Checkmarx
diff --git a/‎.github/scripts/signing_win.sh‎
Lines changed: 5 additions & 1 deletion b/‎.github/scripts/signing_win.sh‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/manual-integration-test.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/manual-integration-test.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎cmd/main.go‎
Lines changed: 2 additions & 1 deletion b/‎cmd/main.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎internal/commands/groups.go‎
Lines changed: 8 additions & 9 deletions b/‎internal/commands/groups.go‎
Lines changed: 8 additions & 9 deletions
diff --git a/‎internal/commands/project.go‎
Lines changed: 1 addition & 1 deletion b/‎internal/commands/project.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎internal/commands/util/pr.go‎
Lines changed: 132 additions & 0 deletions b/‎internal/commands/util/pr.go‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎internal/commands/util/pr_test.go‎
Lines changed: 54 additions & 2 deletions b/‎internal/commands/util/pr_test.go‎
Lines changed: 54 additions & 2 deletions
diff --git a/‎internal/params/binds.go‎
Lines changed: 1 addition & 0 deletions b/‎internal/params/binds.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎internal/params/envs.go‎
Lines changed: 1 addition & 0 deletions b/‎internal/params/envs.go‎
Lines changed: 1 addition & 0 deletions
@@ -21,6 +21,10 @@ REMOTE_PATH="/tmp"
 # HSM credentials
 HSM_CREDS=$SIGNING_HSM_CREDS
 
+# Certificate properties
+CERT_LABEL="CNGRSAPriv-cx-signing-2024"
+CERT_LOCATION="/home/ubuntu/checkmarx_2024.crt"
+
 # Check if OS is windows
 if [ "$OS_TYPE" != "windows" ]; then
   echo "The artifact is not a windows binary file, exiting."
@@ -53,7 +57,7 @@ if [ $? -ne 0 ]; then
 fi
 
 # Sign
-ssh -n -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST" "osslsigncode sign -certs /home/ubuntu/checkmarx.crt  -key 'pkcs11:object=CNGRSAPriv-cx-signing' -pass $HSM_CREDS -pkcs11module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so -t http://timestamp.digicert.com -in '$REMOTE_PATH/$FILENAME' -out '$REMOTE_PATH/$FILENAME_SIGNED'"
+ssh -n -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST" "osslsigncode sign -certs $CERT_LOCATION -key 'pkcs11:object=$CERT_LABEL' -pass $HSM_CREDS -pkcs11module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so -t http://timestamp.digicert.com -in '$REMOTE_PATH/$FILENAME' -out '$REMOTE_PATH/$FILENAME_SIGNED'"
 # Check remote command status
 if [ $? -ne 0 ]; then
     echo "Failed to sign file $FILENAME"
 
@@ -75,6 +75,10 @@ jobs:
           AZURE_PROJECT: ${{ secrets.AZURE_PROJECT }}
           AZURE_REPOS: ${{ secrets.AZURE_REPOS }}
           AZURE_TOKEN: ${{ secrets.AZURE_TOKEN }}
+          AZURE_NEW_ORG: "azureAccountTests"
+          AZURE_PROJECT_NAME: "testsProject"
+          AZURE_PR_NUMBER: 1
+          AZURE_NEW_TOKEN: ${{ secrets.AZURE_NEW_TOKEN }}
           BITBUCKET_WORKSPACE: ${{ secrets.BITBUCKET_WORKSPACE }}
           BITBUCKET_REPOS: ${{ secrets.BITBUCKET_REPOS }}
           BITBUCKET_USERNAME: ${{ secrets.BITBUCKET_USERNAME }}
 
@@ -78,6 +78,10 @@ jobs:
           AZURE_PROJECT: ${{ secrets.AZURE_PROJECT }}
           AZURE_REPOS: ${{ secrets.AZURE_REPOS }}
           AZURE_TOKEN: ${{ secrets.AZURE_TOKEN }}
+          AZURE_NEW_ORG: "azureAccountTests"
+          AZURE_PROJECT_NAME: "testsProject"
+          AZURE_PR_NUMBER: 1
+          AZURE_NEW_TOKEN: ${{ secrets.AZURE_NEW_TOKEN }}
           BITBUCKET_WORKSPACE: ${{ secrets.BITBUCKET_WORKSPACE }}
           BITBUCKET_REPOS: ${{ secrets.BITBUCKET_REPOS }}
           BITBUCKET_USERNAME: ${{ secrets.BITBUCKET_USERNAME }}
 
@@ -42,6 +42,7 @@ func main() {
 	bfl := viper.GetString(params.BflPathKey)
 	prDecorationGithubPath := viper.GetString(params.PRDecorationGithubPathKey)
 	prDecorationGitlabPath := viper.GetString(params.PRDecorationGitlabPathKey)
+	prDecorationAzurePath := viper.GetString(params.PRDecorationAzurePathKey)
 	descriptionsPath := viper.GetString(params.DescriptionsPathKey)
 	tenantConfigurationPath := viper.GetString(params.TenantConfigurationPathKey)
 	resultsPdfPath := viper.GetString(params.ResultsPdfReportPathKey)
@@ -72,7 +73,7 @@ func main() {
 	bitBucketServerWrapper := bitbucketserver.NewBitbucketServerWrapper()
 	gitLabWrapper := wrappers.NewGitLabWrapper()
 	bflWrapper := wrappers.NewBflHTTPWrapper(bfl)
-	prWrapper := wrappers.NewHTTPPRWrapper(prDecorationGithubPath, prDecorationGitlabPath)
+	prWrapper := wrappers.NewHTTPPRWrapper(prDecorationGithubPath, prDecorationGitlabPath, prDecorationAzurePath)
 	learnMoreWrapper := wrappers.NewHTTPLearnMoreWrapper(descriptionsPath)
 	tenantConfigurationWrapper := wrappers.NewHTTPTenantConfigurationWrapper(tenantConfigurationPath)
 	jwtWrapper := wrappers.NewJwtWrapper()
 
@@ -3,25 +3,24 @@ package commands
 import (
 	"encoding/json"
 
-	featureFlagsConstants "github.com/checkmarx/ast-cli/internal/constants/feature-flags"
 	commonParams "github.com/checkmarx/ast-cli/internal/params"
 	"github.com/checkmarx/ast-cli/internal/services"
 	"github.com/checkmarx/ast-cli/internal/wrappers"
 	"github.com/spf13/cobra"
 )
 
-func updateGroupValues(input *[]byte, cmd *cobra.Command, groupsWrapper wrappers.GroupsWrapper, featureFlagsWrapper wrappers.FeatureFlagsWrapper) ([]*wrappers.Group, error) {
+func updateGroupValues(input *[]byte, cmd *cobra.Command, groupsWrapper wrappers.GroupsWrapper) ([]*wrappers.Group, error) {
 	groupListStr, _ := cmd.Flags().GetString(commonParams.GroupList)
 	groups, err := services.CreateGroupsMap(groupListStr, groupsWrapper)
 	if err != nil {
 		return groups, err
 	}
-	flagResponse, _ := wrappers.GetSpecificFeatureFlag(featureFlagsWrapper, featureFlagsConstants.AccessManagementEnabled)
-	if !flagResponse.Status {
-		var info map[string]interface{}
-		_ = json.Unmarshal(*input, &info)
-		info["groups"] = services.GetGroupIds(groups)
-		*input, _ = json.Marshal(info)
-	}
+
+	// we're not checking here status of the feature flag, because of refactoring in AM
+	var info map[string]interface{}
+	_ = json.Unmarshal(*input, &info)
+	info["groups"] = services.GetGroupIds(groups)
+	*input, _ = json.Marshal(info)
+
 	return groups, nil
 }
@@ -248,7 +248,7 @@ func runCreateProjectCommand(
 		if err != nil {
 			return err
 		}
-		groups, err := updateGroupValues(&input, cmd, groupsWrapper, featureFlagsWrapper)
+		groups, err := updateGroupValues(&input, cmd, groupsWrapper)
 		if err != nil {
 			return err
 		}
 
@@ -16,6 +16,7 @@ import (
 
 const (
 	failedCreatingGithubPrDecoration = "Failed creating github PR Decoration"
+	failedCreatingAzurePrDecoration  = "Failed creating azure PR Decoration"
 	failedCreatingGitlabPrDecoration = "Failed creating gitlab MR Decoration"
 	errorCodeFormat                  = "%s: CODE: %d, %s\n"
 	policyErrorFormat                = "%s: Failed to get scanID policy information"
@@ -27,6 +28,8 @@ const (
 	gitlabOnPremURLSuffix            = "/api/v4/"
 	githubCloudURL                   = "https://api.github.com/repos/"
 	gitlabCloudURL                   = "https://gitlab.com" + gitlabOnPremURLSuffix
+	azureCloudURL                    = "https://dev.azure.com/"
+	errorAzureOnPremParams           = "code-repository-url must be set when code-repository-username is set"
 )
 
 func NewPRDecorationCommand(prWrapper wrappers.PRWrapper, policyWrapper wrappers.PolicyWrapper, scansWrapper wrappers.ScansWrapper) *cobra.Command {
@@ -42,9 +45,11 @@ func NewPRDecorationCommand(prWrapper wrappers.PRWrapper, policyWrapper wrappers
 
 	prDecorationGithub := PRDecorationGithub(prWrapper, policyWrapper, scansWrapper)
 	prDecorationGitlab := PRDecorationGitlab(prWrapper, policyWrapper, scansWrapper)
+	prDecorationAzure := PRDecorationAzure(prWrapper, policyWrapper, scansWrapper)
 
 	cmd.AddCommand(prDecorationGithub)
 	cmd.AddCommand(prDecorationGitlab)
+	cmd.AddCommand(prDecorationAzure)
 	return cmd
 }
 
@@ -159,6 +164,47 @@ func PRDecorationGitlab(prWrapper wrappers.PRWrapper, policyWrapper wrappers.Pol
 	return prDecorationGitlab
 }
 
+func PRDecorationAzure(prWrapper wrappers.PRWrapper, policyWrapper wrappers.PolicyWrapper, scansWrapper wrappers.ScansWrapper) *cobra.Command {
+	prDecorationAzure := &cobra.Command{
+		Use:   "azure",
+		Short: "Decorate azure PR with vulnerabilities",
+		Long:  "Decorate azure PR with vulnerabilities",
+		Example: heredoc.Doc(
+			`
+			$ cx utils pr azure --scan-id <scan-id> --token <AAD> --namespace <organization> --project <project-name or project-id>
+                --pr-number <pr number> --code-repository-url <code-repository-url>
+		`,
+		),
+		Annotations: map[string]string{
+			"command:doc": heredoc.Doc(
+				`https://checkmarx.com/resource/documents/en/34965-68653-utils.html
+			`,
+			),
+		},
+		RunE: runPRDecorationAzure(prWrapper, policyWrapper, scansWrapper),
+	}
+
+	prDecorationAzure.Flags().String(params.ScanIDFlag, "", "Scan ID to retrieve results from")
+	prDecorationAzure.Flags().String(params.SCMTokenFlag, "", params.AzureTokenUsage)
+	prDecorationAzure.Flags().String(params.NamespaceFlag, "", fmt.Sprintf(params.NamespaceFlagUsage, "Azure"))
+	prDecorationAzure.Flags().String(params.AzureProjectFlag, "", fmt.Sprintf(params.AzureProjectFlagUsage))
+	prDecorationAzure.Flags().Int(params.PRNumberFlag, 0, params.PRNumberFlagUsage)
+	prDecorationAzure.Flags().String(params.CodeRepositoryFlag, "", params.CodeRepositoryFlagUsage)
+	prDecorationAzure.Flags().String(params.CodeRespositoryUsernameFlag, "", fmt.Sprintf(params.CodeRespositoryUsernameFlagUsage))
+
+	// Set the value for token to mask the scm token
+	_ = viper.BindPFlag(params.SCMTokenFlag, prDecorationAzure.Flags().Lookup(params.SCMTokenFlag))
+
+	// mark some fields as required\
+	_ = prDecorationAzure.MarkFlagRequired(params.ScanIDFlag)
+	_ = prDecorationAzure.MarkFlagRequired(params.SCMTokenFlag)
+	_ = prDecorationAzure.MarkFlagRequired(params.NamespaceFlag)
+	_ = prDecorationAzure.MarkFlagRequired(params.AzureProjectFlag)
+	_ = prDecorationAzure.MarkFlagRequired(params.PRNumberFlag)
+
+	return prDecorationAzure
+}
+
 func runPRDecoration(prWrapper wrappers.PRWrapper, policyWrapper wrappers.PolicyWrapper, scansWrapper wrappers.ScansWrapper) func(cmd *cobra.Command, args []string) error {
 	return func(cmd *cobra.Command, args []string) error {
 		scanID, _ := cmd.Flags().GetString(params.ScanIDFlag)
@@ -226,6 +272,13 @@ func updateAPIURLForGitlabOnPrem(apiURL string) string {
 	return gitlabCloudURL
 }
 
+func getAzureAPIURL(apiURL string) string {
+	if apiURL != "" {
+		return apiURL
+	}
+	return azureCloudURL
+}
+
 func runPRDecorationGitlab(prWrapper wrappers.PRWrapper, policyWrapper wrappers.PolicyWrapper, scansWrapper wrappers.ScansWrapper) func(cmd *cobra.Command, args []string) error {
 	return func(cmd *cobra.Command, args []string) error {
 		scanID, _ := cmd.Flags().GetString(params.ScanIDFlag)
@@ -283,6 +336,85 @@ func runPRDecorationGitlab(prWrapper wrappers.PRWrapper, policyWrapper wrappers.
 	}
 }
 
+func runPRDecorationAzure(prWrapper wrappers.PRWrapper, policyWrapper wrappers.PolicyWrapper, scansWrapper wrappers.ScansWrapper) func(cmd *cobra.Command, args []string) error {
+	return func(cmd *cobra.Command, args []string) error {
+		scanID, _ := cmd.Flags().GetString(params.ScanIDFlag)
+		scmTokenFlag, _ := cmd.Flags().GetString(params.SCMTokenFlag)
+		namespaceFlag, _ := cmd.Flags().GetString(params.NamespaceFlag)
+		projectNameFlag, _ := cmd.Flags().GetString(params.AzureProjectFlag)
+		prNumberFlag, _ := cmd.Flags().GetInt(params.PRNumberFlag)
+		apiURL, _ := cmd.Flags().GetString(params.CodeRepositoryFlag)
+		codeRepositoryUserName, _ := cmd.Flags().GetString(params.CodeRespositoryUsernameFlag)
+
+		errParams := validateAzureOnPremParameters(apiURL, codeRepositoryUserName)
+		if errParams != nil {
+			return errParams
+		}
+
+		scanRunningOrQueued, err := IsScanRunningOrQueued(scansWrapper, scanID)
+
+		if err != nil {
+			return err
+		}
+
+		if scanRunningOrQueued {
+			log.Println(noPRDecorationCreated)
+			return nil
+		}
+
+		// Retrieve policies related to the scan and project to include in the PR decoration
+		policies, policyError := getScanViolatedPolicies(scansWrapper, policyWrapper, scanID, cmd)
+		if policyError != nil {
+			return errors.Errorf(policyErrorFormat, failedCreatingAzurePrDecoration)
+		}
+
+		// Build and post the pr decoration
+		updatedAPIURL := getAzureAPIURL(apiURL)
+		updatedScmToken := updateScmTokenForAzure(scmTokenFlag, codeRepositoryUserName)
+		azureNameSpace := createAzureNameSpace(namespaceFlag, projectNameFlag)
+
+		prModel := &wrappers.AzurePRModel{
+			ScanID:    scanID,
+			ScmToken:  updatedScmToken,
+			Namespace: azureNameSpace,
+			PrNumber:  prNumberFlag,
+			Policies:  policies,
+			APIURL:    updatedAPIURL,
+		}
+		prResponse, errorModel, err := prWrapper.PostAzurePRDecoration(prModel)
+		if err != nil {
+			return err
+		}
+
+		if errorModel != nil {
+			return errors.Errorf(errorCodeFormat, failedCreatingAzurePrDecoration, errorModel.Code, errorModel.Message)
+		}
+
+		logger.Print(prResponse)
+
+		return nil
+	}
+}
+
+func validateAzureOnPremParameters(apiURL, codeRepositoryUserName string) error {
+	if apiURL == "" && codeRepositoryUserName != "" {
+		log.Println(errorAzureOnPremParams)
+		return errors.New(errorAzureOnPremParams)
+	}
+	return nil
+}
+
+func createAzureNameSpace(namespace, projectName string) string {
+	return fmt.Sprintf("%s/%s", namespace, projectName)
+}
+
+func updateScmTokenForAzure(scmTokenFlag, codeRepositoryUserName string) string {
+	if codeRepositoryUserName != "" {
+		return fmt.Sprintf("%s:%s", codeRepositoryUserName, scmTokenFlag)
+	}
+	return scmTokenFlag
+}
+
 func getScanViolatedPolicies(scansWrapper wrappers.ScansWrapper, policyWrapper wrappers.PolicyWrapper, scanID string, cmd *cobra.Command) ([]wrappers.PrPolicy, error) {
 	// retrieve scan model to get the projectID
 	scanResponseModel, errorScanModel, err := scansWrapper.GetByID(scanID)
 
@@ -8,22 +8,34 @@ import (
 	"gotest.tools/assert"
 )
 
-func TestNewPRDecorationCommandMustExist(t *testing.T) {
+const (
+	token = "token"
+)
+
+func TestNewGithubPRDecorationCommandMustExist(t *testing.T) {
 	cmd := PRDecorationGithub(nil, nil, nil)
 	assert.Assert(t, cmd != nil, "PR decoration command must exist")
 
 	err := cmd.Execute()
 	assert.ErrorContains(t, err, "scan-id")
 }
 
-func TestNewMRDecorationCommandMustExist(t *testing.T) {
+func TestNewGitlabMRDecorationCommandMustExist(t *testing.T) {
 	cmd := PRDecorationGitlab(nil, nil, nil)
 	assert.Assert(t, cmd != nil, "MR decoration command must exist")
 
 	err := cmd.Execute()
 	assert.ErrorContains(t, err, "scan-id")
 }
 
+func TestNewAzurePRDecorationCommandMustExist(t *testing.T) {
+	cmd := PRDecorationAzure(nil, nil, nil)
+	assert.Assert(t, cmd != nil, "PR decoration command must exist")
+
+	err := cmd.Execute()
+	assert.ErrorContains(t, err, "scan-id")
+}
+
 func TestIsScanRunning_WhenScanRunning_ShouldReturnTrue(t *testing.T) {
 	scansMockWrapper := &mock.ScansMockWrapper{Running: true}
 
@@ -66,3 +78,43 @@ func TestUpdateAPIURLForGitlabOnPrem_whenAPIURLIsNotSet_ShouldReturnCloudAPIURL(
 	cloudAPIURL := updateAPIURLForGitlabOnPrem("")
 	asserts.Equal(t, gitlabCloudURL, cloudAPIURL)
 }
+
+func TestGetAzureAPIURL_whenAPIURLIsSet_ShouldUpdateAPIURL(t *testing.T) {
+	selfHostedURL := "https://azure.example.com"
+	updatedAPIURL := getAzureAPIURL(selfHostedURL)
+	asserts.Equal(t, selfHostedURL, updatedAPIURL)
+}
+
+func TestGetAzureAPIURL_whenAPIURLIsNotSet_ShouldReturnCloudAPIURL(t *testing.T) {
+	cloudAPIURL := getAzureAPIURL("")
+	asserts.Equal(t, azureCloudURL, cloudAPIURL)
+}
+
+func TestUpdateScmTokenForAzureOnPrem_whenUserNameIsSet_ShouldUpdateToken(t *testing.T) {
+	username := "username"
+	expectedToken := username + ":" + token
+	updatedToken := updateScmTokenForAzure(token, username)
+	asserts.Equal(t, expectedToken, updatedToken)
+}
+
+func TestUpdateScmTokenForAzureOnPrem_whenUserNameNotSet_ShouldNotUpdateToken(t *testing.T) {
+	username := ""
+	expectedToken := token
+	updatedToken := updateScmTokenForAzure(token, username)
+	asserts.Equal(t, expectedToken, updatedToken)
+}
+
+func TestCreateAzureNameSpace_ShouldCreateNamespace(t *testing.T) {
+	azureNamespace := createAzureNameSpace("organization", "project")
+	asserts.Equal(t, "organization/project", azureNamespace)
+}
+
+func TestValidateAzureOnPremParameters_WhenParametersAreValid_ShouldReturnNil(t *testing.T) {
+	err := validateAzureOnPremParameters("https://azure.example.com", "username")
+	asserts.Nil(t, err)
+}
+
+func TestValidateAzureOnPremParameters_WhenParametersAreNotValid_ShouldReturnError(t *testing.T) {
+	err := validateAzureOnPremParameters("", "username")
+	asserts.NotNil(t, err)
+}
@@ -28,6 +28,7 @@ var EnvVarsBinds = []struct {
 	{BflPathKey, BflPathEnv, "api/bfl"},
 	{PRDecorationGithubPathKey, PRDecorationGithubPathEnv, "api/flow-publisher/pr/github"},
 	{PRDecorationGitlabPathKey, PRDecorationGitlabPathEnv, "api/flow-publisher/pr/gitlab"},
+	{PRDecorationAzurePathKey, PRDecorationAzurePathEnv, "api/flow-publisher/pr/azure"},
 	{DescriptionsPathKey, DescriptionsPathEnv, "api/queries/descriptions"},
 	{TenantConfigurationPathKey, TenantConfigurationPathEnv, "api/configuration/tenant"},
 	{UploadsPathKey, UploadsPathEnv, "api/uploads"},
 
@@ -30,6 +30,7 @@ const (
 	BflPathEnv                          = "CX_BFL_PATH"
 	PRDecorationGithubPathEnv           = "CX_PR_DECORATION_GITHUB_PATH"
 	PRDecorationGitlabPathEnv           = "CX_PR_DECORATION_GITLAB_PATH"
+	PRDecorationAzurePathEnv            = "CX_PR_DECORATION_AZURE_PATH"
 	SastRmPathEnv                       = "CX_SAST_RM_PATH"
 	UploadsPathEnv                      = "CX_UPLOADS_PATH"
 	TokenExpirySecondsEnv               = "CX_TOKEN_EXPIRY_SECONDS"
Original file line number	Diff line number	Diff line change
`@@ -248,7 +248,7 @@ func runCreateProjectCommand(`
`248`	`248`	`if err != nil {`
`249`	`249`	`return err`
`250`	`250`	`}`
`251`		`- groups, err := updateGroupValues(&input, cmd, groupsWrapper, featureFlagsWrapper)`
	`251`	`+ groups, err := updateGroupValues(&input, cmd, groupsWrapper)`
`252`	`252`	`if err != nil {`
`253`	`253`	`return err`
`254`	`254`	`}`