@contrast/contrast 1.0.0 → 1.0.1

package/dist/audit/languageAnalysisEngine/report/newReportingFeature.js

@@ -0,0 +1,81 @@
+"use strict";
+const commonReport = require('./commonReportingFunctions');
+const { handleResponseErrors } = require('../commonApi');
+const { getHttpClient } = require('../../../utils/commonApi');
+const vulnReportWithoutDevDep = async (analysis, applicationId, snapshotId, config) => {
+    if (config.report) {
+        const reportResponse = await getSpecReport(snapshotId, config);
+        if (reportResponse !== undefined) {
+            const severity = config.cveSeverity;
+            const id = applicationId;
+            const name = config.applicationName;
+            const hasSomeVulnerabilitiesReported = formatVulnerabilityOutput(reportResponse.vulnerabilities, severity, id, name, config);
+            commonReport.analyseReportOptions(hasSomeVulnerabilitiesReported);
+        }
+    }
+};
+const getSpecReport = async (reportId, config) => {
+    const client = getHttpClient(config);
+    return client
+        .getSpecificReport(config, reportId)
+        .then(res => {
+        if (res.statusCode === 200) {
+            commonReport.displaySuccessMessageReport();
+            return res.body;
+        }
+        else {
+            handleResponseErrors(res, 'report');
+        }
+    })
+        .catch(err => {
+        console.log(err);
+    });
+};
+const countSeverity = vulnerabilities => {
+    const severityCount = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0
+    };
+    for (const key of Object.keys(vulnerabilities)) {
+        vulnerabilities[key].forEach(vuln => {
+            if (vuln.severityCode === 'HIGH') {
+                severityCount['high'] += 1;
+            }
+            else if (vuln.severityCode === 'MEDIUM') {
+                severityCount['medium'] += 1;
+            }
+            else if (vuln.severityCode === 'LOW') {
+                severityCount['low'] += 1;
+            }
+            else if (vuln.severityCode === 'CRITICAL') {
+                severityCount['critical'] += 1;
+            }
+        });
+    }
+    return severityCount;
+};
+const formatVulnerabilityOutput = (vulnerabilities, severity, id, name, config) => {
+    const numberOfVulnerableLibraries = Object.keys(vulnerabilities).length;
+    let numberOfCves = 0;
+    for (const key of Object.keys(vulnerabilities)) {
+        numberOfCves += vulnerabilities[key].length;
+    }
+    commonReport.createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves, name);
+    const severityCount = countSeverity(vulnerabilities);
+    const filteredVulns = commonReport.filterVulnerabilitiesBySeverity(severity, vulnerabilities);
+    let hasSomeVulnerabilitiesReported;
+    hasSomeVulnerabilitiesReported = commonReport.printVulnerabilityResponse(severity, filteredVulns, vulnerabilities);
+    console.log('\n **************************' +
+        ` Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVE's ` +
+        '************************** ');
+    console.log(' \n Please go to the Contrast UI to view your dependency tree: \n' +
+        ` \n ${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`);
+    return [hasSomeVulnerabilitiesReported, numberOfCves, severityCount];
+};
+module.exports = {
+    vulnReportWithoutDevDep: vulnReportWithoutDevDep,
+    formatVulnerabilityOutput: formatVulnerabilityOutput,
+    getSpecReport: getSpecReport
+};

package/dist/audit/languageAnalysisEngine/report/reportingFeature.js

@@ -0,0 +1,133 @@
+"use strict";
+const i18n = require('i18n');
+const commonApi = require('../commonApi');
+const commonReport = require('./commonReportingFunctions');
+function displaySuccessMessageVulnerabilities() {
+    console.log(i18n.__('vulnerabilitiesSuccessMessage'));
+}
+const vulnerabilityReport = async (analysis, applicationId, config) => {
+    let depRiskReportCount = {};
+    if (analysis.language === 'NODE') {
+        depRiskReportCount = await commonReport.dependencyRiskReport(analysis.node.packageJSON, config);
+    }
+    if (config['report']) {
+        const reportResponse = await commonReport.getReport(applicationId);
+        if (reportResponse !== undefined) {
+            const libraryVulnerabilityInput = createLibraryVulnerabilityInput(reportResponse.reports);
+            const libraryVulnerabilityResponse = await getLibraryVulnerabilities(libraryVulnerabilityInput, applicationId);
+            const severity = config['cve_severity'];
+            const id = applicationId;
+            const name = config.applicationName;
+            const hasSomeVulnerabilitiesReported = formatVulnerabilityOutput(libraryVulnerabilityResponse, severity, id, name, depRiskReportCount, config);
+            commonReport.analyseReportOptions(hasSomeVulnerabilitiesReported);
+        }
+    }
+};
+const createLibraryVulnerabilityInput = report => {
+    const language = Object.keys(report[0].report)[0];
+    const reportTree = report[0].report[language].dependencyTree;
+    const libraries = reportTree[Object.keys(reportTree)[0]];
+    let gav = [];
+    for (const key of Object.keys(libraries)) {
+        gav.push({
+            name: libraries[key].name,
+            group: libraries[key].group,
+            version: libraries[key].resolved
+        });
+    }
+    return {
+        name_group_versions: gav,
+        language: language.toUpperCase()
+    };
+};
+const oldCountSeverity = vulnerableLibraries => {
+    const severityCount = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0
+    };
+    vulnerableLibraries.forEach(lib => {
+        lib.vulns.forEach(vuln => {
+            if (vuln.severity_code === 'HIGH') {
+                severityCount['high'] += 1;
+            }
+            else if (vuln.severity_code === 'MEDIUM') {
+                severityCount['medium'] += 1;
+            }
+            else if (vuln.severity_code === 'LOW') {
+                severityCount['low'] += 1;
+            }
+            else if (vuln.severity_code === 'CRITICAL') {
+                severityCount['critical'] += 1;
+            }
+        });
+    });
+    return severityCount;
+};
+const parseVulnerabilites = libraryVulnerabilityResponse => {
+    let parsedVulnerabilites = {};
+    let vulnName = libraryVulnerabilityResponse.libraries;
+    for (let x in vulnName) {
+        let vuln = vulnName[x].vulns;
+        if (vuln.length > 0) {
+            let libname = vulnName[x].group +
+                '/' +
+                vulnName[x].file_name +
+                '@' +
+                vulnName[x].file_version;
+            parsedVulnerabilites[libname] = vulnName[x].vulns;
+        }
+    }
+    return parsedVulnerabilites;
+};
+const formatVulnerabilityOutput = (libraryVulnerabilityResponse, severity, id, name, depRiskReportCount, config) => {
+    let vulnerableLibraries = libraryVulnerabilityResponse.libraries.filter(data => {
+        return data.vulns.length > 0;
+    });
+    const numberOfVulnerableLibraries = vulnerableLibraries.length;
+    let numberOfCves = 0;
+    vulnerableLibraries.forEach(lib => (numberOfCves += lib.vulns.length));
+    commonReport.createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves, name);
+    const severityCount = oldCountSeverity(vulnerableLibraries);
+    let vulnerabilities = parseVulnerabilites(libraryVulnerabilityResponse);
+    let filteredVulns = commonReport.filterVulnerabilitiesBySeverity(severity, vulnerabilities);
+    let hasSomeVulnerabilitiesReported;
+    hasSomeVulnerabilitiesReported = commonReport.printVulnerabilityResponse(severity, filteredVulns, vulnerabilities);
+    console.log('\n **************************' +
+        ` Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVE's ` +
+        '************************** ');
+    if (depRiskReportCount && depRiskReportCount.scopedCount === 0) {
+        console.log(' No private libraries that are not scoped detected');
+    }
+    console.log(' \n Please go to the Contrast UI to view your dependency tree: \n' +
+        ` \n ${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`);
+    return [hasSomeVulnerabilitiesReported, numberOfCves, severityCount];
+};
+const getLibraryVulnerabilities = async (input, applicationId) => {
+    const requestBody = input;
+    const addParams = agent.getAdditionalParams();
+    const userParams = await util.getParams(applicationId);
+    const protocol = getValidHost(userParams.host);
+    const client = commonApi.getHttpClient(userParams, protocol, addParams);
+    return client
+        .getLibraryVulnerabilities(requestBody, userParams)
+        .then(res => {
+        if (res.statusCode === 200) {
+            displaySuccessMessageVulnerabilities();
+            return res.body;
+        }
+        else {
+            handleResponseErrors(res, 'vulnerabilities');
+        }
+    })
+        .catch(err => {
+        console.log(err);
+    });
+};
+module.exports = {
+    vulnerabilityReport: vulnerabilityReport,
+    getLibraryVulnerabilities: getLibraryVulnerabilities,
+    formatVulnerabilityOutput: formatVulnerabilityOutput,
+    createLibraryVulnerabilityInput: createLibraryVulnerabilityInput
+};

package/dist/audit/languageAnalysisEngine/sendSnapshot.js

@@ -0,0 +1,41 @@
+"use strict";
+const prettyjson = require('prettyjson');
+const i18n = require('i18n');
+const { getHttpClient } = require('../../utils/commonApi');
+const { handleResponseErrors } = require('../../common/errorHandling');
+const { APP_VERSION } = require('../../constants/constants');
+function displaySnapshotSuccessMessage(config) {
+    console.log('\n **************************' +
+        i18n.__('successHeader') +
+        '************************** ');
+    console.log('\n' + i18n.__('snapshotSuccessMessage') + '\n');
+    console.log(` ${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`);
+    console.log('\n ***********************************************************');
+}
+const newSendSnapShot = async (analysis, applicationId) => {
+    const analysisLanguage = analysis.config.language.toLowerCase();
+    const requestBody = {
+        appID: analysis.config.applicationId,
+        cliVersion: APP_VERSION,
+        snapshot: { [analysisLanguage]: analysis[analysisLanguage] }
+    };
+    const client = getHttpClient(analysis.config);
+    return client
+        .sendSnapshot(requestBody, analysis.config)
+        .then(res => {
+        if (res.statusCode === 201) {
+            displaySnapshotSuccessMessage(analysis.config);
+            return res.body;
+        }
+        else {
+            handleResponseErrors(res, 'snapshot');
+        }
+    })
+        .catch(err => {
+        console.log(err);
+    });
+};
+module.exports = {
+    newSendSnapShot: newSendSnapShot,
+    displaySnapshotSuccessMessage: displaySnapshotSuccessMessage
+};

package/dist/audit/languageAnalysisEngine/util/capabilities.js

@@ -0,0 +1,11 @@
+"use strict";
+const CLI_IGNORE_DEV_DEPS = 'CLI_IGNORE_DEV_DEPS';
+const featuresTeamServer = [
+    {
+        CLI_IGNORE_DEV_DEPS: '3.9.0'
+    }
+];
+module.exports = {
+    featuresTeamServer,
+    CLI_IGNORE_DEV_DEPS
+};

package/dist/audit/languageAnalysisEngine/util/generalAPI.js

@@ -0,0 +1,39 @@
+"use strict";
+const { featuresTeamServer } = require('./capabilities');
+const semver = require('semver');
+const { handleResponseErrors } = require('../../../common/errorHandling');
+const { getHttpClient } = require('../../../utils/commonApi');
+const getGlobalProperties = async (config) => {
+    const client = getHttpClient(config);
+    return client
+        .getGlobalProperties(config)
+        .then(res => {
+        if (res.statusCode === 200) {
+            return res.body;
+        }
+        else {
+            handleResponseErrors(res, 'globalProperties');
+        }
+    })
+        .catch(err => {
+        console.log(err);
+    });
+};
+const getFeatures = version => {
+    const featuresEnabled = [];
+    featuresTeamServer.forEach(feature => {
+        const versionFrom = Object.values(feature)[0];
+        return semver.gte(version, versionFrom)
+            ? featuresEnabled.push(Object.keys(feature)[0])
+            : null;
+    });
+    return featuresEnabled;
+};
+const isFeatureEnabled = (features, featureName) => {
+    return features.includes(featureName);
+};
+module.exports = {
+    getGlobalProperties,
+    getFeatures,
+    isFeatureEnabled
+};

package/dist/audit/languageAnalysisEngine/util/requestUtils.js

@@ -0,0 +1,14 @@
+"use strict";
+const request = require('request');
+const Promise = require('bluebird');
+Promise.promisifyAll(request);
+function sendRequest({ options, method = 'put' }) {
+    return request[`${method}Async`](options.url, options);
+}
+const sleep = ms => {
+    return new Promise(resolve => setTimeout(resolve, ms));
+};
+module.exports = {
+    sendRequest: sendRequest,
+    sleep: sleep
+};

package/dist/audit/nodeAnalysisEngine/handleNPMLockFileV2.js

@@ -0,0 +1,40 @@
+"use strict";
+const i18n = require('i18n');
+module.exports = exports = (analysis, next) => {
+    const { language: { lockFilePath }, node } = analysis;
+    try {
+        if (node.npmLockFile && node.npmLockFile.lockfileVersion > 1) {
+            const listOfTopDep = Object.keys(node.npmLockFile.dependencies);
+            Object.entries(node.npmLockFile.dependencies).forEach(([key, value]) => {
+                if (value.requires) {
+                    const listOfRequiresDep = Object.keys(value.requires);
+                    listOfRequiresDep.forEach(dep => {
+                        if (!listOfTopDep.includes(dep)) {
+                            addDepToLockFile(value['requires'], dep);
+                        }
+                    });
+                }
+                if (value.dependencies) {
+                    Object.entries(value.dependencies).forEach(([childKey, childValue]) => {
+                        if (childValue.requires) {
+                            const listOfRequiresDep = Object.keys(childValue.requires);
+                            listOfRequiresDep.forEach(dep => {
+                                if (!listOfTopDep.includes(dep)) {
+                                    addDepToLockFile(childValue['requires'], dep);
+                                }
+                            });
+                        }
+                    });
+                }
+            });
+        }
+    }
+    catch (err) {
+        next(next(new Error(i18n.__('NodeParseNPM', lockFilePath) + `${err.message}`)));
+        return;
+    }
+    function addDepToLockFile(depObj, key) {
+        node.npmLockFile.dependencies[key] = { version: depObj[key] };
+    }
+    next();
+};

package/dist/audit/nodeAnalysisEngine/index.js

@@ -0,0 +1,31 @@
+"use strict";
+const AnalysisEngine = require('../AnalysisEngine');
+const readProjectFileContents = require('./readProjectFileContents');
+const readNPMLockFileContents = require('./readNPMLockFileContents');
+const parseNPMLockFileContents = require('./parseNPMLockFileContents');
+const readYarnLockFileContents = require('./readYarnLockFileContents');
+const parseYarnLockFileContents = require('./parseYarnLockFileContents');
+const parseYarn2LockFileContents = require('./parseYarn2LockFileContents');
+const handleNPMLockFileV2 = require('./handleNPMLockFileV2');
+const sanitizer = require('./sanitizer');
+const i18n = require('i18n');
+module.exports = exports = (language, config, callback) => {
+    const ae = new AnalysisEngine({ language, config, node: {} });
+    ae.use([
+        readProjectFileContents,
+        readNPMLockFileContents,
+        parseNPMLockFileContents,
+        readYarnLockFileContents,
+        parseYarnLockFileContents,
+        parseYarn2LockFileContents,
+        handleNPMLockFileV2,
+        sanitizer
+    ]);
+    ae.analyze((err, analysis) => {
+        if (err) {
+            callback(new Error(i18n.__('NodeAnalysisFailure') + `${err.message}`));
+            return;
+        }
+        callback(null, analysis);
+    });
+};

package/dist/audit/nodeAnalysisEngine/parseNPMLockFileContents.js

@@ -0,0 +1,18 @@
+"use strict";
+const i18n = require('i18n');
+module.exports = exports = ({ language: { lockFilePath }, node }, next) => {
+    if (node.rawLockFileContents === undefined) {
+        next();
+    }
+    else {
+        try {
+            node.npmLockFile = JSON.parse(node.rawLockFileContents);
+        }
+        catch (err) {
+            next(new Error(i18n.__('NodeParseNPM', lockFilePath ? lockFilePath : 'undefined') +
+                `${err.message}`));
+            return;
+        }
+        next();
+    }
+};

package/dist/audit/nodeAnalysisEngine/parseYarn2LockFileContents.js

@@ -0,0 +1,51 @@
+"use strict";
+const i18n = require('i18n');
+module.exports = exports = ({ language: { lockFilename }, node }, next) => {
+    if (node.rawYarnLockFileContents == undefined || node.yarnVersion == 1) {
+        next();
+    }
+    else {
+        try {
+            node.yarnLockFile = {};
+            node.yarnLockFile['object'] = node.rawYarnLockFileContents;
+            delete node.yarnLockFile['object'].__metadata;
+            node.yarnLockFile['type'] = 'success';
+            Object.entries(node.rawYarnLockFileContents).forEach(([key, value]) => {
+                const rawKeyNames = key.split(',');
+                const keyNames = formatKey(rawKeyNames);
+                keyNames.forEach(name => {
+                    node.yarnLockFile.object[name] = value;
+                });
+            });
+        }
+        catch (err) {
+            next(new Error(i18n.__('NodeParseYarn2', lockFilename.lockFilePath) +
+                `${err.message}`));
+            return;
+        }
+        next();
+    }
+};
+function formatKey(keyNames) {
+    let name = '';
+    let formattedNames = [];
+    keyNames.forEach(dummyString => {
+        let nameArr = dummyString.split('@');
+        if (nameArr.length > 1) {
+            if (nameArr.length == 2) {
+                name = nameArr[0];
+            }
+            if (nameArr.length == 3) {
+                name = '@' + nameArr[1];
+            }
+            let version = dummyString.split(':').pop('');
+            if (version.length == 1 && version != '*') {
+                version = version + '.0';
+            }
+            let reformattedKey = name.trim() + '@' + version;
+            formattedNames.push(reformattedKey);
+        }
+    });
+    return formattedNames;
+}
+exports.formatKey = formatKey;

package/dist/audit/nodeAnalysisEngine/parseYarnLockFileContents.js

@@ -0,0 +1,18 @@
+"use strict";
+const yarnParser = require('@yarnpkg/lockfile');
+const i18n = require('i18n');
+module.exports = exports = ({ language: { lockFilename }, node }, next) => {
+    if (node.rawYarnLockFileContents === undefined || node.yarnVersion === 2) {
+        next();
+    }
+    else {
+        try {
+            node.yarnLockFile = yarnParser.parse(node.rawYarnLockFileContents);
+        }
+        catch (err) {
+            next(new Error(i18n.__('NodeParseYarn', lockFilename.lockFilePath ? lockFilename.lockFilePath : 'undefined') + `${err.message}`));
+            return;
+        }
+        next();
+    }
+};

package/dist/audit/nodeAnalysisEngine/readNPMLockFileContents.js

@@ -0,0 +1,17 @@
+"use strict";
+const fs = require('fs');
+const i18n = require('i18n');
+module.exports = exports = ({ language: { lockFilePath }, node }, next) => {
+    if (!lockFilePath || !lockFilePath.includes('package-lock.json')) {
+        next();
+        return;
+    }
+    try {
+        node.rawLockFileContents = fs.readFileSync(lockFilePath);
+    }
+    catch (err) {
+        next(new Error(i18n.__('NodeReadNpmError', lockFilePath) + `${err.message}`));
+        return;
+    }
+    next();
+};

package/dist/audit/nodeAnalysisEngine/readProjectFileContents.js

@@ -0,0 +1,14 @@
+"use strict";
+const fs = require('fs');
+const i18n = require('i18n');
+module.exports = exports = (analysis, next) => {
+    const { language: { projectFilePath }, node } = analysis;
+    try {
+        node.packageJSON = JSON.parse(fs.readFileSync(projectFilePath, 'utf8'));
+    }
+    catch (err) {
+        next(new Error(i18n.__('nodeReadProjectFileError', projectFilePath) + `${err.message}`));
+        return;
+    }
+    next();
+};

package/dist/audit/nodeAnalysisEngine/readYarnLockFileContents.js

@@ -0,0 +1,24 @@
+"use strict";
+const fs = require('fs');
+const yaml = require('js-yaml');
+const i18n = require('i18n');
+module.exports = exports = ({ language: { lockFilePath }, node }, next) => {
+    if (!lockFilePath || !lockFilePath.includes('yarn.lock')) {
+        next();
+        return;
+    }
+    try {
+        node.rawYarnLockFileContents = fs.readFileSync(lockFilePath, 'utf8');
+        node.yarnVersion = 1;
+        if (!node.rawYarnLockFileContents.includes('lockfile v1') ||
+            node.rawYarnLockFileContents.includes('__metadata')) {
+            node.rawYarnLockFileContents = yaml.load(fs.readFileSync(lockFilePath, 'utf8'));
+            node.yarnVersion = 2;
+        }
+    }
+    catch (err) {
+        next(new Error(i18n.__('nodeReadYarnLockFileError', lockFilePath) + `${err.message}`));
+        return;
+    }
+    next();
+};

package/dist/audit/nodeAnalysisEngine/sanitizer.js

@@ -0,0 +1,9 @@
+"use strict";
+module.exports = exports = ({ node }, next) => {
+    delete node.rawProjectFileContents;
+    delete node.projectFileJSON;
+    delete node.projectLockFileJSON;
+    delete node.rawLockFileContents;
+    delete node.rawYarnLockFileContents;
+    next();
+};

package/dist/audit/phpAnalysisEngine/index.js

@@ -0,0 +1,23 @@
+"use strict";
+const AnalysisEngine = require('../AnalysisEngine');
+const readProjectFileContents = require('./readProjectFileContents');
+const readLockFileContents = require('./readLockFileContents');
+const parseLockFileContents = require('./parseLockFileContents');
+const sanitizer = require('./sanitizer');
+const i18n = require('i18n');
+module.exports = exports = (language, config, callback) => {
+    const ae = new AnalysisEngine({ language, config, php: {} });
+    ae.use([
+        readProjectFileContents,
+        readLockFileContents,
+        parseLockFileContents,
+        sanitizer
+    ]);
+    ae.analyze((err, analysis) => {
+        if (err) {
+            callback(new Error(i18n.__('phpAnalysisFailure') + `${err.message}`));
+            return;
+        }
+        callback(null, analysis);
+    });
+};

package/dist/audit/phpAnalysisEngine/parseLockFileContents.js

@@ -0,0 +1,52 @@
+"use strict";
+const i18n = require('i18n');
+const _ = require('lodash');
+module.exports = exports = ({ language: { lockFilePath }, php }, next) => {
+    try {
+        php.lockFile = php.rawLockFileContents;
+        let packages = _.keyBy(php.lockFile.packages, 'name');
+        let packagesDev = _.keyBy(php.lockFile['packages-dev'], 'name');
+        php.lockFile.dependencies = _.merge(packages, packagesDev);
+        const listOfTopDep = Object.keys(php.lockFile.dependencies);
+        Object.entries(php.lockFile.dependencies).forEach(([key, value]) => {
+            if (value.require) {
+                const listOfRequiresDep = Object.keys(value.require);
+                listOfRequiresDep.forEach(dep => {
+                    if (!listOfTopDep.includes(dep)) {
+                        addChildDepToLockFileAsOwnObj(value['require'], dep);
+                    }
+                });
+            }
+            if (value['require-dev']) {
+                const listOfRequiresDep = Object.keys(value['require-dev']);
+                listOfRequiresDep.forEach(dep => {
+                    if (!listOfTopDep.includes(dep)) {
+                        addChildDepToLockFileAsOwnObj(value['require-dev'], dep);
+                    }
+                });
+            }
+        });
+        formatParentDepToLockFile();
+    }
+    catch (err) {
+        next(new Error(i18n.__('phpParseComposerLock', lockFilePath) + `${err.message}`));
+        return;
+    }
+    next();
+    function addChildDepToLockFileAsOwnObj(depObj, key) {
+        php.lockFile.dependencies[key] = { version: depObj[key] };
+    }
+    function formatParentDepToLockFile() {
+        for (const [key, value] of Object.entries(php.lockFile.dependencies)) {
+            let requires = {};
+            for (const [childKey, childValue] of Object.entries(value)) {
+                if (childKey === 'require' || childKey === 'require-dev') {
+                    requires = _.merge(requires, childValue);
+                    php.lockFile.dependencies[key].requires = requires;
+                    delete php.lockFile.dependencies[key].require;
+                    delete php.lockFile.dependencies[key]['require-dev'];
+                }
+            }
+        }
+    }
+};

package/dist/audit/phpAnalysisEngine/readLockFileContents.js

@@ -0,0 +1,13 @@
+"use strict";
+const fs = require('fs');
+const i18n = require('i18n');
+module.exports = exports = ({ language: { lockFilePath }, php }, next) => {
+    try {
+        php.rawLockFileContents = JSON.parse(fs.readFileSync(lockFilePath));
+    }
+    catch (err) {
+        next(new Error(i18n.__('phpReadError', lockFilePath) + `${err.message}`));
+        return;
+    }
+    next();
+};

package/dist/audit/phpAnalysisEngine/readProjectFileContents.js

@@ -0,0 +1,16 @@
+"use strict";
+const fs = require('fs');
+const i18n = require('i18n');
+module.exports = exports = (analysis, next) => {
+    const { language: { projectFilePath }, php } = analysis;
+    try {
+        php.composerJSON = JSON.parse(fs.readFileSync(projectFilePath, 'utf8'));
+        php.composerJSON.dependencies = php.composerJSON.require;
+        php.composerJSON.devDependencies = php.composerJSON['require-dev'];
+    }
+    catch (err) {
+        next(new Error(i18n.__('phpReadProjectFileError', projectFilePath) + `${err.message}`));
+        return;
+    }
+    next();
+};

package/dist/audit/phpAnalysisEngine/sanitizer.js

@@ -0,0 +1,5 @@
+"use strict";
+module.exports = exports = ({ php }, next) => {
+    delete php.rawLockFileContents;
+    next();
+};