Merge pull request #160 from contentstack/staging

DX | 06-04-2026 | Release

Author: harshitha-cstk

.github/workflows/sca-scan.yml

@@ -2,25 +2,33 @@ name: Source Composition Analysis Scan
 on:
   pull_request:
     types: [opened, synchronize, reopened]
+
 jobs:
   security-sca:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@master
+
       - name: Setup .NET Core @ Latest
         uses: actions/setup-dotnet@v1
         with:
           dotnet-version: "7.0.x"
+
       - name: Run Dotnet Restore
-        run: |
-          dotnet restore
+        run: dotnet restore
+
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master   # just installs Snyk CLI, no deprecated dotnet action
+
       - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/dotnet@master
+        run: |
+          snyk test \
+            --file=Contentstack.Core/obj/project.assets.json \
+            --fail-on=all \
+            --json-file-output=snyk.json   # ← writes snyk.json to disk
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          args: --file=Contentstack.Core/obj/project.assets.json --fail-on=all
-          json: true
-        continue-on-error: true
+        continue-on-error: true            # ← let pipeline continue even if vulns found
+
       - uses: contentstack/sca-policy@main

.gitignore

@@ -66,3 +66,5 @@ packages/
 *.userosscache
 *.sln.docstates
 
+# Python
+Scripts/venv/

Contentstack.Core.Tests/Contentstack.Core.Tests.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk" ToolsVersion="15.0">
+<Project Sdk="Microsoft.NET.Sdk" ToolsVersion="15.0">
 
   <PropertyGroup>
     <TargetFramework>net7.0</TargetFramework>
@@ -27,6 +27,8 @@
     <DotNetCliToolReference Include="dotnet-reportgenerator-cli" Version="4.2.10" />
     <PackageReference Include="AutoFixture" Version="4.18.1" />
     <PackageReference Include="AutoFixture.AutoMoq" Version="4.18.1" />
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
     <PackageReference Include="Moq" Version="4.20.72" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
   </ItemGroup>

Contentstack.Core.Tests/Helpers/TestDataHelper.cs

@@ -187,16 +187,16 @@ static TestDataHelper()
         /// <summary>
         /// Gets a required configuration value and throws if not found
         /// </summary>
-        /// <param name="key">Configuration key</param>
+        /// <param name="configKey">Configuration key name</param>
         /// <returns>Configuration value</returns>
         /// <exception cref="InvalidOperationException">Thrown when configuration is missing</exception>
-        private static string GetRequiredConfig(string key)
+        private static string GetRequiredConfig(string configKey)
         {
-            var value = ConfigurationManager.AppSettings[key];
+            var value = ConfigurationManager.AppSettings[configKey];
             if (string.IsNullOrEmpty(value))
             {
                 throw new InvalidOperationException(
-                    $"Required configuration '{key}' is missing from app.config. " +
+                    $"Required configuration '{configKey}' is missing from app.config. " +
                     $"Please ensure all required keys are present in the <appSettings> section.");
             }
             return value;
@@ -205,12 +205,12 @@ private static string GetRequiredConfig(string key)
         /// <summary>
         /// Gets an optional configuration value with a default
         /// </summary>
-        /// <param name="key">Configuration key</param>
+        /// <param name="configKey">Configuration key name</param>
         /// <param name="defaultValue">Default value if not found</param>
         /// <returns>Configuration value or default</returns>
-        private static string GetOptionalConfig(string key, string defaultValue = null)
+        private static string GetOptionalConfig(string configKey, string defaultValue = null)
         {
-            return ConfigurationManager.AppSettings[key] ?? defaultValue;
+            return ConfigurationManager.AppSettings[configKey] ?? defaultValue;
         }
 
         /// <summary>

Contentstack.Core.Unit.Tests/Contentstack.Core.Unit.Tests.csproj

@@ -18,6 +18,8 @@
     </PackageReference>
     <PackageReference Include="AutoFixture" Version="4.18.1" />
     <PackageReference Include="AutoFixture.AutoMoq" Version="4.18.1" />
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
     <PackageReference Include="Moq" Version="4.20.72" />
     <PackageReference Include="System.Configuration.ConfigurationManager" Version="9.0.0" />
     <PackageReference Include="Microsoft.Extensions.Options" Version="9.0.0" />

Scripts/generate_enhanced_html_report.py

@@ -5,10 +5,10 @@
 - Expected vs Actual values
 - HTTP Request details (including cURL)
 - Response details
-No external dependencies - uses only Python standard library
+Uses defusedxml for secure XML parsing (XXE/DDoS-safe).
 """
 
-import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as ET
 import os
 import sys
 import re
@@ -158,9 +158,9 @@ def parse_trx(self):
                         test_output = stdout_elem.text
                         structured_output = self.parse_structured_output(test_output)
 
-                # Get test category
+                # Get test category (find by id without dynamic XPath to avoid CWE-643)
                 test_def_id = test_result.get('testId', '')
-                test_def = root.find(f".//UnitTest[@id='{test_def_id}']", ns)
+                test_def = next((el for el in root.findall('.//UnitTest', ns) if el.get('id') == test_def_id), None)
                 category = 'General'
                 if test_def is not None:
                     test_method = test_def.find('.//TestMethod', ns)

Scripts/generate_html_report.py

@@ -1,11 +1,11 @@
 #!/usr/bin/env python3
 """
 HTML Test Report Generator for .NET Test Results
-Converts .trx files to beautiful HTML reports
-No external dependencies - uses only Python standard library
+Converts .trx files to beautiful HTML reports.
+Uses defusedxml for secure XML parsing (XXE/DDoS-safe).
 """
 
-import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as ET
 import os
 import sys
 from datetime import datetime
@@ -78,9 +78,9 @@ def parse_trx(self):
                         if stacktrace_elem is not None:
                             error_stacktrace = stacktrace_elem.text
 
-                # Get test category
+                # Get test category (find by id without dynamic XPath to avoid CWE-643)
                 test_def_id = test_result.get('testId', '')
-                test_def = root.find(f".//UnitTest[@id='{test_def_id}']", ns)
+                test_def = next((el for el in root.findall('.//UnitTest', ns) if el.get('id') == test_def_id), None)
                 category = 'General'
                 if test_def is not None:
                     test_method = test_def.find('.//TestMethod', ns)

Scripts/requirements.txt

@@ -0,0 +1,2 @@
+# Secure XML parsing (fixes Snyk CWE-611 Insecure Xml Parser / XXE)
+defusedxml>=0.7.1