Checkmarx · cx-miryam-foifer · Nov 26, 2024 · Nov 25, 2024 · Nov 25, 2024 · Nov 25, 2024
@@ -19,6 +19,7 @@ linters-settings:
           - github.com/jsumners/go-getport
           - github.com/stretchr/testify/assert
           - github.com/gofrs/flock
+          - github.com/golang-jwt/jwt/v5
   dupl:
     threshold: 500
   funlen:

@@ -9,7 +9,7 @@ require (
 	github.com/MakeNowJust/heredoc v1.0.0
 	github.com/bouk/monkey v1.0.0
 	github.com/gofrs/flock v0.8.1
-	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/gomarkdown/markdown v0.0.0-20241102151059-6bc1ffdc6e8c
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/google/uuid v1.6.0

@@ -393,8 +393,8 @@ github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14j
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=

@@ -15,9 +15,8 @@ import (
 	"time"
 
 	applicationErrors "github.com/checkmarx/ast-cli/internal/constants/errors"
-	"github.com/golang-jwt/jwt"
-
 	"github.com/checkmarx/ast-cli/internal/logger"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/pkg/errors"
 	"github.com/spf13/viper"
@@ -733,15 +732,20 @@ func GetURL(path, accessToken string) (string, error) {
 
 func ExtractFromTokenClaims(accessToken, claim string) (string, error) {
 	var value string
-	token, _, err := new(jwt.Parser).ParseUnverified(accessToken, jwt.MapClaims{})
+
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+
+	token, _, err := parser.ParseUnverified(accessToken, jwt.MapClaims{})
 	if err != nil {
 		return "", errors.Errorf(APIKeyDecodeErrorFormat, err)
 	}
+
 	if claims, ok := token.Claims.(jwt.MapClaims); ok && claims[claim] != nil {
 		value = strings.TrimSpace(claims[claim].(string))
 	} else {
 		return "", errors.Errorf(jwtError, claim)
 	}
+
 	return value, nil
 }
 

@@ -8,7 +8,7 @@ import (
 
 	commonParams "github.com/checkmarx/ast-cli/internal/params"
 	"github.com/checkmarx/ast-cli/internal/wrappers/utils"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 	"github.com/spf13/viper"
 )
@@ -92,11 +92,15 @@ func (r *CodeBashingHTTPWrapper) GetCodeBashingURL(field string) (string, error)
 	if err != nil {
 		return "", errors.Errorf(failedGettingCodeBashingURL)
 	}
-	token, _, err := new(jwt.Parser).ParseUnverified(accessToken, jwt.MapClaims{})
+
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+
+	token, _, err := parser.ParseUnverified(accessToken, jwt.MapClaims{})
 	if err != nil {
 		return "", NewAstError(licenseNotFoundExitCode, errors.Errorf(failedGettingCodeBashingURL))
 	}
-	var url = ""
+
+	var url string
 	if claims, ok := token.Claims.(jwt.MapClaims); ok && claims[field] != nil {
 		url = claims[field].(string)
 	}

@@ -5,7 +5,7 @@ import (
 
 	commonParams "github.com/checkmarx/ast-cli/internal/params"
 	"github.com/checkmarx/ast-cli/internal/wrappers/utils"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 )
 
@@ -17,7 +17,7 @@ type JWTStruct struct {
 			AllowedEngines []string `json:"allowedEngines"`
 		} `json:"LicenseData"`
 	} `json:"ast-license"`
-	jwt.Claims
+	jwt.RegisteredClaims // Embedding the standard claims
 }
 
 var enabledEngines = []string{"sast", "sca", "api-security", "iac-security", "scs", "containers", "enterprise-secrets"}
@@ -98,7 +98,10 @@ func prepareEngines(engines []string) map[string]bool {
 }
 
 func extractFromTokenToJwtStruct(accessToken string) (*JWTStruct, error) {
-	token, _, err := new(jwt.Parser).ParseUnverified(accessToken, &JWTStruct{})
+	// Create a new Parser instance
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+
+	token, _, err := parser.ParseUnverified(accessToken, &JWTStruct{})
 	if err != nil {
 		return nil, errors.Errorf(APIKeyDecodeErrorFormat, err)
 	}

@@ -137,7 +137,7 @@ func TestCreateScan_WithOnlyInvalidApikeyEnvVar_Fail(t *testing.T) {
 	}
 
 	err, _ := executeCommand(t, args...)
-	assert.Error(t, err, "Error validating scan types: Token decoding error: token contains an invalid number of segments")
+	assert.Error(t, err, "Error validating scan types: Token decoding error: token is malformed: token contains an invalid number of segments")
 }
 
 func TestCreateScan_WithOnlyInvalidApikeyFlag_Fail(t *testing.T) {
@@ -162,7 +162,7 @@ func TestCreateScan_WithOnlyInvalidApikeyFlag_Fail(t *testing.T) {
 	}
 
 	err, _ := executeCommand(t, args...)
-	assert.Error(t, err, "Error validating scan types: Token decoding error: token contains an invalid number of segments")
+	assert.Error(t, err, "Error validating scan types: Token decoding error: token is malformed: token contains an invalid number of segments")
 }
 
 func TestCreateScan_WithValidClientCredentialsFlag_Success(t *testing.T) {
@@ -215,7 +215,7 @@ func TestCreateScan_WithInvalidClientCredentialsFlag_Fail(t *testing.T) {
 	}
 
 	err, _ := executeCommand(t, args...)
-	assert.Error(t, err, "Error validating scan types: Token decoding error: token contains an invalid number of segments")
+	assert.Error(t, err, "Error validating scan types: Token decoding error: token is malformed: token contains an invalid number of segments")
 }
 
 func TestCreateScan_WithValidClientCredentialsEnvVars_Success(t *testing.T) {