fix: backfill SCA recommendedVersion from ScanReportJson export #1506

Open

anuragtiwari005 wants to merge 1 commit into Checkmarx:main from anuragtiwari005:fixed-recommended-version

Conversation

@anuragtiwari005 anuragtiwari005 commented Jun 29, 2026

By submitting this pull request, you agree to the terms within the Checkmarx Code of Conduct. Please review the contributing guidelines for guidance on creating high-quality pull requests.

Description

Summary

SCA findings in JSON scan reports (cx_result.json) often have an empty data.recommendedVersion even though the ScanReportJson export already contains a per-CVE fix version (NextFixedVersion).

The CLI already downloads ScanReportJson during result enrichment (ReadResults → enrichScaResults → GetExportPackage) and uses it to populate package metadata (scaPackageData, dependency paths, fixLink). However, recommendedVersion was only passed through from the Results API and was never backfilled from the export.

This change fills data.recommendedVersion from export data when the Results API value is empty, using a {CveName|PackageID} lookup keyed to NextFixedVersion.

Problem

  • recommendedVersion in JSON output comes from the paginated Results API response.
  • For many SCA findings (including transitive dependencies and per-CVE remediation cases), the API returns an empty string.
  • The CLI already fetches ScanReportJson export but previously parsed only a subset of vulnerability fields (Id, Type, IsIgnored, PackageID) and ignored NextFixedVersion.
  • Downstream consumers (CI/CD integrations, SAR/SCA tooling) rely on recommendedVersion for upgrade/remediation guidance.

Solution

  1. Extend export ScaType to parse CveName and NextFixedVersion from ScanReportJson Vulnerabilities.
  2. After existing SCA package enrichment, backfill empty data.recommendedVersion values from export using lookup key {CveName|PackageID} (falls back to Id when CveName is absent).
  3. Do not overwrite non-empty recommendedVersion values returned by the Results API.

Files changed

  • internal/wrappers/export.go — add export vulnerability fields
  • internal/commands/result.go — backfill logic in enrichScaResults
  • internal/commands/result_test.go — unit tests for lookup and backfill behavior

Test plan

  • go test ./internal/commands/ -run 'Test_backfillRecommendedVersionsFromExport|Test_buildScaUpgradeVersionLookup|Test_addPackageInformation'
  • Run cx scan create --report-format json on a repo with SCA findings where Results API returns empty recommendedVersion
  • Verify cx_result.json now contains data.recommendedVersion populated from export where available
  • Verify findings that already had recommendedVersion from the API are unchanged

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Related Issues

Link any related issues or tickets.

Checklist

  • I have performed a self-review of my code
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • Any dependent changes have been merged and published in downstream modules
  • I have updated the CLI help for new/changed functionality in this PR (if applicable)
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used

Screenshots (if applicable)

Add screenshots to help explain your changes.

Additional Notes

Add any other relevant information.
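The lookup-and-backfill behaviour the PR describes (key `{CveName|PackageID}` with a fallback to `Id`, fill only empty `recommendedVersion`, never overwrite API values), written out as a stand-alone Go example added here. This is not the CLI's own code from `internal/commands/result.go` or `internal/wrappers/export.go`; the struct names `ExportVulnerability` and `Finding`, the helper names, and the sample export and Results API records are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ExportVulnerability holds the per-vulnerability fields the PR description
// says are parsed from the ScanReportJson export. The struct and field names
// are assumptions for this example, not the CLI's real wrapper types.
type ExportVulnerability struct {
	ID               string
	CveName          string
	PackageID        string
	NextFixedVersion string
}

// Finding models one SCA result as it would appear under "data" in
// cx_result.json, reduced to the fields the backfill needs (assumed shape).
type Finding struct {
	ID                 string
	CveName            string
	PackageID          string
	RecommendedVersion string
}

// lookupKey builds the "{CveName|PackageID}" key. When CveName is empty it
// falls back to the vulnerability Id, so non-CVE advisories still match.
func lookupKey(cveName, id, packageID string) string {
	name := strings.TrimSpace(cveName)
	if name == "" {
		name = strings.TrimSpace(id)
	}
	return name + "|" + strings.TrimSpace(packageID)
}

// buildUpgradeLookup indexes export vulnerabilities by lookupKey. Entries with
// no NextFixedVersion are skipped so they never produce an empty backfill or
// shadow another entry for the same key; if the same key appears twice, the
// first non-empty fix version wins (a choice made for this example).
func buildUpgradeLookup(vulns []ExportVulnerability) map[string]string {
	lookup := make(map[string]string, len(vulns))
	for _, v := range vulns {
		fix := strings.TrimSpace(v.NextFixedVersion)
		if fix == "" {
			continue
		}
		key := lookupKey(v.CveName, v.ID, v.PackageID)
		if _, seen := lookup[key]; !seen {
			lookup[key] = fix
		}
	}
	return lookup
}

// backfillRecommendedVersions fills only empty RecommendedVersion values from
// the lookup and reports how many findings changed. Values already returned by
// the Results API are never overwritten; findings with no export match stay empty.
func backfillRecommendedVersions(findings []Finding, lookup map[string]string) int {
	updated := 0
	for i := range findings {
		if strings.TrimSpace(findings[i].RecommendedVersion) != "" {
			continue
		}
		key := lookupKey(findings[i].CveName, findings[i].ID, findings[i].PackageID)
		if fix, ok := lookup[key]; ok {
			findings[i].RecommendedVersion = fix
			updated++
		}
	}
	return updated
}

// sampleData returns constructed export and Results API records covering the
// cases the PR calls out: a CVE with a fix version, an advisory with no CveName
// (fallback to Id), an export entry with no fix version, and a finding the API
// already populated. All identifiers and versions here are made up.
func sampleData() ([]ExportVulnerability, []Finding) {
	export := []ExportVulnerability{
		{ID: "CVE-2021-0001", CveName: "CVE-2021-0001", PackageID: "Npm-lodash-4.17.20", NextFixedVersion: "4.17.21"},
		{ID: "Cx-0000-example", CveName: "", PackageID: "Npm-minimist-1.2.5", NextFixedVersion: "1.2.6"},
		{ID: "CVE-2020-0001", CveName: "CVE-2020-0001", PackageID: "Npm-unfixed-1.0.0", NextFixedVersion: ""},
	}
	findings := []Finding{
		{ID: "CVE-2021-0001", CveName: "CVE-2021-0001", PackageID: "Npm-lodash-4.17.20"},
		{ID: "Cx-0000-example", PackageID: "Npm-minimist-1.2.5"},
		{ID: "CVE-2020-0001", CveName: "CVE-2020-0001", PackageID: "Npm-unfixed-1.0.0"},
		{ID: "CVE-2019-0002", CveName: "CVE-2019-0002", PackageID: "Npm-other-2.0.0", RecommendedVersion: "2.0.5"},
	}
	return export, findings
}

func main() {
	export, findings := sampleData()
	lookup := buildUpgradeLookup(export)
	n := backfillRecommendedVersions(findings, lookup)
	fmt.Printf("backfilled %d finding(s)\n", n)
	for _, f := range findings {
		fmt.Printf("%-16s %-22s recommendedVersion=%q\n", f.ID, f.PackageID, f.RecommendedVersion)
	}
}
```

Two details worth checking in a real implementation: the backfill is idempotent (a second pass changes nothing, since every filled value is now non-empty), and export entries whose NextFixedVersion is empty are skipped when the lookup is built, so a finding with no known fix keeps an empty recommendedVersion rather than being overwritten with an empty string from the export.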
