@contrast/contrast 1.0.10 → 1.0.13

package/src/commands/audit/processAudit.ts

@@ -1,18 +1,40 @@
 import { getAuditConfig } from './auditConfig'
 import { auditUsageGuide } from './help'
 import { processSca } from '../scan/sca/scaAnalysis'
+import { sendTelemetryConfigAsObject } from '../../telemetry/telemetry'
+import { ContrastConf } from '../../utils/getConfig'
+import chalk from 'chalk'
 
 export type parameterInput = string[]
 
-export const processAudit = async (argv: parameterInput) => {
+export const processAudit = async (
+  contrastConf: ContrastConf,
+  argv: parameterInput
+) => {
   if (argv.indexOf('--help') != -1) {
     printHelpMessage()
     process.exit(0)
   }
-  const config = getAuditConfig(argv)
+
+  const config = await getAuditConfig(contrastConf, 'audit', argv)
   await processSca(config)
+  postRunMessage()
+  await sendTelemetryConfigAsObject(
+    config,
+    'audit',
+    argv,
+    'SUCCESS',
+    // @ts-ignore
+    config.language
+  )
 }
 
 const printHelpMessage = () => {
   console.log(auditUsageGuide)
 }
+
+const postRunMessage = () => {
+  console.log('\n' + chalk.underline.bold('Other Codesec Features:'))
+  console.log("'contrast scan' to run CodeSec’s industry leading SAST scanner")
+  console.log("'contrast lambda' to secure your AWS serverless functions\n")
+}

package/src/commands/auth/auth.js

@@ -16,7 +16,9 @@ const constants = require('../../constants')
 const commandLineUsage = require('command-line-usage')
 
 const processAuth = async (argv, config) => {
-  let authParams = parsedCLIOptions.getCommandLineArgsCustom(
+  let authParams = await parsedCLIOptions.getCommandLineArgsCustom(
+    config,
+    'auth',
     argv,
     constants.commandLineDefinitions.authOptionDefinitions
   )

package/src/commands/config/config.js

@@ -3,9 +3,11 @@ const constants = require('../../constants')
 const commandLineUsage = require('command-line-usage')
 const i18n = require('i18n')
 
-const processConfig = (argv, config) => {
+const processConfig = async (argv, config) => {
   try {
-    let configParams = parsedCLIOptions.getCommandLineArgsCustom(
+    let configParams = await parsedCLIOptions.getCommandLineArgsCustom(
+      config,
+      'config',
       argv,
       constants.commandLineDefinitions.configOptionDefinitions
     )

package/src/commands/scan/processScan.js

@@ -4,23 +4,51 @@ const { saveScanFile } = require('../../utils/saveFile')
 const { ScanResultsModel } = require('../../scan/models/scanResultsModel')
 const { formatScanOutput } = require('../../scan/formatScanOutput')
 const { processSca } = require('./sca/scaAnalysis')
+const common = require('../../common/fail')
+const { sendTelemetryConfigAsObject } = require('../../telemetry/telemetry')
+const chalk = require('chalk')
+const generalAPI = require('../../utils/generalAPI')
+
+const processScan = async (contrastConf, argv) => {
+  let config = await scanConfig.getScanConfig(contrastConf, 'scan', argv)
+  let output = undefined
+  config.mode = await generalAPI.getMode(config)
 
-const processScan = async argvMain => {
-  let config = scanConfig.getScanConfig(argvMain)
   //try SCA analysis first
   if (config.experimental) {
-    await processSca(config)
+    await processSca(config, argv)
   }
 
   let scanResults = new ScanResultsModel(await startScan(config))
+  await sendTelemetryConfigAsObject(
+    config,
+    'scan',
+    argv,
+    'SUCCESS',
+    scanResults.scanDetail.language
+  )
 
   if (scanResults.scanResultsInstances !== undefined) {
-    formatScanOutput(scanResults)
+    output = formatScanOutput(scanResults)
   }
 
   if (config.save !== undefined) {
     await saveScanFile(config, scanResults)
   }
+
+  if (config.fail) {
+    common.processFail(config, output)
+  }
+
+  postRunMessage()
+}
+
+const postRunMessage = () => {
+  console.log('\n' + chalk.underline.bold('Other Codesec Features:'))
+  console.log(
+    "'contrast audit' to find vulnerabilities in your open source dependencies"
+  )
+  console.log("'contrast lambda' to secure your AWS serverless functions\n")
 }
 
 module.exports = {

package/src/commands/scan/sca/scaAnalysis.js

@@ -1,6 +1,7 @@
 const autoDetection = require('../../../scan/autoDetection')
 const javaAnalysis = require('../../../scaAnalysis/java')
 const treeUpload = require('../../../scaAnalysis/common/treeUpload')
+const scaUpload = require('../../../scaAnalysis/common/scaServicesUpload')
 const auditController = require('../../audit/auditController')
 const {
   supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET }
@@ -21,19 +22,29 @@ const {
 const i18n = require('i18n')
 const {
   vulnerabilityReportV2
-} = require('../../../audit/languageAnalysisEngine/report/reportingFeature')
+} = require('../../../audit/report/reportingFeature')
 const auditSave = require('../../../audit/save')
 const { dotNetAnalysis } = require('../../../scaAnalysis/dotnet')
+const { auditUsageGuide } = require('../../audit/help')
 const rootFile = require('../../../audit/languageAnalysisEngine/getProjectRootFilenames')
 const path = require('path')
+const generalAPI = require('../../../utils/generalAPI')
+
 const processSca = async config => {
+  config.mode = await generalAPI.getMode(config)
+
   const startTime = performance.now()
   let filesFound
 
+  if (config.help) {
+    console.log(auditUsageGuide)
+    process.exit(0)
+  }
+
   const projectStats = await rootFile.getProjectStats(config.file)
   let pathWithFile = projectStats.isFile()
 
-  let fileName = config.file
+  config.fileName = config.file
   config.file = pathWithFile
     ? rootFile.getDirectoryFromPathGiven(config.file).concat('/')
     : config.file
@@ -42,7 +53,7 @@ const processSca = async config => {
 
   if (filesFound.length > 1 && pathWithFile) {
     filesFound = filesFound.filter(i =>
-      Object.values(i)[0].includes(path.basename(fileName))
+      Object.values(i)[0].includes(path.basename(config.fileName))
     )
   }
 
@@ -71,7 +82,7 @@ const processSca = async config => {
         messageToSend = rubyAnalysis(config, filesFound[0])
         config.language = RUBY
         break
-      case 'PHP':
+      case PHP:
         messageToSend = phpAnalysis.phpAnalysis(config, filesFound[0])
         config.language = PHP
         break
@@ -93,6 +104,10 @@ const processSca = async config => {
       config.applicationId = await auditController.dealWithNoAppId(config)
     }
 
+    // if (config.experimental) {
+    //   await scaUpload.scaTreeUpload(messageToSend, config)
+    // } else
+    // {
     console.log('') //empty log for space before spinner
     //send message to TS
     const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
@@ -120,6 +135,7 @@ const processSca = async config => {
     console.log(
       `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
     )
+    // }
   } else {
     if (filesFound.length === 0) {
       console.log(i18n.__('languageAnalysisNoLanguage'))
@@ -127,7 +143,9 @@ const processSca = async config => {
       throw new Error()
     } else {
       throw new Error(
-        'multiple language files detected, please use --file to specify a directory or the file where dependencies are declared'
+        `multiple language files detected \n` +
+          JSON.stringify(filesFound) +
+          `\nplease use --file to audit one language only. Example: contrast audit --file package-lock.json`
       )
     }
   }

package/src/common/HTTPClient.js

@@ -171,9 +171,9 @@ HTTPClient.prototype.getScanProjectById = function getScanProjectById(config) {
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
-HTTPClient.prototype.getGlobalProperties = function getGlobalProperties() {
+HTTPClient.prototype.getGlobalProperties = function getGlobalProperties(host) {
   const options = _.cloneDeep(this.requestOptions)
-  let url = createGlobalPropertiesUrl(options.uri)
+  let url = createGlobalPropertiesUrl(host)
   options.url = url
   return requestUtils.sendRequest({ method: 'get', options })
 }
@@ -212,9 +212,40 @@ HTTPClient.prototype.sendSnapshot = function sendSnapshot(requestBody, config) {
   let url = createSnapshotURL(config)
   options.url = url
   options.body = requestBody
+
   return requestUtils.sendRequest({ method: 'post', options })
 }
 
+HTTPClient.prototype.scaServiceIngest = function scaServiceIngest(
+  requestBody,
+  config
+) {
+  const options = _.cloneDeep(this.requestOptions)
+  let url = createScaServiceIngestURL(config)
+  options.url = url
+  options.body = requestBody
+  return requestUtils.sendRequest({ method: 'post', options })
+}
+HTTPClient.prototype.scaServiceReport = function scaServiceReport(
+  config,
+  reportId
+) {
+  const options = _.cloneDeep(this.requestOptions)
+  let url = createScaServiceReportURL(config, reportId)
+  options.url = url
+  return requestUtils.sendRequest({ method: 'get', options })
+}
+
+HTTPClient.prototype.scaServiceReportStatus = function scaServiceReport(
+  config,
+  reportId
+) {
+  const options = _.cloneDeep(this.requestOptions)
+  let url = createScaServiceReportStatusURL(config, reportId)
+  options.url = url
+  return requestUtils.sendRequest({ method: 'get', options })
+}
+
 HTTPClient.prototype.getReportById = function getReportById(config, reportId) {
   const options = _.cloneDeep(this.requestOptions)
   if (config.ignoreDev) {
@@ -346,6 +377,16 @@ HTTPClient.prototype.getLatestVersion = function getLatestVersion() {
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
+HTTPClient.prototype.postTelemetry = function postTelemetry(
+  config,
+  requestBody
+) {
+  const options = _.cloneDeep(this.requestOptions)
+  options.url = createTelemetryEventUrl(config)
+  options.body = requestBody
+  return requestUtils.sendRequest({ method: 'post', options })
+}
+
 // analytics
 
 HTTPClient.prototype.postAnalyticsFunction = function (config, provider, body) {
@@ -405,6 +446,18 @@ function createSnapshotURL(config) {
   return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/snapshots`
 }
 
+function createScaServiceReportURL(config, reportId) {
+  return ``
+}
+
+function createScaServiceReportStatusURL(config, reportId) {
+  return ``
+}
+
+function createScaServiceIngestURL(config) {
+  return ``
+}
+
 const createAppCreateURL = config => {
   return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/create`
 }
@@ -439,6 +492,10 @@ function createSbomUrl(config, type) {
   return `${config.host}/Contrast/api/ng/${config.organizationId}/applications/${config.applicationId}/libraries/sbom/${type}`
 }
 
+function createTelemetryEventUrl(config) {
+  return `${config.host}/Contrast/api/sast/organizations/${config.organizationId}/cli`
+}
+
 module.exports = HTTPClient
 module.exports.pollForAuthUrl = pollForAuthUrl
 module.exports.getServerlessHost = getServerlessHost

package/src/common/commonHelp.ts

@@ -0,0 +1,13 @@
+import i18n from 'i18n'
+
+export function commonHelpLinks() {
+  return {
+    header: i18n.__('commonHelpHeader'),
+    content: [
+      i18n.__('commonHelpCheckOutHeader') + i18n.__('commonHelpCheckOutText'),
+      i18n.__('commonHelpLearnMoreHeader') + i18n.__('commonHelpLearnMoreText'),
+      i18n.__('commonHelpJoinDiscussionHeader') +
+        i18n.__('commonHelpJoinDiscussionText')
+    ]
+  }
+}

package/src/common/fail.js

@@ -0,0 +1,79 @@
+const i18n = require('i18n')
+
+const processFail = (config, reportResults) => {
+  if (config.severity !== undefined) {
+    if (
+      reportResults[config.severity] !== undefined &&
+      isSeverityViolation(config.severity, reportResults)
+    ) {
+      failPipeline('failSeverityOptionErrorMessage')
+    }
+  }
+
+  if (config.severity === undefined && reportResults.total > 0) {
+    failPipeline('failThresholdOptionErrorMessage')
+  }
+}
+
+const isSeverityViolation = (severity, reportResults) => {
+  let count = 0
+  switch (severity) {
+    case 'critical':
+      count += reportResults.critical
+      break
+    case 'high':
+      count += reportResults.high + reportResults.critical
+      break
+    case 'medium':
+      count +=
+        reportResults.medium + reportResults.high + reportResults.critical
+      break
+    case 'low':
+      count +=
+        reportResults.high +
+        reportResults.critical +
+        reportResults.medium +
+        reportResults.low
+      break
+    case 'note':
+      if (reportResults.note == reportResults.total) {
+        count = 0
+      } else {
+        count = reportResults.total
+      }
+      break
+    default:
+      count = 0
+  }
+  return count > 0
+}
+
+const failPipeline = (message = '') => {
+  console.log(
+    '\n ******************************** ' +
+      i18n.__('snapshotFailureHeader') +
+      ' *********************************\n' +
+      i18n.__(message)
+  )
+  process.exit(2)
+}
+
+const parseSeverity = severity => {
+  const severities = ['NOTE', 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL']
+  if (severities.includes(severity.toUpperCase())) {
+    return severity.toLowerCase()
+  } else {
+    console.log(
+      severity +
+        ' Not recognised as a severity type please use LOW, MEDIUM, HIGH, CRITICAL, NOTE'
+    )
+    return undefined
+  }
+}
+
+module.exports = {
+  failPipeline,
+  processFail,
+  isSeverityViolation,
+  parseSeverity
+}

package/src/common/versionChecker.ts

@@ -6,7 +6,7 @@ import commonApi from '../utils/commonApi'
 import { constants } from 'http2'
 import { ContrastConf } from '../utils/getConfig'
 
-const getLatestVersion = async (config: any) => {
+export const getLatestVersion = async (config: ContrastConf) => {
   const client = commonApi.getHttpClient(config)
   try {
     const res = await client.getLatestVersion()
@@ -14,18 +14,28 @@ const getLatestVersion = async (config: any) => {
       return res.body
     }
   } catch (e) {
-    return
+    return undefined
   }
 }
 
-// @ts-ignore
 export async function findLatestCLIVersion(config: ContrastConf) {
-  const messageHidden = config.get('updateMessageHidden') as boolean
+  const isCI = process.env.CONTRAST_CODESEC_CI
+    ? JSON.parse(process.env.CONTRAST_CODESEC_CI.toLowerCase())
+    : false
 
-  if (!messageHidden) {
-    let latestCLIVersion: string = await getLatestVersion(config)
-    //strip key
-    latestCLIVersion = latestCLIVersion.substring(8)
+  if (!isCI) {
+    let latestCLIVersion = await getLatestVersion(config)
+
+    if (latestCLIVersion === undefined) {
+      config.set('numOfRuns', 0)
+      console.log(
+        'Failed to retrieve latest version info. Continuing execution.'
+      )
+      return
+    }
+
+    //strip key and remove new lines
+    latestCLIVersion = latestCLIVersion.substring(8).replace('\n', '')
 
     if (semver.lt(APP_VERSION, latestCLIVersion)) {
       const updateAvailableMessage = `Update available ${chalk.yellow(

package/src/constants/constants.js

@@ -14,7 +14,7 @@ const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
 // App
 const APP_NAME = 'contrast'
-const APP_VERSION = '1.0.10'
+const APP_VERSION = '1.0.13'
 const TIMEOUT = 120000
 const HIGH_COLOUR = '#ff9900'
 const CRITICAL_COLOUR = '#e35858'
@@ -32,7 +32,7 @@ const AUTH_CALLBACK_URL = 'https://cli-auth-api.contrastsecurity.com'
 const SARIF_FILE = 'SARIF'
 const SBOM_CYCLONE_DX_FILE = 'cyclonedx'
 const SBOM_SPDX_FILE = 'spdx'
-const CE_URL = 'https://ce.contrastsecurity.com/'
+const CE_URL = 'https://ce.contrastsecurity.com'
 
 module.exports = {
   supportedLanguages: { NODE, DOTNET, JAVA, RUBY, PYTHON, GO, PHP, JAVASCRIPT },

package/src/constants/locales.js

@@ -26,8 +26,7 @@ const en_locales = () => {
     unauthenticatedErrorMessage:
       'Please check the following keys are correct:\n--organization-id, --api-key or --authorization',
     badRequestErrorHeader: '400 error - Bad Request',
-    badRequestErrorMessage:
-      'Please check the following key is correct: \n--application-id',
+    badRequestErrorMessage: 'Please check your parameters and try again',
     badRequestCatalogueErrorMessage:
       'The application name already exists, please use a unique name',
     forbiddenRequestErrorHeader: '403 error - Forbidden',
@@ -121,9 +120,11 @@ const en_locales = () => {
       'The name of the application cataloged by Contrast UI',
     constantsCatalogueApplication:
       'Provide this if you want to catalogue an application',
+    failOptionErrorMessage:
+      ' FAIL - CVEs have been detected that match at least the cve_severity option specified.',
     constantsLanguage:
       'Valid values are JAVA, DOTNET, NODE, PYTHON and RUBY. If there are multiple project configuration files in the project_path, language is also required.  Also, provide this when cataloguing an application',
-    constantsFilePath: `Path of the file you want to perform an SCA audit on. If no folder is specified, Contrast searches for dependency files in the working directory.`,
+    constantsFilePath: `Specify a directory or the file where dependencies are declared. (By default, CodeSec will search for project files in the current directory.)`,
     constantsSilent: 'Silences JSON output.',
     constantsAppGroups:
       'Assign your application to one or more pre-existing groups when using the catalogue command. Group lists should be comma separated.',
@@ -142,8 +143,9 @@ const en_locales = () => {
     constantsReport: 'Display vulnerability information for this application',
     constantsFail:
       'Set the process to fail if this option is set in combination with --cve_severity.',
-    failOptionErrorMessage:
-      ' FAIL - CVEs have been detected that match at least the cve_severity or cve_threshold option specified.',
+    failThresholdOptionErrorMessage: 'More than 0 vulnerabilities found',
+    failSeverityOptionErrorMessage:
+      ' FAIL - Results detected vulnerabilities over accepted severity level',
     constantsSeverity:
       'Allows the user to report libraries with vulnerabilities above a chosen severity level. For example, cve_severity medium only reports libraries with vulnerabilities at medium or higher severity. Values for level are high, medium or low.',
     constantsCount: 'The number of CVEs that must be exceeded to fail a build',
@@ -315,7 +317,7 @@ const en_locales = () => {
     scanOptionsVerboseSummary: ' Returns extended information to the terminal.',
     authSuccessMessage: 'Authentication successful',
     runAuthSuccessMessage:
-      "Now you can use CodeSec by Contrast \nRun: \n'contrast scan' on your file \n'contrast audit' on a file or directory,\n'contrast lambda' on an AWS function.\nor 'contrast help' to learn more about the capabilities.",
+      "Now you can use CodeSec by Contrast \nRun: \n'contrast scan' to run CodeSec’s industry leading SAST scanner \n'contrast audit' to find vulnerabilities in your open source dependencies \n'contrast lambda' to secure your AWS serverless functions\nor 'contrast help' to learn more about the capabilities.",
     authWaitingMessage: 'Waiting for auth...',
     authTimedOutMessage: 'Auth Timed out, try again',
     zipErrorScan:
@@ -414,7 +416,8 @@ const en_locales = () => {
     auditOptionsSaveDescription:
       'Generate and save an SBOM (Software Bill of Materials)\n',
     auditOptionsSaveOptionsDescription:
-      'Valid options are: spdx, cyclonedx (cycloneDX is the default format)',
+      'Valid options are: --save spdx and --save cyclonedx (CycloneDX is the default format.)',
+    exceededFreeTier: `It looks like you are really loving CodeSec! \nYou have reached the monthly scan limit on the FREE tier. \nPlease contact sales@contrastsecurity.com to upgrade.`,
     scanNotCompleted:
       'Scan not completed. Check for framework and language support here: %s',
     auditNotCompleted: 'audit not completed.  Please try again',
@@ -437,6 +440,15 @@ const en_locales = () => {
     auditReportFailureMessage: 'Unable to generate library report',
     auditSCAAnalysisBegins: 'Contrast SCA audit started',
     auditSCAAnalysisComplete: 'Contrast audit complete',
+    commonHelpHeader: 'Need More Help?',
+    commonHelpCheckOutHeader: chalk.hex('#9DC184')('Check out:'),
+    commonHelpCheckOutText: ' https://support.contrastsecurity.com',
+    commonHelpLearnMoreHeader: chalk.hex('#9DC184')('Learn more at:'),
+    commonHelpLearnMoreText: ' https://developer.contrastsecurity.com',
+    commonHelpJoinDiscussionHeader: chalk.hex('#9DC184')(
+      'Join the discussion:'
+    ),
+    commonHelpJoinDiscussionText: ' https://dev.to/codesec',
     ...lambda
   }
 }

package/src/constants.js

@@ -1,6 +1,8 @@
 const commandLineUsage = require('command-line-usage')
 const i18n = require('i18n')
 const { en_locales } = require('./constants/locales.js')
+const { parseSeverity } = require('./common/fail')
+const { commonHelpLinks } = require('./common/commonHelp')
 
 i18n.configure({
   staticCatalog: {
@@ -106,6 +108,24 @@ const scanOptionDefinitions = [
       '}: ' +
       i18n.__('constantsProxyServer')
   },
+  {
+    name: 'fail',
+    type: Boolean,
+    description:
+      '{bold ' +
+      i18n.__('constantsOptional') +
+      '}: ' +
+      i18n.__('failOptionErrorMessage')
+  },
+  {
+    name: 'severity',
+    type: severity => parseSeverity(severity),
+    description:
+      '{bold ' +
+      i18n.__('constantsOptional') +
+      '}: ' +
+      i18n.__('constantsSeverity')
+  },
   {
     name: 'ff',
     type: Boolean,
@@ -220,6 +240,24 @@ const auditOptionDefinitions = [
       '}: ' +
       i18n.__('constantsFilePath')
   },
+  {
+    name: 'fail',
+    type: Boolean,
+    description:
+      '{bold ' +
+      i18n.__('constantsOptional') +
+      '}: ' +
+      i18n.__('failOptionErrorMessage')
+  },
+  {
+    name: 'severity',
+    type: severity => parseSeverity(severity),
+    description:
+      '{bold ' +
+      i18n.__('constantsOptional') +
+      '}: ' +
+      i18n.__('constantsSeverity')
+  },
   {
     name: 'app-groups',
     description:
@@ -257,6 +295,7 @@ const auditOptionDefinitions = [
   {
     name: 'ignore-dev',
     type: Boolean,
+    alias: 'i',
     description:
       '{bold ' +
       i18n.__('constantsOptional') +
@@ -293,7 +332,6 @@ const auditOptionDefinitions = [
   },
   {
     name: 'host',
-    alias: 'h',
     description:
       '{bold ' +
       i18n.__('constantsRequired') +
@@ -341,6 +379,11 @@ const auditOptionDefinitions = [
       i18n.__('constantsOptional') +
       '}: ' +
       i18n.__('scanOptionsTimeoutSummary')
+  },
+  {
+    name: 'help',
+    alias: 'h',
+    type: Boolean
   }
 ]
 
@@ -368,16 +411,13 @@ const mainUsageGuide = commandLineUsage([
       { name: i18n.__('helpName'), summary: i18n.__('helpSummary') }
     ]
   },
-  {
-    content:
-      '{underline https://developer.contrastsecurity.com/} \n For technical support head to {underline https://support.contrastsecurity.com}'
-  },
   {
     header: i18n.__('configHeader2'),
     content: [
       { name: i18n.__('clearHeader'), summary: i18n.__('clearContent') }
     ]
-  }
+  },
+  commonHelpLinks()
 ])
 
 const mainDefinition = [{ name: 'command', defaultOption: true }]