CM-50645 - Fix secrets commit history scan (#327)

Author: MarshalX

Dockerfile

@@ -1,6 +1,6 @@
 FROM python:3.12.9-alpine3.21 AS base
 WORKDIR /usr/cycode/app
-RUN apk add git=2.47.2-r0
+RUN apk add git=2.47.3-r0
 
 FROM base AS builder
 ENV POETRY_VERSION=1.8.3

cycode/cli/files_collector/commit_range_documents.py

@@ -193,7 +193,10 @@ def get_diff_file_path(diff: 'Diff', relative: bool = False) -> Optional[str]:
 
     if diff.b_blob:
         return diff.b_blob.abspath
-    return diff.a_blob.abspath
+    if diff.a_blob:
+        return diff.a_blob.abspath
+
+    return None
 
 
 def get_diff_file_content(diff: 'Diff') -> str:

cycode/cli/user_settings/configuration_manager.py

@@ -82,7 +82,7 @@ def add_exclusion(self, scope: str, scan_type: str, exclusion_type: str, value:
     @staticmethod
     def _merge_exclusions(local_exclusions: dict, global_exclusions: dict) -> dict:
         keys = set(list(local_exclusions.keys()) + list(global_exclusions.keys()))
-        return {key: local_exclusions.get(key, []) + global_exclusions.get(key, []) for key in keys}
+        return {key: (local_exclusions.get(key) or []) + (global_exclusions.get(key) or []) for key in keys}
 
     def get_or_create_installation_id(self) -> str:
         config_file_manager = self.get_config_file_manager()

cycode/cli/utils/yaml_utils.py

@@ -4,6 +4,10 @@
 
 import yaml
 
+from cycode.logger import get_logger
+
+logger = get_logger('YAML Utils')
+
 
 def _deep_update(source: dict[Hashable, Any], overrides: dict[Hashable, Any]) -> dict[Hashable, Any]:
     for key, value in overrides.items():
@@ -15,10 +19,16 @@ def _deep_update(source: dict[Hashable, Any], overrides: dict[Hashable, Any]) ->
     return source
 
 
-def _yaml_safe_load(file: TextIO) -> dict[Hashable, Any]:
+def _yaml_object_safe_load(file: TextIO) -> dict[Hashable, Any]:
     # loader.get_single_data could return None
     loaded_file = yaml.safe_load(file)
-    if loaded_file is None:
+
+    if not isinstance(loaded_file, dict):
+        # forbid literals at the top level
+        logger.debug(
+            'YAML file does not contain a dictionary at the top level: %s',
+            {'filename': file.name, 'actual_type': type(loaded_file)},
+        )
         return {}
 
     return loaded_file
@@ -29,7 +39,7 @@ def read_yaml_file(filename: str) -> dict[Hashable, Any]:
         return {}
 
     with open(filename, encoding='UTF-8') as file:
-        return _yaml_safe_load(file)
+        return _yaml_object_safe_load(file)
 
 
 def write_yaml_file(filename: str, content: dict[Hashable, Any]) -> None: