@contrast/contrast 1.0.0

package/README.md

@@ -0,0 +1,109 @@
+# Contrast Command Line Interface
+
+Install Contrast, authenticate, and then start running a Lambda scan.
+This version supports **Java** and **Python** functions on AWS.
+
+## Requirements
+
+- AWS credentials should be **available** on your local configure (usually `~/.aws/credentials`)
+- You have an option run lambda scan with your aws-profile to pass `--profile`
+- You also can export differnt credentials
+
+```shell
+export AWS_DEFAULT_REGION=<YOUR_AWS_REGION>
+export AWS_ACCESS_KEY_ID=<YOUR_ACCESS_KEY_ID>
+export AWS_SECRET_ACCESS_KEY=<YOUR_SECRET_ACCESS_KEY>
+```
+
+These permissions are required to gather all required information on an AWS Lambda to use the `contrast lambda` command:
+
+- Lambda: [GetFunction](https://docs.aws.amazon.com/lambda/latest/dg/API_GetFunction.html), [GetLayerVersion](https://docs.aws.amazon.com/lambda/latest/dg/API_GetLayerVersion.html)
+- IAM: [GetRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRolePolicy.html), [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html), [GetPolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicyVersion.html), [ListRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html), [ListAttachedRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html)
+
+Policy example:
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetPolicyVersion",
+                "iam:GetPolicy",
+                "lambda:GetLayerVersion",
+                "lambda:GetFunction",
+                "iam:ListAttachedRolePolicies",
+                "iam:ListRolePolicies",
+                "iam:GetRolePolicy"
+            ],
+            "Resource": [
+                "arn:aws:lambda:*:YOUR_ACCOUNT:layer:*:*",
+                "arn:aws:lambda:*:YOUR_ACCOUNT:function:*",
+                "arn:aws:iam::YOUR_ACCOUNT:role/*",
+                "arn:aws:iam::YOUR_ACCOUNT:policy/*"
+            ]
+        }
+    ]
+}
+```
+
+## Installation via Homebrew
+
+- `brew tap Contrast-Security-OSS/homebrew-contrast`
+- `brew install contrast`
+
+### Install NPM / YARN
+
+- `npm i -g @contrast/contrast`
+- `yarn global add @contrast/contrast`
+
+### Install with binaries
+
+- Go to [https://pkg.contrastsecurity.com/ui/repos/tree/General/cli](https://pkg.contrastsecurity.com/ui/repos/tree/General/cli)
+- Select your operating system and download the package
+- You must allow **execute permissions** on the file depending on your OS
+
+| Architecture | Link                                                                                                                                                                           |
+| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| macOS        | [https://pkg.contrastsecurity.com/ui/repos/tree/General/cli/1.0.0/mac/contrast](https://pkg.contrastsecurity.com/ui/repos/tree/General/cli/1.0.0/mac/contrast)                 |
+| Linux        | [https://pkg.contrastsecurity.com/ui/repos/tree/General/cli/1.0.0/linux/contrast](https://pkg.contrastsecurity.com/ui/repos/tree/General/cli/1.0.0/linux/contrast)             |
+| Windows      | [https://pkg.contrastsecurity.com/ui/repos/tree/General/cli/1.0.0/windows/contrast.exe](https://pkg.contrastsecurity.com/ui/repos/tree/General/cli/1.0.0/windows/contrast.exe) |
+
+## Usage
+
+- `contrast [command] [option]`
+- `contrast lambda --function-name <function> [options]`
+
+## Running a scan on a Lambda function
+
+1. `contrast auth`
+   Authenticate by entering contrast auth in the terminal.
+   In the resulting browser window, log in and authenticate with your GitHub or Google credentials.
+2. `contrast lambda --function-name <YOUR_FUNCTION_NAME> --region <AWS_REGION>`
+
+More infromation
+
+- `contrast lambda --help`
+
+## Commands
+
+- `auth` - Authenticate Contrast using your `Github` or `Google` account
+- `lambda` - Perform scan on AWS Lambda function
+- `version` - Displays version of Contrast CLI
+- `config` - Displays stored credentials (`–c, --clear` - Removes stored credentials)
+- `help` - Displays usage guide
+
+## Example of Running
+
+```shell
+contrast lambda --function-name myFunctionName
+contrast lambda -f myFunctionName --region eu-cental-1
+contrast lambda -f myFunctionName --region eu-cental-1 --profile myDevProfile
+contrast lambda -f myFunctionName -v -j -r eu-cental-1 -p myDevProfile
+contrast lambda --function-name myFunctionName --verbose --json-output --region eu-cental-1 --profile myDevProfile
+```
+
+## Example of Results
+
+![image](https://user-images.githubusercontent.com/289035/165555050-e9a709c9-f2a9-4edc-a064-8208445238bc.png)

package/bin/contrast.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+require('../dist/index.js')

package/dist/commands/auth/auth.js

@@ -0,0 +1,61 @@
+"use strict";
+const { v4: uuidv4 } = require('uuid');
+const { setConfigValues } = require('../../utils/getConfig');
+const open = require('open');
+const commonApi = require('../../utils/commonApi');
+const { sleep } = require('../../utils/requestUtils');
+const i18n = require('i18n');
+const { returnOra, startSpinner, failSpinner, succeedSpinner } = require('../../utils/oraWrapper');
+const { TIMEOUT, AUTH_UI_URL } = require('../../constants/constants');
+const processAuth = async (config) => {
+    const token = uuidv4();
+    const url = `${AUTH_UI_URL}/?token=${token}`;
+    console.log(i18n.__('redirectAuth', url));
+    try {
+        await setTimeout(() => {
+            open(url);
+        }, 0);
+        const result = await isAuthComplete(token, TIMEOUT, config);
+        if (result) {
+            setConfigValues(config, result);
+        }
+        return;
+    }
+    finally {
+    }
+};
+const isAuthComplete = async (token, timeout, config) => {
+    const authSpinner = returnOra(i18n.__('authWaitingMessage'));
+    startSpinner(authSpinner);
+    const client = commonApi.getHttpClient(config);
+    let startTime = new Date();
+    let complete = false;
+    while (!complete) {
+        let result = await pollAuthResult(token, client);
+        if (result.statusCode === 200) {
+            succeedSpinner(authSpinner, i18n.__('authSuccessMessage'));
+            console.log(i18n.__('runScanMessage'));
+            return result.body;
+        }
+        let endTime = new Date() - startTime;
+        if (endTime > timeout) {
+            failSpinner(authSpinner, i18n.__('authTimedOutMessage'));
+            process.exit(1);
+            return;
+        }
+    }
+};
+const pollAuthResult = async (token, client) => {
+    await sleep(5000);
+    return client
+        .pollForAuth(token)
+        .then(res => {
+        return res;
+    })
+        .catch(err => {
+        console.log(err);
+    });
+};
+module.exports = {
+    processAuth: processAuth
+};

package/dist/commands/config/config.js

@@ -0,0 +1,24 @@
+"use strict";
+const commandLineArgs = require('command-line-args');
+const processConfig = (argv, config) => {
+    const options = [{ name: 'clear', alias: 'c', type: Boolean }];
+    try {
+        const configOptions = commandLineArgs(options, {
+            argv,
+            caseInsensitive: true,
+            camelCase: true
+        });
+        if (configOptions.clear) {
+            config.clear();
+        }
+        else {
+            console.log(JSON.parse(JSON.stringify(config.store)));
+        }
+    }
+    catch (e) {
+        console.log(e.message.toString());
+    }
+};
+module.exports = {
+    processConfig: processConfig
+};

package/dist/commands/scan/processScan.js

@@ -0,0 +1,23 @@
+"use strict";
+const { startScan } = require('../../scan/scanController');
+const paramHandler = require('../../utils/paramsUtil/paramHandler');
+const { formatScanOutput } = require('../../scan/scan');
+const { scanUsageGuide } = require('../../scan/help');
+const processScan = async () => {
+    let getScanSubCommands = paramHandler.getScanSubCommands();
+    if (getScanSubCommands.help) {
+        printHelpMessage();
+        process.exit(1);
+    }
+    let scanResults = await startScan();
+    if (scanResults) {
+        formatScanOutput(scanResults?.projectOverview, scanResults?.scanResultsInstances);
+    }
+};
+const printHelpMessage = () => {
+    console.log(scanUsageGuide);
+};
+module.exports = {
+    processScan,
+    printHelpMessage
+};

package/dist/common/HTTPClient.js

@@ -0,0 +1,192 @@
+"use strict";
+const _ = require('lodash');
+const fs = require('fs');
+const requestUtils = require('./../utils/requestUtils');
+const { AUTH_CALLBACK_URL } = require('../constants/constants');
+function HTTPClient(config) {
+    const apiKey = config.apiKey;
+    const authToken = config.authorization;
+    const superApiKey = config.super_api_key;
+    const superAuthToken = config.super_authorization;
+    this.requestOptions = {
+        forever: true,
+        json: true,
+        rejectUnauthorized: this.rejectUnauthorized,
+        uri: config.host,
+        followRedirect: false,
+        headers: {
+            'Content-Type': 'application/json; charset=utf-8',
+            Authorization: authToken,
+            'API-Key': apiKey,
+            SuperAuthorization: superAuthToken,
+            'Super-API-Key': superApiKey
+        }
+    };
+    if (config.proxy) {
+        this.requestOptions.proxy = config.proxy;
+    }
+    this.maybeAddCertsToRequest(config);
+}
+HTTPClient.prototype.maybeAddCertsToRequest = function (config) {
+    const caCertFilePath = config.cacert;
+    if (caCertFilePath) {
+        const caFileContent = fs.readFileSync(caCertFilePath);
+        if (caFileContent instanceof Error) {
+            throw new Error(`Unable to read CA from config option contrast.api.certificate.ca_file='${caCertFilePath}', msg: ${caFileContent.message}`);
+        }
+        this.requestOptions.ca = caFileContent;
+    }
+    const certPath = config.cert;
+    if (certPath) {
+        const certFile = fs.readFileSync(certPath);
+        if (certFile instanceof Error) {
+            throw new Error(`Unable to read Certificate PEM file from config option contrast.api.certificate.cert_file='${certPath}', msg: ${certFile.message}`);
+        }
+        this.requestOptions.cert = certFile;
+    }
+    const keyPath = config.key;
+    if (keyPath) {
+        const keyFile = fs.readFileSync(keyPath);
+        if (keyFile instanceof Error) {
+            throw new Error(`Unable to read Key PEM file from config option contrast.api.certificate.key_file='${keyPath}', msg: ${keyFile.message}`);
+        }
+        this.requestOptions.key = keyFile;
+    }
+};
+HTTPClient.prototype.getScanResultsInstances = function getScanResultsInstances(config, scanId) {
+    const options = _.cloneDeep(this.requestOptions);
+    let url = createScanResultsInstancesURL(config, scanId);
+    options.url = url;
+    return requestUtils.sendRequest({ method: 'get', options });
+};
+HTTPClient.prototype.getSpecificScanResult = function getSpecificScanResult(config, scanId) {
+    const options = _.cloneDeep(this.requestOptions);
+    let url = createSpecificScanResultURL(config, scanId);
+    options.url = url;
+    return requestUtils.sendRequest({ method: 'get', options });
+};
+HTTPClient.prototype.getScanId = function getScanId(config, codeArtifactId) {
+    const options = _.cloneDeep(this.requestOptions);
+    let url = createGetScanIdURL(config);
+    options.url = url;
+    options.body = {
+        codeArtifactId: codeArtifactId,
+        label: `Started by CLI tool at ${new Date().toString()}`
+    };
+    return requestUtils.sendRequest({ method: 'post', options });
+};
+HTTPClient.prototype.sendArtifact = async function sendArtifact(config) {
+    const options = _.cloneDeep(this.requestOptions);
+    let formData = {
+        filename: fs.createReadStream(config.file)
+    };
+    options.formData = formData;
+    options.headers['Content-Type'] = 'multipart/form-data';
+    options.url = createHarmonyUrl(config);
+    return requestUtils.sendRequest({ method: 'post', options });
+};
+HTTPClient.prototype.createProjectId = function createProjectId(config) {
+    const options = _.cloneDeep(this.requestOptions);
+    options.body = {
+        name: config.name,
+        archived: 'false',
+        language: config.language
+    };
+    options.url = createHarmonyProjectsUrl(config);
+    return requestUtils.sendRequest({ method: 'post', options });
+};
+HTTPClient.prototype.getProjectIdByName = function getProjectIdByName(config) {
+    const options = _.cloneDeep(this.requestOptions);
+    options.url = createHarmonyProjectsUrl(config) + '?name=' + config.name;
+    return requestUtils.sendRequest({ method: 'get', options });
+};
+HTTPClient.prototype.getScanProjectById = function getScanProjectById(config) {
+    const options = _.cloneDeep(this.requestOptions);
+    options.url = createScanProjectUrl(config);
+    return requestUtils.sendRequest({ method: 'get', options });
+};
+HTTPClient.prototype.getGlobalProperties = function getGlobalProperties() {
+    const options = _.cloneDeep(this.requestOptions);
+    let url = createGlobalPropertiesUrl(options.uri);
+    options.url = url;
+    return requestUtils.sendRequest({ method: 'get', options });
+};
+HTTPClient.prototype.pollForAuth = function pollForAuth(token) {
+    const options = _.cloneDeep(this.requestOptions);
+    let url = pollForAuthUrl();
+    options.url = url;
+    let requestBody = {};
+    requestBody.token = token;
+    options.body = requestBody;
+    return requestUtils.sendRequest({ method: 'post', options });
+};
+function getServerlessHost(config = {}) {
+    const originalHost = config?.host || config?.get('host');
+    const host = originalHost?.endsWith('/')
+        ? originalHost.slice(0, -1)
+        : originalHost;
+    return `${host}/Contrast/api/serverless`;
+}
+function createScanFunctionPostUrl(config, params) {
+    const url = getServerlessHost(config);
+    const { provider, accountId, organizationId } = params;
+    return `${url}/organizations/${organizationId}/providers/${provider}/accounts/${accountId}/function-scan`;
+}
+function createScanResourcesGetUrl(config, params, scanId) {
+    const url = getServerlessHost(config);
+    const { provider, accountId, organizationId } = params;
+    const encodedScanId = encodeURIComponent(scanId);
+    return `${url}/organizations/${organizationId}/providers/${provider}/accounts/${accountId}/scans/${encodedScanId}/resources`;
+}
+function createScanResultsGetUrl(config, params, scanId, functionArn) {
+    const url = getServerlessHost(config);
+    const encodedScanId = encodeURIComponent(scanId);
+    const encodedFunctionArn = encodeURIComponent(functionArn);
+    const { provider, accountId, organizationId } = params;
+    return `${url}/organizations/${organizationId}/providers/${provider}/accounts/${accountId}/scans/${encodedScanId}/resources/${encodedFunctionArn}/results`;
+}
+HTTPClient.prototype.postFunctionScan = async function postFunctionScan(config, parameters, body) {
+    const url = createScanFunctionPostUrl(config, parameters);
+    const options = { ...this.requestOptions, body, url };
+    return requestUtils.sendRequest({ method: 'post', options });
+};
+HTTPClient.prototype.getScanResources = async function getScanResources(config, parameters, scanId) {
+    const url = createScanResourcesGetUrl(config, parameters, scanId);
+    const options = { ...this.requestOptions, url };
+    return requestUtils.sendRequest({ method: 'get', options });
+};
+HTTPClient.prototype.getFunctionScanResults = async function getFunctionScanResults(config, parameters, scanId, functionArn) {
+    const url = createScanResultsGetUrl(config, parameters, scanId, functionArn);
+    const options = { ...this.requestOptions, url };
+    return requestUtils.sendRequest({ method: 'get', options });
+};
+const createGetScanIdURL = config => {
+    return `${config.host}/Contrast/api/sast/v1/organizations/${config.organizationId}/projects/${config.projectId}/scans/`;
+};
+const createScanResultsInstancesURL = (config, scanId) => {
+    return `${config.host}/Contrast/api/sast/v1/organizations/${config.organizationId}/projects/${config.projectId}/scans/${scanId}/result-instances?sort=severity,asc`;
+};
+const createRawOutputURL = (config, codeArtifactId) => {
+    return `${config.host}/Contrast/api/sast/v1/organizations/${config.organizationId}/projects/${config.projectId}/scans/${codeArtifactId}/raw-output`;
+};
+const createSpecificScanResultURL = (config, scanId) => {
+    return `${config.host}/Contrast/api/sast/v1/organizations/${config.organizationId}/projects/${config.projectId}/scans/${scanId}`;
+};
+function createHarmonyUrl(config) {
+    return `${config.host}/Contrast/api/sast/v1/organizations/${config.organizationId}/projects/${config.projectId}/code-artifacts`;
+}
+function createHarmonyProjectsUrl(config) {
+    return `${config.host}/Contrast/api/sast/v1/organizations/${config.organizationId}/projects`;
+}
+function createScanProjectUrl(config) {
+    return `${config.host}/Contrast/api/sast/v1/organizations/${config.organizationId}/projects/${config.projectId}`;
+}
+const createGlobalPropertiesUrl = protocol => {
+    return `${protocol}/Contrast/api/ng/global/properties`;
+};
+const pollForAuthUrl = () => {
+    return `${AUTH_CALLBACK_URL}/auth/credentials`;
+};
+module.exports = HTTPClient;
+module.exports.pollForAuthUrl = pollForAuthUrl;
+module.exports.getServerlessHost = getServerlessHost;

package/dist/common/errorHandling.js

@@ -0,0 +1,60 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getErrorMessage = exports.generalError = exports.hostWarningError = exports.failOptionError = exports.proxyError = exports.forbiddenError = exports.badRequestError = exports.unauthenticatedError = exports.genericError = void 0;
+const i18n_1 = __importDefault(require("i18n"));
+const genericError = (missingCliOption) => {
+    console.log(`*************************** ${i18n_1.default.__('yamlMissingParametersHeader')} ***************************\n${missingCliOption}`);
+    console.error(i18n_1.default.__('yamlMissingParametersMessage'));
+    process.exit(1);
+};
+exports.genericError = genericError;
+const unauthenticatedError = () => {
+    generalError('unauthenticatedErrorHeader', 'unauthenticatedErrorMessage');
+};
+exports.unauthenticatedError = unauthenticatedError;
+const badRequestError = (catalogue) => {
+    catalogue === true
+        ? generalError('badRequestErrorHeader', 'badRequestCatalogueErrorMessage')
+        : generalError('badRequestErrorHeader', 'badRequestErrorMessage');
+};
+exports.badRequestError = badRequestError;
+const forbiddenError = () => {
+    generalError('forbiddenRequestErrorHeader', 'forbiddenRequestErrorMessage');
+};
+exports.forbiddenError = forbiddenError;
+const proxyError = () => {
+    generalError('proxyErrorHeader', 'proxyErrorMessage');
+};
+exports.proxyError = proxyError;
+const hostWarningError = () => {
+    console.log(i18n_1.default.__('snapshotHostMessage'));
+};
+exports.hostWarningError = hostWarningError;
+const failOptionError = () => {
+    console.log('\n ******************************** ' +
+        i18n_1.default.__('snapshotFailureHeader') +
+        ' ********************************\n' +
+        i18n_1.default.__('failOptionErrorMessage'));
+};
+exports.failOptionError = failOptionError;
+const getErrorMessage = (header, message) => {
+    const title = `******************************** ${i18n_1.default.__(header)} ********************************`;
+    const multiLine = message?.includes('\n');
+    let finalMessage = '';
+    if (multiLine) {
+        finalMessage = `\n${message}`;
+    }
+    else if (message) {
+        finalMessage = `\n${i18n_1.default.__(message)}`;
+    }
+    return `${title}${finalMessage}`;
+};
+exports.getErrorMessage = getErrorMessage;
+const generalError = (header, message) => {
+    const finalMessage = getErrorMessage(header, message);
+    console.log(finalMessage);
+};
+exports.generalError = generalError;

package/dist/constants/constants.js

@@ -0,0 +1,30 @@
+"use strict";
+const NODE = 'NODE';
+const DOTNET = 'DOTNET';
+const JAVA = 'JAVA';
+const RUBY = 'RUBY';
+const PYTHON = 'PYTHON';
+const GO = 'GO';
+const PHP = 'PHP';
+const JAVASCRIPT = 'JAVASCRIPT';
+const LOW = 'LOW';
+const MEDIUM = 'MEDIUM';
+const HIGH = 'HIGH';
+const CRITICAL = 'CRITICAL';
+const APP_NAME = 'contrast';
+const APP_VERSION = '1.0.0';
+const TIMEOUT = 120000;
+const AUTH_UI_URL = 'https://cli-auth.contrastsecurity.com';
+const AUTH_CALLBACK_URL = 'https://cli-auth-api.contrastsecurity.com';
+module.exports = {
+    supportedLanguages: { NODE, DOTNET, JAVA, RUBY, PYTHON, GO, PHP, JAVASCRIPT },
+    LOW,
+    MEDIUM,
+    HIGH,
+    CRITICAL,
+    APP_VERSION,
+    APP_NAME,
+    TIMEOUT,
+    AUTH_UI_URL,
+    AUTH_CALLBACK_URL
+};

package/dist/constants/lambda.js

@@ -0,0 +1,31 @@
+"use strict";
+const lambda = {
+    failedToStartScan: 'Failed to start scan',
+    failedToParseArn: 'Failed to parse ARN',
+    failedToGetScan: 'Failed to get scan',
+    missingLambdaConfig: 'Missing Lambda Configuration',
+    missingLambdaArn: 'Missing Lambda ARN',
+    validationFailed: 'Request validation failed',
+    missingFunctionName: 'Required parameter --function-name is missing.\nRun command with --help to see usage',
+    failedToGetResults: 'Failed to get results',
+    missingResults: 'Missing vulnerabilities',
+    missingParameter: 'Required function parameter is missing',
+    awsError: 'AWS error',
+    missingFlagArguments: 'The following flags are missing an arguments:\n%s',
+    notSupportedFlags: 'The following flags are not supported:\n%s\nRun command with --help to see usage',
+    something_went_wrong: 'Something went wrong',
+    not_found_404: '404 error - Not found',
+    internal_error: 'Internal error',
+    inactive_account: 'Scanning a function of an inactive account is not supported',
+    not_supported_runtime: 'Scanning resource of runtime "%s" is not supported.\nSupported runtimes: %s',
+    not_supported_onboard_account: 'Scanning a function of onboard account is not supported',
+    scan_lock: 'Other scan is still running. Please wait until the previous scan finishes',
+    unsupported: 'unsupported',
+    excluded: 'excluded',
+    canceled: 'canceled',
+    failed: 'failed',
+    dismissed: 'dismissed'
+};
+module.exports = {
+    lambda
+};