@contrast/contrast 1.0.0 → 1.0.1

package/dist/scan/fileUtils.js

@@ -4,7 +4,7 @@ const fs = require('fs');
 const i18n = require('i18n');
 const findFile = async () => {
     console.log(i18n.__('searchingScanFileDirectory', process.cwd()));
-    return fg(['**/*.jar', '**/*.war', '**/*.zip', '**/*.dll'], {
+    return fg(['**/*.jar', '**/*.war', '**/*.zip', '**/*.dll', '**/*.exe'], {
         dot: false,
         deep: 3,
         onlyFiles: true

package/dist/scan/help.js

@@ -1,6 +1,7 @@
 "use strict";
 const commandLineUsage = require('command-line-usage');
 const i18n = require('i18n');
+const constants = require('../constants');
 const scanUsageGuide = commandLineUsage([
     {
         header: i18n.__('scanHeader')
@@ -17,46 +18,17 @@ const scanUsageGuide = commandLineUsage([
     },
     {
         header: i18n.__('constantsScanOptions'),
-        content: [
-            {
-                name: i18n.__('scanOptionsFileName'),
-                summary: '{italic ' +
-                    i18n.__('constantsOptional') +
-                    '}: ' +
-                    i18n.__('scanOptionsFileNameSummary')
-            },
-            {
-                name: i18n.__('scanOptionsLanguage'),
-                summary: '{italic ' +
-                    i18n.__('constantsOptional') +
-                    '}: ' +
-                    i18n.__('scanOptionsLanguageSummaryOptional') +
-                    '{italic ' +
-                    i18n.__('constantsRequired') +
-                    '}: ' +
-                    i18n.__('scanOptionsLanguageSummaryRequired')
-            },
-            {
-                name: i18n.__('scanOptionsName'),
-                summary: '{italic ' +
-                    i18n.__('constantsOptional') +
-                    '}: ' +
-                    i18n.__('scanOptionsNameSummary')
-            },
-            {
-                name: i18n.__('scanOptionsTimeout'),
-                summary: '{italic ' +
-                    i18n.__('constantsOptional') +
-                    '}: ' +
-                    i18n.__('scanOptionsTimeoutSummary')
-            },
-            {
-                name: i18n.__('scanOptionsVerbose'),
-                summary: '{italic ' +
-                    i18n.__('constantsOptional') +
-                    '}: ' +
-                    i18n.__('scanOptionsVerboseSummary')
-            }
+        optionList: constants.commandLineDefinitions.scanOptionDefinitions,
+        hide: [
+            'project-id',
+            'language',
+            'organization-id',
+            'api-key',
+            'authorization',
+            'host',
+            'proxy',
+            'ff',
+            'ignore-cert-errors'
         ]
     },
     {

package/dist/scan/populateProjectIdAndProjectName.js

@@ -19,6 +19,10 @@ const createProjectId = async (config, client) => {
             console.log(i18n.__('foundExistingProjectScan'));
             return;
         }
+        if (res.statusCode === 403) {
+            console.log(i18n.__('permissionsError'));
+            return;
+        }
         if (res.statusCode === 201) {
             console.log(i18n.__('projectCreatedScan'));
             if (config.verbose) {

package/dist/scan/saveResults.js

@@ -0,0 +1,15 @@
+"use strict";
+const fs = require('fs');
+const writeResultsToFile = (responseBody, name = 'results.sarif') => {
+    fs.writeFile(name, JSON.stringify(responseBody, null, 2), err => {
+        if (err) {
+            console.log('Error writing Scan Results to file');
+        }
+        else {
+            console.log(`Scan Results saved to ${name}`);
+        }
+    });
+};
+module.exports = {
+    writeResultsToFile
+};

package/dist/scan/scan.js

@@ -1,11 +1,10 @@
 "use strict";
 const commonApi = require('../utils/commonApi.js');
 const fileUtils = require('../scan/fileUtils');
-const allowedFileTypes = ['.jar', '.war', '.js', '.zip'];
+const allowedFileTypes = ['.jar', '.war', '.js', '.zip', '.exe'];
 const i18n = require('i18n');
-const AdmZip = require('adm-zip');
 const oraWrapper = require('../utils/oraWrapper');
-const { supportedLanguages } = require('../constants/constants');
+const chalk = require('chalk');
 const isFileAllowed = scanOption => {
     let valid = false;
     allowedFileTypes.forEach(fileType => {
@@ -15,6 +14,13 @@ const isFileAllowed = scanOption => {
     });
     return valid;
 };
+const stripMustacheTags = oldString => {
+    return oldString
+        .replace(/\n/g, ' ')
+        .replace(/{{.*?}}/g, '\n')
+        .replace(/\s+/g, ' ')
+        .trim();
+};
 const sendScan = async (config) => {
     if (!isFileAllowed(config.file)) {
         console.log(i18n.__('scanErrorFileMessage'));
@@ -36,7 +42,14 @@ const sendScan = async (config) => {
                 return res.body.id;
             }
             else {
+                if (config.debug) {
+                    console.log(res.statusCode);
+                    console.log(config);
+                }
                 oraWrapper.failSpinner(startUploadSpinner, i18n.__('uploadingScanFail'));
+                if (res.statusCode === 403) {
+                    console.log(i18n.__('permissionsError'));
+                }
                 process.exit(1);
             }
         })
@@ -45,52 +58,74 @@ const sendScan = async (config) => {
         });
     }
 };
-const zipValidator = configToUse => {
-    if (configToUse.file.endsWith('.zip')) {
-        let zipFileName = configToUse.file.split('/').pop();
-        try {
-            let zip = new AdmZip(configToUse.file);
-            let zipEntries = zip.getEntries();
-            zipEntries.forEach(function (zipEntry) {
-                if (!zipEntry.entryName.includes('._') &&
-                    !zipEntry.entryName.includes('/.')) {
-                    if (!zipEntry.isDirectory) {
-                        if (!zipEntry.entryName.endsWith('.js')) {
-                            console.log(i18n.__('scanZipError', zipFileName));
-                            process.exit(1);
-                        }
-                    }
-                }
-            });
-            configToUse.language = supportedLanguages.JAVASCRIPT;
-        }
-        catch {
-            console.log(i18n.__('zipFileException'));
-        }
-    }
-};
 const formatScanOutput = (overview, results) => {
     console.log();
-    console.log('Here are your top priorities to fix');
-    console.log();
-    results.content.forEach(entry => {
-        console.log(entry.severity, 'ID:', entry.id);
-        console.log(entry.ruleId, 'in', entry.locations[0]?.physicalLocation.artifactLocation.uri, '@', entry.codeFlows[0]?.threadFlows[0]?.locations[0]?.location
-            ?.physicalLocation?.region?.startLine);
+    if (results.content.length === 0) {
+        console.log(i18n.__('scanNoVulnerabilitiesFound'));
+    }
+    else {
+        console.log(chalk.bold('Here are your top priorities to fix'));
         console.log();
+        const groups = getGroups(results.content);
+        groups.forEach(entry => {
+            console.log(chalk.bold(`${entry.severity} | ${entry.ruleId} (${entry.lineInfoSet.size})`));
+            let count = 1;
+            entry.lineInfoSet.forEach(lineInfo => {
+                console.log(`\t ${count}. ${lineInfo}`);
+                count++;
+            });
+            console.log(chalk.bold('How to fix:'));
+            console.log(entry.recommendation);
+            console.log();
+        });
+        const totalVulnerabilities = overview.critical +
+            overview.high +
+            overview.medium +
+            overview.low +
+            overview.note;
+        console.log(chalk.bold(`Found ${totalVulnerabilities} vulnerabilities`));
+        console.log(i18n.__('foundDetailedVulnerabilities', overview.critical, overview.high, overview.medium, overview.low, overview.note));
+    }
+};
+const getGroups = content => {
+    const groupTypeSet = new Set(content.map(({ ruleId }) => ruleId));
+    let groupTypeResults = [];
+    groupTypeSet.forEach(groupName => {
+        let groupResultsObj = {
+            ruleId: groupName,
+            lineInfoSet: new Set(),
+            recommendation: '',
+            severity: ''
+        };
+        content.forEach(resultEntry => {
+            if (resultEntry.ruleId === groupName) {
+                groupResultsObj.severity = resultEntry.severity;
+                groupResultsObj.recommendation = resultEntry.recommendation
+                    ? stripMustacheTags(resultEntry.recommendation)
+                    : '';
+                groupResultsObj.lineInfoSet.add(formattedCodeLine(resultEntry));
+            }
+        });
+        groupTypeResults.push(groupResultsObj);
     });
-    const totalVulnerabilities = overview.critical +
-        overview.high +
-        overview.medium +
-        overview.low +
-        overview.note;
-    console.log(`Found ${totalVulnerabilities} vulnerabilities`);
-    console.log(i18n.__('foundDetailedVulnerabilities', overview.critical, overview.high, overview.medium, overview.low, overview.note));
+    return groupTypeResults;
+};
+const formattedCodeLine = resultEntry => {
+    let lineUri = resultEntry.locations[0]?.physicalLocation.artifactLocation.uri;
+    return lineUri + ' @ ' + setLineNumber(resultEntry);
+};
+const setLineNumber = resultEntry => {
+    return resultEntry.codeFlows?.[0]?.threadFlows[0]?.locations[0]?.location
+        ?.physicalLocation?.region?.startLine
+        ? resultEntry.codeFlows[0]?.threadFlows[0]?.locations[0]?.location
+            ?.physicalLocation?.region?.startLine
+        : resultEntry.locations[0]?.physicalLocation?.region?.startLine;
 };
 module.exports = {
     sendScan: sendScan,
+    getGroups: getGroups,
     allowedFileTypes: allowedFileTypes,
     isFileAllowed: isFileAllowed,
-    formatScanOutput: formatScanOutput,
-    zipValidator: zipValidator
+    stripMustacheTags: stripMustacheTags,
+    formatScanOutput: formatScanOutput
 };

package/dist/scan/scanConfig.js

@@ -0,0 +1,20 @@
+"use strict";
+const paramHandler = require('../utils/paramsUtil/paramHandler');
+const constants = require('../../src/constants.js');
+const parsedCLIOptions = require('../../src/utils/parsedCLIOptions');
+const path = require('path');
+const getScanConfig = argv => {
+    let scanParams = parsedCLIOptions.getCommandLineArgsCustom(argv, constants.commandLineDefinitions.scanOptionDefinitions);
+    const paramsAuth = paramHandler.getAuth(scanParams);
+    if (!scanParams.name && scanParams.file) {
+        scanParams.name = getFileName(scanParams.file);
+    }
+    return { ...paramsAuth, ...scanParams };
+};
+const getFileName = file => {
+    return file.split(path.sep).pop();
+};
+module.exports = {
+    getScanConfig,
+    getFileName
+};

package/dist/scan/scanController.js

@@ -5,7 +5,6 @@ const populateProjectIdAndProjectName = require('./populateProjectIdAndProjectNa
 const scan = require('./scan');
 const scanResults = require('./scanResults');
 const autoDetection = require('./autoDetection');
-const paramHandler = require('../utils/paramsUtil/paramHandler');
 const fileFunctions = require('./fileUtils');
 const getTimeout = config => {
     if (config.timeout) {
@@ -18,23 +17,22 @@ const getTimeout = config => {
         return 300;
     }
 };
-const startScan = async () => {
-    let paramsAuth = paramHandler.getAuth();
-    let getScanSubCommands = paramHandler.getScanSubCommands();
-    const configToUse = { ...paramsAuth, ...getScanSubCommands };
-    if (configToUse.file === undefined || configToUse.file === null) {
-        await autoDetection.autoDetectFileAndLanguage(configToUse);
-    }
-    else {
-        if (fileFunctions.fileExists(configToUse.file)) {
-            scan.zipValidator(configToUse);
-            autoDetection.assignLanguage([configToUse.file], configToUse);
-        }
-        else {
+const fileAndLanguageLogic = async (configToUse) => {
+    if (configToUse.file) {
+        if (!fileFunctions.fileExists(configToUse.file)) {
             console.log(i18n.__('fileNotExist'));
             process.exit(0);
         }
+        return configToUse;
     }
+    else {
+        if (configToUse.file === undefined || configToUse.file === null) {
+            await autoDetection.autoDetectFileAndLanguage(configToUse);
+        }
+    }
+};
+const startScan = async (configToUse) => {
+    await fileAndLanguageLogic(configToUse);
     if (!configToUse.projectId) {
         configToUse.projectId = await populateProjectIdAndProjectName.populateProjectId(configToUse);
     }
@@ -46,7 +44,7 @@ const startScan = async () => {
         const scanResultsInstances = await scanResults.returnScanResultsInstances(configToUse, scanDetail.id);
         succeedSpinner(startScanSpinner, 'Contrast Scan complete');
         const projectOverview = await scanResults.returnScanProjectById(configToUse);
-        return { projectOverview, scanResultsInstances };
+        return { projectOverview, scanDetail, scanResultsInstances };
     }
 };
 module.exports = {

package/dist/scan/scanResults.js

@@ -1,8 +1,8 @@
 "use strict";
 const commonApi = require('../utils/commonApi');
 const requestUtils = require('../../src/utils/requestUtils');
-const i18n = require('i18n');
 const oraFunctions = require('../utils/oraWrapper');
+const _ = require('lodash');
 const getScanId = async (config, codeArtifactId, client) => {
     return client
         .getScanId(config, codeArtifactId)
@@ -29,25 +29,27 @@ const returnScanResults = async (config, codeArtifactId, timeout, startScanSpinn
     let scanId = await getScanId(config, codeArtifactId, client);
     let startTime = new Date();
     let complete = false;
-    while (!complete) {
-        let result = await pollScanResults(config, scanId, client);
-        if (JSON.stringify(result.statusCode) == 200) {
-            if (result.body.status === 'COMPLETED') {
-                complete = true;
-                return result.body;
+    if (!_.isNil(scanId)) {
+        while (!complete) {
+            let result = await pollScanResults(config, scanId, client);
+            if (JSON.stringify(result.statusCode) == 200) {
+                if (result.body.status === 'COMPLETED') {
+                    complete = true;
+                    return result.body;
+                }
+                if (result.body.status === 'FAILED') {
+                    complete = true;
+                    oraFunctions.failSpinner(startScanSpinner, 'Contrast Scan Failed.');
+                    process.exit(1);
+                }
             }
-            if (result.body.status === 'FAILED') {
-                complete = true;
-                oraFunctions.failSpinner(startScanSpinner, 'Contrast Scan Failed.');
+            let endTime = new Date() - startTime;
+            if (requestUtils.millisToSeconds(endTime) > timeout) {
+                oraFunctions.failSpinner(startScanSpinner, 'Contrast Scan timed out at the specified ' + timeout + ' seconds.');
+                console.log('Please try again, allowing more time.');
                 process.exit(1);
             }
         }
-        let endTime = new Date() - startTime;
-        if (requestUtils.millisToSeconds(endTime) > timeout) {
-            oraFunctions.failSpinner(startScanSpinner, 'Contrast Scan timed out at the specified ' + timeout + ' seconds.');
-            console.log('Please try again, allowing more time.');
-            process.exit(1);
-        }
     }
 };
 const returnScanResultsInstances = async (config, scanId) => {

package/dist/utils/commonApi.js

@@ -1,7 +1,7 @@
 "use strict";
 const HttpClient = require('./../common/HTTPClient');
-const { badRequestError, unauthenticatedError, forbiddenError, proxyError, hostWarningError, genericError } = require('../common/errorHandling');
-const handleResponseErrors = (res, api, hostPresent) => {
+const { badRequestError, unauthenticatedError, forbiddenError, proxyError, genericError } = require('../common/errorHandling');
+const handleResponseErrors = (res, api) => {
     if (res.statusCode === 400) {
         api === 'catalogue' ? badRequestError(true) : badRequestError(false);
     }
@@ -15,7 +15,7 @@ const handleResponseErrors = (res, api, hostPresent) => {
         proxyError();
     }
     else {
-        hostPresent === false ? hostWarningError() : genericError();
+        genericError();
     }
 };
 const getProtocol = host => {

package/dist/utils/fileUtils.js

@@ -0,0 +1,31 @@
+"use strict";
+const fg = require('fast-glob');
+const fs = require('fs');
+const i18n = require('i18n');
+const findFile = async () => {
+    console.log(i18n.__('searchingScanFileDirectory', process.cwd()));
+    return fg(['**/*.jar', '**/*.war', '**/*.zip', '**/*.dll'], {
+        dot: false,
+        deep: 3,
+        onlyFiles: true
+    });
+};
+const checkFilePermissions = file => {
+    let readableFile = false;
+    try {
+        fs.accessSync(file, fs.constants.R_OK);
+        return (readableFile = true);
+    }
+    catch (err) {
+        console.log('Invalid permissions found on ', file);
+        process.exit(0);
+    }
+};
+const fileExists = path => {
+    return fs.existsSync(path);
+};
+module.exports = {
+    findFile,
+    fileExists,
+    checkFilePermissions
+};

package/dist/utils/paramsUtil/commandlineParams.js

@@ -1,7 +1,5 @@
 "use strict";
-const cliOptions = require('../parsedCLIOptions');
-const parsedCLIOptions = cliOptions.getCommandLineArgs();
-const getAuth = () => {
+const getAuth = parsedCLIOptions => {
     let params = {};
     params.apiKey = parsedCLIOptions['apiKey'];
     params.authorization = parsedCLIOptions['authorization'];
@@ -9,23 +7,6 @@ const getAuth = () => {
     params.organizationId = parsedCLIOptions['organizationId'];
     return params;
 };
-const getScanParams = () => {
-    let scanParams = {};
-    scanParams.help = parsedCLIOptions['help'];
-    scanParams.file = parsedCLIOptions['file'];
-    scanParams.language = parsedCLIOptions['language']
-        ? parsedCLIOptions['language'].toUpperCase()
-        : parsedCLIOptions['language'];
-    scanParams.ff = parsedCLIOptions['ff'];
-    scanParams.timeout = parsedCLIOptions['timeout'];
-    scanParams.name = parsedCLIOptions['name'];
-    scanParams.verbose = parsedCLIOptions['verbose'];
-    if (!scanParams.name) {
-        scanParams.name = scanParams.file;
-    }
-    return scanParams;
-};
 module.exports = {
-    getScanParams: getScanParams,
     getAuth: getAuth
 };

package/dist/utils/paramsUtil/genericCommandLineParams.js

@@ -0,0 +1,12 @@
+"use strict";
+const cliOptions = require('../parsedCLIOptions');
+const getGenericCommandLineParams = () => {
+    return cliOptions.getCommandLineArgsGeneric();
+};
+const getSpecificCommandLineParams = (parameterList, optionDefinition) => {
+    return cliOptions.getCommandLineArgsCustom(parameterList, optionDefinition);
+};
+module.exports = {
+    getSpecificCommandLineParams,
+    getGenericCommandLineParams
+};

package/dist/utils/paramsUtil/paramHandler.js

@@ -4,8 +4,8 @@ const configStoreParams = require('./configStoreParams');
 const envVariableParams = require('./envVariableParams');
 const { validateAuthParams } = require('../validationCheck');
 const i18n = require('i18n');
-const getAuth = () => {
-    let commandLineAuthParamsAuth = commandlineAuth.getAuth();
+const getAuth = params => {
+    let commandLineAuthParamsAuth = commandlineAuth.getAuth(params);
     let envVariableParamsAuth = envVariableParams.getAuth();
     let configStoreParamsAuth = configStoreParams.getAuth();
     if (validateAuthParams(commandLineAuthParamsAuth)) {
@@ -22,7 +22,4 @@ const getAuth = () => {
         process.exit(1);
     }
 };
-const getScanSubCommands = () => {
-    return commandlineAuth.getScanParams();
-};
-module.exports = { getAuth: getAuth, getScanSubCommands: getScanSubCommands };
+module.exports = { getAuth: getAuth };

package/dist/utils/parsedCLIOptions.js

@@ -1,13 +1,19 @@
 "use strict";
-const constants = require('../constants');
 const commandLineArgs = require('command-line-args');
-const getCommandLineArgs = () => {
-    return commandLineArgs(constants.commandLineDefinitions.scanOptionDefinitions, {
-        partial: true,
-        camelCase: true,
-        caseInsensitive: true
-    });
+const getCommandLineArgsCustom = (parameterList, optionDefinitions) => {
+    try {
+        return commandLineArgs(optionDefinitions, {
+            argv: parameterList,
+            partial: false,
+            camelCase: true,
+            caseInsensitive: true
+        });
+    }
+    catch (e) {
+        console.log(e.message.toString());
+        process.exit(1);
+    }
 };
 module.exports = {
-    getCommandLineArgs: getCommandLineArgs
+    getCommandLineArgsCustom
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -21,7 +21,9 @@
   "scripts": {
     "build": "tsc",
     "test": "jest --testPathIgnorePatterns=./test-integration/",
-    "test-int": "jest ./test-integration/scan/",
+    "test-int": "jest ./test-integration/",
+    "test-int-scan": "jest ./test-integration/scan",
+    "test-int-audit": "jest ./test-integration/audit",
     "format": "prettier --write \"**/*.{ts,tsx,js,css,scss,json,md,yml}\" .eslintrc.* .babelrc",
     "check-format": "prettier --check \"**/*.{ts,tsx,js,css,scss,json,md,yml}\" .eslintrc.* .babelrc",
     "coverage-local": "nyc --reporter=text mocha './test/**/*.spec.js'",
@@ -36,26 +38,28 @@
     "node": ">=16.13.2 <17"
   },
   "dependencies": {
-    "@aws-sdk/client-iam": "^3.53.0",
-    "@aws-sdk/client-lambda": "^3.53.0",
+    "@aws-sdk/client-iam": "^3.78.0",
+    "@aws-sdk/client-lambda": "^3.78.0",
+    "@types/semver": "^7.3.9",
     "@yarnpkg/lockfile": "^1.1.0",
-    "adm-zip": "^0.5.9",
     "bluebird": "^3.7.2",
-    "chalk": "^4.1.2",
+    "boxen": "5.1.2",
+    "chalk": "4.1.2",
     "command-line-args": "^5.2.1",
-    "command-line-usage": "^6.1.1",
-    "conf": "^10.1.1",
+    "command-line-usage": "^6.1.3",
+    "conf": "^10.1.2",
     "dotenv": "^16.0.0",
     "fast-glob": "^3.2.11",
-    "i18n": "^0.14.1",
+    "i18n": "^0.14.2",
     "js-yaml": "^4.1.0",
+    "latest-version": "5.1.0",
     "lodash": "^4.17.21",
     "log-symbols": "^4.1.0",
     "open": "^8.4.0",
     "ora": "5.4.1",
     "prettyjson": "^1.2.5",
     "request": "^2.88.2",
-    "semver": "^7.3.5",
+    "semver": "^7.3.7",
     "string-builder": "^0.1.8",
     "string-multiple-replace": "^1.0.5",
     "tmp": "^0.2.1",
@@ -68,24 +72,25 @@
     "@types/command-line-usage": "^5.0.2",
     "@types/i18n": "^0.13.2",
     "@types/jest": "^27.4.1",
-    "@types/lodash": "^4.14.181",
-    "@typescript-eslint/eslint-plugin": "^5.13.0",
-    "@typescript-eslint/parser": "^5.13.0",
+    "@types/lodash": "^4.14.182",
+    "@typescript-eslint/eslint-plugin": "^5.21.0",
+    "@typescript-eslint/parser": "^5.21.0",
     "csv-writer": "^1.6.0",
-    "eslint": "^8.8.0",
-    "eslint-config-prettier": "^8.3.0",
+    "eslint": "^8.14.0",
+    "eslint-config-prettier": "^8.5.0",
     "eslint-plugin-prettier": "^4.0.0",
-    "husky": "^3.0.9",
-    "jest": "^27.4.7",
-    "mocha": "^9.2.1",
+    "husky": "^3.1.0",
+    "jest": "^27.5.1",
+    "jest-junit": "^13.2.0",
+    "mocha": "^9.2.2",
     "npm-license-crawler": "^0.2.1",
     "nyc": "^15.1.0",
-    "pkg": "^5.5.2",
+    "pkg": "^5.6.0",
     "prettier": "^1.19.1",
     "tmp": "^0.2.1",
-    "ts-jest": "^27.1.3",
+    "ts-jest": "^27.1.4",
     "ts-node": "^10.7.0",
-    "typescript": "^4.6.2",
+    "typescript": "^4.6.3",
     "uuid": "^8.3.2"
   },
   "resolutions": {