Fix Duplicate Secret Realtime Results In MultiLine (AST-0000) (#1247)

cx-ben-alvo · web-flow · commit 07d2d00e394b · 2025-07-27T12:41:52.000+03:00
* refactor: rename function to createResultsPerLocationMap for clarity

* test: add test for RunSecretsRealtimeScan with multi-line result

* fix: update location key formatting in results processing

* fix: correct formatting of resultKey in results processing

* fix: add SecretValue field to SecretsRealtimeResult and update related logic
diff --git a/internal/services/realtimeengine/secretsrealtime/config.go b/internal/services/realtimeengine/secretsrealtime/config.go
@@ -5,6 +5,7 @@ import "github.com/checkmarx/ast-cli/internal/services/realtimeengine"
 type SecretsRealtimeResult struct {
 	Title       string                    `json:"Title"`
 	Description string                    `json:"Description"`
+	SecretValue string                    `json:"SecretValue"`
 	FilePath    string                    `json:"FilePath"`
 	Severity    string                    `json:"Severity"`
 	Locations   []realtimeengine.Location `json:"Locations"`
diff --git a/internal/services/realtimeengine/secretsrealtime/secrets-realtime.go b/internal/services/realtimeengine/secretsrealtime/secrets-realtime.go
@@ -107,7 +107,7 @@ func (s *SecretsRealtimeService) RunSecretsRealtimeScan(filePath, ignoredFilePat
 	}
 
 	results := convertToSecretsRealtimeResult(report)
-	resultsPerLineMap := createResultsPerLineMap(results)
+	resultsPerLineMap := createResultsPerLocationMap(results)
 	results = filterGenericAPIKeyVulIfNeeded(results, resultsPerLineMap)
 
 	if ignoredFilePath == "" {
@@ -163,6 +163,7 @@ func convertSecretToResult(secret *secrets.Secret) SecretsRealtimeResult {
 	return SecretsRealtimeResult{
 		Title:       secret.RuleID,
 		Description: secret.RuleDescription,
+		SecretValue: secret.Value,
 		Severity:    getSeverity(secret),
 		FilePath:    secret.Source,
 		Locations:   locations,
@@ -182,15 +183,17 @@ func getSeverity(secret *secrets.Secret) string {
 	}
 }
 
-func createResultsPerLineMap(results []SecretsRealtimeResult) map[string][]SecretsRealtimeResult {
-	resultsPerLine := make(map[string][]SecretsRealtimeResult)
+func createResultsPerLocationMap(results []SecretsRealtimeResult) map[string][]SecretsRealtimeResult {
+	resultsPerLocation := make(map[string][]SecretsRealtimeResult)
 	for _, result := range results {
+		var locationKey string
 		for _, location := range result.Locations {
-			lineKey := fmt.Sprintf("%s:%d", result.FilePath, location.Line)
-			resultsPerLine[lineKey] = append(resultsPerLine[lineKey], result)
+			locationKey = fmt.Sprintf("%s:%d", locationKey, location.Line)
 		}
+		resultKey := fmt.Sprintf("%s%s", result.FilePath, locationKey)
+		resultsPerLocation[resultKey] = append(resultsPerLocation[resultKey], result)
 	}
-	return resultsPerLine
+	return resultsPerLocation
 }
 
 func filterGenericAPIKeyVulIfNeeded(
diff --git a/internal/services/realtimeengine/secretsrealtime/secrets-realtime_test.go b/internal/services/realtimeengine/secretsrealtime/secrets-realtime_test.go
@@ -139,8 +139,31 @@ func TestRunSecretsRealtimeScan_ValidFile_Success(t *testing.T) {
 
 	assert.NoError(t, err)
 	assert.NotNil(t, results)
-	// Note: The actual results depend on the 2ms scanner behavior
-	// This test mainly verifies that the function completes without error
+}
+
+func TestRunSecretsRealtimeScan_MultiLineResult_Success(t *testing.T) {
+	mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.OssRealtimeEnabled, Status: true}
+	value := "PRIVATE_KEY = \"\"\"\n-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA7v8wF+SECRETKEYEXAMPLE+QIDAQABAoIBAQC0\n-----END RSA PRIVATE KEY-----\n\"\"\""
+	// Create a temporary file for testing
+	tempDir := t.TempDir()
+	tempFile := filepath.Join(tempDir, "test-secrets.txt")
+	testContent := value
+	err := os.WriteFile(tempFile, []byte(testContent), 0644)
+	assert.NoError(t, err)
+
+	service := &SecretsRealtimeService{
+		JwtWrapper:         &mock.JWTMockWrapper{},
+		FeatureFlagWrapper: &mock.FeatureFlagsMockWrapper{},
+	}
+
+	results, err := service.RunSecretsRealtimeScan(tempFile, "")
+
+	assert.NoError(t, err)
+	assert.NotNil(t, results)
+	assert.Len(t, results, 1)
+	assert.Len(t, results[0].Locations, 3)
+	assert.NotEmpty(t, results[0].SecretValue)
+
 }
 
 func TestReadFile_ValidFile_Success(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,7 @@ func (s *SecretsRealtimeService) RunSecretsRealtimeScan(filePath, ignoredFilePat`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	`results := convertToSecretsRealtimeResult(report)`
`110`		`- resultsPerLineMap := createResultsPerLineMap(results)`
	`110`	`+ resultsPerLineMap := createResultsPerLocationMap(results)`
`111`	`111`	`results = filterGenericAPIKeyVulIfNeeded(results, resultsPerLineMap)`
`112`	`112`
`113`	`113`	`if ignoredFilePath == "" {`
`@@ -163,6 +163,7 @@ func convertSecretToResult(secret *secrets.Secret) SecretsRealtimeResult {`
`163`	`163`	`return SecretsRealtimeResult{`
`164`	`164`	`Title: secret.RuleID,`
`165`	`165`	`Description: secret.RuleDescription,`
	`166`	`+ SecretValue: secret.Value,`
`166`	`167`	`Severity: getSeverity(secret),`
`167`	`168`	`FilePath: secret.Source,`
`168`	`169`	`Locations: locations,`
`@@ -182,15 +183,17 @@ func getSeverity(secret *secrets.Secret) string {`
`182`	`183`	`}`
`183`	`184`	`}`
`184`	`185`
`185`		`-func createResultsPerLineMap(results []SecretsRealtimeResult) map[string][]SecretsRealtimeResult {`
`186`		`- resultsPerLine := make(map[string][]SecretsRealtimeResult)`
	`186`	`+func createResultsPerLocationMap(results []SecretsRealtimeResult) map[string][]SecretsRealtimeResult {`
	`187`	`+ resultsPerLocation := make(map[string][]SecretsRealtimeResult)`
`187`	`188`	`for _, result := range results {`
	`189`	`+ var locationKey string`
`188`	`190`	`for _, location := range result.Locations {`
`189`		`- lineKey := fmt.Sprintf("%s:%d", result.FilePath, location.Line)`
`190`		`- resultsPerLine[lineKey] = append(resultsPerLine[lineKey], result)`
	`191`	`+ locationKey = fmt.Sprintf("%s:%d", locationKey, location.Line)`
`191`	`192`	`}`
	`193`	`+ resultKey := fmt.Sprintf("%s%s", result.FilePath, locationKey)`
	`194`	`+ resultsPerLocation[resultKey] = append(resultsPerLocation[resultKey], result)`
`192`	`195`	`}`
`193`		`- return resultsPerLine`
	`196`	`+ return resultsPerLocation`
`194`	`197`	`}`
`195`	`198`
`196`	`199`	`func filterGenericAPIKeyVulIfNeeded(`