@contrast/contrast 1.0.1 → 1.0.4

package/.prettierignore

@@ -1,2 +1,4 @@
 test/commands/**
 dist/**
+test/errorHandling.spec.ts
+**/models

package/README.md

@@ -1,33 +1,46 @@
-# Contrast Command Line Interface
+# CodeSec by Contrast Security
 
-- [About Contrast CLI](#about-contrast-cli)
-- [Requirements](#requirements)
-- [Step 1 – Install](#step-1--install)
-  - [Installation via Homebrew](#installation-via-homebrew)
-  - [Install NPM / YARN](#install-npm--yarn)
-  - [Install with binaries](#install-with-binaries)
-- [Step 2 – Authenticate](#step-2--authenticate)
-- [Step 3 – Scan](#step-3--scan)
-  - [Usage](#usage)
-  - [Commands](#commands)
-  - [Examples of usage](#examples-of-usage)
-- [Example of Results](#example-of-results)
-  - [Dependencies Vulnerabilities](#dependencies-vulnerabilities)
-  - [Least Privilege](#least-privilege)
+CodeSec delivers:
 
-## About Contrast CLI
+- The fastest and most accurate SAST scanner.
+- Immediate and actionable results — scan code and serverless environments.
+- A frictionless and seamless sign-in process with GitHub or Google Account. From start to finish in minutes.
+- By running a scan on your lambda functions, you can find: Least privilege identity and access management (IAM) vulnerabilities (over permissive policies) and remediation.
 
-Contrast CLI helps you find & fix security issues on AWS lambda functions (supports **Java** and **Python**)  
-By running a scan on your lambda functions, you can find:
+## Install
 
-- Least privilege identity and access management (IAM) vulnerabilities (over permissive policies) and remediation
-- The Common Vulnerabilities and Exposures (CVE) from your libraries (Vulnerable Dependencies) and remediation
+```shell
+npm install -g @contrast/contrast
+```
+
+## Authenticate
+
+Authenticate by entering contrast auth in the terminal.
+
+In the resulting browser window, log in and authenticate with your GitHub or Google credentials.
+
+## Run a scan
+
+### SAST scan
+
+#### Scan Requirements
+
+Make sure you have the correct file types to scan.
 
-## Requirements
+- Upload a .jar or .war file to scan a Java project for analysis
+- Upload a .js or .zip file to scan a JavaScript project for analysis
+- Upload a .exe. or .zip file to scan a .NET c# web forms project
 
-- AWS credentials should be **available** on your local configure (usually `~/.aws/credentials`)
-- You have an option run lambda scan with your aws-profile to pass `--profile`
-- You also can export different credentials
+Start scanning
+
+Use the Contrast scan command `contrast scan`
+
+### Lambda function scan
+
+#### Lambda Requirements
+
+- Currently supports Java and Python functions on AWS.
+  Configure AWS credentials on your local environment by running the commands with your credentials:
 
 ```shell
 export AWS_DEFAULT_REGION=<YOUR_AWS_REGION>
@@ -35,148 +48,105 @@ export AWS_ACCESS_KEY_ID=<YOUR_ACCESS_KEY_ID>
 export AWS_SECRET_ACCESS_KEY=<YOUR_SECRET_ACCESS_KEY>
 ```
 
-These permissions are required to gather all required information on an AWS Lambda to use the `contrast lambda` command:
-
-- Lambda: [GetFunction](https://docs.aws.amazon.com/lambda/latest/dg/API_GetFunction.html) | [GetLayerVersion](https://docs.aws.amazon.com/lambda/latest/dg/API_GetLayerVersion.html)
-- IAM: [GetRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRolePolicy.html) | [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html) | [GetPolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicyVersion.html) | [ListRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html) | [ListAttachedRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html)
-
-Policy example:
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "VisualEditor0",
-      "Effect": "Allow",
-      "Action": [
-        "iam:GetPolicyVersion",
-        "iam:GetPolicy",
-        "lambda:GetLayerVersion",
-        "lambda:GetFunction",
-        "iam:ListAttachedRolePolicies",
-        "iam:ListRolePolicies",
-        "iam:GetRolePolicy"
-      ],
-      "Resource": [
-        "arn:aws:lambda:*:YOUR_ACCOUNT:layer:*:*",
-        "arn:aws:lambda:*:YOUR_ACCOUNT:function:*",
-        "arn:aws:iam::YOUR_ACCOUNT:role/*",
-        "arn:aws:iam::YOUR_ACCOUNT:policy/*"
-      ]
-    }
-  ]
-}
-```
+- AWS credentials should be available on your local configure (usually **~/.aws/credentials**). You have an option to run a lambda scan with your aws-profile to pass --profile. You also can export different credentials.
 
-## Step 1 – Install
+- These permissions are required to gather all required information on an AWS Lambda to use the `contrast lambda` command:
 
-### Installation via Homebrew
+  - Lambda: [GetFunction](https://docs.aws.amazon.com/lambda/latest/dg/API_GetFunction.html) | [GetLayerVersion](https://docs.aws.amazon.com/lambda/latest/dg/API_GetLayerVersion.html)
+  - IAM: [GetRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRolePolicy.html) | [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html) | [GetPolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicyVersion.html) | [ListRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html) | [ListAttachedRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html)
 
-- `brew tap Contrast-Security-OSS/homebrew-contrast`
-- `brew install contrast`
+### Start scanning
 
-### Install NPM / YARN
+Use contrast lambda to scan your AWS Lambda functions.
+`contrast lambda --function-name MyFunctionName --region my-aws-region`
 
-- `npm install -g @contrast/contrast`
-- `yarn global add @contrast/contrast`
+## Contrast commands
 
-### Install with binaries
+### auth
 
-- Go to [https://pkg.contrastsecurity.com/ui/repos/tree/General/cli](https://pkg.contrastsecurity.com/ui/repos/tree/General/cli)
-- Select your operating system and download the package
-- You must allow **execute permissions** on the file depending on your OS
+Authenticate Contrast using your GitHub or Google account. A new browser window will open for login.
 
-| Architecture | Link                                                                                                                                                                           |
-| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| macOS        | [https://pkg.contrastsecurity.com/ui/repos/tree/General/cli/1.0.0/mac/contrast](https://pkg.contrastsecurity.com/ui/repos/tree/General/cli/1.0.0/mac/contrast)                 |
-| Linux        | [https://pkg.contrastsecurity.com/ui/repos/tree/General/cli/1.0.0/linux/contrast](https://pkg.contrastsecurity.com/ui/repos/tree/General/cli/1.0.0/linux/contrast)             |
-| Windows      | [https://pkg.contrastsecurity.com/ui/repos/tree/General/cli/1.0.0/windows/contrast.exe](https://pkg.contrastsecurity.com/ui/repos/tree/General/cli/1.0.0/windows/contrast.exe) |
+**Usage:** `contrast auth`
 
-## Step 2 – Authenticate
+### config
 
-Authenticate using your existing [GitHub](https://github.com/) or [Google](https://www.google.com/) account.
+Displays stored credentials.
 
-```shell
-contrast auth
-```
+**Usage:** `contrast config`
 
-## Step 3 – Scan
+**Options:**
 
-Use contrast lambda to scan your AWS Lambda functions:
+- **-c, --clear** - Removes stored credentials.
 
-```shell
-contrast lambda --function-name MyFunctionName --region my-aws-region
-```
+### scan
 
-### Usage
+Performs a security SAST scan.
 
-- `contrast [command] [option]`
-- `contrast lambda --list-functions`
-- `contrast lambda --function-name <function> [options]`
-- `contrast lambda --help`
+**Usage:** `contrast scan [option]`
 
-### Commands
+**Options:**
 
-- `auth` - Authenticate Contrast using your `Github` or `Google` account
-- `lambda` - Perform scan on AWS Lambda function
-  - `--function-name` - Name of AWS lambda function to scan
-  - `--list-functions` - List all available lambda functions to scan
-  - `--endpoint-url` (optional) - AWS Endpoint override, works like in AWS CLI
-  - `--region` (optional) - Region override, default to AWS_DEAFAULT_REGION env var, works like in AWS CLI
-  - `--profile` (optional) - AWS configuration profile override, works like in AWS CLI
-  - `--json-output` (optional) - Return response in JSON (versus default human readable format)
-  - `--verbose` (optional) - Returns extended information to the terminal
-  - `--help` Displays usage guide
-- `version` - Displays version of Contrast CLI
-- `config` - Displays stored credentials
-  - `config --clear` - Removes stored credentials
-- `help` - Displays usage guide
+- **contrast scan --file**
 
-### Examples of usage
+  - Path of the file you want to scan. Contrast searches for a .jar, .war, .js. or .zip file in the working directory if a file is not specified.
+  - Alias: **--f**
 
-show help for lambda
+- **contrast scan --name**
 
-```shell
-contrast lambda --help
-```
+  - Contrast project name. If not specified, Contrast uses contrast.settings to identify the project or creates a project.
+  - Alias: **–n**
 
-get list of all available functions for scan
+- **contrast scan --save**
 
-```shell
-contrast lambda --list-functions
-```
+  - Download the results to a Static Analysis Results Interchange Format (SARIF) file. The file is downloaded to the current working directory with a default name of results.sarif. You can view the file with any text editor.
+  - Alias: **-s**
 
-scan lambda function in specific region
+- **contrast scan --timeout**
+  - Time in seconds to wait for the scan to complete. Default value is 300 seconds.
+  - Alias: **-t**
 
-```shell
-contrast lambda -f myFunctionName --region eu-cental-1
-```
+### lambda
 
-scan lambda function with different profile
+Name of AWS lambda function to scan.
 
-```shell
-contrast lambda -f myFunctionName --profile myDevProfile
-```
+**Usage:** `contrast lambda --function-name`
 
-scan lambda function with full details in json format
+**Options:**
 
-```shell
-contrast lambda -f myFunctionName --json-output
-```
+- **contrast lambda --list-functions**
+  Lists all available lambda functions to scan.
 
-scan lambda function with all possible flags
+- **contrast lambda --function-name --endpoint-url**
+  AWS Endpoint override. Similar to AWS CLI.
+  Alias: **-e**
 
-```shell
-contrast lambda -f myFunctionName --region eu-cental-1 --profile myDevProfile --endpoint-url https://adbb-94-188-169-138.eu.ngrok.io/ --verbose --json-output
-```
+- **contrast lambda --function-name --region**
+  Region override. Defaults to AWS_DEFAULT_REGION. Similar to AWS CLI.
+  Alias: **-r**
+
+- **contrast lambda --function-name --profile**
+  AWS configuration profile override. Similar to AWS CLI.
+  Alias: **-p**
+
+- **contrast lambda --function-name --json**
+  Return response in JSON (versus default human-readable format).
+  Alias: **-j**
+
+- **contrast lambda -–function-name -–verbose**
+  Returns extended information to the terminal.
+  Alias: **-v**
 
-## Example of Results
+- **contrast lambda --function-name -–help**
+  Displays usage guide.
+  Alias: **-h**
 
-### Dependency vulnerabilities
+### help
 
-![image](https://user-images.githubusercontent.com/289035/166472066-fa4a179c-cbef-436f-bc8e-9cbb8a4b465e.png)
+Displays usage guide. To list detailed help for any CLI command, add the -h or --help flag to the command.
+**Usage:** `contrast scan --help`
+Alias: **-h**
 
-### Least Privilege
+### version
 
-![image](https://user-images.githubusercontent.com/289035/166480331-54ec133f-3379-4023-9fe4-c0db352c5b16.png)
+Displays version of Contrast CLI.
+**Usage:** `contrast version` Alias: **-v**, **--version**

package/dist/audit/languageAnalysisEngine/{langugageAnalysisFactory.js → languageAnalysisFactory.js}

@@ -9,9 +9,11 @@ const pythonAE = require('../pythonAnalysisEngine');
 const phpAE = require('../phpAnalysisEngine');
 const goAE = require('../goAnalysisEngine');
 const { vulnerabilityReport } = require('./report/reportingFeature');
-const { vulnReportWithoutDevDep } = require('./report/newReportingFeature');
-const { checkDevDeps } = require('./report/checkIgnoreDevDep');
 const { newSendSnapShot } = require('../languageAnalysisEngine/sendSnapshot');
+const fs = require('fs');
+const chalk = require('chalk');
+const saveFile = require('../../commands/audit/saveFile').default;
+const generateSbom = require('../../sbom/generateSbom').default;
 module.exports = exports = (err, analysis) => {
     const { identifiedLanguageInfo } = analysis.languageAnalysis;
     const catalogueAppId = analysis.languageAnalysis.appId;
@@ -35,15 +37,8 @@ module.exports = exports = (err, analysis) => {
         }
         console.log('\n **************CONTRAST OSS ANALYSIS BEGINS**************');
         const snapshotResponse = await newSendSnapShot(analysis, catalogueAppId);
-        if (config.report) {
-            const ignoreDevUrl = await checkDevDeps(config);
-            if (ignoreDevUrl) {
-                await vulnReportWithoutDevDep(analysis, catalogueAppId, snapshotResponse.id, config);
-            }
-            else {
-                await vulnerabilityReport(analysis, catalogueAppId, config);
-            }
-        }
+        await vulnerabilityReport(analysis, catalogueAppId, snapshotResponse.id);
+        await auditSave(config);
         console.log('\n ***************CONTRAST OSS ANALYSIS COMPLETE************** \n');
     };
     if (identifiedLanguageInfo.language === DOTNET) {
@@ -68,3 +63,23 @@ module.exports = exports = (err, analysis) => {
         goAE(identifiedLanguageInfo, analysis.config, langCallback);
     }
 };
+async function auditSave(config) {
+    if (config.save) {
+        if (config.save.toLowerCase() === 'sbom') {
+            saveFile(config, await generateSbom(config));
+            const filename = `${config.applicationId}-sbom-cyclonedx.json`;
+            if (fs.existsSync(filename)) {
+                console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`);
+            }
+            else {
+                console.log(chalk.yellow.bold(`\n Unable to save ${filename} Software Bill of Materials (SBOM)`));
+            }
+        }
+        else {
+            console.log(i18n.__('auditBadFiletypeSpecifiedForSave'));
+        }
+    }
+    else if (config.save === null) {
+        console.log(i18n.__('auditNoFiletypeSpecifiedForSave'));
+    }
+}

package/dist/audit/languageAnalysisEngine/report/commonReportingFunctions.js

@@ -1,257 +1,85 @@
 "use strict";
-const i18n = require('i18n');
-const { getHttpClient } = require('../../../utils/commonApi');
-function displaySuccessMessageReport() {
-    console.log('\n' + i18n.__('reportSuccessMessage'));
-}
-function getAllDependenciesArray(packageJson) {
-    const { dependencies, optionalDependencies, devDependencies, peerDependencies } = packageJson;
-    const allDep = {
-        ...dependencies,
-        ...devDependencies,
-        ...optionalDependencies,
-        ...peerDependencies
-    };
-    return Object.entries(allDep);
-}
-function checkIfDepIsScoped(arrDep) {
-    let count = 0;
-    arrDep.forEach(([key, value]) => {
-        if (!key.startsWith('@')) {
-            console.log(` WARNING not scoped: ${key}:${value}`);
-            count++;
-        }
-    });
-    return count;
-}
-const dependencyRiskReport = async (packageJson, config) => {
-    const arrDep = getAllDependenciesArray(packageJson);
-    const unRegisteredDeps = await checkIfDepIsRegisteredOnNPM(arrDep, config);
-    let scopedCount = checkIfDepIsScoped(unRegisteredDeps);
-    return {
-        scopedCount: scopedCount,
-        unRegisteredCount: unRegisteredDeps.length
-    };
-};
-const checkIfDepIsRegisteredOnNPM = async (arrDep, config) => {
-    let promises = [];
-    let unRegisteredDeps = [];
-    const client = getHttpClient(config);
-    for (const [index, element] of arrDep) {
-        const query = `query artifactByGAV($name: String!, $language: String!, $groupName: String, $version: String!, $nameCheck: Boolean) {
-    artifact: exactVersion(name: $name, language: $language, groupName: $groupName, version: $version, nameCheck: $nameCheck) {
-        version
-        cves {
-            baseScore
-        }}}`;
-        const data = {
-            query: query,
-            variables: {
-                name: index,
-                version: element,
-                language: 'node',
-                nameCheck: true
-            }
-        };
-        promises.push(client.checkLibrary(data));
-    }
-    await Promise.all(promises).then(response => {
-        response.forEach(res => {
-            const libName = JSON.parse(res.request.body);
-            if (res.statusCode === 200) {
-                if (res.body.data.artifact == null) {
-                    unRegisteredDeps.push([
-                        libName.variables.name,
-                        libName.variables.version
-                    ]);
-                }
-            }
-        });
-    });
-    if (unRegisteredDeps.length !== 0) {
-        console.log('\n Dependencies Risk Report', '\n\n Private libraries that are not scoped. We recommend these libraries are reviewed and the scope claimed to prevent dependency confusion breaches');
-    }
-    return unRegisteredDeps;
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.printFormattedOutput = exports.printVulnerabilityResponse = exports.getReport = exports.createLibraryHeader = void 0;
+const i18n_1 = __importDefault(require("i18n"));
+const commonApi_1 = require("../../../utils/commonApi");
+const reportListModel_1 = require("./models/reportListModel");
+const lodash_1 = require("lodash");
+const chalk_1 = __importDefault(require("chalk"));
+const reportUtils_1 = require("./utils/reportUtils");
+const oraWrapper_1 = require("../../../utils/oraWrapper");
 const createLibraryHeader = (id, numberOfVulnerableLibraries, numberOfCves, name) => {
     name
-        ? console.log(` Application Name: ${name} | Application ID: ${id}`)
+        ? console.log(`\n Application Name: ${name} | Application ID: ${id}`)
         : console.log(` Application ID: ${id}`);
-    console.log(` Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVE's`);
-};
-const breakPipeline = () => {
-    failOptionError();
-    process.exit(1);
-};
-const parameterOptions = hasSomeVulnerabilitiesReported => {
-    const inputtedCLIOptions = cliOptions.getCommandLineArgs();
-    let cveSeverityOption = inputtedCLIOptions['cve_severity'];
-    let fail = inputtedCLIOptions['fail'];
-    let cve_threshold = inputtedCLIOptions['cve_threshold'];
-    let expr;
-    if (cveSeverityOption && fail && cve_threshold) {
-        expr = 'SeverityAndThreshold';
-    }
-    else if (!cveSeverityOption && fail && cve_threshold) {
-        expr = 'ThresholdOnly';
-    }
-    else if (!cve_threshold && fail && hasSomeVulnerabilitiesReported[0]) {
-        expr = 'FailOnly';
-    }
-    return expr;
-};
-const analyseReportOptions = hasSomeVulnerabilitiesReported => {
-    const inputtedCLIOptions = cliOptions.getCommandLineArgs();
-    let cve_threshold = inputtedCLIOptions['cve_threshold'];
-    let cveSeverity;
-    let criticalSeverity;
-    let highSeverity;
-    let mediumSeverity;
-    let lowSeverity;
-    switch (parameterOptions(hasSomeVulnerabilitiesReported)) {
-        case 'SeverityAndThreshold':
-            cveSeverity = inputtedCLIOptions['cve_severity'].severity;
-            criticalSeverity = hasSomeVulnerabilitiesReported[2].critical;
-            highSeverity = hasSomeVulnerabilitiesReported[2].high;
-            mediumSeverity = hasSomeVulnerabilitiesReported[2].medium;
-            lowSeverity = hasSomeVulnerabilitiesReported[2].low;
-            if (cveSeverity === 'HIGH') {
-                if (cve_threshold < highSeverity + criticalSeverity) {
-                    breakPipeline();
-                }
-            }
-            if (cveSeverity === 'MEDIUM') {
-                if (cve_threshold < mediumSeverity + highSeverity) {
-                    breakPipeline();
-                }
-            }
-            if (cveSeverity === 'LOW') {
-                if (cve_threshold < lowSeverity + mediumSeverity + highSeverity) {
-                    breakPipeline();
-                }
-            }
-            break;
-        case 'ThresholdOnly':
-            if (cve_threshold < hasSomeVulnerabilitiesReported[1]) {
-                breakPipeline();
-            }
-            break;
-        case 'FailOnly':
-            breakPipeline();
-            break;
-    }
+    numberOfVulnerableLibraries === 1
+        ? console.log('\n **************************' +
+            ` Found 1 vulnerable library containing ${numberOfCves} CVE's` +
+            '************************** ')
+        : console.log('\n **************************' +
+            ` Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVE's ` +
+            '************************** ');
 };
-const getReport = async (applicationId) => {
-    const userParams = await util.getParams(applicationId);
-    const addParams = agent.getAdditionalParams();
-    const protocol = getValidHost(userParams.host);
-    const client = commonApi.getHttpClient(userParams, protocol, addParams);
+exports.createLibraryHeader = createLibraryHeader;
+const getReport = async (config, reportId) => {
+    const client = (0, commonApi_1.getHttpClient)(config);
+    const reportSpinner = (0, oraWrapper_1.returnOra)(i18n_1.default.__('auditReportWaiting'));
+    reportSpinner.indent = 1;
+    (0, oraWrapper_1.startSpinner)(reportSpinner);
     return client
-        .getReport(userParams)
-        .then(res => {
+        .getReportById(config, reportId)
+        .then((res) => {
         if (res.statusCode === 200) {
-            displaySuccessMessageReport();
+            (0, oraWrapper_1.succeedSpinner)(reportSpinner, i18n_1.default.__('auditReportSuccessMessage'));
             return res.body;
         }
         else {
-            handleResponseErrors(res, 'report');
+            (0, oraWrapper_1.failSpinner)(reportSpinner, i18n_1.default.__('auditReportFail'));
+            console.log('config-------------------');
+            console.log(config);
+            console.log('reportId----------------');
+            console.log(reportId);
+            console.log(JSON.stringify(res));
+            (0, commonApi_1.handleResponseErrors)(res, 'report');
         }
     })
-        .catch(err => {
+        .catch((err) => {
         console.log(err);
     });
 };
-const printVulnerabilityResponse = (severity, filteredVulns, vulnerabilities) => {
+exports.getReport = getReport;
+const printVulnerabilityResponse = (vulnerabilities, config) => {
     let hasSomeVulnerabilitiesReported = false;
-    if (severity) {
-        returnCveData(filteredVulns);
-        if (Object.keys(filteredVulns).length > 0)
-            hasSomeVulnerabilitiesReported = true;
-    }
-    else {
-        returnCveData(vulnerabilities);
-        if (Object.keys(vulnerabilities).length > 0)
-            hasSomeVulnerabilitiesReported = true;
+    (0, exports.printFormattedOutput)(vulnerabilities, config);
+    if (Object.keys(vulnerabilities).length > 0) {
+        hasSomeVulnerabilitiesReported = true;
     }
     return hasSomeVulnerabilitiesReported;
 };
-const returnCveData = libraries => {
-    console.log('\n ************************************************************');
-    for (const [key, value] of Object.entries(libraries)) {
-        const parts = key.split('/');
-        const nameVersion = parts[1].split('@');
-        const group = parts[0];
-        const name = nameVersion[0];
-        const version = nameVersion[1];
-        const libName = group !== 'null'
-            ? `${group}/${name}/${version} is vulnerable`
-            : `${name}/${version} is vulnerable`;
-        console.log('\n\n ' + libName);
-        value.forEach(vuln => {
-            let sevCode = vuln.severityCode || vuln.severity_code;
-            console.log('\n ' + vuln.name + ' ' + sevCode + '\n ' + vuln.description);
-        });
-    }
-};
-function searchHighCVEs(vuln) {
-    let sevCode = vuln.severityCode || vuln.severity_code;
-    if (sevCode === 'HIGH') {
-        return vuln;
-    }
-}
-function searchMediumCVEs(vuln) {
-    let sevCode = vuln.severityCode || vuln.severity_code;
-    if (sevCode === 'HIGH' || sevCode === 'MEDIUM') {
-        return vuln;
+exports.printVulnerabilityResponse = printVulnerabilityResponse;
+const printFormattedOutput = (libraries, config) => {
+    const report = new reportListModel_1.ReportList();
+    for (const library of libraries) {
+        const { name, version } = (0, reportUtils_1.findNameAndVersion)(library, config);
+        const newOutputModel = new reportListModel_1.ReportModelStructure(new reportListModel_1.ReportCompositeKey(name, version, (0, reportUtils_1.findHighestSeverityCVE)(library.cveArray)), library.cveArray);
+        report.reportOutputList.push(newOutputModel);
     }
-}
-function searchLowCVEs(vuln) {
-    let sevCode = vuln.severityCode || vuln.severity_code;
-    if (sevCode === 'HIGH' || sevCode === 'MEDIUM' || sevCode === 'LOW') {
-        return vuln;
+    const orderedOutputList = (0, lodash_1.orderBy)(report.reportOutputList, reportListItem => reportListItem.compositeKey.highestSeverity.priority);
+    for (const reportModel of orderedOutputList) {
+        const name = reportModel.compositeKey.libraryName;
+        const version = reportModel.compositeKey.libraryVersion;
+        const highestSeverity = reportModel.compositeKey.highestSeverity.severity;
+        const numOfCVEs = reportModel.cveArray.length;
+        const cveNames = [];
+        reportModel.cveArray.forEach(cve => cveNames.push(cve.name));
+        const boldHeader = chalk_1.default.bold(`${highestSeverity} | Vulnerable Library`);
+        const cvePluralised = numOfCVEs > 1 ? 'CVEs' : 'CVE';
+        console.log(`\n ${boldHeader} ${name} (${version}) has ${numOfCVEs} known ${cvePluralised}`);
+        console.log(` ${cveNames.join(', ')}`);
+        console.log(chalk_1.default.bold(' How to fix: Update to latest version'));
     }
-}
-const filterVulnerabilitiesBySeverity = (severity, vulnerabilities) => {
-    let filteredVulns = [];
-    if (severity) {
-        for (let x in vulnerabilities) {
-            if (severity.severity === 'HIGH') {
-                let highVulnerability = vulnerabilities[x].filter(searchHighCVEs);
-                if (highVulnerability.length > 0) {
-                    filteredVulns[x] = highVulnerability;
-                }
-            }
-            else if (severity.severity === 'MEDIUM') {
-                let mediumVulnerability = vulnerabilities[x].filter(searchMediumCVEs);
-                if (mediumVulnerability.length > 0) {
-                    filteredVulns[x] = mediumVulnerability;
-                }
-            }
-            else if (severity.severity === 'LOW') {
-                let lowVulnerability = vulnerabilities[x].filter(searchLowCVEs);
-                if (lowVulnerability.length > 0) {
-                    filteredVulns[x] = lowVulnerability;
-                }
-            }
-        }
-    }
-    return filteredVulns;
-};
-module.exports = {
-    displaySuccessMessageReport: displaySuccessMessageReport,
-    getAllDependenciesArray: getAllDependenciesArray,
-    dependencyRiskReport: dependencyRiskReport,
-    createLibraryHeader: createLibraryHeader,
-    breakPipeline: breakPipeline,
-    parameterOptions: parameterOptions,
-    analyseReportOptions: analyseReportOptions,
-    getReport: getReport,
-    checkIfDepIsScoped: checkIfDepIsScoped,
-    checkIfDepIsRegisteredOnNPM: checkIfDepIsRegisteredOnNPM,
-    filterVulnerabilitiesBySeverity: filterVulnerabilitiesBySeverity,
-    searchLowCVEs: searchLowCVEs,
-    searchMediumCVEs: searchMediumCVEs,
-    searchHighCVEs: searchHighCVEs,
-    returnCveData: returnCveData,
-    printVulnerabilityResponse: printVulnerabilityResponse
 };
+exports.printFormattedOutput = printFormattedOutput;