Skip to content

prod - Reverse merge#45

Merged
vignesh-testsigma merged 6 commits into
devfrom
prod
May 7, 2026
Merged

prod - Reverse merge#45
vignesh-testsigma merged 6 commits into
devfrom
prod

Conversation

@vignesh-testsigma
Copy link
Copy Markdown
Contributor

@vignesh-testsigma vignesh-testsigma commented May 7, 2026

No description provided.

vikram-chaitanya and others added 6 commits March 17, 2026 13:58
@vikram-chaitanya
Merge pull request #43 from testsigmahq/dev
4d88b3c 
Dev -> main merge
@vikram-chaitanya @claude
fix: improve security scan to use CycloneDX SBOM for accurate vulnera…
846d691 
…bility detection

Switch from scanning Gradle cache dir to generating a proper CycloneDX SBOM
via the cyclonedx-gradle-plugin and feeding it to Grype. This ensures shaded/fat
JARs (e.g. testsigma-java-sdk) have their bundled transitive dependencies fully
resolved and reported, closing the gap where 'dir:' scanning missed embedded libs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@vikram-chaitanya @claude
fix: enhance security scan with JAR collection, syft SBOM, and Trivy
7a9fa46 
Replace the Gradle CycloneDX plugin approach with a proper multi-stage scan:
- Add Gradle init-script step that copies runtimeClasspath JARs into .dep-jars/
  inside the workspace (no cache-path guessing, workspace-mounted so syft sees them)
- Add scan-target fallback step that warns and falls back to source scan if no JARs
- Switch SBOM generation to anchore/sbom-action (syft), which reads
  META-INF/maven/*/pom.properties from each JAR — correctly surfaces bundled
  dependencies inside fat/shaded JARs (e.g. testsigma-java-sdk's embedded
  jackson-databind 2.12.1 that the Gradle plugin missed)
- Feed the syft SBOM into both Grype (SARIF) and Trivy (JSON) for dual-scanner coverage
- Remove org.cyclonedx.bom Gradle plugin; SBOM generation is now CI-only

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@vikram-chaitanya @claude
fix: upgrade vulnerable dependencies and bump version to 1.2.25_cloud
cdb6dfc 
- org.json:json 20160810 → 20231013 (CVE-2022-45688, CVE-2023-5072)
- org.testng:testng 7.4.0 → 7.7.0 (CVE-2022-4065)
- org.apache.commons:commons-lang3 3.12.0 → 3.18.0 (CVE-2025-48924)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@vikram-chaitanya
Updated testng version to 7.10.2
da5f19b
@vikram-chaitanya
version updated to 1.2.26_cloud
5173b2b
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 7, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 178b494c-457d-44f4-b0bd-51f93d10a415

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch prod

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

  • Generate code and open pull requests
  • Plan features and break down work
  • Investigate incidents and troubleshoot customer tickets together
  • Automate recurring tasks and respond to alerts with triggers
  • Summarize progress and report instantly

Built for teams:

  • Shared memory across your entire org—no repeating context
  • Per-thread sandboxes to safely plan and execute work
  • Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@vignesh-testsigma vignesh-testsigma merged commit 61bc52f into dev May 7, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jayavel-testsigma jayavel-testsigma jayavel-testsigma approved these changes

@rahul-testsigma rahul-testsigma rahul-testsigma approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@vignesh-testsigma @jayavel-testsigma @rahul-testsigma @vikram-chaitanya