merge with main

Checkmarx · May 23, 2024 · c7db597 · c7db597
2 parents 9815a8e + 8c7dfec
commit c7db597
Show file tree

Hide file tree

Showing 145 changed files with 5,465 additions and 866 deletions.
diff --git a/.github/scripts/signing_win.sh b/.github/scripts/signing_win.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# The purpose of this script is to sign Windows binaries on the remote Checkmarx signing server as part of the CI process
+
+# Check if FILEPATH parameter is provided
+if [ -z "$1" ]; then
+  echo "Usage: $0 <filename>"
+  exit 1
+fi
+
+FILEPATH=$1
+OS_TYPE=$2
+FILENAME=$(basename "$FILEPATH")
+FILENAME_SIGNED="$FILENAME"_signed
+
+# Define remote server details
+REMOTE_USER=$SIGNING_REMOTE_SSH_USER
+REMOTE_HOST=$SIGNING_REMOTE_SSH_HOST
+REMOTE_PATH="/tmp"
+
+# HSM credentials
+HSM_CREDS=$SIGNING_HSM_CREDS
+
+# Check if OS is windows
+if [ "$OS_TYPE" != "windows" ]; then
+  echo "The artifact is not a windows binary file, exiting."
+  exit 0
+fi
+
+# Check if required variables are set
+if [ -z "$REMOTE_USER" ] || [ -z "$REMOTE_HOST" ] || [ -z "$HSM_CREDS" ] || [ -z "$SIGNING_REMOTE_SSH_PRIVATE_KEY" ]; then
+  echo "Required environment variables are not set"
+  exit 1
+fi
+
+# Create an SSH key file from the secret
+SSH_KEY_PATH=$(mktemp)
+echo "$SIGNING_REMOTE_SSH_PRIVATE_KEY" > "$SSH_KEY_PATH"
+chmod 600 "$SSH_KEY_PATH"
+
+# Ensure cleanup of temporary files on exit
+trap 'rm -f "$SSH_KEY_PATH"' EXIT
+
+# Be sure we don't have already uploaded filess on the remote server
+ssh -n -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST" "rm -f '$REMOTE_PATH/$FILENAME' && rm -f '$REMOTE_PATH/$FILENAME_SIGNED'"
+
+# Upload file via scp
+scp -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$FILEPATH" "$REMOTE_USER@$REMOTE_HOST:$REMOTE_PATH"
+# Check if file was uploaded
+if [ $? -ne 0 ]; then
+    echo "Failed to copy $FILEPATH"
+    exit 1
+fi
+
+# Sign
+ssh -n -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST" "osslsigncode sign -certs /home/ubuntu/checkmarx.crt  -key 'pkcs11:object=CNGRSAPriv-cx-signing' -pass $HSM_CREDS -pkcs11module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so -t http://timestamp.digicert.com -in '$REMOTE_PATH/$FILENAME' -out '$REMOTE_PATH/$FILENAME_SIGNED'"
+# Check remote command status
+if [ $? -ne 0 ]; then
+    echo "Failed to sign file $FILENAME"
+    ssh -n -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST" "rm -f '$REMOTE_PATH/$FILENAME'"
+    exit 1
+fi
+
+# Download signed file via scp
+scp -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST:$REMOTE_PATH/$FILENAME_SIGNED" "/tmp/$FILENAME_SIGNED"
+# Check the status
+if [ $? -ne 0 ]; then
+    echo "Failed to download signed file $FILENAME_SIGNED"
+    ssh -n -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST" "rm -f '$REMOTE_PATH/$FILENAME' && rm -f '$REMOTE_PATH/$FILENAME_SIGNED'"
+    exit 1
+fi
+
+# Replace original file with the signed
+rm -f "$FILEPATH" && mv "/tmp/$FILENAME_SIGNED" "$FILEPATH"
+
+# Cleanup remote server
+ssh -n -i "$SSH_KEY_PATH" -o StrictHostKeyChecking=no "$REMOTE_USER@$REMOTE_HOST" "rm -f '$REMOTE_PATH/$FILENAME' && rm -f '$REMOTE_PATH/$FILENAME_SIGNED'"
+# Cleanup
+rm -f "$SSH_KEY_PATH"
+echo "Signing process completed successfully."
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -3,9 +3,6 @@ name: Checkmarx One CLI
 on:
   pull_request:
 
-env:
-  GO_VERSION: '1.21.5'
-
 jobs:
   unit-tests:
     runs-on: ubuntu-latest
@@ -15,7 +12,7 @@ jobs:
       - name: Set up Go version
         uses: actions/setup-go@v4
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
       - run: go version
       - name: go test with coverage
         run: |
@@ -42,7 +39,7 @@ jobs:
       - name: Set up Go version
         uses: actions/setup-go@v4
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
       - run: go version
       - name: Go Build
         run: go build -o ./bin/cx ./cmd
@@ -66,12 +63,12 @@ jobs:
           PR_GITHUB_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
           PR_GITHUB_NAMESPACE: "checkmarx"
           PR_GITHUB_REPO_NAME: "ast-cli"
-          PR_GITHUB_NUMBER: 418
+          PR_GITHUB_NUMBER: 419
           PR_GITLAB_TOKEN : ${{ secrets.PR_GITLAB_TOKEN }}
-          PR_GITLAB_NAMESPACE: "tiagobcx"
-          PR_GITLAB_REPO_NAME: "testProject"
-          PR_GITLAB_PROJECT_ID: 40227565
-          PR_GITLAB_IID: 19
+          PR_GITLAB_NAMESPACE: ${{ secrets.PR_GITLAB_NAMESPACE }}
+          PR_GITLAB_REPO_NAME: ${{ secrets.PR_GITLAB_REPO_NAME }}
+          PR_GITLAB_PROJECT_ID: ${{ secrets.PR_GITLAB_PROJECT_ID }}
+          PR_GITLAB_IID: ${{ secrets.PR_GITLAB_IID }}
           AZURE_ORG: ${{ secrets.AZURE_ORG }}
           AZURE_PROJECT: ${{ secrets.AZURE_PROJECT }}
           AZURE_REPOS: ${{ secrets.AZURE_REPOS }}
@@ -113,10 +110,10 @@ jobs:
       - name: Set up Go version
         uses: actions/setup-go@v4
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
       - run: go version
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc #v3
         with:
           skip-pkg-cache: true
           version: v1.54.2
@@ -127,7 +124,7 @@ jobs:
     name: govulncheck
     steps:
       - id: govulncheck
-        uses: golang/govulncheck-action@v1
+        uses: golang/govulncheck-action@7da72f730e37eeaad891fcff0a532d27ed737cd4 #v1
         with:
-          go-version-input: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
           go-package: ./...
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -11,7 +11,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/[email protected]
+        uses: dependabot/fetch-metadata@bfac3fa29cc6834ca2e3fd659343da191a65d971 # v1.3.1
         with:
           github-token: "${{ secrets.GH_TOKEN }}"
       - name: Enable auto-merge for Dependabot PRs
@@ -20,6 +20,6 @@ jobs:
           GITHUB_TOKEN: ${{secrets.GH_TOKEN}}
         run: gh pr merge --auto --merge "$PR_URL"
       - name: Auto approve dependabot PRs
-        uses: hmarr/auto-approve-action@v2
+        uses: hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd #v2
         with:
           github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
diff --git a/.github/workflows/jira_notify.yml b/.github/workflows/jira_notify.yml
@@ -27,15 +27,15 @@ jobs:
       JIRA_URL: "https://checkmarx.atlassian.net/"
     steps:
       - name: Jira Login
-        uses: atlassian/gajira-login@v3
+        uses: atlassian/gajira-login@ca13f8850ea309cf44a6e4e0c49d9aa48ac3ca4c #v3
         env:
           JIRA_BASE_URL: ${{ env.JIRA_URL }}
           JIRA_USER_EMAIL: ${{ secrets.AST_JIRA_USER_EMAIL }}
           JIRA_API_TOKEN: ${{ secrets.AST_JIRA_API_TOKEN }}
 
       - name: Jira Create issue
         id: create_jira_issue
-        uses: atlassian/gajira-create@v3
+        uses: atlassian/gajira-create@1ff0b6bd115a780592b47bfbb63fc4629132e6ec #v3
         with:
           project: AST
           issuetype: Task
@@ -55,7 +55,7 @@ jobs:
             })
 
       - name: Send a teams notification
-        uses: thechetantalwar/teams-notify@v2
+        uses: thechetantalwar/teams-notify@8a78811f5e8f58cdd204efebd79158006428c46b #v2
         with:
           teams_webhook_url: ${{ secrets.TEAMS_WEBHOOK_URI }}
           message: "Github issue created ${{ github.repository }} - Link - ${{inputs.html_url}} - Jira Issue - ${{ env.JIRA_URL }}/browse/${{ steps.create_jira_issue.outputs.issue }}"
diff --git a/.github/workflows/manual-integration-test.yml b/.github/workflows/manual-integration-test.yml
@@ -53,7 +53,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: '^1.17.1'
+          go-version-file: go.mod
       - name: Setup git
         run: git config --global url."https://${{ secrets.PERSONAL_ACCESS_TOKEN }}:@github.com/".insteadOf "https://github.com"
       - name: Download

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Delete release
-        uses: dev-drprasad/[email protected]
+        uses: dev-drprasad/delete-tag-and-release@5eafd8668311bf3e4d6c1e9898f32a317103de68 #v0.2.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

diff --git a/.github/workflows/pr-automation.yml b/.github/workflows/pr-automation.yml
@@ -19,4 +19,4 @@ jobs:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
           PRNUM: ${{ github.event.pull_request.number }}
           PRAUTHOR: ${{ github.event.pull_request.user.login }}
-        run: gh pr edit $PRNUM --add-reviewer Checkmarx/ast-galactica-team
+        run: gh pr edit $PRNUM --add-reviewer Checkmarx/ast-phoenix-team
diff --git a/.github/workflows/pr-label.yml b/.github/workflows/pr-label.yml
@@ -12,7 +12,7 @@ jobs:
       pull-requests: write  # for TimonVS/pr-labeler-action to add labels in PR
     runs-on: ubuntu-latest
     steps:
-      - uses: TimonVS/pr-labeler-action@v3
+      - uses: TimonVS/pr-labeler-action@8447391d87bc7648ce6bf97159c17b642576afb0 #v3
         with:
           configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value
         env:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -30,7 +30,7 @@ permissions:
 
 jobs:
   build:
-    runs-on: macos-latest
+    runs-on: macos-13
     env:
       AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
       APPLE_DEVELOPER_CERTIFICATE_P12_BASE64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
@@ -43,9 +43,9 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v4
         with:
-          go-version: '^1.21.5'
+          go-version-file: go.mod
       - name: Import Code-Signing Certificates
-        uses: Apple-Actions/import-codesign-certs@v1
+        uses: Apple-Actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071 #v1
         with:
           # The certificates in a PKCS12 file encoded as a base64 string
           p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
@@ -61,27 +61,23 @@ jobs:
           brew --version
       - name: Install gon
         run: |
-          brew tap mitchellh/gon
-          brew install mitchellh/gon/gon
-      - name: Install and start docker
+          brew install Bearer/tap/gon
+      - name: Setup Docker on macOS
         if: inputs.dev == false
-        run: |
-          brew install docker
-          colima start
-          sudo ln -sf $HOME/.colima/default/docker.sock /var/run/docker.sock
+        uses: douglascamata/setup-docker-macos-action@v1-alpha
       - name: Test docker
         if: inputs.dev == false
         run: |
           docker version
           docker info
       - name: Login to Docker Hub
         if: inputs.dev == false
-        uses: docker/login-action@v1
+        uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 #v1
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 #v2
         with:
           role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
           aws-region: ${{ secrets.AWS_ASSUME_ROLE_REGION }}
@@ -105,7 +101,7 @@ jobs:
       - name: Echo GoReleaser Args
         run: echo ${{ env.GR_ARGS }}
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 #v3
         with:
           version: v1.18.2
           args: ${{ env.GR_ARGS }}
@@ -114,6 +110,10 @@ jobs:
           GO_BOT_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
           S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
           S3_BUCKET_REGION: ${{ secrets.S3_BUCKET_REGION }}
+          SIGNING_REMOTE_SSH_USER: ${{ secrets.SIGNING_REMOTE_SSH_USER }}
+          SIGNING_REMOTE_SSH_HOST: ${{ secrets.SIGNING_REMOTE_SSH_HOST }}
+          SIGNING_REMOTE_SSH_PRIVATE_KEY: ${{ secrets.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
+          SIGNING_HSM_CREDS: ${{ secrets.SIGNING_HSM_CREDS }}
 
   notify:
     runs-on: ubuntu-latest
@@ -131,7 +131,7 @@ jobs:
 
       - name: Converts Markdown to HTML
         id: convert
-        uses: lifepal/[email protected]
+        uses: lifepal/markdown-to-html@71ed74a56602597c05dd7dd0e561631557158ed5 #v1.1
         with:
           text: "${{ steps.release.outputs.body_release }}"
 
@@ -144,7 +144,7 @@ jobs:
 
       - name: Send a Notification
         id: notify
-        uses: thechetantalwar/teams-notify@v2
+        uses: thechetantalwar/teams-notify@8a78811f5e8f58cdd204efebd79158006428c46b #v2
         with:
           teams_webhook_url: ${{ secrets.TEAMS_WEBHOOK_URI }}
           message: "${{ steps.clean.outputs.clean }}"
diff --git a/.gitignore b/.gitignore
@@ -55,4 +55,8 @@ override.tf.json
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*dist/
-/dist
+/dist
+
+# Ignore CLI configuration files and installation log files
+**/colima-Darwin-x86_64
+**/install.log
diff --git a/.golangci.yml b/.golangci.yml
@@ -12,6 +12,7 @@ linters-settings:
           - github.com/spf13/cobra
           - github.com/pkg/errors
           - github.com/google
+          - github.com/MakeNowJust/heredoc
   dupl:
     threshold: 500
   funlen:
@@ -60,7 +61,7 @@ linters-settings:
   misspell:
     locale: US
 linters:
-  # please, do not use `enable-all`: it's deprecated and will be removed soon.
+  # please, do not use `enable-all`: it's deprecated and will be removed soon. 
   # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint
   disable-all: true
   enable:

diff --git a/.goreleaser-dev.yml b/.goreleaser-dev.yml
@@ -32,6 +32,16 @@ builds:
       - -s
       - -w
       - -X github.com/checkmarx/ast-cli/internal/params.Version={{.Version}}
+    hooks:
+      post:
+        - cmd: bash .github/scripts/signing_win.sh dist/cx_windows_amd64_v1/cx.exe {{.Os}} || true
+          output: true
+          env:
+            - SIGNING_REMOTE_SSH_USER={{ .Env.SIGNING_REMOTE_SSH_USER }}
+            - SIGNING_REMOTE_SSH_HOST={{ .Env.SIGNING_REMOTE_SSH_HOST }}
+            - SIGNING_HSM_CREDS={{ .Env.SIGNING_HSM_CREDS }}
+            - SIGNING_REMOTE_SSH_PRIVATE_KEY={{ .Env.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
+
   - main: ./cmd/main.go
     env:
       - CGO_ENABLED=0

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -31,6 +31,16 @@ builds:
       - -s
       - -w
       - -X github.com/checkmarx/ast-cli/internal/params.Version={{.Version}}
+    hooks:
+      post:
+        - cmd: bash .github/scripts/signing_win.sh dist/cx_windows_amd64_v1/cx.exe {{.Os}}
+          output: true
+          env:
+            - SIGNING_REMOTE_SSH_USER={{ .Env.SIGNING_REMOTE_SSH_USER }}
+            - SIGNING_REMOTE_SSH_HOST={{ .Env.SIGNING_REMOTE_SSH_HOST }}
+            - SIGNING_HSM_CREDS={{ .Env.SIGNING_HSM_CREDS }}
+            - SIGNING_REMOTE_SSH_PRIVATE_KEY={{ .Env.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
+
   - main: ./cmd/main.go
     env:
       - CGO_ENABLED=0

diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,6 @@
-FROM alpine:3.19.0
+FROM cgr.dev/chainguard/bash:latest
 
-RUN apk add --no-cache bash
-RUN adduser --system --disabled-password cxuser
-USER cxuser
+USER nonroot
 
 COPY cx /app/bin/cx