Add ignore file path flag and tests for ossRealtime(AST-103853) (#1214)

cx-itay-paz · Itay Paz · web-flow · commit 1fe1f1c0bcde · 2025-07-09T20:51:01.000+03:00
* Add ignore file path flag and tests

* fix complexity

* fix lint

* use getid

* fix lint

* fix unit test

---------

Co-authored-by: Itay Paz &lt;itaypaz@Itays-MacBook-Pro-2.local&gt;
diff --git a/internal/commands/data/checkmarxIgnoredTempList.json b/internal/commands/data/checkmarxIgnoredTempList.json
@@ -0,0 +1,7 @@
+[
+  {
+    "PackageManager": "npm",
+    "PackageName": "coa",
+    "PackageVersion": "3.1.3"
+  }
+]
diff --git a/internal/commands/data/checkmarxIgnoredTempListCsproj.json b/internal/commands/data/checkmarxIgnoredTempListCsproj.json
@@ -0,0 +1,7 @@
+[
+  {
+    "PackageManager": "nuget",
+    "PackageName": "Microsoft.Extensions.Caching.Memory",
+    "PackageVersion": "6.0.3"
+  }
+]
diff --git a/internal/commands/data/emptyIgnoreList.json b/internal/commands/data/emptyIgnoreList.json
@@ -0,0 +1,3 @@
+[
+
+]
diff --git a/internal/commands/data/manifests/package.json b/internal/commands/data/manifests/package.json
@@ -3,7 +3,9 @@
 				"@CheckmarxDev/ast-cli-javascript-wrapper": "file:../ast-cli-javascript-wrapper/CheckmarxDev-ast-cli-javascript-wrapper-0.0.54.tgz",
 				"@checkmarxdev/ast-cli-javascript-wrapper": "0.0.54",
 				"copyfiles": "200",
-				"tree-kill": "^1.2.2"
+				"tree-kill": "^1.2.2",
+				"coa":"3.1.3"
+
 		},
 		"description": "Beat vulnerabilities with more-secure code",
 		"devDependencies": {
diff --git a/internal/commands/data/manifests/test.csproj b/internal/commands/data/manifests/test.csproj
@@ -34,6 +34,9 @@
       <Version>19.225.1</Version>
     </PackageReference>
     <PackageReference Include="Microsoft.VisualStudio.SDK" Version="17.0.32112.339" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory">
+          <Version>6.0.1</Version>
+      </PackageReference>
     <PackageReference Include="System.Json" Version="4.7.1" />
   </ItemGroup>
   <ItemGroup>
diff --git a/internal/commands/oss-realtime-engine.go b/internal/commands/oss-realtime-engine.go
@@ -9,20 +9,26 @@ import (
 	"github.com/spf13/cobra"
 )
 
-func RunScanOssRealtimeCommand(realtimeScannerWrapper wrappers.RealtimeScannerWrapper,
+func RunScanOssRealtimeCommand(
+	realtimeScannerWrapper wrappers.RealtimeScannerWrapper,
 	jwtWrapper wrappers.JWTWrapper,
-	featureFlagWrapper wrappers.FeatureFlagsWrapper) func(cmd *cobra.Command, args []string) error {
+	featureFlagWrapper wrappers.FeatureFlagsWrapper,
+) func(cmd *cobra.Command, args []string) error {
 	return func(cmd *cobra.Command, _ []string) error {
 		fileSourceFlag, _ := cmd.Flags().GetString(commonParams.SourcesFlag)
 		if fileSourceFlag == "" {
 			return errorconstants.NewRealtimeEngineError("file path is required").Error()
 		}
+
+		ignoredFilePathFlag, _ := cmd.Flags().GetString(commonParams.IgnoredFilePathFlag)
+
 		ossRealtimeService := ossrealtime.NewOssRealtimeService(jwtWrapper, featureFlagWrapper, realtimeScannerWrapper)
 
-		packages, err := ossRealtimeService.RunOssRealtimeScan(fileSourceFlag)
+		packages, err := ossRealtimeService.RunOssRealtimeScan(fileSourceFlag, ignoredFilePathFlag)
 		if err != nil {
 			return err
 		}
+
 		err = printer.Print(cmd.OutOrStdout(), packages, printer.FormatJSON)
 		if err != nil {
 			return errorconstants.NewRealtimeEngineError("failed to return packages").Error()
diff --git a/internal/commands/scan.go b/internal/commands/scan.go
@@ -454,22 +454,26 @@ func scanASCASubCommand(jwtWrapper wrappers.JWTWrapper, featureFlagsWrapper wrap
 	return scanASCACmd
 }
 
-func scanOssRealtimeSubCommand(realtimeScannerWrapper wrappers.RealtimeScannerWrapper, jwtWrapper wrappers.JWTWrapper, featureFlagsWrapper wrappers.FeatureFlagsWrapper) *cobra.Command {
+func scanOssRealtimeSubCommand(
+	realtimeScannerWrapper wrappers.RealtimeScannerWrapper,
+	jwtWrapper wrappers.JWTWrapper,
+	featureFlagsWrapper wrappers.FeatureFlagsWrapper,
+) *cobra.Command {
 	scanOssRealtimeCmd := &cobra.Command{
 		Hidden: true,
 		Use:    "oss-realtime",
 		Short:  "Run a OSS-Realtime scan",
 		Long:   "Running a OSS-Realtime scan is a fast and efficient way to identify malicious packages in a manifest file",
 		Example: heredoc.Doc(
 			`
-			$ cx scan oss-realtime -s <path to a manifest files separated by commas>
-		`,
+			$ cx scan oss-realtime -s <path to a manifest file> --ignored-file-path <path to ignored packages JSON>
+			`,
 		),
 		Annotations: map[string]string{
 			"command:doc": heredoc.Doc(
 				`
 				https://docs.checkmarx.com/en/34965-68625-checkmarx-one-cli-commands.html
-			`,
+				`,
 			),
 		},
 		RunE: RunScanOssRealtimeCommand(realtimeScannerWrapper, jwtWrapper, featureFlagsWrapper),
@@ -481,6 +485,13 @@ func scanOssRealtimeSubCommand(realtimeScannerWrapper wrappers.RealtimeScannerWr
 		"",
 		"The file source should be the path to a single file or multiple files separated by commas",
 	)
+
+	scanOssRealtimeCmd.Flags().String(
+		commonParams.IgnoredFilePathFlag,
+		"",
+		"Path to a JSON file listing ignored packages",
+	)
+
 	return scanOssRealtimeCmd
 }
 
diff --git a/internal/params/flags.go b/internal/params/flags.go
@@ -18,6 +18,7 @@ const (
 	RetryDelayPollingDefault       = 60
 	RetryDelayUsage                = "Time between retries in seconds, use with --" + RetryFlag
 	SourcesFlag                    = "file-source"
+	IgnoredFilePathFlag            = "ignored-file-path"
 	SourcesFlagSh                  = "s"
 	TenantFlag                     = "tenant"
 	TenantFlagUsage                = "Checkmarx tenant"
diff --git a/internal/services/realtimeengine/ossrealtime/config.go b/internal/services/realtimeengine/ossrealtime/config.go
@@ -1,6 +1,10 @@
 package ossrealtime
 
-import "github.com/checkmarx/ast-cli/internal/services/realtimeengine"
+import (
+	"fmt"
+
+	"github.com/checkmarx/ast-cli/internal/services/realtimeengine"
+)
 
 // OssPackage represents a package's details for OSS scanning.
 type OssPackage struct {
@@ -18,6 +22,24 @@ type OssPackageResults struct {
 	Packages []OssPackage `json:"Packages"`
 }
 
+func composeID(packageManager, packageName, packageVersion string) string {
+	return fmt.Sprintf("%s_%s_%s", packageManager, packageName, packageVersion)
+}
+
+func (p *OssPackage) GetID() string {
+	return composeID(p.PackageManager, p.PackageName, p.PackageVersion)
+}
+
+type IgnoredPackage struct {
+	PackageManager string `json:"PackageManager"`
+	PackageName    string `json:"PackageName"`
+	PackageVersion string `json:"PackageVersion"`
+}
+
+func (p IgnoredPackage) GetID() string {
+	return composeID(p.PackageManager, p.PackageName, p.PackageVersion)
+}
+
 type Vulnerability struct {
 	CVE         string `json:"CVE"`
 	Description string `json:"Description"`
diff --git a/internal/services/realtimeengine/ossrealtime/oss-realtime.go b/internal/services/realtimeengine/ossrealtime/oss-realtime.go
@@ -1,7 +1,9 @@
 package ossrealtime
 
 import (
+	"encoding/json"
 	"fmt"
+	"os"
 	"strings"
 
 	"github.com/Checkmarx/manifest-parser/pkg/parser"
@@ -48,7 +50,7 @@ func NewOssRealtimeService(
 }
 
 // RunOssRealtimeScan performs an OSS real-time scan on the given manifest file.
-func (o *OssRealtimeService) RunOssRealtimeScan(filePath string) (*OssPackageResults, error) {
+func (o *OssRealtimeService) RunOssRealtimeScan(filePath, ignoredFilePath string) (*OssPackageResults, error) {
 	if filePath == "" {
 		return nil, errorconstants.NewRealtimeEngineError("file path is required").Error()
 	}
@@ -79,9 +81,56 @@ func (o *OssRealtimeService) RunOssRealtimeScan(filePath string) (*OssPackageRes
 		packageMap := createPackageMap(pkgs)
 		enrichResponseWithRealtimeScannerResults(response, result, packageMap)
 	}
+
+	if ignoredFilePath != "" {
+		ignoredPkgs, err := loadIgnoredPackages(ignoredFilePath)
+		if err != nil {
+			return nil, errorconstants.NewRealtimeEngineError("failed to load ignored packages").Error()
+		}
+
+		ignoreMap := buildIgnoreMap(ignoredPkgs)
+		response.Packages = filterIgnoredPackages(response.Packages, ignoreMap)
+	}
+
 	return response, nil
 }
 
+func buildIgnoreMap(ignored []IgnoredPackage) map[string]bool {
+	m := make(map[string]bool)
+	for _, ign := range ignored {
+		m[ign.GetID()] = true
+	}
+	return m
+}
+
+func isIgnored(pkg *OssPackage, ignoreMap map[string]bool) bool {
+	return ignoreMap[pkg.GetID()]
+}
+
+func loadIgnoredPackages(path string) ([]IgnoredPackage, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	var ignored []IgnoredPackage
+	err = json.Unmarshal(data, &ignored)
+	if err != nil {
+		return nil, err
+	}
+	return ignored, nil
+}
+
+func filterIgnoredPackages(packages []OssPackage, ignoreMap map[string]bool) []OssPackage {
+	filtered := make([]OssPackage, 0, len(packages))
+	for i := range packages {
+		pkg := &packages[i]
+		if !isIgnored(pkg, ignoreMap) {
+			filtered = append(filtered, *pkg)
+		}
+	}
+	return filtered
+}
+
 func enrichResponseWithRealtimeScannerResults(
 	response *OssPackageResults,
 	result *wrappers.RealtimeScannerPackageResponse,
diff --git a/internal/services/realtimeengine/ossrealtime/oss-realtime_test.go b/internal/services/realtimeengine/ossrealtime/oss-realtime_test.go
@@ -46,7 +46,7 @@ func TestRunOssRealtimeScan_ValidLicenseAndManifest_ScanSuccess(t *testing.T) {
 
 	const filePath = "../../../commands/data/manifests/package.json"
 
-	response, err := ossRealtimeService.RunOssRealtimeScan(filePath)
+	response, err := ossRealtimeService.RunOssRealtimeScan(filePath, "")
 
 	assert.Nil(t, err)
 	assert.NotNil(t, response)
@@ -63,7 +63,7 @@ func TestRunOssRealtimeScan_InvalidLicenseAndValidManifest_ScanFail(t *testing.T
 
 	const filePath = "../../../commands/data/manifests/package.json"
 
-	response, err := ossRealtimeService.RunOssRealtimeScan(filePath)
+	response, err := ossRealtimeService.RunOssRealtimeScan(filePath, "")
 
 	assert.NotNil(t, err)
 	assert.Nil(t, response)
@@ -79,12 +79,88 @@ func TestRunOssRealtimeScan_ValidLicenseAndInvalidManifest_ScanFail(t *testing.T
 
 	const filePath = "not-supported-manifest.ruby"
 
-	response, err := ossRealtimeService.RunOssRealtimeScan(filePath)
+	response, err := ossRealtimeService.RunOssRealtimeScan(filePath, "")
 
 	assert.NotNil(t, err)
 	assert.Nil(t, response)
 }
 
+func TestRunOssRealtimeScan_WithIgnoredPackage_IgnoresPackage(t *testing.T) {
+	mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.OssRealtimeEnabled, Status: true}
+	ossRealtimeService := NewOssRealtimeService(
+		&mock.JWTMockWrapper{},
+		&mock.FeatureFlagsMockWrapper{},
+		&mock.RealtimeScannerMockWrapper{},
+	)
+
+	const filePath = "../../../commands/data/manifests/package.json"
+	const ignoredPath = "../../../commands/data/checkmarxIgnoredTempList.json"
+
+	response, err := ossRealtimeService.RunOssRealtimeScan(filePath, ignoredPath)
+
+	assert.Nil(t, err)
+	assert.NotNil(t, response)
+
+	for _, pkg := range response.Packages {
+		assert.NotEqual(t, "coa", pkg.PackageName, "Package 'coa' should be ignored but was found in the results")
+	}
+}
+
+func TestRunOssRealtimeScan_WithEmptyIgnoreFile_AllPackagesIncluded(t *testing.T) {
+	mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.OssRealtimeEnabled, Status: true}
+	ossRealtimeService := NewOssRealtimeService(
+		&mock.JWTMockWrapper{},
+		&mock.FeatureFlagsMockWrapper{},
+		&mock.RealtimeScannerMockWrapper{},
+	)
+
+	const filePath = "../../../commands/data/manifests/package.json"
+	const ignoredPath = "../../../commands/data/emptyIgnoreList.json"
+
+	response, err := ossRealtimeService.RunOssRealtimeScan(filePath, ignoredPath)
+
+	assert.Nil(t, err)
+	assert.NotNil(t, response)
+
+	var found bool
+	for _, pkg := range response.Packages {
+		if pkg.PackageName == "coa" && pkg.PackageVersion == "3.1.3" {
+			found = true
+			break
+		}
+	}
+	assert.True(t, found, "'coa' should not be ignored if ignore list is empty")
+}
+
+func TestRunOssRealtimeScan_IgnoredPackageWithDifferentVersion_IsNotIgnored(t *testing.T) {
+	mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.OssRealtimeEnabled, Status: true}
+	ossRealtimeService := NewOssRealtimeService(
+		&mock.JWTMockWrapper{},
+		&mock.FeatureFlagsMockWrapper{},
+		&mock.RealtimeScannerMockWrapper{},
+	)
+
+	const filePath = "../../../commands/data/manifests/test.csproj"
+	const ignoredPath = "../../../commands/data/checkmarxIgnoredTempListCsproj.json"
+
+	response, err := ossRealtimeService.RunOssRealtimeScan(filePath, ignoredPath)
+
+	assert.Nil(t, err)
+	assert.NotNil(t, response)
+
+	var found bool
+	for _, pkg := range response.Packages {
+		if pkg.PackageManager == "nuget" &&
+			pkg.PackageName == "Microsoft.Extensions.Caching.Memory" &&
+			pkg.PackageVersion == "6.0.1" {
+			found = true
+			break
+		}
+	}
+
+	assert.True(t, found, "Package 'Microsoft.Extensions.Caching.Memory@6.0.1' should NOT be ignored since version in ignore file is 6.0.3")
+}
+
 func TestPrepareScan_CacheExistsAndContainsPartialResults_RealtimeScannerRequestIsCalledPartially(t *testing.T) {
 	mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.OssRealtimeEnabled, Status: true}
 	cleanCacheFile(t)
@@ -271,12 +347,12 @@ func TestOssRealtimeScan_CsprojFile_ReturnsLocations(t *testing.T) {
 		&mock.FeatureFlagsMockWrapper{},
 		&mock.RealtimeScannerMockWrapper{},
 	)
-	response, err := ossRealtimeService.RunOssRealtimeScan("../../../commands/data/manifests/test.csproj")
+	response, err := ossRealtimeService.RunOssRealtimeScan("../../../commands/data/manifests/test.csproj", "")
 
 	// Assert
 	assert.Nil(t, err)
 	assert.NotNil(t, response)
-	assert.Equal(t, 5, len(response.Packages), "Should find exactly 5 packages in test.csproj")
+	assert.Equal(t, 6, len(response.Packages), "Should find exactly 5 packages in test.csproj")
 
 	// Find the Microsoft.TeamFoundationServer.Client package that should have 3 locations
 	var tfsPackage *OssPackage
