cycode 2.1.2.dev1__tar.gz → 2.2.1.dev1__tar.gz

{cycode-2.1.2.dev1 → cycode-2.2.1.dev1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cycode
-Version: 2.1.2.dev1
+Version: 2.2.1.dev1
 Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
 Home-page: https://github.com/cycodehq/cycode-cli
 License: MIT

cycode-2.2.1.dev1/cycode/__init__.py

@@ -0,0 +1 @@
+__version__ = '2.2.1.dev1'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag

{cycode-2.1.2.dev1 → cycode-2.2.1.dev1}/cycode/cli/commands/ignore/ignore_command.py

@@ -1,20 +1,16 @@
-import os
 import re
+from typing import Optional
 
 import click
 
 from cycode.cli import consts
 from cycode.cli.config import config, configuration_manager
 from cycode.cli.sentry import add_breadcrumb
-from cycode.cli.utils.path_utils import get_absolute_path
+from cycode.cli.utils.path_utils import get_absolute_path, is_path_exists
 from cycode.cli.utils.string_utils import hash_string_to_sha256
 from cycode.cyclient import logger
 
 
-def _is_path_to_ignore_exists(path: str) -> bool:
-    return os.path.exists(path)
-
-
 def _is_package_pattern_valid(package: str) -> bool:
     return re.search('^[^@]+@[^@]+$', package) is not None
 
@@ -47,10 +43,16 @@ def _is_package_pattern_valid(package: str) -> bool:
     required=False,
     help='Ignore scanning a specific package version while running an SCA scan. Expected pattern: name@version.',
 )
+@click.option(
+    '--by-cve',
+    type=click.STRING,
+    required=False,
+    help='Ignore scanning a specific CVE while running an SCA scan. Expected pattern: CVE-YYYY-NNN.',
+)
 @click.option(
     '--scan-type',
     '-t',
-    default='secret',
+    default=consts.SECRET_SCAN_TYPE,
     help='Specify the type of scan you wish to execute (the default is Secrets).',
     type=click.Choice(config['scans']['supported_scans']),
     required=False,
@@ -64,40 +66,68 @@ def _is_package_pattern_valid(package: str) -> bool:
     required=False,
     help='Add an ignore rule to the global CLI config.',
 )
-def ignore_command(
-    by_value: str, by_sha: str, by_path: str, by_rule: str, by_package: str, scan_type: str, is_global: bool
+def ignore_command(  # noqa: C901
+    by_value: Optional[str],
+    by_sha: Optional[str],
+    by_path: Optional[str],
+    by_rule: Optional[str],
+    by_package: Optional[str],
+    by_cve: Optional[str],
+    scan_type: str = consts.SECRET_SCAN_TYPE,
+    is_global: bool = False,
 ) -> None:
     """Ignores a specific value, path or rule ID."""
     add_breadcrumb('ignore')
 
-    if not by_value and not by_sha and not by_path and not by_rule and not by_package:
-        raise click.ClickException('ignore by type is missing')
+    all_by_values = [by_value, by_sha, by_path, by_rule, by_package, by_cve]
+    if all(by is None for by in all_by_values):
+        raise click.ClickException('Ignore by type is missing')
+    if len([by for by in all_by_values if by is not None]) != 1:
+        raise click.ClickException('You must specify only one ignore by type')
 
     if any(by is not None for by in [by_value, by_sha]) and scan_type != consts.SECRET_SCAN_TYPE:
-        raise click.ClickException('this exclude is supported only for secret scan type')
+        raise click.ClickException('This exclude is supported only for Secret scan type')
+    if (by_cve or by_package) and scan_type != consts.SCA_SCAN_TYPE:
+        raise click.ClickException('This exclude is supported only for SCA scan type')
+
+    # only one of the by values must be set
+    # at least one of the by values must be set
+    exclusion_type = exclusion_value = None
 
-    if by_value is not None:
+    if by_value:
         exclusion_type = consts.EXCLUSIONS_BY_VALUE_SECTION_NAME
         exclusion_value = hash_string_to_sha256(by_value)
-    elif by_sha is not None:
+
+    if by_sha:
         exclusion_type = consts.EXCLUSIONS_BY_SHA_SECTION_NAME
         exclusion_value = by_sha
-    elif by_path is not None:
+
+    if by_path:
         absolute_path = get_absolute_path(by_path)
-        if not _is_path_to_ignore_exists(absolute_path):
-            raise click.ClickException('the provided path to ignore by is not exist')
+        if not is_path_exists(absolute_path):
+            raise click.ClickException('The provided path to ignore by does not exist')
+
         exclusion_type = consts.EXCLUSIONS_BY_PATH_SECTION_NAME
         exclusion_value = get_absolute_path(absolute_path)
-    elif by_package is not None:
-        if scan_type != consts.SCA_SCAN_TYPE:
-            raise click.ClickException('exclude by package is supported only for sca scan type')
+
+    if by_rule:
+        exclusion_type = consts.EXCLUSIONS_BY_RULE_SECTION_NAME
+        exclusion_value = by_rule
+
+    if by_package:
         if not _is_package_pattern_valid(by_package):
             raise click.ClickException('wrong package pattern. should be name@version.')
+
         exclusion_type = consts.EXCLUSIONS_BY_PACKAGE_SECTION_NAME
         exclusion_value = by_package
-    else:
-        exclusion_type = consts.EXCLUSIONS_BY_RULE_SECTION_NAME
-        exclusion_value = by_rule
+
+    if by_cve:
+        exclusion_type = consts.EXCLUSIONS_BY_CVE_SECTION_NAME
+        exclusion_value = by_cve
+
+    if not exclusion_type or not exclusion_value:
+        # should never happen
+        raise click.ClickException('Invalid ignore by type')
 
     configuration_scope = 'global' if is_global else 'local'
     logger.debug(

{cycode-2.1.2.dev1 → cycode-2.2.1.dev1}/cycode/cli/commands/main_cli.py

@@ -3,6 +3,7 @@ from typing import Optional
 
 import click
 
+from cycode import __version__
 from cycode.cli.commands.ai_remediation.ai_remediation_command import ai_remediation_command
 from cycode.cli.commands.auth.auth_command import auth_command
 from cycode.cli.commands.configure.configure_command import configure_command
@@ -10,6 +11,7 @@ from cycode.cli.commands.ignore.ignore_command import ignore_command
 from cycode.cli.commands.report.report_command import report_command
 from cycode.cli.commands.scan.scan_command import scan_command
 from cycode.cli.commands.status.status_command import status_command
+from cycode.cli.commands.version.version_checker import version_checker
 from cycode.cli.commands.version.version_command import version_command
 from cycode.cli.consts import (
     CLI_CONTEXT_SETTINGS,
@@ -48,6 +50,12 @@ from cycode.cyclient.models import UserAgentOptionScheme
     default=False,
     help='Do not show the progress meter.',
 )
+@click.option(
+    '--no-update-notifier',
+    is_flag=True,
+    default=False,
+    help='Do not check CLI for updates.',
+)
 @click.option(
     '--output',
     '-o',
@@ -63,7 +71,12 @@ from cycode.cyclient.models import UserAgentOptionScheme
 )
 @click.pass_context
 def main_cli(
-    context: click.Context, verbose: bool, no_progress_meter: bool, output: str, user_agent: Optional[str]
+    context: click.Context,
+    verbose: bool,
+    no_progress_meter: bool,
+    no_update_notifier: bool,
+    output: str,
+    user_agent: Optional[str],
 ) -> None:
     init_sentry()
     add_breadcrumb('cycode')
@@ -85,3 +98,20 @@ def main_cli(
     if user_agent:
         user_agent_option = UserAgentOptionScheme().loads(user_agent)
         CycodeClientBase.enrich_user_agent(user_agent_option.user_agent_suffix)
+
+    if not no_update_notifier:
+        context.call_on_close(lambda: check_latest_version_on_close())
+
+
+@click.pass_context
+def check_latest_version_on_close(context: click.Context) -> None:
+    output = context.obj.get('output')
+    # don't print anything if the output is JSON
+    if output == 'json':
+        return
+
+    # we always want to check the latest version for "version" and "status" commands
+    should_use_cache = context.invoked_subcommand not in {'version', 'status'}
+    version_checker.check_and_notify_update(
+        current_version=__version__, use_color=context.color, use_cache=should_use_cache
+    )

{cycode-2.1.2.dev1 → cycode-2.2.1.dev1}/cycode/cli/commands/scan/code_scanner.py

@@ -764,58 +764,68 @@ def _exclude_detections_by_exclusions_configuration(detections: List[Detection],
 
 
 def _should_exclude_detection(detection: Detection, exclusions: Dict) -> bool:
+    # FIXME(MarshalX): what the difference between by_value and by_sha?
     exclusions_by_value = exclusions.get(consts.EXCLUSIONS_BY_VALUE_SECTION_NAME, [])
     if _is_detection_sha_configured_in_exclusions(detection, exclusions_by_value):
         logger.debug(
-            'Going to ignore violations because they are on the values-to-ignore list, %s',
-            {'value_sha': detection.detection_details.get('sha512', '')},
+            'Ignoring violation because its value is on the ignore list, %s',
+            {'value_sha': detection.detection_details.get('sha512')},
         )
         return True
 
     exclusions_by_sha = exclusions.get(consts.EXCLUSIONS_BY_SHA_SECTION_NAME, [])
     if _is_detection_sha_configured_in_exclusions(detection, exclusions_by_sha):
         logger.debug(
-            'Going to ignore violations because they are on the SHA ignore list, %s',
-            {'sha': detection.detection_details.get('sha512', '')},
+            'Ignoring violation because its SHA value is on the ignore list, %s',
+            {'sha': detection.detection_details.get('sha512')},
         )
         return True
 
     exclusions_by_rule = exclusions.get(consts.EXCLUSIONS_BY_RULE_SECTION_NAME, [])
-    if exclusions_by_rule:
-        detection_rule = detection.detection_rule_id
-        if detection_rule in exclusions_by_rule:
-            logger.debug(
-                'Going to ignore violations because they are on the Rule ID ignore list, %s',
-                {'detection_rule': detection_rule},
-            )
-            return True
+    detection_rule_id = detection.detection_rule_id
+    if detection_rule_id in exclusions_by_rule:
+        logger.debug(
+            'Ignoring violation because its Detection Rule ID is on the ignore list, %s',
+            {'detection_rule_id': detection_rule_id},
+        )
+        return True
 
     exclusions_by_package = exclusions.get(consts.EXCLUSIONS_BY_PACKAGE_SECTION_NAME, [])
-    if exclusions_by_package:
-        package = _get_package_name(detection)
-        if package in exclusions_by_package:
-            logger.debug(
-                'Going to ignore violations because they are on the packages-to-ignore list, %s', {'package': package}
-            )
-            return True
+    package = _get_package_name(detection)
+    if package and package in exclusions_by_package:
+        logger.debug('Ignoring violation because its package@version is on the ignore list, %s', {'package': package})
+        return True
+
+    exclusions_by_cve = exclusions.get(consts.EXCLUSIONS_BY_CVE_SECTION_NAME, [])
+    cve = _get_cve_identifier(detection)
+    if cve and cve in exclusions_by_cve:
+        logger.debug('Ignoring violation because its CVE is on the ignore list, %s', {'cve': cve})
+        return True
 
     return False
 
 
 def _is_detection_sha_configured_in_exclusions(detection: Detection, exclusions: List[str]) -> bool:
-    detection_sha = detection.detection_details.get('sha512', '')
+    detection_sha = detection.detection_details.get('sha512')
     return detection_sha in exclusions
 
 
-def _get_package_name(detection: Detection) -> str:
-    package_name = detection.detection_details.get('vulnerable_component', '')
-    package_version = detection.detection_details.get('vulnerable_component_version', '')
+def _get_package_name(detection: Detection) -> Optional[str]:
+    package_name = detection.detection_details.get('vulnerable_component')
+    package_version = detection.detection_details.get('vulnerable_component_version')
+
+    if package_name is None:
+        package_name = detection.detection_details.get('package_name')
+        package_version = detection.detection_details.get('package_version')
+
+    if package_name and package_version:
+        return f'{package_name}@{package_version}'
+
+    return None
 
-    if package_name == '':
-        package_name = detection.detection_details.get('package_name', '')
-        package_version = detection.detection_details.get('package_version', '')
 
-    return f'{package_name}@{package_version}'
+def _get_cve_identifier(detection: Detection) -> Optional[str]:
+    return detection.detection_details.get('alert', {}).get('cve_identifier')
 
 
 def _get_document_by_file_name(

cycode-2.2.1.dev1/cycode/cli/commands/version/version_checker.py

@@ -0,0 +1,209 @@
+import os
+import re
+import time
+from pathlib import Path
+from typing import List, Optional, Tuple
+
+import click
+
+from cycode.cli.user_settings.configuration_manager import ConfigurationManager
+from cycode.cli.utils.path_utils import get_file_content
+from cycode.cyclient.cycode_client_base import CycodeClientBase
+
+
+def _compare_versions(
+    current_parts: List[int],
+    latest_parts: List[int],
+    current_is_pre: bool,
+    latest_is_pre: bool,
+    latest_version: str,
+) -> Optional[str]:
+    """Compare version numbers and determine if an update is needed.
+
+    Implements version comparison logic with special handling for pre-release versions:
+    - Won't suggest downgrading from stable to pre-release
+    - Will suggest upgrading from pre-release to stable of the same version
+
+    Args:
+        current_parts: List of numeric version components for the current version
+        latest_parts: List of numeric version components for the latest version
+        current_is_pre: Whether the current version is pre-release
+        latest_is_pre: Whether the latest version is pre-release
+        latest_version: The full latest version string
+
+    Returns:
+        str | None: The latest version string if an update is recommended,
+                   None if no update is needed
+    """
+    # If current is stable and latest is pre-release, don't suggest update
+    if not current_is_pre and latest_is_pre:
+        return None
+
+    # Compare version numbers
+    for current, latest in zip(current_parts, latest_parts):
+        if latest > current:
+            return latest_version
+        if current > latest:
+            return None
+
+    # If all numbers are equal, suggest update if current is pre-release and latest is stable
+    if current_is_pre and not latest_is_pre:
+        return latest_version
+
+    return None
+
+
+class VersionChecker(CycodeClientBase):
+    PYPI_API_URL = 'https://pypi.org/pypi'
+    PYPI_PACKAGE_NAME = 'cycode'
+
+    GIT_CHANGELOG_URL_PREFIX = 'https://github.com/cycodehq/cycode-cli/releases/tag/v'
+
+    DAILY = 24 * 60 * 60  # 24 hours in seconds
+    WEEKLY = DAILY * 7
+
+    def __init__(self) -> None:
+        """Initialize the VersionChecker.
+
+        Sets up the version checker with PyPI API URL and configure the cache file location
+        using the global configuration directory.
+        """
+        super().__init__(self.PYPI_API_URL)
+
+        configuration_manager = ConfigurationManager()
+        config_dir = configuration_manager.global_config_file_manager.get_config_directory_path()
+        self.cache_file = Path(config_dir) / '.version_check'
+
+    def get_latest_version(self) -> Optional[str]:
+        """Fetch the latest version of the package from PyPI.
+
+        Makes an HTTP request to PyPI's JSON API to get the latest version information.
+
+        Returns:
+            str | None: The latest version string if successful, None if the request fails
+                       or the version information is not available.
+        """
+        try:
+            response = self.get(f'{self.PYPI_PACKAGE_NAME}/json')
+            data = response.json()
+            return data.get('info', {}).get('version')
+        except Exception:
+            return None
+
+    @staticmethod
+    def _parse_version(version: str) -> Tuple[List[int], bool]:
+        """Parse version string into components and identify if it's a pre-release.
+
+        Extracts numeric version components and determines if the version is a pre-release
+        by checking for 'dev' in the version string.
+
+        Args:
+            version: The version string to parse (e.g., '1.2.3' or '1.2.3dev4')
+
+        Returns:
+            tuple: A tuple containing:
+                - List[int]: List of numeric version components
+                - bool: True if this is a pre-release version, False otherwise
+        """
+        version_parts = [int(x) for x in re.findall(r'\d+', version)]
+        is_prerelease = 'dev' in version
+
+        return version_parts, is_prerelease
+
+    def _should_check_update(self, is_prerelease: bool) -> bool:
+        """Determine if an update check should be performed based on the last check time.
+
+        Implements a time-based caching mechanism where update checks are performed:
+        - Daily for pre-release versions
+        - Weekly for stable versions
+
+        Args:
+            is_prerelease: Whether the current version is a pre-release
+
+        Returns:
+            bool: True if an update check should be performed, False otherwise
+        """
+        if not os.path.exists(self.cache_file):
+            return True
+
+        file_content = get_file_content(self.cache_file)
+        if file_content is None:
+            return True
+
+        try:
+            last_check = float(file_content.strip())
+        except ValueError:
+            return True
+
+        duration = self.DAILY if is_prerelease else self.WEEKLY
+        return time.time() - last_check >= duration
+
+    def _update_last_check(self) -> None:
+        """Update the timestamp of the last update check.
+
+        Creates the cache directory if it doesn't exist and write the current timestamp
+        to the cache file. Silently handle any IO errors that might occur during the process.
+        """
+        try:
+            os.makedirs(os.path.dirname(self.cache_file), exist_ok=True)
+            with open(self.cache_file, 'w', encoding='UTF-8') as f:
+                f.write(str(time.time()))
+        except IOError:
+            pass
+
+    def check_for_update(self, current_version: str, use_cache: bool = True) -> Optional[str]:
+        """Check if an update is available for the current version.
+
+        Respects the update check frequency (daily/weekly) based on the version type
+
+        Args:
+            current_version: The current version string of the CLI
+            use_cache: If True, use the cached timestamp to determine if an update check is needed
+
+        Returns:
+            str | None: The latest version string if an update is recommended,
+                       None if no update is needed or if check should be skipped
+        """
+        current_parts, current_is_pre = self._parse_version(current_version)
+
+        # Check if we should perform the update check based on frequency
+        if use_cache and not self._should_check_update(current_is_pre):
+            return None
+
+        latest_version = self.get_latest_version()
+        if not latest_version:
+            return None
+
+        # Update the last check timestamp
+        use_cache and self._update_last_check()
+
+        latest_parts, latest_is_pre = self._parse_version(latest_version)
+        return _compare_versions(current_parts, latest_parts, current_is_pre, latest_is_pre, latest_version)
+
+    def check_and_notify_update(self, current_version: str, use_color: bool = True, use_cache: bool = True) -> None:
+        """Check for updates and display a notification if a new version is available.
+
+        Performs the version check and displays a formatted message with update instructions
+        if a newer version is available. The message includes:
+        - Current and new version numbers
+        - Link to the changelog
+        - Command to perform the update
+
+        Args:
+            current_version: Current version of the CLI
+            use_color: If True, use colored output in the terminal
+            use_cache: If True, use the cached timestamp to determine if an update check is needed
+        """
+        latest_version = self.check_for_update(current_version, use_cache)
+        should_update = bool(latest_version)
+        if should_update:
+            update_message = (
+                '\nNew version of cycode available! '
+                f"{click.style(current_version, fg='yellow')} → {click.style(latest_version, fg='bright_blue')}\n"
+                f"Changelog: {click.style(f'{self.GIT_CHANGELOG_URL_PREFIX}{latest_version}', fg='bright_blue')}\n"
+                f"Run {click.style('pip install --upgrade cycode', fg='green')} to update\n"
+            )
+            click.echo(update_message, color=use_color)
+
+
+version_checker = VersionChecker()

{cycode-2.1.2.dev1 → cycode-2.2.1.dev1}/cycode/cli/consts.py

@@ -131,6 +131,7 @@ EXCLUSIONS_BY_SHA_SECTION_NAME = 'shas'
 EXCLUSIONS_BY_PATH_SECTION_NAME = 'paths'
 EXCLUSIONS_BY_RULE_SECTION_NAME = 'rules'
 EXCLUSIONS_BY_PACKAGE_SECTION_NAME = 'packages'
+EXCLUSIONS_BY_CVE_SECTION_NAME = 'cves'
 
 # 5MB in bytes (in decimal)
 FILE_MAX_SIZE_LIMIT_IN_BYTES = 5000000

{cycode-2.1.2.dev1 → cycode-2.2.1.dev1}/cycode/cli/files_collector/walk_ignore.py

@@ -24,7 +24,8 @@ def _walk_to_top(path: str) -> Iterable[str]:
 
 def _collect_top_level_ignore_files(path: str) -> List[str]:
     ignore_files = []
-    for dir_path in _walk_to_top(path):
+    top_paths = reversed(list(_walk_to_top(path)))  # we must reverse it to make top levels more prioritized
+    for dir_path in top_paths:
         for ignore_file in _SUPPORTED_IGNORE_PATTERN_FILES:
             ignore_file_path = os.path.join(dir_path, ignore_file)
             if os.path.exists(ignore_file_path):

{cycode-2.1.2.dev1 → cycode-2.2.1.dev1}/cycode/cli/user_settings/configuration_manager.py

@@ -79,7 +79,8 @@ class ConfigurationManager:
         config_file_manager = self.get_config_file_manager(scope)
         config_file_manager.add_exclusion(scan_type, exclusion_type, value)
 
-    def _merge_exclusions(self, local_exclusions: Dict, global_exclusions: Dict) -> Dict:
+    @staticmethod
+    def _merge_exclusions(local_exclusions: Dict, global_exclusions: Dict) -> Dict:
         keys = set(list(local_exclusions.keys()) + list(global_exclusions.keys()))
         return {key: local_exclusions.get(key, []) + global_exclusions.get(key, []) for key in keys}
 

{cycode-2.1.2.dev1 → cycode-2.2.1.dev1}/cycode/cli/utils/ignore_utils.py

@@ -396,12 +396,10 @@ class IgnoreFilterManager:
 
             # decrease recursion depth of os.walk() by ignoring subdirectories because of topdown=True
             # slicing ([:]) is mandatory to change dict in-place!
-            dirnames[:] = [
-                dirname for dirname in dirnames if not self.is_ignored(os.path.join(rel_dirpath, dirname, ''))
-            ]
+            dirnames[:] = [d for d in dirnames if not self.is_ignored(os.path.join(rel_dirpath, d))]
 
             # remove ignored files
-            filenames = [os.path.basename(f) for f in filenames if not self.is_ignored(os.path.join(rel_dirpath, f))]
+            filenames = [f for f in filenames if not self.is_ignored(os.path.join(rel_dirpath, f))]
 
             yield dirpath, dirnames, filenames
 

{cycode-2.1.2.dev1 → cycode-2.2.1.dev1}/cycode/cli/utils/path_utils.py

@@ -1,13 +1,16 @@
 import json
 import os
 from functools import lru_cache
-from typing import AnyStr, List, Optional
+from typing import TYPE_CHECKING, AnyStr, List, Optional, Union
 
 import click
 from binaryornot.helpers import is_binary_string
 
 from cycode.cyclient import logger
 
+if TYPE_CHECKING:
+    from os import PathLike
+
 
 @lru_cache(maxsize=None)
 def is_sub_path(path: str, sub_path: str) -> bool:
@@ -73,7 +76,7 @@ def join_paths(path: str, filename: str) -> str:
     return os.path.join(path, filename)
 
 
-def get_file_content(file_path: str) -> Optional[AnyStr]:
+def get_file_content(file_path: Union[str, 'PathLike']) -> Optional[AnyStr]:
     try:
         with open(file_path, 'r', encoding='UTF-8') as f:
             return f.read()

{cycode-2.1.2.dev1 → cycode-2.2.1.dev1}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "cycode"
-version = "2.1.2.dev1" # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
+version = "2.2.1.dev1" # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
 description = "Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning."
 keywords=["secret-scan", "cycode", "devops", "token", "secret", "security", "cycode", "code"]
 authors = ["Cycode <support@cycode.com>"]

cycode-2.1.2.dev1/cycode/__init__.py

@@ -1 +0,0 @@
-__version__ = '2.1.2.dev1'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag