Skip to content

IAC_SCAN Determined Only by detect.tools and detect.tools.excluded Property #1548

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

IAC_SCAN Determined Only by detect.tools and detect.tools.excluded Property #1548

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1c59c7e
add iac scan enable check in detect config factory
zahidblackduck Sep 19, 2025
f24757a
Merge conflict resolve with master
zahidblackduck Sep 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion src/main/java/com/blackduck/integration/detect/configuration/DetectConfigurationFactory.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -232,11 +232,22 @@ public DetectToolFilter createToolFilter(RunDecision runDecision, BlackDuckDecis
AllNoneEnumCollection<DetectTool> excludedTools = detectConfiguration.getValue(DetectProperties.DETECT_TOOLS_EXCLUDED);
ExcludeIncludeEnumFilter<DetectTool> filter = new ExcludeIncludeEnumFilter<>(excludedTools, includedTools, scanTypeEvidenceMap);

boolean iacEnabled = includedTools.containsValue(DetectTool.IAC_SCAN) || !detectConfiguration.getValue(DetectProperties.DETECT_IAC_SCAN_PATHS).isEmpty();
Copy link
Contributor

@andrian-sevastyanov andrian-sevastyanov Sep 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please take a look at the help message for DETECT_IAC_SCAN_PATHS in DetectProperties and update as needed.
Right now it mentions something regarding detect.tools=ALL (it was added when the bug was discovered).

boolean iacEnabled = isIacScanEnabled(includedTools, excludedTools);

return new DetectToolFilter(filter, impactEnabled.orElse(false), iacEnabled, runDecision, blackDuckDecision);
}

private boolean isIacScanEnabled(AllNoneEnumCollection<DetectTool> includedTools, AllNoneEnumCollection<DetectTool> excludedTools) {
Copy link
Contributor

@devmehtabd devmehtabd Sep 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have we considered writing a log message in case someone sets iac.scan.path and detect.tools both but the later does not have IAC_SCAN in its value? It could be the case that some users might be running iac scans with this configuration currently.

boolean containsAll = includedTools.containsAll(); // Checking whether --detect.tools=ALL is set or not
boolean containsNone = includedTools.isEmpty(); // Checking whether --detect.tools property is unset or not
boolean iacIncluded = includedTools.containsValue(DetectTool.IAC_SCAN); // Checking whether --detect.tools=IAC_SCAN is set or not
boolean iacExcluded = excludedTools.containsValue(DetectTool.IAC_SCAN); // Checking whether --detect.tools.excluded=IAC_SCAN is set or not

// Enable IAC_SCAN only if it is included by detect.tools (ALL, unset, or explicitly included) and not excluded by detect.tools.excluded.
// The detect.iac.scan.paths property does not affect whether IAC_SCAN runs.
return (containsAll || containsNone || iacIncluded) && !iacExcluded;
}

public RapidScanOptions createRapidScanOptions() {
RapidCompareMode rapidCompareMode = detectConfiguration.getValue(DetectProperties.DETECT_BLACKDUCK_RAPID_COMPARE_MODE);
BlackduckScanMode scanMode= detectConfiguration.getValue(DetectProperties.DETECT_BLACKDUCK_SCAN_MODE);
Expand Down