Merge branch 'main' of https://github.com/Checkmarx/ast-cli into feature/ast-105749-sbom-scan

Author: cx-hitesh-madgulkar

go.mod

@@ -3,7 +3,7 @@ module github.com/checkmarx/ast-cli
 go 1.24.4
 
 require (
-	github.com/Checkmarx/containers-resolver v1.0.15
+	github.com/Checkmarx/containers-resolver v1.0.19
 	github.com/Checkmarx/containers-types v1.0.9
 	github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63
 	github.com/Checkmarx/gen-ai-wrapper v1.0.2
@@ -42,7 +42,7 @@ require (
 	github.com/BobuSumisu/aho-corasick v1.0.3 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/Checkmarx/containers-images-extractor v1.0.17
-	github.com/Checkmarx/containers-syft-packages-extractor v1.0.13 // indirect
+	github.com/Checkmarx/containers-syft-packages-extractor v1.0.15 // indirect
 	github.com/CycloneDX/cyclonedx-go v0.9.2 // indirect
 	github.com/DataDog/zstd v1.5.6 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect

go.sum

@@ -65,10 +65,10 @@ github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Checkmarx/containers-images-extractor v1.0.17 h1:lzisdh50nR5yzTjTkT9r9dlHHI7aC72XTGjTp35KqHM=
 github.com/Checkmarx/containers-images-extractor v1.0.17/go.mod h1:hRXOiq6Vw2QiIuxIqV+6+osMk0vvIpoMdTMLyz9OfE8=
-github.com/Checkmarx/containers-resolver v1.0.15 h1:cm4d6vYWi6G9J9vnAw+dWcMsJwEFMo+anCHVaSp0nMQ=
-github.com/Checkmarx/containers-resolver v1.0.15/go.mod h1:9mdw8elUHj9NO9+ejjuuuCByfxvx9mG+JTJxDLi9ubM=
-github.com/Checkmarx/containers-syft-packages-extractor v1.0.13 h1:9ah0rruMGgRiug/bD/JJDSrDqEqS7sKGVdc5sqbkwk8=
-github.com/Checkmarx/containers-syft-packages-extractor v1.0.13/go.mod h1:EFeB4//lO4KMVj9+eMg6z5jnO9F1e1T4jUoIcx0/19M=
+github.com/Checkmarx/containers-resolver v1.0.19 h1:OqPJq3dL0vv8BC2Qco6/VTqmg1Jurk32Yf/bW9cZuq8=
+github.com/Checkmarx/containers-resolver v1.0.19/go.mod h1:UwT3Z+rf6RZv1voMt1xtEctWguhQrzHk1dhEb0Dl5fY=
+github.com/Checkmarx/containers-syft-packages-extractor v1.0.15 h1:yM7Plt86oL47Kijr1fwsrWwuACNTwWgxZSZ/lifXTlk=
+github.com/Checkmarx/containers-syft-packages-extractor v1.0.15/go.mod h1:Jr3dQVFslMCJ+8orsF1orFn05cO3mprUy5b43yn0IIM=
 github.com/Checkmarx/containers-types v1.0.9 h1:LbHDj9LZ0x3f28wDx398WC19sw0U0EfEewHMLStBwvs=
 github.com/Checkmarx/containers-types v1.0.9/go.mod h1:KR0w8XCosq3+6jRCfQrH7i//Nj2u11qaUJM62CREFZA=
 github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63 h1:SCuTcE+CFvgjbIxUNL8rsdB2sAhfuNx85HvxImKta3g=

internal/commands/scan.go

@@ -1132,7 +1132,8 @@ func addContainersScan(cmd *cobra.Command, resubmitConfig []wrappers.Config) (ma
 	containerMapConfig[resultsMapType] = commonParams.ContainersType
 	containerConfig := wrappers.ContainerConfig{}
 
-	initializeContainersConfigWithResubmitValues(resubmitConfig, &containerConfig)
+	containerResolveLocally, _ := cmd.Flags().GetBool(commonParams.ContainerResolveLocallyFlag)
+	initializeContainersConfigWithResubmitValues(resubmitConfig, &containerConfig, containerResolveLocally)
 
 	fileFolderFilter, _ := cmd.PersistentFlags().GetString(commonParams.ContainersFileFolderFilterFlag)
 	if fileFolderFilter != "" {
@@ -1151,7 +1152,7 @@ func addContainersScan(cmd *cobra.Command, resubmitConfig []wrappers.Config) (ma
 		containerConfig.ImagesFilter = imageTagFilter
 	}
 	userCustomImages, _ := cmd.Flags().GetString(commonParams.ContainerImagesFlag)
-	if userCustomImages != "" {
+	if userCustomImages != "" && !containerResolveLocally {
 		containerImagesList := strings.Split(strings.TrimSpace(userCustomImages), ",")
 		for _, containerImageName := range containerImagesList {
 			if containerImagesErr := validateContainerImageFormat(containerImageName); containerImagesErr != nil {
@@ -1166,7 +1167,7 @@ func addContainersScan(cmd *cobra.Command, resubmitConfig []wrappers.Config) (ma
 	return containerMapConfig, nil
 }
 
-func initializeContainersConfigWithResubmitValues(resubmitConfig []wrappers.Config, containerConfig *wrappers.ContainerConfig) {
+func initializeContainersConfigWithResubmitValues(resubmitConfig []wrappers.Config, containerConfig *wrappers.ContainerConfig, containerResolveLocally bool) {
 	for _, config := range resubmitConfig {
 		if config.Type != commonParams.ContainersType {
 			continue
@@ -1188,7 +1189,7 @@ func initializeContainersConfigWithResubmitValues(resubmitConfig []wrappers.Conf
 			containerConfig.ImagesFilter = resubmitImagesFilter.(string)
 		}
 		resubmitUserCustomImages := config.Value[ConfigUserCustomImagesKey]
-		if resubmitUserCustomImages != nil && resubmitUserCustomImages != "" {
+		if resubmitUserCustomImages != nil && resubmitUserCustomImages != "" && !containerResolveLocally {
 			containerConfig.UserCustomImages = resubmitUserCustomImages.(string)
 		}
 	}
@@ -1753,7 +1754,7 @@ func getUploadURLFromSource(cmd *cobra.Command, uploadsWrapper wrappers.UploadsW
 
 		if isSingleContainerScanTriggered() && containerResolveLocally {
 			logger.PrintIfVerbose("Single container scan triggered: compressing only the container resolution file")
-			containerResolutionFilePath := filepath.Join(directoryPath, containerResolutionFileName)
+			containerResolutionFilePath := filepath.Join(directoryPath, ".checkmarx", "containers", containerResolutionFileName)
 			zipFilePath, dirPathErr = util.CompressFile(containerResolutionFilePath, containerResolutionFileName, directoryCreationPrefix)
 		} else if isSingleContainerScanTriggered() && containerImagesFlag != "" {
 			logger.PrintIfVerbose("Single container scan with external images: creating minimal zip file")

internal/commands/scan_test.go

@@ -1855,12 +1855,13 @@ func TestAddContainersScan_WithCustomImages_ShouldSetUserCustomImages(t *testing
 func TestInitializeContainersConfigWithResubmitValues_UserCustomImages(t *testing.T) {
 	// Define test cases
 	testCases := []struct {
-		name                 string
-		resubmitConfig       []wrappers.Config
-		expectedCustomImages string
+		name                    string
+		resubmitConfig          []wrappers.Config
+		containerResolveLocally bool
+		expectedCustomImages    string
 	}{
 		{
-			name: "When UserCustomImages is valid string, it should be set in containerConfig",
+			name: "When UserCustomImages is valid string and ContainerResolveLocally is false, it should be set in containerConfig",
 			resubmitConfig: []wrappers.Config{
 				{
 					Type: commonParams.ContainersType,
@@ -1869,7 +1870,21 @@ func TestInitializeContainersConfigWithResubmitValues_UserCustomImages(t *testin
 					},
 				},
 			},
-			expectedCustomImages: "image1:tag1,image2:tag2",
+			containerResolveLocally: false,
+			expectedCustomImages:    "image1:tag1,image2:tag2",
+		},
+		{
+			name: "When UserCustomImages is valid string and ContainerResolveLocally is true, it should not be set in containerConfig",
+			resubmitConfig: []wrappers.Config{
+				{
+					Type: commonParams.ContainersType,
+					Value: map[string]interface{}{
+						ConfigUserCustomImagesKey: "image1:tag1,image2:tag2",
+					},
+				},
+			},
+			containerResolveLocally: true,
+			expectedCustomImages:    "",
 		},
 		{
 			name: "When UserCustomImages is empty string, containerConfig should not be updated",
@@ -1881,7 +1896,8 @@ func TestInitializeContainersConfigWithResubmitValues_UserCustomImages(t *testin
 					},
 				},
 			},
-			expectedCustomImages: "",
+			containerResolveLocally: false,
+			expectedCustomImages:    "",
 		},
 		{
 			name: "When UserCustomImages is nil, containerConfig should not be updated",
@@ -1893,7 +1909,8 @@ func TestInitializeContainersConfigWithResubmitValues_UserCustomImages(t *testin
 					},
 				},
 			},
-			expectedCustomImages: "",
+			containerResolveLocally: false,
+			expectedCustomImages:    "",
 		},
 		{
 			name: "When config.Value doesn't have UserCustomImages key, containerConfig should not be updated",
@@ -1903,7 +1920,8 @@ func TestInitializeContainersConfigWithResubmitValues_UserCustomImages(t *testin
 					Value: map[string]interface{}{},
 				},
 			},
-			expectedCustomImages: "",
+			containerResolveLocally: false,
+			expectedCustomImages:    "",
 		},
 	}
 
@@ -1914,7 +1932,7 @@ func TestInitializeContainersConfigWithResubmitValues_UserCustomImages(t *testin
 			containerConfig := &wrappers.ContainerConfig{}
 
 			// Call the function under test
-			initializeContainersConfigWithResubmitValues(tc.resubmitConfig, containerConfig)
+			initializeContainersConfigWithResubmitValues(tc.resubmitConfig, containerConfig, tc.containerResolveLocally)
 
 			// Assert the result
 			assert.Equal(t, tc.expectedCustomImages, containerConfig.UserCustomImages,

internal/services/realtimeengine/containersrealtime/containers-realtime.go

@@ -15,6 +15,8 @@ import (
 	"github.com/pkg/errors"
 )
 
+const defaultTag = "latest"
+
 // ContainersRealtimeService is the service responsible for performing real-time container scanning.
 type ContainersRealtimeService struct {
 	JwtWrapper             wrappers.JWTWrapper
@@ -218,26 +220,31 @@ func mergeImagesToResults(listOfImages []wrappers.ContainerImageResponseItem, re
 
 func getImageLocations(images *[]types.ImageModel, imageName, imageTag string) (location []realtimeengine.Location, filePath string) {
 	for i, img := range *images {
-		if img.Name == imageName+":"+imageTag || img.Name == imageName+"@"+imageTag {
-			location := convertLocations(&img.ImageLocations)
-			filePath := ""
-			if len(img.ImageLocations) > 0 {
-				filePath = img.ImageLocations[0].Path
-			}
-			*images = append((*images)[:i], (*images)[i+1:]...)
-			return location, filePath
+		if !isSameImage(img.Name, imageName, imageTag) {
+			continue
 		}
+		location := convertLocations(&img.ImageLocations)
+		filePath := ""
+		if len(img.ImageLocations) > 0 {
+			filePath = img.ImageLocations[0].Path
+		}
+		*images = append((*images)[:i], (*images)[i+1:]...)
+		return location, filePath
 	}
 	return []realtimeengine.Location{}, ""
 }
 
+func isSameImage(curImage, imageName, imageTag string) bool {
+	return curImage == imageName+":"+imageTag || curImage == imageName+"@"+imageTag || curImage == imageName && imageTag == defaultTag
+}
+
 // splitToImageAndTag splits the image string into name and tag components.
 func splitToImageAndTag(image string) (imageName, imageTag string) {
 	// Split the image string by the last colon to separate name and tag
 	lastColonIndex := strings.LastIndex(image, ":")
 
 	if lastColonIndex == len(image)-1 || lastColonIndex == -1 {
-		return image, "latest" // No tag specified, default to "latest"
+		return image, defaultTag // No tag specified, default to "latest"
 	}
 
 	imageName = image[:lastColonIndex]

internal/services/realtimeengine/secretsrealtime/secrets-realtime.go

@@ -3,9 +3,10 @@ package secretsrealtime
 import (
 	"encoding/json"
 	"fmt"
+	"os"
+
 	errorconstants "github.com/checkmarx/ast-cli/internal/constants/errors"
 	"github.com/checkmarx/ast-cli/internal/logger"
-	"os"
 
 	"github.com/checkmarx/2ms/v3/lib/reporting"
 	"github.com/checkmarx/2ms/v3/lib/secrets"
@@ -22,6 +23,7 @@ const (
 	criticalSeverity = "Critical"
 	highSeverity     = "High"
 	mediumSeverity   = "Medium"
+	genericAPIKey    = "generic-api-key"
 )
 
 type SecretsRealtimeService struct {
@@ -105,6 +107,8 @@ func (s *SecretsRealtimeService) RunSecretsRealtimeScan(filePath, ignoredFilePat
 	}
 
 	results := convertToSecretsRealtimeResult(report)
+	resultsPerLineMap := createResultsPerLineMap(results)
+	results = filterGenericAPIKeyVulIfNeeded(results, resultsPerLineMap)
 
 	if ignoredFilePath == "" {
 		return results, nil
@@ -177,3 +181,38 @@ func getSeverity(secret *secrets.Secret) string {
 		return highSeverity
 	}
 }
+
+func createResultsPerLineMap(results []SecretsRealtimeResult) map[string][]SecretsRealtimeResult {
+	resultsPerLine := make(map[string][]SecretsRealtimeResult)
+	for _, result := range results {
+		for _, location := range result.Locations {
+			lineKey := fmt.Sprintf("%s:%d", result.FilePath, location.Line)
+			resultsPerLine[lineKey] = append(resultsPerLine[lineKey], result)
+		}
+	}
+	return resultsPerLine
+}
+
+func filterGenericAPIKeyVulIfNeeded(
+	results []SecretsRealtimeResult,
+	resultsPerLine map[string][]SecretsRealtimeResult,
+) []SecretsRealtimeResult {
+	if len(results) == 0 || len(resultsPerLine) == 0 {
+		return results
+	}
+
+	var filtered []SecretsRealtimeResult
+	for _, entries := range resultsPerLine {
+		if len(entries) <= 1 {
+			filtered = append(filtered, entries...)
+			continue
+		}
+
+		for i := 0; i < len(entries); i++ {
+			if entries[i].Title != genericAPIKey {
+				filtered = append(filtered, entries[i])
+			}
+		}
+	}
+	return filtered
+}

internal/services/realtimeengine/secretsrealtime/secrets-realtime_test.go

@@ -73,12 +73,12 @@ func TestRunSecretsRealtimeScan_WithIgnoreFile_FiltersResult(t *testing.T) {
 	tempDir := t.TempDir()
 
 	testFile := filepath.Join(tempDir, "test.txt")
-	testContent := "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\ngithub_token = ghp_XXXXXXXXXXXXXXXXXXXX"
+	testContent := "pat = \"ghp_1234567890abcdef1234567890abcdef12345678\""
 	assert.NoError(t, os.WriteFile(testFile, []byte(testContent), 0644))
 
 	ignoreFile := filepath.Join(tempDir, "ignored.json")
 	ignored := []IgnoredSecret{
-		{Title: "github-token", FilePath: "test.txt", Line: 2},
+		{Title: "github-pat", FilePath: testFile, Line: 0},
 	}
 	data, _ := json.Marshal(ignored)
 	assert.NoError(t, os.WriteFile(ignoreFile, data, 0644))
@@ -93,7 +93,30 @@ func TestRunSecretsRealtimeScan_WithIgnoreFile_FiltersResult(t *testing.T) {
 	assert.NotNil(t, results)
 
 	for _, r := range results {
-		assert.NotEqual(t, "github-token", r.Title)
+		assert.NotEqual(t, "github-pat", r.Title)
+	}
+}
+
+func TestRunSecretsRealtimeScan_PatVulAndGenericVul_ReturnedOnlyPathVul(t *testing.T) {
+	mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.OssRealtimeEnabled, Status: true}
+
+	tempDir := t.TempDir()
+
+	testFile := filepath.Join(tempDir, "test.txt")
+	testContent := "token = \"ghp_1234567890abcdef1234567890abcdef12345678\""
+	assert.NoError(t, os.WriteFile(testFile, []byte(testContent), 0644))
+
+	service := &SecretsRealtimeService{
+		JwtWrapper:         &mock.JWTMockWrapper{},
+		FeatureFlagWrapper: &mock.FeatureFlagsMockWrapper{},
+	}
+
+	results, err := service.RunSecretsRealtimeScan(testFile, "")
+	assert.NoError(t, err)
+	assert.NotNil(t, results)
+
+	for _, r := range results {
+		assert.Equal(t, "github-pat", r.Title)
 	}
 }