@contrast/contrast 1.0.0 → 1.0.3

package/src/lambda/utils.ts

@@ -1,112 +1,182 @@
 import chalk from 'chalk'
-import { capitalize, groupBy, minBy, sortBy } from 'lodash'
+import { groupBy, sortBy, capitalize, minBy } from 'lodash'
+import i18n from 'i18n'
 import { log } from './logUtils'
 
+// fix for using `plural`
+// https://github.com/mashpie/i18n-node/issues/429
+i18n.setLocale('en')
+
+class PrintVulnerability {
+  index: number
+  vulnerability: any
+  group?: any[]
+  title: string
+  severity: string
+  remediation: string
+  description: string
+  recommendation: string
+  whatHappened: string
+
+  constructor(index: number, vulnerability: any, group?: any[]) {
+    const {
+      severityText,
+      title,
+      description,
+      remediation,
+      categoryText
+    } = vulnerability
+
+    this.group = group
+    this.vulnerability = vulnerability
+    this.index = index
+    this.title = title
+    this.severity = capitalize(severityText)
+    this.description = underlineLinks(description)
+    this.remediation = remediation?.description
+    this.recommendation = ''
+    this.whatHappened = ''
+
+    if (categoryText === 'PERMISSIONS') {
+      this.formatPermissions()
+    } else if (categoryText === 'DEPENDENCIES') {
+      this.formatDependencies()
+    }
+  }
+
+  formatPermissions() {
+    const { leastPrivilege, comment } = this.vulnerability.evidence
+    const violatingPolicies = leastPrivilege?.violatingPolicies || []
+
+    const filteredPolicies = violatingPolicies
+      .filter((vp: any) => vp?.suggestedPolicy?.suggestedPolicyCode?.length)
+      .map((vp: any) => vp?.suggestedPolicy)
+
+    const shouldNumerate = filteredPolicies.length > 1
+    filteredPolicies.forEach((policies: any, i: number) => {
+      const { suggestedPolicyCode, description } = policies
+
+      suggestedPolicyCode.forEach((policy: any) => {
+        const { snippet, title } = policy
+        this.recommendation += shouldNumerate
+          ? ` ${i + 1}. ${description}\n`
+          : `${description}\n`
+
+        if (title !== 'DELETE POLICY') {
+          this.recommendation += `${snippet}\n`
+        }
+      })
+    })
+
+    if (comment?.length) {
+      const splitComment = (comment: string) => {
+        const [policy, description] = comment.split(':').map(c => c.trim())
+        return { policy, description }
+      }
+      const groupByPolicy = groupBy(comment, c => splitComment(c).policy)
+
+      Object.entries(groupByPolicy).forEach(([policy, commentArr]) => {
+        const comments = commentArr
+          .map(splitComment)
+          .map(({ description }) => ` - ${description}`)
+          .join('\n')
+        this.whatHappened += i18n.__('whatHappenedItem', { policy, comments })
+      })
+    }
+  }
+
+  formatDependencies() {
+    if (!this.group?.length) {
+      this.recommendation = this.vulnerability?.remediation?.description
+      return
+    }
+
+    const maxSeverity = minBy(this.group, 'severity')
+    this.title = i18n.__('vulnerableDependency')
+    this.severity = capitalize(maxSeverity.severityText)
+    this.recommendation = maxSeverity.remediation?.description
+
+    const library = groupByDependency({ title: this.vulnerability.title })
+    const [packageName, version] = library.split(':')
+    const allCves = this.group.map(groupByCVE)
+
+    this.description = i18n.__mf('vulnerableDependencyDescriptions', {
+      NUM: this.group.length,
+      packageName,
+      version,
+      cves: allCves.join(' | ')
+    })
+  }
+
+  print() {
+    log(`${this.index}.`)
+    // prettier-ignore
+    log(`${chalk.bold(this.severity)} | ${chalk.bold(this.title)} ${this.description}`)
+
+    if (this.whatHappened) {
+      log(`\n${chalk.bold(i18n.__('whatHappenedTitle'))}\n${this.whatHappened}`)
+    }
+
+    if (this.recommendation) {
+      log(`${chalk.bold(i18n.__('recommendation'))}\n${this.recommendation}`)
+    }
+
+    log('')
+  }
+}
+
 const groupByCVE = ({ title }: any) =>
   title.substring(0, title.indexOf('[') - 1)
 
 const groupByDependency = ({ title }: any) =>
   title.substring(title.indexOf('[') + 1, title.indexOf(']'))
 
-const prettyPrintResults = (results: any[]) => {
-  log('')
-
+const printResults = (results: any[]) => {
   //filter out any vulnerabs which is not least privilege or dependencies- cli does not handle other vulnerabs yet
   const vulnerabs = results.filter(r => r.category === 1 || r.category === 4)
   const sortBySeverity = sortBy(vulnerabs, ['severity', 'title'])
   const notDependencies = sortBySeverity.filter(r => r.category !== 1)
   const dependencies = sortBySeverity.filter(r => r.category === 1)
   const dependenciesByLibrary = groupBy(dependencies, groupByDependency)
-  const dependenciesCount = Object.keys(dependenciesByLibrary).length
 
-  notDependencies.forEach(printVulnerability)
+  log('')
 
+  notDependencies.forEach((vulnerability: any, index: number) => {
+    const printVulnerab = new PrintVulnerability(index + 1, vulnerability)
+    printVulnerab.print()
+  })
   const prevIndex = notDependencies.length + 1
-  Object.entries(dependenciesByLibrary).forEach(([library, group], i) => {
-    const maxSeverity = minBy(group, 'severity')
-    const allCves = group.map(groupByCVE)
-
-    log(prevIndex + i)
-    log(
-      `${chalk.bold(capitalize(maxSeverity.severityText))} | ${chalk.bold(
-        'Vulnerable dependency'
-      )} ${library} has ${group.length} known CVEs`
-    )
-    log(allCves.join(', '))
-    if (maxSeverity.remediation?.description) {
-      log(
-        `${chalk.bold('Recommendation:')} ${
-          maxSeverity.remediation.description
-        }`
-      )
-    }
-    log('')
+  Object.entries(dependenciesByLibrary).forEach(([, group], i) => {
+    const printVulnerab = new PrintVulnerability(prevIndex + i, group[0], group)
+    printVulnerab.print()
   })
 
+  const dependenciesCount = Object.keys(dependenciesByLibrary).length
   const resultCount = notDependencies.length + dependenciesCount
+  log(i18n.__n('foundVulnerabilities', resultCount), { bold: true })
+
+  const counters = getNotDependenciesCounters(notDependencies)
+  if (dependenciesCount) {
+    counters.push(i18n.__n('dependenciesCount', dependenciesCount))
+  }
+  log(counters.join(' | '), { bold: true })
+}
+
+const getNotDependenciesCounters = (notDependencies: any[]) => {
   const groupByType = groupBy(notDependencies, ['categoryText'])
-  const summary = Object.values(groupByType).map(
+  return Object.values(groupByType).map(
     group => `${group.length} ${capitalize(group[0].categoryText)}`
   )
-  log(`Found ${resultCount} vulnerabilities`, { bold: true })
-  summary.push(`${dependenciesCount} Dependencies`)
-
-  log(chalk.bold(summary.join(' | ')))
 }
 
 const underlineLinks = (text: string) => {
   if (!text) {
     return text
   }
-
   const urlRegex = /(https?:\/\/[^\s]+)/g
   return text.replace(urlRegex, chalk.underline('$1'))
 }
 
-const printVulnerability = (vulnerability: any, index: number) => {
-  log(index + 1)
-  const descriptionWithLinks = underlineLinks(vulnerability.description)
-  log(
-    `${chalk.bold(capitalize(vulnerability.severityText))} | ${chalk.bold(
-      vulnerability.title
-    )} ${descriptionWithLinks}`
-  )
-
-  const category = vulnerability?.categoryText
-  switch (category) {
-    case 'PERMISSIONS':
-      printLeastPrivilegeRemediation(vulnerability)
-      break
-    default:
-      printRemediation(vulnerability)
-  }
-  log('')
-}
-
-const printLeastPrivilegeRemediation = (vulnerability: any) => {
-  log(
-    `${chalk.bold(
-      'Recommendation:'
-    )} Replace the existing policies with the following`
-  )
-
-  const violatingPolicies =
-    vulnerability?.evidence?.leastPrivilege?.violatingPolicies || []
-
-  violatingPolicies
-    .filter((vp: any) => vp?.suggestedPolicy?.suggestedPolicyCode?.length)
-    .map((vp: any) => vp?.suggestedPolicy?.suggestedPolicyCode)
-    .forEach((policies: any) => {
-      policies.forEach((policy: any) => {
-        console.log(policy.snippet)
-      })
-    })
-}
-
-const printRemediation = (vulnerability: any) => {
-  log(`Remediation - ${vulnerability?.remediation?.description || 'Unknown'}`)
-}
-
 function toLowerKeys(obj: Record<string, unknown>) {
   return Object.keys(obj).reduce((accumulator, key) => {
     const new_key = `${key[0].toLowerCase()}${key.slice(1)}`
@@ -115,11 +185,9 @@ function toLowerKeys(obj: Record<string, unknown>) {
   }, {} as Record<string, unknown>)
 }
 
-export { toLowerKeys, prettyPrintResults }
-
+export { toLowerKeys, printResults }
 export const exportedForTesting = {
-  printLeastPrivilegeRemediation,
-  printRemediation,
-  printVulnerability,
-  underlineLinks
+  underlineLinks,
+  printResults,
+  PrintVulnerability
 }

package/src/sbom/generateSbom.ts

@@ -0,0 +1,17 @@
+import { getHttpClient } from '../utils/commonApi'
+
+export default function generateSbom(config: any) {
+  const client = getHttpClient(config)
+  return client
+    .getSbom(config)
+    .then((res: { statusCode: number; body: any }) => {
+      if (res.statusCode === 200) {
+        return res.body
+      } else {
+        console.log('Unable to retrieve Software Bill of Materials (SBOM)')
+      }
+    })
+    .catch((err: any) => {
+      console.log(err)
+    })
+}

package/src/scan/autoDetection.js

@@ -1,7 +1,5 @@
 const i18n = require('i18n')
-const { zipValidator } = require('./scan')
 const fileFinder = require('./fileUtils')
-const { supportedLanguages } = require('../constants/constants')
 
 const autoDetectFileAndLanguage = async configToUse => {
   const entries = await fileFinder.findFile()
@@ -18,8 +16,6 @@ const autoDetectFileAndLanguage = async configToUse => {
     if (configToUse.name === undefined) {
       configToUse.name = entries[0]
     }
-    zipValidator(configToUse)
-    assignLanguage(entries, configToUse)
   } else {
     errorOnFileDetection(entries)
   }
@@ -46,32 +42,7 @@ const errorOnFileDetection = entries => {
   process.exit(1)
 }
 
-const assignLanguage = (entries, configToUse) => {
-  let split = entries[0].split('.')
-  const fileType = split[split.length - 1]
-  if (fileType === 'war' || fileType === 'jar') {
-    console.log('Language is Java')
-    configToUse.language = 'JAVA'
-  } else if (fileType === 'dll') {
-    console.log('Language is Dotnet')
-    configToUse.language = 'DOTNET'
-  } else if (fileType === 'js') {
-    console.log('Language is Javascript')
-    configToUse.language = supportedLanguages.JAVASCRIPT
-  } else if (fileType === 'zip') {
-    if (configToUse.language !== supportedLanguages.JAVASCRIPT) {
-      console.log(i18n.__('zipErrorScan'))
-      process.exit(1)
-    }
-    console.log('Language is Javascript within zip file')
-  } else {
-    console.log(i18n.__('unknownFileErrorScan'))
-    process.exit(1)
-  }
-}
-
 module.exports = {
   autoDetectFileAndLanguage,
-  assignLanguage,
   errorOnFileDetection
 }

package/src/scan/fileUtils.js

@@ -4,7 +4,7 @@ const i18n = require('i18n')
 
 const findFile = async () => {
   console.log(i18n.__('searchingScanFileDirectory', process.cwd()))
-  return fg(['**/*.jar', '**/*.war', '**/*.zip', '**/*.dll'], {
+  return fg(['**/*.jar', '**/*.war', '**/*.zip', '**/*.dll', '**/*.exe'], {
     dot: false,
     deep: 3,
     onlyFiles: true

package/src/scan/help.js

@@ -1,5 +1,6 @@
 const commandLineUsage = require('command-line-usage')
 const i18n = require('i18n')
+const constants = require('../constants')
 
 const scanUsageGuide = commandLineUsage([
   {
@@ -17,51 +18,19 @@ const scanUsageGuide = commandLineUsage([
   },
   {
     header: i18n.__('constantsScanOptions'),
-    content: [
-      {
-        name: i18n.__('scanOptionsFileName'),
-        summary:
-          '{italic ' +
-          i18n.__('constantsOptional') +
-          '}: ' +
-          i18n.__('scanOptionsFileNameSummary')
-      },
-      {
-        name: i18n.__('scanOptionsLanguage'),
-        summary:
-          '{italic ' +
-          i18n.__('constantsOptional') +
-          '}: ' +
-          i18n.__('scanOptionsLanguageSummaryOptional') +
-          '{italic ' +
-          i18n.__('constantsRequired') +
-          '}: ' +
-          i18n.__('scanOptionsLanguageSummaryRequired')
-      },
-      {
-        name: i18n.__('scanOptionsName'),
-        summary:
-          '{italic ' +
-          i18n.__('constantsOptional') +
-          '}: ' +
-          i18n.__('scanOptionsNameSummary')
-      },
-      {
-        name: i18n.__('scanOptionsTimeout'),
-        summary:
-          '{italic ' +
-          i18n.__('constantsOptional') +
-          '}: ' +
-          i18n.__('scanOptionsTimeoutSummary')
-      },
-      {
-        name: i18n.__('scanOptionsVerbose'),
-        summary:
-          '{italic ' +
-          i18n.__('constantsOptional') +
-          '}: ' +
-          i18n.__('scanOptionsVerboseSummary')
-      }
+    optionList: constants.commandLineDefinitions.scanOptionDefinitions,
+    hide: [
+      'project-id',
+      'organization-id',
+      'api-key',
+      'authorization',
+      'host',
+      'proxy',
+      'help',
+      'ff',
+      'ignore-cert-errors',
+      'verbose',
+      'debug'
     ]
   },
   {

package/src/scan/populateProjectIdAndProjectName.js

@@ -21,6 +21,11 @@ const createProjectId = async (config, client) => {
         console.log(i18n.__('foundExistingProjectScan'))
         return
       }
+      if (res.statusCode === 403) {
+        console.log(i18n.__('permissionsError'))
+        process.exit(1)
+        return
+      }
 
       if (res.statusCode === 201) {
         console.log(i18n.__('projectCreatedScan'))

package/src/scan/saveResults.js

@@ -0,0 +1,14 @@
+const fs = require('fs')
+
+const writeResultsToFile = async (responseBody, name = 'results.sarif') => {
+  try {
+    fs.writeFileSync(name, JSON.stringify(responseBody, null, 2))
+    console.log(`Scan Results saved to ${name}`)
+  } catch (err) {
+    console.log('Error writing Scan Results to file')
+  }
+}
+
+module.exports = {
+  writeResultsToFile: writeResultsToFile
+}

package/src/scan/scan.js

@@ -1,10 +1,9 @@
 const commonApi = require('../utils/commonApi.js')
 const fileUtils = require('../scan/fileUtils')
-const allowedFileTypes = ['.jar', '.war', '.js', '.zip']
+const allowedFileTypes = ['.jar', '.war', '.js', '.zip', '.exe']
 const i18n = require('i18n')
-const AdmZip = require('adm-zip')
 const oraWrapper = require('../utils/oraWrapper')
-const { supportedLanguages } = require('../constants/constants')
+const chalk = require('chalk')
 
 const isFileAllowed = scanOption => {
   let valid = false
@@ -16,6 +15,15 @@ const isFileAllowed = scanOption => {
   return valid
 }
 
+const stripMustacheTags = oldString => {
+  return oldString
+    .replace(/\n/g, ' ')
+    .replace(/{{.*?}}/g, '\n')
+    .replace(/\$\$LINK_DELIM\$\$/g, '\n')
+    .replace(/\s+/g, ' ')
+    .trim()
+}
+
 const sendScan = async config => {
   if (!isFileAllowed(config.file)) {
     console.log(i18n.__('scanErrorFileMessage'))
@@ -40,10 +48,19 @@ const sendScan = async config => {
           }
           return res.body.id
         } else {
+          if (config.debug) {
+            console.log(res.statusCode)
+            console.log(config)
+          }
           oraWrapper.failSpinner(
             startUploadSpinner,
             i18n.__('uploadingScanFail')
           )
+          if (res.statusCode === 403) {
+            console.log(i18n.__('permissionsError'))
+            process.exit(1)
+          }
+          console.log(i18n.__('genericServiceError', res.statusCode))
           process.exit(1)
         }
       })
@@ -53,74 +70,126 @@ const sendScan = async config => {
   }
 }
 
-const zipValidator = configToUse => {
-  if (configToUse.file.endsWith('.zip')) {
-    let zipFileName = configToUse.file.split('/').pop()
-    try {
-      let zip = new AdmZip(configToUse.file)
-      let zipEntries = zip.getEntries()
-      zipEntries.forEach(function(zipEntry) {
-        if (
-          !zipEntry.entryName.includes('._') &&
-          !zipEntry.entryName.includes('/.')
-        ) {
-          if (!zipEntry.isDirectory) {
-            if (!zipEntry.entryName.endsWith('.js')) {
-              console.log(i18n.__('scanZipError', zipFileName))
-              process.exit(1)
-            }
-          }
-        }
+const formatScanOutput = (overview, results) => {
+  console.log()
+
+  if (results.content.length === 0) {
+    console.log(i18n.__('scanNoVulnerabilitiesFound'))
+  } else {
+    let message =
+      overview.critical || overview.high
+        ? 'Here are your top priorities to fix'
+        : "No major issues, here's what we found"
+    console.log(chalk.bold(message))
+    console.log()
+
+    const groups = getGroups(results.content)
+    groups.forEach(entry => {
+      console.log(
+        chalk.bold(
+          `${entry.severity} | ${entry.ruleId} (${entry.lineInfoSet.size})`
+        )
+      )
+      let count = 1
+      entry.lineInfoSet.forEach(lineInfo => {
+        console.log(`\t ${count}. ${lineInfo}`)
+        count++
       })
-      configToUse.language = supportedLanguages.JAVASCRIPT
-    } catch {
-      console.log(i18n.__('zipFileException'))
-    }
+
+      if (entry?.cwe && entry?.cwe.length > 0) {
+        formatLinks('cwe', entry.cwe)
+      }
+      if (entry?.reference && entry?.reference.length > 0) {
+        formatLinks('reference', entry.reference)
+      }
+      if (entry?.owasp && entry?.owasp.length > 0) {
+        formatLinks('owasp', entry.owasp)
+      }
+      console.log(chalk.bold('How to fix:'))
+      console.log(entry.recommendation)
+      console.log()
+    })
+
+    const totalVulnerabilities =
+      overview.critical +
+      overview.high +
+      overview.medium +
+      overview.low +
+      overview.note
+
+    let vulMessage =
+      totalVulnerabilities === 1 ? `vulnerability` : `vulnerabilities`
+    console.log(chalk.bold(`Found ${totalVulnerabilities} ${vulMessage}`))
+    console.log(
+      i18n.__(
+        'foundDetailedVulnerabilities',
+        overview.critical,
+        overview.high,
+        overview.medium,
+        overview.low,
+        overview.note
+      )
+    )
   }
 }
 
-const formatScanOutput = (overview, results) => {
-  console.log()
-  console.log('Here are your top priorities to fix')
+const formatLinks = (objName, entry) => {
+  console.log(chalk.bold(objName + ':'))
+  entry.forEach(link => {
+    console.log(link)
+  })
   console.log()
+}
 
-  results.content.forEach(entry => {
-    console.log(entry.severity, 'ID:', entry.id)
-    console.log(
-      entry.ruleId,
-      'in',
-      entry.locations[0]?.physicalLocation.artifactLocation.uri,
-      '@',
-      entry.codeFlows[0]?.threadFlows[0]?.locations[0]?.location
-        ?.physicalLocation?.region?.startLine
-    )
-    console.log()
+const getGroups = content => {
+  const groupTypeSet = new Set(content.map(({ ruleId }) => ruleId))
+  let groupTypeResults = []
+  groupTypeSet.forEach(groupName => {
+    let groupResultsObj = {
+      ruleId: groupName,
+      lineInfoSet: new Set(),
+      cwe: '',
+      owasp: '',
+      reference: '',
+      recommendation: '',
+      severity: ''
+    }
+    content.forEach(resultEntry => {
+      if (resultEntry.ruleId === groupName) {
+        groupResultsObj.severity = resultEntry.severity
+        groupResultsObj.cwe = resultEntry.cwe
+        groupResultsObj.owasp = resultEntry.owasp
+        groupResultsObj.reference = resultEntry.reference
+        groupResultsObj.recommendation = resultEntry.recommendation
+          ? stripMustacheTags(resultEntry.recommendation)
+          : 'No Recommendations Data Found'
+        groupResultsObj.lineInfoSet.add(formattedCodeLine(resultEntry))
+      }
+    })
+    groupTypeResults.push(groupResultsObj)
   })
+  return groupTypeResults
+}
 
-  const totalVulnerabilities =
-    overview.critical +
-    overview.high +
-    overview.medium +
-    overview.low +
-    overview.note
-
-  console.log(`Found ${totalVulnerabilities} vulnerabilities`)
-  console.log(
-    i18n.__(
-      'foundDetailedVulnerabilities',
-      overview.critical,
-      overview.high,
-      overview.medium,
-      overview.low,
-      overview.note
-    )
-  )
+const formattedCodeLine = resultEntry => {
+  let lineUri = resultEntry.locations[0]?.physicalLocation.artifactLocation.uri
+  return lineUri + ' @ ' + setLineNumber(resultEntry)
+}
+
+const setLineNumber = resultEntry => {
+  return resultEntry.codeFlows?.[0]?.threadFlows[0]?.locations[0]?.location
+    ?.physicalLocation?.region?.startLine
+    ? resultEntry.codeFlows[0]?.threadFlows[0]?.locations[0]?.location
+        ?.physicalLocation?.region?.startLine
+    : resultEntry.locations[0]?.physicalLocation?.region?.startLine
 }
 
 module.exports = {
   sendScan: sendScan,
+  getGroups: getGroups,
   allowedFileTypes: allowedFileTypes,
   isFileAllowed: isFileAllowed,
+  stripMustacheTags: stripMustacheTags,
   formatScanOutput: formatScanOutput,
-  zipValidator: zipValidator
+  formatLinks: formatLinks
 }