XRAY-144809 - CA command [Maven]: Add option to consider plugin deps by gauriy-tech · Pull Request #771 · jfrog/jfrog-cli-security

gauriy-tech · 2026-06-01T04:58:53Z

The pull request is targeting the dev branch.
The code has been validated to compile successfully by running go vet ./....
The code has been formatted properly using go fmt ./....
All static analysis checks passed.
All tests have passed. If this feature is not already covered by the tests, new tests have been added.
Updated the Contributing page / ReadMe page / CI Workflow files if needed.
All changes are detailed at the description. if not already covered at JFrog Documentation, new documentation have been added.

Full details about the RCA and Fix is described here https://jfrog-int.atlassian.net/browse/XRAY-144809?focusedCommentId=1115010

After Fix

Before Fix

gauriy-tech · 2026-06-08T09:06:41Z

I have read the CLA Document and I hereby sign the CLA

attiasas

Nice job!
Please add an integration test case with a project replicating that.
I would consider also adding this option to jf audit command. most of the logic is the same, users may want to include this in their scan as well

attiasas · 2026-06-08T12:57:23Z

Also, why this is not implemented in maven-dep-tree? I may be a better solution
https://github.com/jfrog/maven-dep-tree

gauriy-tech · 2026-06-09T04:54:25Z

This is needed by a customer, we have consider it to take as a long term solution in https://github.com/jfrog/maven-dep-tree in upcoming quarter

gauriy-tech · 2026-06-09T04:57:44Z

Keeping it for curation scope for this PR , will connect with audit team to discuss enabling for their workflow

gauriy-tech · 2026-06-09T07:11:08Z

Added an integration test case maven tree - one blocked plugin dependency in TestDoCurationAudit (commands/curation/curationaudit_test.go), with a new fixture under tests/testdata/projects/package-managers/maven/maven-curation-plugin-deps/.

What it tests (real mvn run against the mock curation server):

jf ca --mvn-include-plugin-deps detects a curation-blocked artifact that only enters the build via a Maven build plugin's transitive closure — the exact "0 blocked in jf ca but build is blocked" scenario.
Fixture pins maven-jar-plugin:3.4.1, whose fixed closure pulls org.ow2.asm:asm:9.8 (via plexus-archiver:4.9.2). asm is not in mvn dependency:tree, so without the flag it's invisible.
Verifies the end-to-end path: flag wiring → dependency:resolve-plugins → parse → inject into dep graph → curation HEAD probe → blocked PackageStatus (org.ow2.asm:asm:9.8, maven, {pol1, cond1}).

…include-mvn-plugins # Conflicts: # commands/curation/curationaudit.go # sca/bom/buildinfo/technologies/common.go

attiasas · 2026-06-09T07:19:06Z

This is needed by a customer, we have consider it to take as a long term solution in https://github.com/jfrog/maven-dep-tree in upcoming quarter

Should be documented that this is a "temp" fix. I whould rather you add it to the actual maven-dep-tree repo and we will add this only if its urgent until actually implemented. should be documented and tracked

gauriy-tech · 2026-06-09T07:22:41Z

This is needed by a customer, we have consider it to take as a long term solution in https://github.com/jfrog/maven-dep-tree in upcoming quarter - https://jfrog-int.atlassian.net/browse/XRAY-145307

attiasas

LGTM for now. pending to see logic moved to maven-dep-tree

gauriy-tech requested a deployment to frogbot June 1, 2026 04:58 — with GitHub Actions Waiting

gauriy-tech force-pushed the feature/XRAY-144809-include-mvn-plugins branch from cda523a to 61a0c42 Compare June 1, 2026 05:20

gauriy-tech requested a deployment to frogbot June 1, 2026 05:21 — with GitHub Actions Waiting

gauriy-tech force-pushed the feature/XRAY-144809-include-mvn-plugins branch from 61a0c42 to 93373e9 Compare June 2, 2026 05:34

gauriy-tech requested a deployment to frogbot June 2, 2026 05:34 — with GitHub Actions Waiting