Merge pull request #1185 from Checkmarx/other/elchanan/oss-realtime-location-structure

Convert OssPackage to use Locations array instead of individual line fields (AST-99444)

Author: cx-elchanan-arbiv

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/Checkmarx/containers-resolver v1.0.11
 	github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63
 	github.com/Checkmarx/gen-ai-wrapper v1.0.2
-	github.com/Checkmarx/manifest-parser v0.0.7
+	github.com/Checkmarx/manifest-parser v0.0.8
 	github.com/Checkmarx/secret-detection v0.0.3-0.20250327150305-31c2c3be9edf
 	github.com/MakeNowJust/heredoc v1.0.0
 	github.com/bouk/monkey v1.0.0

go.sum

@@ -75,8 +75,8 @@ github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63 h1:SCuTcE
 github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63/go.mod h1:MI6lfLerXU+5eTV/EPTDavgnV3owz3GPT4g/msZBWPo=
 github.com/Checkmarx/gen-ai-wrapper v1.0.2 h1:T6X40+4hYnwfDsvkjWs9VIcE6s1O+8DUu0+sDdCY3GI=
 github.com/Checkmarx/gen-ai-wrapper v1.0.2/go.mod h1:xwRLefezwNNnRGu1EjGS6wNiR9FVV/eP9D+oXwLViVM=
-github.com/Checkmarx/manifest-parser v0.0.7 h1:lfbDS8tLzQoe8Zwt0HwKmtHWd3NTXHFg/niJFJhUYhE=
-github.com/Checkmarx/manifest-parser v0.0.7/go.mod h1:s11sV8akqWX+H0MwFK3XBF8H6JohAjoQe8ClvdDFziQ=
+github.com/Checkmarx/manifest-parser v0.0.8 h1:rbmPp1X7UE3LeEhZxkjcOqAzMpwzgnWz4wjNWtiku3o=
+github.com/Checkmarx/manifest-parser v0.0.8/go.mod h1:hh5FX5FdDieU8CKQEkged4hfOaSylpJzub8PRFXa4kA=
 github.com/Checkmarx/secret-detection v0.0.3-0.20250327150305-31c2c3be9edf h1:lKiogedU3WzWBc/xI6Xj1BhX2Gp1QBJj8C+czY7CcaE=
 github.com/Checkmarx/secret-detection v0.0.3-0.20250327150305-31c2c3be9edf/go.mod h1:mtAHOm1mHGh7MVu6JdYUyitANsLcHNLUTBIh9pTERNI=
 github.com/CycloneDX/cyclonedx-go v0.9.2 h1:688QHn2X/5nRezKe2ueIVCt+NRqf7fl3AVQk+vaFcIo=

internal/commands/data/manifests/test.csproj

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <DebugType>pdbonly</DebugType>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <ItemGroup>
+    <Compile Include="CxExtension\CxInitialPanel.xaml.cs">
+      <DependentUpon>CxInitialPanel.xaml</DependentUpon>
+    </Compile>
+    <Compile Include="CxExtension\CxWindowControl.xaml.cs">
+      <DependentUpon>CxWindowControl.xaml</DependentUpon>
+    </Compile>
+    <Compile Include="CxExtension\CxWindowPackage.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <Content Include="log4net.config">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+      <IncludeInVSIX>true</IncludeInVSIX>
+    </Content>
+    <None Include="source.extension.vsixmanifest">
+      <SubType>Designer</SubType>
+    </None>
+  </ItemGroup>
+  <ItemGroup>
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="WindowsFormsIntegration" />
+  </ItemGroup>
+  <ItemGroup>
+    <PackageReference Include="Community.VisualStudio.Toolkit.17" Version="17.0.507" />
+    <PackageReference Include="Community.VisualStudio.VSCT" Version="16.0.29.6" />
+    <PackageReference Include="Microsoft.TeamFoundationServer.Client">
+      <Version>19.225.1</Version>
+    </PackageReference>
+    <PackageReference Include="Microsoft.VisualStudio.SDK" Version="17.0.32112.339" />
+    <PackageReference Include="System.Json" Version="4.7.1" />
+  </ItemGroup>
+  <ItemGroup>
+    <EmbeddedResource Include="CxPreferences\CxPreferencesUI.resx">
+      <DependentUpon>CxPreferencesUI.cs</DependentUpon>
+    </EmbeddedResource>
+  </ItemGroup>
+  <ItemGroup>
+    <Page Include="CxExtension\CxInitialPanel.xaml">
+      <Generator>MSBuild:Compile</Generator>
+      <SubType>Designer</SubType>
+    </Page>
+    <Page Include="CxExtension\CxWindowControl.xaml">
+      <SubType>Designer</SubType>
+    </Page>
+  </ItemGroup>
+  <ItemGroup />
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project> 

internal/services/realtimeengine/ossrealtime/config.go

@@ -1,17 +1,16 @@
 package ossrealtime
 
+import "github.com/checkmarx/ast-cli/internal/services/realtimeengine"
+
 // OssPackage represents a package's details for OSS scanning.
 type OssPackage struct {
-	PackageManager  string          `json:"PackageManager"`
-	PackageName     string          `json:"PackageName"`
-	PackageVersion  string          `json:"PackageVersion"`
-	FilePath        string          `json:"FilePath"`
-	LineStart       int             `json:"LineStart"`
-	LineEnd         int             `json:"LineEnd"`
-	StartIndex      int             `json:"StartIndex"`
-	EndIndex        int             `json:"EndIndex"`
-	Status          string          `json:"Status"`
-	Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
+	PackageManager  string                    `json:"PackageManager"`
+	PackageName     string                    `json:"PackageName"`
+	PackageVersion  string                    `json:"PackageVersion"`
+	FilePath        string                    `json:"FilePath"`
+	Locations       []realtimeengine.Location `json:"Locations"`
+	Status          string                    `json:"Status"`
+	Vulnerabilities []Vulnerability           `json:"Vulnerabilities"`
 }
 
 // OssPackageResults holds the results of an OSS scan.

internal/services/realtimeengine/ossrealtime/oss-realtime.go

@@ -8,11 +8,25 @@ import (
 	"github.com/Checkmarx/manifest-parser/pkg/parser/models"
 	errorconstants "github.com/checkmarx/ast-cli/internal/constants/errors"
 	"github.com/checkmarx/ast-cli/internal/logger"
+	"github.com/checkmarx/ast-cli/internal/services/realtimeengine"
 	"github.com/checkmarx/ast-cli/internal/services/realtimeengine/ossrealtime/osscache"
 	"github.com/checkmarx/ast-cli/internal/wrappers"
 	"github.com/pkg/errors"
 )
 
+// convertLocations converts models.Location to realtimeengine.Location
+func convertLocations(locations []models.Location) []realtimeengine.Location {
+	var result []realtimeengine.Location
+	for _, loc := range locations {
+		result = append(result, realtimeengine.Location{
+			Line:       loc.Line,
+			StartIndex: loc.StartIndex,
+			EndIndex:   loc.EndIndex,
+		})
+	}
+	return result
+}
+
 // OssRealtimeService is the service responsible for performing real-time OSS scanning.
 type OssRealtimeService struct {
 	JwtWrapper             wrappers.JWTWrapper
@@ -81,10 +95,7 @@ func enrichResponseWithRealtimeScannerResults(
 			PackageName:     pkg.PackageName,
 			PackageVersion:  pkg.Version,
 			FilePath:        entry.FilePath,
-			LineStart:       entry.LineStart,
-			LineEnd:         entry.LineEnd,
-			StartIndex:      entry.StartIndex,
-			EndIndex:        entry.EndIndex,
+			Locations:       entry.Locations,
 			Status:          pkg.Status,
 			Vulnerabilities: vulnerabilityMapper.FromRealtimeScanner(pkg.Vulnerabilities),
 		})
@@ -157,11 +168,8 @@ func prepareScan(pkgs []models.Package) (*OssPackageResults, *wrappers.RealtimeS
 				PackageManager:  pkg.PackageManager,
 				PackageName:     pkg.PackageName,
 				PackageVersion:  pkg.Version,
-				LineStart:       pkg.LineStart,
-				LineEnd:         pkg.LineEnd,
 				FilePath:        pkg.FilePath,
-				StartIndex:      pkg.StartIndex,
-				EndIndex:        pkg.EndIndex,
+				Locations:       convertLocations(pkg.Locations),
 				Status:          cachedPkg.Status,
 				Vulnerabilities: vulnerabilityMapper.FromCache(cachedPkg.Vulnerabilities),
 			})
@@ -181,10 +189,7 @@ func createPackageMap(pkgs []models.Package) map[string]OssPackage {
 			PackageName:    pkg.PackageName,
 			PackageVersion: pkg.Version,
 			FilePath:       pkg.FilePath,
-			LineStart:      pkg.LineStart,
-			LineEnd:        pkg.LineEnd,
-			StartIndex:     pkg.StartIndex,
-			EndIndex:       pkg.EndIndex,
+			Locations:      convertLocations(pkg.Locations),
 		}
 	}
 	return packageMap

internal/services/realtimeengine/ossrealtime/oss-realtime_test.go

@@ -262,3 +262,53 @@ func TestScanAndCache_CacheExistsAndScanSuccess_CacheUpdated(t *testing.T) {
 	assert.Equal(t, "4.17.1", cache.Packages[1].PackageVersion)
 	assert.Equal(t, "Malicious", cache.Packages[1].Status)
 }
+
+func TestOssRealtimeScan_CsprojFile_ReturnsLocations(t *testing.T) {
+	// Arrange
+	mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.OssRealtimeEnabled, Status: true}
+	ossRealtimeService := NewOssRealtimeService(
+		&mock.JWTMockWrapper{},
+		&mock.FeatureFlagsMockWrapper{},
+		&mock.RealtimeScannerMockWrapper{},
+	)
+	response, err := ossRealtimeService.RunOssRealtimeScan("../../../commands/data/manifests/test.csproj")
+
+	// Assert
+	assert.Nil(t, err)
+	assert.NotNil(t, response)
+	assert.Equal(t, 5, len(response.Packages), "Should find exactly 5 packages in test.csproj")
+
+	// Find the Microsoft.TeamFoundationServer.Client package that should have 3 locations
+	var tfsPackage *OssPackage
+	for _, pkg := range response.Packages {
+		if pkg.PackageName == "Microsoft.TeamFoundationServer.Client" && pkg.PackageVersion == "19.225.1" {
+			tfsPackage = &pkg
+			break
+		}
+	}
+
+	// Assert TFS package was found and has expected locations
+	assert.NotNil(t, tfsPackage, "Should find Microsoft.TeamFoundationServer.Client package")
+	assert.Equal(t, 3, len(tfsPackage.Locations), "TFS package should have exactly 3 locations")
+	assert.Equal(t, "../../../commands/data/manifests/test.csproj", tfsPackage.FilePath)
+
+	// Verify specific location details
+	expectedLocations := []struct {
+		line       int
+		startIndex int
+		endIndex   int
+	}{
+		{32, 4, 70}, // Location 0: Line=32, StartIndex=4, EndIndex=70
+		{33, 6, 33}, // Location 1: Line=33, StartIndex=6, EndIndex=33
+		{34, 4, 23}, // Location 2: Line=34, StartIndex=4, EndIndex=23
+	}
+
+	for i, expected := range expectedLocations {
+		assert.Equal(t, expected.line, tfsPackage.Locations[i].Line,
+			"Location %d line should be %d", i, expected.line)
+		assert.Equal(t, expected.startIndex, tfsPackage.Locations[i].StartIndex,
+			"Location %d startIndex should be %d", i, expected.startIndex)
+		assert.Equal(t, expected.endIndex, tfsPackage.Locations[i].EndIndex,
+			"Location %d endIndex should be %d", i, expected.endIndex)
+	}
+}