@contrast/contrast 1.0.10 → 1.0.11

package/src/audit/languageAnalysisEngine/report/commonReportingFunctions.ts

@@ -29,6 +29,7 @@ import {
   NOTE_COLOUR
 } from '../../../constants/constants'
 import Table from 'cli-table3'
+import { ReportGuidanceModel } from './models/reportGuidanceModel'
 
 export const createSummaryMessage = (
   numberOfVulnerableLibraries: number,
@@ -160,7 +161,11 @@ export const printFormattedOutput = (
       numOfCVEs
     )
 
-    const advice = gatherRemediationAdvice(guidance, reportModel)
+    const advice = gatherRemediationAdvice(
+      guidance,
+      libraryName,
+      libraryVersion
+    )
 
     const body = buildBody(reportModel.cveArray, advice)
 
@@ -168,7 +173,6 @@ export const printFormattedOutput = (
 
     table.push(
       reportOutputModel.body.issueMessage,
-      reportOutputModel.body.issueMessageCves,
       reportOutputModel.body.adviceMessage
     )
 
@@ -203,18 +207,22 @@ export function buildHeader(
     numOfCVEs > 1 ? 'vulnerabilities' : 'vulnerability'
   const formattedHeaderNum = buildFormattedHeaderNum(contrastHeaderNum)
 
-  const vulnMessage = chalk
-    .hex(highestSeverity.outputColour)
-    .bold(
-      `${formattedHeaderNum} - [${highestSeverity.severity}] ${libraryName}-${version}`
-    )
+  const headerColour = chalk.hex(highestSeverity.outputColour)
+  const headerNumAndSeverity = headerColour(
+    `${formattedHeaderNum} - [${highestSeverity.severity}]`
+  )
+  const libraryNameAndVersion = headerColour.bold(`${libraryName}-${version}`)
+  const vulnMessage = `${headerNumAndSeverity} ${libraryNameAndVersion}`
 
   const introducesMessage = `introduces ${numOfCVEs} ${vulnerabilityPluralised}`
 
   return new ReportOutputHeaderModel(vulnMessage, introducesMessage)
 }
 
-export function buildBody(cveArray: ReportCVEModel[], advice: any) {
+export function buildBody(
+  cveArray: ReportCVEModel[],
+  advice: ReportGuidanceModel
+) {
   const cveMessages: string[] = []
 
   findCVESeveritiesAndOrderByHighestPriority(cveArray).forEach(
@@ -233,46 +241,40 @@ export function buildBody(cveArray: ReportCVEModel[], advice: any) {
 
   const numAndSeverityType = getNumOfAndSeverityType(cveArray)
 
-  const issueMessage = [chalk.bold('Issue'), ':', `${numAndSeverityType}`]
-
-  const issueMessageCves = ['', '', cveMessages.join(', ')]
+  const issueMessage = [
+    chalk.bold('Issue'),
+    ':',
+    `${numAndSeverityType} ${cveMessages.join(', ')}`
+  ]
 
   //todo different advice based on remediationGuidance being available or now
   // console.log(advice)
 
-  const displayAdvice = advice?.minimum
-    ? `Update to version ${chalk.bold(advice.minimum)}`
-    : `Update to latest version`
+  const minOrMax = advice.maximum ? advice.maximum : advice.minimum
+  const displayAdvice = minOrMax
+    ? `Change to version ${chalk.bold(minOrMax)}`
+    : 'No recommendation is available according to our data. Upgrade to the latest stable is the best advice we can give.'
 
   const adviceMessage = [chalk.bold('Advice'), ':', displayAdvice]
 
-  return new ReportOutputBodyModel(
-    issueMessage,
-    issueMessageCves,
-    adviceMessage
-  )
+  return new ReportOutputBodyModel(issueMessage, adviceMessage)
 }
 
-export function gatherRemediationAdvice(guidance: any, reportModel: any) {
-  const guidanceData = {
-    minimum: undefined,
-    maximum: undefined,
-    latest: undefined
-  }
+export function gatherRemediationAdvice(
+  guidance: any,
+  libraryName: string,
+  libraryVersion: string
+) {
+  const guidanceModel = new ReportGuidanceModel()
 
-  const data =
-    guidance[
-      reportModel.compositeKey.libraryName +
-        '@' +
-        reportModel.compositeKey.libraryVersion
-    ]
+  const data = guidance[libraryName + '@' + libraryVersion]
 
   if (data) {
-    guidanceData.minimum = data.minUpgradeVersion
-    guidanceData.maximum = data.maxUpgradeVersion
+    guidanceModel.minimum = data.minUpgradeVersion
+    guidanceModel.maximum = data.maxUpgradeVersion
   }
 
-  return guidanceData
+  return guidanceModel
 }
 
 export function buildFormattedHeaderNum(contrastHeaderNum: number) {
@@ -285,11 +287,27 @@ export function getNumOfAndSeverityType(cveArray: ReportCVEModel[]) {
     new SeverityCountModel()
   )
 
-  const criticalMessage = critical > 0 ? `${critical} Critical` : ''
-  const highMessage = high > 0 ? `${high} High` : ''
-  const mediumMessage = medium > 0 ? `${medium} Medium` : ''
-  const lowMessage = low > 0 ? `${low} Low` : ''
-  const noteMessage = note > 0 ? `${note} Note` : ''
+  const criticalNumCheck = critical > 0
+
+  const highNumCheck = high > 0
+  const highDivider = highNumCheck ? '|' : ''
+
+  const mediumNumCheck = medium > 0
+  const mediumDivider = mediumNumCheck ? '|' : ''
+
+  const lowNumCheck = low > 0
+  const lowDivider = lowNumCheck ? '|' : ''
+
+  const noteNumCheck = low > 0
+  const noteDivider = noteNumCheck ? '|' : ''
+
+  const criticalMessage = criticalNumCheck
+    ? `${critical} Critical ${highDivider}`
+    : ''
+  const highMessage = highNumCheck ? `${high} High ${mediumDivider}` : ''
+  const mediumMessage = mediumNumCheck ? `${medium} Medium ${lowDivider}` : ''
+  const lowMessage = lowNumCheck ? `${low} Low ${noteDivider}` : ''
+  const noteMessage = noteNumCheck ? `${note} Note` : ''
 
   //removes/trims whitespace to single spaces
   return `${criticalMessage} ${highMessage} ${mediumMessage} ${lowMessage} ${noteMessage}`

package/src/audit/languageAnalysisEngine/report/models/reportGuidanceModel.ts

@@ -0,0 +1,5 @@
+export class ReportGuidanceModel {
+  minimum?: string
+  maximum?: string
+  latest?: string
+}

package/src/audit/languageAnalysisEngine/report/models/reportOutputModel.ts

@@ -20,16 +20,10 @@ export class ReportOutputHeaderModel {
 
 export class ReportOutputBodyModel {
   issueMessage: string[]
-  issueMessageCves: string[]
   adviceMessage: string[]
 
-  constructor(
-    issueMessage: string[],
-    issueMessageCves: string[],
-    adviceMessage: string[]
-  ) {
+  constructor(issueMessage: string[], adviceMessage: string[]) {
     this.issueMessage = issueMessage
-    this.issueMessageCves = issueMessageCves
     this.adviceMessage = adviceMessage
   }
 }

package/src/audit/languageAnalysisEngine/report/models/severityCountModel.ts

@@ -4,6 +4,7 @@ export class SeverityCountModel {
   medium!: number
   low!: number
   note!: number
+  total!: number
 
   //needed as default to stop NaN when new object constructed
   constructor() {
@@ -12,6 +13,7 @@ export class SeverityCountModel {
     this.medium = 0
     this.low = 0
     this.note = 0
+    this.total = 0
   }
 
   get getTotal(): number {

package/src/audit/languageAnalysisEngine/report/reportingFeature.ts

@@ -9,6 +9,8 @@ import {
 import i18n from 'i18n'
 import chalk from 'chalk'
 import * as constants from '../../../constants/constants'
+import { SeverityCountModel } from './models/severityCountModel'
+import * as common from '../../../common/fail'
 
 export function convertKeysToStandardFormat(config: any, guidance: any) {
   let convertedGuidance = guidance
@@ -72,6 +74,7 @@ export function formatVulnerabilityOutput(
         String(0)
       )
     )
+    return [false, 0, [new SeverityCountModel()]]
   } else {
     let numberOfCves = 0
     vulnerableLibraries.forEach(lib => (numberOfCves += lib.cveArray.length))
@@ -83,12 +86,13 @@ export function formatVulnerabilityOutput(
       numberOfCves,
       guidance
     )
-
-    return [
-      hasSomeVulnerabilitiesReported,
-      numberOfCves,
-      severityCountAllLibraries(vulnerableLibraries)
-    ]
+    let severityCount = new SeverityCountModel()
+    severityCount = severityCountAllLibraries(
+      vulnerableLibraries,
+      severityCount
+    )
+    severityCount.total = severityCount.getTotal
+    return [hasSomeVulnerabilitiesReported, numberOfCves, severityCount]
   }
 }
 
@@ -97,8 +101,7 @@ export async function vulnerabilityReportV2(config: any, reportId: string) {
   const reportResponse = await getReport(config, reportId)
 
   if (reportResponse !== undefined) {
-    const name = config.applicationName
-    formatVulnerabilityOutput(
+    let output = formatVulnerabilityOutput(
       reportResponse.vulnerabilities,
       config.applicationId,
       config,
@@ -106,5 +109,9 @@ export async function vulnerabilityReportV2(config: any, reportId: string) {
         ? reportResponse.remediationGuidance
         : {}
     )
+
+    if (config.fail) {
+      common.processFail(config, output[2])
+    }
   }
 }

package/src/audit/languageAnalysisEngine/report/utils/reportUtils.ts

@@ -75,9 +75,9 @@ export function convertGenericToTypedLibraryVulns(libraries: any) {
 }
 
 export function severityCountAllLibraries(
-  vulnerableLibraries: ReportLibraryModel[]
+  vulnerableLibraries: ReportLibraryModel[],
+  severityCount: SeverityCountModel
 ) {
-  const severityCount = new SeverityCountModel()
   vulnerableLibraries.forEach(lib =>
     severityCountAllCVEs(lib.cveArray, severityCount)
   )

package/src/commands/audit/auditConfig.ts

@@ -1,9 +1,16 @@
 import paramHandler from '../../utils/paramsUtil/paramHandler'
 import constants from '../../constants'
-import cliOptions from '../../utils/parsedCLIOptions'
+import { getCommandLineArgsCustom } from '../../utils/parsedCLIOptions'
+import { ContrastConf } from '../../utils/getConfig'
 
-export const getAuditConfig = (argv: string[]): { [key: string]: string } => {
-  const auditParameters = cliOptions.getCommandLineArgsCustom(
+export const getAuditConfig = async (
+  contrastConf: ContrastConf,
+  command: string,
+  argv: string[]
+): Promise<{ [key: string]: string }> => {
+  const auditParameters = await getCommandLineArgsCustom(
+    contrastConf,
+    command,
     argv,
     constants.commandLineDefinitions.auditOptionDefinitions
   )

package/src/commands/audit/processAudit.ts

@@ -1,16 +1,30 @@
 import { getAuditConfig } from './auditConfig'
 import { auditUsageGuide } from './help'
 import { processSca } from '../scan/sca/scaAnalysis'
+import { sendTelemetryConfigAsObject } from '../../telemetry/telemetry'
+import { ContrastConf } from '../../utils/getConfig'
 
 export type parameterInput = string[]
 
-export const processAudit = async (argv: parameterInput) => {
+export const processAudit = async (
+  contrastConf: ContrastConf,
+  argv: parameterInput
+) => {
   if (argv.indexOf('--help') != -1) {
     printHelpMessage()
     process.exit(0)
   }
-  const config = getAuditConfig(argv)
+
+  const config = await getAuditConfig(contrastConf, 'audit', argv)
   await processSca(config)
+  await sendTelemetryConfigAsObject(
+    config,
+    'audit',
+    argv,
+    'SUCCESS',
+    // @ts-ignore
+    config.language
+  )
 }
 
 const printHelpMessage = () => {

package/src/commands/auth/auth.js

@@ -16,7 +16,9 @@ const constants = require('../../constants')
 const commandLineUsage = require('command-line-usage')
 
 const processAuth = async (argv, config) => {
-  let authParams = parsedCLIOptions.getCommandLineArgsCustom(
+  let authParams = await parsedCLIOptions.getCommandLineArgsCustom(
+    config,
+    'auth',
     argv,
     constants.commandLineDefinitions.authOptionDefinitions
   )

package/src/commands/config/config.js

@@ -3,9 +3,11 @@ const constants = require('../../constants')
 const commandLineUsage = require('command-line-usage')
 const i18n = require('i18n')
 
-const processConfig = (argv, config) => {
+const processConfig = async (argv, config) => {
   try {
-    let configParams = parsedCLIOptions.getCommandLineArgsCustom(
+    let configParams = await parsedCLIOptions.getCommandLineArgsCustom(
+      config,
+      'config',
       argv,
       constants.commandLineDefinitions.configOptionDefinitions
     )

package/src/commands/scan/processScan.js

@@ -4,23 +4,37 @@ const { saveScanFile } = require('../../utils/saveFile')
 const { ScanResultsModel } = require('../../scan/models/scanResultsModel')
 const { formatScanOutput } = require('../../scan/formatScanOutput')
 const { processSca } = require('./sca/scaAnalysis')
+const common = require('../../common/fail')
+const { sendTelemetryConfigAsObject } = require('../../telemetry/telemetry')
 
-const processScan = async argvMain => {
-  let config = scanConfig.getScanConfig(argvMain)
+const processScan = async (contrastConf, argv) => {
+  let config = await scanConfig.getScanConfig(contrastConf, 'scan', argv)
+  let output = undefined
   //try SCA analysis first
   if (config.experimental) {
-    await processSca(config)
+    await processSca(config, argv)
   }
 
   let scanResults = new ScanResultsModel(await startScan(config))
+  await sendTelemetryConfigAsObject(
+    config,
+    'scan',
+    argv,
+    'SUCCESS',
+    scanResults.scanDetail.language
+  )
 
   if (scanResults.scanResultsInstances !== undefined) {
-    formatScanOutput(scanResults)
+    output = formatScanOutput(scanResults)
   }
 
   if (config.save !== undefined) {
     await saveScanFile(config, scanResults)
   }
+
+  if (config.fail) {
+    common.processFail(config, output)
+  }
 }
 
 module.exports = {

package/src/commands/scan/sca/scaAnalysis.js

@@ -24,16 +24,22 @@ const {
 } = require('../../../audit/languageAnalysisEngine/report/reportingFeature')
 const auditSave = require('../../../audit/save')
 const { dotNetAnalysis } = require('../../../scaAnalysis/dotnet')
+const { auditUsageGuide } = require('../../audit/help')
 const rootFile = require('../../../audit/languageAnalysisEngine/getProjectRootFilenames')
 const path = require('path')
 const processSca = async config => {
   const startTime = performance.now()
   let filesFound
 
+  if (config.help) {
+    console.log(auditUsageGuide)
+    process.exit(0)
+  }
+
   const projectStats = await rootFile.getProjectStats(config.file)
   let pathWithFile = projectStats.isFile()
 
-  let fileName = config.file
+  config.fileName = config.file
   config.file = pathWithFile
     ? rootFile.getDirectoryFromPathGiven(config.file).concat('/')
     : config.file
@@ -42,7 +48,7 @@ const processSca = async config => {
 
   if (filesFound.length > 1 && pathWithFile) {
     filesFound = filesFound.filter(i =>
-      Object.values(i)[0].includes(path.basename(fileName))
+      Object.values(i)[0].includes(path.basename(config.fileName))
     )
   }
 
@@ -127,7 +133,9 @@ const processSca = async config => {
       throw new Error()
     } else {
       throw new Error(
-        'multiple language files detected, please use --file to specify a directory or the file where dependencies are declared'
+        `multiple language files detected \n` +
+          JSON.stringify(filesFound) +
+          `\nplease use --file to audit one language only. Example: contrast audit --file package-lock.json`
       )
     }
   }

package/src/common/HTTPClient.js

@@ -346,6 +346,16 @@ HTTPClient.prototype.getLatestVersion = function getLatestVersion() {
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
+HTTPClient.prototype.postTelemetry = function postTelemetry(
+  config,
+  requestBody
+) {
+  const options = _.cloneDeep(this.requestOptions)
+  options.url = createTelemetryEventUrl(config)
+  options.body = requestBody
+  return requestUtils.sendRequest({ method: 'post', options })
+}
+
 // analytics
 
 HTTPClient.prototype.postAnalyticsFunction = function (config, provider, body) {
@@ -439,6 +449,10 @@ function createSbomUrl(config, type) {
   return `${config.host}/Contrast/api/ng/${config.organizationId}/applications/${config.applicationId}/libraries/sbom/${type}`
 }
 
+function createTelemetryEventUrl(config) {
+  return `${config.host}/Contrast/api/sast/organizations/${config.organizationId}/cli`
+}
+
 module.exports = HTTPClient
 module.exports.pollForAuthUrl = pollForAuthUrl
 module.exports.getServerlessHost = getServerlessHost

package/src/common/fail.js

@@ -0,0 +1,75 @@
+const i18n = require('i18n')
+
+const processFail = (config, reportResults) => {
+  if (config.severity !== undefined) {
+    if (
+      reportResults[config.severity] !== undefined &&
+      isSeverityViolation(config.severity, reportResults)
+    ) {
+      failPipeline('failSeverityOptionErrorMessage')
+    }
+  }
+
+  if (config.severity === undefined && reportResults.total > 0) {
+    failPipeline('failThresholdOptionErrorMessage')
+  }
+}
+
+const isSeverityViolation = (severity, reportResults) => {
+  let count = 0
+  switch (severity) {
+    case 'critical':
+      count += reportResults.critical
+      break
+    case 'high':
+      count += reportResults.high + reportResults.critical
+      break
+    case 'medium':
+      count += reportResults.medium + reportResults.low + reportResults.critical
+      break
+    case 'low':
+      count +=
+        reportResults.high + reportResults.critical + reportResults.medium
+      break
+    case 'note':
+      if (reportResults.note == reportResults.total) {
+        count = 0
+      } else {
+        count = reportResults.total
+      }
+      break
+    default:
+      count = 0
+  }
+  return count > 0
+}
+
+const failPipeline = (message = '') => {
+  console.log(
+    '\n ******************************** ' +
+      i18n.__('snapshotFailureHeader') +
+      ' *********************************\n' +
+      i18n.__(message)
+  )
+  process.exit(1)
+}
+
+const parseSeverity = severity => {
+  const severities = ['NOTE', 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL']
+  if (severities.includes(severity.toUpperCase())) {
+    return severity.toLowerCase()
+  } else {
+    console.log(
+      severity +
+        ' Not recognised as a severity type please use LOW, MEDIUM, HIGH, CRITICAL, NOTE'
+    )
+    return undefined
+  }
+}
+
+module.exports = {
+  failPipeline,
+  processFail,
+  isSeverityViolation,
+  parseSeverity
+}

package/src/common/versionChecker.ts

@@ -20,7 +20,7 @@ const getLatestVersion = async (config: any) => {
 
 // @ts-ignore
 export async function findLatestCLIVersion(config: ContrastConf) {
-  const messageHidden = config.get('updateMessageHidden') as boolean
+  const messageHidden = config.get('isCI') as boolean
 
   if (!messageHidden) {
     let latestCLIVersion: string = await getLatestVersion(config)

package/src/constants/constants.js

@@ -14,7 +14,7 @@ const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
 // App
 const APP_NAME = 'contrast'
-const APP_VERSION = '1.0.10'
+const APP_VERSION = '1.0.11'
 const TIMEOUT = 120000
 const HIGH_COLOUR = '#ff9900'
 const CRITICAL_COLOUR = '#e35858'

package/src/constants/locales.js

@@ -121,9 +121,11 @@ const en_locales = () => {
       'The name of the application cataloged by Contrast UI',
     constantsCatalogueApplication:
       'Provide this if you want to catalogue an application',
+    failOptionErrorMessage:
+      ' FAIL - CVEs have been detected that match at least the cve_severity option specified.',
     constantsLanguage:
       'Valid values are JAVA, DOTNET, NODE, PYTHON and RUBY. If there are multiple project configuration files in the project_path, language is also required.  Also, provide this when cataloguing an application',
-    constantsFilePath: `Path of the file you want to perform an SCA audit on. If no folder is specified, Contrast searches for dependency files in the working directory.`,
+    constantsFilePath: `Specify a directory or the file where dependencies are declared. (By default, CodeSec will search for project files in the current directory.)`,
     constantsSilent: 'Silences JSON output.',
     constantsAppGroups:
       'Assign your application to one or more pre-existing groups when using the catalogue command. Group lists should be comma separated.',
@@ -142,8 +144,9 @@ const en_locales = () => {
     constantsReport: 'Display vulnerability information for this application',
     constantsFail:
       'Set the process to fail if this option is set in combination with --cve_severity.',
-    failOptionErrorMessage:
-      ' FAIL - CVEs have been detected that match at least the cve_severity or cve_threshold option specified.',
+    failThresholdOptionErrorMessage: 'More than 0 vulnerabilities found',
+    failSeverityOptionErrorMessage:
+      ' FAIL - Results detected vulnerabilities over accepted severity level',
     constantsSeverity:
       'Allows the user to report libraries with vulnerabilities above a chosen severity level. For example, cve_severity medium only reports libraries with vulnerabilities at medium or higher severity. Values for level are high, medium or low.',
     constantsCount: 'The number of CVEs that must be exceeded to fail a build',
@@ -414,7 +417,8 @@ const en_locales = () => {
     auditOptionsSaveDescription:
       'Generate and save an SBOM (Software Bill of Materials)\n',
     auditOptionsSaveOptionsDescription:
-      'Valid options are: spdx, cyclonedx (cycloneDX is the default format)',
+      'Valid options are: --save spdx and --save cyclonedx (CycloneDX is the default format.)',
+    exceededFreeTier: `It looks like you are really loving CodeSec! \nYou have reached the monthly scan limit on the FREE tier. \nPlease contact sales@contrastsecurity.com to upgrade.`,
     scanNotCompleted:
       'Scan not completed. Check for framework and language support here: %s',
     auditNotCompleted: 'audit not completed.  Please try again',