2024 q4 release2 integration branch (#143)

* Changes for default preset and plugin version and avoid duplicate scan and SAST medium vulnerability

* Changes for vulnerability fixes and loglevel

* Removing spring core to fix vulnerability

* Fix for issue in config as code and updating version

pom.xml

@@ -6,7 +6,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.cx.plugin</groupId>
     <artifactId>CxConsolePlugin</artifactId>
-    <version>1.1.34</version>
+    <version>1.1.36</version>
     <packaging>jar</packaging>
 
     <repositories>
@@ -78,6 +78,7 @@
                             <mainClass>com.cx.plugin.cli.CxConsoleLauncher</mainClass>
                             <classpathPrefix>lib/</classpathPrefix>
                             <addClasspath>true</addClasspath>
+                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
                         </manifest>
                     </archive>
                 </configuration>
@@ -132,7 +133,7 @@
         <dependency>
             <groupId>com.checkmarx</groupId>
             <artifactId>cx-client-common</artifactId>
-            <version>2024.3.26</version>
+            <version>2024.3.28</version>
             <!-- Remove these excludes once latest FSA is used -->
             <exclusions>
 				<exclusion>
@@ -147,10 +148,6 @@
                     <groupId>ch.qos.logback</groupId>
                     <artifactId>logback-classic</artifactId>
                 </exclusion>
-                <exclusion>
-                    <groupId>org.springframework</groupId>
-                    <artifactId>spring-core</artifactId>
-                </exclusion>
                 <exclusion>
 					<groupId>io.vertx</groupId>
 					<artifactId>vertx-core</artifactId>
@@ -193,11 +190,6 @@
             <artifactId>jackson-dataformat-yaml</artifactId>
             <version>2.15.0-rc1</version>
         </dependency>
-        <dependency>
-            <groupId>org.springframework</groupId>
-            <artifactId>spring-core</artifactId>
-            <version>5.3.20</version>
-        </dependency>
         <dependency>
 			<groupId>io.vertx</groupId>
 			<artifactId>vertx-core</artifactId>
@@ -369,12 +361,12 @@
 		<dependency>
 			<groupId>io.netty</groupId>
 			<artifactId>netty-resolver-dns</artifactId>
-			<version>4.1.112.Final</version>
+			<version>4.1.115.Final</version>
 		</dependency>
 		<dependency>
 			<groupId>io.netty</groupId>
 			<artifactId>netty-common</artifactId>
-			<version>4.1.112.Final</version>
+			<version>4.1.115.Final</version>
 		</dependency>
         <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-to-slf4j -->
         <dependency>

src/main/java/com/cx/plugin/cli/CxConsoleLauncher.java

@@ -306,9 +306,18 @@ private static boolean isCliCmdOption(String argName) {
     private static void initFileLogging(String logLocation, String logLevel) {
         System.setProperty("cliLogPath", logLocation);
         System.setProperty("logLevel", logLevel);
+        log.debug("cliLogPath :"+logLocation);
+        log.debug("logLevel :"+logLevel);  
+        Configurator.reconfigure();        
     }
 
     private static String getLogLevel(CommandLine commandLine) {
-        return commandLine.hasOption(Parameters.VERBOSE) ? "TRACE" : "INFO";
+    	if(commandLine.hasOption(Parameters.VERBOSE)) {
+    		return "TRACE";
+    	}
+    	else if(commandLine.hasOption(Parameters.LOG_LEVEL) && commandLine.getOptionValue(LOG_LEVEL)!=null) {
+    		return commandLine.getOptionValue(LOG_LEVEL).toUpperCase();
+    	}
+    	else return "INFO";
     }
 }

src/main/java/com/cx/plugin/cli/constants/ArgDescriptions.java

@@ -113,6 +113,7 @@ private ArgDescriptions() {
     static final String IS_CHECKED_POLICY = "This parameter will break the build if the CxOSA policy is violated. Optional.";
     static final String VERBOSE = "Turns on verbose mode. All messages and events will be sent to the console or log file.";
     static final String LOG_PATH = "Log file to be created.";
+    static final String LOG_LEVEL = "Log level.";
     static final String TRUSTED_CERTIFICATES = "The ‘TrustedCertificates’ parameter can be used to add certified security to the connection. By default, all certificates are trusted. When disabled, only certificates signed by a trusted certificate authority can be accepted.";
 
     static final String SCA_API_URL = "IP address or resolvable name of a SCA instance.";

src/main/java/com/cx/plugin/cli/constants/Command.java

@@ -164,6 +164,7 @@ public static Options getOptions() {
         options.addOption(SCA_FOLDER_EXCLUDE, true, ArgDescriptions.SCA_FOLDER_EXCLUDE);
         options.addOption(VERBOSE, VERBOSE_LONG, false, ArgDescriptions.VERBOSE);
         options.addOption(LOG_PATH, true, ArgDescriptions.LOG_PATH);
+        options.addOption(LOG_LEVEL, true, ArgDescriptions.LOG_LEVEL);
         options.addOption(TRUSTED_CERTIFICATES, false, ArgDescriptions.TRUSTED_CERTIFICATES);
         options.addOption(CONFIGURATION, true, ArgDescriptions.CONFIGURATION);
 

src/main/java/com/cx/plugin/cli/constants/Parameters.java

@@ -23,6 +23,7 @@ private Parameters() {
 
     public static final String FULL_PROJECT_PATH = "projectname";
     public static final String LOG_PATH = "log";
+    public static final String LOG_LEVEL = "loglevel";
     public static final String IS_CHECKED_POLICY = "checkpolicy";
 
     public static final String WORKSPACE_MODE = "workspacemode";

src/main/java/com/cx/plugin/cli/utils/CxConfigHelper.java

@@ -72,7 +72,7 @@ public final class CxConfigHelper {
             "be loaded,please check if file exist's and if file content is valid";
     private static Logger log = LogManager.getLogger(CxConfigHelper.class);
 
-    private static final String DEFAULT_PRESET_NAME = "Checkmarx Default";
+    private static final String DEFAULT_PRESET_NAME = "Project Default";
 
     private static PropertiesManager props;
 
@@ -137,6 +137,7 @@ public CxScanConfig resolveConfiguration(Command command, CommandLine cmd) throw
 
 
         scanConfig.setCxOrigin(CX_ORIGIN);
+        scanConfig.setPluginVersion(CxConfigHelper.class.getPackage().getImplementationVersion());
 
         if (scanConfig.isSastOrOSAEnabled() || command.equals(Command.GENERATE_TOKEN) || command.equals(Command.REVOKE_TOKEN)) {
             scanConfig.setUrl(getSastOrOsaServerUrl());
@@ -230,7 +231,7 @@ public CxScanConfig resolveConfiguration(Command command, CommandLine cmd) throw
                 scanConfig.setIncremental(isIncremental);
             }
         }
-        scanConfig.setAvoidDuplicateProjectScans(cmd.hasOption(AVOID_DUPLICATE_PROJECT_SCANS));
+        scanConfig.setAvoidDuplicateProjectScans(cmd.hasOption(AVOID_DUPLICATE_PROJECT_SCANS));        
         setSASTThresholds(scanConfig);
 
         String dsLocationPath = getSharedDependencyScanOption(scanConfig, OSA_LOCATION_PATH, SCA_LOCATION_PATH);
@@ -254,7 +255,10 @@ public CxScanConfig resolveConfiguration(Command command, CommandLine cmd) throw
 
         if (cmd.hasOption(CONFIG_AS_CODE))
             checkForConfigAsCode(scanConfig);
-
+        if(scanConfig.getAvoidDuplicateProjectScans()!=null && scanConfig.getAvoidDuplicateProjectScans().booleanValue()) {
+            //TODO: set scanConfig.setAvoidDuplicateProjectScans(false) in releases after 1.1.36
+            log.warn("avoidduplicateprojectscans option will be deprecated in version after v1.1.36. SAST configuration will be used to determine the parallel scan policy.");
+            }
         return scanConfig;
     }
 
@@ -1068,27 +1072,13 @@ private static String extractTeamPath(String fullPath, boolean isScaScan) throws
 
     }
 
-    public static String getPluginVersion() {
-        String version = "";
-        try {
-            InputStream is = CxConfigHelper.class.getClassLoader().getResourceAsStream("META-INF/maven/com.cx.plugin/CxConsolePlugin/pom.xml");
-            if (is != null) {
-                MavenXpp3Reader reader = new MavenXpp3Reader();
-                org.apache.maven.model.Model model = reader.read(is);
-                version = model.getVersion();
-            }
-        } catch (Exception e) {
-        }
-        return version;
-    }
-
 
     public static void printConfig(CommandLine commandLine) {
         log.info("-----------------------------------------------------------------------------------------");
         log.info("CxConsole Configuration: ");
         log.info("--------------------");
 
-        String pluginVersion = getPluginVersion();
+        String pluginVersion = CxConfigHelper.class.getPackage()!=null ? CxConfigHelper.class.getPackage().getImplementationVersion() : "";
         log.info("plugin version: {}", pluginVersion);
         for (Option param : commandLine.getOptions()) {
             String name = param.getLongOpt() != null ? param.getLongOpt() : param.getOpt();