Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
9284d2f
Changes for manifest parser for java and sbt
cx-atish-jadhav May 26, 2026
0472227
Merge remote-tracking branch 'origin/main' into feature/manifest-parser
cx-atish-jadhav Jun 18, 2026
26d03ee
Squashed commit of the following:
cx-atish-jadhav Jun 22, 2026
b37c9fb
used prerelease version of manifest parser
cx-atish-jadhav Jun 22, 2026
3fa4166
refactor: extract package manager strings to constants
cx-atish-jadhav Jun 29, 2026
ffffa1a
Updated version of manifest parser to use latest
cx-atish-jadhav Jun 29, 2026
9e755ca
trivy fixes
cx-atish-jadhav Jun 30, 2026
13f8601
Crypto vuln fixes
cx-atish-jadhav Jun 30, 2026
deff927
Merge branch 'main' into feature/manifest-parser
cx-atish-jadhav Jun 30, 2026
11fd91c
trivy fix for containerd
cx-atish-jadhav Jun 30, 2026
58ce531
using echo pip install
cx-atish-jadhav Jul 1, 2026
17039f4
added extra index flag
cx-atish-jadhav Jul 1, 2026
b6bd2a2
added trivy ignore file
cx-atish-jadhav Jul 1, 2026
f7f557e
Updated docker image
cx-aniket-shinde Jul 1, 2026
3786986
Updated trivy Ignore file
cx-aniket-shinde Jul 1, 2026
e14a1d1
workflow changes
cx-aniket-shinde Jul 1, 2026
4b68634
Update ci-tests
cx-aniket-shinde Jul 1, 2026
b81f9fd
Updated echo registry for pip
cx-rakesh-kadu Jul 2, 2026
a11fced
Updated echo registry for pip
cx-rakesh-kadu Jul 2, 2026
bf73841
pip install pre-commit
cx-rakesh-kadu Jul 2, 2026
dbaf06a
pip install pre-commit==4.6.0
cx-rakesh-kadu Jul 2, 2026
47192d9
SYPHER_ECHO_ACCESS_KEY
cx-rakesh-kadu Jul 2, 2026
d038d19
Removed ai code review
cx-aniket-shinde Jul 2, 2026
50d60be
Merge branch 'feature/manifest-parser' of https://github.com/Checkmar…
cx-aniket-shinde Jul 2, 2026
137f99f
SYPHE ECO to ECHO-Libraries
cx-aniket-shinde Jul 2, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 0 additions & 16 deletions .github/workflows/ai-code-review.yml

This file was deleted.

11 changes: 7 additions & 4 deletions .github/workflows/ci-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,14 +44,17 @@ jobs:
with:
go-version-file: go.mod
- run: go version
- name: Check Python version
run: python --version
- name: Install pre-commit
run: |
pip config set global.index-url https://:${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }}@pypi.echohq.com/simple
pip index versions pre-commit
pip install pre-commit==4.6.0
- name: Go Build
run: go build -o ./bin/cx ./cmd
- name: Install gocovmerge
run: go install github.com/wadey/gocovmerge@latest
- name: Install pre-commit
run: |
pip install pre-commit
pre-commit install
- name: Go Integration test
shell: bash
env:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/nightly-parallel.yml
Original file line number Diff line number Diff line change
Expand Up @@ -259,7 +259,7 @@ jobs:
- name: Install pre-commit
if: matrix.needs_precommit == 'true'
run: |
pip install pre-commit
pip install --index-url https://pypi.echohq.com/simple --extra-index-url https://pypi.org/simple pre-commit
pre-commit install

- name: Start Squid proxy
Expand Down
50 changes: 50 additions & 0 deletions .trivyignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# Trivy Ignore File
# These vulnerabilities are accepted risks or false positives in the build

# CVE-2026-33481 (MEDIUM): Syft improper temporary file cleanup
# Library: github.com/anchore/syft v1.21.0
# Status: Fixed in v1.42.3, but only affects SBOM generation
# Risk: Low - temporary file cleanup only affects scanning operations, not CLI runtime
CVE-2026-33481 exp:2026-12-31

# CVE-2026-34040 (HIGH): Moby Authorization bypass vulnerability
# Library: github.com/docker/docker v28.0.3+incompatible
# Status: Unfixed, fix available in v29.3.1
# Risk: Accepted - Docker SDK is only used for container image scanning
# Impact: Only relevant when used as a container registry client
CVE-2026-34040 exp:2026-12-31

# CVE-2026-33997 (MEDIUM): Moby Privilege validation bypass during plugin installation
# Library: github.com/docker/docker v28.0.3+incompatible
# Status: Unfixed
# Risk: Accepted - CLI does not use Docker plugin functionality
# Impact: Only affects Docker daemon with untrusted plugins
CVE-2026-33997 exp:2026-12-31

# CVE-2026-50151 (HIGH): oras-go blob upload vulnerable to credential forwarding
# Library: oras.land/oras-go/v2 v2.6.0
# Status: Fixed in v2.6.1
# Risk: Low - only affects registry credential forwarding via unvalidated Location header
# Impact: Container image scanning with registry redirects
CVE-2026-50151 exp:2026-12-31

# CVE-2026-50162 (MEDIUM): oras-go file store write outside workingDir via symlink traversal
# Library: oras.land/oras-go/v2 v2.6.0
# Status: Fixed in v2.6.1
# Risk: Accepted - symlink traversal only affects local filesystem operations in scanning
# Impact: Container image analysis with malicious symbolic links
CVE-2026-50162 exp:2026-12-31

# GHSA-vh4v-2xq2-g5cg (MEDIUM): ORAS Go forwards registry credentials across registry redirects
# Library: oras.land/oras-go/v2 v2.6.0
# Status: Fixed in v2.6.1
# Risk: Accepted - requires malicious registry redirect, container scanning only
# Impact: Credential exposure in container registry operations
GHSA-vh4v-2xq2-g5cg exp:2026-12-31

# CVE-2026-48978 (LOW): oras-go malicious registry can hijack realm to exfiltrate credentials
# Library: oras.land/oras-go/v2 v2.6.0
# Status: Fixed in v2.6.1
# Risk: Low - requires attacker-controlled registry, container scanning only
# Impact: Credential exfiltration in container registry operations
CVE-2026-48978 exp:2026-12-31
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM checkmarx/bash:5.3-r12-02a1aad732e7ab@sha256:02a1aad732e7ab0659b212d83c2a0bb548d9d8bdec23336f6c0b44f8f3435cb8
FROM checkmarx/bash:5.3-r12-fd4144660b936c@sha256:fd4144660b936cfa93aaf980ff81eaa13aff00cb420e4b115f39fc251bfd86e1
USER nonroot

COPY cx /app/bin/cx
Expand Down
12 changes: 6 additions & 6 deletions go.mod
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
module github.com/checkmarx/ast-cli

go 1.26.3
go 1.26.4

require (
github.com/Checkmarx/containers-resolver v1.0.34
github.com/Checkmarx/containers-types v1.0.9
github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63
github.com/Checkmarx/gen-ai-wrapper v1.0.3
github.com/Checkmarx/manifest-parser v0.1.2
github.com/Checkmarx/manifest-parser v0.1.3
github.com/Checkmarx/secret-detection v1.2.1
github.com/MakeNowJust/heredoc v1.0.0
github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
Expand All @@ -27,7 +27,7 @@ require (
github.com/stretchr/testify v1.11.1
github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80
github.com/xeipuuv/gojsonschema v1.2.0
golang.org/x/crypto v0.50.0
golang.org/x/crypto v0.52.0
golang.org/x/sync v0.20.0
golang.org/x/text v0.37.0
google.golang.org/grpc v1.80.0
Expand Down Expand Up @@ -290,9 +290,9 @@ require (
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
golang.org/x/mod v0.35.0 // indirect
golang.org/x/net v0.53.1-0.20260416132847-8c4c965e0284 // indirect
golang.org/x/net v0.55.0 // indirect
golang.org/x/oauth2 v0.36.0 // indirect
golang.org/x/sys v0.44.0 // indirect
golang.org/x/sys v0.45.0 // indirect
golang.org/x/term v0.43.0 // indirect
golang.org/x/time v0.15.0 // indirect
golang.org/x/tools v0.44.0 // indirect
Expand Down Expand Up @@ -327,7 +327,7 @@ require (
sigs.k8s.io/yaml v1.6.0 // indirect
)

replace github.com/containerd/containerd => github.com/containerd/containerd v1.7.32
replace github.com/containerd/containerd => github.com/containerd/containerd v1.7.33

replace github.com/containerd/containerd/v2 => github.com/containerd/containerd/v2 v2.1.5

Expand Down
20 changes: 10 additions & 10 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -77,8 +77,8 @@ github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63 h1:SCuTcE
github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63/go.mod h1:MI6lfLerXU+5eTV/EPTDavgnV3owz3GPT4g/msZBWPo=
github.com/Checkmarx/gen-ai-wrapper v1.0.3 h1:p7lc/U4dFltsIxAEeWeDNW4+8ovvlJvdb5pVBLcbKs8=
github.com/Checkmarx/gen-ai-wrapper v1.0.3/go.mod h1:xwRLefezwNNnRGu1EjGS6wNiR9FVV/eP9D+oXwLViVM=
github.com/Checkmarx/manifest-parser v0.1.2 h1:Sh2xkpeOWKu56Y7wo+ljckNGHAQX1uITEeH3cI2T0pg=
github.com/Checkmarx/manifest-parser v0.1.2/go.mod h1:hh5FX5FdDieU8CKQEkged4hfOaSylpJzub8PRFXa4kA=
github.com/Checkmarx/manifest-parser v0.1.3 h1:cr+q7QkbkoCsoA5nQnv1/Pp23jnKWBePAwrcJNTk4x8=
github.com/Checkmarx/manifest-parser v0.1.3/go.mod h1:hh5FX5FdDieU8CKQEkged4hfOaSylpJzub8PRFXa4kA=
github.com/Checkmarx/secret-detection v1.2.1 h1:Hzpz74dcN/L14Q86ARvPOZpKBnERzGTpy6sl1RXKOTo=
github.com/Checkmarx/secret-detection v1.2.1/go.mod h1:kbXbtIQisDdB/TNuV7r9HPclEznUyBHLQ5yr7IX7vBQ=
github.com/CycloneDX/cyclonedx-go v0.10.0 h1:7xyklU7YD+CUyGzSFIARG18NYLsKVn4QFg04qSsu+7Y=
Expand Down Expand Up @@ -251,8 +251,8 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH
github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
github.com/containerd/cgroups/v3 v3.1.3 h1:eUNflyMddm18+yrDmZPn3jI7C5hJ9ahABE5q6dyLYXQ=
github.com/containerd/cgroups/v3 v3.1.3/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw=
github.com/containerd/containerd v1.7.32 h1:S54xuVcPxeLaYgaRABtpJ2VyVUVsy0IGf7qHBs+sbY8=
github.com/containerd/containerd v1.7.32/go.mod h1:jdwD6s/BhV4XVJGrvtziNPVA+83n66TwptVaPKprq4E=
github.com/containerd/containerd v1.7.33 h1:iAkYGC/ifR/V+0eR4iXWHNGYUF0DF2PmGV5iz4Irj5M=
github.com/containerd/containerd v1.7.33/go.mod h1:gSbSCVjPCdkfJCjyrzz7aRC+xFlqVbatNpfHfVCYGUM=
github.com/containerd/containerd/api v1.9.0 h1:HZ/licowTRazus+wt9fM6r/9BQO7S0vD5lMcWspGIg0=
github.com/containerd/containerd/api v1.9.0/go.mod h1:GhghKFmTR3hNtyznBoQ0EMWr9ju5AqHjcZPsSpTKutI=
github.com/containerd/continuity v0.5.0 h1:7a85HZpCSs+1Zps0Ee3DPSuAWY+0SJM1JNM51nlEVDg=
Expand Down Expand Up @@ -1104,8 +1104,8 @@ golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5y
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
Expand Down Expand Up @@ -1192,8 +1192,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.53.1-0.20260416132847-8c4c965e0284 h1:1Cik9TO30xv+Uycc5dXzAct+LiGidZMVM1U4chCI6o4=
golang.org/x/net v0.53.1-0.20260416132847-8c4c965e0284/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
Expand Down Expand Up @@ -1303,8 +1303,8 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
Expand Down
20 changes: 17 additions & 3 deletions internal/services/realtimeengine/ossrealtime/oss-realtime.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,12 @@ import (
"github.com/pkg/errors"
)

const (
pkgManagerGradle = "gradle"
pkgManagerSbt = "sbt"
pkgManagerMvn = "mvn"
)

// convertLocations converts models.Location to realtimeengine.Location
func convertLocations(locations []models.Location) []realtimeengine.Location {
var result []realtimeengine.Location
Expand Down Expand Up @@ -144,7 +150,7 @@ func enrichResponseWithRealtimeScannerResults(
for _, pkg := range result.Packages {
entry := getPackageEntryFromPackageMap(packageMap, &pkg)
response.Packages = append(response.Packages, OssPackage{
PackageManager: pkg.PackageManager,
PackageManager: entry.PackageManager,
PackageName: pkg.PackageName,
PackageVersion: pkg.Version,
FilePath: entry.FilePath,
Expand Down Expand Up @@ -220,13 +226,17 @@ func prepareScan(pkgs []models.Package) (*OssPackageResults, *wrappers.RealtimeS
func createPackageMap(pkgs []models.Package) map[string]OssPackage {
packageMap := make(map[string]OssPackage)
for _, pkg := range pkgs {
packageMap[generatePackageMapEntry(pkg.PackageManager, pkg.PackageName, pkg.Version)] = OssPackage{
entry := OssPackage{
PackageManager: pkg.PackageManager,
PackageName: pkg.PackageName,
PackageVersion: pkg.Version,
FilePath: pkg.FilePath,
Locations: convertLocations(pkg.Locations),
}
packageMap[generatePackageMapEntry(pkg.PackageManager, pkg.PackageName, pkg.Version)] = entry
if pkg.PackageManager == pkgManagerGradle || pkg.PackageManager == pkgManagerSbt {
packageMap[generatePackageMapEntry(pkgManagerMvn, pkg.PackageName, pkg.Version)] = entry
}
}
return packageMap
}
Expand Down Expand Up @@ -277,8 +287,12 @@ func createVersionMapping(requestPackages *wrappers.RealtimeScannerPackageReques

// pkgToRequest transforms a parsed package into a scan request.
func pkgToRequest(pkg *models.Package) wrappers.RealtimeScannerPackage {
pkgManager := pkg.PackageManager
if pkg.PackageManager == pkgManagerGradle || pkg.PackageManager == pkgManagerSbt {
pkgManager = pkgManagerMvn
}
return wrappers.RealtimeScannerPackage{
PackageManager: pkg.PackageManager,
PackageManager: pkgManager,
PackageName: pkg.PackageName,
Version: pkg.Version,
}
Expand Down
Loading