Merge branch 'main' into pre-commit-hook

cx-celso-silva · web-flow · commit b466c5303c0b · 2025-03-25T12:14:42.000Z
diff --git a/go.mod b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/MakeNowJust/heredoc v1.0.0
 	github.com/bouk/monkey v1.0.0
 	github.com/gofrs/flock v0.12.1
-	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/gomarkdown/markdown v0.0.0-20241102151059-6bc1ffdc6e8c
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/google/uuid v1.6.0
diff --git a/go.sum b/go.sum
@@ -418,8 +418,8 @@ github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeH
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
-github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
diff --git a/internal/commands/.scripts/up.sh b/internal/commands/.scripts/up.sh
@@ -4,4 +4,4 @@ wget https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-linux64.tar.g
 tar -xzvf ScaResolver-linux64.tar.gz -C /tmp
 rm -rf ScaResolver-linux64.tar.gz
 # ignore mock and wrappers packages, as they checked by integration tests
-go test $(go list ./... | grep -v "mock" | grep -v "wrappers" | grep -v "bitbucketserver" | grep -v "logger") -timeout 20m -coverprofile cover.out
+go test $(go list ./... | grep -v "mock" | grep -v "wrappers" | grep -v "bitbucketserver" | grep -v "logger") -timeout 25m -coverprofile cover.out
diff --git a/internal/commands/root_test.go b/internal/commands/root_test.go
@@ -206,6 +206,7 @@ func assertError(t *testing.T, err error, expectedMessage string) {
 func clearFlags() {
 	mock.Flags = wrappers.FeatureFlagsResponseModel{}
 	mock.Flag = wrappers.FeatureFlagResponseModel{}
+	mock.FFErr = nil
 	wrappers.ClearCache()
 }
 
diff --git a/internal/commands/scan.go b/internal/commands/scan.go
@@ -88,6 +88,7 @@ const (
 	configIncremental                       = "incremental"
 	configFastScan                          = "fastScanMode"
 	configPresetName                        = "presetName"
+	configPresetID                          = "presetId"
 	configEngineVerbose                     = "engineVerbose"
 	configLanguageMode                      = "languageMode"
 	ConfigContainersFilesFilterKey          = "filesFilter"
@@ -553,7 +554,10 @@ func scanCreateSubCommand(
 		false,
 		"Incremental SAST scan should be performed.",
 	)
+
 	createScanCmd.PersistentFlags().String(commonParams.PresetName, "", "The name of the Checkmarx preset to use.")
+	createScanCmd.PersistentFlags().String(commonParams.IacsPresetIDFlag, "", commonParams.IacsPresetIDUsage)
+
 	createScanCmd.PersistentFlags().String(
 		commonParams.ScaResolverFlag,
 		"",
@@ -898,6 +902,7 @@ func addKicsScan(cmd *cobra.Command, resubmitConfig []wrappers.Config) map[strin
 		kicsMapConfig[resultsMapType] = commonParams.KicsType
 		kicsConfig.Filter = deprecatedFlagValue(cmd, commonParams.KicsFilterFlag, commonParams.IacsFilterFlag)
 		kicsConfig.Platforms = deprecatedFlagValue(cmd, commonParams.KicsPlatformsFlag, commonParams.IacsPlatformsFlag)
+		kicsConfig.PresetID, _ = cmd.Flags().GetString(commonParams.IacsPresetIDFlag)
 		for _, config := range resubmitConfig {
 			if config.Type == commonParams.KicsType {
 				resubmitFilter := config.Value[configFilterKey]
@@ -908,6 +913,10 @@ func addKicsScan(cmd *cobra.Command, resubmitConfig []wrappers.Config) map[strin
 				if resubmitPlatforms != nil && kicsConfig.Platforms == "" {
 					kicsConfig.Platforms = resubmitPlatforms.(string)
 				}
+				resubmitPresetID := config.Value[configPresetID]
+				if resubmitPresetID != nil && kicsConfig.PresetID == "" {
+					kicsConfig.PresetID = resubmitPresetID.(string)
+				}
 			}
 		}
 		kicsMapConfig[resultsMapValue] = &kicsConfig
@@ -1123,7 +1132,7 @@ func validateScanTypes(cmd *cobra.Command, jwtWrapper wrappers.JWTWrapper, featu
 	var scanTypes []string
 	var SCSScanTypes []string
 
-	containerEngineCLIEnabled, _ := featureFlagsWrapper.GetSpecificFlag(wrappers.ContainerEngineCLIEnabled)
+	runContainerEngineCLI := isContainersEngineEnabled(featureFlagsWrapper)
 	allowedEngines, err := jwtWrapper.GetAllowedEngines(featureFlagsWrapper)
 	if err != nil {
 		err = errors.Errorf("Error validating scan types: %v", err)
@@ -1140,7 +1149,7 @@ func validateScanTypes(cmd *cobra.Command, jwtWrapper wrappers.JWTWrapper, featu
 
 		scanTypes = strings.Split(userScanTypes, ",")
 		for _, scanType := range scanTypes {
-			if !allowedEngines[scanType] || (scanType == commonParams.ContainersType && !(containerEngineCLIEnabled.Status)) {
+			if !allowedEngines[scanType] || (scanType == commonParams.ContainersType && !(runContainerEngineCLI)) {
 				keys := reflect.ValueOf(allowedEngines).MapKeys()
 				err = errors.Errorf(engineNotAllowed, scanType, scanType, keys)
 				return err
@@ -1156,7 +1165,7 @@ func validateScanTypes(cmd *cobra.Command, jwtWrapper wrappers.JWTWrapper, featu
 
 	} else {
 		for k := range allowedEngines {
-			if k == commonParams.ContainersType && !(containerEngineCLIEnabled.Status) {
+			if k == commonParams.ContainersType && !(runContainerEngineCLI) {
 				continue
 			}
 			scanTypes = append(scanTypes, k)
@@ -1169,6 +1178,16 @@ func validateScanTypes(cmd *cobra.Command, jwtWrapper wrappers.JWTWrapper, featu
 	return nil
 }
 
+func isContainersEngineEnabled(featureFlagsWrapper wrappers.FeatureFlagsWrapper) bool {
+	containerEngineCLIEnabled, err := featureFlagsWrapper.GetSpecificFlag(wrappers.ContainerEngineCLIEnabled)
+	if err != nil {
+		logger.PrintfIfVerbose("Failed to fetch CONTAINER_ENGINE_CLI_ENABLED FF, defaulting to `false`. Error: %s", err)
+		return false
+	}
+
+	return containerEngineCLIEnabled.Status
+}
+
 func scanTypeEnabled(scanType string) bool {
 	scanTypes := strings.Split(actualScanTypes, ",")
 	for _, a := range scanTypes {
@@ -2791,6 +2810,12 @@ func validateCreateScanFlags(cmd *cobra.Command) error {
 		return errors.Errorf("Invalid value for --project-private-package flag. The value must be true or false.")
 	}
 
+	if kicsPresetID, _ := cmd.Flags().GetString(commonParams.IacsPresetIDFlag); kicsPresetID != "" {
+		if _, err := uuid.Parse(kicsPresetID); err != nil {
+			return fmt.Errorf("Invalid value for --%s flag. Must be a valid UUID.", commonParams.IacsPresetIDFlag)
+		}
+	}
+
 	return nil
 }
 
diff --git a/internal/commands/scan_test.go b/internal/commands/scan_test.go
@@ -58,6 +58,7 @@ const (
 	additionalParamsError                  = "flag needs an argument: --additional-params"
 	scanCommand                            = "scan"
 	kicsRealtimeCommand                    = "kics-realtime"
+	kicsPresetIDIncorrectValueError        = "Invalid value for --iac-security-preset-id flag. Must be a valid UUID."
 	InvalidEngineMessage                   = "Please verify if engine is installed"
 	SCSScoreCardError                      = "SCS scan failed to start: Scorecard scan is missing required flags, please include in the ast-cli arguments: " +
 		"--scs-repo-url your_repo_url --scs-repo-token your_repo_token"
@@ -514,6 +515,18 @@ func TestScanWorkFlowWithKicsPlatformsDeprecated(t *testing.T) {
 	assert.NilError(t, err)
 }
 
+func TestScanWorkFlowWithKicsPresetID(t *testing.T) {
+	baseArgs := []string{"scan", "create", "--project-name", "kicsPresetIDMock", "-b", "dummy_branch", "-s", dummyRepo, "--iac-security-preset-id", "4801dea3-b365-4934-a810-ebf481f646c3"}
+	err := executeTestCommand(createASTTestCommand(), baseArgs...)
+	assert.NilError(t, err)
+}
+
+func TestScanWorkFlowWithInvalidKicsPresetID(t *testing.T) {
+	baseArgs := []string{"scan", "create", "--project-name", "kicsPresetIDMock", "-b", "dummy_branch", "-s", dummyRepo, "--iac-security-preset-id", "invalid uuid"}
+	err := executeTestCommand(createASTTestCommand(), baseArgs...)
+	assert.Error(t, err, kicsPresetIDIncorrectValueError, err.Error())
+}
+
 func TestScanWorkFlowWithScaFilter(t *testing.T) {
 	baseArgs := []string{"scan", "create", "--project-name", "scaFilterMock", "-b", "dummy_branch", "-s", dummyRepo, "--sca-filter", "!jQuery"}
 	cmd := createASTTestCommand()
@@ -1945,3 +1958,22 @@ func TestValidateScanTypes(t *testing.T) {
 		})
 	}
 }
+
+func TestIsContainersEngineEnabled_FlagEnabled(t *testing.T) {
+	clearFlags()
+	mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: true}
+	mock.FFErr = nil
+
+	result := isContainersEngineEnabled(mock.FeatureFlagsMockWrapper{})
+	assert.Assert(t, result, "expected result to be true")
+}
+
+func TestIsContainersEngineEnabled_FlagRetrievalFails(t *testing.T) {
+	clearFlags()
+	mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.ContainerEngineCLIEnabled, Status: false}
+	mock.FFErr = errors.New("something went wrong while fetching ff")
+
+	result := isContainersEngineEnabled(mock.FeatureFlagsMockWrapper{})
+
+	assert.Assert(t, !result, "expected result to be false")
+}
diff --git a/internal/params/flags.go b/internal/params/flags.go
@@ -140,6 +140,8 @@ const (
 	KicsPlatformsFlagUsage       = "KICS Platform Flag. Use ',' as the delimiter for arrays."
 	IacsPlatformsFlag            = "iac-security-platforms"
 	IacsPlatformsFlagUsage       = "IaC Security Platform Flag"
+	IacsPresetIDFlag             = "iac-security-preset-id"
+	IacsPresetIDUsage            = "The ID of the IaC Security Preset to use (must be a valid UUID)."
 	ApikeyOverrideFlag           = "apikey-override"
 	ExploitablePathFlag          = "sca-exploitable-path"
 	LastSastScanTime             = "sca-last-sast-scan-time"
diff --git a/internal/services/export.go b/internal/services/export.go
@@ -17,7 +17,7 @@ const (
 	delayValueForReport = 3
 	pendingStatus       = "Pending"
 	completedStatus     = "Completed"
-	pollingTimeout      = 5 // minutes
+	pollingTimeout      = 15 // minutes
 )
 
 func GetExportPackage(exportWrapper wrappers.ExportWrapper, scanID string, scaHideDevAndTestDep bool) (*wrappers.ScaPackageCollectionExport, error) {
@@ -112,6 +112,9 @@ func pollForCompletion(exportWrapper wrappers.ExportWrapper, exportID string) (*
 	logger.PrintIfVerbose("Polling for export report generation completion")
 
 	for pollingResp.ExportStatus == exportingStatus || pollingResp.ExportStatus == pendingStatus {
+		
+		logger.Printf("SCA Export Status is: %s", pollingResp.ExportStatus)
+
 		select {
 		case <-timeout:
 			return nil, errors.Errorf("export generating failed - Timed out after 5 minutes")
diff --git a/internal/wrappers/mock/feature-flags-mock.go b/internal/wrappers/mock/feature-flags-mock.go
@@ -8,6 +8,7 @@ import (
 
 var Flags wrappers.FeatureFlagsResponseModel
 var Flag wrappers.FeatureFlagResponseModel
+var FFErr error
 
 type FeatureFlagsMockWrapper struct {
 }
@@ -22,5 +23,8 @@ func (f FeatureFlagsMockWrapper) GetAll() (*wrappers.FeatureFlagsResponseModel,
 
 func (f FeatureFlagsMockWrapper) GetSpecificFlag(specificFlag string) (*wrappers.FeatureFlagResponseModel, error) {
 	fmt.Println("Called GetSpecificFlag in FeatureFlagsMockWrapper with flag:", specificFlag)
+	if FFErr != nil {
+		return nil, FFErr
+	}
 	return &Flag, nil
 }
diff --git a/internal/wrappers/scans.go b/internal/wrappers/scans.go
@@ -132,6 +132,7 @@ type SastConfig struct {
 type KicsConfig struct {
 	Filter    string `json:"filter,omitempty"`
 	Platforms string `json:"platforms,omitempty"`
+	PresetID  string `json:"presetId,omitempty"`
 }
 
 type ScaConfig struct {
diff --git a/test/integration/data/iac-insecure.zip b/test/integration/data/iac-insecure.zip
diff --git a/test/integration/scan_test.go b/test/integration/scan_test.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"net/http"
 	"os"
 	"path/filepath"
 	"reflect"
@@ -320,6 +321,54 @@ func TestScanCreate_FolderWithSymbolicLinkWithAbsolutePath_CreateScanSuccessfull
 	assert.NilError(t, err)
 }
 
+func TestScanCreate_IaCWithPresetID_CreateScanSuccessfully(t *testing.T) {
+	bindKeysToEnvAndDefault(t)
+
+	// The createPreset(...) function requires these feature flags to be ON.
+	// If ast-cli runs with these flags OFF, the KICS engine in CxOne will ignore
+	// the submitted preset and perform a full scan instead.
+	// Since this test is only meaningful when the flags are ON, it is skipped otherwise.
+	if !isFFEnabled(t, "NEW_PRESET_MANAGEMENT_ENABLED") || !isFFEnabled(t, "KICS_PRESETS_MANAGER_ENABLED") {
+		t.Skip("Preset FFs are not enabled... Skipping test")
+	}
+
+	requestData := CreatePresetRequest{
+		Name: fmt.Sprintf("ast-cli-preset-%s", time.Now().Format("060102_15_04_05")),
+		Queries: []PresetQueries{
+			{
+				FamilyName: "Dockerfile",
+				QueryIDs:   []string{"67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae"},
+			},
+		},
+	}
+	presetID, err := createPreset("iac", requestData)
+	assert.NilError(t, err)
+	defer deletePreset("iac", presetID)
+
+	args := []string{
+		"scan", "create",
+		flag(params.ProjectName), GenerateRandomProjectNameForScan(),
+		flag(params.SourcesFlag), "data/iac-insecure.zip",
+		flag(params.ScanTypes), params.IacType,
+		flag(params.BranchFlag), "dummy_branch",
+		flag(params.IacsPresetIDFlag), presetID,
+		flag(params.ScanInfoFormatFlag), printer.FormatJSON,
+	}
+	scanID, projectID := executeCreateScan(t, args)
+
+	scanWrapper := wrappers.NewHTTPScansWrapper(viper.GetString(params.ScansPathKey))
+	allScansModel, _, err := scanWrapper.Get(map[string]string{"project-id": projectID})
+	asserts.Nil(t, err)
+
+	createdScan := allScansModel.Scans[0]
+	assert.Equal(t, createdScan.ID, scanID, "Scan ID should be equal")
+	assert.Equal(t, len(createdScan.Metadata.Configs), 1, "Scan should have only containers config")
+
+	createdScanConfig := createdScan.Metadata.Configs[0]
+	assert.Equal(t, createdScanConfig.Type, params.KicsType, "Scan type should be equal")
+	assert.Equal(t, createdScanConfig.Value["presetId"], presetID, "IaC scan is not using the created presetID")
+}
+
 func TestScanCreate_FolderWithSymbolicLinkWithRelativePath_CreateScanSuccessfully(t *testing.T) {
 	args := []string{
 		"scan", "create",
@@ -2189,3 +2238,64 @@ func TestCreateScanWithAsyncFlag_TryShowResults_PolicyNotEvaluated(t *testing.T)
 	log.SetOutput(os.Stderr)
 	assert.Assert(t, strings.Contains(buf.String(), "Policy violations aren't returned in the pipeline for scans run in async mode."), "policy shouldn't evaluate in running scan")
 }
+
+type PresetQueries struct {
+	FamilyName string   `json:"familyName"`
+	QueryIDs   []string `json:"queryIds"`
+}
+
+type CreatePresetRequest struct {
+	Name    string          `json:"name"`
+	Queries []PresetQueries `json:"queries"`
+}
+
+type CreatePresetResponse struct {
+	ID      string `json:"id"`
+	Message string `json:"message"`
+}
+
+func createPreset(engine string, body CreatePresetRequest) (string, error) {
+	jsonData, err := json.Marshal(body)
+	if err != nil {
+		return "", errors.Wrap(err, "Error marshalling JSON")
+	}
+
+	resp, err := wrappers.SendHTTPRequest(
+		http.MethodPost,
+		fmt.Sprintf("api/preset-manager/%s/presets", engine),
+		bytes.NewBuffer(jsonData), true, 20,
+	)
+	if err != nil {
+		return "", errors.Wrap(err, "Request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("Expected status 200, got %d", resp.StatusCode)
+	}
+
+	var responseData CreatePresetResponse
+	if err := json.NewDecoder(resp.Body).Decode(&responseData); err != nil {
+		return "", errors.Wrap(err, "Error decoding response")
+	}
+
+	return responseData.ID, err
+}
+
+func deletePreset(engine, presetID string) error {
+	resp, err := wrappers.SendHTTPRequest(
+		http.MethodDelete,
+		fmt.Sprintf("api/preset-manager/%s/presets/%s", engine, presetID),
+		http.NoBody, true, 20,
+	)
+	if err != nil {
+		return errors.Wrap(err, "Request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("Expected status 200, got %d", resp.StatusCode)
+	}
+
+	return nil
+}

Original file line number	Diff line number	Diff line change
`@@ -206,6 +206,7 @@ func assertError(t *testing.T, err error, expectedMessage string) {`
`206`	`206`	`func clearFlags() {`
`207`	`207`	`mock.Flags = wrappers.FeatureFlagsResponseModel{}`
`208`	`208`	`mock.Flag = wrappers.FeatureFlagResponseModel{}`
	`209`	`+ mock.FFErr = nil`
`209`	`210`	`wrappers.ClearCache()`
`210`	`211`	`}`
`211`	`212`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import (`
`8`	`8`
`9`	`9`	`var Flags wrappers.FeatureFlagsResponseModel`
`10`	`10`	`var Flag wrappers.FeatureFlagResponseModel`
	`11`	`+var FFErr error`
`11`	`12`
`12`	`13`	`type FeatureFlagsMockWrapper struct {`
`13`	`14`	`}`
`@@ -22,5 +23,8 @@ func (f FeatureFlagsMockWrapper) GetAll() (*wrappers.FeatureFlagsResponseModel,`
`22`	`23`
`23`	`24`	`func (f FeatureFlagsMockWrapper) GetSpecificFlag(specificFlag string) (*wrappers.FeatureFlagResponseModel, error) {`
`24`	`25`	`fmt.Println("Called GetSpecificFlag in FeatureFlagsMockWrapper with flag:", specificFlag)`
	`26`	`+ if FFErr != nil {`
	`27`	`+ return nil, FFErr`
	`28`	`+ }`
`25`	`29`	`return &Flag, nil`
`26`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,7 @@ type SastConfig struct {`
`132`	`132`	`type KicsConfig struct {`
`133`	`133`	Filter string `json:"filter,omitempty"`
`134`	`134`	Platforms string `json:"platforms,omitempty"`
	`135`	+ PresetID string `json:"presetId,omitempty"`
`135`	`136`	`}`
`136`	`137`
`137`	`138`	`type ScaConfig struct {`