@contrast/contrast 1.0.12 → 1.0.13

package/src/commands/audit/processAudit.ts

@@ -3,6 +3,7 @@ import { auditUsageGuide } from './help'
 import { processSca } from '../scan/sca/scaAnalysis'
 import { sendTelemetryConfigAsObject } from '../../telemetry/telemetry'
 import { ContrastConf } from '../../utils/getConfig'
+import chalk from 'chalk'
 
 export type parameterInput = string[]
 
@@ -17,6 +18,7 @@ export const processAudit = async (
 
   const config = await getAuditConfig(contrastConf, 'audit', argv)
   await processSca(config)
+  postRunMessage()
   await sendTelemetryConfigAsObject(
     config,
     'audit',
@@ -30,3 +32,9 @@ export const processAudit = async (
 const printHelpMessage = () => {
   console.log(auditUsageGuide)
 }
+
+const postRunMessage = () => {
+  console.log('\n' + chalk.underline.bold('Other Codesec Features:'))
+  console.log("'contrast scan' to run CodeSec’s industry leading SAST scanner")
+  console.log("'contrast lambda' to secure your AWS serverless functions\n")
+}

package/src/commands/scan/processScan.js

@@ -6,10 +6,14 @@ const { formatScanOutput } = require('../../scan/formatScanOutput')
 const { processSca } = require('./sca/scaAnalysis')
 const common = require('../../common/fail')
 const { sendTelemetryConfigAsObject } = require('../../telemetry/telemetry')
+const chalk = require('chalk')
+const generalAPI = require('../../utils/generalAPI')
 
 const processScan = async (contrastConf, argv) => {
   let config = await scanConfig.getScanConfig(contrastConf, 'scan', argv)
   let output = undefined
+  config.mode = await generalAPI.getMode(config)
+
   //try SCA analysis first
   if (config.experimental) {
     await processSca(config, argv)
@@ -35,6 +39,16 @@ const processScan = async (contrastConf, argv) => {
   if (config.fail) {
     common.processFail(config, output)
   }
+
+  postRunMessage()
+}
+
+const postRunMessage = () => {
+  console.log('\n' + chalk.underline.bold('Other Codesec Features:'))
+  console.log(
+    "'contrast audit' to find vulnerabilities in your open source dependencies"
+  )
+  console.log("'contrast lambda' to secure your AWS serverless functions\n")
 }
 
 module.exports = {

package/src/commands/scan/sca/scaAnalysis.js

@@ -1,6 +1,7 @@
 const autoDetection = require('../../../scan/autoDetection')
 const javaAnalysis = require('../../../scaAnalysis/java')
 const treeUpload = require('../../../scaAnalysis/common/treeUpload')
+const scaUpload = require('../../../scaAnalysis/common/scaServicesUpload')
 const auditController = require('../../audit/auditController')
 const {
   supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET }
@@ -27,7 +28,11 @@ const { dotNetAnalysis } = require('../../../scaAnalysis/dotnet')
 const { auditUsageGuide } = require('../../audit/help')
 const rootFile = require('../../../audit/languageAnalysisEngine/getProjectRootFilenames')
 const path = require('path')
+const generalAPI = require('../../../utils/generalAPI')
+
 const processSca = async config => {
+  config.mode = await generalAPI.getMode(config)
+
   const startTime = performance.now()
   let filesFound
 
@@ -99,6 +104,10 @@ const processSca = async config => {
       config.applicationId = await auditController.dealWithNoAppId(config)
     }
 
+    // if (config.experimental) {
+    //   await scaUpload.scaTreeUpload(messageToSend, config)
+    // } else
+    // {
     console.log('') //empty log for space before spinner
     //send message to TS
     const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
@@ -126,6 +135,7 @@ const processSca = async config => {
     console.log(
       `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
     )
+    // }
   } else {
     if (filesFound.length === 0) {
       console.log(i18n.__('languageAnalysisNoLanguage'))

package/src/common/HTTPClient.js

@@ -171,9 +171,9 @@ HTTPClient.prototype.getScanProjectById = function getScanProjectById(config) {
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
-HTTPClient.prototype.getGlobalProperties = function getGlobalProperties() {
+HTTPClient.prototype.getGlobalProperties = function getGlobalProperties(host) {
   const options = _.cloneDeep(this.requestOptions)
-  let url = createGlobalPropertiesUrl(options.uri)
+  let url = createGlobalPropertiesUrl(host)
   options.url = url
   return requestUtils.sendRequest({ method: 'get', options })
 }
@@ -216,6 +216,36 @@ HTTPClient.prototype.sendSnapshot = function sendSnapshot(requestBody, config) {
   return requestUtils.sendRequest({ method: 'post', options })
 }
 
+HTTPClient.prototype.scaServiceIngest = function scaServiceIngest(
+  requestBody,
+  config
+) {
+  const options = _.cloneDeep(this.requestOptions)
+  let url = createScaServiceIngestURL(config)
+  options.url = url
+  options.body = requestBody
+  return requestUtils.sendRequest({ method: 'post', options })
+}
+HTTPClient.prototype.scaServiceReport = function scaServiceReport(
+  config,
+  reportId
+) {
+  const options = _.cloneDeep(this.requestOptions)
+  let url = createScaServiceReportURL(config, reportId)
+  options.url = url
+  return requestUtils.sendRequest({ method: 'get', options })
+}
+
+HTTPClient.prototype.scaServiceReportStatus = function scaServiceReport(
+  config,
+  reportId
+) {
+  const options = _.cloneDeep(this.requestOptions)
+  let url = createScaServiceReportStatusURL(config, reportId)
+  options.url = url
+  return requestUtils.sendRequest({ method: 'get', options })
+}
+
 HTTPClient.prototype.getReportById = function getReportById(config, reportId) {
   const options = _.cloneDeep(this.requestOptions)
   if (config.ignoreDev) {
@@ -416,6 +446,18 @@ function createSnapshotURL(config) {
   return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/snapshots`
 }
 
+function createScaServiceReportURL(config, reportId) {
+  return ``
+}
+
+function createScaServiceReportStatusURL(config, reportId) {
+  return ``
+}
+
+function createScaServiceIngestURL(config) {
+  return ``
+}
+
 const createAppCreateURL = config => {
   return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/create`
 }

package/src/common/fail.js

@@ -25,11 +25,15 @@ const isSeverityViolation = (severity, reportResults) => {
       count += reportResults.high + reportResults.critical
       break
     case 'medium':
-      count += reportResults.medium + reportResults.low + reportResults.critical
+      count +=
+        reportResults.medium + reportResults.high + reportResults.critical
       break
     case 'low':
       count +=
-        reportResults.high + reportResults.critical + reportResults.medium
+        reportResults.high +
+        reportResults.critical +
+        reportResults.medium +
+        reportResults.low
       break
     case 'note':
       if (reportResults.note == reportResults.total) {
@@ -51,7 +55,7 @@ const failPipeline = (message = '') => {
       ' *********************************\n' +
       i18n.__(message)
   )
-  process.exit(1)
+  process.exit(2)
 }
 
 const parseSeverity = severity => {

package/src/common/versionChecker.ts

@@ -6,7 +6,7 @@ import commonApi from '../utils/commonApi'
 import { constants } from 'http2'
 import { ContrastConf } from '../utils/getConfig'
 
-const getLatestVersion = async (config: any) => {
+export const getLatestVersion = async (config: ContrastConf) => {
   const client = commonApi.getHttpClient(config)
   try {
     const res = await client.getLatestVersion()
@@ -14,18 +14,28 @@ const getLatestVersion = async (config: any) => {
       return res.body
     }
   } catch (e) {
-    return
+    return undefined
   }
 }
 
 export async function findLatestCLIVersion(config: ContrastConf) {
   const isCI = process.env.CONTRAST_CODESEC_CI
-    ? JSON.parse(process.env.CONTRAST_CODESEC_CI)
+    ? JSON.parse(process.env.CONTRAST_CODESEC_CI.toLowerCase())
     : false
+
   if (!isCI) {
-    let latestCLIVersion: string = await getLatestVersion(config)
-    //strip key
-    latestCLIVersion = latestCLIVersion.substring(8)
+    let latestCLIVersion = await getLatestVersion(config)
+
+    if (latestCLIVersion === undefined) {
+      config.set('numOfRuns', 0)
+      console.log(
+        'Failed to retrieve latest version info. Continuing execution.'
+      )
+      return
+    }
+
+    //strip key and remove new lines
+    latestCLIVersion = latestCLIVersion.substring(8).replace('\n', '')
 
     if (semver.lt(APP_VERSION, latestCLIVersion)) {
       const updateAvailableMessage = `Update available ${chalk.yellow(

package/src/constants/constants.js

@@ -14,7 +14,7 @@ const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
 // App
 const APP_NAME = 'contrast'
-const APP_VERSION = '1.0.12'
+const APP_VERSION = '1.0.13'
 const TIMEOUT = 120000
 const HIGH_COLOUR = '#ff9900'
 const CRITICAL_COLOUR = '#e35858'

package/src/constants/locales.js

@@ -26,8 +26,7 @@ const en_locales = () => {
     unauthenticatedErrorMessage:
       'Please check the following keys are correct:\n--organization-id, --api-key or --authorization',
     badRequestErrorHeader: '400 error - Bad Request',
-    badRequestErrorMessage:
-      'Please check the following key is correct: \n--application-id',
+    badRequestErrorMessage: 'Please check your parameters and try again',
     badRequestCatalogueErrorMessage:
       'The application name already exists, please use a unique name',
     forbiddenRequestErrorHeader: '403 error - Forbidden',
@@ -318,7 +317,7 @@ const en_locales = () => {
     scanOptionsVerboseSummary: ' Returns extended information to the terminal.',
     authSuccessMessage: 'Authentication successful',
     runAuthSuccessMessage:
-      "Now you can use CodeSec by Contrast \nRun: \n'contrast scan' on your file \n'contrast audit' on a file or directory,\n'contrast lambda' on an AWS function.\nor 'contrast help' to learn more about the capabilities.",
+      "Now you can use CodeSec by Contrast \nRun: \n'contrast scan' to run CodeSec’s industry leading SAST scanner \n'contrast audit' to find vulnerabilities in your open source dependencies \n'contrast lambda' to secure your AWS serverless functions\nor 'contrast help' to learn more about the capabilities.",
     authWaitingMessage: 'Waiting for auth...',
     authTimedOutMessage: 'Auth Timed out, try again',
     zipErrorScan:

package/src/index.ts

@@ -15,7 +15,6 @@ import {
 } from './common/versionChecker'
 import { findCommandOnError } from './common/errorHandling'
 import { sendTelemetryConfigAsConfObj } from './telemetry/telemetry'
-
 const {
   commandLineDefinitions: { mainUsageGuide, mainDefinition }
 } = constants
@@ -58,7 +57,7 @@ const start = async () => {
       config.set('numOfRuns', config.get('numOfRuns') + 1)
 
       // @ts-ignore
-      if (config.get('numOfRuns') >= 1) {
+      if (config.get('numOfRuns') >= 10) {
         await findLatestCLIVersion(config)
         config.set('numOfRuns', 0)
       }

package/src/lambda/lambda.ts

@@ -17,6 +17,7 @@ import ora from '../utils/oraWrapper'
 import { postAnalytics } from './analytics'
 import { LambdaOptions, AnalyticsOption, StatusType, EventType } from './types'
 import { APP_VERSION } from '../constants/constants'
+import chalk from 'chalk'
 
 type ApiParams = {
   organizationId: string
@@ -114,6 +115,9 @@ const processLambda = async (argv: string[]) => {
     await postAnalytics(endCommandAnalytics).catch((error: Error) => {
       /* ignore */
     })
+
+    postRunMessage()
+
     if (errorMsg) {
       process.exit(1)
     }
@@ -221,4 +225,12 @@ const handleLambdaHelp = () => {
   process.exit(0)
 }
 
+const postRunMessage = () => {
+  console.log('\n' + chalk.underline.bold('Other Codesec Features:'))
+  console.log("'contrast scan' to run CodeSec’s industry leading SAST scanner")
+  console.log(
+    "'contrast audit' to find vulnerabilities in your open source dependencies\n"
+  )
+}
+
 export { processLambda, LambdaOptions, ApiParams, getAvailableFunctions }

package/src/scaAnalysis/common/scaServicesUpload.js

@@ -0,0 +1,54 @@
+const commonApi = require('../../utils/commonApi')
+const { APP_VERSION } = require('../../constants/constants')
+const requestUtils = require('../../utils/requestUtils')
+
+const scaTreeUpload = async (analysis, config) => {
+  const requestBody = {
+    applicationId: config.applicationId,
+    dependencyTree: analysis,
+    organizationId: config.organizationId,
+    language: 'NODE',
+    tool: {
+      name: 'Contrast Codesec',
+      version: APP_VERSION
+    }
+  }
+
+  const client = commonApi.getHttpClient(config)
+  const reportID = await client
+    .scaServiceIngest(requestBody, config)
+    .then(res => {
+      if (res.statusCode === 201) {
+        return res.body.libraryIngestJobId
+      } else {
+        throw new Error(res.statusCode + ` error ingesting dependencies`)
+      }
+    })
+    .catch(err => {
+      throw err
+    })
+
+  let keepChecking = true
+  while (keepChecking) {
+    keepChecking = await client
+      .scaServiceReportStatus(config, reportID)
+      .then(res => {
+        console.log(res.body)
+        if (res.body.status == 'COMPLETED') {
+          client.scaServiceReport(config, reportID).then(res => {
+            console.log(res.statusCode)
+            console.log(res.body)
+          })
+
+          return (keepChecking = false)
+        } else {
+          return (keepChecking = true)
+        }
+      })
+    await requestUtils.sleep(5000)
+  }
+}
+
+module.exports = {
+  scaTreeUpload
+}

package/src/scaAnalysis/javascript/index.js

@@ -1,6 +1,7 @@
 const analysis = require('./analysis')
 const i18n = require('i18n')
 const formatMessage = require('../common/formatMessage')
+const scaServiceParser = require('./scaServiceParser')
 
 const jsAnalysis = async (config, languageFiles) => {
   checkForCorrectFiles(languageFiles)
@@ -13,6 +14,9 @@ const jsAnalysis = async (config, languageFiles) => {
 const buildNodeTree = async (config, files) => {
   let analysis = await readFiles(config, files)
   const rawNode = await parseFiles(config, files, analysis)
+  if (config.experimental) {
+    return scaServiceParser.parseJS(rawNode)
+  }
   return formatMessage.createJavaScriptTSMessage(rawNode)
 }
 

package/src/scaAnalysis/javascript/scaServiceParser.js

@@ -0,0 +1,145 @@
+const parseJS = rawNode => {
+  let dependencyTree = {}
+  let combinedPackageJSONDep = {
+    ...rawNode.packageJSON?.dependencies,
+    ...rawNode.packageJSON?.devDependencies
+  }
+  let analyseLock = chooseLockFile(rawNode)
+
+  if (analyseLock.type === 'yarn') {
+    dependencyTree = yarnCreateDepTree(
+      dependencyTree,
+      combinedPackageJSONDep,
+      analyseLock.lockFile,
+      rawNode
+    )
+  }
+
+  if (analyseLock.type === 'npm') {
+    dependencyTree = npmCreateDepTree(
+      dependencyTree,
+      combinedPackageJSONDep,
+      analyseLock.lockFile,
+      rawNode
+    )
+  }
+
+  return dependencyTree
+}
+
+const npmCreateDepTree = (
+  dependencyTree,
+  combinedPackageJSONDep,
+  packageLock,
+  rawNode
+) => {
+  for (const [key, value] of Object.entries(packageLock)) {
+    dependencyTree[key] = {
+      name: key,
+      version: getResolvedVersion(key, packageLock),
+      group: null,
+      isProduction: checkIfInPackageJSON(rawNode.packageJSON.dependencies, key),
+      directDependency: checkIfInPackageJSON(combinedPackageJSONDep, key),
+      dependencies: createNPMChildDependencies(packageLock, key)
+    }
+  }
+  return dependencyTree
+}
+
+const yarnCreateDepTree = (
+  dependencyTree,
+  combinedPackageJSONDep,
+  packageLock,
+  rawNode
+) => {
+  for (const [key, value] of Object.entries(packageLock)) {
+    let gav = getNameFromGAV(key)
+    let nag = getDepNameWithoutVersion(key)
+    dependencyTree[key] = {
+      name: gav,
+      version: getResolvedVersion(key, packageLock),
+      group: null,
+      isProduction: checkIfInPackageJSON(rawNode.packageJSON.dependencies, nag),
+      directDependency: checkIfInPackageJSON(combinedPackageJSONDep, nag),
+      dependencies: createChildDependencies(packageLock, key)
+    }
+  }
+  return dependencyTree
+}
+
+const chooseLockFile = rawNode => {
+  if (rawNode?.yarn?.yarnLockFile !== undefined) {
+    return { lockFile: rawNode?.yarn?.yarnLockFile?.object, type: 'yarn' }
+  } else if (rawNode.npmLockFile !== undefined) {
+    return { lockFile: rawNode?.npmLockFile?.dependencies, type: 'npm' }
+  } else {
+    return undefined
+  }
+}
+
+const createKeyName = (dep, version) => {
+  return dep + '@' + version
+}
+
+const checkIfInPackageJSON = (list, dep) => {
+  return Object.keys(list).includes(dep)
+}
+
+const createChildDependencies = (lockFileDep, currentDep) => {
+  let depArray = []
+  if (lockFileDep[currentDep]?.dependencies) {
+    for (const [key, value] of Object.entries(
+      lockFileDep[currentDep]?.dependencies
+    )) {
+      depArray.push(createKeyName(key, value))
+    }
+  }
+  return depArray
+}
+
+const createNPMChildDependencies = (lockFileDep, currentDep) => {
+  let depArray = []
+  if (lockFileDep[currentDep]?.requires) {
+    for (const [key, value] of Object.entries(
+      lockFileDep[currentDep]?.requires
+    )) {
+      depArray.push(key)
+    }
+  }
+  return depArray
+}
+
+const getDepNameWithoutVersion = depKey => {
+  let dependency = depKey.split('@')
+  if (dependency.length - 1 > 1) {
+    return '@' + dependency[1]
+  }
+  return dependency[0]
+}
+
+const getNameFromGAV = depKey => {
+  let dependency = depKey.split('/')
+  if (dependency.length == 2) {
+    dependency = getDepNameWithoutVersion(dependency[1])
+    return dependency
+  }
+  if (dependency.length == 1) {
+    dependency = getDepNameWithoutVersion(depKey)
+    return dependency
+  }
+  //what should we do if there's no version? The service will fall over but do we want to throw error for only one wrong version?
+  return depKey
+}
+
+const getResolvedVersion = (depKey, packageLock) => {
+  return packageLock[depKey]?.version
+}
+
+module.exports = {
+  parseJS,
+  checkIfInPackageJSON,
+  getNameFromGAV,
+  getResolvedVersion,
+  chooseLockFile,
+  createNPMChildDependencies
+}