Add OSS-Realtime scan functionality to identify malicious packages (AST-95475, AST-95476, AST-95478)

.github/workflows/ci.yml

@@ -47,8 +47,8 @@ jobs:
         run: go install github.com/wadey/gocovmerge@latest
       - name: Install pre-commit
         run: |
-         pip install pre-commit
-         pre-commit install
+          pip install pre-commit
+          pre-commit install
       - name: Go Integration test
         shell: bash
         env:
@@ -71,7 +71,7 @@ jobs:
           PR_GITHUB_NAMESPACE: "checkmarx"
           PR_GITHUB_REPO_NAME: "ast-cli"
           PR_GITHUB_NUMBER: 983
-          PR_GITLAB_TOKEN : ${{ secrets.PR_GITLAB_TOKEN }}
+          PR_GITLAB_TOKEN: ${{ secrets.PR_GITLAB_TOKEN }}
           PR_GITLAB_NAMESPACE: ${{ secrets.PR_GITLAB_NAMESPACE }}
           PR_GITLAB_REPO_NAME: ${{ secrets.PR_GITLAB_REPO_NAME }}
           PR_GITLAB_PROJECT_ID: ${{ secrets.PR_GITLAB_PROJECT_ID }}
@@ -127,14 +127,16 @@ jobs:
         with:
           go-version-file: go.mod
       - run: go version
+      - run: go mod tidy
       - name: golangci-lint
         uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc #v3
         with:
           skip-pkg-cache: true
-          version: v1.54.2
+          version: v1.64.2
           args: -c .golangci.yml
             --timeout 5m
           only-new-issues: true
+
   govulncheck:
     runs-on: ubuntu-latest
     name: govulncheck
@@ -163,7 +165,7 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Build the project
-        run:  go build -o ./cx ./cmd
+        run: go build -o ./cx ./cmd
       - name: Build Docker image
         run: docker build -t ast-cli:${{ github.sha }} .
       - name: Run Trivy scanner without downloading DBs
@@ -178,7 +180,7 @@ jobs:
           output: './trivy-image-results.txt'
         env:
           TRIVY_SKIP_JAVA_DB_UPDATE: true
-      
+
       - name: Inspect action report
         if: always()
         shell: bash

.golangci.yml

@@ -1,5 +1,43 @@
+# .golangci.yml
+
+run:
+  timeout: 5m
+  issues:
+    exclude-dirs:
+      - test/testdata_etc
+      - internal/cache
+      - internal/renameio
+      - internal/robustio
+
+linters:
+  disable-all: true
+  enable:
+    - bodyclose
+    - depguard
+    - dogsled
+    - dupl
+    - errcheck
+    - funlen
+    - gochecknoinits
+    - goconst
+    - gocritic
+    - gocyclo
+    - gofmt
+    - goimports
+    - ineffassign
+    - mnd                # replacement for gomnd
+    - nakedret
+    - revive             # replacement for golint
+    - rowserrcheck
+    - staticcheck
+    - stylecheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused             # covers deadcode/varcheck/structcheck
+    - whitespace
+
 linters-settings:
-  #  https://golangci-lint.run/usage/linters/#depguard
   depguard:
     list-type: blacklist
     rules:
@@ -9,6 +47,8 @@ linters-settings:
           - github.com/checkmarx/ast-cli/internal
           - github.com/gookit/color
           - github.com/CheckmarxDev/containers-resolver/pkg/containerResolver
+          - github.com/Checkmarx/manifest-parser/pkg/parser/models
+          - github.com/Checkmarx/manifest-parser/pkg/parser
           - github.com/Checkmarx/gen-ai-prompts/prompts/sast_result_remediation
           - github.com/spf13/viper
           - github.com/Checkmarx/gen-ai-wrapper
@@ -36,7 +76,7 @@ linters-settings:
       - performance
       - style
     disabled-checks:
-      - dupImport # https://github.com/go-critic/go-critic/issues/845
+      - dupImport     # https://github.com/go-critic/go-critic/issues/845
       - ifElseChain
       - octalLiteral
       - whyNoLint
@@ -45,15 +85,16 @@ linters-settings:
     min-complexity: 15
   goimports:
     local-prefixes: github.com/golangci/golangci-lint
-  golint:
-    min-confidence: 0
-  gomnd:
+  mnd:
     settings:
       mnd:
-        # don't include the "operation" and "assign"
         checks: argument,case,condition,return
+  revive:
+    rules:
+      - name: exported
+        arguments:
+          - disableStutteringCheck
   govet:
-    check-shadowing: true
     settings:
       printf:
         funcs:
@@ -67,71 +108,14 @@ linters-settings:
     suggest-new: true
   misspell:
     locale: US
-linters:
-  # please, do not use `enable-all`: it's deprecated and will be removed soon. 
-  # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint
-  disable-all: true
-  enable:
-    - bodyclose
-    - deadcode
-    - depguard
-    - dogsled
-    - dupl
-    - errcheck
-    - funlen
-    - gochecknoinits
-    - goconst
-    - gocritic
-    - gocyclo
-    - gofmt
-    - goimports
-    - golint
-    - gomnd
-    - goprintffuncname
-    - gosimple
-    - govet
-    - ineffassign
-    - interfacer
-    - lll
-    - misspell
-    - nakedret
-    - rowserrcheck
-    - scopelint
-    - staticcheck
-    - structcheck
-    - stylecheck
-    - typecheck
-    - unconvert
-    - unparam
-    - unused
-    - varcheck
-    - whitespace
-  # don't enable:
-  # - gochecknoglobals
-  # - gocognit
-  # - godox
-  # - maligned
-  # - prealloc
 
 issues:
-  # Excluding configuration per-path, per-linter, per-text and per-source
   exclude-rules:
     - path: _test\.go
       linters:
-        - gomnd
-run:
-  skip-dirs:
-    - test/testdata_etc
-    - internal/cache
-    - internal/renameio
-    - internal/robustio
-
-  # In case of linter atoi() erros
-  # go: '^1.21'
+        - mnd
 
-# golangci.com configuration
-# https://github.com/golangci/golangci/wiki/Configuration
 service:
-  golangci-lint-version: 1.54.2 # use the fixed version to not introduce new linters unexpectedly
+  golangci-lint-version: 1.64.2
   prepare:
-    - echo "here I can run custom commands, but no preparation needed for this repo"
+    - echo "No special prep steps needed"

cmd/main.go

@@ -56,6 +56,7 @@ func main() {
 	sastMetadataPath := viper.GetString(params.SastMetadataPathKey)
 	accessManagementPath := viper.GetString(params.AccessManagementPathKey)
 	byorPath := viper.GetString(params.ByorPathKey)
+	realtimeScannerPath := viper.GetString(params.RealtimeScannerPathKey)
 
 	customStatesWrapper := wrappers.NewCustomStatesHTTPWrapper()
 	scansWrapper := wrappers.NewHTTPScansWrapper(scans)
@@ -91,6 +92,7 @@ func main() {
 	accessManagementWrapper := wrappers.NewAccessManagementHTTPWrapper(accessManagementPath)
 	byorWrapper := wrappers.NewByorHTTPWrapper(byorPath)
 	containerResolverWrapper := wrappers.NewContainerResolverWrapper()
+	realTimeWrapper := wrappers.NewRealtimeScannerHTTPWrapper(realtimeScannerPath, jwtWrapper, featureFlagsWrapper)
 
 	astCli := commands.NewAstCLI(
 		applicationsWrapper,
@@ -127,6 +129,7 @@ func main() {
 		accessManagementWrapper,
 		byorWrapper,
 		containerResolverWrapper,
+		realTimeWrapper,
 	)
 	exitListener()
 	err = astCli.Execute()

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/Checkmarx/containers-resolver v1.0.9
 	github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63
 	github.com/Checkmarx/gen-ai-wrapper v1.0.2
+	github.com/Checkmarx/manifest-parser v0.0.4
 	github.com/Checkmarx/secret-detection v0.0.3-0.20250327150305-31c2c3be9edf
 	github.com/MakeNowJust/heredoc v1.0.0
 	github.com/bouk/monkey v1.0.0

go.sum

@@ -75,6 +75,8 @@ github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63 h1:SCuTcE
 github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63/go.mod h1:MI6lfLerXU+5eTV/EPTDavgnV3owz3GPT4g/msZBWPo=
 github.com/Checkmarx/gen-ai-wrapper v1.0.2 h1:T6X40+4hYnwfDsvkjWs9VIcE6s1O+8DUu0+sDdCY3GI=
 github.com/Checkmarx/gen-ai-wrapper v1.0.2/go.mod h1:xwRLefezwNNnRGu1EjGS6wNiR9FVV/eP9D+oXwLViVM=
+github.com/Checkmarx/manifest-parser v0.0.4 h1:0UB+FTJu3A9YT/VeJDNvMrX7KBy4mYCVJVK8kNYkcaU=
+github.com/Checkmarx/manifest-parser v0.0.4/go.mod h1:s11sV8akqWX+H0MwFK3XBF8H6JohAjoQe8ClvdDFziQ=
 github.com/Checkmarx/secret-detection v0.0.3-0.20250327150305-31c2c3be9edf h1:lKiogedU3WzWBc/xI6Xj1BhX2Gp1QBJj8C+czY7CcaE=
 github.com/Checkmarx/secret-detection v0.0.3-0.20250327150305-31c2c3be9edf/go.mod h1:mtAHOm1mHGh7MVu6JdYUyitANsLcHNLUTBIh9pTERNI=
 github.com/CycloneDX/cyclonedx-go v0.9.2 h1:688QHn2X/5nRezKe2ueIVCt+NRqf7fl3AVQk+vaFcIo=

internal/commands/data/manifests/package.json

@@ -0,0 +1,27 @@
+{
+		"dependencies": {
+				"@CheckmarxDev/ast-cli-javascript-wrapper": "file:../ast-cli-javascript-wrapper/CheckmarxDev-ast-cli-javascript-wrapper-0.0.54.tgz",
+				"@checkmarxdev/ast-cli-javascript-wrapper": "0.0.54",
+				"copyfiles": "200",
+				"tree-kill": "^1.2.2"
+		},
+		"description": "Beat vulnerabilities with more-secure code",
+		"devDependencies": {
+				"@types/chai": "4.3.1",
+				"@types/mocha": "9.1.1",
+				"@types/node": "^18.0.0",
+				"@types/vscode": "^1.50.0",
+				"@typescript-eslint/eslint-plugin": "^5.29.0",
+				"@typescript-eslint/parser": "^5.29.0",
+				"chai": "4.3.6",
+				"eslint": "^8.18.0",
+				"mocha": "10.0.0",
+				"typescript": "^4.7.4",
+				"vsce": "^2.9.2",
+				"vscode-extension-tester": "4.2.5",
+				"vscode-extension-tester-locators": "^1.62.2",
+				"webpack": "^5.73.0",
+				"webpack-cli": "^4.10.0"
+		},
+		"version": "2.0.4"
+}

internal/commands/data/manifests/requirements.txt

@@ -0,0 +1,95 @@
+#
+# This file is autogenerated by pip-compile with Python 3.10
+# by the following command:
+#
+#    pip-compile
+#
+contourpy==1.3.1
+    # via matplotlib
+ c==0.12.1
+    # via matplotlib
+  fonttools==4.55.8
+    # via matplotlib
+   kiwisolver==1.4.8
+    # via matplotlib
+    matplotlib==3.10.0
+    # via
+    #   -r requirements.in
+    #   seaborn
+numpy==2.2.2
+    # viaS
+    #   -r requirements.in
+    #   contourpy
+    #   matplotlib
+    #   pandas
+    #   seaborn
+packaging==24.2
+    # via matplotlib
+pandas==2.2.3
+    # via
+    #   -r requirements.in
+    #   seaborn
+pillow==11.1.0
+    # via matplotlib
+pyparsing==3.2.1
+    # via matplotlib
+python-dateutil==2.9.0.post0
+    # via
+    #   matplotlib
+    #   pandas
+pytz==2025.1
+    # via pandas
+seaborn==0.13.2
+    # via -r requirements.in
+six==1.17.0
+    # via python-dateutil
+tzdata==2025.1
+    # via pandas
+
+
+    # Sample requirements.txt with various package specifiers
+
+# Exact version
+
+flask==1.1.2
+
+# Range: greater than or equal and less than
+
+Django>=3.0,<4.0
+
+# Less than or equal
+
+requests<=2.25.1
+
+# Compatible release (PEP 440)
+
+urllib3\~=1.26.0
+
+# Not equal
+
+numpy!=1.19.0
+
+# Wildcard patch version
+
+pandas==1.2.\*
+
+# Extras
+
+package\_with\_extras\[security,docs]==0.1.0
+
+# Environment marker (skip on Python>=3.8)
+
+scipy==1.5.2; python\_version < "3.8"
+
+# Combined ranges with comma
+
+celery>=4.0,<5.0
+
+# Inline comment
+
+gevent==21.8.0  # pinned to a known-good version
+
+# Full-line comment below should be ignored
+
+
+