@contrast/contrast 1.0.0

package/src/lambda/scanDetailCompletion.ts

@@ -0,0 +1,78 @@
+import { sleep } from '../utils/requestUtils'
+import { getHttpClient } from '../utils/commonApi'
+import { ApiParams } from './lambda'
+import HTTPClient from '../common/HTTPClient'
+import ora from '../utils/oraWrapper'
+import { CliError } from './cliError'
+import { ERRORS } from './constants'
+import { ContrastConf } from '../utils/getConfig'
+
+const MS_IN_MINUTE = 1000 * 60
+
+const getScanResources = async (
+  config: ContrastConf,
+  params: ApiParams,
+  scanId: string,
+  httpClient: HTTPClient
+) => {
+  const res = await httpClient.getScanResources(config, params, scanId)
+  const { statusCode, body } = res
+
+  if (statusCode === 200) {
+    return res
+  }
+
+  const { errorCode } = body || {}
+  throw new CliError(ERRORS.FAILED_TO_GET_SCAN, { statusCode, errorCode })
+}
+
+const pollScanUntilCompletion = async (
+  config: any,
+  timeoutInMinutes: number,
+  params: ApiParams,
+  scanId: string
+) => {
+  const client = getHttpClient(config)
+
+  const activeStatuses = ['PENDING', 'SCANNING', 'QUEUED']
+  const startedText = 'Scan started'
+  const maxEndTime = new Date().getTime() + timeoutInMinutes * MS_IN_MINUTE
+  const startScanSpinner = ora.returnOra(startedText)
+  ora.startSpinner(startScanSpinner)
+
+  await sleep(5000) // wait 5 sec before first polling
+
+  let complete = false
+  while (!complete) {
+    try {
+      const result = await exports.getScanResources(
+        config,
+        params,
+        scanId,
+        client
+      )
+      const { resources: scans } = result.body.data
+      const staticScans = scans?.filter((s: any) => s.scanType === 2)
+      complete = staticScans.some((s: any) => !activeStatuses.includes(s.state))
+
+      if (complete) {
+        ora.succeedSpinner(startScanSpinner, 'Scan Finished')
+        return scans
+      }
+
+      await sleep(2 * 1000)
+    } catch (error) {
+      ora.failSpinner(startScanSpinner, 'Scan Failed')
+      throw error
+    }
+
+    if (Date.now() >= maxEndTime) {
+      ora.failSpinner(startScanSpinner, 'Scan timed out')
+      throw new CliError(ERRORS.FAILED_TO_GET_SCAN, {
+        errorCode: 'waitingTimedOut'
+      })
+    }
+  }
+}
+
+export { pollScanUntilCompletion, getScanResources }

package/src/lambda/scanRequest.ts

@@ -0,0 +1,142 @@
+import i18n from 'i18n'
+import logSymbols from 'log-symbols'
+import chalk from 'chalk'
+import { parseARN } from './arn'
+import {
+  getLambdaClient,
+  getLambdaFunctionConfiguration,
+  getLambdaPolicies,
+  getLayersLinks
+} from './aws'
+import { toLowerKeys } from './utils'
+import { getHttpClient } from '../utils/commonApi'
+import { ApiParams, LambdaOptions } from './lambda'
+import { log, prettyPrintJson } from './logUtils'
+import { CliError } from './cliError'
+import { ERRORS } from './constants'
+
+const sendScanPostRequest = async (
+  config: any,
+  params: ApiParams,
+  functionsEvent: unknown,
+  showProgress = false
+) => {
+  const client = getHttpClient(config)
+
+  if (showProgress) {
+    // prettier-ignore
+    log(`${logSymbols.success} Sending Lambda Function scan request to Contrast`)
+  }
+
+  const res = await client.postFunctionScan(config, params, functionsEvent)
+  const { statusCode, body } = res
+
+  if (statusCode === 201) {
+    if (showProgress) {
+      log(`${logSymbols.success} Scan requested successfully`)
+    }
+
+    return body?.data?.scanId
+  }
+
+  let { errorCode } = body?.data || {}
+  const { data } = body?.data || {}
+
+  let description = ''
+  switch (errorCode) {
+    case 'not_supported_runtime':
+      description = i18n.__(
+        errorCode,
+        data?.runtime,
+        data?.supportedRuntimes.sort().join(' | ')
+      )
+      errorCode = false
+      break
+  }
+
+  throw new CliError(ERRORS.FAILED_TO_START_SCAN, {
+    statusCode,
+    errorCode,
+    data,
+    description
+  })
+}
+
+const createFunctionEvent = (
+  lambdaConfig: any,
+  layersLinks: any,
+  lambdaPolicies: any
+) => {
+  delete lambdaConfig.$metadata
+
+  const functionEvent = toLowerKeys(lambdaConfig.Configuration)
+  functionEvent['code'] = lambdaConfig.Code
+  functionEvent['rolePolicies'] = lambdaPolicies
+
+  if (layersLinks) {
+    functionEvent['layers'] = layersLinks
+  }
+
+  return { function: functionEvent }
+}
+
+const requestScanFunctionPost = async (
+  config: any,
+  lambdaOptions: LambdaOptions
+) => {
+  const { verbose, jsonOutput, functionName } = lambdaOptions
+  const lambdaClient = getLambdaClient(lambdaOptions)
+
+  if (!jsonOutput) {
+    // prettier-ignore
+    log(`${logSymbols.success} Fetching configuration and policies for Lambda Function ${chalk.bold(functionName)}`)
+  }
+
+  const lambdaConfig = await getLambdaFunctionConfiguration(
+    lambdaClient,
+    lambdaOptions
+  )
+  if (!lambdaConfig?.Configuration) {
+    throw new CliError(ERRORS.FAILED_TO_START_SCAN, {
+      errorCode: 'missingLambdaConfig'
+    })
+  }
+  const { Configuration } = lambdaConfig
+  const layersLinks = await getLayersLinks(lambdaClient, Configuration)
+  const lambdaPolicies = await getLambdaPolicies(Configuration, lambdaOptions)
+
+  const functionEvent = createFunctionEvent(
+    lambdaConfig,
+    layersLinks,
+    lambdaPolicies
+  )
+  const { FunctionArn: functionArn } = Configuration
+  if (!functionArn) {
+    throw new CliError(ERRORS.FAILED_TO_START_SCAN, {
+      errorCode: 'missingLambdaArn'
+    })
+  }
+
+  const parsedARN = parseARN(functionArn)
+  const params: ApiParams = {
+    organizationId: config.organizationId,
+    provider: 'aws',
+    accountId: parsedARN.accountId
+  }
+
+  if (verbose) {
+    log(`${logSymbols.success} Fetched configuration from AWS:`)
+    prettyPrintJson(functionEvent)
+  }
+
+  const scanId = await sendScanPostRequest(
+    config,
+    params,
+    functionEvent,
+    !jsonOutput
+  )
+
+  return { scanId, params, functionArn }
+}
+
+export { sendScanPostRequest, requestScanFunctionPost, createFunctionEvent }

package/src/lambda/scanResults.ts

@@ -0,0 +1,29 @@
+import { getHttpClient } from '../utils/commonApi'
+import { CliError } from './cliError'
+import { ERRORS } from './constants'
+import { ApiParams } from './lambda'
+
+const getScanResults = async (
+  config: any,
+  params: ApiParams,
+  scanId: string,
+  functionArn: string
+) => {
+  const client = getHttpClient(config)
+
+  const { statusCode, body } = await client.getFunctionScanResults(
+    config,
+    params,
+    scanId,
+    functionArn
+  )
+
+  if (statusCode === 200) {
+    return body
+  }
+
+  const { errorCode } = body || {}
+  throw new CliError(ERRORS.FAILED_TO_GET_RESULTS, { statusCode, errorCode })
+}
+
+export { getScanResults }

package/src/lambda/utils.ts

@@ -0,0 +1,125 @@
+import chalk from 'chalk'
+import { capitalize, groupBy, minBy, sortBy } from 'lodash'
+import { log } from './logUtils'
+
+const groupByCVE = ({ title }: any) =>
+  title.substring(0, title.indexOf('[') - 1)
+
+const groupByDependency = ({ title }: any) =>
+  title.substring(title.indexOf('[') + 1, title.indexOf(']'))
+
+const prettyPrintResults = (results: any[]) => {
+  log('')
+
+  //filter out any vulnerabs which is not least privilege or dependencies- cli does not handle other vulnerabs yet
+  const vulnerabs = results.filter(r => r.category === 1 || r.category === 4)
+  const sortBySeverity = sortBy(vulnerabs, ['severity', 'title'])
+  const notDependencies = sortBySeverity.filter(r => r.category !== 1)
+  const dependencies = sortBySeverity.filter(r => r.category === 1)
+  const dependenciesByLibrary = groupBy(dependencies, groupByDependency)
+  const dependenciesCount = Object.keys(dependenciesByLibrary).length
+
+  notDependencies.forEach(printVulnerability)
+
+  const prevIndex = notDependencies.length + 1
+  Object.entries(dependenciesByLibrary).forEach(([library, group], i) => {
+    const maxSeverity = minBy(group, 'severity')
+    const allCves = group.map(groupByCVE)
+
+    log(prevIndex + i)
+    log(
+      `${chalk.bold(capitalize(maxSeverity.severityText))} | ${chalk.bold(
+        'Vulnerable dependency'
+      )} ${library} has ${group.length} known CVEs`
+    )
+    log(allCves.join(', '))
+    if (maxSeverity.remediation?.description) {
+      log(
+        `${chalk.bold('Recommendation:')} ${
+          maxSeverity.remediation.description
+        }`
+      )
+    }
+    log('')
+  })
+
+  const resultCount = notDependencies.length + dependenciesCount
+  const groupByType = groupBy(notDependencies, ['categoryText'])
+  const summary = Object.values(groupByType).map(
+    group => `${group.length} ${capitalize(group[0].categoryText)}`
+  )
+  log(`Found ${resultCount} vulnerabilities`, { bold: true })
+  summary.push(`${dependenciesCount} Dependencies`)
+
+  log(chalk.bold(summary.join(' | ')))
+}
+
+const underlineLinks = (text: string) => {
+  if (!text) {
+    return text
+  }
+
+  const urlRegex = /(https?:\/\/[^\s]+)/g
+  return text.replace(urlRegex, chalk.underline('$1'))
+}
+
+const printVulnerability = (vulnerability: any, index: number) => {
+  log(index + 1)
+  const descriptionWithLinks = underlineLinks(vulnerability.description)
+  log(
+    `${chalk.bold(capitalize(vulnerability.severityText))} | ${chalk.bold(
+      vulnerability.title
+    )} ${descriptionWithLinks}`
+  )
+
+  const category = vulnerability?.categoryText
+  switch (category) {
+    case 'PERMISSIONS':
+      printLeastPrivilegeRemediation(vulnerability)
+      break
+    default:
+      printRemediation(vulnerability)
+  }
+  log('')
+}
+
+const printLeastPrivilegeRemediation = (vulnerability: any) => {
+  log(
+    `${chalk.bold(
+      'Recommendation:'
+    )} Replace the existing policies with the following`
+  )
+
+  const violatingPolicies =
+    vulnerability?.evidence?.leastPrivilege?.violatingPolicies || []
+
+  violatingPolicies
+    .filter((vp: any) => vp?.suggestedPolicy?.suggestedPolicyCode?.length)
+    .map((vp: any) => vp?.suggestedPolicy?.suggestedPolicyCode)
+    .forEach((policies: any) => {
+      policies.forEach((policy: any) => {
+        console.log(policy.snippet)
+      })
+    })
+}
+
+const printRemediation = (vulnerability: any) => {
+  log(`Remediation - ${vulnerability?.remediation?.description || 'Unknown'}`)
+}
+
+function toLowerKeys(obj: Record<string, unknown>) {
+  return Object.keys(obj).reduce((accumulator, key) => {
+    const new_key = `${key[0].toLowerCase()}${key.slice(1)}`
+    accumulator[new_key] = obj[key]
+    return accumulator
+  }, {} as Record<string, unknown>)
+}
+
+export { toLowerKeys, prettyPrintResults }
+
+export const exportedForTesting = {
+  printLeastPrivilegeRemediation,
+  printRemediation,
+  printVulnerability,
+  underlineLinks
+}

package/src/scan/autoDetection.js

@@ -0,0 +1,77 @@
+const i18n = require('i18n')
+const { zipValidator } = require('./scan')
+const fileFinder = require('./fileUtils')
+const { supportedLanguages } = require('../constants/constants')
+
+const autoDetectFileAndLanguage = async configToUse => {
+  const entries = await fileFinder.findFile()
+
+  if (entries.length === 1) {
+    console.log(i18n.__('foundScanFile', entries[0]))
+
+    if (hasWhiteSpace(entries[0])) {
+      console.log(i18n.__('fileHasWhiteSpacesError'))
+      process.exit(1)
+    }
+
+    configToUse.file = entries[0]
+    if (configToUse.name === undefined) {
+      configToUse.name = entries[0]
+    }
+    zipValidator(configToUse)
+    assignLanguage(entries, configToUse)
+  } else {
+    errorOnFileDetection(entries)
+  }
+}
+
+const hasWhiteSpace = s => {
+  const filename = s.split('/').pop()
+  return filename.indexOf(' ') >= 0
+}
+
+const errorOnFileDetection = entries => {
+  if (entries.length > 1) {
+    console.log(i18n.__('searchingDirectoryScan'))
+    for (let file in entries) {
+      console.log('-', entries[file])
+    }
+    console.log('')
+    console.log(i18n.__('specifyFileScanError'))
+  } else {
+    console.log(i18n.__('noFileFoundScan'))
+    console.log('')
+    console.log(i18n.__('specifyFileScanError'))
+  }
+  process.exit(1)
+}
+
+const assignLanguage = (entries, configToUse) => {
+  let split = entries[0].split('.')
+  const fileType = split[split.length - 1]
+  if (fileType === 'war' || fileType === 'jar') {
+    console.log('Language is Java')
+    configToUse.language = 'JAVA'
+  } else if (fileType === 'dll') {
+    console.log('Language is Dotnet')
+    configToUse.language = 'DOTNET'
+  } else if (fileType === 'js') {
+    console.log('Language is Javascript')
+    configToUse.language = supportedLanguages.JAVASCRIPT
+  } else if (fileType === 'zip') {
+    if (configToUse.language !== supportedLanguages.JAVASCRIPT) {
+      console.log(i18n.__('zipErrorScan'))
+      process.exit(1)
+    }
+    console.log('Language is Javascript within zip file')
+  } else {
+    console.log(i18n.__('unknownFileErrorScan'))
+    process.exit(1)
+  }
+}
+
+module.exports = {
+  autoDetectFileAndLanguage,
+  assignLanguage,
+  errorOnFileDetection
+}

package/src/scan/fileUtils.js

@@ -0,0 +1,33 @@
+const fg = require('fast-glob')
+const fs = require('fs')
+const i18n = require('i18n')
+
+const findFile = async () => {
+  console.log(i18n.__('searchingScanFileDirectory', process.cwd()))
+  return fg(['**/*.jar', '**/*.war', '**/*.zip', '**/*.dll'], {
+    dot: false,
+    deep: 3,
+    onlyFiles: true
+  })
+}
+
+const checkFilePermissions = file => {
+  let readableFile = false
+  try {
+    fs.accessSync(file, fs.constants.R_OK)
+    return (readableFile = true) // testing purposes
+  } catch (err) {
+    console.log('Invalid permissions found on ', file)
+    process.exit(0)
+  }
+}
+
+const fileExists = path => {
+  return fs.existsSync(path)
+}
+
+module.exports = {
+  findFile,
+  fileExists,
+  checkFilePermissions
+}

package/src/scan/help.js

@@ -0,0 +1,74 @@
+const commandLineUsage = require('command-line-usage')
+const i18n = require('i18n')
+
+const scanUsageGuide = commandLineUsage([
+  {
+    header: i18n.__('scanHeader')
+  },
+  {
+    header: i18n.__('constantsPrerequisitesHeader'),
+    content: [
+      '{bold ' + i18n.__('constantsPrerequisitesContentScanLanguages') + '}',
+      i18n.__('constantsPrerequisitesContent'),
+      '',
+      i18n.__('constantsUsageCommandInfo'),
+      i18n.__('constantsUsageCommandInfo24Hours')
+    ]
+  },
+  {
+    header: i18n.__('constantsScanOptions'),
+    content: [
+      {
+        name: i18n.__('scanOptionsFileName'),
+        summary:
+          '{italic ' +
+          i18n.__('constantsOptional') +
+          '}: ' +
+          i18n.__('scanOptionsFileNameSummary')
+      },
+      {
+        name: i18n.__('scanOptionsLanguage'),
+        summary:
+          '{italic ' +
+          i18n.__('constantsOptional') +
+          '}: ' +
+          i18n.__('scanOptionsLanguageSummaryOptional') +
+          '{italic ' +
+          i18n.__('constantsRequired') +
+          '}: ' +
+          i18n.__('scanOptionsLanguageSummaryRequired')
+      },
+      {
+        name: i18n.__('scanOptionsName'),
+        summary:
+          '{italic ' +
+          i18n.__('constantsOptional') +
+          '}: ' +
+          i18n.__('scanOptionsNameSummary')
+      },
+      {
+        name: i18n.__('scanOptionsTimeout'),
+        summary:
+          '{italic ' +
+          i18n.__('constantsOptional') +
+          '}: ' +
+          i18n.__('scanOptionsTimeoutSummary')
+      },
+      {
+        name: i18n.__('scanOptionsVerbose'),
+        summary:
+          '{italic ' +
+          i18n.__('constantsOptional') +
+          '}: ' +
+          i18n.__('scanOptionsVerboseSummary')
+      }
+    ]
+  },
+  {
+    content: '{underline https://www.contrastsecurity.com}'
+  }
+])
+
+module.exports = {
+  scanUsageGuide
+}

package/src/scan/populateProjectIdAndProjectName.js

@@ -0,0 +1,62 @@
+const commonApi = require('../utils/commonApi.js')
+const i18n = require('i18n')
+
+const populateProjectId = async config => {
+  const client = commonApi.getHttpClient(config)
+  let proj = await createProjectId(config, client)
+  if (proj === undefined) {
+    proj = await getExistingProjectIdByName(config, client).then(res => {
+      return res
+    })
+  }
+
+  return proj
+}
+
+const createProjectId = async (config, client) => {
+  return client
+    .createProjectId(config)
+    .then(res => {
+      if (res.statusCode === 409) {
+        console.log(i18n.__('foundExistingProjectScan'))
+        return
+      }
+
+      if (res.statusCode === 201) {
+        console.log(i18n.__('projectCreatedScan'))
+        if (config.verbose) {
+          console.log(i18n.__('populateProjectIdMessage', res.body.id))
+        }
+        return res.body.id
+      }
+    })
+    .catch(err => {
+      if (config.verbose) {
+        console.log(err)
+      }
+      console.log(i18n.__('connectionError'))
+      process.exit(0)
+    })
+}
+
+const getExistingProjectIdByName = async (config, client) => {
+  return client
+    .getProjectIdByName(config)
+    .then(res => {
+      if (res.statusCode === 200) {
+        if (config.verbose) {
+          console.log(
+            i18n.__('populateProjectIdMessage', res.body.content[0].id)
+          )
+        }
+        return res.body.content[0].id
+      }
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+module.exports = {
+  populateProjectId: populateProjectId
+}