add IncludeDirs option to Xray Bom Lib

[attiasas]

Support multiple working dirs with single-target scan flow & deprecate jfrog-apps-config in new flow

Summary

Refactors the audit scan pipeline to support multiple working directories via a single scan target (--static-sca / Xray lib flow), and deprecates the jfrog-apps-config.yml module system for JAS scans in the new flow. Scan configuration (include/exclude patterns, central config modules) is now carried directly on ScanTarget instead of being resolved through jfrog-apps-config modules.

Depends on:

• XRAY-135682 (bug: secrets/CA when multiple roots are passed)
• XRAY-138915 (improvement: iac does not support multiple roots)

Analyzer-Manager minimum version: 1.33.0

• Update AnalyzerManager version to 1.33.0 #748

Changes

• ScanTarget extended – added Include, Exclude, DeprecatedAppsConfigModule, and CentralConfigModules fields; added methods IsScanRequestedByCentralConfig, GetCentralConfigExclusions, GetDeprecatedAppsConfigModuleExclusions.
• New single-target detection (createSingleScanTarget) – when the new flow (Xray lib BOM generator) is active, a single ScanTarget is created with the working directories as include paths, instead of detecting one target per technology directory.
• JAS scanners refactored – every scanner (Secrets, IaC, SAST, Applicability) now exposes two code paths: Run(target ScanTarget) (new flow, target-based) and DeprecatedRun(module, centralConfigExclusions) (old flow, module-based). Config file generation, exclude-pattern resolution, and SARIF result reading follow the same split.
• jfrog-apps-config deprecated in new flow – AppsConfigModule replaced by DeprecatedAppsConfigModule; config loading only happens in the old (graph-based) flow. A deprecation warning is emitted when the file is detected.
• Exclude/include patterns moved to target level – ScanTarget.Exclude is set during target detection and passed through to BOM generation (Xray lib IgnorePatterns + IncludeDirs) and all JAS scanner config files.
• Central config profile support per-target – matchCentralConfigModules assigns profile modules to targets; ShouldSkipScannerByConfigProfile checks enablement per scan type on the target.
• SARIF invocation rework – fillMissingRequiredInvocationInformation now aggregates execution success and creates a single canonical invocation with include property bag for multi-root targets.
• SBOM logging moved to bomgenerator – logging of component counts and duration is now in the shared GenerateSbomForTarget instead of duplicated in XrayLibBomGenerator.
• Utility additions – GetFullPathsWorkingDirs, IsPathExcluded, ElementsEqual, CreateNewInvocation.
• Tests – new unit tests in commands/audit/audit_test.go, jas/common_test.go, jas/secrets/secretsscanner_test.go, jas/iac/iacscanner_test.go, jas/applicability/applicabilitymanager_test.go, utils/results/results_test.go, utils/paths_test.go, utils/utils_test.go.

Testing

• New and updated unit tests covering target detection, exclude-pattern resolution, central-config module matching, SARIF invocation creation, and scanner config-file generation.
• Existing integration tests updated to match new signatures.

Notes

• In the new flow, jfrog-apps-config.yml is deprecated – flags, env vars, or central JFrog Platform config should be used instead.
• The old graph-based flow is untouched and still loads jfrog-apps-config as before.

[github-actions]

---

🐸 JFrog Frogbot

[eranturgeman]

Unused func, delete

[eranturgeman]

we can remove the func() {...}() wrapper - it adds no value it wraps it and calls the func inside DeprecatedRun.

[eranturgeman]

aren't they already relative paths here?

[eranturgeman]

1. in line 267 do str += st.Name or you'll erase the previous step of the Target/Target + Include dirs
2. The log can contain Target + Include dirs + Name + techs and it will look like that:
   {} [].
   maybe we should make it a bit more readable, like:
   : {} [technologies: ]

[eranturgeman]

maybe not something we want to address but maybe worth noting- if a new tech is added in a PR (new module or something) we will find no match. this is a edge case but maybe worth a comment

[eranturgeman]

can maybe be replaced with coreutils.GetFullPathsWorkingDirs

[eranturgeman]

shouldn't it be params.DeprecatedAppsConfig != nil ?

[eranturgeman]

why manager is passed as a param and it is not a method?

[eranturgeman]

why manager is passed as a param and it is not a method?

[eranturgeman]

why manager is passed as a param and it is not a method?

[eranturgeman]

why manager is passed as a param and it is not a method?

[eranturgeman]

// validate IF target is excluded by config profile exclude patterns

[eranturgeman]

what about test for ShouldSkipScannerByModule

[eranturgeman]

just making sure - it TotalTarget > 1, do we have them all in params.Target.Target?.
Also change the log to " for targets: %s"

[eranturgeman]

also here, it totalTargets > 1 we need to change the log to " for targets ..."

[eranturgeman]

I see this check existed before, but I dont think it is really a possible usecase. we can leave it for safety though

[eranturgeman]

maybe add another testcase with multi-rows and different technologies?

[eranturgeman]

please check that calling GetCentralConfigExclusions is the correct call here. Here we are at the Deprecated case but we are callign the new GetExclusions func (which doesnt include AppsConfig)

[eranturgeman]

please check that calling GetCentralConfigExclusions is the correct call here. Here we are at the Deprecated case but we are callign the new GetExclusions func (which doesnt include AppsConfig)

[eranturgeman]

please check that calling GetCentralConfigExclusions is the correct call here. Here we are at the Deprecated case but we are callign the new GetExclusions func (which doesnt include AppsConfig)

[eranturgeman]

please add testcases of:
slice1: {a, b, c}
slice2: (a, b, b)

slice1: {a,b,b}
slice2: {a,b,c}

[eranturgeman]

if v doesnt exist here wont we get a panic?
for example slice1 = {a,b,b}, slice2={a,c,b}
when we try doing freq["c"]-- I think we get a panic

[eranturgeman]

LGTM! see my comments