diff --git a/.golangci.yml b/.golangci.yml
index 79aab8b7a..a918e83b4 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -19,6 +19,7 @@ linters-settings:
 - github.com/jsumners/go-getport
 - github.com/stretchr/testify/assert
 - github.com/gofrs/flock
+ - github.com/golang-jwt/jwt/v5
 dupl:
 threshold: 500
 funlen:
diff --git a/go.mod b/go.mod
index b7614d5cb..cfec4f15d 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/MakeNowJust/heredoc v1.0.0
 	github.com/bouk/monkey v1.0.0
 	github.com/gofrs/flock v0.8.1
-	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/gomarkdown/markdown v0.0.0-20241102151059-6bc1ffdc6e8c
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/google/uuid v1.6.0
diff --git a/go.sum b/go.sum
index 25db92c85..584072056 100644
--- a/go.sum
+++ b/go.sum
@@ -393,8 +393,8 @@ github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14j
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
diff --git a/internal/wrappers/client.go b/internal/wrappers/client.go
index d8fb131d0..65675211f 100644
--- a/internal/wrappers/client.go
+++ b/internal/wrappers/client.go
@@ -15,9 +15,8 @@ import (
 	"time"
 
 	applicationErrors "github.com/checkmarx/ast-cli/internal/constants/errors"
-	"github.com/golang-jwt/jwt"
-
 	"github.com/checkmarx/ast-cli/internal/logger"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 	"github.com/spf13/viper"
 
@@ -733,15 +732,20 @@ func GetURL(path, accessToken string) (string, error) {
 func ExtractFromTokenClaims(accessToken, claim string) (string, error) {
 	var value string
-	token, _, err := new(jwt.Parser).ParseUnverified(accessToken, jwt.MapClaims{})
+
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+
+	token, _, err := parser.ParseUnverified(accessToken, jwt.MapClaims{})
 	if err != nil {
 		return "", errors.Errorf(APIKeyDecodeErrorFormat, err)
 	}
+
 	if claims, ok := token.Claims.(jwt.MapClaims); ok && claims[claim] != nil {
 		value = strings.TrimSpace(claims[claim].(string))
 	} else {
 		return "", errors.Errorf(jwtError, claim)
 	}
+
 	return value, nil
 }
diff --git a/internal/wrappers/codebashing-http.go b/internal/wrappers/codebashing-http.go
index 48ee8be20..d7f295246 100644
--- a/internal/wrappers/codebashing-http.go
+++ b/internal/wrappers/codebashing-http.go
@@ -8,7 +8,7 @@ import (
 	commonParams "github.com/checkmarx/ast-cli/internal/params"
 	"github.com/checkmarx/ast-cli/internal/wrappers/utils"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 	"github.com/spf13/viper"
 )
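Review bot: `claims[claim].(string)` in ExtractFromTokenClaims is still an unchecked type assertion, so a token whose claim is present but not a string (a number, bool or array) panics the CLI instead of returning the existing jwtError; GetCodeBashingURL in codebashing-http.go has the same unchecked `claims[field].(string)`. Replace the branch body with the checked form, `s, ok := claims[claim].(string)` / `if !ok { return "", errors.Errorf(jwtError, claim) }` / `value = strings.TrimSpace(s)`. Separately, `jwt.WithoutClaimsValidation()` has no effect on this call: as far as I can tell from the jwt/v5 parser, that option is consulted only by ParseWithClaims, while ParseUnverified never checks the signature or the registered claims regardless of options, so the new line reads as if validation were being deliberately and safely skipped when the token is in fact not authenticated at all. Either drop the option or state the real reason in a comment such as `// ParseUnverified only decodes the payload to read claims; the token is not authenticated here.`. The same pattern is added in GetCodeBashingURL (codebashing-http.go) and extractFromTokenToJwtStruct (jwt-helper.go).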
@@ -92,11 +92,15 @@ func (r *CodeBashingHTTPWrapper) GetCodeBashingURL(field string) (string, error)
 	if err != nil {
 		return "", errors.Errorf(failedGettingCodeBashingURL)
 	}
-	token, _, err := new(jwt.Parser).ParseUnverified(accessToken, jwt.MapClaims{})
+
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+
+	token, _, err := parser.ParseUnverified(accessToken, jwt.MapClaims{})
 	if err != nil {
 		return "", NewAstError(licenseNotFoundExitCode, errors.Errorf(failedGettingCodeBashingURL))
 	}
-	var url = ""
+
+	var url string
 	if claims, ok := token.Claims.(jwt.MapClaims); ok && claims[field] != nil {
 		url = claims[field].(string)
 	}
diff --git a/internal/wrappers/jwt-helper.go b/internal/wrappers/jwt-helper.go
index a18c3ea70..39d8bc301 100644
--- a/internal/wrappers/jwt-helper.go
+++ b/internal/wrappers/jwt-helper.go
@@ -5,7 +5,7 @@ import (
 
 	commonParams "github.com/checkmarx/ast-cli/internal/params"
 	"github.com/checkmarx/ast-cli/internal/wrappers/utils"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 )
 
@@ -17,7 +17,7 @@ type JWTStruct struct {
 			AllowedEngines []string `json:"allowedEngines"`
 		} `json:"LicenseData"`
 	} `json:"ast-license"`
-	jwt.Claims
+	jwt.RegisteredClaims // Embedding the standard claims
 }
 
 var enabledEngines = []string{"sast", "sca", "api-security", "iac-security", "scs", "containers", "enterprise-secrets"}
@@ -98,7 +98,10 @@ func prepareEngines(engines []string) map[string]bool {
 }
 
 func extractFromTokenToJwtStruct(accessToken string) (*JWTStruct, error) {
-	token, _, err := new(jwt.Parser).ParseUnverified(accessToken, &JWTStruct{})
+	// Create a new Parser instance
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+
+	token, _, err := parser.ParseUnverified(accessToken, &JWTStruct{})
 	if err != nil {
 		return nil, errors.Errorf(APIKeyDecodeErrorFormat, err)
 	}
diff --git a/test/integration/scan_test.go b/test/integration/scan_test.go
index fe9956a9c..99cfa416f 100644
--- a/test/integration/scan_test.go
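Review bot: The trailing comment on `jwt.RegisteredClaims` in JWTStruct says what the line does rather than why it changed, and the why is what the next reader needs: in jwt/v5 the `jwt.Claims` interface is a set of getters (GetExpirationTime, GetIssuer, GetAudience, ...) rather than v3's `Valid()`, so embedding the concrete RegisteredClaims is what keeps `*JWTStruct` acceptable to ParseUnverified, and it additionally decodes the standard `exp`, `nbf`, `iat`, `iss`, `sub`, `aud` and `jti` fields from the token body. Suggest `jwt.RegisteredClaims // satisfies the v5 jwt.Claims getter interface and decodes the standard exp/nbf/iat/iss/sub/aud/jti claims`. It is also worth recording somewhere near the type that, because the token is read with ParseUnverified, the decoded ExpiresAt and NotBefore are never checked by the library, so any caller that treats the license data as authoritative for an unexpired token has to check them itself. The JWTStruct definition starts outside the hunk.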
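Review bot: `// Create a new Parser instance` in extractFromTokenToJwtStruct restates the line below it; a comment here should say why a parser with these options is built, not that one is. With the identical `jwt.NewParser(jwt.WithoutClaimsValidation())` expression now repeated in ExtractFromTokenClaims (client.go), GetCodeBashingURL (codebashing-http.go) and here, all in package wrappers, a single package-level `var unverifiedParser = jwt.NewParser(jwt.WithoutClaimsValidation())` with one doc comment would give the option one home and one explanation. The v5 Parser appears to hold only configuration once constructed, so sharing one value across calls looks safe, but confirm that against the library source before making it package-level. The body of extractFromTokenToJwtStruct continues outside the hunk.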
+++ b/test/integration/scan_test.go
@@ -137,7 +137,7 @@ func TestCreateScan_WithOnlyInvalidApikeyEnvVar_Fail(t *testing.T) {
 	}
 
 	err, _ := executeCommand(t, args...)
-	assert.Error(t, err, "Error validating scan types: Token decoding error: token contains an invalid number of segments")
+	assert.Error(t, err, "Error validating scan types: Token decoding error: token is malformed: token contains an invalid number of segments")
 }
 
 func TestCreateScan_WithOnlyInvalidApikeyFlag_Fail(t *testing.T) {
@@ -162,7 +162,7 @@ func TestCreateScan_WithOnlyInvalidApikeyFlag_Fail(t *testing.T) {
 	}
 
 	err, _ := executeCommand(t, args...)
-	assert.Error(t, err, "Error validating scan types: Token decoding error: token contains an invalid number of segments")
+	assert.Error(t, err, "Error validating scan types: Token decoding error: token is malformed: token contains an invalid number of segments")
 }
 
 func TestCreateScan_WithValidClientCredentialsFlag_Success(t *testing.T) {
@@ -215,7 +215,7 @@ func TestCreateScan_WithInvalidClientCredentialsFlag_Fail(t *testing.T) {
 	}
 
 	err, _ := executeCommand(t, args...)
-	assert.Error(t, err, "Error validating scan types: Token decoding error: token contains an invalid number of segments")
+	assert.Error(t, err, "Error validating scan types: Token decoding error: token is malformed: token contains an invalid number of segments")
 }
 
 func TestCreateScan_WithValidClientCredentialsEnvVars_Success(t *testing.T) {
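Review bot: The three hunks in this file pin the same literal `"Error validating scan types: Token decoding error: token is malformed: token contains an invalid number of segments"`, whose second half is jwt/v5's own wrapping text and will have to be edited three times again on the next library upgrade; declare it once, e.g. `const invalidAPIKeyDecodeErr = "Error validating scan types: Token decoding error: token is malformed: token contains an invalid number of segments"`, and use it in TestCreateScan_WithOnlyInvalidApikeyEnvVar_Fail, TestCreateScan_WithOnlyInvalidApikeyFlag_Fail and TestCreateScan_WithInvalidClientCredentialsFlag_Fail. It is also worth confirming which assert package these tests import: with gotest.tools the third argument is compared against err.Error(), but with testify's assert.Error it is only the failure message and the expected text is never compared, in which case these edits change nothing the tests verify. Each test function starts outside its hunk.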