Merge branch 'main' into CM-58022-cycode-guardrails-support-cursor-scan-via-hooks

Author: Ilanlido

cycode/cli/apps/report/sbom/repository_url/repository_url_command.py

@@ -8,6 +8,10 @@
 from cycode.cli.utils.get_api_client import get_report_cycode_client
 from cycode.cli.utils.progress_bar import SbomReportProgressBarSection
 from cycode.cli.utils.sentry import add_breadcrumb
+from cycode.cli.utils.url_utils import sanitize_repository_url
+from cycode.logger import get_logger
+
+logger = get_logger('Repository URL Command')
 
 
 def repository_url_command(
@@ -28,8 +32,13 @@ def repository_url_command(
     start_scan_time = time.time()
     report_execution_id = -1
 
+    # Sanitize repository URL to remove any embedded credentials/tokens before sending to API
+    sanitized_uri = sanitize_repository_url(uri)
+    if sanitized_uri != uri:
+        logger.debug('Sanitized repository URL to remove credentials')
+
     try:
-        report_execution = client.request_sbom_report_execution(report_parameters, repository_url=uri)
+        report_execution = client.request_sbom_report_execution(report_parameters, repository_url=sanitized_uri)
         report_execution_id = report_execution.id
 
         create_sbom_report(progress_bar, client, report_execution_id, output_file, output_format)

cycode/cli/apps/scan/code_scanner.py

@@ -1,3 +1,4 @@
+import os
 import time
 from platform import platform
 from typing import TYPE_CHECKING, Callable, Optional
@@ -21,6 +22,7 @@
 from cycode.cli.files_collector.sca.sca_file_collector import add_sca_dependencies_tree_documents_if_needed
 from cycode.cli.files_collector.zip_documents import zip_documents
 from cycode.cli.models import CliError, Document, LocalScanResult
+from cycode.cli.utils.path_utils import get_absolute_path, get_path_by_os
 from cycode.cli.utils.progress_bar import ScanProgressBarSection
 from cycode.cli.utils.scan_batch import run_parallel_batched_scan
 from cycode.cli.utils.scan_utils import (
@@ -53,6 +55,21 @@ def scan_disk_files(ctx: typer.Context, paths: tuple[str, ...]) -> None:
             paths,
             is_cycodeignore_allowed=is_cycodeignore_allowed_by_scan_config(ctx),
         )
+
+        # Add entrypoint.cycode file at root path to mark the scan root (only for single path that is a directory)
+        if len(paths) == 1:
+            root_path = paths[0]
+            absolute_root_path = get_absolute_path(root_path)
+            if os.path.isdir(absolute_root_path):
+                entrypoint_path = get_path_by_os(os.path.join(absolute_root_path, consts.CYCODE_ENTRYPOINT_FILENAME))
+                entrypoint_document = Document(
+                    entrypoint_path,
+                    '',  # Empty file content
+                    is_git_diff_format=False,
+                    absolute_path=entrypoint_path,
+                )
+                documents.append(entrypoint_document)
+
         add_sca_dependencies_tree_documents_if_needed(ctx, scan_type, documents)
         scan_documents(ctx, documents, get_scan_parameters(ctx, paths))
     except Exception as e:

cycode/cli/apps/scan/remote_url_resolver.py

@@ -3,6 +3,7 @@
 from cycode.cli import consts
 from cycode.cli.utils.git_proxy import git_proxy
 from cycode.cli.utils.shell_executor import shell
+from cycode.cli.utils.url_utils import sanitize_repository_url
 from cycode.logger import get_logger
 
 logger = get_logger('Remote URL Resolver')
@@ -102,7 +103,11 @@ def _try_get_git_remote_url(path: str) -> Optional[str]:
         repo = git_proxy.get_repo(path, search_parent_directories=True)
         remote_url = repo.remotes[0].config_reader.get('url')
         logger.debug('Found Git remote URL, %s', {'remote_url': remote_url, 'repo_path': repo.working_dir})
-        return remote_url
+        # Sanitize URL to remove any embedded credentials/tokens before returning
+        sanitized_url = sanitize_repository_url(remote_url)
+        if sanitized_url != remote_url:
+            logger.debug('Sanitized repository URL to remove credentials')
+        return sanitized_url
     except Exception as e:
         logger.debug('Failed to get Git remote URL. Probably not a Git repository', exc_info=e)
         return None
@@ -124,7 +129,9 @@ def get_remote_url_scan_parameter(paths: tuple[str, ...]) -> Optional[str]:
         #  - len(paths)*2 Plastic SCM subprocess calls
         remote_url = _try_get_any_remote_url(path)
         if remote_url:
-            remote_urls.add(remote_url)
+            # URLs are already sanitized in _try_get_git_remote_url, but sanitize again as safety measure
+            sanitized_url = sanitize_repository_url(remote_url)
+            remote_urls.add(sanitized_url)
 
     if len(remote_urls) == 1:
         # we are resolving remote_url only if all paths belong to the same repo (identical remote URLs),

cycode/cli/consts.py

@@ -18,6 +18,7 @@
 IAC_SCAN_SUPPORTED_FILE_PREFIXES = ('dockerfile', 'containerfile')
 
 CYCODEIGNORE_FILENAME = '.cycodeignore'
+CYCODE_ENTRYPOINT_FILENAME = 'entrypoint.cycode'
 
 SECRET_SCAN_FILE_EXTENSIONS_TO_IGNORE = (
     '.DS_Store',
@@ -269,6 +270,7 @@
 
 # git consts
 COMMIT_DIFF_DELETED_FILE_CHANGE_TYPE = 'D'
+COMMIT_RANGE_ALL_COMMITS = '--all'
 GIT_HEAD_COMMIT_REV = 'HEAD'
 GIT_EMPTY_TREE_OBJECT = '4b825dc642cb6eb9a060e54bf8d69288fbee4904'
 EMPTY_COMMIT_SHA = '0000000000000000000000000000000000000000'

cycode/cli/files_collector/commit_range_documents.py

@@ -351,10 +351,10 @@ def calculate_pre_push_commit_range(push_update_details: str) -> Optional[str]:
                 return f'{merge_base}..{local_object_name}'
 
             logger.debug('Failed to find merge base with any default branch')
-            return '--all'
+            return consts.COMMIT_RANGE_ALL_COMMITS
         except Exception as e:
             logger.debug('Failed to get repo for pre-push commit range calculation: %s', exc_info=e)
-            return '--all'
+            return consts.COMMIT_RANGE_ALL_COMMITS
 
     # If deleting a branch (local_object_name is all zeros), no need to scan
     if local_object_name == consts.EMPTY_COMMIT_SHA:
@@ -448,9 +448,25 @@ def parse_commit_range(commit_range: str, path: str) -> tuple[Optional[str], Opt
     - 'commit' (interpreted as 'commit..HEAD')
     - '..to' (interpreted as 'HEAD..to')
     - 'from..' (interpreted as 'from..HEAD')
+    - '--all' (interpreted as 'first_commit..HEAD' to scan all commits)
     """
     repo = git_proxy.get_repo(path)
 
+    # Handle '--all' special case: scan all commits from first to HEAD
+    # Usually represents an empty remote repository
+    if commit_range == consts.COMMIT_RANGE_ALL_COMMITS:
+        try:
+            head_commit = repo.rev_parse(consts.GIT_HEAD_COMMIT_REV).hexsha
+            all_commits = repo.git.rev_list('--reverse', head_commit).strip()
+            if all_commits:
+                first_commit = all_commits.splitlines()[0]
+                return first_commit, head_commit, '..'
+            logger.warning("No commits found for range '%s'", commit_range)
+            return None, None, None
+        except Exception as e:
+            logger.warning("Failed to parse commit range '%s'", commit_range, exc_info=e)
+            return None, None, None
+
     separator = '..'
     if '...' in commit_range:
         from_spec, to_spec = commit_range.split('...', 1)

cycode/cli/files_collector/models/in_memory_zip.py

@@ -26,7 +26,11 @@ def append(self, filename: str, unique_id: Optional[str], content: str) -> None:
         if unique_id:
             filename = concat_unique_id(filename, unique_id)
 
-        self.zip.writestr(filename, content)
+        # Encode content to bytes with error handling to handle surrogate characters
+        # that cannot be encoded to UTF-8. Use 'replace' to replace invalid characters
+        # with the Unicode replacement character (U+FFFD).
+        content_bytes = content.encode('utf-8', errors='replace')
+        self.zip.writestr(filename, content_bytes)
 
     def close(self) -> None:
         self.zip.close()

cycode/cli/files_collector/sca/maven/restore_maven_dependencies.py

@@ -24,7 +24,7 @@ def is_project(self, document: Document) -> bool:
         return path.basename(document.path).split('/')[-1] == BUILD_MAVEN_FILE_NAME
 
     def get_commands(self, manifest_file_path: str) -> list[list[str]]:
-        command = ['mvn', 'org.cyclonedx:cyclonedx-maven-plugin:2.7.4:makeAggregateBom', '-f', manifest_file_path]
+        command = ['mvn', 'org.cyclonedx:cyclonedx-maven-plugin:2.9.1:makeAggregateBom', '-f', manifest_file_path]
 
         maven_settings_file = self.ctx.obj.get('maven_settings_file')
         if maven_settings_file:

cycode/cli/printers/tables/table_printer.py

@@ -8,7 +8,7 @@
 from cycode.cli.printers.tables.table_printer_base import TablePrinterBase
 from cycode.cli.printers.utils import is_git_diff_based_scan
 from cycode.cli.printers.utils.detection_ordering.common_ordering import sort_and_group_detections_from_scan_result
-from cycode.cli.utils.string_utils import get_position_in_line, obfuscate_text
+from cycode.cli.utils.string_utils import get_position_in_line, obfuscate_text, sanitize_text_for_encoding
 
 if TYPE_CHECKING:
     from cycode.cli.models import LocalScanResult
@@ -96,6 +96,8 @@ def _enrich_table_with_detection_code_segment_values(
             if not self.show_secret:
                 violation = obfuscate_text(violation)
 
+        violation = sanitize_text_for_encoding(violation)
+
         table.add_cell(LINE_NUMBER_COLUMN, str(detection_line))
         table.add_cell(COLUMN_NUMBER_COLUMN, str(detection_column))
         table.add_cell(VIOLATION_LENGTH_COLUMN, f'{violation_length} chars')

cycode/cli/printers/utils/code_snippet_syntax.py

@@ -5,7 +5,7 @@
 from cycode.cli import consts
 from cycode.cli.console import _SYNTAX_HIGHLIGHT_THEME
 from cycode.cli.printers.utils import is_git_diff_based_scan
-from cycode.cli.utils.string_utils import get_position_in_line, obfuscate_text
+from cycode.cli.utils.string_utils import get_position_in_line, obfuscate_text, sanitize_text_for_encoding
 
 if TYPE_CHECKING:
     from cycode.cli.models import Document
@@ -72,6 +72,7 @@ def _get_code_snippet_syntax_from_file(
             code_lines_to_render.append(line_content)
 
     code_to_render = '\n'.join(code_lines_to_render)
+    code_to_render = sanitize_text_for_encoding(code_to_render)
     return _get_syntax_highlighted_code(
         code=code_to_render,
         lexer=Syntax.guess_lexer(document.path, code=code_to_render),
@@ -94,6 +95,7 @@ def _get_code_snippet_syntax_from_git_diff(
         violation = line_content[detection_position_in_line : detection_position_in_line + violation_length]
         line_content = line_content.replace(violation, obfuscate_text(violation))
 
+    line_content = sanitize_text_for_encoding(line_content)
     return _get_syntax_highlighted_code(
         code=line_content,
         lexer='diff',

cycode/cli/printers/utils/rich_helpers.py

@@ -5,6 +5,7 @@
 from rich.panel import Panel
 
 from cycode.cli.console import console
+from cycode.cli.utils.string_utils import sanitize_text_for_encoding
 
 if TYPE_CHECKING:
     from rich.console import RenderableType
@@ -20,8 +21,9 @@ def get_panel(renderable: 'RenderableType', title: str) -> Panel:
 
 
 def get_markdown_panel(markdown_text: str, title: str) -> Panel:
+    sanitized_text = sanitize_text_for_encoding(markdown_text.strip())
     return get_panel(
-        Markdown(markdown_text.strip()),
+        Markdown(sanitized_text),
         title=title,
     )