)
 }
 
 func CreateEnvVars(envVars ...string) string {

buildinfo_test.go

@@ -24,14 +24,15 @@ const (
 	Security  MarkdownSection = "security"
 	BuildInfo MarkdownSection = "build-info"
 	Upload    MarkdownSection = "upload"
+	Evidence  MarkdownSection = "evidence"
 )
 
 const (
 	markdownFileName   = "markdown.md"
 	finalSarifFileName = "final.sarif"
 )
 
-var markdownSections = []MarkdownSection{Security, BuildInfo, Upload}
+var markdownSections = []MarkdownSection{Security, BuildInfo, Upload, Evidence}
 
 func (ms MarkdownSection) String() string {
 	return string(ms)
@@ -185,6 +186,8 @@ func invokeSectionMarkdownGeneration(section MarkdownSection) error {
 		return generateBuildInfoMarkdown()
 	case Upload:
 		return generateUploadMarkdown()
+	case Evidence:
+		return generateEvidenceMarkdown()
 	default:
 		return fmt.Errorf("unknown section: %s", section)
 	}
@@ -209,6 +212,14 @@ func generateBuildInfoMarkdown() error {
 	return buildInfoSummary.GenerateMarkdown()
 }
 
+func generateEvidenceMarkdown() error {
+	evidenceSummary, err := commandsummary.NewEvidenceSummary()
+	if err != nil {
+		return fmt.Errorf("error generating evidence markdown: %w", err)
+	}
+	return evidenceSummary.GenerateMarkdown()
+}
+
 func generateUploadMarkdown() error {
 	if should, err := shouldGenerateUploadSummary(); err != nil || !should {
 		log.Debug("Skipping upload summary generation due build-info data to avoid duplications...")

docs/common/env.go

@@ -1,6 +1,8 @@
 module github.com/jfrog/jfrog-cli
 
-go 1.24.4
+go 1.24.5
+
+toolchain go1.24.6
 
 replace (
 	// Should not be updated to 0.2.6 due to a bug (https://github.com/jfrog/jfrog-cli-core/pull/372)
@@ -16,13 +18,13 @@ require (
 	github.com/docker/docker v27.5.1+incompatible
 	github.com/gocarina/gocsv v0.0.0-20240520201108-78e41c74b4b1
 	github.com/jfrog/archiver/v3 v3.6.1
-	github.com/jfrog/build-info-go v1.10.14
+	github.com/jfrog/build-info-go v1.10.15
 	github.com/jfrog/gofrog v1.7.6
-	github.com/jfrog/jfrog-cli-artifactory v0.5.1
-	github.com/jfrog/jfrog-cli-core/v2 v2.59.3
+	github.com/jfrog/jfrog-cli-artifactory v0.6.0
+	github.com/jfrog/jfrog-cli-core/v2 v2.59.4
 	github.com/jfrog/jfrog-cli-platform-services v1.10.0
-	github.com/jfrog/jfrog-cli-security v1.20.2
-	github.com/jfrog/jfrog-client-go v1.54.3
+	github.com/jfrog/jfrog-cli-security v1.21.0
+	github.com/jfrog/jfrog-client-go v1.54.4
 	github.com/jszwec/csvutil v1.10.0
 	github.com/manifoldco/promptui v0.9.0
 	github.com/stretchr/testify v1.10.0
@@ -67,7 +69,7 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/fatih/color v1.16.0 // indirect
+	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/forPelevin/gomoji v1.3.0 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
@@ -96,8 +98,8 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/certificate-transparency-go v1.3.1 // indirect
+	github.com/golang/snappy v1.0.0 // indirect
+	github.com/google/certificate-transparency-go v1.3.2 // indirect
 	github.com/google/go-containerregistry v0.20.3 // indirect
 	github.com/google/go-github/v56 v56.0.0 // indirect
 	github.com/google/go-github/v62 v62.0.0 // indirect
@@ -118,7 +120,7 @@ require (
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jedib0t/go-pretty/v6 v6.6.5 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
-	github.com/jfrog/froggit-go v1.20.0 // indirect
+	github.com/jfrog/froggit-go v1.20.1 // indirect
 	github.com/jfrog/go-mockhttp v0.3.1 // indirect
 	github.com/jfrog/jfrog-apps-config v1.0.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -132,7 +134,7 @@ require (
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/magiconair/properties v1.8.9 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mattn/go-tty v0.0.5 // indirect
@@ -188,6 +190,7 @@ require (
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/spf13/viper v1.20.1 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
 	github.com/theupdateframework/go-tuf/v2 v2.1.1 // indirect
@@ -225,7 +228,7 @@ require (
 	golang.org/x/time v0.11.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect
-	google.golang.org/grpc v1.72.0 // indirect
+	google.golang.org/grpc v1.72.2 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
@@ -236,16 +239,16 @@ require (
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/utils v0.0.0-20240310230437-4693a0247e57 // indirect
 	sigs.k8s.io/controller-runtime v0.17.5 // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
 
-// replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20250529104758-6d769a684388
+// replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20250806055519-cdc723aaec09
 
 // replace github.com/jfrog/jfrog-cli-artifactory => github.com/jfrog/jfrog-cli-artifactory v0.4.1-0.20250718083259-4a60768eb51b
 
-// replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.59.2-0.20250717045550-6e019038f578
+// replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.59.2-0.20250804083101-9cf424ecc926
 
 // replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20250717041744-d3ea4d99f4e7