@contrast/contrast 1.0.0 → 1.0.3

package/dist/audit/languageAnalysisEngine/checkIdentifiedLanguageHasLockFile.js

@@ -0,0 +1,35 @@
+"use strict";
+const i18n = require('i18n');
+module.exports = exports = (analysis, next) => {
+    try {
+        const { languageAnalysis } = analysis;
+        if (Object.getOwnPropertyNames(languageAnalysis.identifiedLanguages)[0] ===
+            'JAVA' ||
+            Object.getOwnPropertyNames(languageAnalysis.identifiedLanguages)[0] ===
+                'GO') {
+            next();
+            return;
+        }
+        checkForLockFile(languageAnalysis.identifiedLanguages);
+    }
+    catch (err) {
+        next(err);
+        return;
+    }
+    next();
+    return;
+};
+const checkForLockFile = identifiedLanguages => {
+    if (Object.keys(identifiedLanguages).length == 1) {
+        let { lockFilenames } = Object.values(identifiedLanguages)[0];
+        if (lockFilenames.length == 0) {
+            const [language] = Object.keys(identifiedLanguages);
+            throw new Error(i18n.__('languageAnalysisHasNoLockFile', language));
+        }
+        if (lockFilenames.length > 1) {
+            const [language] = Object.keys(identifiedLanguages);
+            throw new Error(i18n.__('languageAnalysisHasMultipleLockFiles', language, String(lockFilenames)));
+        }
+    }
+};
+exports.checkForLockFile = checkForLockFile;

package/dist/audit/languageAnalysisEngine/checkIdentifiedLanguageHasProjectFile.js

@@ -0,0 +1,23 @@
+"use strict";
+const i18n = require('i18n');
+module.exports = exports = (analysis, next) => {
+    const { languageAnalysis } = analysis;
+    try {
+        checkIdentifiedLanguageHasProjectFile(languageAnalysis.identifiedLanguages);
+    }
+    catch (err) {
+        next(err);
+        return;
+    }
+    next();
+};
+const checkIdentifiedLanguageHasProjectFile = identifiedLanguages => {
+    if (Object.keys(identifiedLanguages).length == 1) {
+        let { projectFilenames } = Object.values(identifiedLanguages)[0];
+        if (projectFilenames.length == 0) {
+            const [language] = Object.keys(identifiedLanguages);
+            throw new Error(i18n.__('languageAnalysisProjectFileError', language));
+        }
+    }
+};
+exports.checkIdentifiedLanguageHasProjectFile = checkIdentifiedLanguageHasProjectFile;

package/dist/audit/languageAnalysisEngine/commonApi.js

@@ -0,0 +1,18 @@
+"use strict";
+const { getHttpClient } = require('../../utils/commonApi');
+const returnAppId = async (config) => {
+    const client = getHttpClient(config);
+    let appId;
+    await client.getAppId(config).then(res => {
+        if (res.body) {
+            let obj = res.body['applications'];
+            if (obj) {
+                appId = obj.length === 0 ? '' : obj[0].app_id;
+            }
+        }
+    });
+    return appId;
+};
+module.exports = {
+    returnAppId: returnAppId
+};

package/dist/audit/languageAnalysisEngine/constants.js

@@ -0,0 +1,20 @@
+"use strict";
+const NODE = 'NODE';
+const JAVASCRIPT = 'JAVASCRIPT';
+const DOTNET = 'DOTNET';
+const JAVA = 'JAVA';
+const RUBY = 'RUBY';
+const PYTHON = 'PYTHON';
+const GO = 'GO';
+const PHP = 'PHP';
+const LOW = 'LOW';
+const MEDIUM = 'MEDIUM';
+const HIGH = 'HIGH';
+const CRITICAL = 'CRITICAL';
+module.exports = {
+    supportedLanguages: { NODE, DOTNET, JAVA, RUBY, PYTHON, GO, PHP, JAVASCRIPT },
+    LOW: LOW,
+    MEDIUM: MEDIUM,
+    HIGH: HIGH,
+    CRITICAL: CRITICAL
+};

package/dist/audit/languageAnalysisEngine/filterProjectPath.js

@@ -0,0 +1,20 @@
+"use strict";
+const path = require('path');
+function resolveFilePath(filepath) {
+    if (filepath[0] === '~') {
+        return path.join(process.env.HOME, filepath.slice(1));
+    }
+    return filepath;
+}
+const returnProjectPath = () => {
+    if (process.env.PWD !== (undefined || null || 'undefined')) {
+        return process.env.PWD;
+    }
+    else {
+        return process.argv[process.argv.indexOf('--project_path') + 1];
+    }
+};
+module.exports = {
+    returnProjectPath: returnProjectPath,
+    resolveFilePath: resolveFilePath
+};

package/dist/audit/languageAnalysisEngine/getIdentifiedLanguageInfo.js

@@ -0,0 +1,25 @@
+"use strict";
+const path = require('path');
+module.exports = exports = (analysis, next) => {
+    const { projectPath, languageAnalysis } = analysis;
+    languageAnalysis.identifiedLanguageInfo = getIdentifiedLanguageInfo(projectPath, languageAnalysis.identifiedLanguages);
+    next();
+};
+const getIdentifiedLanguageInfo = (projectPath, identifiedLanguages) => {
+    const [language] = Object.keys(identifiedLanguages);
+    const { projectFilenames: [projectFilename], lockFilenames: [lockFilename] } = Object.values(identifiedLanguages)[0];
+    let identifiedLanguageInfo = {
+        language,
+        projectFilename,
+        projectFilePath: path.join(projectPath, projectFilename)
+    };
+    if (lockFilename) {
+        identifiedLanguageInfo = {
+            ...identifiedLanguageInfo,
+            lockFilename,
+            lockFilePath: path.join(projectPath, lockFilename)
+        };
+    }
+    return identifiedLanguageInfo;
+};
+exports.getIdentifiedLanguageInfo = getIdentifiedLanguageInfo;

package/dist/audit/languageAnalysisEngine/getProjectRootFilenames.js

@@ -0,0 +1,39 @@
+"use strict";
+const fs = require('fs');
+const path = require('path');
+const i18n = require('i18n');
+module.exports = exports = (analysis, next) => {
+    const { projectPath, languageAnalysis } = analysis;
+    try {
+        languageAnalysis.projectRootFilenames = getProjectRootFilenames(projectPath);
+    }
+    catch (err) {
+        next(err);
+        return;
+    }
+    next();
+};
+const getProjectRootFilenames = projectPath => {
+    let projectStats = null;
+    try {
+        projectStats = fs.statSync(projectPath);
+    }
+    catch (err) {
+        throw new Error(i18n.__('languageAnalysisProjectRootFileNameFailure', projectPath) +
+            `${err.message}`);
+    }
+    if (projectStats.isDirectory()) {
+        try {
+            return fs.readdirSync(projectPath);
+        }
+        catch (err) {
+            throw new Error(i18n.__('languageAnalysisProjectRootFileNameReadError', projectPath) +
+                `${err.message}`);
+        }
+    }
+    if (projectStats.isFile()) {
+        return [path.basename(projectPath)];
+    }
+    throw new Error(i18n.__('languageAnalysisProjectRootFileNameMissingError'), projectPath);
+};
+exports.getProjectRootFilenames = getProjectRootFilenames;

package/dist/audit/languageAnalysisEngine/index.js

@@ -0,0 +1,39 @@
+"use strict";
+const AnalysisEngine = require('./../AnalysisEngine');
+const i18n = require('i18n');
+const getProjectRootFilenames = require('./getProjectRootFilenames');
+const reduceIdentifiedLanguages = require('./reduceIdentifiedLanguages');
+const checkForMultipleIdentifiedLanguages = require('./checkForMultipleIdentifiedLanguages');
+const checkForMultipleIdentifiedProjectFiles = require('./checkForMultipleIdentifiedProjectFiles');
+const checkIdentifiedLanguageHasProjectFile = require('./checkIdentifiedLanguageHasProjectFile');
+const checkIdentifiedLanguageHasLockFile = require('./checkIdentifiedLanguageHasLockFile');
+const getIdentifiedLanguageInfo = require('./getIdentifiedLanguageInfo');
+const { libraryAnalysisError } = require('../../common/errorHandling');
+module.exports = exports = (projectPath, callback, appId, config) => {
+    const ae = new AnalysisEngine({
+        projectPath,
+        appId,
+        languageAnalysis: { appId: appId },
+        config
+    });
+    ae.use([
+        getProjectRootFilenames,
+        reduceIdentifiedLanguages,
+        checkForMultipleIdentifiedLanguages,
+        checkForMultipleIdentifiedProjectFiles,
+        checkIdentifiedLanguageHasProjectFile,
+        checkIdentifiedLanguageHasLockFile,
+        getIdentifiedLanguageInfo
+    ]);
+    ae.analyze((err, analysis) => {
+        if (err) {
+            console.log('*******************' +
+                i18n.__('languageAnalysisFailureMessage') +
+                '****************');
+            console.error(`${err.message}`);
+            libraryAnalysisError();
+            process.exit(1);
+        }
+        callback(null, analysis);
+    });
+};

package/dist/audit/languageAnalysisEngine/langugageAnalysisFactory.js

@@ -0,0 +1,95 @@
+"use strict";
+const { supportedLanguages: { DOTNET, NODE, JAVA, RUBY, PYTHON, GO, PHP } } = require('../languageAnalysisEngine/constants');
+const i18n = require('i18n');
+const dotnetAE = require('../dotnetAnalysisEngine');
+const nodeAE = require('../nodeAnalysisEngine');
+const javaAE = require('../javaAnalysisEngine');
+const rubyAE = require('../rubyAnalysisEngine');
+const pythonAE = require('../pythonAnalysisEngine');
+const phpAE = require('../phpAnalysisEngine');
+const goAE = require('../goAnalysisEngine');
+const { vulnerabilityReport } = require('./report/reportingFeature');
+const { vulnReportWithoutDevDep } = require('./report/newReportingFeature');
+const { checkDevDeps } = require('./report/checkIgnoreDevDep');
+const { newSendSnapShot } = require('../languageAnalysisEngine/sendSnapshot');
+const fs = require('fs');
+const chalk = require('chalk');
+const saveFile = require('../../commands/audit/saveFile').default;
+const generateSbom = require('../../sbom/generateSbom').default;
+module.exports = exports = (err, analysis) => {
+    const { identifiedLanguageInfo } = analysis.languageAnalysis;
+    const catalogueAppId = analysis.languageAnalysis.appId;
+    if (err) {
+        console.error(err);
+        return;
+    }
+    const langCallback = async (err, analysis) => {
+        const config = analysis.config;
+        if (err) {
+            console.log();
+            console.log('***********' +
+                i18n.__('languageAnalysisFactoryFailureHeader') +
+                '****************');
+            console.log(identifiedLanguageInfo.language);
+            console.log();
+            console.error(`${identifiedLanguageInfo.language}` +
+                i18n.__('languageAnalysisFailure') +
+                err);
+            return process.exit(5);
+        }
+        console.log('\n **************CONTRAST OSS ANALYSIS BEGINS**************');
+        const snapshotResponse = await newSendSnapShot(analysis, catalogueAppId);
+        if (config.report) {
+            const ignoreDevUrl = await checkDevDeps(config);
+            if (ignoreDevUrl) {
+                await vulnReportWithoutDevDep(analysis, catalogueAppId, snapshotResponse.id, config);
+            }
+            else {
+                await vulnerabilityReport(analysis, catalogueAppId, config);
+            }
+        }
+        await auditSave(config);
+        console.log('\n ***************CONTRAST OSS ANALYSIS COMPLETE************** \n');
+    };
+    if (identifiedLanguageInfo.language === DOTNET) {
+        dotnetAE(identifiedLanguageInfo, analysis.config, langCallback);
+    }
+    if (identifiedLanguageInfo.language === NODE) {
+        nodeAE(identifiedLanguageInfo, analysis.config, langCallback);
+    }
+    if (identifiedLanguageInfo.language === JAVA) {
+        javaAE(identifiedLanguageInfo, analysis.config, langCallback);
+    }
+    if (identifiedLanguageInfo.language === RUBY) {
+        rubyAE(identifiedLanguageInfo, analysis.config, langCallback);
+    }
+    if (identifiedLanguageInfo.language === PYTHON) {
+        pythonAE(identifiedLanguageInfo, analysis.config, langCallback);
+    }
+    if (identifiedLanguageInfo.language === PHP) {
+        phpAE(identifiedLanguageInfo, analysis.config, langCallback);
+    }
+    if (identifiedLanguageInfo.language === GO) {
+        goAE(identifiedLanguageInfo, analysis.config, langCallback);
+    }
+};
+async function auditSave(config) {
+    if (config.save) {
+        if (config.save.toLowerCase() === 'sbom') {
+            saveFile(config, await generateSbom(config));
+            const filename = `${config.applicationId}-sbom-cyclonedx.json`;
+            if (fs.existsSync(filename)) {
+                console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`);
+            }
+            else {
+                console.log(chalk.yellow.bold(`\n Unable to save ${filename} Software Bill of Materials (SBOM)`));
+            }
+        }
+        else {
+            console.log(i18n.__('auditBadFiletypeSpecifiedForSave'));
+        }
+    }
+    else {
+        console.log(i18n.__('auditNoFiletypeSpecifiedForSave'));
+    }
+}

package/dist/audit/languageAnalysisEngine/reduceIdentifiedLanguages.js

@@ -0,0 +1,121 @@
+"use strict";
+const { supportedLanguages: { NODE, DOTNET, JAVA, RUBY, PYTHON, GO, PHP, JAVASCRIPT } } = require('./constants');
+const i18n = require('i18n');
+const DOT_NET_PROJECT_FILE_REGEX = /.+\.csproj$/;
+const DOT_NET_LOCK_FILENAME = 'packages.lock.json';
+const isDotNetProjectFilename = filename => filename.search(DOT_NET_PROJECT_FILE_REGEX) !== -1;
+const isDotNetLockFilename = filename => filename === DOT_NET_LOCK_FILENAME;
+function isJavaMavenProjectFilename(filename) {
+    return filename === 'pom.xml';
+}
+function isJavaGradleProjectFilename(filename) {
+    return filename === 'build.gradle' || filename === 'build.gradle.kts';
+}
+const isRubyProjectFilename = filename => filename === 'Gemfile';
+const isNodeProjectFilename = filename => filename === 'package.json';
+const isPythonProjectFilename = filename => filename === 'requirements.txt' || filename === 'Pipfile';
+const isPhpProjectFilename = filename => filename === 'composer.json';
+const isPhpLockFilename = filename => filename === 'composer.lock';
+function isNodeLockFilename(filename) {
+    return filename === 'package-lock.json' || filename === 'yarn.lock';
+}
+const isRubyLockFilename = filename => filename === 'Gemfile.lock';
+const isPipfileLockLockFilename = filename => filename === 'Pipfile.lock';
+const isGoProjectFilename = filename => filename === 'go.mod';
+const deduceLanguage = filename => {
+    const deducedLanguages = [];
+    if (isJavaMavenProjectFilename(filename)) {
+        deducedLanguages.push({ language: JAVA, projectFilename: filename });
+    }
+    if (isJavaGradleProjectFilename(filename)) {
+        deducedLanguages.push({ language: JAVA, projectFilename: filename });
+    }
+    if (isNodeProjectFilename(filename)) {
+        deducedLanguages.push({ language: NODE, projectFilename: filename });
+    }
+    if (isDotNetProjectFilename(filename)) {
+        deducedLanguages.push({ language: DOTNET, projectFilename: filename });
+    }
+    if (isRubyProjectFilename(filename)) {
+        deducedLanguages.push({ language: RUBY, projectFilename: filename });
+    }
+    if (isPythonProjectFilename(filename)) {
+        deducedLanguages.push({ language: PYTHON, projectFilename: filename });
+    }
+    if (isPhpProjectFilename(filename)) {
+        deducedLanguages.push({ language: PHP, projectFilename: filename });
+    }
+    if (isDotNetLockFilename(filename)) {
+        deducedLanguages.push({ language: DOTNET, lockFilename: filename });
+    }
+    if (isNodeLockFilename(filename)) {
+        deducedLanguages.push({ language: NODE, lockFilename: filename });
+    }
+    if (isRubyLockFilename(filename)) {
+        deducedLanguages.push({ language: RUBY, lockFilename: filename });
+    }
+    if (isPipfileLockLockFilename(filename)) {
+        deducedLanguages.push({ language: PYTHON, lockFilename: filename });
+    }
+    if (isPhpLockFilename(filename)) {
+        deducedLanguages.push({ language: PHP, lockFilename: filename });
+    }
+    if (isGoProjectFilename(filename)) {
+        deducedLanguages.push({ language: GO, projectFilename: filename });
+    }
+    return deducedLanguages;
+};
+const reduceIdentifiedLanguages = identifiedLanguages => identifiedLanguages.reduce((accumulator, identifiedLanguageInfo) => {
+    const { language, projectFilename, lockFilename } = identifiedLanguageInfo;
+    if (!(language in accumulator)) {
+        accumulator[language] = { projectFilenames: [], lockFilenames: [] };
+    }
+    if (projectFilename) {
+        accumulator[language].projectFilenames.push(projectFilename);
+    }
+    else {
+        accumulator[language].lockFilenames.push(lockFilename);
+    }
+    return accumulator;
+}, {});
+module.exports = exports = (analysis, next) => {
+    const { projectPath, languageAnalysis, config } = analysis;
+    let identifiedLanguages = languageAnalysis.projectRootFilenames.reduce((accumulator, filename) => {
+        const deducedLanguages = deduceLanguage(filename);
+        return [...accumulator, ...deducedLanguages];
+    }, []);
+    if (Object.keys(identifiedLanguages).length === 0) {
+        next(new Error(i18n.__('languageAnalysisNoLanguage', projectPath)));
+        return;
+    }
+    let language = config.language;
+    if (language === undefined) {
+        languageAnalysis.identifiedLanguages = reduceIdentifiedLanguages(identifiedLanguages);
+    }
+    else {
+        let refinedIdentifiedLanguages = [];
+        for (let x in identifiedLanguages) {
+            if (identifiedLanguages[x].language === language.toUpperCase() ||
+                (identifiedLanguages[x].language === NODE &&
+                    language.toUpperCase() === JAVASCRIPT)) {
+                refinedIdentifiedLanguages.push(identifiedLanguages[x]);
+            }
+        }
+        if (refinedIdentifiedLanguages.length === 0) {
+            console.log(`Could not detect language as specified: ${config.language}`);
+            process.exit(1);
+        }
+        languageAnalysis.identifiedLanguages = reduceIdentifiedLanguages(refinedIdentifiedLanguages);
+    }
+    next();
+};
+exports.isJavaMavenProjectFilename = isJavaMavenProjectFilename;
+exports.isJavaGradleProjectFilename = isJavaGradleProjectFilename;
+exports.isNodeProjectFilename = isNodeProjectFilename;
+exports.isDotNetProjectFilename = isDotNetProjectFilename;
+exports.isDotNetLockFilename = isDotNetLockFilename;
+exports.isGoProjectFilename = isGoProjectFilename;
+exports.isPhpProjectFilename = isPhpProjectFilename;
+exports.isPhpLockFilename = isPhpLockFilename;
+exports.deduceLanguage = deduceLanguage;
+exports.reduceIdentifiedLanguages = reduceIdentifiedLanguages;

package/dist/audit/languageAnalysisEngine/report/checkIgnoreDevDep.js

@@ -0,0 +1,17 @@
+"use strict";
+const { getGlobalProperties, getFeatures, isFeatureEnabled } = require('../util/generalAPI');
+const { CLI_IGNORE_DEV_DEPS } = require('../util/capabilities');
+const checkDevDeps = async (config) => {
+    const shouldIgnoreDev = config.ignoreDev;
+    const globalProperties = await getGlobalProperties();
+    const features = getFeatures(globalProperties.internal_version);
+    const isfeatureEnabled = isFeatureEnabled(features, CLI_IGNORE_DEV_DEPS);
+    let ignoreDevUrl = false;
+    if (shouldIgnoreDev) {
+        ignoreDevUrl = isfeatureEnabled;
+    }
+    return ignoreDevUrl;
+};
+module.exports = {
+    checkDevDeps
+};