
add IncludeDirs option to Xray Bom Lib #670

Open
attiasas wants to merge 33 commits into jfrog:dev from attiasas:pass_wd_to_xray_lib

Conversation

@attiasas
Collaborator

@attiasas attiasas commented Feb 12, 2026

Support multiple working dirs with single-target scan flow & deprecate jfrog-apps-config in new flow

Summary

Refactors the audit scan pipeline to support multiple working directories via a single scan target (--static-sca / Xray lib flow), and deprecates the jfrog-apps-config.yml module system for JAS scans in the new flow. Scan configuration (include/exclude patterns, central config modules) is now carried directly on ScanTarget instead of being resolved through jfrog-apps-config modules.

Depends on: XRAY-135682 (bug: secrets/CA when multiple roots are passed)

Changes

  • ScanTarget extended – added Include, Exclude, DeprecatedAppsConfigModule, and CentralConfigModules fields; added methods IsScanRequestedByCentralConfig, GetCentralConfigExclusions, GetDeprecatedAppsConfigModuleExclusions.
  • New single-target detection (createSingleScanTarget) – when the new flow (Xray lib BOM generator) is active, a single ScanTarget is created with the working directories as include paths, instead of detecting one target per technology directory.
  • JAS scanners refactored – every scanner (Secrets, IaC, SAST, Applicability) now exposes two code paths: Run(target ScanTarget) (new flow, target-based) and DeprecatedRun(module, centralConfigExclusions) (old flow, module-based). Config file generation, exclude-pattern resolution, and SARIF result reading follow the same split.
  • jfrog-apps-config deprecated in new flow – AppsConfigModule replaced by DeprecatedAppsConfigModule; config loading only happens in the old (graph-based) flow. A deprecation warning is emitted when the file is detected.
  • Exclude/include patterns moved to target level – ScanTarget.Exclude is set during target detection and passed through to BOM generation (Xray lib IgnorePatterns + IncludeDirs) and all JAS scanner config files.
  • Central config profile support per-target – matchCentralConfigModules assigns profile modules to targets; ShouldSkipScannerByConfigProfile checks enablement per scan type on the target.
  • SARIF invocation rework – fillMissingRequiredInvocationInformation now aggregates execution success and creates a single canonical invocation with include property bag for multi-root targets.
  • SBOM logging moved to bomgenerator – logging of component counts and duration is now in the shared GenerateSbomForTarget instead of duplicated in XrayLibBomGenerator.
  • Utility additions – GetFullPathsWorkingDirs, IsPathExcluded, ElementsEqual, CreateNewInvocation.
  • Tests – new unit tests in commands/audit/audit_test.go, jas/common_test.go, jas/secrets/secretsscanner_test.go, jas/iac/iacscanner_test.go, jas/applicability/applicabilitymanager_test.go, utils/results/results_test.go, utils/paths_test.go, utils/utils_test.go.

Testing

  • New and updated unit tests covering target detection, exclude-pattern resolution, central-config module matching, SARIF invocation creation, and scanner config-file generation.
  • Existing integration tests updated to match new signatures.

Notes

  • In the new flow, jfrog-apps-config.yml is deprecated – flags, env vars, or central JFrog Platform config should be used instead.
  • The old graph-based flow is untouched and still loads jfrog-apps-config as before.
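The part of this change that decides what the secrets, IaC and SAST scanners actually see is the target-level include/exclude resolution: several working directories become one target, and every exclude pattern has to be interpreted relative to the root that contains the file, while a containment check done by string prefix or a pattern matched against the wrong base silently drops files or lets files outside the requested roots through. The following Go example is added here and is not code from this PR or from jfrog-cli-security; ScanTarget, NewSingleScanTarget, IsExcluded, CollectFiles and glob are names chosen for the example and make no claim about the project's real types or signatures, and the default patterns in main (node_modules, .git, *.pem) are constructed for the demo. It shows the semantics a practitioner would want: roots are absolutised, deduplicated and sorted; a path under none of the roots is excluded (fail closed); containment is tested with filepath.Rel so that /repo/app2 is never taken for a child of /repo/app; and each pattern is matched against the root-relative path, every ancestor directory and the bare entry name, so "node_modules" or "*.pem" prune whole subtrees without "**" syntax.

```go
package main

import (
	"fmt"
	"io/fs"
	"log"
	"os"
	"path"
	"path/filepath"
	"slices"
	"strings"
)

// ScanTarget is a hypothetical stand-in for one target that carries its roots
// and exclusions directly (an assumption of this example, not the project's type).
type ScanTarget struct {
	Include []string // absolute working-directory roots
	Exclude []string // glob patterns, matched against root-relative paths
}

// NewSingleScanTarget folds several working directories into one target: clean
// absolute roots, duplicates dropped, sorted so CLI argument order is irrelevant.
func NewSingleScanTarget(workingDirs, exclude []string) (ScanTarget, error) {
	var roots []string
	for _, wd := range workingDirs {
		abs, err := filepath.Abs(wd)
		if err != nil {
			return ScanTarget{}, err
		}
		roots = append(roots, abs)
	}
	slices.Sort(roots)
	return ScanTarget{Include: slices.Compact(roots), Exclude: exclude}, nil
}

// glob is path.Match with a malformed pattern treated as "no match".
func glob(pat, name string) bool {
	m, _ := path.Match(pat, name)
	return m
}

// IsExcluded reports whether absolute path p must be skipped. It fails closed
// (a path inside none of the roots is excluded), tests containment with
// filepath.Rel rather than a string prefix, and tries every pattern against the
// root-relative path, each ancestor directory and the bare entry name.
func IsExcluded(target ScanTarget, p string) bool {
	for _, root := range target.Include {
		rel, err := filepath.Rel(root, filepath.Clean(p))
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			continue // not inside this root; "/repo/app2" is not under "/repo/app"
		}
		if rel == "." {
			return false // the root itself is always scanned
		}
		parts := strings.Split(filepath.ToSlash(rel), "/")
		for i := 1; i <= len(parts); i++ {
			for _, pat := range target.Exclude {
				if glob(pat, strings.Join(parts[:i], "/")) || glob(pat, parts[i-1]) {
					return true
				}
			}
		}
		return false
	}
	return true
}

// CollectFiles walks every root, prunes excluded directories before descending
// (WalkDir does not follow symlinks) and returns sorted absolute file paths.
func CollectFiles(target ScanTarget) ([]string, error) {
	var files []string
	for _, root := range target.Include {
		err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
			switch excluded := IsExcluded(target, p); {
			case err != nil:
				return err
			case excluded && d.IsDir():
				return fs.SkipDir // never descend into an excluded tree
			case !excluded && !d.IsDir():
				files = append(files, p)
			}
			return nil
		})
		if err != nil {
			return nil, err
		}
	}
	slices.Sort(files)
	return files, nil
}

func main() {
	target, err := NewSingleScanTarget(os.Args[1:], []string{"node_modules", ".git", "*.pem"})
	if err != nil {
		log.Fatal(err)
	}
	files, err := CollectFiles(target)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(len(files), "files selected for scanning")
}
```

Run it as `go run main.go ./app ./app2` to see how many files survive the exclusions for a set of working directories. Two caveats the example deliberately leaves visible: roots nested inside other roots are walked twice and their patterns resolve against the outer root, so such roots should be collapsed before scanning; and because patterns are also matched against ancestor names, an exclude of "src" drops "lib/src" as well, which is usually what users of a directory-name exclude expect but must be documented.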

@attiasas added the "ignore for release" (Automatically generated release notes) label Feb 12, 2026
@attiasas added the "safe to test" (Approve running integration tests on a pull request) label Feb 12, 2026
@github-actions bot removed the "safe to test" label Feb 12, 2026
@attiasas added the "safe to test" label Feb 17, 2026
@github-actions bot removed the "safe to test" label Feb 17, 2026
@attiasas added the "safe to test" label Feb 19, 2026
@jfrog deleted a comment from github-actions bot Feb 25, 2026
@jfrog deleted a comment from github-actions bot Feb 25, 2026
@attiasas added the "safe to test" label Feb 25, 2026
@github-actions bot removed the "safe to test" label Feb 25, 2026
@attiasas added the "safe to test" label Mar 10, 2026
@github-actions bot removed the "safe to test" label Mar 10, 2026
@attiasas added the "safe to test" label Mar 15, 2026
@github-actions bot removed the "safe to test" label Mar 15, 2026
@attiasas added the "safe to test" label Mar 22, 2026
@github-actions bot removed the "safe to test" label Mar 22, 2026
@github-actions

👍 Frogbot scanned this pull request and did not find any new security issues.


@attiasas added the "safe to test" label Mar 30, 2026
@github-actions bot removed the "safe to test" label Mar 30, 2026
@attiasas added the "safe to test" label Mar 30, 2026
@github-actions bot removed the "safe to test" label Mar 30, 2026