Devassist: Realtime scanners (OSS, Secrets, Containers, IaC) with unified wrapper and enhanced parsing(AST-115438)

src/main/java/com/checkmarx/ast/containersrealtime/ContainersRealtimeImage.java

@@ -0,0 +1,40 @@
+package com.checkmarx.ast.containersrealtime;
+
+import com.checkmarx.ast.realtime.RealtimeLocation;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+
+import java.util.Collections;
+import java.util.List;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ContainersRealtimeImage {
+    @JsonProperty("ImageName") String imageName;
+    @JsonProperty("ImageTag") String imageTag;
+    @JsonProperty("FilePath") String filePath;
+    @JsonProperty("Locations") List<RealtimeLocation> locations;
+    @JsonProperty("Status") String status;
+    @JsonProperty("Vulnerabilities") List<ContainersRealtimeVulnerability> vulnerabilities;
+
+    @JsonCreator
+    public ContainersRealtimeImage(@JsonProperty("ImageName") String imageName,
+                                   @JsonProperty("ImageTag") String imageTag,
+                                   @JsonProperty("FilePath") String filePath,
+                                   @JsonProperty("Locations") List<RealtimeLocation> locations,
+                                   @JsonProperty("Status") String status,
+                                   @JsonProperty("Vulnerabilities") List<ContainersRealtimeVulnerability> vulnerabilities) {
+        this.imageName = imageName;
+        this.imageTag = imageTag;
+        this.filePath = filePath;
+        this.locations = locations == null ? Collections.emptyList() : locations;
+        this.status = status;
+        this.vulnerabilities = vulnerabilities == null ? Collections.emptyList() : vulnerabilities;
+    }
+}

src/main/java/com/checkmarx/ast/containersrealtime/ContainersRealtimeResults.java

@@ -0,0 +1,53 @@
+package com.checkmarx.ast.containersrealtime;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.List;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ContainersRealtimeResults {
+    private static final Logger log = LoggerFactory.getLogger(ContainersRealtimeResults.class);
+
+    @JsonProperty("Images") List<ContainersRealtimeImage> images;
+
+    @JsonCreator
+    public ContainersRealtimeResults(@JsonProperty("Images") List<ContainersRealtimeImage> images) {
+        this.images = images;
+    }
+
+    public static ContainersRealtimeResults fromLine(String line) {
+        if (StringUtils.isBlank(line)) {
+            return null;
+        }
+        try {
+            if (line.contains("\"Images\"") && isValidJSON(line)) {
+                return new ObjectMapper().readValue(line, ContainersRealtimeResults.class);
+            }
+        } catch (IOException e) {
+            log.debug("Failed to parse containers realtime line: {}", line, e);
+        }
+        return null;
+    }
+
+    private static boolean isValidJSON(String json) {
+        try {
+            new ObjectMapper().readTree(json);
+            return true;
+        } catch (IOException e) {
+            return false;
+        }
+    }
+}

src/main/java/com/checkmarx/ast/containersrealtime/ContainersRealtimeVulnerability.java

@@ -0,0 +1,24 @@
+package com.checkmarx.ast.containersrealtime;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ContainersRealtimeVulnerability {
+    @JsonProperty("CVE") String cve;
+    @JsonProperty("Severity") String severity;
+
+    @JsonCreator
+    public ContainersRealtimeVulnerability(@JsonProperty("CVE") String cve,
+                                           @JsonProperty("Severity") String severity) {
+        this.cve = cve;
+        this.severity = severity;
+    }
+}

src/main/java/com/checkmarx/ast/iacrealtime/IacRealtimeResults.java

@@ -0,0 +1,98 @@
+package com.checkmarx.ast.iacrealtime;
+
+import com.checkmarx.ast.realtime.RealtimeLocation;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class IacRealtimeResults {
+    private static final Logger log = LoggerFactory.getLogger(IacRealtimeResults.class);
+    @JsonProperty("Results") List<Issue> results; // Normalized list (array or single object)
+
+    @JsonCreator
+    public IacRealtimeResults(@JsonProperty("Results") List<Issue> results) {
+        this.results = results == null ? Collections.emptyList() : results;
+    }
+
+    @Value
+    @JsonDeserialize
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    @JsonIgnoreProperties(ignoreUnknown = true)
+    public static class Issue {
+        @JsonProperty("Title") String title;
+        @JsonProperty("Description") String description;
+        @JsonProperty("SimilarityID") String similarityId;
+        @JsonProperty("FilePath") String filePath;
+        @JsonProperty("Severity") String severity;
+        @JsonProperty("ExpectedValue") String expectedValue;
+        @JsonProperty("ActualValue") String actualValue;
+        @JsonProperty("Locations") List<RealtimeLocation> locations;
+
+        @JsonCreator
+        public Issue(@JsonProperty("Title") String title,
+                     @JsonProperty("Description") String description,
+                     @JsonProperty("SimilarityID") String similarityId,
+                     @JsonProperty("FilePath") String filePath,
+                     @JsonProperty("Severity") String severity,
+                     @JsonProperty("ExpectedValue") String expectedValue,
+                     @JsonProperty("ActualValue") String actualValue,
+                     @JsonProperty("Locations") List<RealtimeLocation> locations) {
+            this.title = title;
+            this.description = description;
+            this.similarityId = similarityId;
+            this.filePath = filePath;
+            this.severity = severity;
+            this.expectedValue = expectedValue;
+            this.actualValue = actualValue;
+            this.locations = locations == null ? Collections.emptyList() : locations;
+        }
+    }
+
+    public static IacRealtimeResults fromLine(String line) {
+        if (StringUtils.isBlank(line)) {
+            return null;
+        }
+        try {
+            if (!isValidJSON(line)) {
+                return null;
+            }
+            ObjectMapper mapper = new ObjectMapper();
+            String trimmed = line.trim();
+            if (trimmed.startsWith("[")) {
+                List<Issue> list = mapper.readValue(trimmed, mapper.getTypeFactory().constructCollectionType(List.class, Issue.class));
+                return new IacRealtimeResults(list == null ? Collections.emptyList() : list);
+            }
+            if (trimmed.startsWith("{")) {
+                Issue single = mapper.readValue(trimmed, Issue.class);
+                return new IacRealtimeResults(Collections.singletonList(single));
+            }
+        } catch (IOException e) {
+            log.debug("Failed to parse iac realtime JSON line: {}", line, e);
+        }
+        return null;
+    }
+
+    private static boolean isValidJSON(String json) {
+        try {
+            new ObjectMapper().readTree(json);
+            return true;
+        } catch (IOException e) {
+            return false;
+        }
+    }
+}

src/main/java/com/checkmarx/ast/ossrealtime/OssRealtimeResults.java

@@ -0,0 +1,55 @@
+package com.checkmarx.ast.ossrealtime;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.List;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class OssRealtimeResults {
+    private static final Logger log = LoggerFactory.getLogger(OssRealtimeResults.class);
+
+    @JsonProperty("Packages") List<OssRealtimeScanPackage> packages;
+
+    @JsonCreator
+    public OssRealtimeResults(@JsonProperty("Packages") List<OssRealtimeScanPackage> packages) {
+        this.packages = packages == null ? Collections.emptyList() : packages;
+    }
+
+    public static OssRealtimeResults fromLine(String line) {
+        if (StringUtils.isBlank(line)) {
+            return null;
+        }
+        try {
+            if (isValidJSON(line) && line.contains("\"Packages\"")) {
+                return new ObjectMapper().readValue(line, OssRealtimeResults.class);
+            }
+        } catch (IOException e) {
+            log.debug("Failed to parse oss realtime line: {}", line, e);
+        }
+        return null;
+    }
+
+    private static boolean isValidJSON(String json) {
+        try {
+            new ObjectMapper().readTree(json);
+            return true;
+        } catch (IOException e) {
+            return false;
+        }
+    }
+}
+

src/main/java/com/checkmarx/ast/ossrealtime/OssRealtimeScanPackage.java

@@ -0,0 +1,44 @@
+package com.checkmarx.ast.ossrealtime;
+
+import com.checkmarx.ast.realtime.RealtimeLocation;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+
+import java.util.Collections;
+import java.util.List;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class OssRealtimeScanPackage {
+    @JsonProperty("PackageManager") String packageManager;
+    @JsonProperty("PackageName") String packageName;
+    @JsonProperty("PackageVersion") String packageVersion;
+    @JsonProperty("FilePath") String filePath;
+    @JsonProperty("Locations") List<RealtimeLocation> locations;
+    @JsonProperty("Status") String status;
+    @JsonProperty("Vulnerabilities") List<OssRealtimeVulnerability> vulnerabilities;
+
+    @JsonCreator
+    public OssRealtimeScanPackage(@JsonProperty("PackageManager") String packageManager,
+                                  @JsonProperty("PackageName") String packageName,
+                                  @JsonProperty("PackageVersion") String packageVersion,
+                                  @JsonProperty("FilePath") String filePath,
+                                  @JsonProperty("Locations") List<RealtimeLocation> locations,
+                                  @JsonProperty("Status") String status,
+                                  @JsonProperty("Vulnerabilities") List<OssRealtimeVulnerability> vulnerabilities) {
+        this.packageManager = packageManager;
+        this.packageName = packageName;
+        this.packageVersion = packageVersion;
+        this.filePath = filePath;
+        this.locations = locations == null ? Collections.emptyList() : locations;
+        this.status = status;
+        this.vulnerabilities = vulnerabilities == null ? Collections.emptyList() : vulnerabilities;
+    }
+}
+

src/main/java/com/checkmarx/ast/ossrealtime/OssRealtimeVulnerability.java

@@ -0,0 +1,31 @@
+package com.checkmarx.ast.ossrealtime;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class OssRealtimeVulnerability {
+    @JsonProperty("CVE") String cve;
+    @JsonProperty("Severity") String severity;
+    @JsonProperty("Description") String description;
+    @JsonProperty("FixVersion") String fixVersion;
+
+    @JsonCreator
+    public OssRealtimeVulnerability(@JsonProperty("CVE") String cve,
+                                    @JsonProperty("Severity") String severity,
+                                    @JsonProperty("Description") String description,
+                                    @JsonProperty("FixVersion") String fixVersion) {
+        this.cve = cve;
+        this.severity = severity;
+        this.description = description;
+        this.fixVersion = fixVersion;
+    }
+}
+

src/main/java/com/checkmarx/ast/realtime/RealtimeLocation.java

@@ -0,0 +1,28 @@
+package com.checkmarx.ast.realtime;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import lombok.Value;
+
+@Value
+@JsonDeserialize
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class RealtimeLocation {
+    @JsonProperty("Line") int line;
+    @JsonProperty("StartIndex") int startIndex;
+    @JsonProperty("EndIndex") int endIndex;
+
+    @JsonCreator
+    public RealtimeLocation(@JsonProperty("Line") int line,
+                             @JsonProperty("StartIndex") int startIndex,
+                             @JsonProperty("EndIndex") int endIndex) {
+        this.line = line;
+        this.startIndex = startIndex;
+        this.endIndex = endIndex;
+    }
+}
+