Checkmarx · rafaela-soares · Jul 25, 2022 · Jul 21, 2022 · Jul 21, 2022 · Jul 21, 2022
diff --git a/assets/queries/terraform/alicloud/no_ros_stack_policy/query.rego b/assets/queries/terraform/alicloud/no_ros_stack_policy/query.rego
@@ -48,4 +48,3 @@ hasPolicyDuringUpdate(resource){
 }else{
 	common_lib.valid_key(resource, "stack_policy_during_update_url")
 }
-
diff --git a/docs/docker/nightly.csv b/docs/docker/nightly.csv
@@ -433,3 +433,7 @@ scratch,a8e7a611,2022-07-20,sha256:aa0db1182f560bb29d1afbaf8d0ca5e0779e8543d6031
 alpine,a8e7a611,2022-07-20,sha256:aa0db1182f560bb29d1afbaf8d0ca5e0779e8543d603110792bce24a19e706f6
 debian,a8e7a611,2022-07-20,sha256:0f2d0cf342f1df566800e286c4c926353a6b60b8355e0dcb460a839156c8e187
 ubi8,a8e7a611,2022-07-20,sha256:6398049c8978b03454ff5d190cb358dd1f262871f879c368ec2271ba38c61246
+scratch,278acb19,2022-07-21,sha256:027f5bbe9521c315060bc1a9198c911163cf155d68a31cfdca45e52e2a616979
+alpine,278acb19,2022-07-21,sha256:027f5bbe9521c315060bc1a9198c911163cf155d68a31cfdca45e52e2a616979
+debian,278acb19,2022-07-21,sha256:22c026a49665bf94751cc69a71d1d6e78af9cc3e6d1e301fe17b3b82e3b2d12a
+ubi8,278acb19,2022-07-21,sha256:a9d3bb91a83a79af4f33006f521f73163a64036d3ea681e1c3f07d319cefd194
diff --git a/docs/docker/nightly.md b/docs/docker/nightly.md
@@ -434,3 +434,7 @@ scratch  |  a8e7a611  |  2022-07-20  |  sha256:aa0db1182f560bb29d1afbaf8d0ca5e07
 alpine   |  a8e7a611  |  2022-07-20  |  sha256:aa0db1182f560bb29d1afbaf8d0ca5e0779e8543d603110792bce24a19e706f6
 debian   |  a8e7a611  |  2022-07-20  |  sha256:0f2d0cf342f1df566800e286c4c926353a6b60b8355e0dcb460a839156c8e187
 ubi8     |  a8e7a611  |  2022-07-20  |  sha256:6398049c8978b03454ff5d190cb358dd1f262871f879c368ec2271ba38c61246
+scratch  |  278acb19  |  2022-07-21  |  sha256:027f5bbe9521c315060bc1a9198c911163cf155d68a31cfdca45e52e2a616979
+alpine   |  278acb19  |  2022-07-21  |  sha256:027f5bbe9521c315060bc1a9198c911163cf155d68a31cfdca45e52e2a616979
+debian   |  278acb19  |  2022-07-21  |  sha256:22c026a49665bf94751cc69a71d1d6e78af9cc3e6d1e301fe17b3b82e3b2d12a
+ubi8     |  278acb19  |  2022-07-21  |  sha256:a9d3bb91a83a79af4f33006f521f73163a64036d3ea681e1c3f07d319cefd194
diff --git a/go.mod b/go.mod
@@ -4,12 +4,12 @@ go 1.18
 
 require (
 	code.cloudfoundry.org/bytefmt v0.0.0-20211005130812-5bb3c17173e5
-	github.com/BurntSushi/toml v1.1.0
+	github.com/BurntSushi/toml v1.2.0
 	github.com/GoogleCloudPlatform/terraformer v0.8.18
 	github.com/agnivade/levenshtein v1.1.1
 	github.com/alexmullins/zip v0.0.0-20180717182244-4affb64b04d0
 	github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20211114212643-ec144ca0d701
-	github.com/aws/aws-sdk-go v1.44.58
+	github.com/aws/aws-sdk-go v1.44.59
 	github.com/cheggaaa/pb/v3 v3.1.0
 	github.com/emicklei/proto v1.11.0
 	github.com/getsentry/sentry-go v0.13.0

diff --git a/go.sum b/go.sum
@@ -118,8 +118,8 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/Azure/go-ntlmssp v0.0.0-20180810175552-4a21cbd618b4/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.1.0 h1:ksErzDEI1khOiGPgpwuI7x2ebx/uXQNw7xJpn9Eq1+I=
-github.com/BurntSushi/toml v1.1.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.2.0 h1:Rt8g24XnyGTyglgET/PRUNlrUeu9F5L+7FilkXfZgs0=
+github.com/BurntSushi/toml v1.2.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/ChrisTrenkamp/goxpath v0.0.0-20170922090931-c385f95c6022/go.mod h1:nuWgzSkT5PnyOd+272uUmV0dnAnAn42Mk7PiQC5VzN4=
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
@@ -272,8 +272,8 @@ github.com/aws/aws-sdk-go v1.25.3/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN
 github.com/aws/aws-sdk-go v1.30.12/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.34.28/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48=
 github.com/aws/aws-sdk-go v1.43.16/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
-github.com/aws/aws-sdk-go v1.44.58 h1:VPfVj0Fa1v+/8HUegdNvGg9XtmuJ3z08WerBuT730gk=
-github.com/aws/aws-sdk-go v1.44.58/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go v1.44.59 h1:bkdnNsMvMhFmNLqKDAJ6rKR+S0hjOt/3AIJp2mxOK9o=
+github.com/aws/aws-sdk-go v1.44.59/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/aws/aws-sdk-go-v2 v1.3.0/go.mod h1:hTQc/9pYq5bfFACIUY9tc/2SYWd9Vnmw+testmuQeRY=
 github.com/aws/aws-sdk-go-v2 v1.3.1/go.mod h1:5SmWRTjN6uTRFNCc7rR69xHsdcUJnthmaRHGDsYhpTE=
 github.com/aws/aws-sdk-go-v2 v1.3.2/go.mod h1:7OaACgj2SX3XGWnrIjGlJM22h6yD6MEWKvm7levnnM8=

diff --git a/internal/console/scan.go b/internal/console/scan.go
@@ -143,6 +143,7 @@ func getScanParameters(changedDefaultQueryPath, changedDefaultLibrariesPath bool
 
 func executeScan(scanParams *scan.Parameters) error {
 	log.Debug().Msg("console.scan()")
+
 	for _, warn := range warnings {
 		log.Warn().Msgf(warn)
 	}

diff --git a/pkg/detector/default_detect.go b/pkg/detector/default_detect.go
@@ -22,7 +22,6 @@ func (d defaultDetectLine) DetectLine(file *model.FileMetadata, searchKey string
 		CurrentLine:     0,
 		IsBreak:         false,
 		FoundAtLeastOne: false,
-		Lines:           d.SplitLines(file.OriginalData),
 		ResolvedFile:    file.FilePath,
 		ResolvedFiles:   d.prepareResolvedFiles(file.ResolvedFiles),
 	}
@@ -34,10 +33,11 @@ func (d defaultDetectLine) DetectLine(file *model.FileMetadata, searchKey string
 		sanitizedSubstring = strings.Replace(sanitizedSubstring, str[0], `{{`+strconv.Itoa(idx)+`}}`, -1)
 	}
 
+	lines := d.SplitLines(file.OriginalData)
 	for _, key := range strings.Split(sanitizedSubstring, ".") {
 		substr1, substr2 := GenerateSubstrings(key, extractedString)
 
-		detector = detector.DetectCurrentLine(substr1, substr2, 0)
+		detector, lines = detector.DetectCurrentLine(substr1, substr2, 0, lines)
 
 		if detector.IsBreak {
 			break
@@ -47,7 +47,7 @@ func (d defaultDetectLine) DetectLine(file *model.FileMetadata, searchKey string
 	if detector.FoundAtLeastOne {
 		return model.VulnerabilityLines{
 			Line:         detector.CurrentLine + 1,
-			VulnLines:    GetAdjacentVulnLines(detector.CurrentLine, outputLines, detector.Lines),
+			VulnLines:    GetAdjacentVulnLines(detector.CurrentLine, outputLines, lines),
 			ResolvedFile: detector.ResolvedFile,
 		}
 	}

diff --git a/pkg/detector/docker/docker_detect.go b/pkg/detector/docker/docker_detect.go
@@ -31,7 +31,6 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string,
 		CurrentLine:     0,
 		IsBreak:         false,
 		FoundAtLeastOne: false,
-		Lines:           prepareDockerFileLines(d.SplitLines(file.OriginalData)),
 		ResolvedFile:    file.FilePath,
 		ResolvedFiles:   make(map[string]model.ResolvedFileSplit),
 	}
@@ -46,7 +45,7 @@ func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string,
 	for _, key := range strings.Split(sKey, ".") {
 		substr1, substr2 := detector.GenerateSubstrings(key, extractedString)
 
-		det = det.DetectCurrentLine(substr1, substr2, 0)
+		det, _ = det.DetectCurrentLine(substr1, substr2, 0, prepareDockerFileLines(d.SplitLines(file.OriginalData)))
 
 		if det.IsBreak {
 			break

diff --git a/pkg/detector/helper.go b/pkg/detector/helper.go
@@ -28,7 +28,6 @@ type DefaultDetectLineResponse struct {
 	CurrentLine     int
 	IsBreak         bool
 	FoundAtLeastOne bool
-	Lines           []string
 	ResolvedFile    string
 	ResolvedFiles   map[string]model.ResolvedFileSplit
 }
@@ -252,74 +251,66 @@ func removeExtras(result string, start, end int) string {
 }
 
 // DetectCurrentLine uses levenshtein distance to find the most accurate line for the vulnerability
-func (d *DefaultDetectLineResponse) DetectCurrentLine(str1, str2 string, recurseCount int) *DefaultDetectLineResponse {
+func (d *DefaultDetectLineResponse) DetectCurrentLine(str1, str2 string, recurseCount int,
+	lines []string) (det *DefaultDetectLineResponse, l []string) {
 	distances := make(map[int]int)
 
-	for i := d.CurrentLine; i < len(d.Lines); i++ {
-		if res := d.checkResolvedFile(d.Lines[i], str1, str2, recurseCount); res.FoundAtLeastOne {
-			return res
+	for i := d.CurrentLine; i < len(lines); i++ {
+		if len(d.ResolvedFiles) > 0 {
+			if res, newLines := d.checkResolvedFile(lines[i], str1, str2, recurseCount); res.FoundAtLeastOne {
+				return res, newLines
+			}
 		}
-		distances = d.checkLine(str1, str2, distances, i)
+		distances = checkLine(str1, str2, distances, lines[i], i)
 	}
 
 	if len(distances) == 0 {
-		return &DefaultDetectLineResponse{
-			FoundAtLeastOne: d.FoundAtLeastOne,
-			CurrentLine:     d.CurrentLine,
-			IsBreak:         true,
-			Lines:           d.Lines,
-			ResolvedFile:    d.ResolvedFile,
-			ResolvedFiles:   d.ResolvedFiles,
-		}
+		d.IsBreak = true
+		return d, lines
 	}
 
-	return &DefaultDetectLineResponse{
-		CurrentLine:     SelectLineWithMinimumDistance(distances, d.CurrentLine),
-		IsBreak:         false,
-		FoundAtLeastOne: true,
-		Lines:           d.Lines,
-		ResolvedFile:    d.ResolvedFile,
-		ResolvedFiles:   d.ResolvedFiles,
-	}
+	d.CurrentLine = SelectLineWithMinimumDistance(distances, d.CurrentLine)
+	d.IsBreak = false
+	d.FoundAtLeastOne = true
+
+	return d, lines
 }
 
-func (d *DefaultDetectLineResponse) checkLine(str1, str2 string, distances map[int]int, i int) map[int]int {
-	if str1 != "" && str2 != "" && strings.Contains(d.Lines[i], str1) {
-		restLine := d.Lines[i][strings.Index(d.Lines[i], str1)+len(str1):]
+func checkLine(str1, str2 string, distances map[int]int, line string, i int) map[int]int {
+	if str1 != "" && str2 != "" && strings.Contains(line, str1) {
+		restLine := line[strings.Index(line, str1)+len(str1):]
 		if strings.Contains(restLine, str2) {
-			distances[i] = levenshtein.ComputeDistance(ExtractLineFragment(d.Lines[i], str1, false), str1)
+			distances[i] = levenshtein.ComputeDistance(ExtractLineFragment(line, str1, false), str1)
 			distances[i] += levenshtein.ComputeDistance(ExtractLineFragment(restLine, str2, false), str2)
 		}
-	} else if str1 != "" && strings.Contains(d.Lines[i], str1) {
-		distances[i] = levenshtein.ComputeDistance(ExtractLineFragment(d.Lines[i], str1, false), str1)
+	} else if str1 != "" && strings.Contains(line, str1) {
+		distances[i] = levenshtein.ComputeDistance(ExtractLineFragment(line, str1, false), str1)
 	}
 
 	return distances
 }
 
-func (d *DefaultDetectLineResponse) checkResolvedFile(line, str1, st2 string, recurseCount int) *DefaultDetectLineResponse {
+func (d *DefaultDetectLineResponse) checkResolvedFile(line, str1, st2 string,
+	recurseCount int) (det *DefaultDetectLineResponse, l []string) {
 	for key, r := range d.ResolvedFiles {
 		if strings.Contains(line, key) {
 			if recurseCount > constants.MaxResolvedFiles {
 				break
 			}
-			return d.restore(r.Lines, r.Path).DetectCurrentLine(str1, st2, recurseCount+1)
+			return d.restore(r.Path).DetectCurrentLine(str1, st2, recurseCount+1, r.Lines)
 		}
 	}
-	return &DefaultDetectLineResponse{
-		CurrentLine:     0,
-		IsBreak:         false,
-		FoundAtLeastOne: false,
-	}
+
+	d.CurrentLine = 0
+	d.IsBreak = false
+	d.FoundAtLeastOne = false
+
+	return d, []string{}
 }
 
-func (d *DefaultDetectLineResponse) restore(lines []string, file string) *DefaultDetectLineResponse {
-	return &DefaultDetectLineResponse{
-		CurrentLine:     0,
-		IsBreak:         d.IsBreak,
-		FoundAtLeastOne: false,
-		Lines:           lines,
-		ResolvedFile:    file,
-		ResolvedFiles:   d.ResolvedFiles,
-	}
+func (d *DefaultDetectLineResponse) restore(file string) *DefaultDetectLineResponse {
+	d.CurrentLine = 0
+	d.FoundAtLeastOne = false
+	d.ResolvedFile = file
+	return d
 }
diff --git a/pkg/detector/helper_test.go b/pkg/detector/helper_test.go
@@ -396,7 +396,6 @@ func TestDefaultDetectLineResponse_restore(t *testing.T) {
 				CurrentLine:     0,
 				IsBreak:         false,
 				FoundAtLeastOne: false,
-				Lines:           []string{"this is a line"},
 				ResolvedFile:    "newfile",
 				ResolvedFiles:   map[string]model.ResolvedFileSplit{},
 			},
@@ -408,11 +407,10 @@ func TestDefaultDetectLineResponse_restore(t *testing.T) {
 				CurrentLine:     tt.fields.CurrentLine,
 				IsBreak:         tt.fields.IsBreak,
 				FoundAtLeastOne: tt.fields.FoundAtLeastOne,
-				Lines:           tt.fields.Lines,
 				ResolvedFile:    tt.fields.ResolvedFile,
 				ResolvedFiles:   tt.fields.ResolvedFiles,
 			}
-			if got := d.restore(tt.args.lines, tt.args.file); !reflect.DeepEqual(got, tt.want) {
+			if got := d.restore(tt.args.file); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("restore() = %v, want %v", got, tt.want)
 			}
 		})
@@ -433,11 +431,17 @@ func TestDefaultDetectLineResponse_checkResolvedFile(t *testing.T) {
 		str1 string
 		st2  string
 	}
+
+	type want struct {
+		defaultDetectLineResponse *DefaultDetectLineResponse
+		lines                     []string
+	}
+
 	tests := []struct {
 		name   string
 		fields fields
 		args   args
-		want   *DefaultDetectLineResponse
+		want   want
 	}{
 		{
 			name: "test_lines",
@@ -463,22 +467,25 @@ func TestDefaultDetectLineResponse_checkResolvedFile(t *testing.T) {
 					},
 				},
 			},
-			want: &DefaultDetectLineResponse{
-				CurrentLine:     1,
-				IsBreak:         false,
-				FoundAtLeastOne: true,
-				Lines:           []string{"this is line one", "key: value", "this is line three"},
-				ResolvedFile:    "abs/path/to/file",
-				ResolvedFiles: map[string]model.ResolvedFileSplit{
-					"path/to/file": {
-						Path: "abs/path/to/file",
-						Lines: []string{
-							"this is line one",
-							"key: value",
-							"this is line three",
+			want: want{
+				defaultDetectLineResponse: &DefaultDetectLineResponse{
+					CurrentLine:     1,
+					IsBreak:         false,
+					FoundAtLeastOne: true,
+
+					ResolvedFile: "abs/path/to/file",
+					ResolvedFiles: map[string]model.ResolvedFileSplit{
+						"path/to/file": {
+							Path: "abs/path/to/file",
+							Lines: []string{
+								"this is line one",
+								"key: value",
+								"this is line three",
+							},
 						},
 					},
 				},
+				lines: []string{"this is line one", "key: value", "this is line three"},
 			},
 		},
 	}
@@ -488,12 +495,16 @@ func TestDefaultDetectLineResponse_checkResolvedFile(t *testing.T) {
 				CurrentLine:     tt.fields.CurrentLine,
 				IsBreak:         tt.fields.IsBreak,
 				FoundAtLeastOne: tt.fields.FoundAtLeastOne,
-				Lines:           tt.fields.Lines,
 				ResolvedFile:    tt.fields.ResolvedFile,
 				ResolvedFiles:   tt.fields.ResolvedFiles,
 			}
-			if got := d.checkResolvedFile(tt.args.line, tt.args.str1, tt.args.st2, 0); !reflect.DeepEqual(got, tt.want) {
-				t.Errorf("checkResolvedFile() = %v, want %v", got, tt.want)
+			gotDefaultDetectLineResponse, gotLines := d.checkResolvedFile(tt.args.line, tt.args.str1, tt.args.st2, 0)
+
+			if !reflect.DeepEqual(gotDefaultDetectLineResponse, tt.want.defaultDetectLineResponse) {
+				t.Errorf("checkResolvedFile() = %v, want %v", gotDefaultDetectLineResponse, tt.want.defaultDetectLineResponse)
+			}
+			if !reflect.DeepEqual(gotLines, tt.want.lines) {
+				t.Errorf("checkResolvedFile() = %v, want %v", gotLines, tt.want.lines)
 			}
 		})
 	}

diff --git a/test/fixtures/unresolved_openapi/openapi.yaml b/test/fixtures/unresolved_openapi/openapi.yaml
@@ -24,4 +24,4 @@ components:
   schemas:
     $ref: "./schemas/_index.yaml"
   responses:
-    $ref: "./responses/_index.yaml"
+    $ref: "./responses/_index.yaml"