Devassist: Realtime scanners (OSS, Secrets, Containers, IaC) with unified wrapper and enhanced parsing(AST-115438) (#451)

* aimcp server changes

* oss-realtime scanner changes

* Create OssRealtimeVulnerability.java

* Unify realtime scan wrappers; consolidate Secrets/IaC models; deprecate and stub obsolete result classes

* Add ContainersRealtimeVulnerability model for containers realtime scan parsing

* Add @JsonCreator constructor to OssRealtimeVulnerability for reliable Jackson deserialization

* Refactoring package name and adding test for oss and mcp flag

* Add integration tests for OSS, Container, and Secrets realtime scanners

* Changed variable from id to CVE as per OSS response

* Add maskedResult for secret remediation and change log level from INFO to DEBUG

* Remove masked secrets functionality from codebase

* Implemented mask cmd in java wrapper

---------

Co-authored-by: cx-anand-nandeshwar <[email protected]>

Author: cx-atish-jadhav

src/main/java/com/checkmarx/ast/containersrealtime/ContainersRealtimeImage.java

@@ -0,0 +1,40 @@
+package com.checkmarx.ast.containersrealtime;
+
+import com.checkmarx.ast.realtime.RealtimeLocation;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+
+import java.util.Collections;
+import java.util.List;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ContainersRealtimeImage {
+    @JsonProperty("ImageName") String imageName;
+    @JsonProperty("ImageTag") String imageTag;
+    @JsonProperty("FilePath") String filePath;
+    @JsonProperty("Locations") List<RealtimeLocation> locations;
+    @JsonProperty("Status") String status;
+    @JsonProperty("Vulnerabilities") List<ContainersRealtimeVulnerability> vulnerabilities;
+
+    @JsonCreator
+    public ContainersRealtimeImage(@JsonProperty("ImageName") String imageName,
+                                   @JsonProperty("ImageTag") String imageTag,
+                                   @JsonProperty("FilePath") String filePath,
+                                   @JsonProperty("Locations") List<RealtimeLocation> locations,
+                                   @JsonProperty("Status") String status,
+                                   @JsonProperty("Vulnerabilities") List<ContainersRealtimeVulnerability> vulnerabilities) {
+        this.imageName = imageName;
+        this.imageTag = imageTag;
+        this.filePath = filePath;
+        this.locations = locations == null ? Collections.emptyList() : locations;
+        this.status = status;
+        this.vulnerabilities = vulnerabilities == null ? Collections.emptyList() : vulnerabilities;
+    }
+}

src/main/java/com/checkmarx/ast/containersrealtime/ContainersRealtimeResults.java

@@ -0,0 +1,53 @@
+package com.checkmarx.ast.containersrealtime;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.List;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ContainersRealtimeResults {
+    private static final Logger log = LoggerFactory.getLogger(ContainersRealtimeResults.class);
+
+    @JsonProperty("Images") List<ContainersRealtimeImage> images;
+
+    @JsonCreator
+    public ContainersRealtimeResults(@JsonProperty("Images") List<ContainersRealtimeImage> images) {
+        this.images = images;
+    }
+
+    public static ContainersRealtimeResults fromLine(String line) {
+        if (StringUtils.isBlank(line)) {
+            return null;
+        }
+        try {
+            if (line.contains("\"Images\"") && isValidJSON(line)) {
+                return new ObjectMapper().readValue(line, ContainersRealtimeResults.class);
+            }
+        } catch (IOException e) {
+            log.debug("Failed to parse containers realtime line: {}", line, e);
+        }
+        return null;
+    }
+
+    private static boolean isValidJSON(String json) {
+        try {
+            new ObjectMapper().readTree(json);
+            return true;
+        } catch (IOException e) {
+            return false;
+        }
+    }
+}

src/main/java/com/checkmarx/ast/containersrealtime/ContainersRealtimeVulnerability.java

@@ -0,0 +1,24 @@
+package com.checkmarx.ast.containersrealtime;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ContainersRealtimeVulnerability {
+    @JsonProperty("CVE") String cve;
+    @JsonProperty("Severity") String severity;
+
+    @JsonCreator
+    public ContainersRealtimeVulnerability(@JsonProperty("CVE") String cve,
+                                           @JsonProperty("Severity") String severity) {
+        this.cve = cve;
+        this.severity = severity;
+    }
+}

src/main/java/com/checkmarx/ast/iacrealtime/IacRealtimeResults.java

@@ -0,0 +1,98 @@
+package com.checkmarx.ast.iacrealtime;
+
+import com.checkmarx.ast.realtime.RealtimeLocation;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class IacRealtimeResults {
+    private static final Logger log = LoggerFactory.getLogger(IacRealtimeResults.class);
+    @JsonProperty("Results") List<Issue> results; // Normalized list (array or single object)
+
+    @JsonCreator
+    public IacRealtimeResults(@JsonProperty("Results") List<Issue> results) {
+        this.results = results == null ? Collections.emptyList() : results;
+    }
+
+    @Value
+    @JsonDeserialize
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    @JsonIgnoreProperties(ignoreUnknown = true)
+    public static class Issue {
+        @JsonProperty("Title") String title;
+        @JsonProperty("Description") String description;
+        @JsonProperty("SimilarityID") String similarityId;
+        @JsonProperty("FilePath") String filePath;
+        @JsonProperty("Severity") String severity;
+        @JsonProperty("ExpectedValue") String expectedValue;
+        @JsonProperty("ActualValue") String actualValue;
+        @JsonProperty("Locations") List<RealtimeLocation> locations;
+
+        @JsonCreator
+        public Issue(@JsonProperty("Title") String title,
+                     @JsonProperty("Description") String description,
+                     @JsonProperty("SimilarityID") String similarityId,
+                     @JsonProperty("FilePath") String filePath,
+                     @JsonProperty("Severity") String severity,
+                     @JsonProperty("ExpectedValue") String expectedValue,
+                     @JsonProperty("ActualValue") String actualValue,
+                     @JsonProperty("Locations") List<RealtimeLocation> locations) {
+            this.title = title;
+            this.description = description;
+            this.similarityId = similarityId;
+            this.filePath = filePath;
+            this.severity = severity;
+            this.expectedValue = expectedValue;
+            this.actualValue = actualValue;
+            this.locations = locations == null ? Collections.emptyList() : locations;
+        }
+    }
+
+    public static IacRealtimeResults fromLine(String line) {
+        if (StringUtils.isBlank(line)) {
+            return null;
+        }
+        try {
+            if (!isValidJSON(line)) {
+                return null;
+            }
+            ObjectMapper mapper = new ObjectMapper();
+            String trimmed = line.trim();
+            if (trimmed.startsWith("[")) {
+                List<Issue> list = mapper.readValue(trimmed, mapper.getTypeFactory().constructCollectionType(List.class, Issue.class));
+                return new IacRealtimeResults(list == null ? Collections.emptyList() : list);
+            }
+            if (trimmed.startsWith("{")) {
+                Issue single = mapper.readValue(trimmed, Issue.class);
+                return new IacRealtimeResults(Collections.singletonList(single));
+            }
+        } catch (IOException e) {
+            log.debug("Failed to parse iac realtime JSON line: {}", line, e);
+        }
+        return null;
+    }
+
+    private static boolean isValidJSON(String json) {
+        try {
+            new ObjectMapper().readTree(json);
+            return true;
+        } catch (IOException e) {
+            return false;
+        }
+    }
+}

src/main/java/com/checkmarx/ast/mask/MaskResult.java

@@ -0,0 +1,37 @@
+package com.checkmarx.ast.mask;
+
+import com.checkmarx.ast.utils.JsonParser;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.type.TypeFactory;
+import lombok.EqualsAndHashCode;
+import lombok.ToString;
+import lombok.Value;
+
+import java.util.List;
+
+@Value
+@EqualsAndHashCode()
+@JsonDeserialize()
+@ToString(callSuper = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class MaskResult {
+
+    List<MaskedSecret> maskedSecrets;
+    String maskedFile;
+
+    @JsonCreator
+    public MaskResult(@JsonProperty("maskedSecrets") List<MaskedSecret> maskedSecrets,
+                     @JsonProperty("maskedFile") String maskedFile) {
+        this.maskedSecrets = maskedSecrets;
+        this.maskedFile = maskedFile;
+    }
+
+    public static MaskResult fromLine(String line) {
+        return JsonParser.parse(line, TypeFactory.defaultInstance().constructType(MaskResult.class));
+    }
+}

src/main/java/com/checkmarx/ast/mask/MaskedSecret.java

@@ -0,0 +1,32 @@
+package com.checkmarx.ast.mask;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.EqualsAndHashCode;
+import lombok.ToString;
+import lombok.Value;
+
+@Value
+@EqualsAndHashCode()
+@JsonDeserialize()
+@ToString(callSuper = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class MaskedSecret {
+
+    String masked;
+    String secret;
+    int line;
+
+    @JsonCreator
+    public MaskedSecret(@JsonProperty("masked") String masked,
+                       @JsonProperty("secret") String secret,
+                       @JsonProperty("line") int line) {
+        this.masked = masked;
+        this.secret = secret;
+        this.line = line;
+    }
+}

src/main/java/com/checkmarx/ast/ossrealtime/OssRealtimeResults.java

@@ -0,0 +1,55 @@
+package com.checkmarx.ast.ossrealtime;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class OssRealtimeResults {
+    private static final Logger log = LoggerFactory.getLogger(OssRealtimeResults.class);
+
+    @JsonProperty("Packages") List<OssRealtimeScanPackage> packages;
+
+    @JsonCreator
+    public OssRealtimeResults(@JsonProperty("Packages") List<OssRealtimeScanPackage> packages) {
+        this.packages = packages == null ? Collections.emptyList() : packages;
+    }
+
+    public static OssRealtimeResults fromLine(String line) {
+        if (StringUtils.isBlank(line)) {
+            return null;
+        }
+        try {
+            if (isValidJSON(line) && line.contains("\"Packages\"")) {
+                return new ObjectMapper().readValue(line, OssRealtimeResults.class);
+            }
+        } catch (IOException e) {
+            log.debug("Failed to parse oss realtime line: {}", line, e);
+        }
+        return null;
+    }
+
+    private static boolean isValidJSON(String json) {
+        try {
+            new ObjectMapper().readTree(json);
+            return true;
+        } catch (IOException e) {
+            return false;
+        }
+    }
+}
+

src/main/java/com/checkmarx/ast/ossrealtime/OssRealtimeScanPackage.java

@@ -0,0 +1,44 @@
+package com.checkmarx.ast.ossrealtime;
+
+import com.checkmarx.ast.realtime.RealtimeLocation;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+
+import java.util.Collections;
+import java.util.List;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class OssRealtimeScanPackage {
+    @JsonProperty("PackageManager") String packageManager;
+    @JsonProperty("PackageName") String packageName;
+    @JsonProperty("PackageVersion") String packageVersion;
+    @JsonProperty("FilePath") String filePath;
+    @JsonProperty("Locations") List<RealtimeLocation> locations;
+    @JsonProperty("Status") String status;
+    @JsonProperty("Vulnerabilities") List<OssRealtimeVulnerability> vulnerabilities;
+
+    @JsonCreator
+    public OssRealtimeScanPackage(@JsonProperty("PackageManager") String packageManager,
+                                  @JsonProperty("PackageName") String packageName,
+                                  @JsonProperty("PackageVersion") String packageVersion,
+                                  @JsonProperty("FilePath") String filePath,
+                                  @JsonProperty("Locations") List<RealtimeLocation> locations,
+                                  @JsonProperty("Status") String status,
+                                  @JsonProperty("Vulnerabilities") List<OssRealtimeVulnerability> vulnerabilities) {
+        this.packageManager = packageManager;
+        this.packageName = packageName;
+        this.packageVersion = packageVersion;
+        this.filePath = filePath;
+        this.locations = locations == null ? Collections.emptyList() : locations;
+        this.status = status;
+        this.vulnerabilities = vulnerabilities == null ? Collections.emptyList() : vulnerabilities;
+    }
+}
+