
Bug fixes and Salesforce tickets resolution(AST-146432)#1494

Open
cx-atish-jadhav wants to merge 12 commits into main from other/release-integration

Conversation

@cx-atish-jadhav
Collaborator

@cx-atish-jadhav cx-atish-jadhav commented May 26, 2026

Release Details

| JIRA ID | Brief Context About the Build |
| --- | --- |
| AST-145741 | Salesforce — CLI flag --iac-security-filter not working |
| AST-155483 | Salesforce — AST-CLI — Viper concurrent read/write issue |
| AST-154753 | CxOne Dev Assist — CLI should send Unique ID |
| AST-137848 | cx scan --application-name incorrectly requires application-update permission on subsequent scans even when no update is needed |
| AST-146432 | Salesforce — SAST SARIF inconsistency with BYOR imports |
| AST-151903 | Some extension files were not included in the CLI |

cx-atish-jadhav and others added 2 commits May 26, 2026 14:01
…support

- Create kicsshutdown package with thread-safe container name management
- Update signal handler to read container name from kicsshutdown instead of viper
- Prevents race conditions during SIGTERM cleanup
- Add support for OneAssist license in addition to Developer Assist
- Update GetUniqueID() to check both license types
…oject/application management improvements

- Add CodeFlow and ThreadFlow support to SARIF result structures with new types
- Extend BaseIncludeFilters with 41 additional file type patterns
- Enhance applications.go with project association polling and duplicate prevention
- Update result.go with CodeFlow handling in SARIF serialization
- Add IsInSource and CommitURL fields to SarifResultProperties
- Fix projects.go verifyApplicationAssociationDone and UpsertProjectGroups functions
- Change IaCS and KICS filter flags from String to StringSlice in scan.go

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
@cx-atish-jadhav cx-atish-jadhav changed the title Release integration Bug fixes and Salesforce tickets resolution(AST-146432) May 27, 2026
- Upgrade distribution/v3 to v3.0.1-0.20260120145532-40594bd98e6d (security patch)
- Upgrade go-jose/v3 to v3.0.5 (CWE-345: Insufficient Verification)
- Upgrade anchore/stereoscope to v0.2.0
- Upgrade google.golang.org/grpc to v1.80.0
- Upgrade gonum to v0.17.0
- Upgrade containerd/v2 to v2.3.1
- Upgrade go-git/go-git/v5 to v5.18.1-0.20260420130857-e5bbc088b774 (CVE-2026-45022)
- Upgrade go-git/go-billy/v5 to v5.8.1-0.20260506061021-07f2a0bf50e4 (CVE-2026-44973)
- Upgrade Go version to 1.26.3

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
@cx-atish-jadhav
Collaborator Author

SCA Vulnerability Fixes Summary

This PR addresses all identified SCA vulnerabilities through dependency upgrades and Go version updates.

Vulnerability Fix Details

| CVE/ID | Category | Package | Old Version | New Version | Vulnerability Type |
| --- | --- | --- | --- | --- | --- |
| - | CWE-345 | github.com/distribution/distribution/v3 | v3.0.1-0.20250403190400-dbca4995c83c | v3.0.1-0.20260120145532-40594bd98e6d | Security Patch |
| - | CWE-345 | github.com/go-jose/go-jose/v3 | v3.0.4 | v3.0.5 | Insufficient Verification |
| CVE-2026-45022 | CWE-22 | github.com/go-git/go-git/v5 | v5.18.0 | v5.18.1-0.20260420130857-e5bbc088b774 | Path Traversal |
| CVE-2026-44973 | CWE-22 | github.com/go-git/go-billy/v5 | v5.8.0 | v5.8.1-0.20260506061021-07f2a0bf50e4 | Path Traversal |
| - | - | github.com/anchore/stereoscope | v0.1.23 | v0.2.0 | Transitive Dependency |
| - | - | google.golang.org/grpc | v1.79.3 | v1.80.0 | Transitive Dependency |
| - | - | gonum.org/v1/gonum | v0.16.0 | v0.17.0 | Transitive Dependency |
| - | - | github.com/containerd/containerd | v1.7.30 | v1.7.32 (via replace) | Transitive Dependency |
| - | - | github.com/containerd/containerd/v2 | v2.3.0 | v2.3.1 | Transitive Dependency |

Additional Changes

| Item | Old Version | New Version |
| --- | --- | --- |
| Go Runtime | 1.25.9 | 1.26.3 |

Vulnerable Paths Remediated

Direct Vulnerabilities

  1. distribution/v3 - Security patch for cryptographic operations
  2. go-jose/v3 - Fixed insufficient verification in JWT handling
  3. go-git/v5 - CVE-2026-45022: Path Traversal vulnerability
  4. go-billy/v5 - CVE-2026-44973: Path Traversal vulnerability

Indirect/Transitive Dependencies

  • Updated through cascading dependency resolution to address multiple vulnerability paths
  • anchore/stereoscope, grpc, gonum updates address vulnerabilities across multiple paths
  • containerd updates fix platform-specific vulnerabilities

Test Data Notes

  • Python test fixtures in internal/commands/data/manifests/requirements.txt remain unchanged (intentional for test scenarios)
  • All production Go dependencies have been patched

Testing Recommendations

  • Run full test suite to verify no regressions
  • Verify all dependency versions resolve correctly
  • Test with new Go 1.26.3 compatibility

…nd opencontainers/runc

- Upgrade github.com/containerd/containerd v1.7.30 to v1.7.32 (CVE-2026-46680)
- Upgrade golang.org/x/image v0.25.0 to v0.36.1-0.20260211191414-e3d762b1d37e (CVE-2026-33813)
- Upgrade github.com/opencontainers/runc v1.3.3 to v1.3.4 (CVE-2025-52881)
- Upgrade github.com/cilium/ebpf v0.16.0 to v0.17.3 (transitive dependency)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
@cx-atish-jadhav
Collaborator Author

Updated SCA Vulnerability Fixes Summary

All identified SCA vulnerabilities have been fixed through dependency upgrades.

Complete Vulnerability Fix Details

| CVE/ID | Category | Package | Old Version | New Version | Vulnerability Type |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-46680 | CWE-843 | github.com/containerd/containerd | v1.7.30 | v1.7.32 | Type Confusion - Symlink Following |
| CVE-2026-33813 | CWE-190 | golang.org/x/image | v0.25.0 | v0.36.1-0.20260211191414-e3d762b1d37e | Integer Overflow in WEBP Parsing |
| CVE-2025-52881 | CWE-61 | github.com/opencontainers/runc | v1.3.3 | v1.3.4 | UNIX Symlink Following |
| CVE-2026-45022 | CWE-22 | github.com/go-git/go-git/v5 | v5.18.0 | v5.18.1-0.20260420130857-e5bbc088b774 | Path Traversal |
| CVE-2026-44973 | CWE-22 | github.com/go-git/go-billy/v5 | v5.8.0 | v5.8.1-0.20260506061021-07f2a0bf50e4 | Path Traversal |
| - | CWE-345 | github.com/distribution/distribution/v3 | v3.0.1-0.20250403190400-dbca4995c83c | v3.0.1-0.20260120145532-40594bd98e6d | Security Patch |
| - | CWE-345 | github.com/go-jose/go-jose/v3 | v3.0.4 | v3.0.5 | Insufficient Verification |
| - | - | github.com/anchore/stereoscope | v0.1.23 | v0.2.0 | Transitive Dependency |
| - | - | google.golang.org/grpc | v1.79.3 | v1.80.0 | Transitive Dependency |
| - | - | gonum.org/v1/gonum | v0.16.0 | v0.17.0 | Transitive Dependency |
| - | - | github.com/containerd/containerd/v2 | v2.3.0 | v2.3.1 | Transitive Dependency |
| - | - | github.com/cilium/ebpf | v0.16.0 | v0.17.3 | Transitive Dependency |
- - github.com/cilium/ebpf v0.16.0 v0.17.3 Transitive Dependency

Additional Changes

| Item | Old Version | New Version |
| --- | --- | --- |
| Go Runtime | 1.25.9 | 1.26.3 |

Vulnerability Summary by Category

CWE-61: Symlink Following (1 CVE)

  • CVE-2025-52881: opencontainers/runc - attacker can trick runc into misdirecting writes through racing containers with shared mounts

CWE-190: Integer Overflow (1 CVE)

  • CVE-2026-33813: golang.org/x/image - parsing WEBP images with invalid large size panics on 32-bit platforms

CWE-22: Path Traversal (2 CVEs)

CWE-843: Type Confusion (1 CVE)

  • CVE-2026-46680: containerd - numeric User directives treated as usernames, bypassing runAsNonRoot restriction

CWE-345: Insufficient Verification (2 CVEs)

  • distribution/v3 - cryptographic operations security patch
  • go-jose/v3 - JWT handling verification

Test Data Notes

  • Python test fixtures in remain unchanged (intentional for test scenarios)
  • All production Go dependencies have been patched to address identified vulnerabilities

Commits Made

  1. Initial SCA fixes: distribution/v3, go-jose/v3, anchore/stereoscope, grpc, gonum, containerd/v2, go-git/v5
  2. Additional fixes: containerd v1.7, golang.org/x/image, opencontainers/runc, cilium/ebpf

Testing Recommendations

  • Run full test suite to verify no regressions
  • Verify all dependency versions resolve correctly
  • Test with new Go 1.26.3 compatibility
  • Verify container runtime behavior with updated runc and containerd versions
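
The "Verify all dependency versions resolve correctly" item in both Testing Recommendations lists can be automated; the following is an added example written for this page, not code from the PR or from the CLI project. It reads the text of `go list -m all` and flags any tracked module still resolved below the minimum named in the fix tables above; the lookup table is copied from those tables, and `example.com/mymodule` mentioned in the comments is a placeholder main module.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimum versions copied from the PR's fix table (a constructed lookup for this example).
var minimumVersions = map[string]string{
	"github.com/go-git/go-git/v5":      "v5.18.1-0.20260420130857-e5bbc088b774",
	"github.com/go-git/go-billy/v5":    "v5.8.1-0.20260506061021-07f2a0bf50e4",
	"github.com/go-jose/go-jose/v3":    "v3.0.5",
	"github.com/containerd/containerd": "v1.7.32",
	"golang.org/x/image":               "v0.39.0",
}

// versionKey maps "vMAJOR.MINOR.PATCH[-prerelease]" to a string whose plain byte order
// follows Go's module order: zero-padded numbers, then the prerelease tag closed by a
// "~" sentinel, so a tagged release (empty tag) outranks any pseudo-version of the same
// core (v5.18.0 < v5.18.1-0.2026... < v5.18.1). A core that does not scan as three
// integers becomes all zeros, which sorts below every minimum and so gets flagged.
func versionKey(v string) string {
	var n [3]int
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	if c, _ := fmt.Sscanf(core, "%d.%d.%d", &n[0], &n[1], &n[2]); c != 3 {
		n = [3]int{} // discard a partial scan such as "5.x"
	}
	return fmt.Sprintf("%010d.%010d.%010d-%s~", n[0], n[1], n[2], pre)
}

// FindOutdated scans the text of `go list -m all` (one "module version [=> replacement
// version]" line each) and reports every tracked module still resolved below its minimum.
func FindOutdated(goListOutput string) []string {
	var outdated []string
	for _, line := range strings.Split(goListOutput, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue // blank line, or the main module line (e.g. example.com/mymodule), which carries no version
		}
		mod, ver := f[0], f[len(f)-1] // after "=>" the last field is the effective version
		if need, ok := minimumVersions[mod]; ok && versionKey(ver) < versionKey(need) {
			outdated = append(outdated, mod+" "+ver+" < "+need)
		}
	}
	return outdated
}
```

Feed it the output of `go list -m all` from the release branch; a non-empty result means a replace directive or a transitive requirement still pins a version below the patched one.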

cx-atish-jadhav and others added 8 commits May 27, 2026 16:54
Upgrade k8s.io/kubectl from v0.35.1 to v0.36.0 to resolve missing package
k8s.io/api/scheduling/v1alpha1 caused by k8s.io/api being upgraded to v0.36.0
during SCA vulnerability remediation.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Upgrade golang.org/x/image to v0.39.0 (CVE-2026-33813)
- Upgrade github.com/go-jose/go-jose/v3 to v3.0.5 (CVE-2026-34986)
- Upgrade github.com/opencontainers/runc to v1.3.4 (CVE-2025-52881)
- Extract repeated string to constant in result_test.go (goconst lint fix)
- Add explicit requirement for golang.org/x/image v0.39.0 to override
  gonum.org/v1/gonum's transitive requirement of v0.25.0 (CVE-2026-33813)
- Update result_test.go constant alignment
- Add cx_config_file_path to integration config