@contrast/contrast 1.0.0 → 1.0.1

package/src/audit/AnalysisEngine.js

@@ -0,0 +1,103 @@
+/**
+ * The 'AnalysisEngine' type represents a simple state machine that can be used
+ * to move through a list of steps sequentially to analyze a project. Consumers
+ * construct their own steps and add them to the state machine in their desired
+ * order. Upon completion the state machine can callback to the consumer that
+ * originally invoked them with the results of the analysis.
+ */
+class AnalysisEngine {
+  /**
+   * Constructor that creates a new state machine instance. Accepts an optional
+   * argument that initializes the internal state.
+   *
+   * @param {Object} initAnalysis - state used to initialize internal state
+   *
+   * @example
+   * const ae = new AnalysisEngine()
+   * const ae = new AnalysisEngine({ someInfo: [1, 2, 3] })
+   */
+  constructor(initAnalysis = {}) {
+    this.analyzers = []
+    this.analysis = { ...initAnalysis }
+  }
+
+  /**
+   * Takes either a function or a list of functions and adds them in sequential
+   * order to a list. The list will be executed at a later time as the steps of
+   * the state machine.
+   *
+   * Functions must follow the signature (analysis, next) where:
+   * 'analysis' is an object that represents the current internal state
+   * 'next' is a function to be invoked when the step is complete
+   *
+   * The function signature of 'next' is (err) where:
+   * 'err' is an Error that occurred during the previous step invoked
+   *
+   * @param {function(analysis: object, next: function)|function[]} analyzer -
+   * the analyzer(s) to be added to the list of steps in sequential order
+   *
+   * @example
+   * const myAnalyzer = (analysis, next) => {
+   *   // Perform business logic
+   *   // Add results to 'analysis'
+   *   analysis.result = ...
+   *
+   *   // Signal the next analyzer/step to be invoked
+   *   next()
+   * }
+   *
+   * ae.use(myAnalyzer)
+   */
+  use(analyzer) {
+    if (Array.isArray(analyzer)) {
+      this.analyzers = [...this.analyzers, ...analyzer]
+      return
+    }
+
+    this.analyzers.push(analyzer)
+  }
+
+  /**
+   * Starts the execution of the state machine given the steps it is to use.
+   * When complete it callbacks back to the consumer that invoked it. The
+   * callbacks signature is (err, analysis) where:
+   * 'err' is an Error from one of the steps that prevented completion
+   * 'analysis' is the final internal state
+   *
+   * @param {function(err: Error, analysis: object)} callback - callback to be
+   * invoked when state machine complete or fails prematurely
+   * @param config:object containing config - needed for Java analysis - optional for other languages
+   */
+  analyze(callback, config) {
+    let i = 0
+
+    const next = err => {
+      // If one of the analyzers encountered an error then callback
+      if (err) {
+        return setImmediate(() => callback(err, this.analysis))
+      }
+
+      // If there are no more analyzers to invoke then callback
+      if (i >= this.analyzers.length) {
+        return setImmediate(() => callback(null, this.analysis))
+      }
+
+      // Invoke the next analyzer
+      const analyzer = this.analyzers[i]
+      i++
+
+      setImmediate(() => {
+        // Protect ourselves from any uncaught errors thrown by analyzers
+        try {
+          analyzer(this.analysis, next, config)
+        } catch (uncaughtErr) {
+          next(uncaughtErr)
+        }
+      })
+    }
+
+    next()
+  }
+}
+
+module.exports = exports = AnalysisEngine

package/src/audit/catalogueApplication/catalogueApplication.js

@@ -0,0 +1,42 @@
+const i18n = require('i18n')
+const { getHttpClient, handleResponseErrors } = require('../../utils/commonApi')
+
+const locationOfApp = (config, appId) => {
+  return `${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${appId}`
+}
+
+const displaySuccessMessage = (config, appId) => {
+  console.log(
+    '\n **************************' +
+      i18n.__('successHeader') +
+      '************************** \n'
+  )
+  console.log('\n' + i18n.__('catalogueSuccessCommand') + appId + '\n')
+  console.log(locationOfApp(config, appId))
+  console.log(
+    '\n *********************************************************** \n'
+  )
+}
+
+const catalogueApplication = async config => {
+  const client = getHttpClient(config)
+  let appId
+  await client
+    .catalogueCommand(config)
+    .then(res => {
+      if (res.statusCode === 201) {
+        displaySuccessMessage(config, res.body.application.app_id)
+        appId = res.body.application.app_id
+      } else {
+        handleResponseErrors(res, 'catalogue')
+      }
+    })
+    .catch(err => {
+      console.log(err)
+    })
+  return appId
+}
+
+module.exports = {
+  catalogueApplication: catalogueApplication
+}

package/src/audit/dotnetAnalysisEngine/index.js

@@ -0,0 +1,26 @@
+const AnalysisEngine = require('../AnalysisEngine')
+const readProjectFileContents = require('./readProjectFileContents')
+const parseProjectFileContents = require('./parseProjectFileContents')
+const readLockFileContents = require('./readLockFileContents')
+const parseLockFileContents = require('./parseLockFileContents')
+const sanitizer = require('./sanitizer')
+const i18n = require('i18n')
+
+module.exports = exports = (language, config, callback) => {
+  const ae = new AnalysisEngine({ language, config, dotnet: {} })
+  ae.use([
+    readProjectFileContents,
+    parseProjectFileContents,
+    readLockFileContents,
+    parseLockFileContents,
+    sanitizer
+  ])
+
+  ae.analyze((err, analysis) => {
+    if (err) {
+      callback(new Error(i18n.__('dotnetAnalysisFailure') + err.message))
+      return
+    }
+    callback(null, analysis)
+  })
+}

package/src/audit/dotnetAnalysisEngine/parseLockFileContents.js

@@ -0,0 +1,47 @@
+const i18n = require('i18n')
+
+module.exports = exports = ({ language: { lockFilePath }, dotnet }, next) => {
+  const { rawLockFileContents } = dotnet
+
+  // If we never read the lock file then pass priority
+  if (!rawLockFileContents) {
+    next()
+
+    return
+  }
+
+  try {
+    let count = 0 // Used to test if some nodes are deleted
+    dotnet.lockFile = JSON.parse(rawLockFileContents)
+
+    for (const dependenciesNode in dotnet.lockFile.dependencies) {
+      for (const innerNode in dotnet.lockFile.dependencies[dependenciesNode]) {
+        const nodeValidation = JSON.stringify(
+          dotnet.lockFile.dependencies[dependenciesNode][innerNode]
+        )
+        if (nodeValidation.includes('"type":"Project"')) {
+          count += 1
+          delete dotnet.lockFile.dependencies[dependenciesNode][innerNode]
+          dotnet.additionalInfo = 'dependenciesNote'
+        }
+      }
+    }
+
+    // If dependencies removed wait for json to be displayed and flag warning
+    if (count > 0) {
+      const multiLevelProjectWarning = () => {
+        console.log('')
+        console.log(i18n.__('dependenciesNote'))
+      }
+      setTimeout(multiLevelProjectWarning, 7000)
+    }
+  } catch (err) {
+    next(
+      new Error(i18n.__('dotnetParseLockfile', lockFilePath) + `${err.message}`)
+    )
+
+    return
+  }
+
+  next()
+}

package/src/audit/dotnetAnalysisEngine/parseProjectFileContents.js

@@ -0,0 +1,29 @@
+const xml2js = require('xml2js')
+const i18n = require('i18n')
+
+module.exports = exports = (
+  { language: { projectFilePath }, dotnet },
+  next
+) => {
+  const { rawProjectFileContents } = dotnet
+
+  // Read the .NET project file contents. We are reading into memory presuming
+  // that the contents of the file aren't large which may be bad... Could look
+  // into streaming in the future
+  // explicitArray: false - to not abuse of arrays, with this option we are able to read JSON properties in an easier way
+  // mergeAttrs: true  - to merge attributes and child elements as properties of the parent
+  const parser = new xml2js.Parser({ explicitArray: false, mergeAttrs: true })
+  parser.parseString(rawProjectFileContents, (err, projectFileXML) => {
+    if (err) {
+      next(
+        new Error(i18n.__('dotnetParseProjectFile', projectFilePath) + `${err}`)
+      )
+
+      return
+    }
+
+    dotnet.projectFile = projectFileXML
+
+    next()
+  })
+}

package/src/audit/dotnetAnalysisEngine/readLockFileContents.js

@@ -0,0 +1,30 @@
+const fs = require('fs')
+const i18n = require('i18n')
+
+module.exports = exports = (analysis, next) => {
+  const {
+    language: { lockFilePath },
+    dotnet
+  } = analysis
+
+  // Make sure to check to see if there was a lock file detected as its not
+  // required
+  if (!lockFilePath) {
+    next()
+    return
+  }
+
+  // we're working on the assumtion that a dotNet project will only ever have one lock file
+  //while other language may have more
+  try {
+    dotnet.rawLockFileContents = fs.readFileSync(lockFilePath)
+  } catch (err) {
+    next(
+      new Error(i18n.__('dotnetReadLockfile', lockFilePath) + `${err.message}`)
+    )
+
+    return
+  }
+
+  next()
+}

package/src/audit/dotnetAnalysisEngine/readProjectFileContents.js

@@ -0,0 +1,26 @@
+const fs = require('fs')
+const i18n = require('i18n')
+
+module.exports = exports = (analysis, next) => {
+  const {
+    language: { projectFilePath },
+    dotnet
+  } = analysis
+
+  // Read the .NET project file contents. We are reading into memory presuming
+  // that the contents of the file aren't large which may be bad... Could look
+  // into streaming in the future
+  try {
+    dotnet.rawProjectFileContents = fs.readFileSync(projectFilePath)
+  } catch (err) {
+    next(
+      new Error(
+        i18n.__('dotnetReadProjectFile', projectFilePath) + `${err.message}`
+      )
+    )
+
+    return
+  }
+
+  next()
+}

package/src/audit/dotnetAnalysisEngine/sanitizer.js

@@ -0,0 +1,11 @@
+module.exports = exports = ({ dotnet }, next) => {
+  // Remove anything sensitive or unnecessary from being sent to the backend as
+  // a result of our .NET project analysis
+  delete dotnet.rawProjectFileContents
+  delete dotnet.parsedProjectFileContents
+  delete dotnet.projectFileXML
+  delete dotnet.packageReferences
+  delete dotnet.rawLockFileContents
+
+  next()
+}

package/src/audit/goAnalysisEngine/index.js

@@ -0,0 +1,18 @@
+const AnalysisEngine = require('../AnalysisEngine')
+const readProjectFileContents = require('./readProjectFileContents')
+const parseProjectFileContents = require('./parseProjectFileContents')
+const sanitizer = require('./sanitizer')
+const i18n = require('i18n')
+
+module.exports = exports = (language, config, callback) => {
+  const ae = new AnalysisEngine({ language, config, go: {} })
+  ae.use([readProjectFileContents, parseProjectFileContents, sanitizer])
+
+  ae.analyze((err, analysis) => {
+    if (err) {
+      callback(new Error(i18n.__('goAnalysisError') + `${err.message}`))
+      return
+    }
+    callback(null, analysis)
+  })
+}

package/src/audit/goAnalysisEngine/parseProjectFileContents.js

@@ -0,0 +1,209 @@
+const i18n = require('i18n')
+const crypto = require('crypto')
+
+module.exports = exports = ({ go }, next) => {
+  const { modGraphOutput } = go
+  try {
+    go.goDependencyTrees = parseGo(modGraphOutput)
+  } catch (err) {
+    next(new Error(i18n.__('goParseProjectFile') + `${err.message}`))
+    return
+  }
+  next()
+}
+
+const splitAllLinesIntoArray = modGraphOutput => {
+  return modGraphOutput.split(/\r\n|\r|\n/)
+}
+
+const parseGo = modGraphOutput => {
+  let splitLines = splitAllLinesIntoArray(modGraphOutput)
+  const directDepNames = getDirectDepNames(splitLines)
+  const uniqueTransitiveDepNames = getAllUniqueTransitiveDepNames(
+    splitLines,
+    directDepNames
+  )
+
+  let rootNodes = createRootNodes(splitLines)
+
+  createTransitiveDeps(uniqueTransitiveDepNames, splitLines, rootNodes)
+
+  //console.log(rootNodes)
+
+  return rootNodes
+}
+
+const getAllDepsOfADepAsEdge = (dep, deps) => {
+  let edges = {}
+
+  const depRows = deps.filter(line => {
+    return line.startsWith(dep)
+  })
+
+  depRows.forEach(dep => {
+    const edgeName = dep.split(' ')[1]
+    edges[edgeName] = edgeName
+  })
+
+  return edges
+}
+
+const getAllDepsOfADepAsName = (dep, deps) => {
+  let edges = []
+
+  const depRows = deps.filter(line => {
+    return line.startsWith(dep)
+  })
+
+  depRows.forEach(dep => {
+    const edgeName = dep.split(' ')[1]
+    edges.push(edgeName)
+  })
+
+  return edges
+}
+
+const createRootNodes = deps => {
+  let rootDep = {}
+  const rootDeps = getRootDeps(deps)
+
+  const edges = rootDeps.map(dep => {
+    return dep.split(' ')[1]
+  })
+
+  rootDep[rootDeps[0].split(' ')[0]] = {}
+
+  edges.forEach(edge => {
+    const splitEdge = edge.split('@')
+    const splitGroupName = splitEdge[0].split('/')
+    const name = splitGroupName.pop()
+    const lastSlash = splitEdge[0].lastIndexOf('/')
+    let group = splitEdge[0].substring(0, lastSlash)
+    const hash = getHash(splitEdge[0])
+
+    group = checkGroupExists(group, name)
+
+    //get the edges of the root dependency
+    const edgesOfDep = getAllDepsOfADepAsEdge(edge, deps)
+
+    rootDep[rootDeps[0].split(' ')[0]][edge] = {
+      artifactID: name,
+      group: group,
+      version: splitEdge[1],
+      scope: '"compile',
+      type: 'direct',
+      hash: hash,
+      edges: edgesOfDep
+    }
+  })
+  return rootDep
+}
+
+const getRootDeps = deps => {
+  const rootDeps = deps.filter(dep => {
+    const parentDep = dep.split(' ')[0]
+    if (parentDep.split('@v').length === 1) {
+      return dep
+    }
+  })
+  return rootDeps
+}
+
+const getHash = library => {
+  let shaSum = crypto.createHash('sha1')
+  shaSum.update(library)
+  return shaSum.digest('hex')
+}
+
+const getDirectDepNames = deps => {
+  const directDepNames = []
+
+  deps.forEach(dep => {
+    const parentDep = dep.split(' ')[0]
+    if (parentDep.split('@v').length === 1) {
+      dep.split(' ')[1] !== undefined
+        ? directDepNames.push(dep.split(' ')[1])
+        : null
+    }
+  })
+  return directDepNames
+}
+
+const getAllUniqueTransitiveDepNames = (deps, directDepNames) => {
+  let uniqueDeps = []
+
+  deps.forEach(dep => {
+    const parentDep = dep.split(' ')[0]
+    if (parentDep.split('@v').length !== 1) {
+      if (!directDepNames.includes(parentDep)) {
+        if (!uniqueDeps.includes(parentDep)) {
+          parentDep.length > 1 ? uniqueDeps.push(parentDep) : null
+        }
+      }
+    }
+  })
+  return uniqueDeps
+}
+
+const checkGroupExists = (group, name) => {
+  if (group === null || group === '') {
+    return name
+  }
+  return group
+}
+
+const createTransitiveDeps = (transitiveDeps, splitLines, rootNodes) => {
+  transitiveDeps.forEach(dep => {
+    //create transitive dep
+    const splitEdge = dep.split('@')
+    const splitGroupName = splitEdge[0].split('/')
+    const name = splitGroupName.pop()
+    const lastSlash = splitEdge[0].lastIndexOf('/')
+    let group = splitEdge[0].substring(0, lastSlash)
+    const hash = getHash(splitEdge[0])
+
+    group = checkGroupExists(group, name)
+
+    const transitiveDep = {
+      artifactID: name,
+      group: group,
+      version: splitEdge[1],
+      scope: 'compile',
+      type: 'transitive',
+      hash: hash,
+      edges: {}
+    }
+
+    //add edges to transitiveDep
+    const edges = getAllDepsOfADepAsEdge(dep, splitLines)
+    transitiveDep.edges = edges
+
+    //add all edges as a transitive dependency to rootNodes
+    const edgesAsName = getAllDepsOfADepAsName(dep, splitLines)
+
+    edgesAsName.forEach(dep => {
+      const splitEdge = dep.split('@')
+      const splitGroupName = splitEdge[0].split('/')
+      const name = splitGroupName.pop()
+      const lastSlash = splitEdge[0].lastIndexOf('/')
+      let group = splitEdge[0].substring(0, lastSlash)
+      const hash = getHash(splitEdge[0])
+
+      group = checkGroupExists(group, name)
+
+      const transitiveDep = {
+        artifactID: name,
+        group: group,
+        version: splitEdge[1],
+        scope: 'compile',
+        type: 'transitive',
+        hash: hash,
+        edges: {}
+      }
+      rootNodes[Object.keys(rootNodes)[0]][dep] = transitiveDep
+    })
+
+    //add transitive dependency to rootNodes
+    rootNodes[Object.keys(rootNodes)[0]][dep] = transitiveDep
+  })
+}

package/src/audit/goAnalysisEngine/readProjectFileContents.js

@@ -0,0 +1,31 @@
+const child_process = require('child_process')
+const i18n = require('i18n')
+
+module.exports = exports = async (
+  { language: { projectFilePath }, go },
+  next
+) => {
+  let cmdStdout
+  let cwd
+  try {
+    cwd = projectFilePath.replace('go.mod', '')
+    // A sample of this output can be found
+    // in the go test folder data/goModGraphResults.text
+    cmdStdout = child_process.execSync('go mod graph', { cwd })
+
+    go.modGraphOutput = cmdStdout.toString()
+
+    next()
+  } catch (err) {
+    if (err.message === 'spawnSync /bin/sh ENOENT') {
+      err.message =
+        '\n\n*************** No transitive dependencies ***************\n\nWe are unable to build a dependency tree view from your repository as there were no transitive dependencies found.'
+    }
+    next(
+      new Error(
+        i18n.__('goReadProjectFile', cwd, `${err.message ? err.message : ''}`)
+      )
+    )
+    return
+  }
+}

package/src/audit/goAnalysisEngine/sanitizer.js

@@ -0,0 +1,7 @@
+module.exports = exports = ({ go }, next) => {
+  // Remove anything sensitive or unnecessary from being sent to the backend as
+  // a result of our Go project analysis
+  delete go.modGraphOutput
+
+  next()
+}

package/src/audit/javaAnalysisEngine/index.js

@@ -0,0 +1,41 @@
+const AnalysisEngine = require('../AnalysisEngine')
+
+const readProjectFileContents = require('./readProjectFileContents')
+const parseMavenProjectFileContents = require('./parseMavenProjectFileContents')
+const parseProjectFileContents = require('./parseProjectFileContents')
+const sanitizer = require('./sanitizer')
+const i18n = require('i18n')
+
+module.exports = exports = (language, config, callback) => {
+  const ae = new AnalysisEngine({ language, config, java: {} })
+
+  // Remove ".kts" from filename to look the same as a Gradle projectFileName so we can support Kotlin
+  language.projectFilePath = language.projectFilePath.replace(
+    'build.gradle.kts',
+    'build.gradle'
+  )
+
+  if (config['beta_unified_java_parser']) {
+    console.log('Using new parser...')
+    ae.use([readProjectFileContents, parseProjectFileContents, sanitizer])
+  } else if (
+    language.projectFilePath.endsWith('pom.xml') &&
+    !config['beta_unified_java_parser']
+  ) {
+    ae.use([readProjectFileContents, parseMavenProjectFileContents, sanitizer])
+  } else {
+    ae.use([
+      readProjectFileContents,
+      parseMavenProjectFileContents,
+      parseProjectFileContents,
+      sanitizer
+    ])
+  }
+  ae.analyze((err, analysis) => {
+    if (err) {
+      console.log(i18n.__('javaAnalysisError'), err.message)
+      return
+    }
+    callback(null, analysis, config)
+  }, config)
+}