
Commit f85ef78

Changes regarding sha verification
1 parent 77ffcef commit f85ef78

3 files changed

Lines changed: 70 additions & 38 deletions


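--- a/.github/workflows/update-cli.yml
+++ b/.github/workflows/update-cli.yml
@@ -40,15 +40,56 @@ jobs:
 run: |
 echo ${{ steps.checkmarx-ast-cli.outputs.release_tag }} > checkmarx-ast-cli.version
 
-# Update the TypeScript file's cliDefaultVersion field
-- name: Update cliDefaultVersion in CxInstaller.ts
+# Download CLI binaries and generate checksums
+- name: Download CLI and generate checksums
 if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag
 env:
-NEW_CLI_VERSION: ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
+RELEASE_TAG: ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
 run: |
-FILE_PATH="src/main/osinstaller/CxInstaller.ts"
-# Ensure that 'cliDefaultVersion' is updated correctly
-sed -i "s/\(cliDefaultVersion = '\)[^']*\(';\)/\1${NEW_CLI_VERSION}\2/" $FILE_PATH
+VERSION=$RELEASE_TAG
+
+# Initialize checksums object
+CHECKSUMS='{}'
+
+# Platform configurations: platform_name,architecture,extension,os_platform
+PLATFORMS=(
+"windows,x64,zip,windows"
+"darwin,x64,tar.gz,darwin"
+"linux,x64,tar.gz,linux"
+"linux,arm64,tar.gz,linux"
+"linux,armv6,tar.gz,linux"
+)
+
+for PLATFORM_CONFIG in "${PLATFORMS[@]}"; do
+IFS=',' read -r OS_TYPE ARCH EXT OS_PLATFORM <<< "$PLATFORM_CONFIG"
+
+KEY="${OS_PLATFORM}_${ARCH}"
+URL="https://download.checkmarx.com/CxOne/CLI/${VERSION}/ast-cli_${VERSION}_${OS_PLATFORM}_${ARCH}.${EXT}"
+
+echo "Downloading checksum for ${KEY} from ${URL}..."
+
+# Download binary
+TEMP_FILE="/tmp/ast-cli_${KEY}.${EXT}"
+if curl -sL -o "$TEMP_FILE" "$URL"; then
+# Calculate SHA-256
+CHECKSUM=$(sha256sum "$TEMP_FILE" | awk '{print $1}')
+echo "✓ ${KEY}: ${CHECKSUM}"
+
+# Update checksums JSON
+CHECKSUMS=$(echo "$CHECKSUMS" | jq --arg key "$KEY" --arg value "$CHECKSUM" '.[$key] = $value')
+
+# Cleanup
+rm -f "$TEMP_FILE"
+else
+echo "✗ Failed to download ${KEY}"
+exit 1
+fi
+done
+
+# Write checksums to file
+echo "$CHECKSUMS" | jq '.' > checkmarx-ast-cli.checksums
+echo "Checksums updated:"
+cat checkmarx-ast-cli.checksums
 
 # Create a Pull Request with the version changes
 - name: Create Pull Request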
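Review bot: The curl call on new line 73 uses `-sL` without `--fail`, so an HTTP error page returned for a missing asset is written to `$TEMP_FILE`, hashed, and recorded as that platform's checksum instead of failing the job; change it to `if curl -sSfL -o "$TEMP_FILE" "$URL"; then`. The recorded hashes are also derived from the workflow's own download, so they pin whatever the download server happened to serve at that moment rather than independently verifying it; if the release publishes a checksum manifest or signature, fetching that and comparing it against the computed hash would give the stored value real provenance. `OS_TYPE` read on line 64 is never used and can be replaced with `_`. The enclosing job continues past this hunk.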

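--- a/src/main/osinstaller/CxInstaller.ts
+++ b/src/main/osinstaller/CxInstaller.ts
@@ -32,16 +32,6 @@ export class CxInstaller {
 linux: { platform: linuxOS, extension: 'tar.gz' }
 };
 
-// Default version and its paired SHA-256 checksums, keyed by "platform_architecture".
-// Update both together when bumping the default CLI version.
-private readonly cliDefaultVersion = '2.3.48';
-private static readonly cliDefaultChecksums: Record<string, string> = {
-'windows_x64': '441ee8df46cc630ae000f8ba73925113aeed8c4d16cf274944aff3e7197e3470',
-'darwin_x64': 'b72f7e4ca14e5e56600b07d22c848a4b85e7c37d2e595424340cc699ea10006b',
-'linux_x64': 'eb3eb55add37f150188f5a8b36b2a659f902ad9569dcb7ee652531fe525022e2',
-'linux_arm64': '7df61689b3c2bbd4c27face5bdc0da97f63e4533229d6b53dd777f90d3904931',
-'linux_armv6': '99659f2e0804b197550efc6a9ddb6029babc980d32bdfeeb508199247ac95878'
-};
 
 constructor(platform: string, client: AstClient) {
 this.platform = platform as SupportedPlatforms;
@@ -50,8 +40,7 @@ export class CxInstaller {
 }
 
 // Returns the CLI version and its platform-specific SHA-256 checksum.
-// Tries the version file and checksums file first; falls back to the
-// hardcoded defaults if the version file is absent or empty.
+// Reads from version and checksums files. Throws CxError if version is absent or version file is empty.
 // Result is cached after the first read.
 async readASTCLIVersion(): Promise<{ version: string; checksum: string | null }> {
 if (this.cliVersion) {
@@ -68,24 +57,23 @@ export class CxInstaller {
 const trimmed = content.trim();
 if (trimmed) version = trimmed;
 } catch {
-// version file absent — fall through to defaults
+// version file absent — will throw error below
 }
 
-let checksum: string | null;
 if (version === null) {
-version = this.cliDefaultVersion;
-checksum = CxInstaller.cliDefaultChecksums[key] ?? null;
-} else {
-try {
-const content = await fsPromises.readFile(this.getChecksumsFilePath(), 'utf-8');
-checksum = (JSON.parse(content) as Record<string, string>)[key] ?? null;
-if (checksum === null) {
-logger.warn(`No checksum found for ${key} in checksums file. Download will not be verified.`);
-}
-} catch {
-logger.warn(`Checksums file not found. Download of version ${version} will not be verified.`);
-checksum = null;
+throw new CxError(`CLI version not found`);
+}
+
+let checksum: string | null;
+try {
+const content = await fsPromises.readFile(this.getChecksumsFilePath(), 'utf-8');
+checksum = (JSON.parse(content) as Record<string, string>)[key] ?? null;
+if (checksum === null) {
+logger.warn(`No checksum found for ${key} in checksums file. Download will not be verified.`);
 }
+} catch {
+logger.warn(`Checksums file not found. Download of version ${version} will not be verified.`);
+checksum = null;
 }
 
 this.cliVersion = version;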
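Review bot: The new code fails closed for a missing version (line 64 throws CxError) but fails open for a missing or incomplete checksums file (lines 71-76 only warn and return `checksum: null`), so a deleted or truncated manifest silently downgrades the install to an unverified download even though this commit exists to add SHA verification; unless unverified downloads are an intended opt-in, both warn branches should throw the same way the version path does, e.g. `throw new CxError(`No checksum for ${key} in ${this.getChecksumsFilePath()}`);`. The `as Record<string, string>` cast on line 70 is unchecked, so a non-string or malformed entry would be handed on as a checksum; a guard such as `typeof value === 'string' && /^[0-9a-f]{64}$/i.test(value)` before assigning would reject a corrupted file. The catch on line 59 also swallows every read error (permissions, I/O) as "version file absent", which neither the comment on line 60 nor the thrown message distinguishes — logging the caught error before throwing would help diagnosis. readASTCLIVersion starts before and ends after this hunk.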

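--- a/src/tests/CxInstallerTest.test.ts
+++ b/src/tests/CxInstallerTest.test.ts
@@ -15,24 +15,27 @@ const cxInstallerWindows = new CxInstaller("win32", astClientInstance);
 
 describe("CxInstaller cases", () => {
 it('CxInstaller getDownloadURL Linux Successful case', async () => {
+const testVersion = '2.3.48';
+jest.spyOn(cxInstallerLinux as any, 'readASTCLIVersion').mockResolvedValue({ version: testVersion, checksum: null });
 const { url } = await cxInstallerLinux.getDownloadURL();
-const { version } = await cxInstallerLinux.readASTCLIVersion();
 const architecture = getArchitecture(cxInstallerLinux.getPlatform());
-expect(url).toBe(`https://download.checkmarx.com/CxOne/CLI/${version}/ast-cli_${version}_linux_${architecture}.tar.gz`);
+expect(url).toBe(`https://download.checkmarx.com/CxOne/CLI/${testVersion}/ast-cli_${testVersion}_linux_${architecture}.tar.gz`);
 });
 
 it('CxInstaller getDownloadURL Mac Successful case', async () => {
+const testVersion = '2.3.48';
+jest.spyOn(cxInstallerMac as any, 'readASTCLIVersion').mockResolvedValue({ version: testVersion, checksum: null });
 const { url } = await cxInstallerMac.getDownloadURL();
-const { version } = await cxInstallerLinux.readASTCLIVersion();
 const architecture = getArchitecture(cxInstallerMac.getPlatform());
-expect(url).toBe(`https://download.checkmarx.com/CxOne/CLI/${version}/ast-cli_${version}_darwin_${architecture}.tar.gz`);
+expect(url).toBe(`https://download.checkmarx.com/CxOne/CLI/${testVersion}/ast-cli_${testVersion}_darwin_${architecture}.tar.gz`);
 });
 
 it('CxInstaller getDownloadURL Windows Successful case', async () => {
+const testVersion = '2.3.48';
+jest.spyOn(cxInstallerWindows as any, 'readASTCLIVersion').mockResolvedValue({ version: testVersion, checksum: null });
 const { url } = await cxInstallerWindows.getDownloadURL();
-const { version } = await cxInstallerLinux.readASTCLIVersion();
 const architecture = getArchitecture(cxInstallerWindows.getPlatform());
-expect(url).toBe(`https://download.checkmarx.com/CxOne/CLI/${version}/ast-cli_${version}_windows_${architecture}.zip`);
+expect(url).toBe(`https://download.checkmarx.com/CxOne/CLI/${testVersion}/ast-cli_${testVersion}_windows_${architecture}.zip`);
 });
 });
 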
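Review bot: No test exercises the behavior this commit introduces — readASTCLIVersion now throwing CxError when the version file is absent or empty — because all three cases mock readASTCLIVersion away; an added case that stubs the version-file read to reject (and one where it resolves to an empty string) and asserts `await expect(cxInstallerLinux.readASTCLIVersion()).rejects.toThrow(CxError)` would pin it. The `as any` casts on lines 19, 27 and 35 are unnecessary, since readASTCLIVersion is public (the removed lines called it directly); `jest.spyOn(cxInstallerLinux, 'readASTCLIVersion')` keeps the spy typed. The spies are installed on module-level instances and never restored, so they leak into any later test in the file; adding `afterEach(() => jest.restoreAllMocks());` to the describe block would isolate them.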
