Merge branch 'main' into other/remove-node-modules-1

.github/workflows/ast-scan.yml

@@ -1,18 +1,25 @@
 name: Checkmarx One Scan
-
-on: [ pull_request, workflow_dispatch ]
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: '00 7 * * *' # Every day at 07:00
 
 jobs:
   cx-scan:
+    name: Checkmarx One Scan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Checkmarx One CLI Action
-        uses: checkmarx/ast-github-action@1fe318de2993222574e6249750ba9000a4e2a6cd #v2.0.33 - Check for the latest version and updated here if there is a new one
+        uses: checkmarx/ast-github-action@03a90e7253dadd7e2fff55f5dfbce647b39040a1 # v.2.0.37
         with:
           base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
           cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
           cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
           cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
-          additional_params: --tags phoenix --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;sca-critical=1;sca-high=1;sca-medium=2;sca-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1" --debug
+          additional_params: --tags phoenix --threshold "sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1"

.github/workflows/ci.yml

@@ -7,12 +7,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Use Node.js 14
+      - name: Use Node.js 20
         uses: actions/[email protected]
         env:
           INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}
         with:
-          node-version: 14
+          node-version: 20
       - name: Authenticate with GitHub package registry
         run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}" > ~/.npmrc
       - name: npm install

cxAstScan/package.json

@@ -1,6 +1,6 @@
 {
   "dependencies": {
-    "azure-pipelines-task-lib": "4.10.1",
-    "@checkmarxdev/ast-cli-javascript-wrapper-runtime-cli": "1.0.2"
+    "azure-pipelines-task-lib": "4.13.0",
+    "@checkmarxdev/ast-cli-javascript-wrapper-runtime-cli": "1.0.4"
   }
 }

cxAstScan/services/CleanUpRunner.ts

@@ -7,62 +7,98 @@ export class CleanUpRunner {
     cxWrapperFactory= new CxWrapperFactory();
 
     async run() {
-        console.log("Getting job status");
-        const jobStatus = taskLib.getVariable('AGENT_JOBSTATUS');
-        console.log("Job status: " + jobStatus);
-        if (jobStatus !== 'Canceled') {
-            console.log("Pipeline not cancelled, nothing to do.");
-            taskLib.setResult(taskLib.TaskResult.Succeeded, "");
-            return;
-        }
-
-        const cxScanConfig = getConfiguration();
-        const wrapper = await this.cxWrapperFactory.createWrapper(cxScanConfig);
-        let data: string;
-
         try {
-            data = await fs.readFile(getLogFilename(), 'utf8')
-        } catch (err: any) {
-            if (err.code === 'ENOENT') {
-                console.log("Log file not created. Task ended successfully")
+            console.log("Getting job status");
+            const jobStatus = taskLib.getVariable('AGENT_JOBSTATUS');
+            console.log("Job status: " + jobStatus);
+            if (jobStatus !== 'Canceled') {
+                console.log("Pipeline not cancelled, nothing to do.");
                 taskLib.setResult(taskLib.TaskResult.Succeeded, "");
-            } else if (err.code === 'EACCES') {
-                console.log('No permissions to read log file')
-                taskLib.setResult(taskLib.TaskResult.Failed, "")
-            } else {
-                throw err
+                return;
             }
-            return
-        }
 
-        //Regex to get the scanID ofthe logs
-        const regexScanId = new RegExp(/"(ID)":"((\\"|[^"])*)"/i);
+            const cxScanConfig = getConfiguration();
+            const wrapper = await this.cxWrapperFactory.createWrapper(cxScanConfig);
+            let data: string;
 
-        const regexArray = regexScanId.exec(data!);
+            try {
+                data = await fs.readFile(getLogFilename(), 'utf8')
+            } catch (err: any) {
+                if (err.code === 'ENOENT') {
+                    console.log("Log file not created. Task ended successfully")
+                    taskLib.setResult(taskLib.TaskResult.Succeeded, "");
+                } else if (err.code === 'EACCES') {
+                    console.log('No permissions to read log file')
+                    taskLib.setResult(taskLib.TaskResult.Failed, "")
+                } else {
+                    throw err
+                }
+                return
+            }
 
-        try {
-            if (regexArray) {
-                //m[2] is the scanID
-                console.log("Canceling scan with ID: " + regexArray[2])
-                await wrapper.scanCancel(regexArray[2]);
-            } else {
-                console.log("Scan not created. Terminating job.")
+            //Regex to get the scanID ofthe logs
+            const regexScanId = new RegExp(/"(ID)":"((\\"|[^"])*)"/i);
+
+            const regexArray = regexScanId.exec(data!);
+
+            try {
+                if (regexArray) {
+                    //m[2] is the scanID
+                    console.log("Canceling scan with ID: " + regexArray[2])
+                    await wrapper.scanCancel(regexArray[2]);
+                } else {
+                    console.log("Scan not created. Terminating job.")
+                }
+            } catch (err) {
+                console.log("Error canceling scan: " + err + " " + Date.now().toString())
+                taskLib.setResult(taskLib.TaskResult.Failed, "");
+                return
             }
+
+            taskLib.setResult(taskLib.TaskResult.Succeeded, "");
+
         } catch (err) {
-            console.log("Error canceling scan: " + err + " " + Date.now().toString())
-            taskLib.setResult(taskLib.TaskResult.Failed, "");
             return
+        } finally {
+            await this.deleteZipFile()
+            await this.deleteLogFile()
         }
+    }
 
-        taskLib.setResult(taskLib.TaskResult.Succeeded, "");
+    async deleteZipFile(): Promise<void> {
+        try {
+            const logFileName = getLogFilename();
+            const data = await fs.readFile(logFileName, 'utf-8');
+            const zipFilePath = this.extractZipFilePath(data);
+            if (zipFilePath) {
+                // Delete the zip file
+                await fs.unlink(zipFilePath);
+                console.log(`Deleted zip file: ${zipFilePath}`);
+            } else {
+                console.log('No zip file path found in the log file.');
+            }
+        } catch (error: any) {
+            if(error.code === 'ENOENT') {
+                console.log('Zip file already deleted.');
+            }
+            else {
+                console.error('Error deleting zip file', error);
+            }
+        }
+    }
 
+    async deleteLogFile(): Promise<void> {
         try {
-            fs.unlink(getLogFilename())
-            //file removed
+            await fs.unlink(getLogFilename());
+            console.log('Log file deleted successfully.');
         } catch (err) {
-            console.log("Unable to delete log file.", err)
+            console.log("Unable to delete log file.", err);
         }
-
     }
 
+    extractZipFilePath(data: string): string | null {
+        const zipFilePattern = /Temporary zip file path:\s*(.*)$/m;
+        const match = data.match(zipFilePattern);
+        return match ? match[1].trim() : null;
+    }
 }