From a413a91a40076ffb157f550e0c23f2009f218372 Mon Sep 17 00:00:00 2001
From: Checkmarx Automation
Date: Tue, 22 Jul 2025 19:14:19 +0300
Subject: [PATCH 1/2] Refactor cleanup logic in containerScanner: Remove deletion of .checkmarx containers folder. The caller (AST CLI) will now handle cleanup after processing the container-resolution.json file.
---
 pkg/containerResolver/containerScanner.go | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/pkg/containerResolver/containerScanner.go b/pkg/containerResolver/containerScanner.go
index 415ef74..85d1e71 100644
--- a/pkg/containerResolver/containerScanner.go
+++ b/pkg/containerResolver/containerScanner.go
@@ -116,16 +116,12 @@ func cleanup(originalPath string, outputPath string, checkmarxPath string) error
 }
 }
- // Clean up containers folder inside .checkmarx if checkmarxPath is provided
- if checkmarxPath != "" {
- // checkmarxPath points to .checkmarx/containers, so we delete this directory
- cxErr := imagesExtractor.DeleteDirectory(checkmarxPath)
- if cxErr != nil {
- log.Warn().Err(cxErr).Msg("Could not delete containers directory inside .checkmarx folder")
- }
- }
+ // Note: We no longer clean up the containers folder inside .checkmarx here
+ // as the caller (AST CLI) needs the container-resolution.json file for further processing.
+ // The cleanup of .checkmarx/containers should be handled by the caller after it has
+ // processed the resolution file.
- // Only return error from output directory cleanup, not from .checkmarx cleanup
+ // Only return error from output directory cleanup
 return err
 }
From 5f97b5965259c5371db3fa8cc5cf9ff8e057f79e Mon Sep 17 00:00:00 2001
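Review bot: With the `.checkmarx` branch removed, nothing in the visible part of `cleanup` reads `checkmarxPath` any more, yet the parameter stays in the signature and the new ownership rule is recorded only in a comment inside the function body. The container-resolution.json file and its directory now stay on disk until the caller removes them, so a caller that exits early on error, or any consumer other than AST CLI, leaves that image and package inventory behind. I would state the obligation where callers will see it, on the doc comment of `Resolve`, e.g. `// The caller owns the .checkmarx/containers directory and must delete it after reading container-resolution.json.`, and drop the parameter if the rest of the body does not use it. `cleanup` starts above this hunk, so the unused-parameter point needs confirming against the full function.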
From: Checkmarx Automation
Date: Tue, 22 Jul 2025 19:19:43 +0300
Subject: [PATCH 2/2] Enhance containerScanner tests: Add verification for containers directory existence post-Resolve to address cleanup bug. Update cleanup logic to ensure .checkmarx containers folder is retained for caller processing.
---
 pkg/containerResolver/containerScanner.go | 2 --
 pkg/containerResolver/containerScanner_test.go | 6 ++++++
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/pkg/containerResolver/containerScanner.go b/pkg/containerResolver/containerScanner.go
index 85d1e71..5bb73e2 100644
--- a/pkg/containerResolver/containerScanner.go
+++ b/pkg/containerResolver/containerScanner.go
@@ -116,8 +116,6 @@ func cleanup(originalPath string, outputPath string, checkmarxPath string) error
 }
 }
- // Note: We no longer clean up the containers folder inside .checkmarx here
- // as the caller (AST CLI) needs the container-resolution.json file for further processing.
 // The cleanup of .checkmarx/containers should be handled by the caller after it has
 // processed the resolution file.
diff --git a/pkg/containerResolver/containerScanner_test.go b/pkg/containerResolver/containerScanner_test.go
index 26da2cb..1bafca8 100644
--- a/pkg/containerResolver/containerScanner_test.go
+++ b/pkg/containerResolver/containerScanner_test.go
@@ -145,6 +145,12 @@ func TestResolve(t *testing.T) {
 mockImagesExtractor.AssertCalled(t, "ExtractAndMergeImagesFromFiles", sampleFileImages, mock.Anything, mock.Anything)
 mockSyftPackagesExtractor.AssertCalled(t, "AnalyzeImagesWithPlatform", mock.Anything, "linux/amd64")
 mockImagesExtractor.AssertCalled(t, "SaveObjectToFile", checkmarxPath, expectedResolution)
+
+ // Verify that the containers directory still exists after Resolve completes
+ // This tests the fix for the cleanup bug where the directory was being deleted too early
+ if _, err := os.Stat(checkmarxPath); os.IsNotExist(err) {
+ t.Errorf("Expected containers directory to exist after Resolve completes, but it was deleted")
+ }
 })
 t.Run("ScanPath Validation failure", func(t *testing.T) {
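Review bot: The added `os.Stat` check fails only when the error satisfies `os.IsNotExist`, so any other Stat failure (for example a permission error on the path) passes silently; `if _, err := os.Stat(checkmarxPath); err != nil { t.Errorf("containers directory not usable after Resolve: %v", err) }` covers both cases. The surrounding assertions run against `mockImagesExtractor`, so the deletion this test guards against may also go through a mock, in which case the directory would survive whether or not the fix is present; if `DeleteDirectory` is a mocked method here, `mockImagesExtractor.AssertNotCalled(t, "DeleteDirectory", checkmarxPath)` would pin the behaviour directly. `t.Errorf` with no format arguments can be `t.Error`. TestResolve begins and ends outside the hunk, so whether the test actually creates `checkmarxPath` on disk is not visible here.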