checkmarx / ast-cli
A CLI project wrapping application security testing (AST) APIs
License: Apache License 2.0
Hello!
I hope you are doing well!
We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security researchers to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.
Can you enable it, so that we can report it?
Thanks in advance!
PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository
In our gitlab projects we are integrating ast-cli in pipeline execution for SAST scanning in checkmarxOne.
In older versions of checkmarx, cx-flow provided an option to generate the output format gl-sast-report.json.
Is it planned to support this output format with ast-cli?
We tried to convert the existing cx_result.json into a compatible gl-sast-report.json, but some fields are missing to be compliant with the schema provided by Gitlab at https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/sast-report-format.json
Here the link to gitlab documentation: https://docs.gitlab.com/ee/user/application_security/sast/#reports-json-format.
I have some python projects on which requirements.txt files can have variable names like requirement[custom string].txt. Today, the CLI filters them and they are excluded from the scan.
add "requirement*.txt" to the filters.
Currently, when trying to run the CLI docker image with the ScaResolver, the run will fail because the alpine image that is used for the ast-cli docker image is missing libraries that are required to run the ScaResolver.
The missing libraries are as follows (output from ldd):
```
ldd ScaResolver
/lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
libdl.so.2 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
Error loading shared library libgcc_s.so.1: No such file or directory (needed by ScaResolver)
libz.so.1 => /lib/libz.so.1 (0x7f8cdb232000)
libm.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
librt.so.1 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
```
Since the docker image is built to run as a non-root user, these libraries cannot be added, e.g. using apk.
E.g. if you try to run this example, https://github.com/Checkmarx/ci-cd-integrations/blob/main/CxScaResolver/bitbucket-pipelines.yml, it will fail with an error like this:
Using SCA resolver: ./ScaResolver [offline -s ./ -n project-name -r /tmp/sca229206833.json --ignore-dev-dependencies true --log-level Debug]
2023/11/08 14:30:17
ScaResolver error: fork/exec ./ScaResolver: no such file or directory
If you look carefully you will notice that the github and azure examples use "ubuntu-latest" as the base image, which has the required libraries.
The mac cli configure utility is broken
$ cx configure <---enter user params here
$ cx configure show --> show save user params here
$ cx configure show --> return empty line
Please add documentation for supported OS versions incl. OS version numbers or ranges of numbers
E. g. Windows version xx or later
Thanks
When trying to run the example with the SCA Resolver here: https://github.com/Checkmarx/ci-cd-integrations/blob/main/CxScaResolver/bitbucket-pipelines.yml
It fails because the ScaResolver does not have the required dependencies installed
in the docker file add "apk add gcc"
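Added example, not taken from the issues above or from the ast-cli project: a POSIX shell pre-flight check for the two ScaResolver-in-Alpine reports above. It parses ldd output for unresolved shared libraries so a pipeline can fail early (or install the missing package during the image build) instead of hitting the "fork/exec ./ScaResolver: no such file or directory" error at scan time. The sample ldd text is the one quoted in the first report; the function names and the note about the Alpine libgcc package are this example's own.

```shell
#!/bin/sh
# Pre-flight check for a dynamically linked tool (here ScaResolver) inside a container:
# list the shared libraries the loader cannot resolve, before the pipeline tries to
# exec the binary and fails with "fork/exec ./ScaResolver: no such file or directory".

# missing_libs: reads ldd output on stdin, prints one unresolved library per line.
# Handles both the musl loader form ("Error loading shared library X: ...") seen on
# Alpine and the glibc ldd form ("X => not found").
missing_libs() {
    sed -n \
        -e 's/^Error loading shared library \([^:]*\):.*/\1/p' \
        -e 's/^[[:space:]]*\([^[:space:]]*\) => not found.*/\1/p'
}

# check_binary: runs ldd on a real binary; returns 1 and lists the gaps on stderr
# if anything is unresolved, so it can guard the ScaResolver step in CI.
check_binary() {
    missing="$(ldd "$1" 2>&1 | missing_libs)"
    [ -z "$missing" ] && return 0
    printf 'unresolved shared libraries for %s:\n%s\n' "$1" "$missing" >&2
    return 1
}

# Constructed sample: the ldd output quoted in the issue above (Alpine, musl loader).
SAMPLE_LDD='/lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
libdl.so.2 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
Error loading shared library libgcc_s.so.1: No such file or directory (needed by ScaResolver)
libz.so.1 => /lib/libz.so.1 (0x7f8cdb232000)
libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)'

# On Alpine, libgcc_s.so.1 is provided by the libgcc package; it has to be added in the
# image build (apk add --no-cache libgcc), since the runtime user is non-root.
printf '%s\n' "$SAMPLE_LDD" | missing_libs
```

In a pipeline, `check_binary ./ScaResolver || exit 1` placed before the scan step turns the obscure exec failure into a readable list of missing libraries.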
When I launch a new scan, the --file-filter param does not work for excluding files or folders.
I made some tests with the CLI tool. I tried:
cx.exe scan create --project-name bodgeit -s https://github.com/psiinon/bodgeit.git --sast-preset-name "High and Medium" --file-filter "!test/,!advanced.jsp,!advanced.js" --branch "master" --debug
or
cx.exe scan create --project-name bodgeit -s https://github.com/psiinon/bodgeit.git --sast-preset-name "High and Medium" --file-filter "!test/,!advanced.jsp,!advanced.js,!root,!src" --branch "master" --debug
or
cx.exe scan create --project-name bodgeit -s https://github.com/psiinon/bodgeit.git --sast-preset-name "High and Medium" --file-filter "!test/,!advanced.jsp,!advanced.js,!root/*,!src/*" --branch "master" --debug
With or without folder/file exclusions the number of vulnerabilities is always the same:
```
2022/02/22 17:29:10 Connected completed in: 156 (ms)
Created At: 2022-02-22, 16:26:53
Risk: High Risk
Project ID: 3f72e3d2-2f2f-467f-a9b1-d5820e2c9e40
Scan ID: 0f309a66-3a08-4df6-8348-2b90cf08c0ec
Total Issues: 168
High Issues: 70
Medium Issues: 91
Low Issues: 7
Kics Issues: 3
CxSAST Issues: 152
CxSCA Issues: 13
```
I haven't found a way to pull all the scan results in one single request (I mean all the scan results from all the SAST projects). Is there any way to perform this? Something I'm missing? Right now I have only found how to export the results with ./cx results show --scan-id, but it is limited to one scan id at a time.
Would be nice to export all the project vulnerabilities in one request and export to json
Yes. Once the scan data is validated by our analysts, it would be marked as 'Confirmed', then be dumped out into the json file. The additional filter will allow data filtering with a 'state' of 'CONFIRMED'. In order to support this workflow, a new filter type by 'state' could be built-into the sub-command.
Support the result data filter by type 'state', such as below data flow:
```python
import json

# Load the CLI result export and keep only the results whose state is CONFIRMED
with open("./cx_result.json", "r") as f:
    data = json.load(f)
results = data["results"]
results_conf = [r for r in results if r["state"] == "CONFIRMED"]
print(results_conf)
```
Output:
[{'type': 'sast', 'id': '0', 'similarityId': '-1627780850', 'status': 'NEW', 'state': 'CONFIRMED', ...}}]
Refer to the '--filter ' flag section in the current implementation document here: https://checkmarx.atlassian.net/wiki/spaces/AST/pages/6025740424/result#Flags
When running the contributor count utility, it throws an NPE when it encounters a repository that does not contain code. The enumeration ends.
It should see the repo is empty and move on without stopping the enumeration.
While enumerating an org's repos, it encountered a repo with no code in it. It threw an NPE and exited the program.
CLI 2.0.58
Powershell on an unknown Windows version.
N/A
Add NTLM Proxy support as this has been an ongoing battle with existing plugins and lack of support.
The PR decoration tool generates a new comment every time a new commit is made to the pull request, which results in clutter. I would like the comment to be updated instead of generating a new one each time.
I propose that the PR decoration tool should be modified to update the existing comment when a new commit is made to the pull request, rather than creating a new comment for each commit.
No additional comments at this time.
After this new version, the option to generate PDF reports from ScanSummary broke the scan.
This is affecting your product ast-github-actions too.
(...)
2024/04/09 16:37:15 Scan Finished with status: Completed
Scan Summary:
Created At: 2024-04-09, 16:33:15
Project Name: my-org/my-project
Scan ID: 123456-cccc-aaa-bbb-abcdefghijk
2024/04/09 16:49:34 Scan status: Running
2024/04/09 16:49:43 Scan Finished with status: Completed
report option "scansummary" unavailable
Run a test and generate a report:
./cx scan create -s [email protected]:my-org/project --project-name my-org/projects -b feature/batata --ssh-key "/Users/user/.ssh/id_rsa" --scan-types sast,iac-security,sca --report-pdf-options Sast,Sca,Iac-Security,ScanSummary,ExecutiveSummary,ScanResults --report-format pdf
2024/04/09 16:47:04
Scanning branch feature/batata...
Scan ID :
Project ID :
Project Name : my-org/project
Status : Running
Created at : 04-09-24
Branch : feature/batata
Tags : []
Type : Full
Timeout : NONE
Initiator : my-user
Origin : ASTCLI 2.0.72
Engines : [ sast kics sca]
2024/04/09 16:47:05 Wait for scan to complete aaaaa-aaaa-aaaa-aaa-bbbbbbbbbb Running
2024/04/09 16:47:10 Scan status: Running
2024/04/09 16:47:16 Scan status: Running
2024/04/09 16:47:21 Scan status: Running
2024/04/09 16:47:27 Scan status: Running
2024/04/09 16:47:32 Scan status: Running
2024/04/09 16:47:39 Scan status: Running
2024/04/09 16:47:46 Scan status: Running
2024/04/09 16:47:52 Scan status: Running
2024/04/09 16:47:58 Scan status: Running
2024/04/09 16:48:05 Scan status: Running
2024/04/09 16:48:12 Scan status: Running
2024/04/09 16:48:20 Scan status: Running
2024/04/09 16:48:27 Scan status: Running
2024/04/09 16:48:35 Scan status: Running
2024/04/09 16:48:42 Scan status: Running
2024/04/09 16:48:50 Scan status: Running
2024/04/09 16:48:59 Scan status: Running
2024/04/09 16:49:07 Scan status: Running
2024/04/09 16:49:16 Scan status: Running
2024/04/09 16:49:24 Scan status: Running
2024/04/09 16:49:34 Scan status: Running
2024/04/09 16:49:43 Scan Finished with status: Completed
report option "scansummary" unavailable
When trying to create a project with a "--groups" flag, it returns HTTP 404 Error
User creating the project is a member of that group and has the following ROLES:
CxONE Roles
- manage-application manage-feedbackapp manage-policy-management manage-project manage-webhook
No error and project created with group specified.
DEBUG MODE
2023/10/18 08:40:18 Sending API request to:
2023/10/18 08:40:18 GET /auth/realms//pip/groups?groupName=SupportNA HTTP/1.1
Host: ast.checkmarx.net
Authorization: Bearer ***
User-Agent: ASTCLI/2.0.59
2023/10/18 08:40:18 Request attempt 1 in 4
2023/10/18 08:40:18 Receiving API response:
2023/10/18 08:40:18 HTTP/1.1 404 Not Found
Date: Wed, 18 Oct 2023 13:40:15 GMT
{"error":"RESTEASY003210: Could not find resource for full path: https://iam.checkmarx.net/auth/realms//pip/groups?groupName=SupportNA"}
response status code 404
./cx project create --project-name TestGroupFlag --groups SupportNA --debug
2023/10/18 08:40:17 CLI Version: 2.0.59
2023/10/18 08:40:17 CLI Configuration:
2023/10/18 08:40:17 cx_client_secret:
2023/10/18 08:40:17 cx_branch:
2023/10/18 08:40:17 cx_timeout: 30
2023/10/18 08:40:17 cx_base_auth_uri: https://iam.checkmarx.net/
2023/10/18 08:40:17 cx_tenant:
2023/10/18 08:40:17 cx_proxy_auth_type: basic
2023/10/18 08:40:17 cx_apikey: ***
2023/10/18 08:40:17 cx_base_uri: https://ast.checkmarx.net/
2023/10/18 08:40:17 http_proxy:
2023/10/18 08:40:17 cx_client_id:
2023/10/18 08:40:17 Base Auth URI - Extract from API KEY
2023/10/18 08:40:17 Base Auth URI - https://iam.checkmarx.net/auth/realms/prod_na_testing
2023/10/18 08:40:17 Checking cache for API access token.
2023/10/18 08:40:17 API access token not found in cache!
2023/10/18 08:40:17 Fetching API access token.
2023/10/18 08:40:17 Checking cache for API access token.
2023/10/18 08:40:17 API access token not found in cache!
2023/10/18 08:40:17 Using API key credentials.
2023/10/18 08:40:17 Creating HTTP Client.
2023/10/18 08:40:17 Sending API request to:
2023/10/18 08:40:17 POST /auth/realms/prod_na_testing/protocol/openid-connect/token HTTP/1.1
Host: iam.checkmarx.net
Content-Type: application/x-www-form-urlencoded
User-Agent: ASTCLI/2.0.59
grant_type=refresh_token&client_id=ast-app&refresh_token=***
2023/10/18 08:40:17 Request attempt 1 in 4
2023/10/18 08:40:17 Starting connection: iam.checkmarx.net:443
2023/10/18 08:40:17 DNS looking up host information for: iam.checkmarx.net
2023/10/18 08:40:17 DNS found host address(s): [{IP:13.226.204.7 Zone:} {IP:13.226.204.115 Zone:} {IP:13.226.204.15 Zone:} {IP:13.226.204.12 Zone:}]
2023/10/18 08:40:17 Started TLS Handshake
2023/10/18 08:40:17 Completed TLS handshake
2023/10/18 08:40:18 Connected completed in: 474 (ms)
2023/10/18 08:40:18 Receiving API response:
2023/10/18 08:40:18 HTTP/1.1 200 OK
Content-Length: 7034
Cache-Control: no-store
Connection: keep-alive
Content-Type: application/json
Date: Wed, 18 Oct 2023 13:40:15 GMT
Pragma: no-cache
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
Via: 1.1 7644cbb67f4f24c9050687ef3a2fd358.cloudfront.net (CloudFront)
X-Amz-Cf-Id: MauOmGWEvQgGhXPulXZ_NxdSWP3JriDElBiBNZCBo8OFLAs6fFZ8Yg==
X-Amz-Cf-Pop: DFW55-C2
X-Cache: Miss from cloudfront
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
2023/10/18 08:40:18 Successfully retrieved API token.
2023/10/18 08:40:18 Storing API access token to cache.
2023/10/18 08:40:18 Base URI - Extract from JWT token
2023/10/18 08:40:18 Base URI - https://ast.checkmarx.net
2023/10/18 08:40:18 Creating HTTP Client.
2023/10/18 08:40:18 Sending API request to:
2023/10/18 08:40:18 GET /auth/realms//pip/groups?groupName=SupportNA HTTP/1.1
Host: ast.checkmarx.net
Authorization: Bearer ***
User-Agent: ASTCLI/2.0.59
2023/10/18 08:40:18 Request attempt 1 in 4
2023/10/18 08:40:18 Receiving API response:
2023/10/18 08:40:18 HTTP/1.1 404 Not Found
Content-Length: 136
Connection: keep-alive
Content-Type: application/json
Date: Wed, 18 Oct 2023 13:40:15 GMT
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
Via: 1.1 51ec66f6cf5e6c765ee4a97186ec06a4.cloudfront.net (CloudFront)
X-Amz-Cf-Id: _fI-mMS89ShnBtVAsXjneLdT6MUQXVbuDMqLtOCPertZ6rjfGutmUw==
X-Amz-Cf-Pop: DFW55-C2
X-Cache: Error from cloudfront
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"error":"RESTEASY003210: Could not find resource for full path: https://iam.checkmarx.net/auth/realms//pip/groups?groupName=SupportNA"}
response status code 404
Introduced in version 2.0.19.
When we use the scan command with summaryJSON there is no report generated, but in the case where the scan passed there is a report.
I think the report must be generated even if the scan fails because of thresholds, like in version 2.0.18.
Unlike in version 2.0.18, the scan will not generate a report if thresholds fail the scan.
--report-format summaryJSON and --threshold sast-high=0 options: cx_result.json generated in .
--threshold sast-high=0 or after SAST High issue fixed: cx_result.json generated in .
Here is my analysis:
The BUG was introduced in 2.0.19 in: Ast 12482 add summary html for async scans (#405)
The file internal/commands/scan.go was modified and the createReportsAfterScan method call was moved from the handleWait method to the end of the runCreateScanCommand method.
The problem here is the block
```go
err = applyThreshold(cmd, resultsWrapper, scanResponseModel)
if err != nil {
	return err
}
```
before the call of createReportsAfterScan.
Here are the lines:
ast-cli/internal/commands/scan.go
Lines 1102 to 1121 in c7a3321
To fix it we may use this code:
```go
// Proposed fix: create the reports before applying the thresholds, so a failing
// threshold no longer suppresses the report.
AsyncFlag, _ := cmd.Flags().GetBool(commonParams.AsyncFlag)
if !AsyncFlag {
	waitDelay, _ := cmd.Flags().GetInt(commonParams.WaitDelayFlag)
	err = handleWait(cmd, scanResponseModel, waitDelay, timeoutMinutes, scansWrapper, resultsWrapper)
	if err != nil {
		return err
	}
	// Reports first ...
	err = createReportsAfterScan(cmd, scanResponseModel.ID, scansWrapper, resultsWrapper)
	if err != nil {
		return err
	}
	// ... then the threshold check, whose error makes the CLI exit with code 1.
	err = applyThreshold(cmd, resultsWrapper, scanResponseModel)
	if err != nil {
		return err
	}
} else {
	// Async scan: nothing to wait for, only the reports are created.
	err = createReportsAfterScan(cmd, scanResponseModel.ID, scansWrapper, resultsWrapper)
	if err != nil {
		return err
	}
}
return nil
```
2022/06/20 09:02:55 Scan status: Running
2022/06/20 09:03:01 Scan status: Running
2022/06/20 09:03:06 Scan Finished with status: Completed
Threshold check finished with status Failed : sast-high: Limit = 0, Current = 1 |
Program exits with code: 1
Scan Failed
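Added example, written here to illustrate the report-before-threshold ordering discussed above; it is not the ast-cli project's code. It is a stand-alone Go model of parsing the --threshold value (the sast-high=0 format used above) and of the corrected flow, in which the summary report is produced unconditionally and only afterwards are thresholds enforced, so a threshold failure still leaves a report behind. The failure message follows the CLI output quoted above; the Threshold and FinishScan names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Threshold is one "<engine>-<severity>=<limit>" entry of --threshold, e.g. "sast-high=0".
type Threshold struct {
	Key   string
	Limit int
}

// ParseThresholds parses the comma-separated --threshold value.
func ParseThresholds(spec string) ([]Threshold, error) {
	var out []Threshold
	for _, item := range strings.Split(spec, ",") {
		key, val, ok := strings.Cut(strings.TrimSpace(item), "=")
		if !ok {
			return nil, fmt.Errorf("bad threshold %q: expected key=limit", item)
		}
		limit, err := strconv.Atoi(strings.TrimSpace(val))
		if err != nil || limit < 0 {
			return nil, fmt.Errorf("bad limit in %q", item)
		}
		out = append(out, Threshold{Key: strings.ToLower(strings.TrimSpace(key)), Limit: limit})
	}
	return out, nil
}

// ApplyThresholds fails when any counted severity exceeds its limit, in the CLI's message format.
func ApplyThresholds(limits []Threshold, counts map[string]int) error {
	var failed []string
	for _, t := range limits {
		if cur := counts[t.Key]; cur > t.Limit {
			failed = append(failed, fmt.Sprintf("%s: Limit = %d, Current = %d", t.Key, t.Limit, cur))
		}
	}
	if len(failed) == 0 {
		return nil
	}
	return fmt.Errorf("Threshold check finished with status Failed : %s |", strings.Join(failed, " | "))
}

// FinishScan models the corrected ordering: the summary report is produced first and
// only then are thresholds enforced, so a failing threshold still returns the report.
func FinishScan(counts map[string]int, thresholdSpec string) (string, error) {
	limits, err := ParseThresholds(thresholdSpec)
	if err != nil {
		return "", err
	}
	b, _ := json.Marshal(counts) // map keys are sorted, so the report is deterministic
	return string(b), ApplyThresholds(limits, counts)
}

func main() {
	fmt.Println(FinishScan(map[string]int{"sast-high": 1, "sast-medium": 4}, "sast-high=0"))
}
```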
Currently I'm trying to export only SAST results from the CLI into json format.
When I use the ./cx results command I saw in the documentation that only when generating a PDF report can I specify SAST results, but not for .json formats.
Is there a way I can get only SAST results in .json format from the CLI?
We have Checkmarx one.
Regards
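Added example serving two questions above, the one about pulling all scan results in one request and this one about SAST-only JSON output; it is not code from the issues or from the ast-cli project. Since the CLI exports one scan per `results show --scan-id` call, the merging, engine-type/state filtering and de-duplication are done on the exported JSON. The sample documents are constructed; the `severity` field and the state names other than CONFIRMED are assumptions.

```python
import json
from collections import Counter

# Constructed sample standing in for two JSON exports produced by
# `cx results show --scan-id ... --report-format json` (not real scan output). Only the
# fields the issues above mention (type, id, similarityId, status, state) plus an
# assumed 'severity' field are included.
SAMPLE_EXPORTS = {
    "scan-a": json.dumps({"results": [
        {"type": "sast", "id": "0", "similarityId": "-1627780850", "status": "NEW",
         "state": "CONFIRMED", "severity": "HIGH"},
        {"type": "sast", "id": "1", "similarityId": "552001", "status": "NEW",
         "state": "TO_VERIFY", "severity": "MEDIUM"},
        {"type": "sca", "id": "2", "similarityId": "9001", "status": "NEW",
         "state": "CONFIRMED", "severity": "MEDIUM"},
    ]}),
    "scan-b": json.dumps({"results": [
        # the same SAST finding as in scan-a (same similarityId), seen again later
        {"type": "sast", "id": "0", "similarityId": "-1627780850", "status": "RECURRENT",
         "state": "CONFIRMED", "severity": "HIGH"},
        {"type": "kics", "id": "3", "similarityId": "77", "status": "NEW",
         "state": "NOT_EXPLOITABLE", "severity": "LOW"},
    ]}),
}


def load_results(exports):
    """Merge the 'results' arrays of several export documents into one list,
    tagging each result with the scan it came from (exports: scan id -> JSON text)."""
    merged = []
    for scan_id, text in exports.items():
        for result in json.loads(text).get("results", []):
            merged.append({**result, "scanId": scan_id})
    return merged


def filter_results(results, result_type=None, state=None):
    """Keep results matching an engine type (sast, sca, kics) and/or a state."""
    return [r for r in results
            if (result_type is None or r.get("type") == result_type)
            and (state is None or r.get("state") == state)]


def dedupe_by_similarity(results):
    """Collapse one finding seen in several scans (same type + similarityId)."""
    seen, unique = set(), []
    for r in results:
        key = (r.get("type"), r.get("similarityId"))
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique


def count_by_severity(results):
    return dict(Counter(r.get("severity", "UNKNOWN") for r in results))


if __name__ == "__main__":
    everything = load_results(SAMPLE_EXPORTS)
    sast_confirmed = dedupe_by_similarity(filter_results(everything, "sast", "CONFIRMED"))
    print(json.dumps(sast_confirmed, indent=2))
    print(count_by_severity(filter_results(everything, state="CONFIRMED")))
```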
I've tried to get results by cli, but I've received the message below
Failed listing results: Failed to parse list results: invalid character 'F' looking for beginning of value
PS: on MacOS and Linux I've got the same message
Got cli results.
1 - cx project list <-- I got the Project ID
2 - cx scan list --filter project-id=my_project_id <-- I got a scan ID list
3 - cx results show --scan-id scan_id
4 - Error -> Failed listing results: Failed to parse list results: invalid character 'F' looking for beginning of value
project list works fine.
I don't know if it is a BUG or not.
I'm using the cx to export results and import them in my DefectDojo, but the information in the json is much richer than the sarif file.
When we open the sarif file, all helpUri are the same for all issues, and indicate a documentation of releases from CxOne.
That information isn't useful for developers to solve the problem.
Any help URL to solve the problem indicated in Checkmarx.
grep -i HelpUri teste.sarif
"helpUri": "https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html",
"helpUri": "https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html",
"helpUri": "https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html",
"helpUri": "https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html",
"helpUri": "https://checkmarx.com/resource/documents/en/34965-67042-checkmarx-one.html",
cx results show --scan-id --report-format sarif
We need more information or a conversion tool from json to sarif