Add OSS-Realtime scan functionality to identify malicious packages (AST-95475, AST-95476, AST-95478)

cmd/main.go

@@ -56,6 +56,7 @@ func main() {
 	sastMetadataPath := viper.GetString(params.SastMetadataPathKey)
 	accessManagementPath := viper.GetString(params.AccessManagementPathKey)
 	byorPath := viper.GetString(params.ByorPathKey)
+	realtimeScannerPath := viper.GetString(params.RealtimeScannerPathKey)
 
 	customStatesWrapper := wrappers.NewCustomStatesHTTPWrapper()
 	scansWrapper := wrappers.NewHTTPScansWrapper(scans)
@@ -91,6 +92,7 @@ func main() {
 	accessManagementWrapper := wrappers.NewAccessManagementHTTPWrapper(accessManagementPath)
 	byorWrapper := wrappers.NewByorHTTPWrapper(byorPath)
 	containerResolverWrapper := wrappers.NewContainerResolverWrapper()
+	realTimeWrapper := wrappers.NewRealtimeScannerHTTPWrapper(realtimeScannerPath, jwtWrapper, featureFlagsWrapper)
 
 	astCli := commands.NewAstCLI(
 		applicationsWrapper,
@@ -127,6 +129,7 @@ func main() {
 		accessManagementWrapper,
 		byorWrapper,
 		containerResolverWrapper,
+		realTimeWrapper,
 	)
 	exitListener()
 	err = astCli.Execute()

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/Checkmarx/containers-resolver v1.0.9
 	github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63
 	github.com/Checkmarx/gen-ai-wrapper v1.0.2
+	github.com/Checkmarx/manifest-parser v0.0.2-check-3
 	github.com/Checkmarx/secret-detection v0.0.3-0.20250327150305-31c2c3be9edf
 	github.com/MakeNowJust/heredoc v1.0.0
 	github.com/bouk/monkey v1.0.0

go.sum

@@ -75,6 +75,8 @@ github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63 h1:SCuTcE
 github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63/go.mod h1:MI6lfLerXU+5eTV/EPTDavgnV3owz3GPT4g/msZBWPo=
 github.com/Checkmarx/gen-ai-wrapper v1.0.2 h1:T6X40+4hYnwfDsvkjWs9VIcE6s1O+8DUu0+sDdCY3GI=
 github.com/Checkmarx/gen-ai-wrapper v1.0.2/go.mod h1:xwRLefezwNNnRGu1EjGS6wNiR9FVV/eP9D+oXwLViVM=
+github.com/Checkmarx/manifest-parser v0.0.2-check-3 h1:yDB4CT3ii6CQSpnHWCZiCrrA4AEDJyalTYfUEbP5TO0=
+github.com/Checkmarx/manifest-parser v0.0.2-check-3/go.mod h1:s11sV8akqWX+H0MwFK3XBF8H6JohAjoQe8ClvdDFziQ=
 github.com/Checkmarx/secret-detection v0.0.3-0.20250327150305-31c2c3be9edf h1:lKiogedU3WzWBc/xI6Xj1BhX2Gp1QBJj8C+czY7CcaE=
 github.com/Checkmarx/secret-detection v0.0.3-0.20250327150305-31c2c3be9edf/go.mod h1:mtAHOm1mHGh7MVu6JdYUyitANsLcHNLUTBIh9pTERNI=
 github.com/CycloneDX/cyclonedx-go v0.9.2 h1:688QHn2X/5nRezKe2ueIVCt+NRqf7fl3AVQk+vaFcIo=

internal/commands/data/manifests/package.json

@@ -0,0 +1,27 @@
+{
+		"dependencies": {
+				"@CheckmarxDev/ast-cli-javascript-wrapper": "file:../ast-cli-javascript-wrapper/CheckmarxDev-ast-cli-javascript-wrapper-0.0.54.tgz",
+				"@checkmarxdev/ast-cli-javascript-wrapper": "0.0.54",
+				"copyfiles": "200",
+				"tree-kill": "^1.2.2"
+		},
+		"description": "Beat vulnerabilities with more-secure code",
+		"devDependencies": {
+				"@types/chai": "4.3.1",
+				"@types/mocha": "9.1.1",
+				"@types/node": "^18.0.0",
+				"@types/vscode": "^1.50.0",
+				"@typescript-eslint/eslint-plugin": "^5.29.0",
+				"@typescript-eslint/parser": "^5.29.0",
+				"chai": "4.3.6",
+				"eslint": "^8.18.0",
+				"mocha": "10.0.0",
+				"typescript": "^4.7.4",
+				"vsce": "^2.9.2",
+				"vscode-extension-tester": "4.2.5",
+				"vscode-extension-tester-locators": "^1.62.2",
+				"webpack": "^5.73.0",
+				"webpack-cli": "^4.10.0"
+		},
+		"version": "2.0.4"
+}

internal/commands/data/manifests/requirements.txt

@@ -0,0 +1,95 @@
+#
+# This file is autogenerated by pip-compile with Python 3.10
+# by the following command:
+#
+#    pip-compile
+#
+contourpy==1.3.1
+    # via matplotlib
+ c==0.12.1
+    # via matplotlib
+  fonttools==4.55.8
+    # via matplotlib
+   kiwisolver==1.4.8
+    # via matplotlib
+    matplotlib==3.10.0
+    # via
+    #   -r requirements.in
+    #   seaborn
+numpy==2.2.2
+    # viaS
+    #   -r requirements.in
+    #   contourpy
+    #   matplotlib
+    #   pandas
+    #   seaborn
+packaging==24.2
+    # via matplotlib
+pandas==2.2.3
+    # via
+    #   -r requirements.in
+    #   seaborn
+pillow==11.1.0
+    # via matplotlib
+pyparsing==3.2.1
+    # via matplotlib
+python-dateutil==2.9.0.post0
+    # via
+    #   matplotlib
+    #   pandas
+pytz==2025.1
+    # via pandas
+seaborn==0.13.2
+    # via -r requirements.in
+six==1.17.0
+    # via python-dateutil
+tzdata==2025.1
+    # via pandas
+
+
+    # Sample requirements.txt with various package specifiers
+
+# Exact version
+
+flask==1.1.2
+
+# Range: greater than or equal and less than
+
+Django>=3.0,<4.0
+
+# Less than or equal
+
+requests<=2.25.1
+
+# Compatible release (PEP 440)
+
+urllib3\~=1.26.0
+
+# Not equal
+
+numpy!=1.19.0
+
+# Wildcard patch version
+
+pandas==1.2.\*
+
+# Extras
+
+package\_with\_extras\[security,docs]==0.1.0
+
+# Environment marker (skip on Python>=3.8)
+
+scipy==1.5.2; python\_version < "3.8"
+
+# Combined ranges with comma
+
+celery>=4.0,<5.0
+
+# Inline comment
+
+gevent==21.8.0  # pinned to a known-good version
+
+# Full-line comment below should be ignored
+
+
+

internal/commands/oss-realtime-engine.go

@@ -0,0 +1,36 @@
+package commands
+
+import (
+	"errors"
+
+	"github.com/checkmarx/ast-cli/internal/commands/util/printer"
+	commonParams "github.com/checkmarx/ast-cli/internal/params"
+	"github.com/checkmarx/ast-cli/internal/services/ossrealtime"
+	"github.com/checkmarx/ast-cli/internal/wrappers"
+	"github.com/spf13/cobra"
+)
+
+func RunScanOssRealtimeCommand(realtimeScannerWrapper wrappers.RealtimeScannerWrapper, jwtWrapper wrappers.JWTWrapper, featureFlagWrapper wrappers.FeatureFlagsWrapper) func(cmd *cobra.Command, args []string) error {
+	return func(cmd *cobra.Command, args []string) error {
+		fileSourceFlag, _ := cmd.Flags().GetString(commonParams.SourcesFlag)
+		if fileSourceFlag == "" {
+			return errors.New("file source flag is required")
+		}
+		wrapperParams := ossrealtime.RealtimeScannerWrapperParams{
+			RealtimeScannerWrapper: realtimeScannerWrapper,
+			JwtWrapper:             jwtWrapper,
+			FeatureFlagWrapper:     featureFlagWrapper,
+		}
+
+		packages, err := ossrealtime.RunOssRealtimeScan(&wrapperParams, fileSourceFlag)
+		if err != nil {
+			return errors.New("failed to run oss-realtime scan: " + err.Error())
+		}
+		err = printer.Print(cmd.OutOrStdout(), packages, printer.FormatJSON)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}

internal/commands/oss-realtime-engine_test.go

@@ -0,0 +1,36 @@
+package commands
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRunScanOssRealtimeCommand_RequirementsTxtFile_ScanSuccess(t *testing.T) {
+	execCmdNilAssertion(
+		t,
+		"scan", "oss-realtime", "-s", "data/manifests/requirements.txt",
+	)
+}
+
+func TestRunScanOssRealtimeCommand_EmptyFilePath_ScanFailed(t *testing.T) {
+	err := execCmdNotNilAssertion(
+		t,
+		"scan", "oss-realtime", "-s", "",
+	)
+	assert.NotNil(t, err)
+}
+
+func TestRunScanOssRealtimeCommand_PackageJsonFile_ScanSuccess(t *testing.T) {
+	execCmdNilAssertion(
+		t,
+		"scan", "oss-realtime", "-s", "data/manifests/package.json",
+	)
+}
+func TestRunScanOssRealtimeCommand_UnsupportedFileType_ScanFailed(t *testing.T) {
+	err := execCmdNotNilAssertion(
+		t,
+		"scan", "oss-realtime", "-s", "not-supported-extension.txt",
+	)
+	assert.NotNil(t, err)
+}

internal/commands/root.go

@@ -55,6 +55,7 @@ func NewAstCLI(
 	accessManagementWrapper wrappers.AccessManagementWrapper,
 	byorWrapper wrappers.ByorWrapper,
 	containerResolverWrapper wrappers.ContainerResolverWrapper,
+	realTimeWrapper wrappers.RealtimeScannerWrapper,
 ) *cobra.Command {
 	// Create the root
 	rootCmd := &cobra.Command{
@@ -157,6 +158,7 @@ func NewAstCLI(
 		accessManagementWrapper,
 		featureFlagsWrapper,
 		containerResolverWrapper,
+		realTimeWrapper,
 	)
 	projectCmd := NewProjectCommand(applicationsWrapper, projectsWrapper, groupsWrapper, accessManagementWrapper, featureFlagsWrapper)
 

internal/commands/root_test.go

@@ -68,6 +68,7 @@ func createASTTestCommand() *cobra.Command {
 	byorWrapper := &mock.ByorMockWrapper{}
 	containerResolverMockWrapper := &mock.ContainerResolverMockWrapper{}
 	customStatesMockWrapper := &mock.CustomStatesMockWrapper{}
+	realTimeWrapper := &mock.RealtimeScannerMockWrapper{}
 	return NewAstCLI(
 		applicationWrapper,
 		scansMockWrapper,
@@ -103,6 +104,7 @@ func createASTTestCommand() *cobra.Command {
 		accessManagementWrapper,
 		byorWrapper,
 		containerResolverMockWrapper,
+		realTimeWrapper,
 	)
 }
 

internal/commands/scan.go

@@ -159,6 +159,7 @@ func NewScanCommand(
 	accessManagementWrapper wrappers.AccessManagementWrapper,
 	featureFlagsWrapper wrappers.FeatureFlagsWrapper,
 	containerResolverWrapper wrappers.ContainerResolverWrapper,
+	realtimeScannerWrapper wrappers.RealtimeScannerWrapper,
 ) *cobra.Command {
 	scanCmd := &cobra.Command{
 		Use:   "scan",
@@ -211,6 +212,8 @@ func NewScanCommand(
 
 	scaRealtimeCmd := scarealtime.NewScaRealtimeCommand(scaRealTimeWrapper)
 
+	ossRealtimeCmd := scanOssRealtimeSubCommand(realtimeScannerWrapper, jwtWrapper, featureFlagsWrapper)
+
 	addFormatFlagToMultipleCommands(
 		[]*cobra.Command{listScansCmd, showScanCmd, workflowScanCmd},
 		printer.FormatTable, printer.FormatList, printer.FormatJSON,
@@ -230,6 +233,7 @@ func NewScanCommand(
 		logsCmd,
 		kicsRealtimeCmd,
 		scaRealtimeCmd,
+		ossRealtimeCmd,
 	)
 	return scanCmd
 }
@@ -441,6 +445,36 @@ func scanASCASubCommand(jwtWrapper wrappers.JWTWrapper, featureFlagsWrapper wrap
 	return scanASCACmd
 }
 
+func scanOssRealtimeSubCommand(realtimeScannerWrapper wrappers.RealtimeScannerWrapper, jwtWrapper wrappers.JWTWrapper, featureFlagsWrapper wrappers.FeatureFlagsWrapper) *cobra.Command {
+	scanOssRealtimeCmd := &cobra.Command{
+		Hidden: true,
+		Use:    "oss-realtime",
+		Short:  "Run a OSS-Realtime scan",
+		Long:   "Running a OSS-Realtime scan is a fast and efficient way to identify malicious packages in a manifest file.",
+		Example: heredoc.Doc(
+			`
+			$ cx scan oss-realtime -s <path to a manifest files separated by commas>
+		`,
+		),
+		Annotations: map[string]string{
+			"command:doc": heredoc.Doc(
+				`
+				https://docs.checkmarx.com/en/34965-68625-checkmarx-one-cli-commands.html
+			`,
+			),
+		},
+		RunE: RunScanOssRealtimeCommand(realtimeScannerWrapper, jwtWrapper, featureFlagsWrapper),
+	}
+
+	scanOssRealtimeCmd.PersistentFlags().StringP(
+		commonParams.SourcesFlag,
+		commonParams.SourcesFlagSh,
+		"",
+		"The file source should be the path to a single file",
+	)
+	return scanOssRealtimeCmd
+}
+
 func scanListSubCommand(scansWrapper wrappers.ScansWrapper, sastMetadataWrapper wrappers.SastMetadataWrapper) *cobra.Command {
 	listScansCmd := &cobra.Command{
 		Use:   "list",

internal/params/binds.go

@@ -75,4 +75,5 @@ var EnvVarsBinds = []struct {
 	{ScsRepoTokenKey, ScsRepoTokenEnv, ""},
 	{RiskManagementPathKey, RiskManagementPathEnv, "api/risk-management/projects/%s/results?scanID=%s"},
 	{ConfigFilePathKey, ConfigFilePathEnv, ""},
+	{RealtimeScannerPathKey, RealtimeScannerPathEnv, "api/realtime-scanner"},
 }

internal/params/envs.go

@@ -74,4 +74,5 @@ const (
 	ScsRepoTokenEnv                     = "SCS_REPO_TOKEN"
 	RiskManagementPathEnv               = "CX_RISK_MANAGEMENT_PATH"
 	ConfigFilePathEnv                   = "CX_CONFIG_FILE_PATH"
+	RealtimeScannerPathEnv              = "CX_REALTIME_SCANNER_PATH"
 )

internal/params/keys.go

@@ -74,4 +74,5 @@ var (
 	ScsRepoTokenKey                     = strings.ToLower(ScsRepoTokenEnv)
 	RiskManagementPathKey               = strings.ToLower(RiskManagementPathEnv)
 	ConfigFilePathKey                   = strings.ToLower(ConfigFilePathEnv)
+	RealtimeScannerPathKey              = strings.ToLower(RealtimeScannerPathEnv)
 )