@contrast/contrast 1.0.1 → 1.0.4

package/src/audit/languageAnalysisEngine/report/reportingFeature.ts

@@ -0,0 +1,56 @@
+import {
+  createLibraryHeader,
+  getReport,
+  printVulnerabilityResponse
+} from './commonReportingFunctions'
+import {
+  convertGenericToTypedLibraries,
+  severityCount
+} from './utils/reportUtils'
+
+export async function vulnerabilityReport(
+  analysis: any,
+  applicationId: string,
+  reportId: string
+) {
+  const reportResponse = await getReport(analysis.config, reportId)
+
+  if (reportResponse !== undefined) {
+    const id = applicationId
+    const name = analysis.config.applicationName
+    formatVulnerabilityOutput(
+      reportResponse.vulnerabilities,
+      id,
+      name,
+      analysis.config
+    )
+  }
+}
+
+export function formatVulnerabilityOutput(
+  libraryVulnerabilityResponse: any,
+  id: string,
+  name: string,
+  config: any
+) {
+  const vulnerableLibraries = convertGenericToTypedLibraries(
+    libraryVulnerabilityResponse
+  )
+
+  const numberOfVulnerableLibraries = vulnerableLibraries.length
+  let numberOfCves = 0
+  vulnerableLibraries.forEach(lib => (numberOfCves += lib.cveArray.length))
+
+  createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves, name)
+
+  const hasSomeVulnerabilitiesReported = printVulnerabilityResponse(
+    vulnerableLibraries,
+    config
+  )
+
+  return [
+    hasSomeVulnerabilitiesReported,
+    numberOfCves,
+    severityCount(vulnerableLibraries)
+  ]
+}

package/src/audit/languageAnalysisEngine/report/utils/reportUtils.ts

@@ -0,0 +1,110 @@
+import {
+  ReportCVEModel,
+  ReportLibraryModel
+} from '../models/reportLibraryModel'
+import { ReportSeverityModel } from '../models/reportSeverityModel'
+import languageAnalysisEngine from '../../../languageAnalysisEngine/constants'
+const {
+  supportedLanguages: { GO }
+} = languageAnalysisEngine
+
+export function findHighestSeverityCVE(cveArray: ReportCVEModel[]) {
+  if (
+    cveArray.find(
+      cve =>
+        cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL'
+    )
+  ) {
+    return new ReportSeverityModel('CRITICAL', 1)
+  } else if (
+    cveArray.find(
+      cve => cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH'
+    )
+  ) {
+    return new ReportSeverityModel('HIGH', 2)
+  } else if (
+    cveArray.find(
+      cve => cve.cvss3SeverityCode === 'MEDIUM' || cve.severityCode === 'MEDIUM'
+    )
+  ) {
+    return new ReportSeverityModel('MEDIUM', 3)
+  } else if (
+    cveArray.find(
+      cve => cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW'
+    )
+  ) {
+    return new ReportSeverityModel('LOW', 4)
+  } else if (
+    cveArray.find(
+      cve => cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE'
+    )
+  ) {
+    return new ReportSeverityModel('NOTE', 5)
+  }
+}
+
+export function convertGenericToTypedLibraries(libraries: any) {
+  return Object.entries(libraries).map(([name, cveArray]) => {
+    return new ReportLibraryModel(name, cveArray as ReportCVEModel[])
+  })
+}
+
+export function severityCount(vulnerableLibraries: ReportLibraryModel[]) {
+  const severityCount = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    note: 0
+  }
+
+  vulnerableLibraries.forEach(lib => {
+    lib.cveArray.forEach(cve => {
+      if (
+        cve.cvss3SeverityCode === 'CRITICAL' ||
+        cve.severityCode === 'CRITICAL'
+      ) {
+        severityCount['critical'] += 1
+      } else if (
+        cve.cvss3SeverityCode === 'HIGH' ||
+        cve.severityCode === 'HIGH'
+      ) {
+        severityCount['high'] += 1
+      } else if (
+        cve.cvss3SeverityCode === 'MEDIUM' ||
+        cve.severityCode === 'MEDIUM'
+      ) {
+        severityCount['medium'] += 1
+      } else if (
+        cve.cvss3SeverityCode === 'LOW' ||
+        cve.severityCode === 'LOW'
+      ) {
+        severityCount['low'] += 1
+      } else if (
+        cve.cvss3SeverityCode === 'NOTE' ||
+        cve.severityCode === 'NOTE'
+      ) {
+        severityCount['note'] += 1
+      }
+    })
+  })
+
+  return severityCount
+}
+
+export function findNameAndVersion(library: ReportLibraryModel, config: any) {
+  if (config.language.toUpperCase() === GO) {
+    const nameVersion = library.name.split('@')
+    const name = nameVersion[0]
+    const version = nameVersion[1]
+
+    return { name, version }
+  } else {
+    const splitLibraryName = library.name.split('/')
+    const nameVersion = splitLibraryName[1].split('@')
+    const name = nameVersion[0]
+    const version = nameVersion[1]
+
+    return { name, version }
+  }
+}

package/src/audit/languageAnalysisEngine/sendSnapshot.js

@@ -34,7 +34,9 @@ const newSendSnapShot = async (analysis, applicationId) => {
       //   console.log(prettyjson.render(requestBody))
       // }
       if (res.statusCode === 201) {
-        displaySnapshotSuccessMessage(analysis.config)
+        if (analysis.config.host !== 'https://ce.contrastsecurity.com/') {
+          displaySnapshotSuccessMessage(analysis.config)
+        }
         return res.body
       } else {
         handleResponseErrors(res, 'snapshot')

package/src/commands/audit/auditController.ts

@@ -1,7 +1,8 @@
 import { catalogueApplication } from '../../audit/catalogueApplication/catalogueApplication'
 import commonApi from '../../audit/languageAnalysisEngine/commonApi'
+
 const identifyLanguageAE = require('./../../audit/languageAnalysisEngine')
-const languageFactory = require('./../../audit/languageAnalysisEngine/langugageAnalysisFactory')
+const languageFactory = require('../../audit/languageAnalysisEngine/languageAnalysisFactory')
 
 const dealWithNoAppId = async (config: { [x: string]: string }) => {
   let appID
@@ -10,10 +11,18 @@ const dealWithNoAppId = async (config: { [x: string]: string }) => {
     if (!appID && config.applicationName) {
       return await catalogueApplication(config)
     }
+    // @ts-ignore
   } catch (e) {
-    console.log(e)
+    // @ts-ignore
+    if (e.toString().includes('tunneling socket could not be established')) {
+      // @ts-ignore
+      console.log(e.message)
+      console.log(
+        'There seems to be an issue with your proxy, please check and try again'
+      )
+    }
+    process.exit(1)
   }
-  console.log(appID)
   return appID
 }
 

package/src/commands/audit/processAudit.ts

@@ -11,7 +11,6 @@ export const processAudit = async (argv: parameterInput) => {
   }
   const config = getAuditConfig(argv)
   const auditResults = await startAudit(config)
-  //report here
 }
 
 const printHelpMessage = () => {

package/src/commands/audit/saveFile.ts

@@ -0,0 +1,6 @@
+import fs from 'fs'
+
+export default function saveFile(config: any, rawResults: any) {
+  const fileName = `${config.applicationId}-sbom-cyclonedx.json`
+  fs.writeFileSync(fileName, JSON.stringify(rawResults))
+}

package/src/commands/auth/auth.js

@@ -11,8 +11,21 @@ const {
   succeedSpinner
 } = require('../../utils/oraWrapper')
 const { TIMEOUT, AUTH_UI_URL } = require('../../constants/constants')
+const parsedCLIOptions = require('../../utils/parsedCLIOptions')
+const constants = require('../../constants')
+const commandLineUsage = require('command-line-usage')
+
+const processAuth = async (argv, config) => {
+  let authParams = parsedCLIOptions.getCommandLineArgsCustom(
+    argv,
+    constants.commandLineDefinitions.authOptionDefinitions
+  )
+
+  if (authParams.help) {
+    console.log(authUsageGuide)
+    process.exit(0)
+  }
 
-const processAuth = async config => {
   const token = uuidv4()
   const url = `${AUTH_UI_URL}/?token=${token}`
 
@@ -68,6 +81,17 @@ const pollAuthResult = async (token, client) => {
     })
 }
 
+const authUsageGuide = commandLineUsage([
+  {
+    header: i18n.__('authHeader'),
+    content: [i18n.__('constantsAuthHeaderContents')]
+  },
+  {
+    header: i18n.__('constantsAuthUsageHeader'),
+    content: [i18n.__('constantsAuthUsageContents')]
+  }
+])
+
 module.exports = {
   processAuth: processAuth
 }

package/src/commands/config/config.js

@@ -1,15 +1,19 @@
-const commandLineArgs = require('command-line-args')
+const parsedCLIOptions = require('../../utils/parsedCLIOptions')
+const constants = require('../../constants')
+const commandLineUsage = require('command-line-usage')
+const i18n = require('i18n')
 
 const processConfig = (argv, config) => {
-  const options = [{ name: 'clear', alias: 'c', type: Boolean }]
-
   try {
-    const configOptions = commandLineArgs(options, {
+    let configParams = parsedCLIOptions.getCommandLineArgsCustom(
       argv,
-      caseInsensitive: true,
-      camelCase: true
-    })
-    if (configOptions.clear) {
+      constants.commandLineDefinitions.configOptionDefinitions
+    )
+    if (configParams.help) {
+      console.log(configUsageGuide)
+      process.exit(0)
+    }
+    if (configParams.clear) {
       config.clear()
     } else {
       console.log(JSON.parse(JSON.stringify(config.store)))
@@ -20,6 +24,16 @@ const processConfig = (argv, config) => {
   }
 }
 
+const configUsageGuide = commandLineUsage([
+  {
+    header: i18n.__('configHeader')
+  },
+  {
+    content: [i18n.__('constantsConfigUsageContents')],
+    optionList: constants.commandLineDefinitions.configOptionDefinitions
+  }
+])
+
 module.exports = {
   processConfig: processConfig
 }

package/src/commands/scan/processScan.js

@@ -1,44 +1,23 @@
 const { startScan } = require('../../scan/scanController')
-const { formatScanOutput } = require('../../scan/scan')
 const { scanUsageGuide } = require('../../scan/help')
 const scanConfig = require('../../scan/scanConfig')
-const saveResults = require('../../scan/saveResults')
-const commonApi = require('../../utils/commonApi')
-const i18n = require('i18n')
+const { saveScanFile } = require('../../utils/saveFile')
+const { ScanResultsModel } = require('../../scan/models/scanResultsModel')
+const { formatScanOutput } = require('../../scan/scan')
 
 const processScan = async argvMain => {
-  if (argvMain.indexOf('--help') !== -1) {
-    printHelpMessage()
-    process.exit(1)
-  }
-
   let config = scanConfig.getScanConfig(argvMain)
 
-  let scanResults = await startScan(config)
+  let scanResults = new ScanResultsModel(await startScan(config))
   if (scanResults) {
-    formatScanOutput(
-      scanResults?.projectOverview,
-      scanResults?.scanResultsInstances
-    )
+    formatScanOutput(scanResults)
   }
 
-  if (config.save) {
-    if (config.save.toLowerCase() === 'sarif') {
-      const scanId = scanResults.scanDetail.id
-      const client = commonApi.getHttpClient(config)
-      const rawResults = await client.getSpecificScanResultSarif(config, scanId)
-      saveResults.writeResultsToFile(rawResults?.body)
-    } else {
-      console.log(i18n.__('scanNoFiletypeSpecifiedForSave'))
-    }
+  if (config.save !== undefined) {
+    await saveScanFile(config, scanResults)
   }
 }
 
-const printHelpMessage = () => {
-  console.log(scanUsageGuide)
-}
-
 module.exports = {
-  processScan,
-  printHelpMessage
+  processScan
 }

package/src/common/HTTPClient.js

@@ -106,7 +106,9 @@ HTTPClient.prototype.getScanId = function getScanId(config, codeArtifactId) {
   options.url = url
   options.body = {
     codeArtifactId: codeArtifactId,
-    label: `Started by CLI tool at ${new Date().toString()}`
+    label: config.label
+      ? config.label
+      : `Started by CLI tool at ${new Date().toString()}`
   }
   return requestUtils.sendRequest({ method: 'post', options })
 }
@@ -130,6 +132,9 @@ HTTPClient.prototype.createProjectId = function createProjectId(config) {
     name: config.name,
     archived: 'false'
   }
+  if (config.language) {
+    options.body.language = config.language
+  }
   options.url = createHarmonyProjectsUrl(config)
   return requestUtils.sendRequest({ method: 'post', options })
 }
@@ -185,6 +190,9 @@ HTTPClient.prototype.catalogueCommand = function catalogueCommand(config) {
 }
 
 HTTPClient.prototype.sendSnapshot = function sendSnapshot(requestBody, config) {
+  if (config.language.toUpperCase() === 'RUBY') {
+    console.log('sendSnapshot requestBody', requestBody.snapshot.ruby)
+  }
   const options = _.cloneDeep(this.requestOptions)
   let url = createSnapshotURL(config)
   options.url = url
@@ -192,32 +200,22 @@ HTTPClient.prototype.sendSnapshot = function sendSnapshot(requestBody, config) {
   return requestUtils.sendRequest({ method: 'post', options })
 }
 
-HTTPClient.prototype.getReport = function getReport(config) {
+HTTPClient.prototype.getReportById = function getReportById(config, reportId) {
   const options = _.cloneDeep(this.requestOptions)
-  let url = createReportUrl(config)
-  options.url = url
-
-  return requestUtils.sendRequest({ method: 'get', options })
-}
-
-HTTPClient.prototype.getSpecificReport = function getSpecificReport(
-  config,
-  reportId
-) {
-  const options = _.cloneDeep(this.requestOptions)
-  let url = createSpecificReportUrl(config, reportId)
-  options.url = url
-
+  if (config.ignoreDev) {
+    options.url = createSpecificReportWithProdUrl(config, reportId)
+  } else {
+    options.url = createSpecificReportUrl(config, reportId)
+  }
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
 HTTPClient.prototype.getLibraryVulnerabilities = function getLibraryVulnerabilities(
-  requestBody,
-  config
+  config,
+  requestBody
 ) {
   const options = _.cloneDeep(this.requestOptions)
-  let url = createLibraryVulnerabilitiesUrl(config)
-  options.url = url
+  options.url = createLibraryVulnerabilitiesUrl(config)
   options.body = requestBody
 
   return requestUtils.sendRequest({ method: 'put', options })
@@ -230,16 +228,16 @@ HTTPClient.prototype.getAppId = function getAppId(config) {
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
-HTTPClient.prototype.getDependencyTree = function getReport(
-  orgUuid,
-  appId,
-  reportId
-) {
-  const options = _.cloneDeep(this.requestOptions)
-  let url = createGetDependencyTree(options.uri, orgUuid, appId, reportId)
-  options.url = url
-  return requestUtils.sendRequest({ method: 'get', options })
-}
+// HTTPClient.prototype.getDependencyTree = function getReport(
+//   orgUuid,
+//   appId,
+//   reportId
+// ) {
+//   const options = _.cloneDeep(this.requestOptions)
+//   let url = createGetDependencyTree(options.uri, orgUuid, appId, reportId)
+//   options.url = url
+//   return requestUtils.sendRequest({ method: 'get', options })
+// }
 
 // serverless - lambda
 function getServerlessHost(config = {}) {
@@ -317,6 +315,12 @@ HTTPClient.prototype.checkLibrary = function checkLibrary(data) {
   return requestUtils.sendRequest({ method: 'post', options })
 }
 
+HTTPClient.prototype.getSbom = function getSbom(config) {
+  const options = _.cloneDeep(this.requestOptions)
+  options.url = createSbomCycloneDXUrl(config)
+  return requestUtils.sendRequest({ method: 'get', options })
+}
+
 // scan
 const createGetScanIdURL = config => {
   return `${config.host}/Contrast/api/sast/v1/organizations/${config.organizationId}/projects/${config.projectId}/scans/`
@@ -370,20 +374,22 @@ function createLibraryVulnerabilitiesUrl(config) {
   return `${config.host}/Contrast/api/ng/${config.organizationId}/libraries/artifactsByGroupNameVersion`
 }
 
-function createReportUrl(config) {
-  return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/reports`
+function createSpecificReportUrl(config, reportId) {
+  return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/reports/${reportId}`
 }
 
-function createSpecificReportUrl(config, reportId) {
-  return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/reports/${reportId}?nodesToInclude=PROD`
+function createSpecificReportWithProdUrl(config, reportId) {
+  return createSpecificReportUrl(config, reportId).concat(
+    `?nodesToInclude=PROD`
+  )
 }
 
 function createDataUrl() {
   return `https://ardy.contrastsecurity.com/production`
 }
 
-const createGetDependencyTree = (protocol, orgUuid, appId, reportId) => {
-  return `${protocol}/Contrast/api/ng/sca/organizations/${orgUuid}/applications/${appId}/reports/${reportId}`
+function createSbomCycloneDXUrl(config) {
+  return `${config.host}/Contrast/api/ng/${config.organizationId}/applications/${config.applicationId}/libraries/sbom/cyclonedx`
 }
 
 module.exports = HTTPClient

package/src/common/errorHandling.ts

@@ -72,6 +72,7 @@ const badRequestError = (catalogue: boolean) => {
 
 const forbiddenError = () => {
   generalError('forbiddenRequestErrorHeader', 'forbiddenRequestErrorMessage')
+  process.exit(1)
 }
 
 const proxyError = () => {
@@ -104,7 +105,7 @@ const getErrorMessage = (header: string, message?: string) => {
   const multiLine = message?.includes('\n')
   let finalMessage = ''
 
-  // i18n split the line if it includes "\n"
+  // i18n split the line if it includes '\n'
   if (multiLine) {
     finalMessage = `\n${message}`
   } else if (message) {
@@ -119,6 +120,31 @@ const generalError = (header: string, message?: string) => {
   console.log(finalMessage)
 }
 
+const findCommandOnError = (unknownOptions: string[]) => {
+  const commandKeywords = {
+    auth: 'auth',
+    audit: 'audit',
+    scan: 'scan',
+    lambda: 'lambda',
+    config: 'config'
+  }
+
+  const containsCommandKeyword = unknownOptions.some(
+    // @ts-ignore
+    command => commandKeywords[command]
+  )
+
+  if (containsCommandKeyword) {
+    const foundCommands = unknownOptions.filter(
+      // @ts-ignore
+      command => commandKeywords[command]
+    )
+
+    //return the first command found
+    return foundCommands[0]
+  }
+}
+
 export {
   genericError,
   unauthenticatedError,
@@ -130,5 +156,6 @@ export {
   generalError,
   getErrorMessage,
   handleResponseErrors,
-  libraryAnalysisError
+  libraryAnalysisError,
+  findCommandOnError
 }

package/src/common/versionChecker.ts

@@ -0,0 +1,41 @@
+import latestVersion from 'latest-version'
+import { APP_VERSION } from '../constants/constants'
+import boxen from 'boxen'
+import chalk from 'chalk'
+import semver from 'semver'
+
+export async function findLatestCLIVersion(updateMessageHidden: boolean) {
+  if (!updateMessageHidden) {
+    const latestCLIVersion = await latestVersion('@contrast/contrast')
+
+    if (semver.lt(APP_VERSION, latestCLIVersion)) {
+      const updateAvailableMessage = `Update available ${chalk.yellow(
+        APP_VERSION
+      )} → ${chalk.green(latestCLIVersion)}`
+
+      const npmUpdateAvailableCommand = `Run ${chalk.cyan(
+        'npm i @contrast/contrast -g'
+      )} to update via npm`
+
+      const homebrewUpdateAvailableCommand = `Run ${chalk.cyan(
+        'brew install contrastsecurity/tap/contrast'
+      )} to update via brew`
+
+      console.log(
+        boxen(
+          `${updateAvailableMessage}\n${npmUpdateAvailableCommand}\n\n${homebrewUpdateAvailableCommand}`,
+          {
+            titleAlignment: 'center',
+            margin: 1,
+            padding: 1,
+            align: 'center'
+          }
+        )
+      )
+    }
+  }
+}
+
+export async function isCorrectNodeVersion(currentVersion: string) {
+  return semver.satisfies(currentVersion, '>=16.13.2 <17')
+}

package/src/constants/constants.js

@@ -8,17 +8,17 @@ const GO = 'GO'
 // we set the langauge as Node instead of PHP since we're using the Node engine in TS
 const PHP = 'PHP'
 const JAVASCRIPT = 'JAVASCRIPT'
-
 const LOW = 'LOW'
 const MEDIUM = 'MEDIUM'
 const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
-
 const APP_NAME = 'contrast'
-const APP_VERSION = '1.0.1'
+const APP_VERSION = '1.0.4'
 const TIMEOUT = 120000
+
 const AUTH_UI_URL = 'https://cli-auth.contrastsecurity.com'
 const AUTH_CALLBACK_URL = 'https://cli-auth-api.contrastsecurity.com'
+const SARIF_FILE = 'SARIF'
 
 module.exports = {
   supportedLanguages: { NODE, DOTNET, JAVA, RUBY, PYTHON, GO, PHP, JAVASCRIPT },
@@ -30,5 +30,6 @@ module.exports = {
   APP_NAME,
   TIMEOUT,
   AUTH_UI_URL,
-  AUTH_CALLBACK_URL
+  AUTH_CALLBACK_URL,
+  SARIF_FILE
 }

package/src/constants/lambda.js

@@ -36,11 +36,13 @@ const lambda = {
   loadingFunctionList: 'Loading lambda function list',
   functionsFound: '{{count}} functions found',
   noFunctionsFound: 'No functions found',
-  failedToLoadFunctions: 'Faled to load lambda functions',
+  failedToLoadFunctions: 'Failed to load lambda functions',
   availableForScan: '{{icon}} {{count}} available for scan',
   runtimeCount: '----- {{runtime}} ({{count}}) -----',
 
   // ====== print vulnerabilities ===== //
+  gatherResults: 'Gathering results...',
+  doneGatherResults: 'Done gathering results',
   whatHappenedTitle: 'What happened:',
   whatHappenedItem: '{{policy}} have:\n{{comments}}\n',
   recommendation: 'Recommendation:',