Merge pull request #160 from Checkmarx/feature/kobih/fix-vulnerabilities

Fix vulnerabilities and tests, upgrade packages and CLI version (AST-38513)

.github/workflows/ast-scan.yml

@@ -9,7 +9,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Checkmarx One CLI Action
-        uses: checkmarx/ast-github-action@main
+        uses: checkmarx/ast-github-action@dd0f9365942f29a99c3be5bdb308958ede8f906b #main
         with:
           base_uri: ${{ secrets.BASE_URI }}
           cx_tenant: ${{ secrets.TENANT }}

.github/workflows/ci.yml

@@ -14,10 +14,10 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup VSTest
-        uses: darenm/Setup-VSTest@v1
+        uses: darenm/Setup-VSTest@fbb574e849d6225ce9702f86e64eb6cdc4b4e561 #v1
 
       - name: Add MSBuild to PATH
-        uses: microsoft/[email protected]
+        uses: microsoft/setup-msbuild@1ff57057b5cfdc39105cd07a01d78e9b0ea0c14c #v1.3.1
         with:
           vs-version: '17.2'
 

.github/workflows/dependabot-auto-merge.yml

@@ -11,7 +11,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/[email protected]
+        uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 #v1.6.0
         with:
           github-token: "${{ secrets.PERSONAL_ACCESS_TOKEN  }}"
       - name: Enable auto-merge for Dependabot PRs
@@ -20,6 +20,6 @@ jobs:
           GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }}
         run: gh pr merge --auto --merge "$PR_URL"
       - name: Auto approve dependabot PRs
-        uses: hmarr/auto-approve-action@v3
+        uses: hmarr/auto-approve-action@a2e6f2a0ccf5c63ef8754de360464edbf47e66ee #v3
         with:
           github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}

.github/workflows/nightly.yml

@@ -29,7 +29,7 @@ jobs:
     if: ${{needs.check-dependabot-commits.outputs.isDependabot == 'false'}}
     steps:
       - name: Delete release
-        uses: dev-drprasad/[email protected]
+        uses: dev-drprasad/delete-tag-and-release@8cd619d00037e4aeb781909c9a6b03940507d0da #v1.0.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/pr-label.yml

@@ -12,7 +12,7 @@ jobs:
       pull-requests: write  # for TimonVS/pr-labeler-action to add labels in PR
     runs-on: ubuntu-latest
     steps:
-      - uses: TimonVS/pr-labeler-action@v5
+      - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af #v5
         with:
           configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value
         env:

.github/workflows/release.yml

@@ -42,7 +42,7 @@ jobs:
           token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
 
       - name: Add MSBuild to PATH
-        uses: microsoft/[email protected]
+        uses: microsoft/setup-msbuild@1ff57057b5cfdc39105cd07a01d78e9b0ea0c14c #v1.3.1
         with:
           vs-version: '17.2'
 
@@ -71,7 +71,7 @@ jobs:
 
       - name: Increment VSIX version
         id: vsix_version
-        uses: timheuer/vsix-version-stamp@v2
+        uses: timheuer/vsix-version-stamp@9d38292e99e54046455bb68c6a2b5113d269a7d0 #v2
         with:
           manifest-file: ast-visual-studio-extension\source.extension.vsixmanifest
 
@@ -82,15 +82,15 @@ jobs:
         run: msbuild .\ast-visual-studio-extension\ast-visual-studio-extension.csproj /p:Configuration=Release /p:DeployExtension=False
 
       - name: Create Release
-        uses: softprops/[email protected]
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 #v0.1.15
         with:
           tag_name: ${{ inputs.tag }}
           prerelease: ${{ inputs.dev }}
           generate_release_notes: true
           files: '.\ast-visual-studio-extension\bin\Release\ast-visual-studio-extension.vsix'
 
       - name: Publish Release
-        uses: cezarypiatek/[email protected]
+        uses: cezarypiatek/VsixPublisherAction@9c6b58b5955df9901a6e9834be1d0a94cd54aeba #1.0
         if: inputs.dev == false
         with:
           extension-file: '.\ast-visual-studio-extension\bin\Release\ast-visual-studio-extension.vsix'
@@ -112,7 +112,7 @@ jobs:
           echo "::set-output name=body_release::$body_release"
       - name: Converts Markdown to HTML
         id: convert
-        uses: lifepal/[email protected]
+        uses: lifepal/markdown-to-html@253bbd85fbdeafe2d1f18c1b9289be24e5cf8f8f #v1.2
         with:
           text: "${{ steps.release.outputs.body_release }}"
 
@@ -124,7 +124,7 @@ jobs:
           echo "::set-output name=clean::$clean"
       - name: Send a Notification
         id: notify
-        uses: thechetantalwar/teams-notify@v2
+        uses: thechetantalwar/teams-notify@8a78811f5e8f58cdd204efebd79158006428c46b #v2
         with:
           teams_webhook_url: ${{ secrets.TEAMS_WEBHOOK_URI }}
           message: "<h1>Checkmarx Visual Studio Plugin ${{ env.RELEASE_VERSION }}</h1>${{ steps.clean.outputs.clean }}"

.github/workflows/update-cli.yml

@@ -30,7 +30,7 @@ jobs:
 
       - name: Create Pull Request
         if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@5b4a9f6a9e2af26e5f02351490b90d01eb8ec1e5 #v5
         with:
           token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
           commit-message: Update checkmarx-ast-cli to ${{ steps.checkmarx-ast-cli.outputs.release_tag }}

ast-visual-studio-extension-tests/ast-visual-studio-extension-tests.csproj

@@ -5,12 +5,12 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.0.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
-    <PackageReference Include="System.Configuration.ConfigurationManager" Version="7.0.0" />
+    <PackageReference Include="System.Configuration.ConfigurationManager" Version="8.0.0" />
     <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
-    <PackageReference Include="xunit" Version="2.4.2" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
+    <PackageReference Include="xunit" Version="2.8.0" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.8.0">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>

ast-visual-studio-extension-tests/cx-unit-tests/cx-wrapper-tests/BaseTest.cs

@@ -64,7 +64,7 @@ protected Dictionary<Scan, Results> GetFirstScanWithResults(List<Scan> scanList)
 
                 Results results = cxWrapper.GetResults(new Guid(scan.ID));
 
-                if (results != null && results.results.Any() && results.results.Where(r => r.Type.Equals("sast")).Any())
+                if (results != null && results.results != null && results.results.Any(r => r.Type.Equals("sast")))
                 {
                     result.Add(scan, results);
                     break;

ast-visual-studio-extension-tests/cx-unit-tests/cx-wrapper-tests/ResultTest.cs

@@ -49,7 +49,7 @@ public void TestResultsSummaryJSON()
         [Fact]
         public void TestResultsStructure()
         {
-            List<Scan> scanList = cxWrapper.GetScans();
+            List<Scan> scanList = cxWrapper.GetScans("statuses=Completed");
             Assert.True(scanList.Any());
 
             Results results = GetFirstScanWithResults(scanList).First().Value;

ast-visual-studio-extension-tests/cx-unit-tests/cx-wrapper-tests/TriageTest.cs

@@ -13,7 +13,7 @@ public class TriageTest : BaseTest
         [Fact]
         public void TestTriageShow()
         {
-            List<Scan> scanList = cxWrapper.GetScans("statuses = Completed");
+            List<Scan> scanList = cxWrapper.GetScans("statuses=Completed");
             Assert.True(scanList.Any());
 
             Scan scan = GetFirstScanWithResults(scanList).First().Key;
@@ -27,7 +27,7 @@ public void TestTriageShow()
         [Fact]
         public void TestTriageUpdate()
         {
-            List<Scan> scanList = cxWrapper.GetScans("statuses = Completed");
+            List<Scan> scanList = cxWrapper.GetScans("statuses=Completed");
             Assert.True(scanList.Count > 0);
 
             Scan scan = GetFirstScanWithResults(scanList).First().Key;

ast-visual-studio-extension/ast-visual-studio-extension.csproj

@@ -159,21 +159,24 @@
     <Reference Include="WindowsFormsIntegration" />
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Community.VisualStudio.Toolkit.17" Version="17.0.492" />
+    <PackageReference Include="Community.VisualStudio.Toolkit.17" Version="17.0.507" />
     <PackageReference Include="Community.VisualStudio.VSCT" Version="16.0.29.6" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens">
-      <Version>7.4.1</Version>
+      <Version>7.5.1</Version>
     </PackageReference>
     <PackageReference Include="Microsoft.TeamFoundationServer.Client">
-      <Version>16.205.1</Version>
+      <Version>19.225.1</Version>
+    </PackageReference>
+    <PackageReference Include="Microsoft.VisualStudio.SDK" Version="17.9.37000" />
+    <PackageReference Include="Microsoft.VSSDK.BuildTools" Version="17.9.3184">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.VisualStudio.SDK" Version="17.0.32112.339" />
-    <PackageReference Include="Microsoft.VSSDK.BuildTools" Version="17.0.5240" />
     <PackageReference Include="Microsoft.CodeAnalysis.NetAnalyzers" Version="6.0.0" />
-    <PackageReference Include="log4net" Version="2.0.15" />
+    <PackageReference Include="log4net" Version="2.0.17" />
     <PackageReference Include="Microsoft.VSSDK.Vsixsigntool" Version="16.2.29116.78" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt">
-      <Version>7.4.1</Version>
+      <Version>7.5.1</Version>
     </PackageReference>
     <PackageReference Include="System.Json" Version="4.7.1" />
   </ItemGroup>