Merge branch 'main' into bug/AST-106740

Author: cx-anurag-dalke

go.mod

@@ -3,7 +3,7 @@ module github.com/checkmarx/ast-cli
 go 1.24.4
 
 require (
-	github.com/Checkmarx/containers-resolver v1.0.15
+	github.com/Checkmarx/containers-resolver v1.0.19
 	github.com/Checkmarx/containers-types v1.0.9
 	github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63
 	github.com/Checkmarx/gen-ai-wrapper v1.0.2
@@ -42,7 +42,7 @@ require (
 	github.com/BobuSumisu/aho-corasick v1.0.3 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/Checkmarx/containers-images-extractor v1.0.17
-	github.com/Checkmarx/containers-syft-packages-extractor v1.0.13 // indirect
+	github.com/Checkmarx/containers-syft-packages-extractor v1.0.15 // indirect
 	github.com/CycloneDX/cyclonedx-go v0.9.2 // indirect
 	github.com/DataDog/zstd v1.5.6 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect

go.sum

@@ -65,10 +65,10 @@ github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Checkmarx/containers-images-extractor v1.0.17 h1:lzisdh50nR5yzTjTkT9r9dlHHI7aC72XTGjTp35KqHM=
 github.com/Checkmarx/containers-images-extractor v1.0.17/go.mod h1:hRXOiq6Vw2QiIuxIqV+6+osMk0vvIpoMdTMLyz9OfE8=
-github.com/Checkmarx/containers-resolver v1.0.15 h1:cm4d6vYWi6G9J9vnAw+dWcMsJwEFMo+anCHVaSp0nMQ=
-github.com/Checkmarx/containers-resolver v1.0.15/go.mod h1:9mdw8elUHj9NO9+ejjuuuCByfxvx9mG+JTJxDLi9ubM=
-github.com/Checkmarx/containers-syft-packages-extractor v1.0.13 h1:9ah0rruMGgRiug/bD/JJDSrDqEqS7sKGVdc5sqbkwk8=
-github.com/Checkmarx/containers-syft-packages-extractor v1.0.13/go.mod h1:EFeB4//lO4KMVj9+eMg6z5jnO9F1e1T4jUoIcx0/19M=
+github.com/Checkmarx/containers-resolver v1.0.19 h1:OqPJq3dL0vv8BC2Qco6/VTqmg1Jurk32Yf/bW9cZuq8=
+github.com/Checkmarx/containers-resolver v1.0.19/go.mod h1:UwT3Z+rf6RZv1voMt1xtEctWguhQrzHk1dhEb0Dl5fY=
+github.com/Checkmarx/containers-syft-packages-extractor v1.0.15 h1:yM7Plt86oL47Kijr1fwsrWwuACNTwWgxZSZ/lifXTlk=
+github.com/Checkmarx/containers-syft-packages-extractor v1.0.15/go.mod h1:Jr3dQVFslMCJ+8orsF1orFn05cO3mprUy5b43yn0IIM=
 github.com/Checkmarx/containers-types v1.0.9 h1:LbHDj9LZ0x3f28wDx398WC19sw0U0EfEewHMLStBwvs=
 github.com/Checkmarx/containers-types v1.0.9/go.mod h1:KR0w8XCosq3+6jRCfQrH7i//Nj2u11qaUJM62CREFZA=
 github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63 h1:SCuTcE+CFvgjbIxUNL8rsdB2sAhfuNx85HvxImKta3g=

internal/commands/scan.go

@@ -1122,7 +1122,8 @@ func addContainersScan(cmd *cobra.Command, resubmitConfig []wrappers.Config) (ma
 	containerMapConfig[resultsMapType] = commonParams.ContainersType
 	containerConfig := wrappers.ContainerConfig{}
 
-	initializeContainersConfigWithResubmitValues(resubmitConfig, &containerConfig)
+	containerResolveLocally, _ := cmd.Flags().GetBool(commonParams.ContainerResolveLocallyFlag)
+	initializeContainersConfigWithResubmitValues(resubmitConfig, &containerConfig, containerResolveLocally)
 
 	fileFolderFilter, _ := cmd.PersistentFlags().GetString(commonParams.ContainersFileFolderFilterFlag)
 	if fileFolderFilter != "" {
@@ -1141,7 +1142,7 @@ func addContainersScan(cmd *cobra.Command, resubmitConfig []wrappers.Config) (ma
 		containerConfig.ImagesFilter = imageTagFilter
 	}
 	userCustomImages, _ := cmd.Flags().GetString(commonParams.ContainerImagesFlag)
-	if userCustomImages != "" {
+	if userCustomImages != "" && !containerResolveLocally {
 		containerImagesList := strings.Split(strings.TrimSpace(userCustomImages), ",")
 		for _, containerImageName := range containerImagesList {
 			if containerImagesErr := validateContainerImageFormat(containerImageName); containerImagesErr != nil {
@@ -1156,7 +1157,7 @@ func addContainersScan(cmd *cobra.Command, resubmitConfig []wrappers.Config) (ma
 	return containerMapConfig, nil
 }
 
-func initializeContainersConfigWithResubmitValues(resubmitConfig []wrappers.Config, containerConfig *wrappers.ContainerConfig) {
+func initializeContainersConfigWithResubmitValues(resubmitConfig []wrappers.Config, containerConfig *wrappers.ContainerConfig, containerResolveLocally bool) {
 	for _, config := range resubmitConfig {
 		if config.Type != commonParams.ContainersType {
 			continue
@@ -1178,7 +1179,7 @@ func initializeContainersConfigWithResubmitValues(resubmitConfig []wrappers.Conf
 			containerConfig.ImagesFilter = resubmitImagesFilter.(string)
 		}
 		resubmitUserCustomImages := config.Value[ConfigUserCustomImagesKey]
-		if resubmitUserCustomImages != nil && resubmitUserCustomImages != "" {
+		if resubmitUserCustomImages != nil && resubmitUserCustomImages != "" && !containerResolveLocally {
 			containerConfig.UserCustomImages = resubmitUserCustomImages.(string)
 		}
 	}
@@ -1702,7 +1703,7 @@ func getUploadURLFromSource(cmd *cobra.Command, uploadsWrapper wrappers.UploadsW
 
 		if isSingleContainerScanTriggered() && containerResolveLocally {
 			logger.PrintIfVerbose("Single container scan triggered: compressing only the container resolution file")
-			containerResolutionFilePath := filepath.Join(directoryPath, containerResolutionFileName)
+			containerResolutionFilePath := filepath.Join(directoryPath, ".checkmarx", "containers", containerResolutionFileName)
 			zipFilePath, dirPathErr = util.CompressFile(containerResolutionFilePath, containerResolutionFileName, directoryCreationPrefix)
 		} else if isSingleContainerScanTriggered() && containerImagesFlag != "" {
 			logger.PrintIfVerbose("Single container scan with external images: creating minimal zip file")

internal/commands/scan_test.go

@@ -1854,12 +1854,13 @@ func TestAddContainersScan_WithCustomImages_ShouldSetUserCustomImages(t *testing
 func TestInitializeContainersConfigWithResubmitValues_UserCustomImages(t *testing.T) {
 	// Define test cases
 	testCases := []struct {
-		name                 string
-		resubmitConfig       []wrappers.Config
-		expectedCustomImages string
+		name                    string
+		resubmitConfig          []wrappers.Config
+		containerResolveLocally bool
+		expectedCustomImages    string
 	}{
 		{
-			name: "When UserCustomImages is valid string, it should be set in containerConfig",
+			name: "When UserCustomImages is valid string and ContainerResolveLocally is false, it should be set in containerConfig",
 			resubmitConfig: []wrappers.Config{
 				{
 					Type: commonParams.ContainersType,
@@ -1868,7 +1869,21 @@ func TestInitializeContainersConfigWithResubmitValues_UserCustomImages(t *testin
 					},
 				},
 			},
-			expectedCustomImages: "image1:tag1,image2:tag2",
+			containerResolveLocally: false,
+			expectedCustomImages:    "image1:tag1,image2:tag2",
+		},
+		{
+			name: "When UserCustomImages is valid string and ContainerResolveLocally is true, it should not be set in containerConfig",
+			resubmitConfig: []wrappers.Config{
+				{
+					Type: commonParams.ContainersType,
+					Value: map[string]interface{}{
+						ConfigUserCustomImagesKey: "image1:tag1,image2:tag2",
+					},
+				},
+			},
+			containerResolveLocally: true,
+			expectedCustomImages:    "",
 		},
 		{
 			name: "When UserCustomImages is empty string, containerConfig should not be updated",
@@ -1880,7 +1895,8 @@ func TestInitializeContainersConfigWithResubmitValues_UserCustomImages(t *testin
 					},
 				},
 			},
-			expectedCustomImages: "",
+			containerResolveLocally: false,
+			expectedCustomImages:    "",
 		},
 		{
 			name: "When UserCustomImages is nil, containerConfig should not be updated",
@@ -1892,7 +1908,8 @@ func TestInitializeContainersConfigWithResubmitValues_UserCustomImages(t *testin
 					},
 				},
 			},
-			expectedCustomImages: "",
+			containerResolveLocally: false,
+			expectedCustomImages:    "",
 		},
 		{
 			name: "When config.Value doesn't have UserCustomImages key, containerConfig should not be updated",
@@ -1902,7 +1919,8 @@ func TestInitializeContainersConfigWithResubmitValues_UserCustomImages(t *testin
 					Value: map[string]interface{}{},
 				},
 			},
-			expectedCustomImages: "",
+			containerResolveLocally: false,
+			expectedCustomImages:    "",
 		},
 	}
 
@@ -1913,7 +1931,7 @@ func TestInitializeContainersConfigWithResubmitValues_UserCustomImages(t *testin
 			containerConfig := &wrappers.ContainerConfig{}
 
 			// Call the function under test
-			initializeContainersConfigWithResubmitValues(tc.resubmitConfig, containerConfig)
+			initializeContainersConfigWithResubmitValues(tc.resubmitConfig, containerConfig, tc.containerResolveLocally)
 
 			// Assert the result
 			assert.Equal(t, tc.expectedCustomImages, containerConfig.UserCustomImages,

internal/services/realtimeengine/containersrealtime/containers-realtime.go

@@ -15,6 +15,8 @@ import (
 	"github.com/pkg/errors"
 )
 
+const defaultTag = "latest"
+
 // ContainersRealtimeService is the service responsible for performing real-time container scanning.
 type ContainersRealtimeService struct {
 	JwtWrapper             wrappers.JWTWrapper
@@ -218,26 +220,31 @@ func mergeImagesToResults(listOfImages []wrappers.ContainerImageResponseItem, re
 
 func getImageLocations(images *[]types.ImageModel, imageName, imageTag string) (location []realtimeengine.Location, filePath string) {
 	for i, img := range *images {
-		if img.Name == imageName+":"+imageTag || img.Name == imageName+"@"+imageTag {
-			location := convertLocations(&img.ImageLocations)
-			filePath := ""
-			if len(img.ImageLocations) > 0 {
-				filePath = img.ImageLocations[0].Path
-			}
-			*images = append((*images)[:i], (*images)[i+1:]...)
-			return location, filePath
+		if !isSameImage(img.Name, imageName, imageTag) {
+			continue
 		}
+		location := convertLocations(&img.ImageLocations)
+		filePath := ""
+		if len(img.ImageLocations) > 0 {
+			filePath = img.ImageLocations[0].Path
+		}
+		*images = append((*images)[:i], (*images)[i+1:]...)
+		return location, filePath
 	}
 	return []realtimeengine.Location{}, ""
 }
 
+func isSameImage(curImage, imageName, imageTag string) bool {
+	return curImage == imageName+":"+imageTag || curImage == imageName+"@"+imageTag || curImage == imageName && imageTag == defaultTag
+}
+
 // splitToImageAndTag splits the image string into name and tag components.
 func splitToImageAndTag(image string) (imageName, imageTag string) {
 	// Split the image string by the last colon to separate name and tag
 	lastColonIndex := strings.LastIndex(image, ":")
 
 	if lastColonIndex == len(image)-1 || lastColonIndex == -1 {
-		return image, "latest" // No tag specified, default to "latest"
+		return image, defaultTag // No tag specified, default to "latest"
 	}
 
 	imageName = image[:lastColonIndex]

internal/services/realtimeengine/secretsrealtime/config.go

@@ -5,6 +5,7 @@ import "github.com/checkmarx/ast-cli/internal/services/realtimeengine"
 type SecretsRealtimeResult struct {
 	Title       string                    `json:"Title"`
 	Description string                    `json:"Description"`
+	SecretValue string                    `json:"SecretValue"`
 	FilePath    string                    `json:"FilePath"`
 	Severity    string                    `json:"Severity"`
 	Locations   []realtimeengine.Location `json:"Locations"`

internal/services/realtimeengine/secretsrealtime/secrets-realtime.go

@@ -107,7 +107,7 @@ func (s *SecretsRealtimeService) RunSecretsRealtimeScan(filePath, ignoredFilePat
 	}
 
 	results := convertToSecretsRealtimeResult(report)
-	resultsPerLineMap := createResultsPerLineMap(results)
+	resultsPerLineMap := createResultsPerLocationMap(results)
 	results = filterGenericAPIKeyVulIfNeeded(results, resultsPerLineMap)
 
 	if ignoredFilePath == "" {
@@ -163,6 +163,7 @@ func convertSecretToResult(secret *secrets.Secret) SecretsRealtimeResult {
 	return SecretsRealtimeResult{
 		Title:       secret.RuleID,
 		Description: secret.RuleDescription,
+		SecretValue: secret.Value,
 		Severity:    getSeverity(secret),
 		FilePath:    secret.Source,
 		Locations:   locations,
@@ -182,15 +183,17 @@ func getSeverity(secret *secrets.Secret) string {
 	}
 }
 
-func createResultsPerLineMap(results []SecretsRealtimeResult) map[string][]SecretsRealtimeResult {
-	resultsPerLine := make(map[string][]SecretsRealtimeResult)
+func createResultsPerLocationMap(results []SecretsRealtimeResult) map[string][]SecretsRealtimeResult {
+	resultsPerLocation := make(map[string][]SecretsRealtimeResult)
 	for _, result := range results {
+		var locationKey string
 		for _, location := range result.Locations {
-			lineKey := fmt.Sprintf("%s:%d", result.FilePath, location.Line)
-			resultsPerLine[lineKey] = append(resultsPerLine[lineKey], result)
+			locationKey = fmt.Sprintf("%s:%d", locationKey, location.Line)
 		}
+		resultKey := fmt.Sprintf("%s%s", result.FilePath, locationKey)
+		resultsPerLocation[resultKey] = append(resultsPerLocation[resultKey], result)
 	}
-	return resultsPerLine
+	return resultsPerLocation
 }
 
 func filterGenericAPIKeyVulIfNeeded(

internal/services/realtimeengine/secretsrealtime/secrets-realtime_test.go

@@ -139,8 +139,31 @@ func TestRunSecretsRealtimeScan_ValidFile_Success(t *testing.T) {
 
 	assert.NoError(t, err)
 	assert.NotNil(t, results)
-	// Note: The actual results depend on the 2ms scanner behavior
-	// This test mainly verifies that the function completes without error
+}
+
+func TestRunSecretsRealtimeScan_MultiLineResult_Success(t *testing.T) {
+	mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.OssRealtimeEnabled, Status: true}
+	value := "PRIVATE_KEY = \"\"\"\n-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA7v8wF+SECRETKEYEXAMPLE+QIDAQABAoIBAQC0\n-----END RSA PRIVATE KEY-----\n\"\"\""
+	// Create a temporary file for testing
+	tempDir := t.TempDir()
+	tempFile := filepath.Join(tempDir, "test-secrets.txt")
+	testContent := value
+	err := os.WriteFile(tempFile, []byte(testContent), 0644)
+	assert.NoError(t, err)
+
+	service := &SecretsRealtimeService{
+		JwtWrapper:         &mock.JWTMockWrapper{},
+		FeatureFlagWrapper: &mock.FeatureFlagsMockWrapper{},
+	}
+
+	results, err := service.RunSecretsRealtimeScan(tempFile, "")
+
+	assert.NoError(t, err)
+	assert.NotNil(t, results)
+	assert.Len(t, results, 1)
+	assert.Len(t, results[0].Locations, 3)
+	assert.NotEmpty(t, results[0].SecretValue)
+
 }
 
 func TestReadFile_ValidFile_Success(t *testing.T) {