Merge branch 'main' into Task_25406

Checkmarx · Aug 9, 2023 · ae48b77 · ae48b77
2 parents aa726ad + 44a356d
commit ae48b77
Show file tree

Hide file tree

Showing 8 changed files with 36 additions and 19 deletions.
diff --git a/go.mod b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/viper v1.16.0
 	github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80
-	golang.org/x/crypto v0.11.0
+	golang.org/x/crypto v0.12.0
 	gotest.tools v2.2.0+incompatible
 )
 
@@ -33,8 +33,8 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
-	golang.org/x/sys v0.10.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/sys v0.11.0 // indirect
+	golang.org/x/text v0.12.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -1074,8 +1074,8 @@ golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
-golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
-golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1340,8 +1340,9 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -1352,7 +1353,7 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
+golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1369,8 +1370,8 @@ golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
-golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
+golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

diff --git a/internal/commands/result.go b/internal/commands/result.go
@@ -75,6 +75,7 @@ const (
 	scaLastScanTimeFlagDescription          = "SCA last scan time. Available options: integer above 1"
 	projectPrivatePackageFlagDescription    = "Enable or disable project private package. Available options: true,false"
 	scaPrivatePackageVersionFlagDescription = "SCA project private package version. Example: 0.1.1"
+	policeManagementNoneStatus              = "none"
 )
 
 var filterResultsListFlagUsage = fmt.Sprintf(
@@ -493,7 +494,7 @@ func writeConsoleSummary(summary *wrappers.ResultSummary) error {
 				"              API Security - Total Detected APIs: %d                       \n",
 				summary.APISecurity.APICount)
 		}
-		if summary.Policies != nil {
+		if summary.Policies != nil && !strings.EqualFold(summary.Policies.Status, policeManagementNoneStatus) {
 			fmt.Printf("              -----------------------------------     \n\n")
 			if summary.Policies.BreakBuild {
 				fmt.Printf("            Policy Management Violation - Break Build Enabled:                     \n")
@@ -541,7 +542,7 @@ func writeConsoleSummary(summary *wrappers.ResultSummary) error {
 		} else {
 			fmt.Printf("              |              SCA: %*d|     \n", defaultPaddingSize, summary.ScaIssues)
 		}
-		fmt.Printf("\n")
+		fmt.Printf("              -----------------------------------     \n\n")
 		fmt.Printf("              Checkmarx One - Scan Summary & Details: %s\n", summary.BaseURI)
 	} else {
 		fmt.Printf("Scan executed in asynchronous mode or still running. Hence, no results generated.\n")

diff --git a/internal/commands/util/learnmore.go b/internal/commands/util/learnmore.go
@@ -1,14 +1,15 @@
 package util
 
+// nolint:goimports
 import (
-	"log"
-
 	"github.com/MakeNowJust/heredoc"
 	"github.com/checkmarx/ast-cli/internal/commands/util/printer"
 	"github.com/checkmarx/ast-cli/internal/params"
 	"github.com/checkmarx/ast-cli/internal/wrappers"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
+	"html"
+	"log"
 )
 
 const defaultFormat = "list"
@@ -100,9 +101,9 @@ func toLearnMoreResponseView(response *[]*wrappers.LearnMoreResponse) interface{
 				QueryName:              resp.QueryName,
 				QueryDescriptionID:     resp.QueryDescriptionID,
 				ResultDescription:      resp.ResultDescription,
-				Risk:                   resp.Risk,
-				Cause:                  resp.Cause,
-				GeneralRecommendations: resp.GeneralRecommendations,
+				Risk:                   html.EscapeString(resp.Risk),
+				Cause:                  html.EscapeString(resp.Cause),
+				GeneralRecommendations: html.EscapeString(resp.GeneralRecommendations),
 				Samples:                addSampleResponses(resp.Samples),
 			},
 		)

diff --git a/internal/params/filters.go b/internal/params/filters.go
@@ -128,6 +128,8 @@ var BaseFilters = []string{
 	"*.plist",
 	"go.mod",
 	"go.sum",
+	"Podfile",
+	"Podfile.lock",
 }
 
 var KicsBaseFilters = []string{

diff --git a/internal/wrappers/results-http.go b/internal/wrappers/results-http.go
@@ -61,6 +61,7 @@ func (r *ResultsHTTPWrapper) GetAllResultsByScanID(params map[string]string) (
 		if err != nil {
 			return nil, nil, errors.Wrapf(err, failedToParseGetResults)
 		}
+
 		return &model, nil, nil
 	default:
 		return nil, nil, errors.Errorf("response status code %d", resp.StatusCode)

diff --git a/internal/wrappers/results-modifier.go b/internal/wrappers/results-modifier.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"html"
 	"strings"
 
 	"github.com/checkmarx/ast-cli/internal/logger"
@@ -54,12 +55,22 @@ func (s *ScanResult) UnmarshalJSON(data []byte) error {
 	s.Status = strings.TrimSpace(s.Status)
 	s.State = strings.TrimSpace(s.State)
 	s.Severity = strings.TrimSpace(s.Severity)
-
 	if s.Description == "" && s.ScanResultData.Description != "" {
 		s.Description = s.ScanResultData.Description
 		s.ScanResultData.Description = ""
+	} else {
+		s.Description = html.EscapeString(s.Description)
+		s.ScanResultData.Description = html.EscapeString(s.ScanResultData.Description)
+	}
+	if s.ScanResultData.Nodes != nil {
+		for _, node := range s.ScanResultData.Nodes {
+			if node.Name == "" {
+				continue
+			}
+			node.Name = html.EscapeString(node.Name)
+			node.FullName = html.EscapeString(node.FullName)
+		}
 	}
-
 	// Convert markdown description to html description
 	s.DescriptionHTML = string(markdown.ToHTML([]byte(s.Description), nil, nil))
 

diff --git a/internal/wrappers/scan-kics-realtime.go b/internal/wrappers/scan-kics-realtime.go
@@ -24,7 +24,7 @@ type KicsFiles struct {
 	Line            uint   `json:"line"`
 	IssueType       string `json:"issue_type"`
 	SearchKey       string `json:"search_key"`
-	SearchLine      uint   `json:"search_line"`
+	SearchLine      int    `json:"search_line"`
 	SearchValue     string `json:"search_value"`
 	ExpectedValue   string `json:"expected_value"`
 	ActualValue     string `json:"actual_value"`