Other/release integration (AST-151150)#1502

Closed
cx-hitesh-madgulkar wants to merge 38 commits into
mainfrom
other/release-integration

Conversation

@cx-hitesh-madgulkar

Contributor

By submitting this pull request, you agree to the terms within the Checkmarx Code of Conduct. Please review the contributing guidelines for guidance on creating high-quality pull requests.

Description

Please provide a summary of the changes and the related issue. Include relevant motivation and context.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Checklist

  • I have performed a self-review of my code
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • Any dependent changes have been merged and published in downstream modules
  • I have updated the CLI help for new/changed functionality in this PR (if applicable)
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used

cx-atish-jadhav and others added 30 commits May 26, 2026 14:01
…support

- Create kicsshutdown package with thread-safe container name management
- Update signal handler to read container name from kicsshutdown instead of viper
- Prevents race conditions during SIGTERM cleanup
- Add support for OneAssist license in addition to Developer Assist
- Update GetUniqueID() to check both license types
…oject/application management improvements

- Add CodeFlow and ThreadFlow support to SARIF result structures with new types
- Extend BaseIncludeFilters with 41 additional file type patterns
- Enhance applications.go with project association polling and duplicate prevention
- Update result.go with CodeFlow handling in SARIF serialization
- Add IsInSource and CommitURL fields to SarifResultProperties
- Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
- Change IaCS and KICS filter flags from String to StringSlice in scan.go

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
- Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
- Upgrade anchore/stereoscope to v0.2.0
- Upgrade google.golang.org/grpc to v1.80.0
- Upgrade gonum to v0.17.0
- Upgrade containerd/v2 to v2.3.1
- Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
- Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
- Upgrade Go version to 1.26.3

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…nd opencontainers/runc

- Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
- Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
- Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
- Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package
k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0
during SCA vulnerability remediation.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
- Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
- Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
- Extract repeated string to constant in result_test.go (goconst lint fix)
- Add explicit requirement for golang.org/x/image v0.39.0 to override
  gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
- Update result_test.go constant alignment
- Add cx_config_file_path to integration config
…support

- Create kicsshutdown package with thread-safe container name management
- Update signal handler to read container name from kicsshutdown instead of viper
- Prevents race conditions during SIGTERM cleanup
- Add support for OneAssist license in addition to Developer Assist
- Update GetUniqueID() to check both license types
…oject/application management improvements

- Add CodeFlow and ThreadFlow support to SARIF result structures with new types
- Extend BaseIncludeFilters with 41 additional file type patterns
- Enhance applications.go with project association polling and duplicate prevention
- Update result.go with CodeFlow handling in SARIF serialization
- Add IsInSource and CommitURL fields to SarifResultProperties
- Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
- Change IaCS and KICS filter flags from String to StringSlice in scan.go

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
- Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
- Upgrade anchore/stereoscope to v0.2.0
- Upgrade google.golang.org/grpc to v1.80.0
- Upgrade gonum to v0.17.0
- Upgrade containerd/v2 to v2.3.1
- Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
- Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
- Upgrade Go version to 1.26.3

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…nd opencontainers/runc

- Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
- Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
- Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
- Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package
k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0
during SCA vulnerability remediation.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
- Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
- Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
- Extract repeated string to constant in result_test.go (goconst lint fix)
- Add explicit requirement for golang.org/x/image v0.39.0 to override
  gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
- Update result_test.go constant alignment
- Add cx_config_file_path to integration config
- Add explicit golang.org/x/image v0.41.0 override (CVE-2026-33813, CVE-2026-46599)
  pulled transitively through gonum.org/v1/gonum v0.17.0
- Add explicit github.com/opencontainers/runc v1.3.4 (CVE-2025-52881)
  pulled transitively through github.com/Microsoft/hcsshim v0.15.0-rc.1
- Add explicit github.com/go-jose/go-jose/v3 v3.0.5 (CVE-2026-34986)
  pulled transitively through github.com/containerd/containerd v1.7.32
- Add explicit github.com/cilium/ebpf v0.17.3 (transitive upgrade)

Note: do not run go mod tidy on this module — it strips these security
overrides because the packages are indirect and not directly imported.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
cx-atish-jadhav and others added 6 commits June 8, 2026 22:12
Reverted golang.org/x/crypto from v0.51.0 back to v0.50.0 as v0.51.0
also flagged as vulnerable by Checkmarx SCA.

CVE-2026-46595 & CVE-2026-39829 in golang.org/x/crypto v0.50.0 are
marked as Not Exploitable (NE) because:

1. CLI does NOT perform authorization logic (CVE-2026-46595)
   - Authorization decisions are delegated to Git layer

2. CLI does NOT verify cryptographic signatures (CVE-2026-39829)
   - No signature verification code in CLI
   - SSH keys only used for Git authentication

3. Vulnerable code paths in x/crypto are not exercised by CLI
   - Direct crypto imports (sha256, tls, etc) are from stdlib
   - Indirect x/crypto usage limited to SSH authentication

Acceptable Risk: YES

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
commit 372c01c
Author: Ohad Israeli <243351248+cx-ohad-israeli@users.noreply.github.com>
Date:   Wed Jun 10 17:39:16 2026 +0300

    chore: remove Dependabot configuration

commit fcc941d
Author: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com>
Date:   Tue Jun 9 17:30:06 2026 +0100

    Comment out Docker image signature verification step in release workflow (#1500)

commit 7200c50
Author: Atish Jadhav <141334503+cx-atish-jadhav@users.noreply.github.com>
Date:   Tue Jun 9 14:57:11 2026 +0530

    Bugs remediation and Salesforce tickets resolution(AST-146432) (#1499)

    * Fix KICS container shutdown race condition and add OneAssist license support

    - Create kicsshutdown package with thread-safe container name management
    - Update signal handler to read container name from kicsshutdown instead of viper
    - Prevents race conditions during SIGTERM cleanup
    - Add support for OneAssist license in addition to Developer Assist
    - Update GetUniqueID() to check both license types

    * Integrate file updates: SARIF enhancements, filters expansion, and project/application management improvements

    - Add CodeFlow and ThreadFlow support to SARIF result structures with new types
    - Extend BaseIncludeFilters with 41 additional file type patterns
    - Enhance applications.go with project association polling and duplicate prevention
    - Update result.go with CodeFlow handling in SARIF serialization
    - Add IsInSource and CommitURL fields to SarifResultProperties
    - Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
    - Change IaCS and KICS filter flags from String to StringSlice in scan.go

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * Fix SCA vulnerabilities: update dependencies to patched versions

    - Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
    - Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
    - Upgrade anchore/stereoscope to v0.2.0
    - Upgrade google.golang.org/grpc to v1.80.0
    - Upgrade gonum to v0.17.0
    - Upgrade containerd/v2 to v2.3.1
    - Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
    - Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
    - Upgrade Go version to 1.26.3

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * Fix additional SCA vulnerabilities: containerd, golang.org/x/image, and opencontainers/runc

    - Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
    - Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
    - Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
    - Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * Fix k8s.io/kubectl version mismatch after SCA dependency upgrades

    Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package
    k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0
    during SCA vulnerability remediation.

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * create CLAUDE.md file for ast-cli repo

    * Updated filters.go

    * fix failing unit test case

    * trivy and integration check fixes

    * CVE-2026-33813: fixing cxone scan vulnerability

    * Fix CVE vulnerabilities and lint issues

    - Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
    - Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
    - Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
    - Extract repeated string to constant in result_test.go (goconst lint fix)

    * Override transitive golang.org/x/image and update config

    - Add explicit requirement for golang.org/x/image v0.39.0 to override
      gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
    - Update result_test.go constant alignment
    - Add cx_config_file_path to integration config

    * Fix KICS container shutdown race condition and add OneAssist license support

    - Create kicsshutdown package with thread-safe container name management
    - Update signal handler to read container name from kicsshutdown instead of viper
    - Prevents race conditions during SIGTERM cleanup
    - Add support for OneAssist license in addition to Developer Assist
    - Update GetUniqueID() to check both license types

    * Integrate file updates: SARIF enhancements, filters expansion, and project/application management improvements

    - Add CodeFlow and ThreadFlow support to SARIF result structures with new types
    - Extend BaseIncludeFilters with 41 additional file type patterns
    - Enhance applications.go with project association polling and duplicate prevention
    - Update result.go with CodeFlow handling in SARIF serialization
    - Add IsInSource and CommitURL fields to SarifResultProperties
    - Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
    - Change IaCS and KICS filter flags from String to StringSlice in scan.go

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * Fix SCA vulnerabilities: update dependencies to patched versions

    - Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
    - Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
    - Upgrade anchore/stereoscope to v0.2.0
    - Upgrade google.golang.org/grpc to v1.80.0
    - Upgrade gonum to v0.17.0
    - Upgrade containerd/v2 to v2.3.1
    - Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
    - Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
    - Upgrade Go version to 1.26.3

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * Fix additional SCA vulnerabilities: containerd, golang.org/x/image, and opencontainers/runc

    - Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
    - Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
    - Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
    - Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * Fix k8s.io/kubectl version mismatch after SCA dependency upgrades

    Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package
    k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0
    during SCA vulnerability remediation.

    Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

    * create CLAUDE.md file for ast-cli repo

    * Updated filters.go

    * fix failing unit test case

    * trivy and integration check fixes

    * CVE-2026-33813: fixing cxone scan vulnerability

    * Fix CVE vulnerabilities and lint issues

    - Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
    - Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
    - Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
    - Extract repeated string to constant in result_test.go (goconst lint fix)

    * Override transitive golang.org/x/image and update config

    - Add explicit requirement for golang.org/x/image v0.39.0 to override
      gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
    - Update result_test.go constant alignment
    - Add cx_config_file_path to integration config

    * Vulnerability fixes and ci changes

    * Fix transitive CVE vulnerabilities without go mod tidy

    - Add explicit golang.org/x/image v0.41.0 override (CVE-2026-33813, CVE-2026-46599)
      pulled transitively through gonum.org/v1/gonum v0.17.0
    - Add explicit github.com/opencontainers/runc v1.3.4 (CVE-2025-52881)
      pulled transitively through github.com/Microsoft/hcsshim v0.15.0-rc.1
    - Add explicit github.com/go-jose/go-jose/v3 v3.0.5 (CVE-2026-34986)
      pulled transitively through github.com/containerd/containerd v1.7.32
    - Add explicit github.com/cilium/ebpf v0.17.3 (transitive upgrade)

    Note: do not run go mod tidy on this module — it strips these security
    overrides because the packages are indirect and not directly imported.

    Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

    * Added harden runner

    * release workflow - comment out notify step

    * Commenting the signing logic from dev-release

    * Cx-One scan fixes for crypto

    * Revert golang.org/x/crypto upgrade (v0.51.0 also vulnerable)

    Reverted golang.org/x/crypto from v0.51.0 back to v0.50.0 as v0.51.0
    also flagged as vulnerable by Checkmarx SCA.

    CVE-2026-46595 & CVE-2026-39829 in golang.org/x/crypto v0.50.0 are
    marked as Not Exploitable (NE) because:

    1. CLI does NOT perform authorization logic (CVE-2026-46595)
       - Authorization decisions are delegated to Git layer

    2. CLI does NOT verify cryptographic signatures (CVE-2026-39829)
       - No signature verification code in CLI
       - SSH keys only used for Git authentication

    3. Vulnerable code paths in x/crypto are not exercised by CLI
       - Direct crypto imports (sha256, tls, etc) are from stdlib
       - Indirect x/crypto usage limited to SSH authentication

    Acceptable Risk: YES

    Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

    ---------

    Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
    Co-authored-by: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com>
Conflicts resolved by taking all changes from release-integration branch.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
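The remediation commits above pin transitive modules (golang.org/x/image, runc, go-jose, cilium/ebpf) at fixed versions and warn that `go mod tidy` strips those overrides because the packages are not directly imported. The following is an added example, not ast-cli project code, of a check a CI step could run over go.mod to catch a dropped or downgraded override before a release: it parses the `require` directives, orders versions the way Go module versions order (semver core, prerelease identifiers, and pseudo-versions such as v3.0.1-0.20260120145532-40594bd98e6d sorting before v3.0.1), and compares each pinned module against a minimum. The minimum versions are the ones named in the commit messages; the go.mod fragment is constructed for the example, and the set of modules the gate covers is an assumption.

```python
"""Verify that go.mod still carries the security overrides at or above the fixed versions.

Added example for this PR page (not ast-cli code). It guards against the
failure mode the commit messages describe: `go mod tidy` dropping an
indirect requirement that was added only to force a patched version.
"""
import re

# Minimum versions taken from the PR's remediation commits. Which modules a
# gate should cover is an assumption for this example.
MIN_VERSIONS = {
    "golang.org/x/image": "v0.41.0",                # CVE-2026-33813, CVE-2026-46599
    "github.com/opencontainers/runc": "v1.3.4",     # CVE-2025-52881
    "github.com/go-jose/go-jose/v3": "v3.0.5",      # CVE-2026-34986
    "github.com/containerd/containerd": "v1.7.32",  # CVE-2026-46680
    "github.com/cilium/ebpf": "v0.17.3",            # transitive upgrade
}

# Constructed go.mod fragment: two overrides intact, one too old, and two
# absent (the state a `go mod tidy` run could leave behind).
SAMPLE_GO_MOD = """\
module github.com/example/cli

go 1.26.3

require (
\tgithub.com/containerd/containerd v1.7.32 // indirect
\tgithub.com/go-jose/go-jose/v3 v3.0.5 // indirect
\tgithub.com/opencontainers/runc v1.3.3 // indirect
\tgonum.org/v1/gonum v0.17.0
)
"""

_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def version_key(version):
    """Sort key implementing semver precedence for Go module versions.

    A pseudo-version (v3.0.1-0.<timestamp>-<hash>) is a prerelease of v3.0.1
    and therefore sorts before it; numeric prerelease identifiers compare
    numerically and rank below alphanumeric ones, as semver specifies.
    """
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a Go module version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (major, minor, patch, 1, ())  # a release outranks any prerelease
    idents = tuple(
        (0, int(p), "") if p.isdigit() else (1, 0, p) for p in pre.split(".")
    )
    return (major, minor, patch, 0, idents)


def parse_requires(go_mod_text):
    """Return {module path: version} for single-line and block `require` directives."""
    reqs = {}
    in_block = False
    for raw in go_mod_text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop "// indirect" and other comments
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
            else:
                parts = line.split()
                if len(parts) == 2:
                    reqs[parts[0]] = parts[1]
        elif line == "require (":
            in_block = True
        elif line.startswith("require "):
            parts = line.split()
            if len(parts) == 3:
                reqs[parts[1]] = parts[2]
    return reqs


def check_overrides(go_mod_text, minimums=MIN_VERSIONS):
    """Return (module, required, minimum, status) per module; status is ok, too-old or missing."""
    reqs = parse_requires(go_mod_text)
    findings = []
    for module, minimum in sorted(minimums.items()):
        have = reqs.get(module)
        if have is None:
            findings.append((module, None, minimum, "missing"))
        elif version_key(have) < version_key(minimum):
            findings.append((module, have, minimum, "too-old"))
        else:
            findings.append((module, have, minimum, "ok"))
    return findings


def failures(go_mod_text, minimums=MIN_VERSIONS):
    """Only the findings that should fail a CI gate."""
    return [f for f in check_overrides(go_mod_text, minimums) if f[3] != "ok"]


if __name__ == "__main__":
    for module, have, minimum, status in check_overrides(SAMPLE_GO_MOD):
        print(f"{status:8} {module}  have={have}  min={minimum}")
    raise SystemExit(1 if failures(SAMPLE_GO_MOD) else 0)
```

Run against a real go.mod by reading the file into `check_overrides`; a non-zero exit on any `missing` or `too-old` finding is what turns the "do not run go mod tidy" note into an enforced check rather than a reminder. Because a `require` line is also what `go mod tidy` would drop, the check reads go.mod directly rather than the build list, so it fails exactly when the override is gone.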
@stepsecurity-app

Contributor

Security Policy Alert: Actions Policy Violation

This workflow run has been blocked by StepSecurity's actions policy.

Disallowed Actions:

  • aidar-freeed/ai-codereviewer@a9a064dfa1db8c83f40ef63f6e247fa09c935ed6

To fix this issue, please modify the workflow to use only allowed actions. Contact your organization administrator to request changes to the allowed actions list if needed.

For more information, see StepSecurity's Actions Policy documentation.

3 participants