
Commit 7200c50

Authored by cx-atish-jadhav, claude, cx-luis-ventuzelos
Bugs remediation and Salesforce tickets resolution (AST-146432) (#1499)
* Fix KICS container shutdown race condition and add OneAssist license support
  - Create kicsshutdown package with thread-safe container name management
  - Update signal handler to read container name from kicsshutdown instead of viper
  - Prevents race conditions during SIGTERM cleanup
  - Add support for OneAssist license in addition to Developer Assist
  - Update GetUniqueID() to check both license types

* Integrate file updates: SARIF enhancements, filters expansion, and project/application management improvements
  - Add CodeFlow and ThreadFlow support to SARIF result structures with new types
  - Extend BaseIncludeFilters with 41 additional file type patterns
  - Enhance applications.go with project association polling and duplicate prevention
  - Update result.go with CodeFlow handling in SARIF serialization
  - Add IsInSource and CommitURL fields to SarifResultProperties
  - Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
  - Change IaCS and KICS filter flags from String to StringSlice in scan.go

  Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* Fix SCA vulnerabilities: update dependencies to patched versions
  - Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
  - Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
  - Upgrade anchore/stereoscope to v0.2.0
  - Upgrade google.golang.org/grpc to v1.80.0
  - Upgrade gonum to v0.17.0
  - Upgrade containerd/v2 to v2.3.1
  - Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
  - Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
  - Upgrade Go version to 1.26.3

  Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* Fix additional SCA vulnerabilities: containerd, golang.org/x/image, and opencontainers/runc
  - Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
  - Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
  - Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
  - Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)

  Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* Fix k8s.io/kubectl version mismatch after SCA dependency upgrades

  Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0 during SCA vulnerability remediation.

  Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* create CLAUDE.md file for ast-cli repo
* Updated filters.go
* fix failing unit test case
* trivy and integration check fixes
* CVE-2026-33813: fixing cxone scan vulnerability
* Fix CVE vulnerabilities and lint issues
  - Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
  - Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
  - Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
  - Extract repeated string to constant in result_test.go (goconst lint fix)

* Override transitive golang.org/x/image and update config
  - Add explicit requirement for golang.org/x/image v0.39.0 to override gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
  - Update result_test.go constant alignment
  - Add cx_config_file_path to integration config

* Fix KICS container shutdown race condition and add OneAssist license support
  - Create kicsshutdown package with thread-safe container name management
  - Update signal handler to read container name from kicsshutdown instead of viper
  - Prevents race conditions during SIGTERM cleanup
  - Add support for OneAssist license in addition to Developer Assist
  - Update GetUniqueID() to check both license types

* Integrate file updates: SARIF enhancements, filters expansion, and project/application management improvements
  - Add CodeFlow and ThreadFlow support to SARIF result structures with new types
  - Extend BaseIncludeFilters with 41 additional file type patterns
  - Enhance applications.go with project association polling and duplicate prevention
  - Update result.go with CodeFlow handling in SARIF serialization
  - Add IsInSource and CommitURL fields to SarifResultProperties
  - Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
  - Change IaCS and KICS filter flags from String to StringSlice in scan.go

  Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* Fix SCA vulnerabilities: update dependencies to patched versions
  - Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
  - Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
  - Upgrade anchore/stereoscope to v0.2.0
  - Upgrade google.golang.org/grpc to v1.80.0
  - Upgrade gonum to v0.17.0
  - Upgrade containerd/v2 to v2.3.1
  - Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
  - Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
  - Upgrade Go version to 1.26.3

  Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* Fix additional SCA vulnerabilities: containerd, golang.org/x/image, and opencontainers/runc
  - Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
  - Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
  - Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
  - Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)

  Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* Fix k8s.io/kubectl version mismatch after SCA dependency upgrades

  Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0 during SCA vulnerability remediation.

  Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* create CLAUDE.md file for ast-cli repo
* Updated filters.go
* fix failing unit test case
* trivy and integration check fixes
* CVE-2026-33813: fixing cxone scan vulnerability
* Fix CVE vulnerabilities and lint issues
  - Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
  - Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
  - Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
  - Extract repeated string to constant in result_test.go (goconst lint fix)

* Override transitive golang.org/x/image and update config
  - Add explicit requirement for golang.org/x/image v0.39.0 to override gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
  - Update result_test.go constant alignment
  - Add cx_config_file_path to integration config

* Vulnerability fixes and ci changes
* Fix transitive CVE vulnerabilities without go mod tidy
  - Add explicit golang.org/x/image v0.41.0 override (CVE-2026-33813, CVE-2026-46599) pulled transitively through gonum.org/v1/gonum v0.17.0
  - Add explicit github.com/opencontainers/runc v1.3.4 (CVE-2025-52881) pulled transitively through github.com/Microsoft/hcsshim v0.15.0-rc.1
  - Add explicit github.com/go-jose/go-jose/v3 v3.0.5 (CVE-2026-34986) pulled transitively through github.com/containerd/containerd v1.7.32
  - Add explicit github.com/cilium/ebpf v0.17.3 (transitive upgrade)

  Note: do not run go mod tidy on this module — it strips these security overrides because the packages are indirect and not directly imported.

  Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Added harden runner
* release workflow - comment out notify step
* Commenting the signing logic from dev-release
* Cx-One scan fixes for crypto
* Revert golang.org/x/crypto upgrade (v0.51.0 also vulnerable)

  Reverted golang.org/x/crypto from v0.51.0 back to v0.50.0 as v0.51.0 also flagged as vulnerable by Checkmarx SCA.

  CVE-2026-46595 & CVE-2026-39829 in golang.org/x/crypto v0.50.0 are marked as Not Exploitable (NE) because:
  1. CLI does NOT perform authorization logic (CVE-2026-46595)
     - Authorization decisions are delegated to Git layer
  2. CLI does NOT verify cryptographic signatures (CVE-2026-39829)
     - No signature verification code in CLI
     - SSH keys only used for Git authentication
  3. Vulnerable code paths in x/crypto are not exercised by CLI
     - Direct crypto imports (sha256, tls, etc) are from stdlib
     - Indirect x/crypto usage limited to SSH authentication

  Acceptable Risk: YES

  Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Co-authored-by: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com>
1 parent c9cbe49 commit 7200c50

22 files changed

Lines changed: 1142 additions & 387 deletions

.github/workflows/release.yml

Lines changed: 18 additions & 21 deletions
@@ -4,22 +4,22 @@ on:
44
workflow_call:
55
inputs:
66
tag:
7-
description: 'Next release tag'
7+
description: "Next release tag"
88
required: true
99
type: string
1010
dev:
11-
description: 'Is dev build'
11+
description: "Is dev build"
1212
required: false
1313
default: true
1414
type: boolean
1515
workflow_dispatch:
1616
inputs:
1717
tag:
18-
description: 'Next release tag'
18+
description: "Next release tag"
1919
required: true
2020
type: string
2121
dev:
22-
description: 'Is dev build'
22+
description: "Is dev build"
2323
required: false
2424
default: true
2525
type: boolean
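Review bot: the only change in this hunk is the four `description:` strings switching from single to double quotes (`description: 'Next release tag'` becomes `description: "Next release tag"`); the values contain no escapes and no `${{ }}` expressions, so YAML parses them identically and behaviour is unchanged. Formatting churn like this is easier to audit when it is kept out of a commit that also carries CVE remediation and CI changes; a separate formatting commit, or a yamllint quote rule enforced in CI, would stop it recurring.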
@@ -164,10 +164,8 @@ jobs:
164164
165165
if [ "${{ inputs.dev }}" = "true" ]; then
166166
gh release create "${common[@]}" --prerelease
167-
gh release edit "${{ inputs.tag }}" --draft=false
168167
else
169168
gh release create "${common[@]}"
170-
gh release edit "${{ inputs.tag }}" --draft=false --latest
171169
fi
172170
173171
- name: Cleanup draft release on failure
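Review bot: dropping `gh release edit "${{ inputs.tag }}" --draft=false` (and `--draft=false --latest` in the else branch) changes how the release is published, and the hunk does not show what the `common` array contains. If `common` still carries `--draft`, both dev and production releases are now left as drafts and nothing in this job publishes them; if `--draft` was removed from `common` elsewhere, publishing happens in one step but the `--latest` marker for production releases is lost with it. Confirm the contents of `common` in the unchanged context above, keep an explicit `--latest` on the non-dev `gh release create`, or state in the commit message why the latest marker is intentionally no longer set. The following "Cleanup draft release on failure" step still assumes a draft can exist, which only fits the first reading.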
@@ -176,26 +174,25 @@ jobs:
176174
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
177175
run: gh release delete "${{ inputs.tag }}" --cleanup-tag --yes || true
178176

179-
notify:
180-
name: Update Teams & JIRA About New Release
181-
if: inputs.dev == false && 1 == 0
182-
needs: build
183-
uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main
184-
with:
185-
product_name: CLI
186-
release_version: ${{ inputs.tag }}
187-
cli_release_version: ""
188-
release_author: "Sypher Team"
189-
release_url: https://github.com/Checkmarx/ast-cli/releases/tag/${{ inputs.tag }}
190-
jira_product_name: ASTCLI
191-
secrets: inherit
177+
#notify:
178+
# name: Update Teams & JIRA About New Release
179+
# if: inputs.dev == false && 1 == 0
180+
# needs: build
181+
# uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main
182+
# with:
183+
# product_name: CLI
184+
# release_version: ${{ inputs.tag }}
185+
# cli_release_version: ""
186+
# release_author: "Sypher Team"
187+
# release_url: https://github.com/Checkmarx/ast-cli/releases/tag/${{ inputs.tag }}
188+
# jira_product_name: ASTCLI
189+
# secrets: inherit
192190

193191
dispatch_auto_release:
194192
name: Update Plugins With new Cli Version
195193
if: inputs.dev == false && 1 == 0
196-
needs: notify
194+
#needs: notify
197195
uses: Checkmarx/plugins-release-workflow/.github/workflows/dispatch-workflow.yml@main
198196
with:
199197
cli_version: ${{ inputs.tag }}
200198
secrets: inherit
201-

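Review bot: commenting out `needs: notify` leaves `dispatch_auto_release` with no `needs` at all, so it no longer waits for `build`. The job is currently dead because `if: inputs.dev == false && 1 == 0` can never be true, but as soon as the `1 == 0` guard is removed, plugin dispatch could start before the release has been created. Replace `#needs: notify` with `needs: build`. Carrying a fully commented-out `notify` job alongside the `&& 1 == 0` guard also means two separate mechanisms disable the same thing; deleting the job (git history keeps it) leaves the workflow file describing only what actually runs. The `201-` line at the end is a removed trailing blank line, whitespace only.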
.goreleaser-dev.yml

Lines changed: 10 additions & 10 deletions
@@ -33,15 +33,15 @@ builds:
3333
- -s
3434
- -w
3535
- -X github.com/checkmarx/ast-cli/internal/params.Version={{.Version}}
36-
hooks:
37-
post:
38-
- cmd: bash .github/scripts/signing_win.sh dist/cx_windows_amd64_v1/cx.exe {{.Os}} || true
39-
output: true
40-
env:
41-
- SIGNING_REMOTE_SSH_USER={{ .Env.SIGNING_REMOTE_SSH_USER }}
42-
- SIGNING_REMOTE_SSH_HOST={{ .Env.SIGNING_REMOTE_SSH_HOST }}
43-
- SIGNING_HSM_CREDS={{ .Env.SIGNING_HSM_CREDS }}
44-
- SIGNING_REMOTE_SSH_PRIVATE_KEY={{ .Env.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
36+
# hooks:
37+
# post:
38+
# - cmd: bash .github/scripts/signing_win.sh dist/cx_windows_amd64_v1/cx.exe {{.Os}}
39+
# output: true
40+
# env:
41+
# - SIGNING_REMOTE_SSH_USER={{ .Env.SIGNING_REMOTE_SSH_USER }}
42+
# - SIGNING_REMOTE_SSH_HOST={{ .Env.SIGNING_REMOTE_SSH_HOST }}
43+
# - SIGNING_HSM_CREDS={{ .Env.SIGNING_HSM_CREDS }}
44+
# - SIGNING_REMOTE_SSH_PRIVATE_KEY={{ .Env.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
4545

4646
- main: ./cmd/main.go
4747
env:
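Review bot: commenting out the `hooks.post` block removes code signing of `dist/cx_windows_amd64_v1/cx.exe` from the dev release, so dev builds now ship an unsigned Windows binary and anyone installing a dev prerelease loses publisher verification. If the intent is to work around a signing host that is currently unavailable, prefer gating the hook on an environment flag (or leaving it enabled and letting the build fail loudly) over commenting it out, and state in the commit message how long dev builds are expected to stay unsigned. Note that the commented copy also drops the original `|| true`: the old hook silently ignored signing failures, so if this block is re-enabled as written, a failed signature will fail the build, which is the safer behaviour and worth keeping. The four `SIGNING_*` variables now appear only in commented text; check that the invoking workflow is not still injecting those secrets into a job that no longer uses them.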
@@ -97,4 +97,4 @@ blobs:
9797

9898
changelog:
9999
use: github-native
100-
100+

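Review bot: the `100-`/`100+` pair only changes the trailing newline after `use: github-native`; there is no functional change. An `.editorconfig` with `insert_final_newline = true` keeps this whitespace-only noise out of unrelated commits.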