@contrast/contrast 1.0.0

package/src/scan/scan.js

@@ -0,0 +1,126 @@
+const commonApi = require('../utils/commonApi.js')
+const fileUtils = require('../scan/fileUtils')
+const allowedFileTypes = ['.jar', '.war', '.js', '.zip']
+const i18n = require('i18n')
+const AdmZip = require('adm-zip')
+const oraWrapper = require('../utils/oraWrapper')
+const { supportedLanguages } = require('../constants/constants')
+
+const isFileAllowed = scanOption => {
+  let valid = false
+  allowedFileTypes.forEach(fileType => {
+    if (scanOption.endsWith(fileType)) {
+      valid = true
+    }
+  })
+  return valid
+}
+
+const sendScan = async config => {
+  if (!isFileAllowed(config.file)) {
+    console.log(i18n.__('scanErrorFileMessage'))
+    process.exit(9)
+  } else {
+    fileUtils.checkFilePermissions(config.file)
+    const client = commonApi.getHttpClient(config)
+
+    const startUploadSpinner = oraWrapper.returnOra(i18n.__('uploadingScan'))
+    oraWrapper.startSpinner(startUploadSpinner)
+
+    return await client
+      .sendArtifact(config)
+      .then(res => {
+        if (res.statusCode === 201) {
+          oraWrapper.succeedSpinner(
+            startUploadSpinner,
+            i18n.__('uploadingScanSuccessful')
+          )
+          if (config.verbose) {
+            console.log(i18n.__('responseMessage', res.body))
+          }
+          return res.body.id
+        } else {
+          oraWrapper.failSpinner(
+            startUploadSpinner,
+            i18n.__('uploadingScanFail')
+          )
+          process.exit(1)
+        }
+      })
+      .catch(err => {
+        console.log(err)
+      })
+  }
+}
+
+const zipValidator = configToUse => {
+  if (configToUse.file.endsWith('.zip')) {
+    let zipFileName = configToUse.file.split('/').pop()
+    try {
+      let zip = new AdmZip(configToUse.file)
+      let zipEntries = zip.getEntries()
+      zipEntries.forEach(function(zipEntry) {
+        if (
+          !zipEntry.entryName.includes('._') &&
+          !zipEntry.entryName.includes('/.')
+        ) {
+          if (!zipEntry.isDirectory) {
+            if (!zipEntry.entryName.endsWith('.js')) {
+              console.log(i18n.__('scanZipError', zipFileName))
+              process.exit(1)
+            }
+          }
+        }
+      })
+      configToUse.language = supportedLanguages.JAVASCRIPT
+    } catch {
+      console.log(i18n.__('zipFileException'))
+    }
+  }
+}
+
+const formatScanOutput = (overview, results) => {
+  console.log()
+  console.log('Here are your top priorities to fix')
+  console.log()
+
+  results.content.forEach(entry => {
+    console.log(entry.severity, 'ID:', entry.id)
+    console.log(
+      entry.ruleId,
+      'in',
+      entry.locations[0]?.physicalLocation.artifactLocation.uri,
+      '@',
+      entry.codeFlows[0]?.threadFlows[0]?.locations[0]?.location
+        ?.physicalLocation?.region?.startLine
+    )
+    console.log()
+  })
+
+  const totalVulnerabilities =
+    overview.critical +
+    overview.high +
+    overview.medium +
+    overview.low +
+    overview.note
+
+  console.log(`Found ${totalVulnerabilities} vulnerabilities`)
+  console.log(
+    i18n.__(
+      'foundDetailedVulnerabilities',
+      overview.critical,
+      overview.high,
+      overview.medium,
+      overview.low,
+      overview.note
+    )
+  )
+}
+
+module.exports = {
+  sendScan: sendScan,
+  allowedFileTypes: allowedFileTypes,
+  isFileAllowed: isFileAllowed,
+  formatScanOutput: formatScanOutput,
+  zipValidator: zipValidator
+}

package/src/scan/scanController.js

@@ -0,0 +1,69 @@
+const i18n = require('i18n')
+const {
+  returnOra,
+  startSpinner,
+  succeedSpinner
+} = require('../utils/oraWrapper')
+const populateProjectIdAndProjectName = require('./populateProjectIdAndProjectName')
+const scan = require('./scan')
+const scanResults = require('./scanResults')
+const autoDetection = require('./autoDetection')
+const paramHandler = require('../utils/paramsUtil/paramHandler')
+const fileFunctions = require('./fileUtils')
+
+const getTimeout = config => {
+  if (config.timeout) {
+    return config.timeout
+  } else {
+    if (config.verbose) {
+      console.log('Timeout set to 5 minutes')
+    }
+    return 300
+  }
+}
+
+const startScan = async () => {
+  let paramsAuth = paramHandler.getAuth()
+  let getScanSubCommands = paramHandler.getScanSubCommands()
+  const configToUse = { ...paramsAuth, ...getScanSubCommands }
+  if (configToUse.file === undefined || configToUse.file === null) {
+    await autoDetection.autoDetectFileAndLanguage(configToUse)
+  } else {
+    if (fileFunctions.fileExists(configToUse.file)) {
+      scan.zipValidator(configToUse)
+      autoDetection.assignLanguage([configToUse.file], configToUse)
+    } else {
+      console.log(i18n.__('fileNotExist'))
+      process.exit(0)
+    }
+  }
+
+  if (!configToUse.projectId) {
+    configToUse.projectId = await populateProjectIdAndProjectName.populateProjectId(
+      configToUse
+    )
+  }
+  const codeArtifactId = await scan.sendScan(configToUse)
+
+  if (!configToUse.ff) {
+    const startScanSpinner = returnOra('Contrast Scan started')
+    startSpinner(startScanSpinner)
+    const scanDetail = await scanResults.returnScanResults(
+      configToUse,
+      codeArtifactId,
+      getTimeout(configToUse),
+      startScanSpinner
+    )
+    const scanResultsInstances = await scanResults.returnScanResultsInstances(
+      configToUse,
+      scanDetail.id
+    )
+    succeedSpinner(startScanSpinner, 'Contrast Scan complete')
+    const projectOverview = await scanResults.returnScanProjectById(configToUse)
+    return { projectOverview, scanResultsInstances }
+  }
+}
+
+module.exports = {
+  startScan: startScan
+}

package/src/scan/scanResults.js

@@ -0,0 +1,96 @@
+const commonApi = require('../utils/commonApi')
+const requestUtils = require('../../src/utils/requestUtils')
+const i18n = require('i18n')
+const oraFunctions = require('../utils/oraWrapper')
+
+const getScanId = async (config, codeArtifactId, client) => {
+  return client
+    .getScanId(config, codeArtifactId)
+    .then(res => {
+      return res.body.id
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+const pollScanResults = async (config, scanId, client) => {
+  await requestUtils.sleep(5000)
+  return client
+    .getSpecificScanResult(config, scanId)
+    .then(res => {
+      return res
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+const returnScanResults = async (
+  config,
+  codeArtifactId,
+  timeout,
+  startScanSpinner
+) => {
+  const client = commonApi.getHttpClient(config)
+  let scanId = await getScanId(config, codeArtifactId, client)
+  let startTime = new Date()
+  let complete = false
+  while (!complete) {
+    let result = await pollScanResults(config, scanId, client)
+    if (JSON.stringify(result.statusCode) == 200) {
+      if (result.body.status === 'COMPLETED') {
+        complete = true
+        return result.body
+      }
+      if (result.body.status === 'FAILED') {
+        complete = true
+        oraFunctions.failSpinner(startScanSpinner, 'Contrast Scan Failed.')
+        process.exit(1)
+      }
+    }
+    let endTime = new Date() - startTime
+    if (requestUtils.millisToSeconds(endTime) > timeout) {
+      oraFunctions.failSpinner(
+        startScanSpinner,
+        'Contrast Scan timed out at the specified ' + timeout + ' seconds.'
+      )
+      console.log('Please try again, allowing more time.')
+      process.exit(1)
+    }
+  }
+}
+
+const returnScanResultsInstances = async (config, scanId) => {
+  const client = commonApi.getHttpClient(config)
+  let result
+  try {
+    result = await client.getScanResultsInstances(config, scanId)
+    if (JSON.stringify(result.statusCode) == 200) {
+      return result.body
+    }
+  } catch (e) {
+    console.log(e.message.toString())
+  }
+}
+
+const returnScanProjectById = async config => {
+  const client = commonApi.getHttpClient(config)
+  let result
+  try {
+    result = await client.getScanProjectById(config)
+    if (JSON.stringify(result.statusCode) == 200) {
+      return result.body
+    }
+  } catch (e) {
+    console.log(e.message.toString())
+  }
+}
+
+module.exports = {
+  getScanId: getScanId,
+  returnScanResults: returnScanResults,
+  pollScanResults: pollScanResults,
+  returnScanResultsInstances: returnScanResultsInstances,
+  returnScanProjectById: returnScanProjectById
+}

package/src/utils/commonApi.js

@@ -0,0 +1,54 @@
+const HttpClient = require('./../common/HTTPClient')
+const {
+  badRequestError,
+  unauthenticatedError,
+  forbiddenError,
+  proxyError,
+  hostWarningError,
+  genericError
+} = require('../common/errorHandling')
+
+const handleResponseErrors = (res, api, hostPresent) => {
+  if (res.statusCode === 400) {
+    api === 'catalogue' ? badRequestError(true) : badRequestError(false)
+  } else if (res.statusCode === 401) {
+    unauthenticatedError()
+  } else if (res.statusCode === 403) {
+    forbiddenError()
+  } else if (res.statusCode === 407) {
+    proxyError()
+  } else {
+    hostPresent === false ? hostWarningError() : genericError()
+  }
+}
+
+const getProtocol = host => {
+  const hasProtocol =
+    host.toLowerCase().includes('https://') ||
+    host.toLowerCase().includes('http://')
+  return hasProtocol ? host : 'https://' + host
+}
+
+const getPath = host => {
+  const hasContrastPath = host.toLowerCase().endsWith('/contrast')
+  return hasContrastPath
+    ? host.toLowerCase().substring(0, host.length - 9)
+    : host.replace(/\/*$/, '')
+}
+
+const getValidHost = host => {
+  const correctProtocol = getProtocol(host)
+  return getPath(correctProtocol)
+}
+
+const getHttpClient = config => {
+  return new HttpClient(config)
+}
+
+module.exports = {
+  getPath: getPath,
+  getValidHost: getValidHost,
+  getProtocol: getProtocol,
+  handleResponseErrors: handleResponseErrors,
+  getHttpClient: getHttpClient
+}

package/src/utils/filterProjectPath.js

@@ -0,0 +1,21 @@
+const path = require('path')
+
+function resolveFilePath(filepath) {
+  if (filepath[0] === '~') {
+    return path.join(process.env.HOME, filepath.slice(1))
+  }
+  return filepath
+}
+
+const returnProjectPath = () => {
+  if (process.env.PWD !== (undefined || null || 'undefined')) {
+    return process.env.PWD
+  } else {
+    return process.argv[process.argv.indexOf('--project_path') + 1]
+  }
+}
+
+module.exports = {
+  returnProjectPath: returnProjectPath,
+  resolveFilePath: resolveFilePath
+}

package/src/utils/getConfig.ts

@@ -0,0 +1,42 @@
+import Conf from 'conf'
+
+type ContrastConfOptions = Partial<{
+  version: string
+  host: string
+  apiKey: string
+  orgId: string
+  authHeader: string
+}>
+
+type ContrastConf = Conf<ContrastConfOptions>
+
+const localConfig = (name: string, version: string) => {
+  const config: ContrastConf = new Conf<ContrastConfOptions>({
+    configName: name
+  })
+  config.set('version', version)
+  if (!config.has('host')) {
+    config.set('host', 'https://ce.contrastsecurity.com/')
+  }
+  return config
+}
+
+const createConfigFromYaml = (yamlPath: string) => {
+  const yamlConfig = {}
+  return yamlConfig
+}
+
+const setConfigValues = (config: ContrastConf, values: ContrastConfOptions) => {
+  config.set('apiKey', values.apiKey)
+  config.set('organizationId', values.orgId)
+  config.set('authorization', values.authHeader)
+  values.host ? config.set('host', values.host) : null
+}
+
+export {
+  localConfig,
+  createConfigFromYaml,
+  setConfigValues,
+  ContrastConf,
+  ContrastConfOptions
+}

package/src/utils/oraWrapper.js

@@ -0,0 +1,24 @@
+const ora = require('ora')
+
+const returnOra = text => {
+  return ora(text)
+}
+
+const startSpinner = spinner => {
+  spinner.start()
+}
+
+const succeedSpinner = (spinner, text) => {
+  spinner.succeed(text)
+}
+
+const failSpinner = (spinner, text) => {
+  spinner.fail(text)
+}
+
+module.exports = {
+  returnOra,
+  startSpinner,
+  succeedSpinner,
+  failSpinner
+}

package/src/utils/paramsUtil/commandlineParams.js

@@ -0,0 +1,37 @@
+const cliOptions = require('../parsedCLIOptions')
+const parsedCLIOptions = cliOptions.getCommandLineArgs()
+
+const getAuth = () => {
+  let params = {}
+
+  params.apiKey = parsedCLIOptions['apiKey']
+  params.authorization = parsedCLIOptions['authorization']
+  params.host = parsedCLIOptions['host']
+  params.organizationId = parsedCLIOptions['organizationId']
+  return params
+}
+
+const getScanParams = () => {
+  let scanParams = {}
+  scanParams.help = parsedCLIOptions['help']
+  scanParams.file = parsedCLIOptions['file']
+  scanParams.language = parsedCLIOptions['language']
+    ? parsedCLIOptions['language'].toUpperCase()
+    : parsedCLIOptions['language']
+  scanParams.ff = parsedCLIOptions['ff']
+  scanParams.timeout = parsedCLIOptions['timeout']
+  scanParams.name = parsedCLIOptions['name']
+  scanParams.verbose = parsedCLIOptions['verbose']
+
+  // if no name, take the full file path and use it as the project name
+  if (!scanParams.name) {
+    scanParams.name = scanParams.file
+  }
+
+  return scanParams
+}
+
+module.exports = {
+  getScanParams: getScanParams,
+  getAuth: getAuth
+}

package/src/utils/paramsUtil/configStoreParams.js

@@ -0,0 +1,19 @@
+const validationCheck = require('../validationCheck')
+const commonApi = require('../commonApi')
+const config = require('../getConfig')
+const { APP_NAME, APP_VERSION } = require('../../constants/constants')
+
+const getAuth = () => {
+  const ContrastConf = config.localConfig(APP_NAME, APP_VERSION)
+  let ContrastConfToUse = {}
+  if (validationCheck.checkConfigHasRequiredValues(ContrastConf)) {
+    ContrastConfToUse.apiKey = ContrastConf.get('apiKey')
+    ContrastConfToUse.organizationId = ContrastConf.get('organizationId')
+    ContrastConfToUse.host = commonApi.getValidHost(ContrastConf.get('host'))
+    ContrastConfToUse.authorization = ContrastConf.get('authorization')
+    ContrastConfToUse.version = ContrastConf.get('version')
+  }
+  return ContrastConfToUse
+}
+
+module.exports = { getAuth: getAuth }

package/src/utils/paramsUtil/envVariableParams.js

@@ -0,0 +1,10 @@
+const getAuth = () => {
+  let params = {}
+  params.apiKey = process.env.CONTRAST__API__API_KEY
+  params.authorization = process.env.CONTRAST__API__AUTHORIZATION
+  params.host = process.env.CONTRAST__API__URL
+  params.organizationId = process.env.CONTRAST__API__ORGANIZATION_ID
+  return params
+}
+
+module.exports = { getAuth: getAuth }

package/src/utils/paramsUtil/paramHandler.js

@@ -0,0 +1,28 @@
+const commandlineAuth = require('./commandlineParams')
+const configStoreParams = require('./configStoreParams')
+const envVariableParams = require('./envVariableParams')
+const { validateAuthParams } = require('../validationCheck')
+const i18n = require('i18n')
+
+const getAuth = () => {
+  let commandLineAuthParamsAuth = commandlineAuth.getAuth()
+  let envVariableParamsAuth = envVariableParams.getAuth()
+  let configStoreParamsAuth = configStoreParams.getAuth()
+
+  if (validateAuthParams(commandLineAuthParamsAuth)) {
+    return commandLineAuthParamsAuth
+  } else if (validateAuthParams(envVariableParamsAuth)) {
+    return envVariableParamsAuth
+  } else if (validateAuthParams(configStoreParamsAuth)) {
+    return configStoreParamsAuth
+  } else {
+    console.log(i18n.__('configNotFound'))
+    process.exit(1)
+  }
+}
+
+const getScanSubCommands = () => {
+  return commandlineAuth.getScanParams()
+}
+
+module.exports = { getAuth: getAuth, getScanSubCommands: getScanSubCommands }

package/src/utils/parsedCLIOptions.js

@@ -0,0 +1,17 @@
+const constants = require('../constants')
+const commandLineArgs = require('command-line-args')
+
+const getCommandLineArgs = () => {
+  return commandLineArgs(
+    constants.commandLineDefinitions.scanOptionDefinitions,
+    {
+      partial: true,
+      camelCase: true,
+      caseInsensitive: true
+    }
+  )
+}
+
+module.exports = {
+  getCommandLineArgs: getCommandLineArgs
+}

package/src/utils/requestUtils.js

@@ -0,0 +1,22 @@
+const request = require('request')
+const Promise = require('bluebird')
+
+Promise.promisifyAll(request)
+
+function sendRequest({ options, method = 'put' }) {
+  return request[`${method}Async`](options.url, options)
+}
+
+const millisToSeconds = millis => {
+  return ((millis % 60000) / 1000).toFixed(0)
+}
+
+const sleep = ms => {
+  return new Promise(resolve => setTimeout(resolve, ms))
+}
+
+module.exports = {
+  sendRequest: sendRequest,
+  sleep: sleep,
+  millisToSeconds: millisToSeconds
+}

package/src/utils/validationCheck.js

@@ -0,0 +1,34 @@
+const checkConfigHasRequiredValues = store => {
+  return (
+    store.has('apiKey') &&
+    store.has('organizationId') &&
+    store.has('host') &&
+    store.has('authorization') &&
+    store.has('version')
+  )
+}
+
+const validateRequiredScanParams = params => {
+  return (
+    params.apiKey &&
+    params.organizationId &&
+    params.host &&
+    params.authorization &&
+    params.version
+  )
+}
+
+const validateAuthParams = params => {
+  return !!(
+    params.apiKey &&
+    params.organizationId &&
+    params.host &&
+    params.authorization
+  )
+}
+
+module.exports = {
+  checkConfigHasRequiredValues: checkConfigHasRequiredValues,
+  validateAuthParams: validateAuthParams,
+  validateRequiredScanParams: validateRequiredScanParams
+}