cycode 3.2.2.dev1__tar.gz → 3.2.2.dev3__tar.gz

{cycode-3.2.2.dev1 → cycode-3.2.2.dev3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cycode
-Version: 3.2.2.dev1
+Version: 3.2.2.dev3
 Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
 Home-page: https://github.com/cycodehq/cycode-cli
 License: MIT
@@ -582,18 +582,19 @@ This information can be helpful when:
 
 The Cycode CLI application offers several types of scans so that you can choose the option that best fits your case. The following are the current options and commands available:
 
-| Option                                                     | Description                                                                                                            |
-|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|
-| `-t, --scan-type [secret\|iac\|sca\|sast]`                 | Specify the scan you wish to execute (`secret`/`iac`/`sca`/`sast`), the default is `secret`.                           |
-| `--show-secret BOOLEAN`                                    | Show secrets in plain text. See [Show/Hide Secrets](#showhide-secrets) section for more details.                       |
-| `--soft-fail BOOLEAN`                                      | Run scan without failing, always return a non-error status code. See [Soft Fail](#soft-fail) section for more details. |
-| `--severity-threshold [INFO\|LOW\|MEDIUM\|HIGH\|CRITICAL]` | Show only violations at the specified level or higher.                                                                 |
-| `--sca-scan`                                               | Specify the SCA scan you wish to execute (`package-vulnerabilities`/`license-compliance`). The default is both.        |
-| `--monitor`                                                | When specified, the scan results will be recorded in Cycode.                                                           |
-| `--cycode-report`                                          | Display a link to the scan report in the Cycode platform in the console output.                                        |
-| `--no-restore`                                             | When specified, Cycode will not run the restore command. This will scan direct dependencies ONLY!                      |
-| `--gradle-all-sub-projects`                                | Run gradle restore command for all sub projects. This should be run from the project root directory ONLY!              |
-| `--help`                                                   | Show options for given command.                                                                                        |
+| Option                                                     | Description                                                                                                                      |
+|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|
+| `-t, --scan-type [secret\|iac\|sca\|sast]`                 | Specify the scan you wish to execute (`secret`/`iac`/`sca`/`sast`), the default is `secret`.                                     |
+| `--show-secret BOOLEAN`                                    | Show secrets in plain text. See [Show/Hide Secrets](#showhide-secrets) section for more details.                                 |
+| `--soft-fail BOOLEAN`                                      | Run scan without failing, always return a non-error status code. See [Soft Fail](#soft-fail) section for more details.           |
+| `--severity-threshold [INFO\|LOW\|MEDIUM\|HIGH\|CRITICAL]` | Show only violations at the specified level or higher.                                                                           |
+| `--sca-scan`                                               | Specify the SCA scan you wish to execute (`package-vulnerabilities`/`license-compliance`). The default is both.                  |
+| `--monitor`                                                | When specified, the scan results will be recorded in Cycode.                                                                     |
+| `--cycode-report`                                          | Display a link to the scan report in the Cycode platform in the console output.                                                  |
+| `--no-restore`                                             | When specified, Cycode will not run the restore command. This will scan direct dependencies ONLY!                                |
+| `--gradle-all-sub-projects`                                | Run gradle restore command for all sub projects. This should be run from                                                         |
+| `--maven-settings-file`                                    | For Maven only, allows using a custom [settings.xml](https://maven.apache.org/settings.html) file when scanning for dependencies |
+| `--help`                                                   | Show options for given command.                                                                                                  |
 
 | Command                                | Description                                                     |
 |----------------------------------------|-----------------------------------------------------------------|

{cycode-3.2.2.dev1 → cycode-3.2.2.dev3}/README.md

@@ -538,18 +538,19 @@ This information can be helpful when:
 
 The Cycode CLI application offers several types of scans so that you can choose the option that best fits your case. The following are the current options and commands available:
 
-| Option                                                     | Description                                                                                                            |
-|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|
-| `-t, --scan-type [secret\|iac\|sca\|sast]`                 | Specify the scan you wish to execute (`secret`/`iac`/`sca`/`sast`), the default is `secret`.                           |
-| `--show-secret BOOLEAN`                                    | Show secrets in plain text. See [Show/Hide Secrets](#showhide-secrets) section for more details.                       |
-| `--soft-fail BOOLEAN`                                      | Run scan without failing, always return a non-error status code. See [Soft Fail](#soft-fail) section for more details. |
-| `--severity-threshold [INFO\|LOW\|MEDIUM\|HIGH\|CRITICAL]` | Show only violations at the specified level or higher.                                                                 |
-| `--sca-scan`                                               | Specify the SCA scan you wish to execute (`package-vulnerabilities`/`license-compliance`). The default is both.        |
-| `--monitor`                                                | When specified, the scan results will be recorded in Cycode.                                                           |
-| `--cycode-report`                                          | Display a link to the scan report in the Cycode platform in the console output.                                        |
-| `--no-restore`                                             | When specified, Cycode will not run the restore command. This will scan direct dependencies ONLY!                      |
-| `--gradle-all-sub-projects`                                | Run gradle restore command for all sub projects. This should be run from the project root directory ONLY!              |
-| `--help`                                                   | Show options for given command.                                                                                        |
+| Option                                                     | Description                                                                                                                      |
+|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|
+| `-t, --scan-type [secret\|iac\|sca\|sast]`                 | Specify the scan you wish to execute (`secret`/`iac`/`sca`/`sast`), the default is `secret`.                                     |
+| `--show-secret BOOLEAN`                                    | Show secrets in plain text. See [Show/Hide Secrets](#showhide-secrets) section for more details.                                 |
+| `--soft-fail BOOLEAN`                                      | Run scan without failing, always return a non-error status code. See [Soft Fail](#soft-fail) section for more details.           |
+| `--severity-threshold [INFO\|LOW\|MEDIUM\|HIGH\|CRITICAL]` | Show only violations at the specified level or higher.                                                                           |
+| `--sca-scan`                                               | Specify the SCA scan you wish to execute (`package-vulnerabilities`/`license-compliance`). The default is both.                  |
+| `--monitor`                                                | When specified, the scan results will be recorded in Cycode.                                                                     |
+| `--cycode-report`                                          | Display a link to the scan report in the Cycode platform in the console output.                                                  |
+| `--no-restore`                                             | When specified, Cycode will not run the restore command. This will scan direct dependencies ONLY!                                |
+| `--gradle-all-sub-projects`                                | Run gradle restore command for all sub projects. This should be run from                                                         |
+| `--maven-settings-file`                                    | For Maven only, allows using a custom [settings.xml](https://maven.apache.org/settings.html) file when scanning for dependencies |
+| `--help`                                                   | Show options for given command.                                                                                                  |
 
 | Command                                | Description                                                     |
 |----------------------------------------|-----------------------------------------------------------------|

cycode-3.2.2.dev3/cycode/__init__.py

@@ -0,0 +1 @@
+__version__ = '3.2.2.dev3'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag

{cycode-3.2.2.dev1 → cycode-3.2.2.dev3}/cycode/cli/apps/scan/scan_command.py

@@ -88,6 +88,16 @@ def scan_command(
             rich_help_panel=_SCA_RICH_HELP_PANEL,
         ),
     ] = False,
+    maven_settings_file: Annotated[
+        Optional[Path],
+        typer.Option(
+            '--maven-settings-file',
+            show_default=False,
+            help='When specified, Cycode will use this settings.xml file when building the maven dependency tree.',
+            dir_okay=False,
+            rich_help_panel=_SCA_RICH_HELP_PANEL,
+        ),
+    ] = None,
     export_type: Annotated[
         ExportTypeOption,
         typer.Option(
@@ -143,6 +153,7 @@ def scan_command(
     ctx.obj['sync'] = sync
     ctx.obj['severity_threshold'] = severity_threshold
     ctx.obj['monitor'] = monitor
+    ctx.obj['maven_settings_file'] = maven_settings_file
     ctx.obj['report'] = report
 
     scan_client = get_scan_cycode_client(ctx)

{cycode-3.2.2.dev1 → cycode-3.2.2.dev3}/cycode/cli/files_collector/sca/maven/restore_maven_dependencies.py

@@ -24,7 +24,12 @@ class RestoreMavenDependencies(BaseRestoreDependencies):
         return path.basename(document.path).split('/')[-1] == BUILD_MAVEN_FILE_NAME
 
     def get_commands(self, manifest_file_path: str) -> list[list[str]]:
-        return [['mvn', 'org.cyclonedx:cyclonedx-maven-plugin:2.7.4:makeAggregateBom', '-f', manifest_file_path]]
+        command = ['mvn', 'org.cyclonedx:cyclonedx-maven-plugin:2.7.4:makeAggregateBom', '-f', manifest_file_path]
+
+        maven_settings_file = self.ctx.obj.get('maven_settings_file')
+        if maven_settings_file:
+            command += ['-s', str(maven_settings_file)]
+        return [command]
 
     def get_lock_file_name(self) -> str:
         return join_paths('target', MAVEN_CYCLONE_DEP_TREE_FILE_NAME)
@@ -46,7 +51,7 @@ class RestoreMavenDependencies(BaseRestoreDependencies):
 
     def restore_from_secondary_command(self, document: Document, manifest_file_path: str) -> Optional[Document]:
         restore_content = execute_commands(
-            commands=create_secondary_restore_commands(manifest_file_path),
+            commands=self.create_secondary_restore_commands(manifest_file_path),
             timeout=self.command_timeout,
             working_directory=self.get_working_directory(document),
         )
@@ -61,10 +66,8 @@ class RestoreMavenDependencies(BaseRestoreDependencies):
             absolute_path=restore_file_path,
         )
 
-
-def create_secondary_restore_commands(manifest_file_path: str) -> list[list[str]]:
-    return [
-        [
+    def create_secondary_restore_commands(self, manifest_file_path: str) -> list[list[str]]:
+        command = [
             'mvn',
             'dependency:tree',
             '-B',
@@ -73,4 +76,9 @@ def create_secondary_restore_commands(manifest_file_path: str) -> list[list[str]
             manifest_file_path,
             f'-DoutputFile={MAVEN_DEP_TREE_FILE_NAME}',
         ]
-    ]
+
+        maven_settings_file = self.ctx.obj.get('maven_settings_file')
+        if maven_settings_file:
+            command += ['-s', str(maven_settings_file)]
+
+        return [command]

{cycode-3.2.2.dev1 → cycode-3.2.2.dev3}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "cycode"
-version = "3.2.2.dev1" # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
+version = "3.2.2.dev3" # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
 description = "Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning."
 keywords=["secret-scan", "cycode", "devops", "token", "secret", "security", "cycode", "code"]
 authors = ["Cycode <support@cycode.com>"]

cycode-3.2.2.dev1/cycode/__init__.py

@@ -1 +0,0 @@
-__version__ = '3.2.2.dev1'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag