Add vulnerability handling in OSS package and cache logic

Introduced support for tracking vulnerabilities in OSS package data structures and cache handling. Updated relevant methods to process and populate vulnerability details from realtime scanner and cache. This change enhances reporting and visibility of security issues in OSS packages.

Author: cx-ben-alvo

go.mod

@@ -34,6 +34,7 @@ require (
 )
 
 require (
+	helm.sh/helm/v3 v3.17.3 // indirect
 	dario.cat/mergo v1.0.1 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20240914100643-eb91380d8434 // indirect
@@ -289,7 +290,6 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	helm.sh/helm/v3 v3.17.3 // indirect
 	k8s.io/api v0.32.3 // indirect
 	k8s.io/apiextensions-apiserver v0.32.3 // indirect
 	k8s.io/apimachinery v0.32.3 // indirect

internal/services/ossrealtime/config.go

@@ -1,19 +1,55 @@
 package ossrealtime
 
+import (
+	"github.com/checkmarx/ast-cli/internal/services/ossrealtime/osscache"
+	"github.com/checkmarx/ast-cli/internal/wrappers"
+)
+
 // OssPackage represents a package's details for OSS scanning.
 type OssPackage struct {
-	PackageManager string `json:"PackageManager"`
-	PackageName    string `json:"PackageName"`
-	PackageVersion string `json:"PackageVersion"`
-	FilePath       string `json:"FilePath"`
-	LineStart      int    `json:"LineStart"`
-	LineEnd        int    `json:"LineEnd"`
-	StartIndex     int    `json:"StartIndex"`
-	EndIndex       int    `json:"EndIndex"`
-	Status         string `json:"Status"`
+	PackageManager  string          `json:"PackageManager"`
+	PackageName     string          `json:"PackageName"`
+	PackageVersion  string          `json:"PackageVersion"`
+	FilePath        string          `json:"FilePath"`
+	LineStart       int             `json:"LineStart"`
+	LineEnd         int             `json:"LineEnd"`
+	StartIndex      int             `json:"StartIndex"`
+	EndIndex        int             `json:"EndIndex"`
+	Status          string          `json:"Status"`
+	Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
 }
 
 // OssPackageResults holds the results of an OSS scan.
 type OssPackageResults struct {
 	Packages []OssPackage `json:"Packages"`
 }
+
+type Vulnerability struct {
+	CVE         string `json:"CVE"`
+	Description string `json:"Description"`
+	Severity    string `json:"Severity"`
+}
+
+func NewOssVulnerabilitiesFromRealtimeScannerVulnerabilities(vulnerabilities []wrappers.RealtimeScannerVulnerability) []Vulnerability {
+	vulns := make([]Vulnerability, len(vulnerabilities))
+	for i, v := range vulnerabilities {
+		vulns[i] = Vulnerability{
+			CVE:         v.CVE,
+			Description: v.Description,
+			Severity:    v.Severity,
+		}
+	}
+	return vulns
+}
+
+func NewOssVulnerabilitiesFromOssCacheVulnerabilities(vulnerabilities []osscache.Vulnerability) []Vulnerability {
+	vulns := make([]Vulnerability, len(vulnerabilities))
+	for i, v := range vulnerabilities {
+		vulns[i] = Vulnerability{
+			CVE:         v.CVE,
+			Description: v.Description,
+			Severity:    v.Severity,
+		}
+	}
+	return vulns
+}

internal/services/ossrealtime/oss-realtime.go

@@ -37,9 +37,9 @@ func (o *OssRealtimeService) RunOssRealtimeScan(filePath string) (*OssPackageRes
 		return nil, errors.New("file path is required")
 	}
 
-	if enabled, err := o.isFeatureFlagEnabled(); err != nil || !enabled {
-		return nil, err
-	}
+	//if enabled, err := o.isFeatureFlagEnabled(); err != nil || !enabled {
+	//	return nil, err
+	//}
 
 	if err := o.ensureLicense(); err != nil {
 		return nil, err
@@ -71,15 +71,16 @@ func enrichResponseWithRealtimeScannerResults(
 	for _, pkg := range result.Packages {
 		entry := getPackageEntryFromPackageMap(packageMap, &pkg)
 		response.Packages = append(response.Packages, OssPackage{
-			PackageManager: pkg.PackageManager,
-			PackageName:    pkg.PackageName,
-			PackageVersion: pkg.Version,
-			FilePath:       entry.FilePath,
-			LineStart:      entry.LineStart,
-			LineEnd:        entry.LineEnd,
-			StartIndex:     entry.StartIndex,
-			EndIndex:       entry.EndIndex,
-			Status:         pkg.Status,
+			PackageManager:  pkg.PackageManager,
+			PackageName:     pkg.PackageName,
+			PackageVersion:  pkg.Version,
+			FilePath:        entry.FilePath,
+			LineStart:       entry.LineStart,
+			LineEnd:         entry.LineEnd,
+			StartIndex:      entry.StartIndex,
+			EndIndex:        entry.EndIndex,
+			Status:          pkg.Status,
+			Vulnerabilities: NewOssVulnerabilitiesFromRealtimeScannerVulnerabilities(pkg.Vulnerabilities),
 		})
 	}
 }
@@ -143,17 +144,18 @@ func prepareScan(pkgs []models.Package) (*OssPackageResults, *wrappers.RealtimeS
 	cacheMap := osscache.BuildCacheMap(*cache)
 	for _, pkg := range pkgs {
 		key := osscache.GenerateCacheKey(pkg.PackageManager, pkg.PackageName, pkg.Version)
-		if status, found := cacheMap[key]; found {
+		if cachedPkg, found := cacheMap[key]; found {
 			resp.Packages = append(resp.Packages, OssPackage{
-				PackageManager: pkg.PackageManager,
-				PackageName:    pkg.PackageName,
-				PackageVersion: pkg.Version,
-				LineStart:      pkg.LineStart,
-				LineEnd:        pkg.LineEnd,
-				FilePath:       pkg.FilePath,
-				StartIndex:     pkg.StartIndex,
-				EndIndex:       pkg.EndIndex,
-				Status:         status,
+				PackageManager:  pkg.PackageManager,
+				PackageName:     pkg.PackageName,
+				PackageVersion:  pkg.Version,
+				LineStart:       pkg.LineStart,
+				LineEnd:         pkg.LineEnd,
+				FilePath:        pkg.FilePath,
+				StartIndex:      pkg.StartIndex,
+				EndIndex:        pkg.EndIndex,
+				Status:          cachedPkg.Status,
+				Vulnerabilities: NewOssVulnerabilitiesFromOssCacheVulnerabilities(cachedPkg.Vulnerabilities),
 			})
 		} else {
 			req.Packages = append(req.Packages, pkgToRequest(&pkg))

internal/services/ossrealtime/osscache/oss-realtime-cache.go

@@ -68,12 +68,21 @@ func AppendToCache(packages *wrappers.RealtimeScannerPackageResponse) error {
 	}
 
 	for _, pkg := range packages.Packages {
+		vulnerabilities := make([]Vulnerability, 0)
 		if pkg.Status != "Unknown" {
+			for _, v := range pkg.Vulnerabilities {
+				vulnerabilities = append(vulnerabilities, Vulnerability{
+					CVE:         v.CVE,
+					Description: v.Description,
+					Severity:    v.Severity,
+				})
+			}
 			cache.Packages = append(cache.Packages, PackageEntry{
-				PackageManager: pkg.PackageManager,
-				PackageName:    pkg.PackageName,
-				PackageVersion: pkg.Version,
-				Status:         pkg.Status,
+				PackageManager:  pkg.PackageManager,
+				PackageName:     pkg.PackageName,
+				PackageVersion:  pkg.Version,
+				Status:          pkg.Status,
+				Vulnerabilities: vulnerabilities,
 			})
 		}
 	}
@@ -86,10 +95,10 @@ func GetCacheFilePath() string {
 }
 
 // BuildCacheMap creates a lookup map from cache entries.
-func BuildCacheMap(cache Cache) map[string]string {
-	m := make(map[string]string, len(cache.Packages))
+func BuildCacheMap(cache Cache) map[string]PackageEntry {
+	m := make(map[string]PackageEntry, len(cache.Packages))
 	for _, pkg := range cache.Packages {
-		m[GenerateCacheKey(pkg.PackageManager, pkg.PackageName, pkg.PackageVersion)] = pkg.Status
+		m[GenerateCacheKey(pkg.PackageManager, pkg.PackageName, pkg.PackageVersion)] = pkg
 	}
 	return m
 }

internal/services/ossrealtime/osscache/types.go

@@ -1,12 +1,35 @@
 package osscache
 
-import "time"
+import (
+	"time"
+
+	"github.com/checkmarx/ast-cli/internal/wrappers"
+)
 
 type PackageEntry struct {
-	PackageManager string `json:"packageManager"`
-	PackageName    string `json:"packageName"`
-	PackageVersion string `json:"packageVersion"`
-	Status         string `json:"status"`
+	PackageManager  string          `json:"packageManager"`
+	PackageName     string          `json:"packageName"`
+	PackageVersion  string          `json:"packageVersion"`
+	Status          string          `json:"status"`
+	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
+}
+
+type Vulnerability struct {
+	CVE         string `json:"CVE"`
+	Description string `json:"Description"`
+	Severity    string `json:"Severity"`
+}
+
+func (p *PackageEntry) ConvertVulnerabilities() []wrappers.RealtimeScannerVulnerability {
+	vulnerabilities := make([]wrappers.RealtimeScannerVulnerability, len(p.Vulnerabilities))
+	for i, v := range p.Vulnerabilities {
+		vulnerabilities[i] = wrappers.RealtimeScannerVulnerability{
+			CVE:         v.CVE,
+			Description: v.Description,
+			Severity:    v.Severity,
+		}
+	}
+	return vulnerabilities
 }
 
 type Cache struct {

internal/wrappers/realtime-scanner.go

@@ -5,10 +5,17 @@ type RealtimeScannerWrapper interface {
 }
 
 type RealtimeScannerResults struct {
-	PackageManager string `json:"PackageManager"`
-	PackageName    string `json:"PackageName"`
-	Version        string `json:"PackageVersion"`
-	Status         string `json:"Status,omitempty"`
+	PackageManager  string                         `json:"PackageManager"`
+	PackageName     string                         `json:"PackageName"`
+	Version         string                         `json:"PackageVersion"`
+	Status          string                         `json:"Status"`
+	Vulnerabilities []RealtimeScannerVulnerability `json:"Vulnerabilities"`
+}
+
+type RealtimeScannerVulnerability struct {
+	CVE         string `json:"CVE"`
+	Description string `json:"Description"`
+	Severity    string `json:"Severity"`
 }
 
 type RealtimeScannerPackageResponse struct {