From 399cd8361f94cdb94d3b7f4ba0acb18254901cea Mon Sep 17 00:00:00 2001 From: Aniket Shinde Date: Mon, 20 Apr 2026 11:18:06 +0530 Subject: [PATCH 1/5] AST-146807: Create Cloud MD file for ast-cli-java-wrapper repository - Added comprehensive Cloud.md with all essential sections: - Project Overview - Architecture and design patterns - Repository structure - Technology stack (Maven, Java 8, Jackson, Lombok, etc.) - Development setup and prerequisites - Coding standards and guidelines - Project rules and conventions - Testing strategy with JUnit 5 and code coverage - Known issues and limitations - Included recommended sections: - Database schema (N/A for client library) - External integrations (AST Platform, Maven Central) - Deployment information - Performance considerations - API/Endpoints/Interfaces documentation - Security & Access controls - Logging configuration - Debugging steps and common issues - Documentation follows the standardization template from epic AST-146793 --- Claude.md | 598 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 598 insertions(+) create mode 100644 Claude.md diff --git a/Claude.md b/Claude.md new file mode 100644 index 00000000..c0c3be08 --- /dev/null +++ b/Claude.md @@ -0,0 +1,598 @@ +# Cloud.md - AST CLI Java Wrapper Repository + +## Project Overview + +The **ast-cli-java-wrapper** is a Java SDK/wrapper library that provides a shared infrastructure and abstraction layer for the Checkmarx Application Security Testing (AST) platform. It serves as a client library for integrating AST capabilities into Java-based applications and CI/CD pipelines. The wrapper offers technology-neutral repository interfaces and a metadata model for persisting Java classes, enabling developers to interact with the AST platform programmatically. + +**Repository:** https://github.com/CheckmarxDev/ast-cli-java-wrapper +**Package:** Published as Maven dependency (com.checkmarx.ast:ast-cli-java-wrapper) + +--- + +## Architecture + +The ast-cli-java-wrapper follows a modular architecture with clear separation of concerns: + +``` +ast-cli-java-wrapper/ +├── src/main/java/com/checkmarx/ast/ +│ ├── wrapper/ # Core wrapper utilities (CxConfig, CxException, CxConstants) +│ ├── asca/ # ASCA (Application Source Code Analysis) module +│ ├── codebashing/ # CodeBashing integration +│ ├── containersrealtime/ # Container scanning real-time results +│ ├── iacrealtime/ # IaC (Infrastructure as Code) real-time results +│ ├── kicsRealtimeResults/ # KICS (Kics Infrastructure Code Scanner) results +│ ├── ossrealtime/ # OSS (Open Source Software) real-time vulnerability scanning +│ ├── learnMore/ # Learning resources integration +│ ├── mask/ # Secret masking functionality +│ ├── project/ # Project management interfaces +│ ├── scan/ # Scan management +│ ├── results/ # Result handling and processing +│ ├── remediation/ # Remediation guidance +│ ├── predicate/ # Predicate-based filtering +│ └── tenant/ # Tenant management +├── src/test/java/ # Unit tests (JUnit 5) +└── src/main/resources/ # Configuration resources +``` + +**Design Pattern:** The wrapper uses a layered architecture with: +- **Interface Layer:** Technology-neutral interfaces for extensibility +- **Implementation Layer:** Concrete implementations for AST integration +- **Data Model Layer:** POJOs (Plain Old Java Objects) for data persistence and serialization +- **Utility Layer:** Configuration management (CxConfig), exception handling (CxException), and constants + +--- + +## Repository Structure + +``` +. +├── pom.xml # Maven configuration and dependencies +├── README.md # User-facing documentation +├── Cloud.md # This file - development/deployment documentation +├── src/ +│ ├── main/ +│ │ ├── java/ # Production source code +│ │ └── resources/ # Configuration files and resources +│ └── test/ +│ ├── java/ # Unit tests (JUnit 5 + Jupiter) +│ └── resources/ # Test configuration and fixtures +├── target/ # Build output (generated during maven clean install) +└── .github/ # GitHub Actions, workflows (if present) +``` + +**Key Files:** +- `pom.xml` - Defines Maven build configuration, dependencies, and JaCoCo code coverage plugin +- `src/main/java/com/checkmarx/ast/wrapper/CxConfig.java` - Core configuration class +- `src/main/java/com/checkmarx/ast/wrapper/CxException.java` - Custom exception handling +- `src/main/java/com/checkmarx/ast/wrapper/CxConstants.java` - Application constants + +--- + +## Technology Stack + +| Component | Technology | Version | +|-----------|-----------|---------| +| **Language** | Java | 8+ | +| **Build Tool** | Maven | 3+ | +| **JSON Processing** | Jackson | 2.21.1 | +| **JSON Serialization** | GSON | 2.12.1 | +| **Utilities** | Lombok | 1.18.32 | +| **Commons** | Apache Commons Lang3 | 3.18.0 | +| **JSON Parsing** | JSON-Simple | 1.1.1 | +| **Logging** | SLF4J | 2.0.12 | +| **Testing** | JUnit 5 (Jupiter) | 5.10.2 | +| **Code Coverage** | JaCoCo | 0.8.8 | + +**Key Dependencies:** +- **Jackson** - Primary JSON serialization/deserialization framework +- **GSON** - Alternative/supplementary JSON processing +- **Lombok** - Reduces boilerplate via annotations (@Data, @Getter, @Setter, etc.) +- **SLF4J** - Logging abstraction layer with slf4j-simple binding +- **JUnit 5** - Modern testing framework with parameterized tests and extensions + +--- + +## Development Setup + +### Prerequisites + +- **Java Development Kit (JDK):** Version 8 or higher + - Download from [Oracle JDK](https://www.oracle.com/java/technologies/downloads/) or use OpenJDK + - Verify: `java -version` and `javac -version` + +- **Maven:** Version 3.6.0 or higher + - Download from [Apache Maven](https://maven.apache.org/download.cgi) + - Verify: `mvn -version` + +- **Git:** For cloning and version control + +### Local Setup Steps + +1. **Clone the repository:** + ```bash + git clone https://github.com/CheckmarxDev/ast-cli-java-wrapper.git + cd ast-cli-java-wrapper + ``` + +2. **Build the project:** + ```bash + mvn clean install + ``` + - Compiles source code, runs tests, and generates JAR artifact + - Output: `target/ast-cli-java-wrapper-[version].jar` + +3. **Run tests:** + ```bash + mvn test + ``` + +4. **Generate code coverage report:** + ```bash + mvn test jacoco:report + ``` + - Coverage report available at: `target/site/jacoco/index.html` + +5. **Install to local Maven repository:** + ```bash + mvn install + ``` + +### Integration Tests Setup + +To run integration tests that interact with the AST platform, set environment variables: + +**Linux/macOS:** +```bash +export CX_CLIENT_ID="your_client_id" +export CX_CLIENT_SECRET="your_client_secret" +export CX_APIKEY="your_api_key" +export CX_BASE_URI="https://ast.checkmarx.net" +export CX_BASE_AUTH_URI="https://iam.checkmarx.net" +export CX_TENANT="your_tenant_name" +export PATH_TO_EXECUTABLE="/path/to/ast-cli-executable" +``` + +**Windows (PowerShell):** +```powershell +setx CX_CLIENT_ID "your_client_id" +setx CX_CLIENT_SECRET "your_client_secret" +setx CX_APIKEY "your_api_key" +setx CX_BASE_URI "https://ast.checkmarx.net" +setx CX_BASE_AUTH_URI "https://iam.checkmarx.net" +setx CX_TENANT "your_tenant_name" +setx PATH_TO_EXECUTABLE "path\to\ast-cli-executable" +``` + +### IDE Configuration + +- **IntelliJ IDEA:** Import project as Maven project, mark `src/main/java` as Sources Root, `src/test/java` as Tests Root +- **Eclipse:** Use `mvn eclipse:eclipse` or import via "Existing Maven Projects" +- **VS Code:** Install "Extension Pack for Java" and "Maven for Java" extensions + +--- + +## Coding Standards + +### Code Style Guidelines + +1. **Naming Conventions:** + - Classes: PascalCase (e.g., `CxConfig`, `ScanResult`) + - Methods/Variables: camelCase (e.g., `getScanId()`, `scanDetails`) + - Constants: UPPER_SNAKE_CASE (e.g., `MAX_TIMEOUT`, `DEFAULT_PORT`) + - Private fields: prefix with underscore or use Lombok annotations + +2. **Lombok Annotations:** + - Use `@Data` for POJOs (generates getters, setters, equals, hashCode, toString) + - Use `@Getter` / `@Setter` for selective generation + - Use `@AllArgsConstructor` / `@NoArgsConstructor` for constructors + - Avoid verbose getter/setter implementations + +3. **Jackson Annotations:** + - Use `@JsonProperty("fieldName")` for JSON serialization mapping + - Use `@JsonIgnore` for excluding fields from JSON + - Use `@JsonDeserialize` / `@JsonSerialize` for custom type handling + +4. **Documentation:** + - Add JavaDoc comments for public classes and methods + - Keep comments concise and explain the "why", not the "what" + - Include examples in JavaDoc for complex methods + +5. **Exception Handling:** + - Extend `CxException` for domain-specific exceptions + - Use try-catch only for exceptional conditions, not control flow + - Log exceptions with appropriate level (error, warn, debug) + +6. **Code Organization:** + - Keep classes focused on a single responsibility + - Group related methods and fields together + - Use access modifiers appropriately (private by default, public only when needed) + +### Code Quality Tools + +- **JaCoCo Code Coverage:** Minimum coverage target is maintained via `pom.xml` configuration + - Excluded packages (data models, generated code) specified in JaCoCo excludes + - Run: `mvn jacoco:report` to generate coverage report + +- **Maven Compiler:** Configured for Java 8 compatibility + - Source: Java 8 + - Target: Java 8 + - Encoding: UTF-8 + +--- + +## Project Rules + +1. **Branching Strategy:** + - Main development branch: `main` + - Feature branches: `feature/*` + - Bug fixes: `bugfix/*` + - Hotfixes: `hotfix/*` + - Delete merged branches to keep repository clean + +2. **Commit Standards:** + - Write clear, descriptive commit messages + - Reference Jira ticket IDs in commit messages (e.g., "AST-12345: Add feature description") + - Keep commits atomic and logically grouped + +3. **Pull Requests:** + - Create PR against `main` branch + - Include description and acceptance criteria + - Ensure all tests pass before merging + - Require code review from at least one team member + - Squash commits on merge for cleaner history + +4. **Version Management:** + - Versions defined in `pom.xml` as `${ast.wrapper.version}` + - Follow semantic versioning (MAJOR.MINOR.PATCH) + - Update version before release + - Tag releases in Git (e.g., `v1.0.14`) + +5. **Dependency Management:** + - Keep dependencies updated, especially security patches + - Use Maven Dependabot or similar tools for automatic updates + - Review dependency changes in PRs for breaking changes + - Exclude conflicting transitive dependencies if needed + +6. **Documentation:** + - Keep README.md and Cloud.md synchronized with changes + - Document API changes in PR descriptions + - Update environment variables list if new ones are required + +--- + +## Testing Strategy + +### Testing Pyramid + +``` + /\ + / \ Integration Tests (Integration with AST platform) + /____\ + / \ + / \ Unit Tests (JUnit 5 - ~80% of tests) + /________\ + / \ + / \ Manual Testing & E2E + /____________\ +``` + +### Unit Testing + +- **Framework:** JUnit 5 (Jupiter) +- **Location:** `src/test/java/` +- **Naming Convention:** `*Test.java` or `*Tests.java` +- **Coverage Target:** >70% for core modules +- **Execution:** `mvn test` + +**Example Unit Test Structure:** +```java +@DisplayName("ScanResult Tests") +class ScanResultTest { + @Test + @DisplayName("Should deserialize scan result from JSON") + void testDeserializeScanResult() { + // Test implementation + } +} +``` + +### Integration Tests + +- **Environment Setup:** Requires AST platform credentials (see Development Setup) +- **Credentials:** Use environment variables for sensitive data +- **Isolation:** Test data should be isolated and cleaned up after tests +- **Skip in CI:** Can be skipped in pull request CI if platform access is limited + +### Test Fixtures & Mocks + +- Use JSON files in `src/test/resources/` for sample data +- Mock external dependencies where appropriate +- Use parameterized tests (`@ParameterizedTest`) for multiple scenarios + +### Code Coverage + +- **Tool:** JaCoCo Maven Plugin +- **Report Location:** `target/site/jacoco/index.html` +- **Excluded from Coverage:** Data models, POJOs, generated code (as specified in pom.xml) +- **Run:** `mvn test jacoco:report` + +--- + +## Known Issues + +1. **Java 8 Compatibility:** The project targets Java 8 for compatibility with older systems, which limits access to newer Java features (records, text blocks, sealed classes, etc.) + +2. **Dual JSON Libraries:** Both Jackson and GSON are included as dependencies, which may lead to subtle differences in serialization behavior. Prefer Jackson for primary serialization unless GSON is specifically required. + +3. **SLF4J Simple Binding:** The `slf4j-simple` binding is basic and may not be suitable for production environments. Consider switching to Logback or Log4j2 for advanced features. + +4. **JaCoCo Excludes:** Large portions of the codebase are excluded from code coverage (data models, results, etc.), which may mask untested code paths. Review excludes periodically. + +5. **Maven Build Performance:** Large transitive dependency trees and full coverage analysis can slow down builds. Use `mvn clean install -DskipTests` for faster builds during development. + +--- + +## Database Schema + +Not applicable - this is a client library with no persistent storage or database dependencies. + +--- + +## External Integrations + +1. **Checkmarx AST Platform:** + - **Purpose:** Provides security scanning, remediation guidance, and vulnerability data + - **Integration Points:** REST API calls via HTTP clients + - **Authentication:** OAuth 2.0 via `CX_CLIENT_ID` and `CX_CLIENT_SECRET`, or API key via `CX_APIKEY` + - **Endpoints:** Configured via `CX_BASE_URI` and `CX_BASE_AUTH_URI` + +2. **Maven Central Repository:** + - **Artifact:** com.checkmarx.ast:ast-cli-java-wrapper + - **Distribution:** Published JAR for inclusion in other projects + +3. **GitHub:** + - **Repository:** CheckmarxDev/ast-cli-java-wrapper + - **CI/CD:** Likely uses GitHub Actions for automated builds and tests + +--- + +## Deployment Info + +### Publishing to Maven Central + +1. **Build Release:** + ```bash + mvn clean install + ``` + +2. **Create Release Tag:** + ```bash + git tag -a v1.0.14 -m "Release version 1.0.14" + git push origin v1.0.14 + ``` + +3. **Deploy to Maven Central (Checkmarx Process):** + - Typically handled by CI/CD pipeline or release manager + - Requires Sonatype credentials and GPG signing + - Uses `mvn deploy` with Maven settings.xml configuration + +### Artifact Coordinates + +```xml + + com.checkmarx.ast + ast-cli-java-wrapper + 1.0.14 + +``` + +### Versioning + +- Current version: Check `pom.xml` for `` property +- Increment version before release +- Use semantic versioning (MAJOR.MINOR.PATCH) + +--- + +## Performance Considerations + +1. **Serialization:** Jackson is the primary JSON serialization engine and is optimized for performance. Ensure large result sets are streamed rather than loaded entirely in memory. + +2. **HTTP Client Configuration:** Consider connection pooling and timeout configurations when making requests to the AST platform. + +3. **Memory Usage:** For large scan results (KICS, OSS, containers), implement pagination or streaming to avoid OutOfMemoryError. + +4. **Compilation:** Java 8 target ensures compatibility but limits optimization opportunities available in newer Java versions. + +5. **Build Optimization:** Use `mvn clean install -T 1C` for parallel build threads to speed up compilation. + +--- + +## API/Endpoints/Interfaces + +### Core Interfaces + +**CxConfig** - Configuration management +- `getClientId()` - OAuth client identifier +- `getClientSecret()` - OAuth client secret +- `getApiKey()` - API key for authentication +- `getBaseUri()` - AST platform base URL +- `getBaseAuthUri()` - Identity/authentication service URL +- `getTenant()` - Tenant identifier + +**CxException** - Custom exception for domain errors +- Extends RuntimeException +- Used for all AST-specific error conditions + +### Module-Specific Interfaces + +- **Scan Module:** Scan creation, retrieval, status management +- **Results Module:** Result parsing, filtering, and analysis +- **ASCA Module:** Application source code analysis results +- **OSS Module:** Open source software vulnerability data +- **KICS Module:** Infrastructure as code scanning results +- **Remediation Module:** Remediation guidance and solutions +- **CodeBashing Module:** Security training integration +- **Containers Module:** Container image scanning results + +--- + +## Security & Access + +### Authentication + +1. **OAuth 2.0:** + - Client ID: `CX_CLIENT_ID` + - Client Secret: `CX_CLIENT_SECRET` + - Token endpoint: `CX_BASE_AUTH_URI` + - Recommended for service-to-service integration + +2. **API Key:** + - API Key: `CX_APIKEY` + - Recommended for personal use and testing + - Less secure than OAuth, use with caution in production + +### Authorization + +- **Tenant-Based:** Access controlled at tenant level via `CX_TENANT` +- **Scope-Based:** Different operations may require different permissions in AST platform +- **Role-Based:** User roles in AST platform determine available operations + +### Secrets Management + +- **Never commit credentials** to version control +- Use environment variables for local development +- Use CI/CD secrets managers for automated deployments +- Rotate API keys and client secrets regularly +- Audit access logs for suspicious activity + +### Data Protection + +- Use HTTPS for all API communication +- Jackson's default serialization is safe from injection attacks +- Validate all external input before processing +- Sanitize output if displaying user data +- Review JaCoCo excludes to ensure security code is tested + +--- + +## Logging + +### Logging Framework + +- **Framework:** SLF4J with slf4j-simple binding +- **Configuration:** Can be customized via `simplelogger.properties` in classpath +- **Production Use:** Consider upgrading to Logback or Log4j2 for advanced features + +### Logger Usage + +```java +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +class MyClass { + private static final Logger log = LoggerFactory.getLogger(MyClass.class); + + public void myMethod() { + log.info("Operation started"); + log.debug("Debug information"); + log.warn("Warning message"); + log.error("Error occurred", exception); + } +} +``` + +### Log Levels + +- **DEBUG:** Detailed information for debugging +- **INFO:** General informational messages +- **WARN:** Warning messages for potentially problematic situations +- **ERROR:** Error messages for failures + +### Sensitive Data + +- Never log credentials, API keys, or secrets +- Mask sensitive information in logs (user IDs, tokens, etc.) +- Use `log.debug()` for development-only logging +- Review logs regularly for security issues + +--- + +## Debugging Steps + +### Local Debugging + +1. **Enable Debug Logging:** + ```bash + mvn test -Dorg.slf4j.simpleLogger.defaultLogLevel=debug + ``` + +2. **IDE Debugging:** + - Set breakpoints in IDE + - Run tests in debug mode: Right-click test → "Debug" + - Use IntelliJ Debugger or Eclipse Debug perspective + +3. **Maven Debug Output:** + ```bash + mvn -X clean install # Very verbose output + mvn -e test # Print stack traces + ``` + +### Common Issues + +| Issue | Cause | Solution | +|-------|-------|----------| +| Test failures | Missing environment variables | Set CX_* environment variables for integration tests | +| Build failures | Java version mismatch | Ensure JDK 8+ is installed and JAVA_HOME is set | +| Dependency conflicts | Transitive dependency issues | Check pom.xml for exclusions or use `mvn dependency:tree` | +| OOM errors | Large scan results | Increase heap size: `export MAVEN_OPTS="-Xmx2g"` | +| Slow builds | Parallel testing disabled | Use `mvn clean install -T 1C` for parallel builds | + +### Useful Maven Commands + +```bash +mvn dependency:tree # Show dependency hierarchy +mvn help:describe-mojo -Dplugin=org.apache.maven.plugins:maven-compiler-plugin # Plugin help +mvn clean install -o # Offline build (use cached dependencies) +mvn test -Dtest=ScanResultTest # Run specific test +mvn test -Dtest=*Integration # Run tests matching pattern +``` + +### Profiling & Analysis + +```bash +# Generate detailed build report +mvn clean install -Dmaven.compiler.verbose=true + +# Check for deprecated API usage +mvn compile -Werror:sunapi + +# Analyze code with SpotBugs (if configured) +mvn spotbugs:check +``` + +--- + +## Contributing + +- Follow coding standards outlined above +- Write unit tests for new functionality +- Ensure all tests pass: `mvn clean install` +- Update documentation for API changes +- Create pull request with clear description +- Respond to code review feedback +- Maintain backward compatibility where possible + +--- + +## Support & Contact + +**Team:** Checkmarx - AST Integrations Team +**Project Link:** https://github.com/CheckmarxDev/ast-cli-java-wrapper +**Issues:** GitHub Issues for bug reports and feature requests + +--- + +**Last Updated:** April 20, 2026 +**Status:** In Active Development From 472587fe27ac7abd7892f25d215b47c24bb018a3 Mon Sep 17 00:00:00 2001 From: atishj99 Date: Mon, 13 Jul 2026 13:49:33 +0530 Subject: [PATCH 2/5] Squashed commit of the following: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 8e107dc0222f47ca82e43df28c227bdf2d78379f Author: Atish Jadhav Date: Tue Jun 23 19:34:27 2026 +0530 security: fix SCA vulnerability for JUnit (#488) Co-authored-by: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com> commit 06dafaa396c177baeab1ca2d592a592977f3380c Author: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com> Date: Mon Jun 22 12:37:18 2026 +0100 security: harden release workflow and declare workflow_call secrets (#487) * security: harden release workflow and declare workflow_call secrets - Replace actions/checkout v4.3.1 with v6.0.3 and switch from PERSONAL_ACCESS_TOKEN to GITHUB_TOKEN - Fix script injection in Download CLI, Tag, Update POM, Build artifactId, and Publish steps by moving inputs to env vars - Replace deprecated ::set-output with $GITHUB_OUTPUT in Tag step - Update actions/setup-java v4.3.0 to v5.2.0 - Add explicit secrets declaration for workflow_call (MAVEN_GPG_PASSPHRASE, MAVEN_GPG_PRIVATE_KEY, OSSRH_TOKEN, OSSRH_USERNAME) - Fix broken shell conditional in Build artifactId property step * chore(gha): harden GitHub Actions workflows security * chore(gha): disable nightly trigger and remove pr-labeler workflow * chore(gha): configure echo mirror for Maven dependency resolution commit 6661e6016c1aec3e711fb0afe763997fbaa68971 Author: Atish Jadhav <141334503+cx-atish-jadhav@users.noreply.github.com> Date: Thu Jun 18 22:49:44 2026 +0530 Updating ast-cli version and binaries 2.3.54 (#485) * Updating ast-cli version and binaries * Harden workflows: scope permissions, fix set-output, replace dev-drprasad, remove repository_dispatch, comment notify and spotbugs * Remove Maven cache from release and CI workflows * Add publish input to gate Maven Central deploy --------- Co-authored-by: Luís Ventuzelos <207163323+cx-luis-ventuzelos@users.noreply.github.com> commit 06b449c4f896e2d6ffc2f0ae24139ea8aa4d94ec Author: Alon Rosenhek <80337069+cx-alon-rosenhek@users.noreply.github.com> Date: Thu Jun 18 16:57:16 2026 +0300 chore: remove .github/workflows/dependabot-auto-merge.yml commit 6fb3166e7b397aa295f02b8bdc2d5e0d3fbe1d08 Author: Ohad Israeli <243351248+cx-ohad-israeli@users.noreply.github.com> Date: Wed Jun 10 17:39:51 2026 +0300 chore: remove Dependabot configuration commit 814a504d0ad8e2d219aee6742c7bea2b7c3f74a2 Author: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Fri May 29 21:25:57 2026 -0400 [StepSecurity] Apply security best practices (#481) Signed-off-by: StepSecurity Bot Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com> --- .github/dependabot.yml | 17 --- .github/workflows/auto-merge-pr.yml | 20 ---- .github/workflows/checkmarx-one-scan.yml | 30 +++++ .github/workflows/ci.yml | 29 ++--- .github/workflows/dependabot-auto-merge.yml | 25 ---- .github/workflows/manual-tag.yml | 17 +-- .github/workflows/nightly.yml | 31 +++-- .github/workflows/pr-label.yml | 19 ---- .github/workflows/release.yml | 119 ++++++++++++-------- .github/workflows/update-cli.yml | 14 +-- checkmarx-ast-cli.version | 2 +- pom.xml | 12 ++ src/main/resources/cx-linux | 4 +- src/main/resources/cx-linux-arm | 4 +- src/main/resources/cx-mac | 4 +- src/main/resources/cx.exe | 4 +- 16 files changed, 176 insertions(+), 175 deletions(-) delete mode 100644 .github/dependabot.yml delete mode 100644 .github/workflows/auto-merge-pr.yml create mode 100644 .github/workflows/checkmarx-one-scan.yml delete mode 100644 .github/workflows/dependabot-auto-merge.yml delete mode 100644 .github/workflows/pr-label.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index 0d227cdc..00000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,17 +0,0 @@ -# To get started with Dependabot version updates, you'll need to specify which -# package ecosystems to update and where the package manifests are located. -# Please see the documentation for all configuration options: -# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates - -version: 2 -updates: - - package-ecosystem: "maven" # See documentation for possible values - directory: "/" # Location of package manifests - schedule: - interval: "daily" - - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - diff --git a/.github/workflows/auto-merge-pr.yml b/.github/workflows/auto-merge-pr.yml deleted file mode 100644 index d215fd2d..00000000 --- a/.github/workflows/auto-merge-pr.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: Post-Check Actions -on: [pull_request] - -permissions: - contents: write - -jobs: - dependabot-merge: - runs-on: cx-public-ubuntu-x64 - if: contains(github.head_ref, 'feature/update_cli') - steps: - - name: Enable auto-merge for Dependabot PRs - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }} - run: gh pr merge --auto --squash "$PR_URL" - - name: Auto approve dependabot PRs - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 #v4 - with: - github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml new file mode 100644 index 00000000..0c441b73 --- /dev/null +++ b/.github/workflows/checkmarx-one-scan.yml @@ -0,0 +1,30 @@ +name: Checkmarx One Scan +on: + workflow_dispatch: + pull_request: + push: + branches: + - main + schedule: + - cron: "00 7 * * *" # Every day at 07:00 + +permissions: + contents: read + +jobs: + cx-scan: + name: Checkmarx One Scan + permissions: + contents: read + runs-on: cx-public-ubuntu-x64 + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Checkmarx One CLI Action + uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc #v.2.3.19 + with: + base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }} + cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }} + cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }} + cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }} + additional_params: --tags sypher --threshold "sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 145ea6f7..e1f15117 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,14 +2,19 @@ name: AST Java Wrapper CI on: [ pull_request ] +permissions: + contents: read + jobs: integration-tests: + permissions: + contents: read runs-on: cx-public-ubuntu-x64 steps: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} lfs: true - name: Install Git LFS @@ -21,20 +26,16 @@ jobs: - name: Checkout LFS objects run: git lfs checkout - - name: Cache local Maven repository - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- - - name: Set up JDK 11 uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0 with: distribution: 'temurin' java-version: '11' + - name: Configure echo mirror for dependency resolution + run: | + sed -i 's||echocentralhttps://maven.echohq.com|' ~/.m2/settings.xml + - name: Check existence of cx-linux binary run: | if [ ! -f "src/main/resources/cx-linux" ]; then @@ -82,8 +83,8 @@ jobs: - name: Build with Maven run: mvn -B verify -DskipTests -Dgpg.skip --file pom.xml - - name: Run SpotBugs Analysis - if: ${{ github.actor != 'dependabot[bot]' }} - uses: jwgmeligmeyling/spotbugs-github-action@b8e2c3523acb34c87f14e18cbcd2d87db8c8584e #v1.2 - with: - path: '**/spotbugsXml.xml' + # - name: Run SpotBugs Analysis + # if: ${{ github.actor != 'dependabot[bot]' }} + # uses: jwgmeligmeyling/spotbugs-github-action@b8e2c3523acb34c87f14e18cbcd2d87db8c8584e #v1.2 + # with: + # path: '**/spotbugsXml.xml' diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml deleted file mode 100644 index 99bbfd66..00000000 --- a/.github/workflows/dependabot-auto-merge.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: Dependabot auto-merge -on: pull_request - -permissions: - contents: write - -jobs: - dependabot-merge: - runs-on: cx-public-ubuntu-x64 - if: ${{ github.actor == 'dependabot[bot]' }} - steps: - - name: Dependabot metadata - id: metadata - uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 #v2.2.0 - with: - github-token: "${{ secrets.PERSONAL_ACCESS_TOKEN }}" - - name: Enable auto-merge for Dependabot PRs - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }} - run: gh pr merge --auto --squash "$PR_URL" - - name: Auto approve dependabot PRs - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 #v4 - with: - github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} diff --git a/.github/workflows/manual-tag.yml b/.github/workflows/manual-tag.yml index 8fb056dc..57f0d508 100644 --- a/.github/workflows/manual-tag.yml +++ b/.github/workflows/manual-tag.yml @@ -19,14 +19,17 @@ jobs: - name: Checkout uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} - name: Tag + env: + INPUT_TAG: ${{ github.event.inputs.tag }} + PR_NUMBER: ${{ github.event.pull_request.number }} + PR_TITLE: ${{ github.event.pull_request.title }} run: | - echo ${{ github.event.inputs.tag }} - echo "NEXT_VERSION=${{ github.event.inputs.tag }}" >> $GITHUB_ENV - tag=${{ github.event.inputs.tag }} - message='${{ github.event.inputs.tag }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}' + echo "$INPUT_TAG" + echo "NEXT_VERSION=$INPUT_TAG" >> $GITHUB_ENV + message="$INPUT_TAG: PR #$PR_NUMBER $PR_TITLE" git config user.name "${GITHUB_ACTOR}" git config user.email "${GITHUB_ACTOR}@users.noreply.github.com" - git tag -a "${tag}" -m "${message}" - git push origin "${tag}" + git tag -a "$INPUT_TAG" -m "$message" + git push origin "$INPUT_TAG" diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 73efdc65..5a8b2c9f 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -1,26 +1,35 @@ name: Nightly Release on: - push: - branches: - - main + workflow_dispatch: # push disabled — re-enable when nightly is ready + # push: + # branches: + # - main + +permissions: + contents: read jobs: delete_tag: + permissions: + contents: write runs-on: cx-public-ubuntu-x64 steps: - - name: Delete release - uses: dev-drprasad/delete-tag-and-release@8cd619d00037e4aeb781909c9a6b03940507d0da # v1.0.1 + - name: Delete release and tag env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - delete_release: true - tag_name: 1.0.0-SNAPSHOT + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh release delete "1.0.0-SNAPSHOT" --yes --cleanup-tag --repo ${{ github.repository }} || true + nightly: needs: delete_tag - uses: CheckmarxDev/ast-cli-java-wrapper/.github/workflows/release.yml@main + uses: ./.github/workflows/release.yml with: tag: "1.0.0-SNAPSHOT" dev: true cliTag: "2.0.0-nightly" - secrets: inherit + secrets: + MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }} + MAVEN_GPG_PRIVATE_KEY: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} + OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }} + OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} diff --git a/.github/workflows/pr-label.yml b/.github/workflows/pr-label.yml deleted file mode 100644 index 00dd428e..00000000 --- a/.github/workflows/pr-label.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: PR Labeler -on: - pull_request: - types: [opened] - -permissions: - contents: read - -jobs: - pr-labeler: - permissions: - pull-requests: write # for TimonVS/pr-labeler-action to add labels in PR - runs-on: cx-public-ubuntu-x64 - steps: - - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af #v5 - with: - configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 40fc3593..81520b37 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,6 +16,11 @@ on: description: 'Version of the CLI to bundle' required: false type: string + publish: + description: 'Publish package to Maven Central' + required: false + default: false + type: boolean workflow_call: inputs: tag: @@ -31,25 +36,47 @@ on: description: 'Version of the CLI to bundle' required: false type: string + publish: + description: 'Publish package to Maven Central' + required: false + default: false + type: boolean + secrets: + MAVEN_GPG_PASSPHRASE: + required: true + MAVEN_GPG_PRIVATE_KEY: + required: true + OSSRH_TOKEN: + required: true + OSSRH_USERNAME: + required: true + +permissions: + contents: read jobs: release: + permissions: + id-token: write + contents: write runs-on: cx-public-ubuntu-x64 outputs: CLI_VERSION: ${{ steps.extract_cli_version.outputs.CLI_VERSION }} TAG_NAME: ${{ steps.set_tag_name.outputs.TAG_NAME }} steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: - token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} lfs: true - name: Download CLI if: inputs.cliTag + env: + INPUT_CLI_TAG: ${{ inputs.cliTag }} run: | chmod +x ./.github/scripts/update_cli.sh - ./.github/scripts/update_cli.sh ${{ inputs.cliTag }} + ./.github/scripts/update_cli.sh "$INPUT_CLI_TAG" - name: Extract CLI version id: extract_cli_version @@ -57,7 +84,7 @@ jobs: CLI_VERSION=$(./src/main/resources/cx-linux version | grep -Eo '^[0-9]+\.[0-9]+\.[0-9]+') echo "CLI version being packed is $CLI_VERSION" echo "CLI_VERSION=$CLI_VERSION" >> $GITHUB_ENV - echo "::set-output name=CLI_VERSION::$CLI_VERSION" + echo "CLI_VERSION=$CLI_VERSION" >> $GITHUB_OUTPUT - name: Check if CLI version is latest if: ${{ github.event.inputs.dev == 'false' && !github.event.inputs.cliTag && github.ref == 'refs/heads/main' }} @@ -76,27 +103,19 @@ jobs: - name: Tag id: set_tag_name + env: + INPUT_TAG: ${{ inputs.tag }} run: | - echo ${{ inputs.tag }} - tag=${{ inputs.tag }} - echo "RELEASE_VERSION=${{ inputs.tag }}" >> $GITHUB_ENV - message='${{ inputs.tag }}' + echo "$INPUT_TAG" + echo "RELEASE_VERSION=$INPUT_TAG" >> $GITHUB_ENV git config user.name "${GITHUB_ACTOR}" git config user.email "${GITHUB_ACTOR}@users.noreply.github.com" - git tag -a "${tag}" -m "${message}" - git push origin "${tag}" - echo "::set-output name=TAG_NAME::${{ inputs.tag }}" - - - name: Cache local Maven repository - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- + git tag -a "$INPUT_TAG" -m "$INPUT_TAG" + git push origin "$INPUT_TAG" + echo "TAG_NAME=$INPUT_TAG" >> $GITHUB_OUTPUT - name: Set up Maven Central Repository - uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: java-version: '11' distribution: 'temurin' @@ -106,51 +125,59 @@ jobs: gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} gpg-passphrase: MAVEN_GPG_PASSPHRASE + - name: Configure echo mirror for dependency resolution + run: | + sed -i 's||echocentralhttps://maven.echohq.com|' ~/.m2/settings.xml + - name: Update the POM version. - run: mvn -B versions:set -DnewVersion='${{ env.RELEASE_VERSION }}' --file pom.xml -DskipTests + run: mvn -B versions:set -DnewVersion="$RELEASE_VERSION" --file pom.xml -DskipTests - name: Build artifactId property + env: + INPUT_DEV: ${{ inputs.dev }} + INPUT_TAG: ${{ inputs.tag }} run: | prop='' - if [ ${{ inputs.dev }} = true ] && ![ "${{ inputs.tag }}" = "1.0.0-SNAPSHOT" ]; then + if [ "$INPUT_DEV" = "true" ] && [ "$INPUT_TAG" != "1.0.0-SNAPSHOT" ]; then prop='-Dast.wrapper.id=ast-cli-java-wrapper-dev' fi echo "AID_PROP=${prop}" >> $GITHUB_ENV - name: Publish package - run: mvn --batch-mode deploy -DskipTests ${{ env.AID_PROP }} + if: inputs.publish == true + run: mvn --batch-mode deploy -DskipTests $AID_PROP env: MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }} MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }} MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }} - name: Release - uses: softprops/action-gh-release@a6c7483a42ee9d5daced968f6c217562cd680f7f #v2 + uses: step-security/action-gh-release@277bfa82abcfdb73e5bbb19e213fd76532ee2be5 # v3.0.0 with: generate_release_notes: true tag_name: ${{ inputs.tag }} prerelease: ${{ inputs.dev }} - notify: - if: inputs.dev == false - needs: release - uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main - with: - product_name: Java Wrapper - release_version: ${{ needs.release.outputs.TAG_NAME }} - cli_release_version: ${{ needs.release.outputs.CLI_VERSION }} - release_author: "Sypher Team" - release_url: https://github.com/Checkmarx/ast-cli-java-wrapper/releases/tag/${{ needs.release.outputs.TAG_NAME }} - jira_product_name: JAVA_WRAPPER - secrets: inherit + # notify: + # if: inputs.dev == false + # needs: release + # uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main + # with: + # product_name: Java Wrapper + # release_version: ${{ needs.release.outputs.TAG_NAME }} + # cli_release_version: ${{ needs.release.outputs.CLI_VERSION }} + # release_author: "Sypher Team" + # release_url: https://github.com/Checkmarx/ast-cli-java-wrapper/releases/tag/${{ needs.release.outputs.TAG_NAME }} + # jira_product_name: JAVA_WRAPPER + # secrets: inherit - dispatch_auto_release: - name: Update Jenkins/Jetbrains/Eclipse Extensions With new Wrapper Version - if: inputs.dev == false - needs: notify - uses: Checkmarx/plugins-release-workflow/.github/workflows/dispatch-workflow.yml@main - with: - cli_version: ${{ needs.release.outputs.CLI_VERSION }} - is_cli_release: false - is_java_release: true - secrets: inherit + # dispatch_auto_release: + # name: Update Jenkins/Jetbrains/Eclipse Extensions With new Wrapper Version + # if: inputs.dev == false + # needs: notify + # uses: Checkmarx/plugins-release-workflow/.github/workflows/dispatch-workflow.yml@main + # with: + # cli_version: ${{ needs.release.outputs.CLI_VERSION }} + # is_cli_release: false + # is_java_release: true + # secrets: inherit diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml index f50894e1..64037254 100644 --- a/.github/workflows/update-cli.yml +++ b/.github/workflows/update-cli.yml @@ -2,8 +2,6 @@ name: Update checkmarx ast cli on: workflow_dispatch: - repository_dispatch: - types: [cli-version-update] permissions: contents: read @@ -31,8 +29,8 @@ jobs: - name: Get Latest Checkmarx API version id: checkmarx-ast-cli run: | - echo ::set-output name=release_tag::$(curl -sL https://api.github.com/repos/checkmarx/ast-cli/releases/latest | jq -r ".tag_name") - echo ::set-output name=current_tag::$(> $GITHUB_OUTPUT + echo "current_tag=$(> $GITHUB_OUTPUT - name: Update Checkmarx cli version if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag @@ -40,14 +38,16 @@ jobs: RELEASE_TAG: ${{ steps.checkmarx-ast-cli.outputs.release_tag }} run: | # Update current release - echo ${{ steps.checkmarx-ast-cli.outputs.release_tag }} > checkmarx-ast-cli.version + echo "$RELEASE_TAG" > checkmarx-ast-cli.version - name: Download latest cli and update branch if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag + env: + RELEASE_TAG: ${{ steps.checkmarx-ast-cli.outputs.release_tag }} run: | # Update binaries chmod +x ./.github/scripts/update_cli.sh - ./.github/scripts/update_cli.sh ${{ steps.checkmarx-ast-cli.outputs.release_tag }} + ./.github/scripts/update_cli.sh "$RELEASE_TAG" - name: Track large files with Git LFS if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag @@ -63,7 +63,7 @@ jobs: - name: Create Pull Request id: cretae_pull_request if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag - uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 #v6 + uses: step-security/create-pull-request@50c103da2b9ca12cd5bc013fc6931051a5aa872b # v8.1.1 with: token: ${{ secrets.AUTOMATION_TOKEN }} commit-message: Update checkmarx-ast-cli to ${{ steps.checkmarx-ast-cli.outputs.release_tag }} diff --git a/checkmarx-ast-cli.version b/checkmarx-ast-cli.version index aadd7fdc..fae17394 100644 --- a/checkmarx-ast-cli.version +++ b/checkmarx-ast-cli.version @@ -1 +1 @@ -2.3.48 +2.3.54 diff --git a/pom.xml b/pom.xml index 9e8faa71..a468a86c 100644 --- a/pom.xml +++ b/pom.xml @@ -30,6 +30,12 @@ com.googlecode.json-simple json-simple 1.1.1 + + + junit + junit + + com.fasterxml.jackson.core @@ -57,6 +63,12 @@ 5.10.2 test + + junit + junit + 4.13.1 + compile + diff --git a/src/main/resources/cx-linux b/src/main/resources/cx-linux index 1322d953..85f008ed 100755 --- a/src/main/resources/cx-linux +++ b/src/main/resources/cx-linux @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:f73e555c94ea77a10d31e37de49e40d3468ec2787e4e6d917539409210a8fe8d -size 81281208 +oid sha256:776d9864c0104e1d0023641ef931bd1c58478cf56768ce77f2bfbfd6e9e64493 +size 80568482 diff --git a/src/main/resources/cx-linux-arm b/src/main/resources/cx-linux-arm index 5b533e6d..10629171 100755 --- a/src/main/resources/cx-linux-arm +++ b/src/main/resources/cx-linux-arm @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:101acdd3d54073d9964986e279da786e527d0e649f5ae5473a79481bbb8389ef -size 76415160 +oid sha256:d40b3cfb9f930e96a9d6b494d4c7b9cd98e3bb857e55a0f55c92d764bb8c3c1a +size 75235490 diff --git a/src/main/resources/cx-mac b/src/main/resources/cx-mac index d016514b..e137bc67 100755 --- a/src/main/resources/cx-mac +++ b/src/main/resources/cx-mac @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:71a744df366cddf2312b2e4a51f1174ab785d06b48506e08c3c8ee9cde8f82cf -size 162260464 +oid sha256:df4a2d6b72936afa65df8730f0ee491f6d518286421063f50df2e48d3d5b56f9 +size 160422432 diff --git a/src/main/resources/cx.exe b/src/main/resources/cx.exe index 4d61a0c0..f2f6b695 100644 --- a/src/main/resources/cx.exe +++ b/src/main/resources/cx.exe @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:489659950e778b01bf66ba126cd52a1acf8f124db62407b190516c12648baf6b -size 83262400 +oid sha256:c7227ac9dd89f344c12629d367774a2428595b3daff0a2e710981d924f13dbf4 +size 82488128 From 89cfcc0a4cc1cbffa9f194ba80f525d7ef574013 Mon Sep 17 00:00:00 2001 From: atishj99 Date: Thu, 16 Jul 2026 18:20:39 +0530 Subject: [PATCH 3/5] Update to AST CLI 2.3.55 and switch to Echo repository Updates the AST CLI binaries to version 2.3.55 across all platforms (Linux, Linux ARM, macOS, Windows). Switches distribution from Sonatype Central to Checkmarx's Echo repository, adds Echo repository configuration to pom.xml for dependencies and plugins, and configures Maven mirror authentication in CI/release workflows with ECHO_LIBRARIES_ACCESS_KEY secret. Also adds .vscode to gitignore. --- .github/workflows/ci.yml | 4 +++- .github/workflows/release.yml | 6 +++++- .gitignore | 3 ++- checkmarx-ast-cli.version | 2 +- pom.xml | 22 ++++++++++++++++++++-- src/main/resources/cx-linux | 4 ++-- src/main/resources/cx-linux-arm | 4 ++-- src/main/resources/cx-mac | 4 ++-- src/main/resources/cx.exe | 4 ++-- 9 files changed, 39 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e1f15117..13457dc4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,9 @@ jobs: - name: Configure echo mirror for dependency resolution run: | - sed -i 's||echocentralhttps://maven.echohq.com|' ~/.m2/settings.xml + sed -i 's||echo-repo'"$ECHO_LIBRARIES_ACCESS_KEY"'echo*https://maven.echohq.com|' ~/.m2/settings.xml + env: + ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }} - name: Check existence of cx-linux binary run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 81520b37..2845f37d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -50,6 +50,8 @@ on: required: true OSSRH_USERNAME: required: true + ECHO_LIBRARIES_ACCESS_KEY: + required: true permissions: contents: read @@ -127,7 +129,9 @@ jobs: - name: Configure echo mirror for dependency resolution run: | - sed -i 's||echocentralhttps://maven.echohq.com|' ~/.m2/settings.xml + sed -i 's||echo-repo'"$ECHO_LIBRARIES_ACCESS_KEY"'echo*https://maven.echohq.com|' ~/.m2/settings.xml + env: + ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }} - name: Update the POM version. run: mvn -B versions:set -DnewVersion="$RELEASE_VERSION" --file pom.xml -DskipTests diff --git a/.gitignore b/.gitignore index d6921c32..921e4fdf 100644 --- a/.gitignore +++ b/.gitignore @@ -32,4 +32,5 @@ docker-compose.override.yml ################################# Thumbs.db .directory -.DS_Store \ No newline at end of file +.DS_Store +/.vscode diff --git a/checkmarx-ast-cli.version b/checkmarx-ast-cli.version index fae17394..e62a93d5 100644 --- a/checkmarx-ast-cli.version +++ b/checkmarx-ast-cli.version @@ -1 +1 @@ -2.3.54 +2.3.55 diff --git a/pom.xml b/pom.xml index a468a86c..2cf77cba 100644 --- a/pom.xml +++ b/pom.xml @@ -211,14 +211,32 @@ + + + echo-repo + https://maven.echohq.com + + - central - https://central.sonatype.com/api/v1/publish + echo-repo + https://maven.echohq.com + + + echo-repo + https://maven.echohq.com + + true + + + false + + + diff --git a/src/main/resources/cx-linux b/src/main/resources/cx-linux index 85f008ed..452bd052 100755 --- a/src/main/resources/cx-linux +++ b/src/main/resources/cx-linux @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:776d9864c0104e1d0023641ef931bd1c58478cf56768ce77f2bfbfd6e9e64493 -size 80568482 +oid sha256:d76d1d464af46b0dc5976f8c79560344d86e1641b6eb1959e7a8120f5eab7293 +size 83103906 diff --git a/src/main/resources/cx-linux-arm b/src/main/resources/cx-linux-arm index 10629171..0f29d97b 100755 --- a/src/main/resources/cx-linux-arm +++ b/src/main/resources/cx-linux-arm @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:d40b3cfb9f930e96a9d6b494d4c7b9cd98e3bb857e55a0f55c92d764bb8c3c1a -size 75235490 +oid sha256:19f2a49ce38731f078fc7e17e92fdde86e0ba43cd61b0cd9a89636308b9710e5 +size 77529250 diff --git a/src/main/resources/cx-mac b/src/main/resources/cx-mac index e137bc67..951f21fa 100755 --- a/src/main/resources/cx-mac +++ b/src/main/resources/cx-mac @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:df4a2d6b72936afa65df8730f0ee491f6d518286421063f50df2e48d3d5b56f9 -size 160422432 +oid sha256:2a777f54cae91dc22e27dead84734ef5e84107011c9ffde441be988b9c25ac86 +size 165550656 diff --git a/src/main/resources/cx.exe b/src/main/resources/cx.exe index f2f6b695..7d3cbb8d 100644 --- a/src/main/resources/cx.exe +++ b/src/main/resources/cx.exe @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:c7227ac9dd89f344c12629d367774a2428595b3daff0a2e710981d924f13dbf4 -size 82488128 +oid sha256:8c9bf6f587910590eebde2364f19c4884f814561afbcdfcc9be3f038fdfc1199 +size 85082432 From e3e876c090fc3768705369c24e18fda03f943358 Mon Sep 17 00:00:00 2001 From: atishj99 Date: Thu, 16 Jul 2026 20:54:39 +0530 Subject: [PATCH 4/5] Release 2.3.56 with Jackson 2.22.0 update Update Jackson dependency from 2.21.1 to 2.22.0 and bump CLI version to 2.3.56. Also includes: - Updated CLI binaries for all platforms (Linux, Linux ARM, macOS, Windows) - Fixed Maven mirror ID in CI workflows from 'echo' to 'echo-repo' for proper dependency resolution --- .github/workflows/ci.yml | 2 +- .github/workflows/release.yml | 2 +- checkmarx-ast-cli.version | 2 +- pom.xml | 2 +- src/main/resources/cx-linux | 4 ++-- src/main/resources/cx-linux-arm | 4 ++-- src/main/resources/cx-mac | 4 ++-- src/main/resources/cx.exe | 4 ++-- 8 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 13457dc4..ff90c8f5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,7 @@ jobs: - name: Configure echo mirror for dependency resolution run: | - sed -i 's||echo-repo'"$ECHO_LIBRARIES_ACCESS_KEY"'echo*https://maven.echohq.com|' ~/.m2/settings.xml + sed -i 's||echo-repo'"$ECHO_LIBRARIES_ACCESS_KEY"'echo-repo*https://maven.echohq.com|' ~/.m2/settings.xml env: ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2845f37d..cf69254d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -129,7 +129,7 @@ jobs: - name: Configure echo mirror for dependency resolution run: | - sed -i 's||echo-repo'"$ECHO_LIBRARIES_ACCESS_KEY"'echo*https://maven.echohq.com|' ~/.m2/settings.xml + sed -i 's||echo-repo'"$ECHO_LIBRARIES_ACCESS_KEY"'echo-repo*https://maven.echohq.com|' ~/.m2/settings.xml env: ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }} diff --git a/checkmarx-ast-cli.version b/checkmarx-ast-cli.version index e62a93d5..ffd98d1f 100644 --- a/checkmarx-ast-cli.version +++ b/checkmarx-ast-cli.version @@ -1 +1 @@ -2.3.55 +2.3.56 diff --git a/pom.xml b/pom.xml index 2cf77cba..fdfeca80 100644 --- a/pom.xml +++ b/pom.xml @@ -40,7 +40,7 @@ com.fasterxml.jackson.core jackson-databind - 2.21.1 + 2.22.0 org.projectlombok diff --git a/src/main/resources/cx-linux b/src/main/resources/cx-linux index 452bd052..6c6363da 100755 --- a/src/main/resources/cx-linux +++ b/src/main/resources/cx-linux @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:d76d1d464af46b0dc5976f8c79560344d86e1641b6eb1959e7a8120f5eab7293 -size 83103906 +oid sha256:e3fa59f01572047bcbfb7d1f437a5b525d067e1427fc12d5d486ffd4aa25bd34 +size 83243170 diff --git a/src/main/resources/cx-linux-arm b/src/main/resources/cx-linux-arm index 0f29d97b..9d9f854e 100755 --- a/src/main/resources/cx-linux-arm +++ b/src/main/resources/cx-linux-arm @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:19f2a49ce38731f078fc7e17e92fdde86e0ba43cd61b0cd9a89636308b9710e5 -size 77529250 +oid sha256:d08b765c42fa2dfa214cdfc0d5c75f6b28a303e38bd391098ffbb4e44ba448d6 +size 77660322 diff --git a/src/main/resources/cx-mac b/src/main/resources/cx-mac index 951f21fa..efd0c4e5 100755 --- a/src/main/resources/cx-mac +++ b/src/main/resources/cx-mac @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:2a777f54cae91dc22e27dead84734ef5e84107011c9ffde441be988b9c25ac86 -size 165550656 +oid sha256:0e40325ced824f2c3689e5b0e5b5893a4f772a18b36531965105b92563707bb5 +size 165800304 diff --git a/src/main/resources/cx.exe b/src/main/resources/cx.exe index 7d3cbb8d..6b8530e8 100644 --- a/src/main/resources/cx.exe +++ b/src/main/resources/cx.exe @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:8c9bf6f587910590eebde2364f19c4884f814561afbcdfcc9be3f038fdfc1199 -size 85082432 +oid sha256:6d15db3840c4fb3492bc211879aedd35ee0af076c1475b4c33dcd996c0f333d9 +size 85228864 From 61cd5a315970d6a1d3898215735b58ce7a528d50 Mon Sep 17 00:00:00 2001 From: atishj99 Date: Thu, 16 Jul 2026 21:50:00 +0530 Subject: [PATCH 5/5] Improve Maven echo mirror config in GH workflows Make configuring the Echo Maven mirror more robust in CI and release workflows. In .github/workflows/ci.yml create ~/.m2 and write a complete settings.xml via heredoc (ensures the file exists and injects the echo-repo server/mirror using the ECHO_LIBRARIES_ACCESS_KEY secret). In .github/workflows/release.yml replace the single fragile sed with two targeted sed commands to insert the server and mirrors entries. These changes reduce brittle sed usage and avoid failures when ~/.m2/settings.xml is missing or structured differently. --- .github/workflows/ci.yml | 21 ++++++++++++++++++++- .github/workflows/release.yml | 3 ++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ff90c8f5..85f77102 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,26 @@ jobs: - name: Configure echo mirror for dependency resolution run: | - sed -i 's||echo-repo'"$ECHO_LIBRARIES_ACCESS_KEY"'echo-repo*https://maven.echohq.com|' ~/.m2/settings.xml + mkdir -p ~/.m2 + cat > ~/.m2/settings.xml << EOF + + + + + echo-repo + * + https://maven.echohq.com + + + + + echo-repo + + ${ECHO_LIBRARIES_ACCESS_KEY} + + + + EOF env: ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cf69254d..e2f87b45 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -129,7 +129,8 @@ jobs: - name: Configure echo mirror for dependency resolution run: | - sed -i 's||echo-repo'"$ECHO_LIBRARIES_ACCESS_KEY"'echo-repo*https://maven.echohq.com|' ~/.m2/settings.xml + sed -i 's||echo-repo'"$ECHO_LIBRARIES_ACCESS_KEY"'|' ~/.m2/settings.xml + sed -i 's||echo-repo*https://maven.echohq.com|' ~/.m2/settings.xml env: ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }}