@contrast/contrast 1.0.0 → 1.0.3

package/src/audit/languageAnalysisEngine/report/reportingFeature.js

@@ -0,0 +1,190 @@
+const i18n = require('i18n')
+const commonApi = require('../commonApi')
+const commonReport = require('./commonReportingFunctions')
+
+function displaySuccessMessageVulnerabilities() {
+  console.log(i18n.__('vulnerabilitiesSuccessMessage'))
+}
+
+const vulnerabilityReport = async (analysis, applicationId, config) => {
+  let depRiskReportCount = {}
+  if (analysis.language === 'NODE') {
+    depRiskReportCount = await commonReport.dependencyRiskReport(
+      analysis.node.packageJSON,
+      config
+    )
+  }
+  if (config['report']) {
+    const reportResponse = await commonReport.getReport(applicationId)
+    if (reportResponse !== undefined) {
+      const libraryVulnerabilityInput = createLibraryVulnerabilityInput(
+        reportResponse.reports
+      )
+      const libraryVulnerabilityResponse = await getLibraryVulnerabilities(
+        libraryVulnerabilityInput,
+        applicationId
+      )
+
+      const severity = config['cve_severity']
+      const id = applicationId
+      const name = config.applicationName
+      const hasSomeVulnerabilitiesReported = formatVulnerabilityOutput(
+        libraryVulnerabilityResponse,
+        severity,
+        id,
+        name,
+        depRiskReportCount,
+        config
+      )
+      commonReport.analyseReportOptions(hasSomeVulnerabilitiesReported)
+    }
+  }
+}
+
+const createLibraryVulnerabilityInput = report => {
+  const language = Object.keys(report[0].report)[0]
+  const reportTree = report[0].report[language].dependencyTree
+  const libraries = reportTree[Object.keys(reportTree)[0]]
+
+  let gav = []
+  // eslint-disable-next-line
+  for (const key of Object.keys(libraries)) {
+    gav.push({
+      name: libraries[key].name,
+      group: libraries[key].group,
+      version: libraries[key].resolved
+    })
+  }
+
+  return {
+    name_group_versions: gav,
+    language: language.toUpperCase()
+  }
+}
+
+const oldCountSeverity = vulnerableLibraries => {
+  const severityCount = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0
+  }
+
+  vulnerableLibraries.forEach(lib => {
+    lib.vulns.forEach(vuln => {
+      if (vuln.severity_code === 'HIGH') {
+        severityCount['high'] += 1
+      } else if (vuln.severity_code === 'MEDIUM') {
+        severityCount['medium'] += 1
+      } else if (vuln.severity_code === 'LOW') {
+        severityCount['low'] += 1
+      } else if (vuln.severity_code === 'CRITICAL') {
+        severityCount['critical'] += 1
+      }
+    })
+  })
+  return severityCount
+}
+
+const parseVulnerabilites = libraryVulnerabilityResponse => {
+  let parsedVulnerabilites = {}
+  let vulnName = libraryVulnerabilityResponse.libraries
+  for (let x in vulnName) {
+    let vuln = vulnName[x].vulns
+    if (vuln.length > 0) {
+      let libname =
+        vulnName[x].group +
+        '/' +
+        vulnName[x].file_name +
+        '@' +
+        vulnName[x].file_version
+      parsedVulnerabilites[libname] = vulnName[x].vulns
+    }
+  }
+  return parsedVulnerabilites
+}
+
+const formatVulnerabilityOutput = (
+  libraryVulnerabilityResponse,
+  severity,
+  id,
+  name,
+  depRiskReportCount,
+  config
+) => {
+  let vulnerableLibraries = libraryVulnerabilityResponse.libraries.filter(
+    data => {
+      return data.vulns.length > 0
+    }
+  )
+
+  const numberOfVulnerableLibraries = vulnerableLibraries.length
+  let numberOfCves = 0
+  vulnerableLibraries.forEach(lib => (numberOfCves += lib.vulns.length))
+  commonReport.createLibraryHeader(
+    id,
+    numberOfVulnerableLibraries,
+    numberOfCves,
+    name
+  )
+
+  const severityCount = oldCountSeverity(vulnerableLibraries)
+
+  // parse so filter code will work for both new (ignore dev dep) and current report
+  let vulnerabilities = parseVulnerabilites(libraryVulnerabilityResponse)
+  let filteredVulns = commonReport.filterVulnerabilitiesBySeverity(
+    severity,
+    vulnerabilities
+  )
+  let hasSomeVulnerabilitiesReported
+  hasSomeVulnerabilitiesReported = commonReport.printVulnerabilityResponse(
+    severity,
+    filteredVulns,
+    vulnerabilities
+  )
+
+  console.log(
+    '\n **************************' +
+      ` Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVE's ` +
+      '************************** '
+  )
+
+  if (depRiskReportCount && depRiskReportCount.scopedCount === 0) {
+    console.log(' No private libraries that are not scoped detected')
+  }
+
+  console.log(
+    ' \n Please go to the Contrast UI to view your dependency tree: \n' +
+      ` \n ${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
+  )
+  return [hasSomeVulnerabilitiesReported, numberOfCves, severityCount]
+}
+
+const getLibraryVulnerabilities = async (input, applicationId) => {
+  const requestBody = input
+  const addParams = agent.getAdditionalParams()
+  const userParams = await util.getParams(applicationId)
+  const protocol = getValidHost(userParams.host)
+  const client = commonApi.getHttpClient(userParams, protocol, addParams)
+
+  return client
+    .getLibraryVulnerabilities(requestBody, userParams)
+    .then(res => {
+      if (res.statusCode === 200) {
+        displaySuccessMessageVulnerabilities()
+        return res.body
+      } else {
+        handleResponseErrors(res, 'vulnerabilities')
+      }
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+module.exports = {
+  vulnerabilityReport: vulnerabilityReport,
+  getLibraryVulnerabilities: getLibraryVulnerabilities,
+  formatVulnerabilityOutput: formatVulnerabilityOutput,
+  createLibraryVulnerabilityInput: createLibraryVulnerabilityInput
+}

package/src/audit/languageAnalysisEngine/sendSnapshot.js

@@ -0,0 +1,51 @@
+const prettyjson = require('prettyjson')
+const i18n = require('i18n')
+const { getHttpClient } = require('../../utils/commonApi')
+const { handleResponseErrors } = require('../../common/errorHandling')
+const { APP_VERSION } = require('../../constants/constants')
+
+function displaySnapshotSuccessMessage(config) {
+  console.log(
+    '\n **************************' +
+      i18n.__('successHeader') +
+      '************************** '
+  )
+  console.log('\n' + i18n.__('snapshotSuccessMessage') + '\n')
+  console.log(
+    ` ${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
+  )
+  console.log('\n ***********************************************************')
+}
+
+const newSendSnapShot = async (analysis, applicationId) => {
+  const analysisLanguage = analysis.config.language.toLowerCase()
+  const requestBody = {
+    appID: analysis.config.applicationId,
+    cliVersion: APP_VERSION,
+    snapshot: { [analysisLanguage]: analysis[analysisLanguage] }
+  }
+
+  const client = getHttpClient(analysis.config)
+
+  return client
+    .sendSnapshot(requestBody, analysis.config)
+    .then(res => {
+      // if (!analysis.config.silent) {
+      //   console.log(prettyjson.render(requestBody))
+      // }
+      if (res.statusCode === 201) {
+        displaySnapshotSuccessMessage(analysis.config)
+        return res.body
+      } else {
+        handleResponseErrors(res, 'snapshot')
+      }
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+module.exports = {
+  newSendSnapShot: newSendSnapShot,
+  displaySnapshotSuccessMessage: displaySnapshotSuccessMessage
+}

package/src/audit/languageAnalysisEngine/util/capabilities.js

@@ -0,0 +1,12 @@
+const CLI_IGNORE_DEV_DEPS = 'CLI_IGNORE_DEV_DEPS'
+
+const featuresTeamServer = [
+  {
+    CLI_IGNORE_DEV_DEPS: '3.9.0'
+  }
+]
+
+module.exports = {
+  featuresTeamServer,
+  CLI_IGNORE_DEV_DEPS
+}

package/src/audit/languageAnalysisEngine/util/generalAPI.js

@@ -0,0 +1,43 @@
+const { featuresTeamServer } = require('./capabilities')
+const semver = require('semver')
+const { handleResponseErrors } = require('../../../common/errorHandling')
+const { getHttpClient } = require('../../../utils/commonApi')
+
+const getGlobalProperties = async config => {
+  const client = getHttpClient(config)
+
+  return client
+    .getGlobalProperties(config)
+    .then(res => {
+      if (res.statusCode === 200) {
+        return res.body
+      } else {
+        handleResponseErrors(res, 'globalProperties')
+      }
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+const getFeatures = version => {
+  const featuresEnabled = []
+
+  featuresTeamServer.forEach(feature => {
+    const versionFrom = Object.values(feature)[0]
+    return semver.gte(version, versionFrom)
+      ? featuresEnabled.push(Object.keys(feature)[0])
+      : null
+  })
+  return featuresEnabled
+}
+
+const isFeatureEnabled = (features, featureName) => {
+  return features.includes(featureName)
+}
+
+module.exports = {
+  getGlobalProperties,
+  getFeatures,
+  isFeatureEnabled
+}

package/src/audit/languageAnalysisEngine/util/requestUtils.js

@@ -0,0 +1,17 @@
+const request = require('request')
+const Promise = require('bluebird')
+
+Promise.promisifyAll(request)
+
+function sendRequest({ options, method = 'put' }) {
+  return request[`${method}Async`](options.url, options)
+}
+
+const sleep = ms => {
+  return new Promise(resolve => setTimeout(resolve, ms))
+}
+
+module.exports = {
+  sendRequest: sendRequest,
+  sleep: sleep
+}

package/src/audit/nodeAnalysisEngine/handleNPMLockFileV2.js

@@ -0,0 +1,49 @@
+const i18n = require('i18n')
+module.exports = exports = (analysis, next) => {
+  const {
+    language: { lockFilePath },
+    node
+  } = analysis
+
+  try {
+    if (node.npmLockFile && node.npmLockFile.lockfileVersion > 1) {
+      const listOfTopDep = Object.keys(node.npmLockFile.dependencies)
+      Object.entries(node.npmLockFile.dependencies).forEach(([key, value]) => {
+        if (value.requires) {
+          const listOfRequiresDep = Object.keys(value.requires)
+          listOfRequiresDep.forEach(dep => {
+            if (!listOfTopDep.includes(dep)) {
+              addDepToLockFile(value['requires'], dep)
+            }
+          })
+        }
+
+        if (value.dependencies) {
+          Object.entries(value.dependencies).forEach(
+            ([childKey, childValue]) => {
+              if (childValue.requires) {
+                const listOfRequiresDep = Object.keys(childValue.requires)
+                listOfRequiresDep.forEach(dep => {
+                  if (!listOfTopDep.includes(dep)) {
+                    addDepToLockFile(childValue['requires'], dep)
+                  }
+                })
+              }
+            }
+          )
+        }
+      })
+    }
+  } catch (err) {
+    next(
+      next(new Error(i18n.__('NodeParseNPM', lockFilePath) + `${err.message}`))
+    )
+    return
+  }
+
+  function addDepToLockFile(depObj, key) {
+    node.npmLockFile.dependencies[key] = { version: depObj[key] }
+  }
+
+  next()
+}

package/src/audit/nodeAnalysisEngine/index.js

@@ -0,0 +1,35 @@
+const AnalysisEngine = require('../AnalysisEngine')
+
+const readProjectFileContents = require('./readProjectFileContents')
+const readNPMLockFileContents = require('./readNPMLockFileContents')
+const parseNPMLockFileContents = require('./parseNPMLockFileContents')
+const readYarnLockFileContents = require('./readYarnLockFileContents')
+const parseYarnLockFileContents = require('./parseYarnLockFileContents')
+const parseYarn2LockFileContents = require('./parseYarn2LockFileContents')
+const handleNPMLockFileV2 = require('./handleNPMLockFileV2')
+const sanitizer = require('./sanitizer')
+const i18n = require('i18n')
+
+module.exports = exports = (language, config, callback) => {
+  const ae = new AnalysisEngine({ language, config, node: {} })
+
+  ae.use([
+    readProjectFileContents,
+    readNPMLockFileContents,
+    parseNPMLockFileContents,
+    readYarnLockFileContents,
+    parseYarnLockFileContents,
+    parseYarn2LockFileContents,
+    handleNPMLockFileV2,
+    sanitizer
+  ])
+
+  ae.analyze((err, analysis) => {
+    if (err) {
+      callback(new Error(i18n.__('NodeAnalysisFailure') + `${err.message}`))
+      return
+    }
+
+    callback(null, analysis)
+  })
+}

package/src/audit/nodeAnalysisEngine/parseNPMLockFileContents.js

@@ -0,0 +1,20 @@
+const i18n = require('i18n')
+module.exports = exports = ({ language: { lockFilePath }, node }, next) => {
+  // If we never read the package-lock file then pass priority
+  if (node.rawLockFileContents === undefined) {
+    next()
+  } else {
+    try {
+      node.npmLockFile = JSON.parse(node.rawLockFileContents)
+    } catch (err) {
+      next(
+        new Error(
+          i18n.__('NodeParseNPM', lockFilePath ? lockFilePath : 'undefined') +
+            `${err.message}`
+        )
+      )
+      return
+    }
+    next()
+  }
+}

package/src/audit/nodeAnalysisEngine/parseYarn2LockFileContents.js

@@ -0,0 +1,63 @@
+const i18n = require('i18n')
+module.exports = exports = ({ language: { lockFilename }, node }, next) => {
+  // If we never read the lock file or its an earlier version then pass priority
+  if (node.rawYarnLockFileContents == undefined || node.yarnVersion == 1) {
+    next()
+  } else {
+    try {
+      node.yarnLockFile = {}
+      node.yarnLockFile['object'] = node.rawYarnLockFileContents
+      delete node.yarnLockFile['object'].__metadata
+      node.yarnLockFile['type'] = 'success'
+
+      Object.entries(node.rawYarnLockFileContents).forEach(([key, value]) => {
+        const rawKeyNames = key.split(',')
+        const keyNames = formatKey(rawKeyNames)
+
+        keyNames.forEach(name => {
+          node.yarnLockFile.object[name] = value
+        })
+      })
+    } catch (err) {
+      next(
+        new Error(
+          i18n.__('NodeParseYarn2', lockFilename.lockFilePath) +
+            `${err.message}`
+        )
+      )
+
+      return
+    }
+
+    next()
+  }
+}
+
+function formatKey(keyNames) {
+  let name = ''
+  let formattedNames = []
+  keyNames.forEach(dummyString => {
+    let nameArr = dummyString.split('@')
+    if (nameArr.length > 1) {
+      if (nameArr.length == 2) {
+        name = nameArr[0]
+      }
+
+      if (nameArr.length == 3) {
+        name = '@' + nameArr[1]
+      }
+
+      let version = dummyString.split(':').pop('')
+
+      if (version.length == 1 && version != '*') {
+        version = version + '.0'
+      }
+      let reformattedKey = name.trim() + '@' + version
+
+      formattedNames.push(reformattedKey)
+    }
+  })
+  return formattedNames
+}
+
+exports.formatKey = formatKey

package/src/audit/nodeAnalysisEngine/parseYarnLockFileContents.js

@@ -0,0 +1,26 @@
+const yarnParser = require('@yarnpkg/lockfile')
+const i18n = require('i18n')
+
+module.exports = exports = ({ language: { lockFilename }, node }, next) => {
+  // If we never read the lock file then pass priority
+  if (node.rawYarnLockFileContents === undefined || node.yarnVersion === 2) {
+    next()
+  } else {
+    try {
+      node.yarnLockFile = yarnParser.parse(node.rawYarnLockFileContents)
+    } catch (err) {
+      next(
+        new Error(
+          i18n.__(
+            'NodeParseYarn',
+            lockFilename.lockFilePath ? lockFilename.lockFilePath : 'undefined'
+          ) + `${err.message}`
+        )
+      )
+
+      return
+    }
+
+    next()
+  }
+}

package/src/audit/nodeAnalysisEngine/readNPMLockFileContents.js

@@ -0,0 +1,23 @@
+const fs = require('fs')
+const i18n = require('i18n')
+
+module.exports = exports = ({ language: { lockFilePath }, node }, next) => {
+  // check if the lockFilename is populated and if it is check to
+  // see if it has the package-lock if not then go on to next handler
+  if (!lockFilePath || !lockFilePath.includes('package-lock.json')) {
+    next()
+    return
+  }
+
+  try {
+    node.rawLockFileContents = fs.readFileSync(lockFilePath)
+  } catch (err) {
+    next(
+      new Error(i18n.__('NodeReadNpmError', lockFilePath) + `${err.message}`)
+    )
+
+    return
+  }
+
+  next()
+}

package/src/audit/nodeAnalysisEngine/readProjectFileContents.js

@@ -0,0 +1,27 @@
+const fs = require('fs')
+const i18n = require('i18n')
+
+module.exports = exports = (analysis, next) => {
+  const {
+    language: { projectFilePath },
+    node
+  } = analysis
+
+  // Read the NODE project file contents. We are reading into memory presuming
+  // that the contents of the file aren't large which may be bad... Could look
+  // into streaming in the future
+
+  try {
+    // package.json is stored in the projectFilePath other files have the word lock so are stored in lockFilename arr
+    node.packageJSON = JSON.parse(fs.readFileSync(projectFilePath, 'utf8'))
+  } catch (err) {
+    next(
+      new Error(
+        i18n.__('nodeReadProjectFileError', projectFilePath) + `${err.message}`
+      )
+    )
+    return
+  }
+
+  next()
+}

package/src/audit/nodeAnalysisEngine/readYarnLockFileContents.js

@@ -0,0 +1,36 @@
+const fs = require('fs')
+const yaml = require('js-yaml')
+const i18n = require('i18n')
+
+module.exports = exports = ({ language: { lockFilePath }, node }, next) => {
+  // check if the lockFilePath is populated and if it is check to
+  // see if it has the package-lock if not then go on to next handler
+  if (!lockFilePath || !lockFilePath.includes('yarn.lock')) {
+    next()
+    return
+  }
+
+  try {
+    node.rawYarnLockFileContents = fs.readFileSync(lockFilePath, 'utf8')
+    node.yarnVersion = 1
+
+    if (
+      !node.rawYarnLockFileContents.includes('lockfile v1') ||
+      node.rawYarnLockFileContents.includes('__metadata')
+    ) {
+      node.rawYarnLockFileContents = yaml.load(
+        fs.readFileSync(lockFilePath, 'utf8')
+      )
+      node.yarnVersion = 2
+    }
+  } catch (err) {
+    next(
+      new Error(
+        i18n.__('nodeReadYarnLockFileError', lockFilePath) + `${err.message}`
+      )
+    )
+
+    return
+  }
+  next()
+}

package/src/audit/nodeAnalysisEngine/sanitizer.js

@@ -0,0 +1,11 @@
+module.exports = exports = ({ node }, next) => {
+  // Remove anything sensitive or unnecessary from being sent to the backend as
+  // a result of our NODE project analysis
+  delete node.rawProjectFileContents
+  delete node.projectFileJSON
+  delete node.projectLockFileJSON
+  delete node.rawLockFileContents
+  delete node.rawYarnLockFileContents
+
+  next()
+}

package/src/audit/phpAnalysisEngine/index.js

@@ -0,0 +1,27 @@
+const AnalysisEngine = require('../AnalysisEngine')
+
+const readProjectFileContents = require('./readProjectFileContents')
+const readLockFileContents = require('./readLockFileContents')
+const parseLockFileContents = require('./parseLockFileContents')
+const sanitizer = require('./sanitizer')
+const i18n = require('i18n')
+
+module.exports = exports = (language, config, callback) => {
+  const ae = new AnalysisEngine({ language, config, php: {} })
+
+  ae.use([
+    readProjectFileContents,
+    readLockFileContents,
+    parseLockFileContents,
+    sanitizer
+  ])
+
+  ae.analyze((err, analysis) => {
+    if (err) {
+      callback(new Error(i18n.__('phpAnalysisFailure') + `${err.message}`))
+      return
+    }
+
+    callback(null, analysis)
+  })
+}