Support all attributes in Central Configs

[attiasas]

Support multiple working dirs with single-target scan flow & deprecate jfrog-apps-config in new flow

Summary

Refactors the audit scan pipeline to support multiple working directories via a single scan target (--static-sca / Xray lib flow), and deprecates the jfrog-apps-config.yml module system for JAS scans in the new flow. Scan configuration (include/exclude patterns, central config modules) is now carried directly on ScanTarget instead of being resolved through jfrog-apps-config modules.

Depends on:

• XRAY-135682 (bug: secrets/CA when multiple roots are passed)

• XRAY-138915 (improvement: iac does not support multiple roots)

• XSC - Add path patterns to config profile jfrog-client-go#1344

Analyzer-Manager minimum version: 1.33.0

• Update AnalyzerManager version to 1.33.0 #748

Changes

• ScanTarget extended – added Include, Exclude, DeprecatedAppsConfigModule, and CentralConfigModules fields; added methods IsScanRequestedByCentralConfig, GetCentralConfigExclusions, GetDeprecatedAppsConfigModuleExclusions.
• New single-target detection (createSingleScanTarget) – when the new flow (Xray lib BOM generator) is active, a single ScanTarget is created with the working directories as include paths, instead of detecting one target per technology directory.
• JAS scanners refactored – every scanner (Secrets, IaC, SAST, Applicability) now exposes two code paths: Run(target ScanTarget) (new flow, target-based) and DeprecatedRun(module, centralConfigExclusions) (old flow, module-based). Config file generation, exclude-pattern resolution, and SARIF result reading follow the same split.
• jfrog-apps-config deprecated in new flow – AppsConfigModule replaced by DeprecatedAppsConfigModule; config loading only happens in the old (graph-based) flow. A deprecation warning is emitted when the file is detected.
• Exclude/include patterns moved to target level – ScanTarget.Exclude is set during target detection and passed through to BOM generation (Xray lib IgnorePatterns + IncludeDirs) and all JAS scanner config files.
• Central config profile support per-target – matchCentralConfigModules assigns profile modules to targets; ShouldSkipScannerByConfigProfile checks enablement per scan type on the target.
• SARIF invocation rework – fillMissingRequiredInvocationInformation now aggregates execution success and creates a single canonical invocation with include property bag for multi-root targets.
• SBOM logging moved to bomgenerator – logging of component counts and duration is now in the shared GenerateSbomForTarget instead of duplicated in XrayLibBomGenerator.
• Utility additions – GetFullPathsWorkingDirs, IsPathExcluded, ElementsEqual, CreateNewInvocation.
• Tests – new unit tests in commands/audit/audit_test.go, jas/common_test.go, jas/secrets/secretsscanner_test.go, jas/iac/iacscanner_test.go, jas/applicability/applicabilitymanager_test.go, utils/results/results_test.go, utils/paths_test.go, utils/utils_test.go.

Testing

• New and updated unit tests covering target detection, exclude-pattern resolution, central-config module matching, SARIF invocation creation, and scanner config-file generation.
• Existing integration tests updated to match new signatures.

Notes

• In the new flow, jfrog-apps-config.yml is deprecated – flags, env vars, or central JFrog Platform config should be used instead.
• The old graph-based flow is untouched and still loads jfrog-apps-config as before.

[eranturgeman]

maybe not something we want to address but maybe worth noting- if a new tech is added in a PR (new module or something) we will find no match. this is a edge case but maybe worth a comment

[eranturgeman]

I see this check existed before, but I dont think it is really a possible usecase. we can leave it for safety though

[eranturgeman]

maybe add another testcase with multi-rows and different technologies?

[eranturgeman]

LGTM! see my comments