Resolve SCA triage log errors and bump jackson-databind to 2.21.1 (AST-136208)

[cx-atish-jadhav]

Description

This PR fixes SCA triage errors observed in JetBrains logs when opening SCA results from CxOne and upgrades the jackson-databind dependency to a non-vulnerable version.

Previously, the triage show/update functionality used a generic similarity-ID flow. However, SCA requires the use of the --vulnerability-identifiers flag. Due to this mismatch, the CLI returned errors such as:

“Failed showing the predicate. Vulnerabilities are required for SCA triage.”

---

What changed

• Added SCA-specific CLI support in the wrapper:

  • triageScaShow(...)
  • triageScaUpdate(...)

• Introduced a new SCA constant in CxConstants:

  • --vulnerability-identifiers

• Added validation to handle missing or blank SCA vulnerability identifiers.

• Added SCA triage integration coverage in PredicateTest.

---

Dependency update

The Maven build reported a vulnerability in the Java wrapper version 2.4.7, which depends on jackson-databind version 2.16.1 (now known to be vulnerable).

To resolve this and ensure the scan passes successfully, the jackson-databind version has been upgraded to 2.21.1 in the pom.xml of the Java wrapper.

---

Result

• SCA triage now uses the correct CLI contract.
• Noisy SCA triage failure logs are eliminated.
• Existing non-SCA triage behavior remains unchanged.

[cx-ben-alvo]

Checkmarx One – Scan Summary & Details – 5fe17a32-4578-4663-acde-2e26c5c3f5ca

---

New Issues (6)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		ALB Deletion Protection Disabled	/positive1.tf: 15	details Application Load Balancer should have deletion protection enabled
2		ALB Listening on HTTP	/positive1.tf: 9	details AWS Application Load Balancer (alb) should not listen on HTTP
3		ALB Not Dropping Invalid Headers	/positive1.tf: 15	details It's considered a best practice when using Application Load Balancers to drop invalid header fields
4		APT-GET Missing Flags To Avoid Manual Input	/Dockerfile: 5	details Check if apt-get calls use flags to avoid user manual input.
5		IAM Access Analyzer Not Enabled	/positive1.tf: 1	details IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
6		Shield Advanced Not In Use	/positive1.tf: 15	details AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing,...

---

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Cxfa47c4e4-5ef9	Maven-com.fasterxml.jackson.core:jackson-core-2.16.1

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

[cx-anurag-dalke]

ok