Update AnalyzerManager default version to 1.34.1

.github/actions/install-and-setup/action.yml

@@ -14,7 +14,7 @@ runs:
     - name: Setup Go
       uses: actions/setup-go@v5
       with:
-        go-version: 1.25
+        go-version: 1.26
     # - name: Setup Go with cache
     #   uses: jfrog/.github/actions/install-go-with-cache@main
 

audit_test.go

@@ -1166,11 +1166,11 @@ func TestAuditNewScaCycloneDxPipenv(t *testing.T) {
 	assert.NoError(t, err)
 	validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
 		ExactResultsMatch: true,
-		Total:             &validations.TotalCount{Vulnerabilities: 10, BomComponents: 4 /* components */ + 1 /* root */, Licenses: 1},
+		Total:             &validations.TotalCount{Vulnerabilities: 11, BomComponents: 4 /* components */ + 1 /* root */, Licenses: 1},
 		SbomComponents:    &validations.SbomCount{Root: 1, Direct: 4},
 		Vulnerabilities: &validations.VulnerabilityCount{
-			ValidateScan:                &validations.ScanCount{Sca: 10},
-			ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 4, NotApplicable: 6},
+			ValidateScan:                &validations.ScanCount{Sca: 11},
+			ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 5, NotApplicable: 6},
 		},
 	})
 }
@@ -1184,11 +1184,11 @@ func TestAuditNewScaCycloneDxUV(t *testing.T) {
 	assert.NoError(t, err)
 	validations.VerifyCycloneDxResults(t, output, validations.ValidationParams{
 		ExactResultsMatch: true,
-		Total:             &validations.TotalCount{Vulnerabilities: 18, BomComponents: 1 /* root */ + 8 /* direct */ + 1 /* file (secret)*/, Licenses: 5},
+		Total:             &validations.TotalCount{Vulnerabilities: 20, BomComponents: 1 /* root */ + 8 /* direct */ + 1 /* file (secret)*/, Licenses: 5},
 		SbomComponents:    &validations.SbomCount{Root: 1, Direct: 8},
 		Vulnerabilities: &validations.VulnerabilityCount{
-			ValidateScan:                &validations.ScanCount{Sca: 16, Sast: 1, Secrets: 1},
-			ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 7, NotApplicable: 9},
+			ValidateScan:                &validations.ScanCount{Sca: 18, Sast: 1, Secrets: 1},
+			ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 9, NotApplicable: 9},
 		},
 	})
 }

git_test.go

@@ -60,14 +60,34 @@ type gitAuditCommandTestParams struct {
 	auditCommandTestParams
 	// Override the test project repo clone url
 	OverrideRepoCloneUrl string
+	OverrideCommitMsg    string
 }
 
 func testGitAuditCommand(t *testing.T, params auditCommandTestParams) (string, error) {
 	return securityTests.PlatformCli.RunCliCmdWithOutputs(t, append([]string{"git"}, getAuditCmdArgs(params)...)...)
 }
 
 func getDummyGitRepoUrl() string {
-	return fmt.Sprintf("https://github.com/jfrog/dummy-repo-url%s.git", securityTests.GetUniqueSuffix())
+	return fmt.Sprintf("https://test.git.provider.com/jfrog-tests/dummy-repo-url%s.git", securityTests.GetUniqueSuffix())
+}
+
+func getDummyCommitMsg(baseMsg string) string {
+	return fmt.Sprintf("commit-message-%s-%s", baseMsg, securityTests.GetUniqueSuffix())
+}
+
+const (
+	testGitUserName  = "jfrog-cli-security-test"
+	testGitUserEmail = "jfrog-cli-security-test@jfrog.com"
+)
+
+// amendHeadCommitForTest amends HEAD with a unique message and timestamp.
+// CI runners and some dev machines have no global git user.identity; -c supplies a local identity.
+func amendHeadCommitForTest(t *testing.T, message string) {
+	t.Helper()
+	cmd := exec.Command("git", "-c", "user.name="+testGitUserName, "-c", "user.email="+testGitUserEmail,
+		"commit", "--amend", "--date=now", "-m", message)
+	out, err := cmd.CombinedOutput()
+	assert.NoError(t, err, "Failed to set dummy commit msg: %s", string(out))
 }
 
 func createTestProjectRunGitAuditAndValidate(t *testing.T, projectPath string, gitAuditParams gitAuditCommandTestParams, xrayVersion, xscVersion, expectError string, validationParams validations.ValidationParams) {
@@ -80,6 +100,9 @@ func createTestProjectRunGitAuditAndValidate(t *testing.T, projectPath string, g
 		// Override the git remote url to a dummy one to avoid flaky tests due to collisions in policy/watch created for the same repo.
 		assert.NoError(t, exec.Command("git", "remote", "set-url", "origin", gitAuditParams.OverrideRepoCloneUrl).Run(), "Failed to set dummy git remote url")
 	}
+	if gitAuditParams.OverrideCommitMsg != "" {
+		amendHeadCommitForTest(t, gitAuditParams.OverrideCommitMsg)
+	}
 	// Run the audit command with git repo and verify violations are reported to the platform.
 	output, err := testGitAuditCommand(t, gitAuditParams.auditCommandTestParams)
 	if expectError != "" {
@@ -138,6 +161,7 @@ func TestGitAuditStaticScaSimpleJson(t *testing.T) {
 				Watches:       []string{watchName},
 			},
 			OverrideRepoCloneUrl: dummyCloneUrl,
+			OverrideCommitMsg:    getDummyCommitMsg("git-audit-static-sca-simple-json"),
 		},
 		xrayVersion, "", "One or more of the detected violations are configured to fail the build that including them",
 		validations.ValidationParams{
@@ -170,6 +194,7 @@ func TestGitAuditViolationsWithIgnoreRule(t *testing.T) {
 		gitAuditCommandTestParams{
 			auditCommandTestParams: auditCommandTestParams{Format: format.SimpleJson, WithLicense: true, WithVuln: true},
 			OverrideRepoCloneUrl:   dummyCloneUrl,
+			OverrideCommitMsg:      getDummyCommitMsg("git-audit-violations-with-ignore-rule-before"),
 		},
 		xrayVersion, xscVersion, "One or more of the detected violations are configured to fail the build that including them",
 		validations.ValidationParams{
@@ -203,6 +228,7 @@ func TestGitAuditViolationsWithIgnoreRule(t *testing.T) {
 		gitAuditCommandTestParams{
 			auditCommandTestParams: auditCommandTestParams{Format: format.SimpleJson},
 			OverrideRepoCloneUrl:   dummyCloneUrl,
+			OverrideCommitMsg:      getDummyCommitMsg("git-audit-violations-with-ignore-rule-after"),
 		},
 		xrayVersion, xscVersion, "",
 		// No Violations should be reported since all violations are ignored.
@@ -267,12 +293,13 @@ func TestGitAuditJasSkipNotApplicableCvesViolations(t *testing.T) {
 		gitAuditCommandTestParams{
 			auditCommandTestParams: auditCommandTestParams{Format: format.SimpleJson, Watches: []string{watchName}, DisableFailOnFailedBuildFlag: true},
 			OverrideRepoCloneUrl:   dummyCloneUrl,
+			OverrideCommitMsg:      getDummyCommitMsg("git-audit-jas-skip-not-applicable-cves-violations-before"),
 		},
 		xrayVersion, xscVersion, "",
 		validations.ValidationParams{
 			Violations: &validations.ViolationCount{
-				ValidateScan:                &validations.ScanCount{Sca: 12, Sast: 2, Secrets: 2},
-				ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotApplicable: 10, NotCovered: 2, Inactive: 2},
+				ValidateScan:                &validations.ScanCount{Sca: 19, Sast: 2, Secrets: 2},
+				ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotApplicable: 15, NotCovered: 4, Inactive: 2},
 			},
 			ExactResultsMatch: true,
 		},
@@ -295,12 +322,13 @@ func TestGitAuditJasSkipNotApplicableCvesViolations(t *testing.T) {
 		gitAuditCommandTestParams{
 			auditCommandTestParams: auditCommandTestParams{Format: format.SimpleJson, Watches: []string{skipWatchName}, DisableFailOnFailedBuildFlag: true},
 			OverrideRepoCloneUrl:   dummyCloneUrl,
+			OverrideCommitMsg:      getDummyCommitMsg("git-audit-jas-skip-not-applicable-cves-violations-after"),
 		},
 		xrayVersion, xscVersion, "",
 		validations.ValidationParams{
 			Violations: &validations.ViolationCount{
-				ValidateScan:                &validations.ScanCount{Sca: 2, Sast: 2, Secrets: 2},
-				ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 2, Inactive: 2},
+				ValidateScan:                &validations.ScanCount{Sca: 4, Sast: 2, Secrets: 2},
+				ValidateApplicabilityStatus: &validations.ApplicabilityStatusCount{NotCovered: 4, Inactive: 2},
 			},
 			ExactResultsMatch: true,
 		},

go.mod

@@ -1,33 +1,33 @@
 module github.com/jfrog/jfrog-cli-security
 
-go 1.25.7
+go 1.26.3
 
 require (
 	github.com/CycloneDX/cyclonedx-go v0.10.0
 	github.com/beevik/etree v1.6.0
-	github.com/go-git/go-git/v5 v5.18.0
+	github.com/go-git/go-git/v5 v5.19.1
 	github.com/google/go-github/v56 v56.0.0
 	github.com/google/uuid v1.6.0
-	github.com/gookit/color v1.6.0
+	github.com/gookit/color v1.6.1
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-plugin v1.6.3
-	github.com/jfrog/build-info-go v1.13.1-0.20260429070557-93b98034d295
+	github.com/jfrog/build-info-go v1.13.1-0.20260521104402-1e35b9b5b0c6
 	github.com/jfrog/froggit-go v1.22.0
 	github.com/jfrog/gofrog v1.7.6
 	github.com/jfrog/jfrog-apps-config v1.0.1
-	github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260501071051-3c8035fc662b
-	github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260504054219-ba16d20c7b0f
-	github.com/jfrog/jfrog-client-go v1.55.1-0.20260505115216-b6c67f807bc3
+	github.com/jfrog/jfrog-cli-artifactory v0.8.1-0.20260522105851-297d2027a72e
+	github.com/jfrog/jfrog-cli-core/v2 v2.60.1-0.20260522091649-43f236276873
+	github.com/jfrog/jfrog-client-go v1.55.1-0.20260522071027-8b60a715d6e4
 	github.com/magiconair/properties v1.8.10
 	github.com/owenrumney/go-sarif/v3 v3.2.3
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/stretchr/testify v1.11.1
 	github.com/urfave/cli v1.22.17
 	github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74
-	golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90
+	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
 	golang.org/x/sync v0.20.0
-	golang.org/x/sys v0.42.0
-	golang.org/x/text v0.35.0
+	golang.org/x/sys v0.44.0
+	golang.org/x/text v0.37.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -39,7 +39,7 @@ require (
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
 	github.com/andybalholm/brotli v1.2.0 // indirect
-	github.com/buger/jsonparser v1.1.2 // indirect
+	github.com/buger/jsonparser v1.2.0 // indirect
 	github.com/c-bata/go-prompt v0.2.6 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
@@ -65,7 +65,7 @@ require (
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/gfleury/go-bitbucket-v1 v0.0.0-20240917142304-df385efaac68 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.8.0 // indirect
+	github.com/go-git/go-billy/v5 v5.9.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
@@ -82,7 +82,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jedib0t/go-pretty/v6 v6.7.8 // indirect
+	github.com/jedib0t/go-pretty/v6 v6.7.10 // indirect
 	github.com/jfrog/archiver/v3 v3.6.3 // indirect
 	github.com/kevinburke/ssh_config v1.6.0 // indirect
 	github.com/klauspost/compress v1.18.5 // indirect
@@ -107,7 +107,7 @@ require (
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.3.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.26 // indirect
-	github.com/pjbgf/sha1cd v0.5.0 // indirect
+	github.com/pjbgf/sha1cd v0.6.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/term v1.2.0-beta.2 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
@@ -138,11 +138,11 @@ require (
 	go.opentelemetry.io/otel/metric v1.42.0 // indirect
 	go.opentelemetry.io/otel/trace v1.42.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.49.0 // indirect
-	golang.org/x/mod v0.34.0 // indirect
-	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/crypto v0.50.0 // indirect
+	golang.org/x/mod v0.35.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
 	golang.org/x/oauth2 v0.36.0 // indirect
-	golang.org/x/term v0.41.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
 	golang.org/x/time v0.15.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260319201613-d00831a3d3e7 // indirect
 	google.golang.org/grpc v1.79.3 // indirect