Support Multi Locations, Support Sha Instead Of Tag (AST-105014) (#1230)

* support multi locations, support Sha instead of tag

* linter fix - 1

* add UT

* add UT

* linter fix - 2

Author: cx-miryam-foifer

go.mod

@@ -4,7 +4,7 @@ go 1.24.4
 
 require (
 	github.com/Checkmarx/containers-resolver v1.0.15
-	github.com/Checkmarx/containers-types v1.0.6
+	github.com/Checkmarx/containers-types v1.0.7
 	github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63
 	github.com/Checkmarx/gen-ai-wrapper v1.0.2
 	github.com/Checkmarx/manifest-parser v0.1.0
@@ -41,7 +41,7 @@ require (
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/BobuSumisu/aho-corasick v1.0.3 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
-	github.com/Checkmarx/containers-images-extractor v1.0.11
+	github.com/Checkmarx/containers-images-extractor v1.0.14
 	github.com/Checkmarx/containers-syft-packages-extractor v1.0.13 // indirect
 	github.com/CycloneDX/cyclonedx-go v0.9.2 // indirect
 	github.com/DataDog/zstd v1.5.6 // indirect

go.sum

@@ -63,14 +63,14 @@ github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbi
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/Checkmarx/containers-images-extractor v1.0.11 h1:vkXenD5d9oiTn5CjMXx4V+Lr2Ol0WvMLaw+tUgY+Ky4=
-github.com/Checkmarx/containers-images-extractor v1.0.11/go.mod h1:5R3RtBHmMu9bjuXZCKBacPZwxtitXzIdRqQTnO2BeII=
+github.com/Checkmarx/containers-images-extractor v1.0.14 h1:ehGaOupkSbowq7LhiOG+bSuif9cyRuW+LNYFNPF3JKY=
+github.com/Checkmarx/containers-images-extractor v1.0.14/go.mod h1:/oMzTVB9exQNec/xfnVOtu752hRd223SOQt54JvGWUA=
 github.com/Checkmarx/containers-resolver v1.0.15 h1:cm4d6vYWi6G9J9vnAw+dWcMsJwEFMo+anCHVaSp0nMQ=
 github.com/Checkmarx/containers-resolver v1.0.15/go.mod h1:9mdw8elUHj9NO9+ejjuuuCByfxvx9mG+JTJxDLi9ubM=
 github.com/Checkmarx/containers-syft-packages-extractor v1.0.13 h1:9ah0rruMGgRiug/bD/JJDSrDqEqS7sKGVdc5sqbkwk8=
 github.com/Checkmarx/containers-syft-packages-extractor v1.0.13/go.mod h1:EFeB4//lO4KMVj9+eMg6z5jnO9F1e1T4jUoIcx0/19M=
-github.com/Checkmarx/containers-types v1.0.6 h1:wshT95XKnFhn1zfZabg89+SoxwyfjHnkUSOm/OnWtGY=
-github.com/Checkmarx/containers-types v1.0.6/go.mod h1:KR0w8XCosq3+6jRCfQrH7i//Nj2u11qaUJM62CREFZA=
+github.com/Checkmarx/containers-types v1.0.7 h1:SZUB8S//yFc1WlgLbw33conN5eR9CLv+DTewxMGVp7M=
+github.com/Checkmarx/containers-types v1.0.7/go.mod h1:KR0w8XCosq3+6jRCfQrH7i//Nj2u11qaUJM62CREFZA=
 github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63 h1:SCuTcE+CFvgjbIxUNL8rsdB2sAhfuNx85HvxImKta3g=
 github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63/go.mod h1:MI6lfLerXU+5eTV/EPTDavgnV3owz3GPT4g/msZBWPo=
 github.com/Checkmarx/gen-ai-wrapper v1.0.2 h1:T6X40+4hYnwfDsvkjWs9VIcE6s1O+8DUu0+sDdCY3GI=

internal/services/realtimeengine/containersrealtime/containers-realtime.go

@@ -64,6 +64,8 @@ func (c *ContainersRealtimeService) RunContainersRealtimeScan(filePath string) (
 		return &ContainerImageResults{Images: []ContainerImage{}}, nil
 	}
 
+	images = splitLocationsToSeparateResults(images)
+
 	result, err := c.scanImages(images, filePath)
 	if err != nil {
 		logger.PrintfIfVerbose("Failed to scan images via realtime service: %v", err)
@@ -73,6 +75,22 @@ func (c *ContainersRealtimeService) RunContainersRealtimeScan(filePath string) (
 	return result, nil
 }
 
+func splitLocationsToSeparateResults(images []types.ImageModel) []types.ImageModel {
+	for i := 0; i < len(images); {
+		if len(images[i].ImageLocations) > 1 {
+			for _, loc := range images[i].ImageLocations {
+				newImage := images[i]
+				newImage.ImageLocations = []types.ImageLocation{loc}
+				images = append(images, newImage)
+			}
+			images = append(images[:i], images[i+1:]...)
+		} else {
+			i++
+		}
+	}
+	return images
+}
+
 // parseContainersFile parses the containers file and returns a list of images.
 func parseContainersFile(filePath string) ([]types.ImageModel, error) {
 	extractor := imagesExtractor.NewImagesExtractor()
@@ -106,7 +124,13 @@ func (c *ContainersRealtimeService) scanImages(images []types.ImageModel, filePa
 	logger.PrintfIfVerbose("Scanning %d images for vulnerabilities", len(images))
 
 	var requestImages []wrappers.ContainerImageRequestItem
+	var imagesWithSha []wrappers.ContainerImageResponseItem
 	for _, img := range images {
+		if img.IsSha {
+			logger.PrintfIfVerbose("Skipping image with SHA: %s", img.Name)
+			addShaImage(&imagesWithSha, img)
+			continue
+		}
 		imageName, imageTag := splitToImageAndTag(img.Name)
 
 		logger.PrintfIfVerbose("Processing image: %s:%s", imageName, imageTag)
@@ -128,19 +152,54 @@ func (c *ContainersRealtimeService) scanImages(images []types.ImageModel, filePa
 
 	logger.PrintfIfVerbose("Received scan results for %d images", len(response.Images))
 
-	result := c.buildContainerImageResults(response.Images, images, filePath)
+	result := c.buildContainerImageResults(response.Images, imagesWithSha, images, filePath)
 	return &result, nil
 }
 
+func addShaImage(images *[]wrappers.ContainerImageResponseItem, img types.ImageModel) {
+	imageName, imageTag := splitToImageAndSha(img.Name)
+
+	*images = append(*images, wrappers.ContainerImageResponseItem{
+		ImageName:       imageName,
+		ImageTag:        imageTag,
+		Status:          "Unknown",
+		Vulnerabilities: []wrappers.ContainerImageVulnerability{},
+	})
+}
+
+func splitToImageAndSha(image string) (imageName, imageTag string) {
+	atIndex := strings.Index(image, "@")
+	if atIndex == -1 {
+		return splitToImageAndTag(image)
+	}
+
+	nameAndTag := image[:atIndex]
+	shaPart := image[atIndex+1:]
+
+	colonIndex := strings.LastIndex(nameAndTag, ":")
+	if colonIndex != -1 {
+		imageName = nameAndTag[:colonIndex]
+		tag := nameAndTag[colonIndex+1:]
+		imageTag = tag + "@" + shaPart
+	} else {
+		imageName = nameAndTag
+		imageTag = shaPart
+	}
+	return
+}
+
 // buildContainerImageResults builds ContainerImageResults from response and images
-func (c *ContainersRealtimeService) buildContainerImageResults(responseImages []wrappers.ContainerImageResponseItem, images []types.ImageModel, filePath string) ContainerImageResults {
+func (c *ContainersRealtimeService) buildContainerImageResults(responseImages, imagesWithSha []wrappers.ContainerImageResponseItem, images []types.ImageModel, filePath string) ContainerImageResults {
 	var result ContainerImageResults
-	for i, respImg := range responseImages {
-		var locations []realtimeengine.Location
-		if i < len(images) {
-			locations = convertLocations(images[i].ImageLocations)
-		}
 
+	result = mergeImagesToResults(responseImages, result, &images, filePath)
+	result = mergeImagesToResults(imagesWithSha, result, &images, filePath)
+	return result
+}
+
+func mergeImagesToResults(listOfImages []wrappers.ContainerImageResponseItem, result ContainerImageResults, images *[]types.ImageModel, filePath string) ContainerImageResults {
+	for _, respImg := range listOfImages {
+		locations := getImageLocations(images, respImg.ImageName, respImg.ImageTag)
 		containerImage := ContainerImage{
 			ImageName:       respImg.ImageName,
 			ImageTag:        respImg.ImageTag,
@@ -154,6 +213,17 @@ func (c *ContainersRealtimeService) buildContainerImageResults(responseImages []
 	return result
 }
 
+func getImageLocations(images *[]types.ImageModel, imageName, imageTag string) []realtimeengine.Location {
+	for i, img := range *images {
+		if img.Name == imageName+":"+imageTag || img.Name == imageName+"@"+imageTag {
+			location := convertLocations(&img.ImageLocations)
+			*images = append((*images)[:i], (*images)[i+1:]...)
+			return location
+		}
+	}
+	return []realtimeengine.Location{}
+}
+
 // splitToImageAndTag splits the image string into name and tag components.
 func splitToImageAndTag(image string) (imageName, imageTag string) {
 	// Split the image string by the last colon to separate name and tag
@@ -170,9 +240,9 @@ func splitToImageAndTag(image string) (imageName, imageTag string) {
 }
 
 // convertLocations converts types locations to realtimeengine locations.
-func convertLocations(locations []types.ImageLocation) []realtimeengine.Location {
+func convertLocations(locations *[]types.ImageLocation) []realtimeengine.Location {
 	var result []realtimeengine.Location
-	for _, loc := range locations {
+	for _, loc := range *locations {
 		line := loc.Line
 		startIndex := loc.StartIndex
 		endIndex := loc.EndIndex

internal/services/realtimeengine/containersrealtime/containers-realtime_test.go

@@ -4,11 +4,14 @@ import (
 	"errors"
 	"testing"
 
+	"github.com/Checkmarx/containers-types/types"
 	"github.com/checkmarx/ast-cli/internal/wrappers"
 	"github.com/checkmarx/ast-cli/internal/wrappers/mock"
 	"github.com/stretchr/testify/assert"
 )
 
+const testImageName = "nginx"
+
 func TestRunContainersRealtimeScan_ValidLicenseAndFile_Success(t *testing.T) {
 	mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.OssRealtimeEnabled, Status: true}
 	service := NewContainersRealtimeService(
@@ -151,3 +154,64 @@ func TestRunContainersRealtimeScan_ImageVulnerabilityMapping(t *testing.T) {
 	assert.Equal(t, 5, result.Images[0].Locations[0].StartIndex)
 	assert.Equal(t, 17, result.Images[0].Locations[0].EndIndex)
 }
+
+func TestSplitToImageAndSha_whenHasShaAndTag_shouldReturnImageAndShaAndTag(t *testing.T) {
+	image := testImageName + ":latest@sha256:1234567890abcdef"
+	expectedImage := testImageName
+	expectedSha := "latest@sha256:1234567890abcdef"
+
+	imageName, sha := splitToImageAndSha(image)
+
+	assert.Equal(t, expectedImage, imageName)
+	assert.Equal(t, expectedSha, sha)
+}
+
+func TestSplitToImageAndSha_whenHasShaNoTag_shouldReturnImageAndShaNoTag(t *testing.T) {
+	image := testImageName + "@sha256:1234567890abcdef"
+	expectedImage := testImageName
+	expectedSha := "sha256:1234567890abcdef"
+
+	imageName, sha := splitToImageAndSha(image)
+
+	assert.Equal(t, expectedImage, imageName)
+	assert.Equal(t, expectedSha, sha)
+}
+
+func TestSplitLocationsToSeparateResults_MultipleLocations(t *testing.T) {
+	img := types.ImageModel{
+		Name: testImageName,
+		ImageLocations: []types.ImageLocation{
+			{Line: 1, StartIndex: 0, EndIndex: 5},
+			{Line: 2, StartIndex: 6, EndIndex: 11},
+		},
+	}
+	result := splitLocationsToSeparateResults([]types.ImageModel{img})
+	assert.Equal(t, 2, len(result))
+	assert.Equal(t, 1, len(result[0].ImageLocations))
+	assert.Equal(t, 1, result[0].ImageLocations[0].Line)
+	assert.Equal(t, 1, len(result[1].ImageLocations))
+	assert.Equal(t, 2, result[1].ImageLocations[0].Line)
+}
+
+func TestSplitLocationsToSeparateResults_SingleLocation(t *testing.T) {
+	img := types.ImageModel{
+		Name: testImageName,
+		ImageLocations: []types.ImageLocation{
+			{Line: 3, StartIndex: 0, EndIndex: 5},
+		},
+	}
+	result := splitLocationsToSeparateResults([]types.ImageModel{img})
+	assert.Equal(t, 1, len(result))
+	assert.Equal(t, 1, len(result[0].ImageLocations))
+	assert.Equal(t, 3, result[0].ImageLocations[0].Line)
+}
+
+func TestSplitLocationsToSeparateResults_NoLocations(t *testing.T) {
+	img := types.ImageModel{
+		Name:           testImageName,
+		ImageLocations: []types.ImageLocation{},
+	}
+	result := splitLocationsToSeparateResults([]types.ImageModel{img})
+	assert.Equal(t, 1, len(result))
+	assert.Equal(t, 0, len(result[0].ImageLocations))
+}