Open
Conversation
Addition pf Composite_key (source_avit_id is similarityId + '_' + SHA256(similarityId + startNodeName + startFileName + endNodeName + endFileName) to Source AVIT Id column of ServiceNow. Jira link: https://checkmarx.atlassian.net/browse/CXSER-983
cx-apoorva-singh
requested review from
cx-prathmesh-borle,
cx-rakesh-kadu and
cx-umesh-waghode
…9e510026f72021153af1b.js removing stale code
cx-rakesh-kadu
requested changes
Mar 30, 2026
| '?resultId=' + encodeURIComponent(sastResultHash); | ||
|
|
||
| var sastScanUrl = ''; | ||
| if (!jsonLastScanReportResp.results[item].data.resultHash.indexOf('/') == -1) { |
There was a problem hiding this comment.
The ! negates indexOf(...) before comparing to -1, so !0 == -1 → false, !5 == -1 → false, and !(-1) == -1 → false as well. This condition is always false — the else branch (/sast) is always taken, making the URL-building logic dead code. The intent was almost certainly.
Contributor
Author
There was a problem hiding this comment.
will update sastVulnerabilityLink creation
| existingCounter = parseInt(avitNew.getValue('dependency_type') || '0', 10); | ||
| existingLinks = avitNew.getValue('source_vulnerability_summary') || ''; | ||
| existingScanSummaryStr = avitNew.getDisplayValue('app_vul_scan_summary') || ''; | ||
| existingStatus = avitNew.getValue('source_remediation_status') || ''; |
There was a problem hiding this comment.
missing var declaration for existingStatus
Contributor
Author
There was a problem hiding this comment.
will remove existingStatus , it is not being used.
| existingCounter = parseInt(avitNew.getValue('dependency_type') || '0', 10); | ||
| existingLinks = avitNew.getValue('source_vulnerability_summary') || ''; | ||
| existingScanSummaryStr = avitNew.getDisplayValue('app_vul_scan_summary') || ''; | ||
| existingStatus = avitNew.getValue('source_remediation_status') || ''; |
There was a problem hiding this comment.
existingStatus is read but never used anywhere in the function body. It's dead code that should either be removed or actually consumed
Contributor
Author
There was a problem hiding this comment.
will remove existingStatus , it is not being used.
| } else { | ||
| var newCounter = existingCounter + 1; | ||
| resultObj['dependency_type'] = '' + newCounter; | ||
| if (linkHtml && existingCounter < 20) { |
There was a problem hiding this comment.
checked against existingCounter (the pre-increment value) but the result uses newCounter. The check should be against newCounter?
Contributor
Author
There was a problem hiding this comment.
Yes, will add check against newCounter.
cx-rakesh-kadu
requested changes
Mar 31, 2026
updated sastVulnerabilityLink creation added null check for compositeLocationHash removed existingStatus , since it not being used line 442 added check for newCounter insted of existingCounter
change has been added to handle closing of record , which has not been migrated with new composite key and belongs to latest scan hence was not handled by existing closure logic.
…9e510026f72021153af1b.js Updated SAST aggregation to use resultHash as the displayed link text in source_vulnerability_summary instead of the full vulnerability URL. Since resultHash is only about 22 characters and keeps the stored HTML well within the field's 8000 character limit, the append cap was increased from 20 to 30 to retain more finding links per AVIT.
cx-rakesh-kadu
approved these changes
Mar 31, 2026
Update CheckmarxOneAVITClosureProcessor.js This change adds handling for closing records that were not migrated to the new composite key and belong to the latest scan. Such records were not covered by the existing closure logic, and this update ensures they are now processed correctly.
… key and aggregation changes.pdf Document to manually apply composite change in version 1.0.34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PR Title
CxOne AVIT Composite Key Implementation & Aggregation Logic
Description
This PR introduces a stable composite key for mapping CxOne SAST findings to ServiceNow AVITs, replacing the previous key based on resultHash. The new key is a SHA256 hash of the finding’s code-flow location, ensuring stability across scans and enabling aggregation of multiple findings into a single AVIT. The implementation also includes logic for migration from old keys, aggregation handling, NOT_EXPLOITABLE closure, and ensures correct closure/update behavior for AVITs. Non-SAST findings (SCA, KICS, Containers, etc.) remain unaffected.
Summary of New Changes
Composite Key: SAST source_avit_id is now computed as similarityId + '_' + SHA256(similarityId + startNodeName + startFileName + endNodeName + endFileName).
Aggregation: Multiple findings with the same composite key are aggregated into one AVIT. The count is stored in dependency_type, and up to 20 deep links are stored in source_vulnerability_summary.
Migration: On first scan after deployment, old-key AVITs are re-keyed to the new composite key, and duplicates are closed.
NOT_EXPLOITABLE Handling: If a finding is marked NOT_EXPLOITABLE, all AVITs sharing the composite key for the project/branch are set to FIXED and closed.
Closure Logic: AVITs are closed if all findings disappear in a scan; remain open if any finding remains.
Non-SAST Findings: SCA, KICS, Containers, etc., continue to use the old key logic.
Max Link Limit: Only 20 links are stored per AVIT for aggregated findings.
Test Cases & Coverage
Composite Key Generation (Covered)
Aggregation Logic (Covered)
Migration from Old Key (Covered)
Counter and Link Reset per Scan (Covered)
Closure Logic (Remaining)
Max Link Limit (Remaining)
Non-SAST Findings (Remaining)
Jira Link : https://checkmarx.atlassian.net/browse/CXSER-983