checkmarx / ast-cli Goto Github PK

Hello!

I hope you are doing well!

We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security research to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.

Can you enable it, so that we can report it?

Thanks in advance!

PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

Is your request related to a workflow problem?

In our gitlab projects we are integrating ast-cli in pipeline execution for SAST scanning in checkmarxOne.
In older versions of checkmarx, cx-flow provided an option to generate output format gl-sast-report.json.

Is it planned to support this output format with ast-cli ?

Propose a solution

We tried to convert the existing cx_result.json into a compatible gl-sast-report.json, but some fields are missing to be compliant with the schema providen by Gitlab at https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/sast-report-format.json

Additional comments

Here the link to gitlab documentation: https://docs.gitlab.com/ee/user/application_security/sast/#reports-json-format.

Describe the bug

A clear and concise description of what the bug is.

Expected behavior

A clear and concise description of what you expected to happen.

Actual behavior

A clear and concise description of where the behavior differed from the expected behavior

Steps to reproduce

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Environment

• CLI version
• Platform (e.g. Windows 10 x64)

Additional comments

Add any other context about the problem here.

Logs

Paste the output from your CLI. Redact if needed.

Is your request related to a workflow problem?

I have some python projects on which requirements.txt files can have variable names like requirement[custom string].txt. Today, the CLI filters them and they are excluded from the scan.

Propose a solution

add "requirement*.txt" to the filters.

Currently, when trying to run the CLI dockerimage with the ScaResolver the run will fail, because the alpine image that is used for the ast-cli dockerimage is missing libraries that are required to run the ScaResolver.
The missing libraries are as follows (output from ldd)
ldd ScaResolver�[0;m
/lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
libdl.so.2 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
Error loading shared library libgcc_s.so.1: No such file or directory (needed by ScaResolver)
libz.so.1 => /lib/libz.so.1 (0x7f8cdb232000)
libm.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
librt.so.1 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)

Since the dockerimage is built to run as non root user these libraries cannot be added e. g. using apk..
E. g. if you try run this example, https://github.com/Checkmarx/ci-cd-integrations/blob/main/CxScaResolver/bitbucket-pipelines.yml
it will fail with an error like this:
Using SCA resolver: ./ScaResolver [offline -s ./ -n project-name -r /tmp/sca229206833.json --ignore-dev-dependencies true --log-level Debug]
2023/11/08 14:30:17
ScaResolver error: fork/exec ./ScaResolver: no such file or directory
If you look carefully you will notice that the github and azure examples use "ubuntu-latest" as the base image, which has the required libraries.

Describe the bug

The mac cli configure utility is broken

Expected behavior

$ cx configure <---enter user params here
$ cx configure show --> show save user params here

Actual behavior

$ cx configure show --> return empty line

Steps to reproduce

1. git clone the project in a Macbook (amd64)
2. follow go build procedure
3. add the compiled binary path into the shell $PATH
4. execute the command '$ cx configure' per quickstart document: https://checkmarx.atlassian.net/wiki/spaces/AST/pages/3080487576/CxAST+CLI+Quick+Start+Guide
5. execute the command '$ cx configure show' per document: https://checkmarx.atlassian.net/wiki/spaces/AST/pages/6046941983/configure+show

Environment

• CLI version: $ cx version --> 'dev' as of Jan 18 2021
• Platform (e.g. Windows 10 x64): MacOX amd64

Additional comments

Add any other context about the problem here.

Logs

Paste the output from your CLI. Redact if needed.

Please add documentation for supported OS versions incl. OS version numbers or ranges of numbers
E. g. Windows version xx or later
Thanks

Is your request related to a workflow problem?

A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Propose a solution

A clear and concise description of what you want to happen.

Additional comments

Add any other context, alternative solutions, current workarounds or screenshots about the request here.

Is your request related to a workflow problem?

When trying run the example with the SCA Resolver here: https://github.com/Checkmarx/ci-cd-integrations/blob/main/CxScaResolver/bitbucket-pipelines.yml
It fails because the ScaResolver does not have the required dependencies installed

Propose a solution

in the docker file add "apk add gcc"

Additional comments

Add any other context, alternative solutions, current workarounds or screenshots about the request here.

Describe the bug

When I launch a new scan, --file-filter param does not work for exclude files or folders

Steps to reproduce

I made some tests with CLI tool. I tried :

cx.exe scan create --project-name bodgeit -s https://github.com/psiinon/bodgeit.git --sast-preset-name "High and Medium" --file-filter "!test/,!advanced.jsp,!advanced.js" --branch "master" --debug

or

cx.exe scan create --project-name bodgeit -s https://github.com/psiinon/bodgeit.git --sast-preset-name "High and Medium" --file-filter "!test/,!advanced.jsp,!advanced.js,!root,!src" --branch "master" --debug

or

cx.exe scan create --project-name bodgeit -s https://github.com/psiinon/bodgeit.git --sast-preset-name "High and Medium" --file-filter "!test/,!advanced.jsp,!advanced.js,!root/*,!src/*" --branch "master" --debug

Environment

• CLI version : 2.0.12
• Platform : Windows 10 x64

Additional comments

Whit or without folders/files exclusions the number of vulnerabilities is always the same

Logs

`2022/02/22 17:29:10 Connected completed in: 156 (ms)

     Created At: 2022-02-22, 16:26:53
           Risk: High Risk
     Project ID: 3f72e3d2-2f2f-467f-a9b1-d5820e2c9e40
        Scan ID: 0f309a66-3a08-4df6-8348-2b90cf08c0ec
   Total Issues: 168
    High Issues: 70
  Medium Issues: 91
     Low Issues: 7
    Kics Issues: 3
  CxSAST Issues: 152
   CxSCA Issues: 13`

Is your request related to a workflow problem?

I haven't found a way to pull all the scan results in one single request(I mean all the scan results from all the sast projects), is there any way to perform this? Something I´m missing? right now I have only found to export the results with ./cx results show --scan-id , but it is limited to one scan id at a time

Propose a solution

A clear and concise description of what you want to happen.

Additional comments

Would be nice to export all the project vulnerabilities in one request and export to json

Is your request related to a workflow problem?

Yes. Once the scan data is validated by our analysts, it would be marked as 'Confirmed', then be dumped out into the json file. The additional filter will allow data filtering with a 'state' of 'CONFIRMED'. In order to support this workflow, a new filter type by 'state' could be built-into the sub-command.

Propose a solution

Support the result data filter by type 'state', such as below data flow:

import json
f=open("./cx_result.json","r")
data=json.load(f)
results=data['results']
results_conf = filter(lambda x: x['state']=='CONFIRMED', results)
print(list(results_conf))
[{'type': 'sast', 'id': '0', 'similarityId': '-1627780850', 'status': 'NEW', 'state': 'CONFIRMED', ...}}]

Additional comments

Refer to the '--filter ' flag section in the current implementation document here: https://checkmarx.atlassian.net/wiki/spaces/AST/pages/6025740424/result#Flags

Describe the bug

When running the contributor count utility, it throws an NPE when it encounters a repository that does not contain code. The enumeration ends.

Expected behavior

It should see the repo is empty and move on without stopping the enumeration.

Actual behavior

While enumerating an org's repos, it encountered a repo with no code in it. It threw an NPE and exited the program.

Steps to reproduce

1. Use a GitHub org (it probably does the same in other SCMs, I only tried GitHub)
2. Create a new repository, don't add any files to it.
3. Run the contributor count tool to enumerate the org.

Environment

CLI 2.0.58
Powershell on an unknown Windows version.

Additional comments

N/A

Logs

Add NTLM Proxy support as this has been an ongoing battle with existing plugins and lack of support.

Is your request related to a workflow problem?

The PR decoration tool generates a new comment every time a new commit is made to the pull request, which results in clutter. I would like the comment to be updated instead of generating a new one each time.

Propose a solution

I propose that the PR decoration tool should be modified to update the existing comment when a new commit is made to the pull request, rather than creating a new comment for each commit.

Additional comments

No additional comments at this time.

Describe the bug

After this new version, the option to generate pdf reports from ScanSummary broke the scan.
This is afecting your product ast-github-actions too.

Expected behavior

(...)
2024/04/09 16:37:15 Scan Finished with status: Completed
Scan Summary:
Created At: 2024-04-09, 16:33:15
Project Name: my-org/my-project
Scan ID: 123456-cccc-aaa-bbb-abcdefghijk

Actual behavior

2024/04/09 16:49:34 Scan status: Running
2024/04/09 16:49:43 Scan Finished with status: Completed
report option "scansummary" unavailable

Steps to reproduce

Run an test and generate a report

Environment

• 2.0.72 (MacOS)
• ast-github-actions (Main)

Additional comments

Logs

./cx scan create -s [email protected]:my-org/project --project-name my-org/projects -b feature/batata --ssh-key "/Users/user/.ssh/id_rsa" --scan-types sast,iac-security,sca --report-pdf-options Sast,Sca,Iac-Security,ScanSummary,ExecutiveSummary,ScanResults --report-format pdf
2024/04/09 16:47:04

Scanning branch feature/batata...

Scan ID :
Project ID :
Project Name : my-org/project
Status : Running
Created at : 04-09-24
Branch : feature/batata
Tags : []
Type : Full
Timeout : NONE
Initiator : my-user
Origin : ASTCLI 2.0.72
Engines : [ sast kics sca]

2024/04/09 16:47:05 Wait for scan to complete aaaaa-aaaa-aaaa-aaa-bbbbbbbbbb Running
2024/04/09 16:47:10 Scan status: Running
2024/04/09 16:47:16 Scan status: Running
2024/04/09 16:47:21 Scan status: Running
2024/04/09 16:47:27 Scan status: Running
2024/04/09 16:47:32 Scan status: Running
2024/04/09 16:47:39 Scan status: Running
2024/04/09 16:47:46 Scan status: Running
2024/04/09 16:47:52 Scan status: Running
2024/04/09 16:47:58 Scan status: Running
2024/04/09 16:48:05 Scan status: Running
2024/04/09 16:48:12 Scan status: Running
2024/04/09 16:48:20 Scan status: Running
2024/04/09 16:48:27 Scan status: Running
2024/04/09 16:48:35 Scan status: Running
2024/04/09 16:48:42 Scan status: Running
2024/04/09 16:48:50 Scan status: Running
2024/04/09 16:48:59 Scan status: Running
2024/04/09 16:49:07 Scan status: Running
2024/04/09 16:49:16 Scan status: Running
2024/04/09 16:49:24 Scan status: Running
2024/04/09 16:49:34 Scan status: Running
2024/04/09 16:49:43 Scan Finished with status: Completed
report option "scansummary" unavailable

Describe the bug

When trying to create a project with a "--groups" flag, it returns HTTP 404 Error

User creating the project is a member of that group and has the following ROLES:
CxONE Roles
- manage-application manage-feedbackapp manage-policy-management manage-project manage-webhook

Expected behavior

No error and project created with group specified.

Actual behavior

DEBUG MODE
2023/10/18 08:40:18 Sending API request to:
2023/10/18 08:40:18 GET /auth/realms//pip/groups?groupName=SupportNA HTTP/1.1
Host: ast.checkmarx.net
Authorization: Bearer ***
User-Agent: ASTCLI/2.0.59

2023/10/18 08:40:18 Request attempt 1 in 4
2023/10/18 08:40:18 Receiving API response:
2023/10/18 08:40:18 HTTP/1.1 404 Not Found

Date: Wed, 18 Oct 2023 13:40:15 GMT

{"error":"RESTEASY003210: Could not find resource for full path: https://iam.checkmarx.net/auth/realms//pip/groups?groupName=SupportNA"}
response status code 404

Steps to reproduce

./cx project create --project-name TestGroupFlag --groups SupportNA --debug

Environment

• CLI version: testing versions 2.0.55 & 2.0.59
• ast-cli_linux_x64

Logs

DEBUG

2023/10/18 08:40:17 CLI Version: 2.0.59
2023/10/18 08:40:17 CLI Configuration:
2023/10/18 08:40:17 cx_client_secret:
2023/10/18 08:40:17 cx_branch:
2023/10/18 08:40:17 cx_timeout: 30
2023/10/18 08:40:17 cx_base_auth_uri: https://iam.checkmarx.net/
2023/10/18 08:40:17 cx_tenant:
2023/10/18 08:40:17 cx_proxy_auth_type: basic
2023/10/18 08:40:17 cx_apikey: ***
2023/10/18 08:40:17 cx_base_uri: https://ast.checkmarx.net/
2023/10/18 08:40:17 http_proxy:
2023/10/18 08:40:17 cx_client_id:
2023/10/18 08:40:17 Base Auth URI - Extract from API KEY
2023/10/18 08:40:17 Base Auth URI - https://iam.checkmarx.net/auth/realms/prod_na_testing
2023/10/18 08:40:17 Checking cache for API access token.
2023/10/18 08:40:17 API access token not found in cache!
2023/10/18 08:40:17 Fetching API access token.
2023/10/18 08:40:17 Checking cache for API access token.
2023/10/18 08:40:17 API access token not found in cache!
2023/10/18 08:40:17 Using API key credentials.
2023/10/18 08:40:17 Creating HTTP Client.
2023/10/18 08:40:17 Sending API request to:
2023/10/18 08:40:17 POST /auth/realms/prod_na_testing/protocol/openid-connect/token HTTP/1.1
Host: iam.checkmarx.net
Content-Type: application/x-www-form-urlencoded
User-Agent: ASTCLI/2.0.59

grant_type=refresh_token&client_id=ast-app&refresh_token=***
2023/10/18 08:40:17 Request attempt 1 in 4
2023/10/18 08:40:17 Starting connection: iam.checkmarx.net:443
2023/10/18 08:40:17 DNS looking up host information for: iam.checkmarx.net
2023/10/18 08:40:17 DNS found host address(s): [{IP:13.226.204.7 Zone:} {IP:13.226.204.115 Zone:} {IP:13.226.204.15 Zone:} {IP:13.226.204.12 Zone:}]
2023/10/18 08:40:17 Started TLS Handshake
2023/10/18 08:40:17 Completed TLS handshake
2023/10/18 08:40:18 Connected completed in: 474 (ms)
2023/10/18 08:40:18 Receiving API response:
2023/10/18 08:40:18 HTTP/1.1 200 OK
Content-Length: 7034
Cache-Control: no-store
Connection: keep-alive
Content-Type: application/json
Date: Wed, 18 Oct 2023 13:40:15 GMT
Pragma: no-cache
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
Via: 1.1 7644cbb67f4f24c9050687ef3a2fd358.cloudfront.net (CloudFront)
X-Amz-Cf-Id: MauOmGWEvQgGhXPulXZ_NxdSWP3JriDElBiBNZCBo8OFLAs6fFZ8Yg==
X-Amz-Cf-Pop: DFW55-C2
X-Cache: Miss from cloudfront
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

2023/10/18 08:40:18 Successfully retrieved API token.
2023/10/18 08:40:18 Storing API access token to cache.
2023/10/18 08:40:18 Base URI - Extract from JWT token
2023/10/18 08:40:18 Base URI - https://ast.checkmarx.net
2023/10/18 08:40:18 Creating HTTP Client.
2023/10/18 08:40:18 Sending API request to:
2023/10/18 08:40:18 GET /auth/realms//pip/groups?groupName=SupportNA HTTP/1.1
Host: ast.checkmarx.net
Authorization: Bearer ***
User-Agent: ASTCLI/2.0.59

2023/10/18 08:40:18 Request attempt 1 in 4
2023/10/18 08:40:18 Receiving API response:
2023/10/18 08:40:18 HTTP/1.1 404 Not Found
Content-Length: 136
Connection: keep-alive
Content-Type: application/json
Date: Wed, 18 Oct 2023 13:40:15 GMT
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
Via: 1.1 51ec66f6cf5e6c765ee4a97186ec06a4.cloudfront.net (CloudFront)
X-Amz-Cf-Id: _fI-mMS89ShnBtVAsXjneLdT6MUQXVbuDMqLtOCPertZ6rjfGutmUw==
X-Amz-Cf-Pop: DFW55-C2
X-Cache: Error from cloudfront
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

{"error":"RESTEASY003210: Could not find resource for full path: https://iam.checkmarx.net/auth/realms//pip/groups?groupName=SupportNA"}
response status code 404

Describe the bug

Introduced in version 2.0.19

When we use scan command with

• thresholds
• report format to summaryJSON
• the scan failed because of thresholds

There is no report generated but in the case where the scan passed there is report.

Expected behavior

I think report must be generated even if scan fail because of thresholds like in version 2.0.18.

Actual behavior

Unlike in version 2.0.18 the scan will not generate report if thresholds fail the scan.

Steps to reproduce

1. Create a project with a security issue SAST High for example
2. Run a scan with --report-format summaryJSON and --threshold sast-high=0 options
3. Notice there is no cx_result.json generated in .
4. Re run the scan without --threshold sast-high=0 or after SAST High issue fixed
5. Notice there is a cx_result.json generated in .

Environment

• 2.0.19
• Linux

Additional comments

Here is my analyse:

The BUG was introduced in 2.0.19 in:
| Ast 12482 add summary html for async scans (#405)

The file internal/commands/scan.go was modified and the createReportsAfterScan method call was moved from the handleWait method to the end of the runCreateScanCommand method.

The problem here is the block

err = applyThreshold(cmd, resultsWrapper, scanResponseModel)
if err != nil {
    return err
}

before the call of createReportsAfterScan.

Here is the lines:

To fix it we may use this code:

AsyncFlag, _ := cmd.Flags().GetBool(commonParams.AsyncFlag)
if !AsyncFlag {
    waitDelay, _ := cmd.Flags().GetInt(commonParams.WaitDelayFlag)
    err = handleWait(cmd, scanResponseModel, waitDelay, timeoutMinutes, scansWrapper, resultsWrapper)
    if err != nil {
        return err
    }

    err = createReportsAfterScan(cmd, scanResponseModel.ID, scansWrapper, resultsWrapper)
    if err != nil {
        return err
    }

    err = applyThreshold(cmd, resultsWrapper, scanResponseModel)
    if err != nil {
        return err
    }
} else {
    err = createReportsAfterScan(cmd, scanResponseModel.ID, scansWrapper, resultsWrapper)
    if err != nil {
        return err
    }
}

return nil

Logs

2022/06/20 09:02:55 Scan status:  Running
2022/06/20 09:03:01 Scan status:  Running
2022/06/20 09:03:06 Scan Finished with status:  Completed
Threshold check finished with status Failed : sast-high: Limit = 0, Current = 1 |
Program exits with code:  1
Scan Failed

Currently i'm trying to export only SAST results from CLI into json format.

When i use ./cx results command i saw in the documentation that only when generating a PDF report i can specify SAST results, but not for .json formats.

Is there a way i can get only SAST results for .json format in CLI?

We have Checkmarx one.

Regards

Describe the bug

I've tried to get results by cli, but I've received the message below

Failed listing results: Failed to parse list results: invalid character 'F' looking for beginning of value

PS: MacOS and Linux I've got the same message

Expected behavior

Got cli results.

Steps to reproduce

1 - cx project list <-- I got the Project ID
2 - cx scan list --filter project-id=my_project_id <-- I got a scan ID list
3 - cx results show --scan-id scan_id
4 - Error -> Failed listing results: Failed to parse list results: invalid character 'F' looking for beginning of value

Environment

• CLI version: 2.0.48
• Platform MacOS and Oracle Linux 8

Additional comments

project list works fine.

Logs

Describe the bug

I don't know if it is a BUG or not.

I'm using the cx to export results and import in my DefectDojo, but the information in json is much more rich than sarif file.

When we open the sarif file, all helpUri are the same for all issues, and indicate a documentation of releases from CxOne.

That information isn't util for developers solve the problem.

Expected behavior

Any help URL for solve the problem indicated in Checkmarx.

Actual behavior

grep -i HelpUri teste.sarif 1 ↵
"helpUri": "https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html",
"helpUri": "https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html",
"helpUri": "https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html",
"helpUri": "https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html",
"helpUri": "https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html",

Steps to reproduce

cx results show --scan-id --report-format sarif

Environment

• CLI version: 2.0.48
• Platform MacOS

Additional comments

We need more information or an convert tool from json to sarif