Add diff logic and parallel logger support for audit

[eyalk007]

• The pull request is targeting the dev branch.
• The code has been validated to compile successfully by running go vet ./....
• The code has been formatted properly using go fmt ./....
• All static analysis checks passed.
• All tests have passed. If this feature is not already covered by the tests, new tests have been added.
• Updated the Contributing page / ReadMe page / CI Workflow files if needed.
• All changes are detailed at the description. if not already covered at JFrog Documentation, new documentation have been added.

---

Depends on:

• Add goroutine-local logger and BufferedLogger for parallel operations jfrog-client-go#1297

[eyalk007]

myabe needs to be moved to frogbot considering the specific use
and selected parallel audit implementation, your call @attiasas

[attiasas]

Mergeing results could stay here if the logic is adjusted to be more general like MergeCommandResults

[attiasas]

Nice work! checkout my comments, also:

1. Update the PR description with the changes
2. Adjust tests base on changes

[attiasas]

maybe this should be at jfrog/jfrog-client-go#1297?

[eyalk007]

these are the options

Move LogCollector to client-go - but it's really just a wrapper
Delete LogCollector entirely - Frogbot can use BufferedLogger directly from client-go

or we Keep it as is

[attiasas]

Removing code from repo is always good :)
If you already passing it in params, just use it no need for wrapper here

[attiasas]

Reminder to remove replace after merging dependend PR

[attiasas]

why not change in createScaScanTaskWithRunner directly?

I don't get the chnage (looking only here) you call log.GetLogger and setting it for the routine but at the end you clear it? code is not clear why you do it. (looks like you are just setting default log to be default and clear it).

I suggest improving this part or at least adding comment about this

[attiasas]

same comment as in scascan.
If this logic is used multiple times (same code), try to create static method to be used in multiple places

[attiasas]

Mergeing results could stay here if the logic is adjusted to be more general like MergeCommandResults

[attiasas]

IDK about the func name, it does not compare, it filters Source results that exists at target

[attiasas]

what about file name changes? it will not catch this...
why are we first filtering only locations and than by fingerprints, can we do it in one go? (reducing go over results multile times)

[eyalk007]

For SAST: Uses fingerprints (precise_sink_and_sink_function) which are content-based, so renames don't matter

for secrets and iac -
This is a known limitation - AM doesn't handle file renames either. If you rename a file, existing findings in that file will show as "new" in the diff. This is acceptable

[eyalk007]

We can write a todo and create a ticket for it, but i dont believe we should handle it now

[attiasas]

yeah, we should

[attiasas]

Removing code from repo is always good :)
If you already passing it in params, just use it no need for wrapper here

[attiasas]

I think you can use WrapTaskWithLoggerPropagation here as well

[attiasas]

as mentioned before, should be moved to utils/formats/sarifutils/sarifutils.go
also adjust comments, make sure what to use and when precise_sink_and_sink_function or significant_full_path fingerprint

[attiasas]

Suggested change

	log.Info("[DIFF] New findings after diff - Secrets:", diffSecrets, "| IaC:", diffIac, "| SAST:", diffSast)
	log.Info("[DIFF] Filtered out - Secrets:", sourceSecrets-diffSecrets, "| IaC:", sourceIac-diffIac, "| SAST:", sourceSast-diffSast)
	log.Debug("[DIFF] New findings after diff - Secrets:", diffSecrets, "| IaC:", diffIac, "| SAST:", diffSast)
	log.Debug("[DIFF] Filtered out - Secrets:", sourceSecrets-diffSecrets, "| IaC:", sourceIac-diffIac, "| SAST:", sourceSast-diffSast)

[attiasas]

Suggested change

	func extractLocationsOnly(run *sarif.Run, targetKeys map[string]bool) {
	for _, result := range run.Results {
	for _, location := range result.Locations {
	key := sarifutils.GetRelativeLocationFileName(location, run.Invocations) + sarifutils.GetLocationSnippetText(location)
	targetKeys[key] = true
	}
	}
	}
	func extractLocationsOnly(targetKeys map[string]bool, runs ...*sarif.Run) {
	for _, run := range runs {
	for _, result := range run.Results {
	for _, location := range result.Locations {
	key := sarifutils.GetRelativeLocationFileName(location, run.Invocations) + sarifutils.GetLocationSnippetText(location)
	targetKeys[key] = true
	}
	}
	}
	}

you can use it to reduce the amount of for loops in code where it is called

[attiasas]

Suggested change

	log.Info("[DIFF] Starting JAS diff calculation")
	log.Debug("[DIFF] Starting JAS diff calculation")

[attiasas]

Suggested change

	func filterExistingFindings(allTargetJasResults []*JasScansResults, sourceJasResults *JasScansResults) *JasScansResults {
	func excludeExistingFindingsInTargets(sourceJasResults *JasScansResults, targetJasResultsToExclude ...*JasScansResults) *JasScansResults {

outside user will have hard time understanding what the func does, consider adjusting the name.
I would also consider changing how params are passed

[attiasas]

this could be extracted to a helper func

[attiasas]

this could be extracted to a helper func, used twice

[attiasas]

If we are moving diff logic here, do we still need the logic in:
jas/sast/jas/secrets/jas/iac?

talking about:

log.Debug("Diff mode - SAST results to compare provided")
	manager.resultsToCompareFileName = filepath.Join(scannerTempDir, "target.sarif")
	// Save the sast results to compare as a report
	err = jas.SaveScanResultsToCompareAsReport(manager.resultsToCompareFileName, resultsToCompare...)

make sure if not needed to delete related logic