Commit 7200c50
Bugs remediation and Salesforce tickets resolution (AST-146432) (#1499)
* Fix KICS container shutdown race condition and add OneAssist license support
- Create kicsshutdown package with thread-safe container name management
- Update signal handler to read container name from kicsshutdown instead of viper
- Prevents race conditions during SIGTERM cleanup
- Add support for OneAssist license in addition to Developer Assist
- Update GetUniqueID() to check both license types
* Integrate file updates: SARIF enhancements, filters expansion, and project/application management improvements
- Add CodeFlow and ThreadFlow support to SARIF result structures with new types
- Extend BaseIncludeFilters with 41 additional file type patterns
- Enhance applications.go with project association polling and duplicate prevention
- Update result.go with CodeFlow handling in SARIF serialization
- Add IsInSource and CommitURL fields to SarifResultProperties
- Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
- Change IaCS and KICS filter flags from String to StringSlice in scan.go
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* Fix SCA vulnerabilities: update dependencies to patched versions
- Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
- Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
- Upgrade anchore/stereoscope to v0.2.0
- Upgrade google.golang.org/grpc to v1.80.0
- Upgrade gonum to v0.17.0
- Upgrade containerd/v2 to v2.3.1
- Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
- Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
- Upgrade Go version to 1.26.3
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* Fix additional SCA vulnerabilities: containerd, golang.org/x/image, and opencontainers/runc
- Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
- Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
- Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
- Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* Fix k8s.io/kubectl version mismatch after SCA dependency upgrades
Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package
k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0
during SCA vulnerability remediation.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* create CLAUDE.md file for ast-cli repo
* Updated filters.go
* fix failing unit test case
* trivy and integration check fixes
* CVE-2026-33813: fixing cxone scan vulnerability
* Fix CVE vulnerabilities and lint issues
- Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
- Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
- Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
- Extract repeated string to constant in result_test.go (goconst lint fix)
* Override transitive golang.org/x/image and update config
- Add explicit requirement for golang.org/x/image v0.39.0 to override
gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
- Update result_test.go constant alignment
- Add cx_config_file_path to integration config
* Fix KICS container shutdown race condition and add OneAssist license support
- Create kicsshutdown package with thread-safe container name management
- Update signal handler to read container name from kicsshutdown instead of viper
- Prevents race conditions during SIGTERM cleanup
- Add support for OneAssist license in addition to Developer Assist
- Update GetUniqueID() to check both license types
* Integrate file updates: SARIF enhancements, filters expansion, and project/application management improvements
- Add CodeFlow and ThreadFlow support to SARIF result structures with new types
- Extend BaseIncludeFilters with 41 additional file type patterns
- Enhance applications.go with project association polling and duplicate prevention
- Update result.go with CodeFlow handling in SARIF serialization
- Add IsInSource and CommitURL fields to SarifResultProperties
- Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
- Change IaCS and KICS filter flags from String to StringSlice in scan.go
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* Fix SCA vulnerabilities: update dependencies to patched versions
- Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
- Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
- Upgrade anchore/stereoscope to v0.2.0
- Upgrade google.golang.org/grpc to v1.80.0
- Upgrade gonum to v0.17.0
- Upgrade containerd/v2 to v2.3.1
- Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
- Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
- Upgrade Go version to 1.26.3
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* Fix additional SCA vulnerabilities: containerd, golang.org/x/image, and opencontainers/runc
- Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
- Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
- Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
- Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* Fix k8s.io/kubectl version mismatch after SCA dependency upgrades
Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package
k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0
during SCA vulnerability remediation.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* create CLAUDE.md file for ast-cli repo
* Updated filters.go
* fix failing unit test case
* trivy and integration check fixes
* CVE-2026-33813: fixing cxone scan vulnerability
* Fix CVE vulnerabilities and lint issues
- Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
- Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
- Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
- Extract repeated string to constant in result_test.go (goconst lint fix)
* Override transitive golang.org/x/image and update config
- Add explicit requirement for golang.org/x/image v0.39.0 to override
gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
- Update result_test.go constant alignment
- Add cx_config_file_path to integration config
* Vulnerability fixes and ci changes
* Fix transitive CVE vulnerabilities without go mod tidy
- Add explicit golang.org/x/image v0.41.0 override (CVE-2026-33813, CVE-2026-46599)
pulled transitively through gonum.org/v1/gonum v0.17.0
- Add explicit github.com/opencontainers/runc v1.3.4 (CVE-2025-52881)
pulled transitively through github.com/Microsoft/hcsshim v0.15.0-rc.1
- Add explicit github.com/go-jose/go-jose/v3 v3.0.5 (CVE-2026-34986)
pulled transitively through github.com/containerd/containerd v1.7.32
- Add explicit github.com/cilium/ebpf v0.17.3 (transitive upgrade)
Note: do not run go mod tidy on this module — it strips these security
overrides because the packages are indirect and not directly imported.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
* Added harden runner
* release workflow - comment out notify step
* Commenting the signing logic from dev-release
* Cx-One scan fixes for crypto
* Revert golang.org/x/crypto upgrade (v0.51.0 also vulnerable)
Reverted golang.org/x/crypto from v0.51.0 back to v0.50.0 as v0.51.0
was also flagged as vulnerable by Checkmarx SCA.
CVE-2026-46595 & CVE-2026-39829 in golang.org/x/crypto v0.50.0 are
marked as Not Exploitable (NE) because:
1. CLI does NOT perform authorization logic (CVE-2026-46595)
- Authorization decisions are delegated to Git layer
2. CLI does NOT verify cryptographic signatures (CVE-2026-39829)
- No signature verification code in CLI
- SSH keys only used for Git authentication
3. Vulnerable code paths in x/crypto are not exercised by CLI
- Direct crypto imports (sha256, tls, etc) are from stdlib
- Indirect x/crypto usage limited to SSH authentication
Acceptable Risk: YES
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Co-authored-by: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com>
1 parent c9cbe49 commit 7200c50
22 files changed
Lines changed: 1142 additions & 387 deletions
File tree
- .github/workflows
- cmd
- internal
- commands
- kicsshutdown
- params
- services
- realtimeengine/iacrealtime
- wrappers
- mock
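The first commit in the message replaces reading the KICS container name out of the viper config store from a signal handler with a dedicated, thread-safe holder. The following is an added illustration of that pattern and is not the project's kicsshutdown package; the type `ContainerRegistry`, the `Stopper` callback and the `HandleShutdown` function are hypothetical names chosen for this example. The handler takes the signal channel and the stop function as parameters so the SIGTERM path can be exercised without Docker or a real signal.

```go
package main

import (
	"fmt"
	"os"
	"os/signal"
	"sync"
	"syscall"
)

// ContainerRegistry holds the name of the running KICS container so a signal
// handler can find it without reading an unsynchronised config store.
// Hypothetical illustration, not the project's kicsshutdown package.
type ContainerRegistry struct {
	mu   sync.RWMutex
	name string
}

// Set records the container name once the scan container has started.
func (r *ContainerRegistry) Set(name string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.name = name
}

// Get returns the current name and whether one has been registered.
func (r *ContainerRegistry) Get() (string, bool) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.name, r.name != ""
}

// Clear forgets the name after the container has been stopped, so a second
// signal does not try to stop the same container twice.
func (r *ContainerRegistry) Clear() {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.name = ""
}

// Stopper is whatever actually stops a container (a Docker client call in a
// real CLI); it is injected so the handler can be tested without Docker.
type Stopper func(name string) error

// HandleShutdown blocks until one signal arrives on sigs, stops the registered
// container if there is one, and reports whether a stop was attempted.
func HandleShutdown(sigs <-chan os.Signal, reg *ContainerRegistry, stop Stopper) (stopped bool, err error) {
	<-sigs
	name, ok := reg.Get()
	if !ok {
		// Nothing started yet (or already cleaned up): nothing to stop.
		return false, nil
	}
	err = stop(name)
	reg.Clear()
	return true, err
}

func main() {
	reg := &ContainerRegistry{}
	sigs := make(chan os.Signal, 1)
	// Install the handler before the container starts so a signal that lands
	// during startup is not lost.
	signal.Notify(sigs, syscall.SIGTERM, syscall.SIGINT)

	// Constructed container name standing in for the one the scan would create.
	reg.Set("kics-scan-constructed-example")

	fmt.Println("waiting for SIGTERM/SIGINT (press Ctrl-C)...")
	stopped, err := HandleShutdown(sigs, reg, func(name string) error {
		fmt.Println("stopping container", name)
		return nil
	})
	fmt.Println("stopped:", stopped, "err:", err)
}
```

Run stand-alone, the program waits for Ctrl-C and then reports the stop. The point of the design is that the only shared state between the scan goroutine and the signal handler is guarded by one mutex, and `Clear` after a successful stop makes the cleanup idempotent.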
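The "Fix transitive CVE vulnerabilities without go mod tidy" commit pins patched versions of modules that are only reached transitively and warns that tidying the module can drop those pins. A CI gate that fails when a floor version is missing or regressed is the usual defence. The code below is an added example, not part of ast-cli; the `sampleGoMod` fragment is constructed (it deliberately leaves golang.org/x/image at v0.39.0, below the v0.41.0 floor the message names), `MinimumVersions`, `ParseRequires`, `CompareVersions` and `CheckFloors` are hypothetical names, and the version comparison is a simplified semver that treats a Go pseudo-version suffix as a pre-release.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed go.mod fragment: the overrides the commit describes, with
// golang.org/x/image left one floor behind on purpose.
const sampleGoMod = `module example.com/ast-cli-constructed

go 1.26.3

require (
	github.com/opencontainers/runc v1.3.4 // indirect
	golang.org/x/image v0.39.0 // indirect
	github.com/go-jose/go-jose/v3 v3.0.5 // indirect
)

require github.com/cilium/ebpf v0.17.3 // indirect
`

// MinimumVersions are the floors the gate enforces, taken from the versions
// the commit message names (v0.41.0 for x/image).
var MinimumVersions = map[string]string{
	"golang.org/x/image":             "v0.41.0",
	"github.com/opencontainers/runc": "v1.3.4",
	"github.com/go-jose/go-jose/v3":  "v3.0.5",
	"github.com/cilium/ebpf":         "v0.17.3",
}

// ParseRequires maps module path -> version for every require entry, whether
// inside a require block or on a single-line require.
func ParseRequires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" etc.
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				out[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				out[f[0]] = f[1]
			}
		}
	}
	return out
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre]" into numbers and a pre-release tag.
func parseSemver(v string) (nums [3]int, pre string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	return nums, pre
}

// CompareVersions returns -1, 0 or 1. Simplified semver: numeric core first;
// a pre-release (which is what a pseudo-version like v0.36.1-0.2026... is)
// sorts below the release with the same core; two pre-releases compare as strings.
func CompareVersions(a, b string) int {
	an, ap := parseSemver(a)
	bn, bp := parseSemver(b)
	for i := 0; i < 3; i++ {
		if an[i] < bn[i] {
			return -1
		}
		if an[i] > bn[i] {
			return 1
		}
	}
	switch {
	case ap == bp:
		return 0
	case ap == "":
		return 1
	case bp == "":
		return -1
	case ap < bp:
		return -1
	}
	return 1
}

// CheckFloors lists every module that is absent from go.mod (an override that
// was tidied away) or pinned below its floor, sorted for stable output.
func CheckFloors(gomod string, floors map[string]string) []string {
	have := ParseRequires(gomod)
	var problems []string
	for mod, min := range floors {
		got, ok := have[mod]
		switch {
		case !ok:
			problems = append(problems, mod+": missing (override dropped?)")
		case CompareVersions(got, min) < 0:
			problems = append(problems, fmt.Sprintf("%s: %s < %s", mod, got, min))
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	for _, p := range CheckFloors(sampleGoMod, MinimumVersions) {
		fmt.Println("FLOOR VIOLATION:", p)
	}
}
```

In a pipeline this would read the real go.mod after `go mod tidy` (or `go list -m all` output) and exit non-zero on any violation, so an override silently dropped by tidying fails the build instead of re-exposing the CVE.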