8 changes: 4 additions & 4 deletions .github/workflows/ci-tests.yml
Expand Up @@ -44,14 +44,14 @@ jobs:
with:
go-version-file: go.mod
- run: go version
- name: Install pre-commit
run: |
pip config set global.extra-index-url https://__token__:${{ secrets.ECHO_ACCESS_KEY }}@pypi.echohq.com/simple
pip install pre-commit==4.6.0
- name: Go Build
run: go build -o ./bin/cx ./cmd
- name: Install gocovmerge
run: go install github.com/wadey/gocovmerge@latest
- name: Install pre-commit
run: |
pip install pre-commit
pre-commit install
- name: Go Integration test
shell: bash
env:
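Review bot: The two `Install pre-commit` steps in this hunk disagree on pinning — one installs `pre-commit==4.6.0`, the other an unpinned `pre-commit` — and the rendered view does not show which side is the new one, so whichever survives should keep an exact pin (ideally `--require-hashes` against a small requirements file) so the hook runner is reproducible between CI runs; nightly-parallel.yml has the same unpinned install. The `pip config set global.extra-index-url https://__token__:${{ secrets.ECHO_ACCESS_KEY }}@pypi.echohq.com/simple` line writes the token into the runner's persistent pip configuration, which outlives the step on a self-hosted runner; if that line is on the new side, prefer scoping it to the install itself, e.g. `run: pip install --extra-index-url "https://__token__:${{ secrets.ECHO_ACCESS_KEY }}@pypi.echohq.com/simple" pre-commit==4.6.0`, or a step-level `PIP_EXTRA_INDEX_URL` env entry. The enclosing `jobs:` step list starts and ends outside the hunk.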
2 changes: 1 addition & 1 deletion .github/workflows/nightly-parallel.yml
Expand Up @@ -259,7 +259,7 @@ jobs:
- name: Install pre-commit
if: matrix.needs_precommit == 'true'
run: |
pip install pre-commit
pip install --index-url https://pypi.echohq.com/simple --extra-index-url https://pypi.org/simple pre-commit
pre-commit install

- name: Start Squid proxy
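Review bot: `pip install --index-url https://pypi.echohq.com/simple --extra-index-url https://pypi.org/simple pre-commit` does not make the private index authoritative: pip gathers candidates from every configured index and installs the highest matching version wherever it is hosted, so a release that exists only on pypi.org still wins over the echohq copy. If the private index is meant to be the vetted source, drop `--extra-index-url https://pypi.org/simple` (assuming that index proxies what pre-commit needs, which this diff does not show) and pin the version, e.g. `pip install --index-url https://pypi.echohq.com/simple pre-commit==4.6.0`. This step also reaches the index without credentials while ci-tests.yml uses `ECHO_ACCESS_KEY`; it is worth confirming that both are intended, since the two workflows would otherwise resolve against different package sets.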
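--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,22 @@
+# Trivy Ignore File
+# These vulnerabilities are accepted risks or false positives in the build
+
+# CVE-2026-33481 (MEDIUM): Syft improper temporary file cleanup
+# Library: github.com/anchore/syft v1.21.0
+# Status: Fixed in v1.42.3, but only affects SBOM generation
+# Risk: Low - temporary file cleanup only affects scanning operations, not CLI runtime
+CVE-2026-33481 exp:2026-12-31
+
+# CVE-2026-34040 (HIGH): Moby Authorization bypass vulnerability
+# Library: github.com/docker/docker v28.0.3+incompatible
+# Status: Unfixed, fix available in v29.3.1
+# Risk: Accepted - Docker SDK is only used for container image scanning
+# Impact: Only relevant when used as a container registry client
+CVE-2026-34040 exp:2026-12-31
+
+# CVE-2026-33997 (MEDIUM): Moby Privilege validation bypass during plugin installation
+# Library: github.com/docker/docker v28.0.3+incompatible
+# Status: Unfixed
+# Risk: Accepted - CLI does not use Docker plugin functionality
+# Impact: Only affects Docker daemon with untrusted plugins
+CVE-2026-33997 exp:2026-12-31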
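Review bot: Two of the three suppressions record that a fixed release exists (`Fixed in v1.42.3` for syft, `fix available in v29.3.1` for docker) yet accept the finding until 2026-12-31 without saying why the upgrade is deferred, and the `Status: Unfixed, fix available in v29.3.1` line for CVE-2026-34040 contradicts itself. Since that one is a HIGH finding against `github.com/docker/docker v28.0.3+incompatible`, each entry should state the blocker for moving to the fixed line (the `+incompatible` suffix hints at a major-version boundary, but that is a guess from the module path) and point at a tracker so the expiry has an owner, e.g. `# Tracking: <ISSUE-LINK-PLACEHOLDER>` and `# Deferred because: <reason>` under each CVE. The `Risk:` lines justify acceptance by how the CLI uses the library ("only used for container image scanning", "does not use Docker plugin functionality"); that is the right kind of argument, but it is not verifiable from this file, so naming the call sites or the review that established it would let the next person re-check when the expiry lapses.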
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
FROM checkmarx/bash:5.3-r12-02a1aad732e7ab@sha256:02a1aad732e7ab0659b212d83c2a0bb548d9d8bdec23336f6c0b44f8f3435cb8
FROM checkmarx/bash:5.3-r12-fd4144660b936c@sha256:fd4144660b936cfa93aaf980ff81eaa13aff00cb420e4b115f39fc251bfd86e1
USER nonroot

COPY cx /app/bin/cx
12 changes: 6 additions & 6 deletions go.mod
@@ -1,13 +1,13 @@
module github.com/checkmarx/ast-cli

go 1.26.3
go 1.26.4

require (
github.com/Checkmarx/containers-resolver v1.0.34
github.com/Checkmarx/containers-types v1.0.9
github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63
github.com/Checkmarx/gen-ai-wrapper v1.0.3
github.com/Checkmarx/manifest-parser v0.1.2
github.com/Checkmarx/manifest-parser v0.1.3
github.com/Checkmarx/secret-detection v1.2.1
github.com/MakeNowJust/heredoc v1.0.0
github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
Expand All @@ -27,7 +27,7 @@ require (
github.com/stretchr/testify v1.11.1
github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80
github.com/xeipuuv/gojsonschema v1.2.0
golang.org/x/crypto v0.50.0
golang.org/x/crypto v0.52.0
golang.org/x/sync v0.20.0
golang.org/x/text v0.37.0
google.golang.org/grpc v1.80.0
Expand Down Expand Up @@ -290,9 +290,9 @@ require (
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
golang.org/x/mod v0.35.0 // indirect
golang.org/x/net v0.53.1-0.20260416132847-8c4c965e0284 // indirect
golang.org/x/net v0.55.0 // indirect
golang.org/x/oauth2 v0.36.0 // indirect
golang.org/x/sys v0.44.0 // indirect
golang.org/x/sys v0.45.0 // indirect
golang.org/x/term v0.43.0 // indirect
golang.org/x/time v0.15.0 // indirect
golang.org/x/tools v0.44.0 // indirect
Expand Down Expand Up @@ -327,7 +327,7 @@ require (
sigs.k8s.io/yaml v1.6.0 // indirect
)

replace github.com/containerd/containerd => github.com/containerd/containerd v1.7.32
replace github.com/containerd/containerd => github.com/containerd/containerd v1.7.33

replace github.com/containerd/containerd/v2 => github.com/containerd/containerd/v2 v2.1.5

20 changes: 10 additions & 10 deletions go.sum
Expand Up @@ -77,8 +77,8 @@ github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63 h1:SCuTcE
github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63/go.mod h1:MI6lfLerXU+5eTV/EPTDavgnV3owz3GPT4g/msZBWPo=
github.com/Checkmarx/gen-ai-wrapper v1.0.3 h1:p7lc/U4dFltsIxAEeWeDNW4+8ovvlJvdb5pVBLcbKs8=
github.com/Checkmarx/gen-ai-wrapper v1.0.3/go.mod h1:xwRLefezwNNnRGu1EjGS6wNiR9FVV/eP9D+oXwLViVM=
github.com/Checkmarx/manifest-parser v0.1.2 h1:Sh2xkpeOWKu56Y7wo+ljckNGHAQX1uITEeH3cI2T0pg=
github.com/Checkmarx/manifest-parser v0.1.2/go.mod h1:hh5FX5FdDieU8CKQEkged4hfOaSylpJzub8PRFXa4kA=
github.com/Checkmarx/manifest-parser v0.1.3 h1:cr+q7QkbkoCsoA5nQnv1/Pp23jnKWBePAwrcJNTk4x8=
github.com/Checkmarx/manifest-parser v0.1.3/go.mod h1:hh5FX5FdDieU8CKQEkged4hfOaSylpJzub8PRFXa4kA=
github.com/Checkmarx/secret-detection v1.2.1 h1:Hzpz74dcN/L14Q86ARvPOZpKBnERzGTpy6sl1RXKOTo=
github.com/Checkmarx/secret-detection v1.2.1/go.mod h1:kbXbtIQisDdB/TNuV7r9HPclEznUyBHLQ5yr7IX7vBQ=
github.com/CycloneDX/cyclonedx-go v0.10.0 h1:7xyklU7YD+CUyGzSFIARG18NYLsKVn4QFg04qSsu+7Y=
Expand Down Expand Up @@ -251,8 +251,8 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH
github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
github.com/containerd/cgroups/v3 v3.1.3 h1:eUNflyMddm18+yrDmZPn3jI7C5hJ9ahABE5q6dyLYXQ=
github.com/containerd/cgroups/v3 v3.1.3/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw=
github.com/containerd/containerd v1.7.32 h1:S54xuVcPxeLaYgaRABtpJ2VyVUVsy0IGf7qHBs+sbY8=
github.com/containerd/containerd v1.7.32/go.mod h1:jdwD6s/BhV4XVJGrvtziNPVA+83n66TwptVaPKprq4E=
github.com/containerd/containerd v1.7.33 h1:iAkYGC/ifR/V+0eR4iXWHNGYUF0DF2PmGV5iz4Irj5M=
github.com/containerd/containerd v1.7.33/go.mod h1:gSbSCVjPCdkfJCjyrzz7aRC+xFlqVbatNpfHfVCYGUM=
github.com/containerd/containerd/api v1.9.0 h1:HZ/licowTRazus+wt9fM6r/9BQO7S0vD5lMcWspGIg0=
github.com/containerd/containerd/api v1.9.0/go.mod h1:GhghKFmTR3hNtyznBoQ0EMWr9ju5AqHjcZPsSpTKutI=
github.com/containerd/continuity v0.5.0 h1:7a85HZpCSs+1Zps0Ee3DPSuAWY+0SJM1JNM51nlEVDg=
Expand Down Expand Up @@ -1104,8 +1104,8 @@ golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5y
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
Expand Down Expand Up @@ -1192,8 +1192,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.53.1-0.20260416132847-8c4c965e0284 h1:1Cik9TO30xv+Uycc5dXzAct+LiGidZMVM1U4chCI6o4=
golang.org/x/net v0.53.1-0.20260416132847-8c4c965e0284/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
Expand Down Expand Up @@ -1303,8 +1303,8 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
20 changes: 17 additions & 3 deletions internal/services/realtimeengine/ossrealtime/oss-realtime.go
Expand Up @@ -16,6 +16,12 @@ import (
"github.com/pkg/errors"
)

const (
pkgManagerGradle = "gradle"
pkgManagerSbt = "sbt"
pkgManagerMvn = "mvn"
)

// convertLocations converts models.Location to realtimeengine.Location
func convertLocations(locations []models.Location) []realtimeengine.Location {
var result []realtimeengine.Location
Expand Down Expand Up @@ -144,7 +150,7 @@ func enrichResponseWithRealtimeScannerResults(
for _, pkg := range result.Packages {
entry := getPackageEntryFromPackageMap(packageMap, &pkg)
response.Packages = append(response.Packages, OssPackage{
PackageManager: pkg.PackageManager,
PackageManager: entry.PackageManager,
PackageName: pkg.PackageName,
PackageVersion: pkg.Version,
FilePath: entry.FilePath,
Expand Down Expand Up @@ -220,13 +226,17 @@ func prepareScan(pkgs []models.Package) (*OssPackageResults, *wrappers.RealtimeS
func createPackageMap(pkgs []models.Package) map[string]OssPackage {
packageMap := make(map[string]OssPackage)
for _, pkg := range pkgs {
packageMap[generatePackageMapEntry(pkg.PackageManager, pkg.PackageName, pkg.Version)] = OssPackage{
entry := OssPackage{
PackageManager: pkg.PackageManager,
PackageName: pkg.PackageName,
PackageVersion: pkg.Version,
FilePath: pkg.FilePath,
Locations: convertLocations(pkg.Locations),
}
packageMap[generatePackageMapEntry(pkg.PackageManager, pkg.PackageName, pkg.Version)] = entry
if pkg.PackageManager == pkgManagerGradle || pkg.PackageManager == pkgManagerSbt {
packageMap[generatePackageMapEntry(pkgManagerMvn, pkg.PackageName, pkg.Version)] = entry
}
}
return packageMap
}
Expand Down Expand Up @@ -277,8 +287,12 @@ func createVersionMapping(requestPackages *wrappers.RealtimeScannerPackageReques

// pkgToRequest transforms a parsed package into a scan request.
func pkgToRequest(pkg *models.Package) wrappers.RealtimeScannerPackage {
pkgManager := pkg.PackageManager
if pkg.PackageManager == pkgManagerGradle || pkg.PackageManager == pkgManagerSbt {
pkgManager = pkgManagerMvn
}
return wrappers.RealtimeScannerPackage{
PackageManager: pkg.PackageManager,
PackageManager: pkgManager,
PackageName: pkg.PackageName,
Version: pkg.Version,
}
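Review bot: In createPackageMap a gradle or sbt package is now stored a second time under an `mvn` key, so when the same name and version are declared under more than one of gradle, sbt and mvn in a single scan, the later iteration silently overwrites the earlier entry's FilePath and Locations, and the enrichment loop (the `getPackageEntryFromPackageMap(packageMap, &pkg)` call at line 215) then attributes the finding to only one of the declaring files; either merge Locations on collision or document that last-wins is intended. The gradle/sbt-to-mvn test is spelled out twice, here and in pkgToRequest, so a small helper keeps the two in step, and the new const block could carry a comment saying why these managers are sent to the scanner as `mvn` — presumably because the realtime scanner resolves them as Maven coordinates, which this diff does not show. createPackageMap's callers and getPackageEntryFromPackageMap lie outside the hunk.

```go
// normalizePackageManager maps gradle and sbt onto mvn, the manager name the
// realtime scanner request uses for them (see pkgToRequest); other values pass through.
func normalizePackageManager(pm string) string {
	if pm == pkgManagerGradle || pm == pkgManagerSbt {
		return pkgManagerMvn
	}
	return pm
}

// … unchanged: createPackageMap entry construction …
		packageMap[generatePackageMapEntry(pkg.PackageManager, pkg.PackageName, pkg.Version)] = entry
		// Alias under the name the scanner reports so enrichment can find the original entry.
		if normalized := normalizePackageManager(pkg.PackageManager); normalized != pkg.PackageManager {
			packageMap[generatePackageMapEntry(normalized, pkg.PackageName, pkg.Version)] = entry
		}
```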