Add maskedResult for secret remediation and change log level from INFO to DEBUG

Author: cx-atish-jadhav

src/main/java/com/checkmarx/ast/secretsrealtime/MaskResult.java

@@ -0,0 +1,96 @@
+package com.checkmarx.ast.secretsrealtime;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.Value;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Represents the result of a mask secrets command operation.
+ * Contains masked secrets and the masked file content.
+ * This is separate from realtime scanning results.
+ */
+@Value
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class MaskResult {
+    private static final Logger log = LoggerFactory.getLogger(MaskResult.class);
+
+    /**
+     * List of masked secrets found in the file
+     */
+    @JsonProperty("maskedSecrets")
+    List<MaskedSecret> maskedSecrets;
+
+    /**
+     * The masked file content with secrets redacted
+     */
+    @JsonProperty("maskedFile")
+    String maskedFile;
+
+    @JsonCreator
+    public MaskResult(@JsonProperty("maskedSecrets") List<MaskedSecret> maskedSecrets,
+                     @JsonProperty("maskedFile") String maskedFile) {
+        this.maskedSecrets = maskedSecrets == null ? Collections.emptyList() : maskedSecrets;
+        this.maskedFile = maskedFile;
+    }
+
+    /**
+     * Parses mask command output from JSON response
+     * @param root JsonNode containing the mask command response
+     * @return MaskResult object with parsed data
+     */
+    public static MaskResult parse(JsonNode root) {
+        if (root == null) {
+            return new MaskResult(Collections.emptyList(), "");
+        }
+
+        List<MaskedSecret> secrets = new ArrayList<>();
+        JsonNode maskedSecretsNode = root.get("maskedSecrets");
+
+        if (maskedSecretsNode != null && maskedSecretsNode.isArray()) {
+            for (JsonNode secretNode : maskedSecretsNode) {
+                String masked = secretNode.has("masked") ? secretNode.get("masked").asText() : "";
+                String secret = secretNode.has("secret") ? secretNode.get("secret").asText() : "";
+                int line = secretNode.has("line") ? secretNode.get("line").asInt() : 0;
+
+                secrets.add(new MaskedSecret(masked, secret, line));
+            }
+        }
+
+        String maskedFile = root.has("maskedFile") ? root.get("maskedFile").asText() : "";
+
+        return new MaskResult(secrets, maskedFile);
+    }
+
+    /**
+     * Parses mask command output from JSON string
+     * @param jsonString JSON string containing the mask command response
+     * @return MaskResult object with parsed data, or null if parsing fails
+     */
+    public static MaskResult fromJsonString(String jsonString) {
+        if (StringUtils.isBlank(jsonString)) {
+            return null;
+        }
+
+        try {
+            ObjectMapper mapper = new ObjectMapper();
+            JsonNode root = mapper.readTree(jsonString.trim());
+            return parse(root);
+        } catch (IOException e) {
+            log.debug("Failed to parse mask result JSON: {}", jsonString, e);
+            return null;
+        }
+    }
+}

src/main/java/com/checkmarx/ast/secretsrealtime/MaskedSecret.java

@@ -0,0 +1,44 @@
+package com.checkmarx.ast.secretsrealtime;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.Value;
+
+/**
+ * Represents a single masked secret from the mask command output.
+ * This is used for the separate mask functionality (not realtime scan results).
+ */
+@Value
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class MaskedSecret {
+
+    /**
+     * The masked/redacted version of the secret
+     */
+    @JsonProperty("masked")
+    String masked;
+
+    /**
+     * The original secret value (may be empty for security reasons)
+     */
+    @JsonProperty("secret")
+    String secret;
+
+    /**
+     * Line number where the secret was found
+     */
+    @JsonProperty("line")
+    int line;
+
+    @JsonCreator
+    public MaskedSecret(@JsonProperty("masked") String masked,
+                       @JsonProperty("secret") String secret,
+                       @JsonProperty("line") int line) {
+        this.masked = masked;
+        this.secret = secret;
+        this.line = line;
+    }
+}

src/main/java/com/checkmarx/ast/wrapper/CxConstants.java

@@ -80,4 +80,5 @@ public final class CxConstants {
     static final String SUB_CMD_IAC_REALTIME = "iac-realtime";
     static final String SUB_CMD_SECRETS_REALTIME = "secrets-realtime";
     static final String SUB_CMD_CONTAINERS_REALTIME = "containers-realtime";
+    static final String CMD_MASK_SECRETS = "mask";
 }

src/main/java/com/checkmarx/ast/wrapper/CxWrapper.java

@@ -6,6 +6,7 @@
 import com.checkmarx.ast.learnMore.LearnMore;
 import com.checkmarx.ast.ossrealtime.OssRealtimeResults;
 import com.checkmarx.ast.secretsrealtime.SecretsRealtimeResults;
+import com.checkmarx.ast.secretsrealtime.MaskResult;
 import com.checkmarx.ast.iacrealtime.IacRealtimeResults;
 import com.checkmarx.ast.containersrealtime.ContainersRealtimeResults;
 import com.checkmarx.ast.predicate.CustomState;
@@ -441,6 +442,23 @@ public SecretsRealtimeResults secretsRealtimeScan(@NonNull String sourcePath, St
         return realtimeScan(CxConstants.SUB_CMD_SECRETS_REALTIME, sourcePath, ignoredFilePath, SecretsRealtimeResults::fromLine);
     }
 
+    /**
+     * Executes mask secrets command to obfuscate/redact secrets in a file
+     * @param filePath path to the file to mask
+     * @return MaskResult containing masked secrets and masked file content
+     */
+    public MaskResult maskSecrets(@NonNull String filePath) throws IOException, InterruptedException, CxException {
+        this.logger.info("Executing 'mask' command using the CLI for file: {}", filePath);
+
+        List<String> arguments = new ArrayList<>();
+        arguments.add(CxConstants.CMD_MASK_SECRETS);
+        arguments.add(CxConstants.SOURCE);
+        arguments.add(filePath);
+
+        String output = Execution.executeCommand(withConfigArguments(arguments), logger, line -> line);
+        return MaskResult.fromJsonString(output);
+    }
+
     // Containers Realtime
     public ContainersRealtimeResults containersRealtimeScan(@NonNull String sourcePath, String ignoredFilePath)
             throws IOException, InterruptedException, CxException {

src/main/java/com/checkmarx/ast/wrapper/Execution.java

@@ -57,7 +57,7 @@ static <T> T executeCommand(List<String> arguments,
             String line;
             StringBuilder output = new StringBuilder();
             while ((line = br.readLine()) != null) {
-                logger.info(line);
+                logger.debug(line);
                 output.append(line).append(LINE_SEPARATOR);
                 T parsedLine = lineParser.apply(line);
                 if (parsedLine != null) {
@@ -98,7 +98,7 @@ static String executeCommand(List<String> arguments,
             String line;
             StringBuilder stringBuilder = new StringBuilder();
             while ((line = br.readLine()) != null) {
-                logger.info(line);
+                logger.debug(line);
                 stringBuilder.append(line).append(LINE_SEPARATOR);
             }
             process.waitFor();

src/test/java/com/checkmarx/ast/SecretsRealtimeResultsTest.java

@@ -2,6 +2,8 @@
 
 import com.checkmarx.ast.realtime.RealtimeLocation;
 import com.checkmarx.ast.secretsrealtime.SecretsRealtimeResults;
+import com.checkmarx.ast.secretsrealtime.MaskResult;
+import com.checkmarx.ast.secretsrealtime.MaskedSecret;
 import com.checkmarx.ast.wrapper.CxException;
 import org.junit.jupiter.api.*;
 
@@ -204,6 +206,188 @@ void secretsScanMultipleFileTypes() {
         }
     }
 
+    /* ------------------------------------------------------ */
+    /* Integration tests for Secrets Masking functionality    */
+    /* ------------------------------------------------------ */
+
+    /**
+     * Tests basic mask secrets functionality - successful case.
+     * Similar to the JavaScript test, verifies that the mask command returns proper MaskResult
+     * with masked secrets detected in a JSON file containing API keys and passwords.
+     */
+    @Test
+    @DisplayName("Mask secrets successful case - returns masked content")
+    void maskSecretsSuccessfulCase() throws Exception {
+        Assumptions.assumeTrue(isCliConfigured(), "PATH_TO_EXECUTABLE not configured - skipping integration test");
+        String secretsFile = "src/test/resources/secrets-test.json";
+        Assumptions.assumeTrue(Files.exists(Paths.get(secretsFile)), "Secrets test file not found - cannot test masking");
+
+        MaskResult result = wrapper.maskSecrets(secretsFile);
+
+        assertNotNull(result, "Mask result should not be null");
+        assertNotNull(result.getMaskedSecrets(), "Masked secrets list should be initialized");
+        assertNotNull(result.getMaskedFile(), "Masked file content should be provided");
+
+        // Expect at least one secret to be found in our test file
+        assertFalse(result.getMaskedSecrets().isEmpty(), "Should find masked secrets in test file");
+
+        // Verify structure of masked secrets
+        MaskedSecret firstSecret = result.getMaskedSecrets().get(0);
+        assertNotNull(firstSecret.getMasked(), "Masked value should be provided");
+        assertTrue(firstSecret.getLine() > 0, "Line number should be positive");
+
+        // Masked file should contain the original structure but with secrets redacted
+        assertFalse(result.getMaskedFile().trim().isEmpty(), "Masked file content should not be empty");
+        assertTrue(result.getMaskedFile().contains("{"), "Masked file should preserve JSON structure");
+    }
+
+    /**
+     * Tests mask functionality across different file types.
+     * Verifies that the mask command can handle various file extensions and formats
+     * without crashing and produces appropriate masked results.
+     */
+    @Test
+    @DisplayName("Mask secrets handles multiple file types correctly")
+    void maskSecretsMultipleFileTypes() {
+        Assumptions.assumeTrue(isCliConfigured(), "PATH_TO_EXECUTABLE not configured - skipping integration test");
+
+        String[] testFiles = {
+            "src/test/resources/python-vul-file.py",
+            "src/test/resources/csharp-file.cs"
+        };
+
+        for (String filePath : testFiles) {
+            if (Files.exists(Paths.get(filePath))) {
+                assertDoesNotThrow(() -> {
+                    MaskResult result = wrapper.maskSecrets(filePath);
+                    assertNotNull(result, "Mask result should not be null for file: " + filePath);
+                    assertNotNull(result.getMaskedSecrets(), "Masked secrets should be initialized for: " + filePath);
+                    assertNotNull(result.getMaskedFile(), "Masked file should not be null for: " + filePath);
+                }, "Mask command should handle file type gracefully: " + filePath);
+            }
+        }
+    }
+
+    /**
+     * Tests error handling when masking a non-existent file.
+     * Verifies that the mask command properly throws a CxException with meaningful error message
+     * when provided with invalid file paths.
+     */
+    @Test
+    @DisplayName("Mask secrets throws appropriate exception for non-existent file")
+    void maskSecretsHandlesInvalidPath() {
+        Assumptions.assumeTrue(isCliConfigured(), "PATH_TO_EXECUTABLE not configured - skipping integration test");
+
+        // Test with a non-existent file path
+        String invalidPath = "src/test/resources/NonExistentFile.py";
+
+        // The CLI should throw a CxException with a meaningful error message for invalid paths
+        CxException exception = assertThrows(CxException.class, () ->
+            wrapper.maskSecrets(invalidPath)
+        );
+
+        // Verify the exception contains information about the invalid file path
+        String errorMessage = exception.getMessage();
+        assertNotNull(errorMessage, "Exception should contain an error message");
+        assertTrue(errorMessage.contains("invalid file path") || errorMessage.contains("file") || errorMessage.contains("path"),
+                "Exception message should indicate the issue is related to file path: " + errorMessage);
+    }
+
+    /**
+     * Tests that masked file content differs from original when secrets are present.
+     * Verifies that the masking process actually modifies the file content to redact secrets.
+     */
+    @Test
+    @DisplayName("Masked file content differs from original when secrets exist")
+    void maskedContentDiffersFromOriginal() throws Exception {
+        Assumptions.assumeTrue(isCliConfigured(), "PATH_TO_EXECUTABLE not configured - skipping integration test");
+        String secretsFile = "src/test/resources/secrets-test.json";
+        Assumptions.assumeTrue(Files.exists(Paths.get(secretsFile)), "Secrets test file not found - cannot test content masking");
+
+        // Read original file content
+        String originalContent = Files.readString(Paths.get(secretsFile));
+
+        // Get masked content
+        MaskResult result = wrapper.maskSecrets(secretsFile);
+        assertNotNull(result, "Mask result should not be null");
+
+        String maskedContent = result.getMaskedFile();
+        assertNotNull(maskedContent, "Masked content should not be null");
+
+        // Since our test file contains secrets, the content should be different after masking
+        if (!result.getMaskedSecrets().isEmpty()) {
+            assertNotEquals(originalContent, maskedContent,
+                "Masked content should differ from original when secrets are present");
+
+            // Verify that original secrets are not present in masked content
+            assertFalse(maskedContent.contains("sk-1234567890abcdef1234567890abcdef"),
+                "Original API key should be masked in output");
+            assertFalse(maskedContent.contains("SuperSecret123!"),
+                "Original password should be masked in output");
+        }
+    }
+
+    /* ------------------------------------------------------ */
+    /* Unit tests for Mask JSON parsing functionality        */
+    /* ------------------------------------------------------ */
+
+    /**
+     * Tests MaskResult JSON parsing with valid mask command response.
+     * Verifies that well-formed mask JSON is correctly parsed into MaskResult objects.
+     */
+    @Test
+    @DisplayName("Valid mask JSON response parsing creates correct MaskResult")
+    void testMaskResultJsonParsing() {
+        String json = "{" +
+                "\"maskedSecrets\":[" +
+                "{\"masked\":\"****\",\"secret\":\"password123\",\"line\":5}," +
+                "{\"masked\":\"***\",\"secret\":\"key\",\"line\":10}" +
+                "]," +
+                "\"maskedFile\":\"const password = '****';\\nconst apiKey = '***';\"" +
+                "}";
+
+        MaskResult result = MaskResult.fromJsonString(json);
+
+        assertNotNull(result, "MaskResult should not be null");
+        assertEquals(2, result.getMaskedSecrets().size(), "Should parse 2 masked secrets");
+
+        MaskedSecret firstSecret = result.getMaskedSecrets().get(0);
+        assertEquals("****", firstSecret.getMasked());
+        assertEquals("password123", firstSecret.getSecret());
+        assertEquals(5, firstSecret.getLine());
+
+        MaskedSecret secondSecret = result.getMaskedSecrets().get(1);
+        assertEquals("***", secondSecret.getMasked());
+        assertEquals("key", secondSecret.getSecret());
+        assertEquals(10, secondSecret.getLine());
+
+        assertTrue(result.getMaskedFile().contains("const password = '****'"));
+        assertTrue(result.getMaskedFile().contains("const apiKey = '***'"));
+    }
+
+    /**
+     * Tests MaskResult parsing robustness with edge cases.
+     * Verifies that the parser gracefully handles various invalid input scenarios.
+     */
+    @Test
+    @DisplayName("MaskResult handles malformed JSON and edge cases gracefully")
+    void testMaskResultEdgeCases() {
+        // Blank/null inputs
+        assertNull(MaskResult.fromJsonString(""));
+        assertNull(MaskResult.fromJsonString("  "));
+        assertNull(MaskResult.fromJsonString(null));
+
+        // Invalid JSON structures
+        assertNull(MaskResult.fromJsonString("{"));
+        assertNull(MaskResult.fromJsonString("not a json"));
+
+        // Empty but valid JSON
+        MaskResult emptyResult = MaskResult.fromJsonString("{}");
+        assertNotNull(emptyResult);
+        assertTrue(emptyResult.getMaskedSecrets().isEmpty());
+        assertNotNull(emptyResult.getMaskedFile());
+    }
+
     /* ------------------------------------------------------ */
     /* Unit tests for JSON parsing robustness                */
     /* ------------------------------------------------------ */