Merge remote-tracking branch 'refs/remotes/origin/CM-63882-cli-fix-scan-type-validation' into CM-63882-cli-fix-scan-type-validation

aaron-butler-cy-int · aaron-butler-cy-int · commit 55b070ed606f · 2026-05-21T09:28:53.000-04:00
diff --git a/.github/workflows/build_executable.yml b/.github/workflows/build_executable.yml
@@ -38,7 +38,7 @@ jobs:
     steps:
       - name: Run Cimon
         if: matrix.os == 'ubuntu-22.04'
-        uses: cycodelabs/cimon-action@f99ad5557cb80964bc2b2e76a47bf4b5ba6e323b # v0.10.0
+        uses: cycodelabs/cimon-action@3ca67e875f34772093aa3bf3c185a711720bf5d9 # v0.10.1
         with:
           client-id: ${{ secrets.CIMON_CLIENT_ID }}
           secret: ${{ secrets.CIMON_SECRET }}
@@ -68,7 +68,7 @@ jobs:
 
       - name: Load cached Poetry setup
         id: cached-poetry
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.local
           key: poetry-${{ matrix.os }}-2  # increment to reset cache
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -37,7 +37,7 @@ jobs:
 
       - name: Load cached Poetry setup
         id: cached_poetry
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.local
           key: poetry-ubuntu-1  # increment to reset cache
@@ -76,7 +76,7 @@ jobs:
       - name: Build and push
         id: docker_build
         if: ${{ github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/v') }}
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           platforms: linux/amd64,linux/arm64
@@ -86,7 +86,7 @@ jobs:
       - name: Verify build
         id: docker_verify_build
         if: ${{ github.event_name != 'workflow_dispatch' && !startsWith(github.ref, 'refs/tags/v') }}
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           context: .
           platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/pre_release.yml b/.github/workflows/pre_release.yml
@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Run Cimon
-        uses: cycodelabs/cimon-action@f99ad5557cb80964bc2b2e76a47bf4b5ba6e323b # v0.10.0
+        uses: cycodelabs/cimon-action@3ca67e875f34772093aa3bf3c185a711720bf5d9 # v0.10.1
         with:
           client-id: ${{ secrets.CIMON_CLIENT_ID }}
           secret: ${{ secrets.CIMON_SECRET }}
@@ -39,7 +39,7 @@ jobs:
 
       - name: Load cached Poetry setup
         id: cached-poetry
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.local
           key: poetry-ubuntu-1  # increment to reset cache
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Run Cimon
-        uses: cycodelabs/cimon-action@f99ad5557cb80964bc2b2e76a47bf4b5ba6e323b # v0.10.0
+        uses: cycodelabs/cimon-action@3ca67e875f34772093aa3bf3c185a711720bf5d9 # v0.10.1
         with:
           client-id: ${{ secrets.CIMON_CLIENT_ID }}
           secret: ${{ secrets.CIMON_SECRET }}
@@ -38,7 +38,7 @@ jobs:
 
       - name: Load cached Poetry setup
         id: cached-poetry
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.local
           key: poetry-ubuntu-1  # increment to reset cache
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Run Cimon
-        uses: cycodelabs/cimon-action@f99ad5557cb80964bc2b2e76a47bf4b5ba6e323b # v0.10.0
+        uses: cycodelabs/cimon-action@3ca67e875f34772093aa3bf3c185a711720bf5d9 # v0.10.1
         with:
           client-id: ${{ secrets.CIMON_CLIENT_ID }}
           secret: ${{ secrets.CIMON_SECRET }}
@@ -30,7 +30,7 @@ jobs:
 
       - name: Load cached Poetry setup
         id: cached-poetry
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.local
           key: poetry-ubuntu-1  # increment to reset cache
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -11,7 +11,7 @@ jobs:
 
     steps:
       - name: Run Cimon
-        uses: cycodelabs/cimon-action@f99ad5557cb80964bc2b2e76a47bf4b5ba6e323b # v0.10.0
+        uses: cycodelabs/cimon-action@3ca67e875f34772093aa3bf3c185a711720bf5d9 # v0.10.1
         with:
           client-id: ${{ secrets.CIMON_CLIENT_ID }}
           secret: ${{ secrets.CIMON_SECRET }}
@@ -32,7 +32,7 @@ jobs:
 
       - name: Load cached Poetry setup
         id: cached-poetry
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.local
           key: poetry-ubuntu-1  # increment to reset cache
diff --git a/.github/workflows/tests_full.yml b/.github/workflows/tests_full.yml
@@ -24,7 +24,7 @@ jobs:
     steps:
       - name: Run Cimon
         if: matrix.os == 'ubuntu-latest'
-        uses: cycodelabs/cimon-action@f99ad5557cb80964bc2b2e76a47bf4b5ba6e323b # v0.10.0
+        uses: cycodelabs/cimon-action@3ca67e875f34772093aa3bf3c185a711720bf5d9 # v0.10.1
         with:
           client-id: ${{ secrets.CIMON_CLIENT_ID }}
           secret: ${{ secrets.CIMON_SECRET }}
@@ -47,7 +47,7 @@ jobs:
 
       - name: Load cached Poetry setup
         id: cached-poetry
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.local
           key: poetry-${{ matrix.os }}-${{ matrix.python-version }}-3  # increment to reset cache
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1 +1 @@
-* @elsapet @gotbadger @mateusz-sterczewski
+* @avishaiamiel @omerr-cycode
diff --git a/README.md b/README.md
@@ -21,6 +21,7 @@ This guide walks you through both installation and usage.
     2. [Available Options](#available-options)
     3. [MCP Tools](#mcp-tools)
     4. [Usage Examples](#usage-examples)
+    5. [Advanced Configuration](#advanced-configuration)
 5. [Platform Command](#platform-command-beta)
     1. [Discovering Commands](#discovering-commands)
     2. [Examples](#platform-examples)
@@ -559,6 +560,38 @@ cycode mcp -t streamable-http -H 127.0.0.2 -p 9000 &
 }
 ```
 
+### Advanced Configuration 
+##### Custom Certificates and Timeouts (Proxy Environments)
+
+If your organization uses a corporate proxy or a custom CA bundle for HTTPS inspection, you need to tell Cycode CLI (and the underlying Python TLS stack) where to find the trusted certificate bundle. You can also increase the MCP tool call timeout if scans are being cut short.
+
+| Environment Variable | Description |
+|----------------------|-------------|
+| `REQUESTS_CA_BUNDLE` | Path to a custom CA bundle file (`.pem` or `.crt`). Used by the `requests` library for all HTTPS calls made by Cycode CLI. |
+| `SSL_CERT_FILE`      | Path to a custom CA bundle file. Used by Python's low-level `ssl` module. Set this alongside `REQUESTS_CA_BUNDLE` for full coverage. |
+| `MCP_TOOL_TIMEOUT`   | Timeout (in seconds) that MCP clients such as Claude and GitHub Copilot wait for a tool call to complete. Increase this if long-running scans are being cut off before they finish. |
+
+> [!TIP]
+> Set both `REQUESTS_CA_BUNDLE` and `SSL_CERT_FILE` to the same CA bundle path. `REQUESTS_CA_BUNDLE` covers the HTTP layer; `SSL_CERT_FILE` covers the lower-level TLS layer. Using only one may still cause certificate errors in some environments.
+
+Example `mcp.json` configuration with custom certificates and a longer timeout:
+
+```json
+{
+  "mcpServers": {
+    "cycode": {
+      "command": "cycode",
+      "args": ["mcp"],
+      "env": {
+        "REQUESTS_CA_BUNDLE": "/path/to/your/corporate-ca-bundle.pem",
+        "SSL_CERT_FILE": "/path/to/your/corporate-ca-bundle.pem",
+        "MCP_TOOL_TIMEOUT": "1800"
+      }
+    }
+  }
+}
+```
+
 > [!NOTE]
 > The MCP server requires proper Cycode CLI authentication to function. Make sure you have authenticated using `cycode auth` or configured your credentials before starting the MCP server.
 
@@ -608,6 +641,8 @@ This information can be helpful when:
 - Identifying authentication problems
 - Debugging transport-specific issues
 
+### MCP Configuration
+
 
 # Platform Command \[BETA\]
 
diff --git a/cycode/cli/files_collector/sca/maven/restore_maven_dependencies.py b/cycode/cli/files_collector/sca/maven/restore_maven_dependencies.py
@@ -1,3 +1,4 @@
+import json
 from os import path
 from pathlib import Path
 from typing import Optional
@@ -20,6 +21,16 @@
 MAVEN_DEP_TREE_FILE_NAME = 'bcde.mvndeps'
 
 
+def _has_dependency_graph(bom_content: Optional[str]) -> bool:
+    try:
+        if not bom_content:
+            return False
+        bom = json.loads(bom_content)
+        return any(dep.get('dependsOn') for dep in bom.get('dependencies', []))
+    except Exception:
+        return False
+
+
 class RestoreMavenDependencies(BaseRestoreDependencies):
     def __init__(self, ctx: typer.Context, is_git_diff: bool, command_timeout: int) -> None:
         super().__init__(ctx, is_git_diff, command_timeout)
@@ -46,8 +57,16 @@ def try_restore_dependencies(self, document: Document) -> Optional[Document]:
         if document.content is None:
             return self.restore_from_secondary_command(document, manifest_file_path)
 
-        # super() reads the content and cleans up any generated file; no re-read needed
-        return super().try_restore_dependencies(document)
+        restore_dependencies_document = super().try_restore_dependencies(document)
+        if restore_dependencies_document is None:
+            return None
+
+        if not _has_dependency_graph(restore_dependencies_document.content):
+            fallback = self.restore_from_secondary_command(document, manifest_file_path)
+            if fallback is not None and fallback.content is not None:
+                return fallback
+
+        return restore_dependencies_document
 
     def restore_from_secondary_command(self, document: Document, manifest_file_path: str) -> Optional[Document]:
         restore_content = execute_commands(
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -37,13 +37,13 @@ click = ">=8.1.0,<8.2.0"
 colorama = ">=0.4.3,<0.5.0"
 pyyaml = ">=6.0,<7.0"
 marshmallow = ">=3.15.0,<4.0.0"
-gitpython = ">=3.1.47,<3.2.0"
+gitpython = ">=3.1.50,<3.2.0"
 arrow = ">=1.0.0,<1.5.0"
 requests = ">=2.32.4,<3.0"
 urllib3 = ">=2.4.0,<3.0.0"
 pyjwt = ">=2.8.0,<3.0"
 rich = ">=13.9.4, <14"
-patch-ng = "1.19.0"
+patch-ng = "1.19.1"
 typer = "^0.15.3"
 tenacity = ">=9.0.0,<9.1.0"
 mcp = { version = ">=1.9.3,<2.0.0", markers = "python_version >= '3.10'" }
@@ -60,7 +60,7 @@ pyfakefs = ">=5.7.2,<5.11.0"
 
 [tool.poetry.group.executable.dependencies]
 pyinstaller = {version=">=6.0.0,<7.0.0", python=">=3.9,<3.15"}
-dunamai = ">=1.18.0,<1.27.0"
+dunamai = ">=1.26.1,<1.27.0"
 
 [tool.poetry.group.dev.dependencies]
 ruff = "0.11.7"
diff --git a/tests/cli/files_collector/sca/test_restore_maven_dependencies.py b/tests/cli/files_collector/sca/test_restore_maven_dependencies.py

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-* @elsapet @gotbadger @mateusz-sterczewski`
	`1`	`+* @avishaiamiel @omerr-cycode`