@contrast/contrast 1.0.0 → 1.0.1

package/src/audit/languageAnalysisEngine/reduceIdentifiedLanguages.js

@@ -0,0 +1,177 @@
+const {
+  supportedLanguages: { NODE, DOTNET, JAVA, RUBY, PYTHON, GO, PHP, JAVASCRIPT }
+} = require('./constants')
+const i18n = require('i18n')
+
+const DOT_NET_PROJECT_FILE_REGEX = /.+\.csproj$/
+const DOT_NET_LOCK_FILENAME = 'packages.lock.json'
+
+const isDotNetProjectFilename = filename =>
+  filename.search(DOT_NET_PROJECT_FILE_REGEX) !== -1
+const isDotNetLockFilename = filename => filename === DOT_NET_LOCK_FILENAME
+function isJavaMavenProjectFilename(filename) {
+  return filename === 'pom.xml'
+}
+function isJavaGradleProjectFilename(filename) {
+  return filename === 'build.gradle' || filename === 'build.gradle.kts'
+}
+const isRubyProjectFilename = filename => filename === 'Gemfile'
+const isNodeProjectFilename = filename => filename === 'package.json'
+const isPythonProjectFilename = filename =>
+  filename === 'requirements.txt' || filename === 'Pipfile'
+const isPhpProjectFilename = filename => filename === 'composer.json'
+const isPhpLockFilename = filename => filename === 'composer.lock'
+function isNodeLockFilename(filename) {
+  return filename === 'package-lock.json' || filename === 'yarn.lock'
+}
+const isRubyLockFilename = filename => filename === 'Gemfile.lock'
+const isPipfileLockLockFilename = filename => filename === 'Pipfile.lock'
+const isGoProjectFilename = filename => filename === 'go.mod'
+
+const deduceLanguage = filename => {
+  const deducedLanguages = []
+
+  // In theory there shouldn't be multiple languages supported for a single
+  // project filename or lock filename but to protect ourselves and consumers we
+  // will try to detect it
+
+  // Check for project filenames...
+  if (isJavaMavenProjectFilename(filename)) {
+    deducedLanguages.push({ language: JAVA, projectFilename: filename })
+  }
+
+  if (isJavaGradleProjectFilename(filename)) {
+    deducedLanguages.push({ language: JAVA, projectFilename: filename })
+  }
+
+  if (isNodeProjectFilename(filename)) {
+    deducedLanguages.push({ language: NODE, projectFilename: filename })
+  }
+
+  if (isDotNetProjectFilename(filename)) {
+    deducedLanguages.push({ language: DOTNET, projectFilename: filename })
+  }
+
+  if (isRubyProjectFilename(filename)) {
+    deducedLanguages.push({ language: RUBY, projectFilename: filename })
+  }
+
+  if (isPythonProjectFilename(filename)) {
+    deducedLanguages.push({ language: PYTHON, projectFilename: filename })
+  }
+
+  if (isPhpProjectFilename(filename)) {
+    deducedLanguages.push({ language: PHP, projectFilename: filename })
+  }
+
+  // Check for lock filenames...
+  if (isDotNetLockFilename(filename)) {
+    deducedLanguages.push({ language: DOTNET, lockFilename: filename })
+  }
+
+  if (isNodeLockFilename(filename)) {
+    deducedLanguages.push({ language: NODE, lockFilename: filename })
+  }
+
+  if (isRubyLockFilename(filename)) {
+    deducedLanguages.push({ language: RUBY, lockFilename: filename })
+  }
+
+  // this is pipfileLock rather than python lock as there can be different python locks
+  if (isPipfileLockLockFilename(filename)) {
+    deducedLanguages.push({ language: PYTHON, lockFilename: filename })
+  }
+
+  if (isPhpLockFilename(filename)) {
+    deducedLanguages.push({ language: PHP, lockFilename: filename })
+  }
+
+  // go does not have a lockfile, it should have a go.mod file containing the modules
+  if (isGoProjectFilename(filename)) {
+    deducedLanguages.push({ language: GO, projectFilename: filename })
+  }
+
+  return deducedLanguages
+}
+
+const reduceIdentifiedLanguages = identifiedLanguages =>
+  identifiedLanguages.reduce((accumulator, identifiedLanguageInfo) => {
+    const { language, projectFilename, lockFilename } = identifiedLanguageInfo
+
+    // Add an entry to our map for an identified language (and its filename)
+    // if we haven't accumulated it yet. Otherwise simply add the filename to the
+    // existing list.
+    if (!(language in accumulator)) {
+      accumulator[language] = { projectFilenames: [], lockFilenames: [] }
+    }
+
+    if (projectFilename) {
+      accumulator[language].projectFilenames.push(projectFilename)
+    } else {
+      accumulator[language].lockFilenames.push(lockFilename)
+    }
+
+    return accumulator
+  }, {})
+
+/**
+ * Look at each filename and using a heuristic see if we can determine that it
+ * specifies a specific language
+ */
+module.exports = exports = (analysis, next) => {
+  const { projectPath, languageAnalysis, config } = analysis
+
+  let identifiedLanguages = languageAnalysis.projectRootFilenames.reduce(
+    (accumulator, filename) => {
+      const deducedLanguages = deduceLanguage(filename)
+      return [...accumulator, ...deducedLanguages]
+    },
+    []
+  )
+
+  if (Object.keys(identifiedLanguages).length === 0) {
+    next(new Error(i18n.__('languageAnalysisNoLanguage', projectPath)))
+    return
+  }
+
+  let language = config.language
+  if (language === undefined) {
+    languageAnalysis.identifiedLanguages = reduceIdentifiedLanguages(
+      identifiedLanguages
+    )
+  } else {
+    let refinedIdentifiedLanguages = []
+    for (let x in identifiedLanguages) {
+      if (
+        identifiedLanguages[x].language === language.toUpperCase() ||
+        (identifiedLanguages[x].language === NODE &&
+          language.toUpperCase() === JAVASCRIPT)
+      ) {
+        refinedIdentifiedLanguages.push(identifiedLanguages[x])
+      }
+    }
+    //languages found do not meet that supplied by the user
+    if (refinedIdentifiedLanguages.length === 0) {
+      console.log(`Could not detect language as specified: ${config.language}`)
+      process.exit(1)
+    }
+
+    languageAnalysis.identifiedLanguages = reduceIdentifiedLanguages(
+      refinedIdentifiedLanguages
+    )
+  }
+
+  next()
+}
+
+//For testing purposes
+exports.isJavaMavenProjectFilename = isJavaMavenProjectFilename
+exports.isJavaGradleProjectFilename = isJavaGradleProjectFilename
+exports.isNodeProjectFilename = isNodeProjectFilename
+exports.isDotNetProjectFilename = isDotNetProjectFilename
+exports.isDotNetLockFilename = isDotNetLockFilename
+exports.isGoProjectFilename = isGoProjectFilename
+exports.isPhpProjectFilename = isPhpProjectFilename
+exports.isPhpLockFilename = isPhpLockFilename
+exports.deduceLanguage = deduceLanguage
+exports.reduceIdentifiedLanguages = reduceIdentifiedLanguages

package/src/audit/languageAnalysisEngine/report/checkIgnoreDevDep.js

@@ -0,0 +1,27 @@
+const {
+  getGlobalProperties,
+  getFeatures,
+  isFeatureEnabled
+} = require('../util/generalAPI')
+const { CLI_IGNORE_DEV_DEPS } = require('../util/capabilities')
+
+const checkDevDeps = async config => {
+  const shouldIgnoreDev = config.ignoreDev
+  const globalProperties = await getGlobalProperties()
+
+  // returns [ 'CLI_IGNORE_DEV_DEPS' ] if teamserver version is above 3.8.1
+  const features = getFeatures(globalProperties.internal_version)
+
+  // providing user is on version >= 3.8.1, isfeatureEnabled will always return true,
+  // therefore shouldIgnoreDev flag (from params) is needed to disable ignore dev deps
+  const isfeatureEnabled = isFeatureEnabled(features, CLI_IGNORE_DEV_DEPS)
+  let ignoreDevUrl = false
+  if (shouldIgnoreDev) {
+    ignoreDevUrl = isfeatureEnabled
+  }
+  return ignoreDevUrl
+}
+
+module.exports = {
+  checkDevDeps
+}

package/src/audit/languageAnalysisEngine/report/commonReportingFunctions.js

@@ -0,0 +1,303 @@
+const i18n = require('i18n')
+const { getHttpClient } = require('../../../utils/commonApi')
+
+function displaySuccessMessageReport() {
+  console.log('\n' + i18n.__('reportSuccessMessage'))
+}
+
+function getAllDependenciesArray(packageJson) {
+  const {
+    dependencies,
+    optionalDependencies,
+    devDependencies,
+    peerDependencies
+  } = packageJson
+
+  const allDep = {
+    ...dependencies,
+    ...devDependencies,
+    ...optionalDependencies,
+    ...peerDependencies
+  }
+
+  return Object.entries(allDep)
+}
+
+function checkIfDepIsScoped(arrDep) {
+  let count = 0
+  arrDep.forEach(([key, value]) => {
+    if (!key.startsWith('@')) {
+      console.log(` WARNING not scoped: ${key}:${value}`)
+      count++
+    }
+  })
+  return count
+}
+
+const dependencyRiskReport = async (packageJson, config) => {
+  const arrDep = getAllDependenciesArray(packageJson)
+  const unRegisteredDeps = await checkIfDepIsRegisteredOnNPM(arrDep, config)
+  let scopedCount = checkIfDepIsScoped(unRegisteredDeps)
+
+  return {
+    scopedCount: scopedCount,
+    unRegisteredCount: unRegisteredDeps.length
+  }
+}
+
+const checkIfDepIsRegisteredOnNPM = async (arrDep, config) => {
+  let promises = []
+  let unRegisteredDeps = []
+  const client = getHttpClient(config)
+
+  for (const [index, element] of arrDep) {
+    const query = `query artifactByGAV($name: String!, $language: String!, $groupName: String, $version: String!, $nameCheck: Boolean) {
+    artifact: exactVersion(name: $name, language: $language, groupName: $groupName, version: $version, nameCheck: $nameCheck) {
+        version
+        cves {
+            baseScore
+        }}}`
+
+    const data = {
+      query: query,
+      variables: {
+        name: index,
+        version: element,
+        language: 'node',
+        nameCheck: true
+      }
+    }
+
+    promises.push(client.checkLibrary(data))
+  }
+
+  await Promise.all(promises).then(response => {
+    response.forEach(res => {
+      const libName = JSON.parse(res.request.body)
+      if (res.statusCode === 200) {
+        if (res.body.data.artifact == null) {
+          unRegisteredDeps.push([
+            libName.variables.name,
+            libName.variables.version
+          ])
+        }
+      }
+    })
+  })
+
+  if (unRegisteredDeps.length !== 0) {
+    console.log(
+      '\n Dependencies Risk Report',
+      '\n\n Private libraries that are not scoped. We recommend these libraries are reviewed and the scope claimed to prevent dependency confusion breaches'
+    )
+  }
+
+  return unRegisteredDeps
+}
+
+const createLibraryHeader = (
+  id,
+  numberOfVulnerableLibraries,
+  numberOfCves,
+  name
+) => {
+  name
+    ? console.log(` Application Name: ${name} | Application ID: ${id}`)
+    : console.log(` Application ID: ${id}`)
+  console.log(
+    ` Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVE's`
+  )
+}
+
+const breakPipeline = () => {
+  failOptionError()
+  process.exit(1)
+}
+
+const parameterOptions = hasSomeVulnerabilitiesReported => {
+  const inputtedCLIOptions = cliOptions.getCommandLineArgs()
+  let cveSeverityOption = inputtedCLIOptions['cve_severity']
+  let fail = inputtedCLIOptions['fail']
+  let cve_threshold = inputtedCLIOptions['cve_threshold']
+  let expr
+  if (cveSeverityOption && fail && cve_threshold) {
+    expr = 'SeverityAndThreshold'
+  } else if (!cveSeverityOption && fail && cve_threshold) {
+    expr = 'ThresholdOnly'
+  } else if (!cve_threshold && fail && hasSomeVulnerabilitiesReported[0]) {
+    expr = 'FailOnly'
+  }
+  return expr
+}
+
+const analyseReportOptions = hasSomeVulnerabilitiesReported => {
+  const inputtedCLIOptions = cliOptions.getCommandLineArgs()
+  let cve_threshold = inputtedCLIOptions['cve_threshold']
+  let cveSeverity
+  let criticalSeverity
+  let highSeverity
+  let mediumSeverity
+  let lowSeverity
+
+  switch (parameterOptions(hasSomeVulnerabilitiesReported)) {
+    case 'SeverityAndThreshold':
+      cveSeverity = inputtedCLIOptions['cve_severity'].severity
+      criticalSeverity = hasSomeVulnerabilitiesReported[2].critical
+      highSeverity = hasSomeVulnerabilitiesReported[2].high
+      mediumSeverity = hasSomeVulnerabilitiesReported[2].medium
+      lowSeverity = hasSomeVulnerabilitiesReported[2].low
+
+      if (cveSeverity === 'HIGH') {
+        if (cve_threshold < highSeverity + criticalSeverity) {
+          breakPipeline()
+        }
+      }
+
+      if (cveSeverity === 'MEDIUM') {
+        if (cve_threshold < mediumSeverity + highSeverity) {
+          breakPipeline()
+        }
+      }
+
+      if (cveSeverity === 'LOW') {
+        if (cve_threshold < lowSeverity + mediumSeverity + highSeverity) {
+          breakPipeline()
+        }
+      }
+      break
+    case 'ThresholdOnly':
+      if (cve_threshold < hasSomeVulnerabilitiesReported[1]) {
+        breakPipeline()
+      }
+      break
+    case 'FailOnly':
+      breakPipeline()
+      break
+  }
+}
+
+const getReport = async applicationId => {
+  const userParams = await util.getParams(applicationId)
+  const addParams = agent.getAdditionalParams()
+  const protocol = getValidHost(userParams.host)
+  const client = commonApi.getHttpClient(userParams, protocol, addParams)
+  return client
+    .getReport(userParams)
+    .then(res => {
+      if (res.statusCode === 200) {
+        displaySuccessMessageReport()
+        return res.body
+      } else {
+        handleResponseErrors(res, 'report')
+      }
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+const printVulnerabilityResponse = (
+  severity,
+  filteredVulns,
+  vulnerabilities
+) => {
+  let hasSomeVulnerabilitiesReported = false
+  if (severity) {
+    returnCveData(filteredVulns)
+    if (Object.keys(filteredVulns).length > 0)
+      hasSomeVulnerabilitiesReported = true
+  } else {
+    returnCveData(vulnerabilities)
+    if (Object.keys(vulnerabilities).length > 0)
+      hasSomeVulnerabilitiesReported = true
+  }
+  return hasSomeVulnerabilitiesReported
+}
+
+const returnCveData = libraries => {
+  console.log('\n ************************************************************')
+
+  for (const [key, value] of Object.entries(libraries)) {
+    const parts = key.split('/')
+    const nameVersion = parts[1].split('@')
+    const group = parts[0]
+    const name = nameVersion[0]
+    const version = nameVersion[1]
+
+    const libName =
+      group !== 'null'
+        ? `${group}/${name}/${version} is vulnerable`
+        : `${name}/${version} is vulnerable`
+
+    console.log('\n\n ' + libName)
+    value.forEach(vuln => {
+      let sevCode = vuln.severityCode || vuln.severity_code
+      console.log('\n ' + vuln.name + ' ' + sevCode + '\n ' + vuln.description)
+    })
+  }
+}
+
+function searchHighCVEs(vuln) {
+  let sevCode = vuln.severityCode || vuln.severity_code
+  if (sevCode === 'HIGH') {
+    return vuln
+  }
+}
+
+function searchMediumCVEs(vuln) {
+  let sevCode = vuln.severityCode || vuln.severity_code
+  if (sevCode === 'HIGH' || sevCode === 'MEDIUM') {
+    return vuln
+  }
+}
+
+function searchLowCVEs(vuln) {
+  let sevCode = vuln.severityCode || vuln.severity_code
+  if (sevCode === 'HIGH' || sevCode === 'MEDIUM' || sevCode === 'LOW') {
+    return vuln
+  }
+}
+
+const filterVulnerabilitiesBySeverity = (severity, vulnerabilities) => {
+  let filteredVulns = []
+  if (severity) {
+    for (let x in vulnerabilities) {
+      if (severity.severity === 'HIGH') {
+        let highVulnerability = vulnerabilities[x].filter(searchHighCVEs)
+        if (highVulnerability.length > 0) {
+          filteredVulns[x] = highVulnerability
+        }
+      } else if (severity.severity === 'MEDIUM') {
+        let mediumVulnerability = vulnerabilities[x].filter(searchMediumCVEs)
+        if (mediumVulnerability.length > 0) {
+          filteredVulns[x] = mediumVulnerability
+        }
+      } else if (severity.severity === 'LOW') {
+        let lowVulnerability = vulnerabilities[x].filter(searchLowCVEs)
+        if (lowVulnerability.length > 0) {
+          filteredVulns[x] = lowVulnerability
+        }
+      }
+    }
+  }
+  return filteredVulns
+}
+
+module.exports = {
+  displaySuccessMessageReport: displaySuccessMessageReport,
+  getAllDependenciesArray: getAllDependenciesArray,
+  dependencyRiskReport: dependencyRiskReport,
+  createLibraryHeader: createLibraryHeader,
+  breakPipeline: breakPipeline,
+  parameterOptions: parameterOptions,
+  analyseReportOptions: analyseReportOptions,
+  getReport: getReport,
+  checkIfDepIsScoped: checkIfDepIsScoped,
+  checkIfDepIsRegisteredOnNPM: checkIfDepIsRegisteredOnNPM,
+  filterVulnerabilitiesBySeverity: filterVulnerabilitiesBySeverity,
+  searchLowCVEs: searchLowCVEs,
+  searchMediumCVEs: searchMediumCVEs,
+  searchHighCVEs: searchHighCVEs,
+  returnCveData: returnCveData,
+  printVulnerabilityResponse: printVulnerabilityResponse
+}

package/src/audit/languageAnalysisEngine/report/newReportingFeature.js

@@ -0,0 +1,124 @@
+const commonReport = require('./commonReportingFunctions')
+const { handleResponseErrors } = require('../commonApi')
+const { getHttpClient } = require('../../../utils/commonApi')
+
+const vulnReportWithoutDevDep = async (
+  analysis,
+  applicationId,
+  snapshotId,
+  config
+) => {
+  if (config.report) {
+    const reportResponse = await getSpecReport(snapshotId, config)
+    if (reportResponse !== undefined) {
+      const severity = config.cveSeverity
+      const id = applicationId
+      const name = config.applicationName
+      const hasSomeVulnerabilitiesReported = formatVulnerabilityOutput(
+        reportResponse.vulnerabilities,
+        severity,
+        id,
+        name,
+        config
+      )
+      commonReport.analyseReportOptions(hasSomeVulnerabilitiesReported)
+    }
+  }
+}
+
+const getSpecReport = async (reportId, config) => {
+  const client = getHttpClient(config)
+
+  return client
+    .getSpecificReport(config, reportId)
+    .then(res => {
+      if (res.statusCode === 200) {
+        commonReport.displaySuccessMessageReport()
+        return res.body
+      } else {
+        handleResponseErrors(res, 'report')
+      }
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+const countSeverity = vulnerabilities => {
+  const severityCount = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0
+  }
+
+  // eslint-disable-next-line
+  for (const key of Object.keys(vulnerabilities)) {
+    vulnerabilities[key].forEach(vuln => {
+      if (vuln.severityCode === 'HIGH') {
+        severityCount['high'] += 1
+      } else if (vuln.severityCode === 'MEDIUM') {
+        severityCount['medium'] += 1
+      } else if (vuln.severityCode === 'LOW') {
+        severityCount['low'] += 1
+      } else if (vuln.severityCode === 'CRITICAL') {
+        severityCount['critical'] += 1
+      }
+    })
+  }
+  return severityCount
+}
+
+const formatVulnerabilityOutput = (
+  vulnerabilities,
+  severity,
+  id,
+  name,
+  config
+) => {
+  const numberOfVulnerableLibraries = Object.keys(vulnerabilities).length
+  let numberOfCves = 0
+
+  // eslint-disable-next-line
+  for (const key of Object.keys(vulnerabilities)) {
+    numberOfCves += vulnerabilities[key].length
+  }
+
+  commonReport.createLibraryHeader(
+    id,
+    numberOfVulnerableLibraries,
+    numberOfCves,
+    name
+  )
+
+  const severityCount = countSeverity(vulnerabilities)
+  const filteredVulns = commonReport.filterVulnerabilitiesBySeverity(
+    severity,
+    vulnerabilities
+  )
+
+  let hasSomeVulnerabilitiesReported
+  hasSomeVulnerabilitiesReported = commonReport.printVulnerabilityResponse(
+    severity,
+    filteredVulns,
+    vulnerabilities
+  )
+
+  console.log(
+    '\n **************************' +
+      ` Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVE's ` +
+      '************************** '
+  )
+
+  console.log(
+    ' \n Please go to the Contrast UI to view your dependency tree: \n' +
+      ` \n ${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
+  )
+  return [hasSomeVulnerabilitiesReported, numberOfCves, severityCount]
+}
+
+module.exports = {
+  vulnReportWithoutDevDep: vulnReportWithoutDevDep,
+  formatVulnerabilityOutput: formatVulnerabilityOutput,
+  getSpecReport: getSpecReport
+}