@contrast/contrast 1.0.12 → 1.0.14

package/src/common/HTTPClient.js

@@ -171,9 +171,9 @@ HTTPClient.prototype.getScanProjectById = function getScanProjectById(config) {
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
-HTTPClient.prototype.getGlobalProperties = function getGlobalProperties() {
+HTTPClient.prototype.getGlobalProperties = function getGlobalProperties(host) {
   const options = _.cloneDeep(this.requestOptions)
-  let url = createGlobalPropertiesUrl(options.uri)
+  let url = createGlobalPropertiesUrl(host)
   options.url = url
   return requestUtils.sendRequest({ method: 'get', options })
 }
@@ -216,6 +216,36 @@ HTTPClient.prototype.sendSnapshot = function sendSnapshot(requestBody, config) {
   return requestUtils.sendRequest({ method: 'post', options })
 }
 
+HTTPClient.prototype.scaServiceIngest = function scaServiceIngest(
+  requestBody,
+  config
+) {
+  const options = _.cloneDeep(this.requestOptions)
+  let url = createScaServiceIngestURL(config)
+  options.url = url
+  options.body = requestBody
+  return requestUtils.sendRequest({ method: 'post', options })
+}
+HTTPClient.prototype.scaServiceReport = function scaServiceReport(
+  config,
+  reportId
+) {
+  const options = _.cloneDeep(this.requestOptions)
+  let url = createScaServiceReportURL(config, reportId)
+  options.url = url
+  return requestUtils.sendRequest({ method: 'get', options })
+}
+
+HTTPClient.prototype.scaServiceReportStatus = function scaServiceReport(
+  config,
+  reportId
+) {
+  const options = _.cloneDeep(this.requestOptions)
+  let url = createScaServiceReportStatusURL(config, reportId)
+  options.url = url
+  return requestUtils.sendRequest({ method: 'get', options })
+}
+
 HTTPClient.prototype.getReportById = function getReportById(config, reportId) {
   const options = _.cloneDeep(this.requestOptions)
   if (config.ignoreDev) {
@@ -416,6 +446,18 @@ function createSnapshotURL(config) {
   return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/snapshots`
 }
 
+function createScaServiceReportURL(config, reportId) {
+  return ``
+}
+
+function createScaServiceReportStatusURL(config, reportId) {
+  return ``
+}
+
+function createScaServiceIngestURL(config) {
+  return ``
+}
+
 const createAppCreateURL = config => {
   return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/create`
 }

package/src/common/errorHandling.ts

@@ -38,8 +38,7 @@ const reportFailureError = () => {
   console.log(i18n.__('auditReportFailureMessage'))
 }
 
-const genericError = (missingCliOption: string) => {
-  console.log(missingCliOption)
+const genericError = () => {
   console.error(i18n.__('genericErrorMessage'))
   process.exit(1)
 }

package/src/common/fail.js

@@ -25,11 +25,15 @@ const isSeverityViolation = (severity, reportResults) => {
       count += reportResults.high + reportResults.critical
       break
     case 'medium':
-      count += reportResults.medium + reportResults.low + reportResults.critical
+      count +=
+        reportResults.medium + reportResults.high + reportResults.critical
       break
     case 'low':
       count +=
-        reportResults.high + reportResults.critical + reportResults.medium
+        reportResults.high +
+        reportResults.critical +
+        reportResults.medium +
+        reportResults.low
       break
     case 'note':
       if (reportResults.note == reportResults.total) {
@@ -51,7 +55,7 @@ const failPipeline = (message = '') => {
       ' *********************************\n' +
       i18n.__(message)
   )
-  process.exit(1)
+  process.exit(2)
 }
 
 const parseSeverity = severity => {

package/src/common/versionChecker.ts

@@ -6,7 +6,7 @@ import commonApi from '../utils/commonApi'
 import { constants } from 'http2'
 import { ContrastConf } from '../utils/getConfig'
 
-const getLatestVersion = async (config: any) => {
+export const getLatestVersion = async (config: ContrastConf) => {
   const client = commonApi.getHttpClient(config)
   try {
     const res = await client.getLatestVersion()
@@ -14,18 +14,28 @@ const getLatestVersion = async (config: any) => {
       return res.body
     }
   } catch (e) {
-    return
+    return undefined
   }
 }
 
 export async function findLatestCLIVersion(config: ContrastConf) {
   const isCI = process.env.CONTRAST_CODESEC_CI
-    ? JSON.parse(process.env.CONTRAST_CODESEC_CI)
+    ? JSON.parse(process.env.CONTRAST_CODESEC_CI.toLowerCase())
     : false
+
   if (!isCI) {
-    let latestCLIVersion: string = await getLatestVersion(config)
-    //strip key
-    latestCLIVersion = latestCLIVersion.substring(8)
+    let latestCLIVersion = await getLatestVersion(config)
+
+    if (latestCLIVersion === undefined) {
+      config.set('numOfRuns', 0)
+      console.log(
+        'Failed to retrieve latest version info. Continuing execution.'
+      )
+      return
+    }
+
+    //strip key and remove new lines
+    latestCLIVersion = latestCLIVersion.substring(8).replace('\n', '')
 
     if (semver.lt(APP_VERSION, latestCLIVersion)) {
       const updateAvailableMessage = `Update available ${chalk.yellow(

package/src/constants/constants.js

@@ -14,7 +14,7 @@ const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
 // App
 const APP_NAME = 'contrast'
-const APP_VERSION = '1.0.12'
+const APP_VERSION = '1.0.14'
 const TIMEOUT = 120000
 const HIGH_COLOUR = '#ff9900'
 const CRITICAL_COLOUR = '#e35858'

package/src/constants/locales.js

@@ -26,8 +26,7 @@ const en_locales = () => {
     unauthenticatedErrorMessage:
       'Please check the following keys are correct:\n--organization-id, --api-key or --authorization',
     badRequestErrorHeader: '400 error - Bad Request',
-    badRequestErrorMessage:
-      'Please check the following key is correct: \n--application-id',
+    badRequestErrorMessage: 'Please check your parameters and try again',
     badRequestCatalogueErrorMessage:
       'The application name already exists, please use a unique name',
     forbiddenRequestErrorHeader: '403 error - Forbidden',
@@ -123,6 +122,8 @@ const en_locales = () => {
       'Provide this if you want to catalogue an application',
     failOptionErrorMessage:
       ' FAIL - CVEs have been detected that match at least the cve_severity option specified.',
+    failOptionMessage:
+      ' Use with contrast scan or contrast audit. Detects failures based on the severity level specified with the --severity command. For example, "contrast scan --fail --severity high". Returns all failures if no severity level is specified.',
     constantsLanguage:
       'Valid values are JAVA, DOTNET, NODE, PYTHON and RUBY. If there are multiple project configuration files in the project_path, language is also required.  Also, provide this when cataloguing an application',
     constantsFilePath: `Specify a directory or the file where dependencies are declared. (By default, CodeSec will search for project files in the current directory.)`,
@@ -148,7 +149,7 @@ const en_locales = () => {
     failSeverityOptionErrorMessage:
       ' FAIL - Results detected vulnerabilities over accepted severity level',
     constantsSeverity:
-      'Allows the user to report libraries with vulnerabilities above a chosen severity level. For example, cve_severity medium only reports libraries with vulnerabilities at medium or higher severity. Values for level are high, medium or low.',
+      'Use with "contrast scan --fail --severity high" or "contrast audit --fail --severity high". Set the severity level to detect vulnerabilities or dependencies. Severity levels are critical, high, medium, low or note.',
     constantsCount: 'The number of CVEs that must be exceeded to fail a build',
     constantsHeader: 'CodeSec by Contrast Security',
     configHeader2: 'Config options',
@@ -171,7 +172,7 @@ const en_locales = () => {
     constantsConfigUsageContents: 'view / clear the configuration',
     constantsPrerequisitesContent:
       'To scan a Java project you will need a .jar or .war file for analysis\n' +
-      'To scan a Javascript project you will need a .js or.zip file for analysis\n' +
+      'To scan a Javascript project you will need a single .js or a .zip of  multiple .js files\n' +
       'To scan a .NET c# webforms project you will need a .exe or a .zip file for analysis\n',
     constantsUsage: 'Usage',
     constantsUsageCommandExample: 'contrast [command] [options]',
@@ -318,7 +319,17 @@ const en_locales = () => {
     scanOptionsVerboseSummary: ' Returns extended information to the terminal.',
     authSuccessMessage: 'Authentication successful',
     runAuthSuccessMessage:
-      "Now you can use CodeSec by Contrast \nRun: \n'contrast scan' on your file \n'contrast audit' on a file or directory,\n'contrast lambda' on an AWS function.\nor 'contrast help' to learn more about the capabilities.",
+      chalk.bold('CodeSec by Contrast') +
+      '\nScan, secure and ship your code in minutes for FREE. \n' +
+      chalk.bold('\nRun\n') +
+      chalk.bold('\ncontrast scan') +
+      " to run Contrast's industry leading SAST scanner. \nSupports Java, JavaScript and .Net \n" +
+      chalk.bold('\ncontrast audit') +
+      ' to find vulnerabilities in your open source dependencies.\nSupports Java, .NET, Node, Ruby, Python, Go and PHP \n' +
+      chalk.bold('\ncontrast lambda') +
+      ' to secure your AWS serverless functions. \nSupports Java and Python \n' +
+      chalk.bold('\ncontrast help') +
+      ' to learn more about the capabilities.',
     authWaitingMessage: 'Waiting for auth...',
     authTimedOutMessage: 'Auth Timed out, try again',
     zipErrorScan:
@@ -326,10 +337,7 @@ const en_locales = () => {
     unknownFileErrorScan: 'Unsupported file selected for Scan.',
     foundScanFile: 'Found: %s',
     foundDetailedVulnerabilities:
-      chalk.bold('%s Critical') +
-      ' | ' +
-      chalk.bold('%s High') +
-      ' | %s Medium | %s Low | %s Note',
+      chalk.bold('%s') + ' | ' + chalk.bold('%s') + ' | %s | %s | %s ',
     requiredParams: 'All required parameters are not present.',
     timeoutScan: 'Timeout set to 5 minutes.',
     searchingScanFileDirectory: 'Searching for file to scan from %s...',

package/src/constants.js

@@ -115,7 +115,7 @@ const scanOptionDefinitions = [
       '{bold ' +
       i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('failOptionErrorMessage')
+      i18n.__('failOptionMessage')
   },
   {
     name: 'severity',
@@ -247,7 +247,7 @@ const auditOptionDefinitions = [
       '{bold ' +
       i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('failOptionErrorMessage')
+      i18n.__('failOptionMessage')
   },
   {
     name: 'severity',

package/src/index.ts

@@ -15,7 +15,6 @@ import {
 } from './common/versionChecker'
 import { findCommandOnError } from './common/errorHandling'
 import { sendTelemetryConfigAsConfObj } from './telemetry/telemetry'
-
 const {
   commandLineDefinitions: { mainUsageGuide, mainDefinition }
 } = constants
@@ -58,7 +57,7 @@ const start = async () => {
       config.set('numOfRuns', config.get('numOfRuns') + 1)
 
       // @ts-ignore
-      if (config.get('numOfRuns') >= 1) {
+      if (config.get('numOfRuns') >= 10) {
         await findLatestCLIVersion(config)
         config.set('numOfRuns', 0)
       }
@@ -96,9 +95,8 @@ const start = async () => {
           ? console.log(
               `Unknown Command: Did you mean "${foundCommand}"? \nUse "${foundCommand} --help" for the full list of options`
             )
-          : console.log(
-              `Unknown Command: ${command} \nUse --help for the full list`
-            )
+          : console.log(`\nUnknown Command: ${command} \n`)
+        console.log(mainUsageGuide)
         await sendTelemetryConfigAsConfObj(
           config,
           command,
@@ -107,9 +105,8 @@ const start = async () => {
           'undefined'
         )
       } else {
-        console.log(
-          `Unknown Command: ${command} \nUse --help for the full list`
-        )
+        console.log(`\nUnknown Command: ${command}\n`)
+        console.log(mainUsageGuide)
         await sendTelemetryConfigAsConfObj(
           config,
           command,

package/src/lambda/lambda.ts

@@ -17,6 +17,7 @@ import ora from '../utils/oraWrapper'
 import { postAnalytics } from './analytics'
 import { LambdaOptions, AnalyticsOption, StatusType, EventType } from './types'
 import { APP_VERSION } from '../constants/constants'
+import chalk from 'chalk'
 
 type ApiParams = {
   organizationId: string
@@ -114,6 +115,9 @@ const processLambda = async (argv: string[]) => {
     await postAnalytics(endCommandAnalytics).catch((error: Error) => {
       /* ignore */
     })
+
+    postRunMessage()
+
     if (errorMsg) {
       process.exit(1)
     }
@@ -122,7 +126,7 @@ const processLambda = async (argv: string[]) => {
 
 const getAvailableFunctions = async (lambdaOptions: LambdaOptions) => {
   const lambdas = await getAllLambdas(lambdaOptions)
-  printAvailableLambdas(lambdas, { runtimes: ['python', 'java'] })
+  printAvailableLambdas(lambdas, { runtimes: ['python', 'java', 'node'] })
 }
 
 const actualProcessLambda = async (lambdaOptions: LambdaOptions) => {
@@ -221,4 +225,12 @@ const handleLambdaHelp = () => {
   process.exit(0)
 }
 
+const postRunMessage = () => {
+  console.log('\n' + chalk.underline.bold('Other Codesec Features:'))
+  console.log("'contrast scan' to run CodeSec’s industry leading SAST scanner")
+  console.log(
+    "'contrast audit' to find vulnerabilities in your open source dependencies\n"
+  )
+}
+
 export { processLambda, LambdaOptions, ApiParams, getAvailableFunctions }

package/src/lambda/lambdaUtils.ts

@@ -11,7 +11,7 @@ import ora from '../utils/oraWrapper'
 import { LambdaOptions } from './lambda'
 import { log, getReadableFileSize } from './logUtils'
 
-type RuntimeLanguage = 'java' | 'python'
+type RuntimeLanguage = 'java' | 'python' | 'node'
 
 type FilterLambdas = {
   runtimes: RuntimeLanguage[]

package/src/scaAnalysis/common/auditReport.js

@@ -0,0 +1,108 @@
+const {
+  getSeverityCounts,
+  createSummaryMessageTop,
+  printVulnInfo,
+  getReportTable,
+  getIssueRow,
+  printNoVulnFoundMsg
+} = require('../../audit/report/commonReportingFunctions')
+const { orderBy } = require('lodash')
+const { assignBySeverity } = require('../../scan/formatScanOutput')
+const chalk = require('chalk')
+const { CE_URL } = require('../../constants/constants')
+const common = require('../../common/fail')
+
+const processAuditReport = (config, results) => {
+  let severityCounts = {}
+  if (results !== undefined) {
+    severityCounts = formatScaServicesReport(config, results)
+  }
+
+  if (config.fail) {
+    common.processFail(config, severityCounts)
+  }
+}
+const formatScaServicesReport = (config, results) => {
+  const projectOverviewCount = getSeverityCounts(results)
+
+  if (projectOverviewCount.total === 0) {
+    printNoVulnFoundMsg()
+    return projectOverviewCount
+  } else {
+    let total = 0
+    const numberOfCves = results.length
+    const table = getReportTable()
+    let contrastHeaderNumCounter = 0
+    let assignPriorityToResults = results.map(result =>
+      assignBySeverity(result, result)
+    )
+    const numberOfVulns = results
+      .map(result => result.vulnerabilities)
+      .reduce((a, b) => {
+        return (total += b.length)
+      }, 0)
+    const outputOrderedByLowestSeverityAndLowestNumOfCvesFirst = orderBy(
+      assignPriorityToResults,
+      [
+        reportListItem => {
+          return reportListItem.priority
+        },
+        reportListItem => {
+          return reportListItem.vulnerabilities.length
+        }
+      ],
+      ['asc', 'desc']
+    )
+
+    for (const result of outputOrderedByLowestSeverityAndLowestNumOfCvesFirst) {
+      contrastHeaderNumCounter++
+      const cvesNum = result.vulnerabilities.length
+      const grammaticallyCorrectVul =
+        result.vulnerabilities.length > 1 ? 'vulnerabilities' : 'vulnerability'
+
+      const headerColour = chalk.hex(result.colour)
+      const headerRow = [
+        headerColour(
+          `CONTRAST-${contrastHeaderNumCounter.toString().padStart(3, '0')}`
+        ),
+        headerColour(`-`),
+        headerColour(`[${result.severity}] `) +
+          headerColour.bold(`${result.artifactName}`) +
+          ` introduces ${cvesNum} ${grammaticallyCorrectVul}`
+      ]
+
+      const adviceRow = [
+        chalk.bold(`Advice`),
+        chalk.bold(`:`),
+        `Change to version ${result.remediationAdvice.latestStableVersion}`
+      ]
+
+      let assignPriorityToVulns = result.vulnerabilities.map(result =>
+        assignBySeverity(result, result)
+      )
+      const issueRow = getIssueRow(assignPriorityToVulns)
+
+      table.push(headerRow, issueRow, adviceRow)
+      console.log()
+    }
+
+    console.log()
+    createSummaryMessageTop(numberOfCves, numberOfVulns)
+    console.log(table.toString() + '\n')
+    printVulnInfo(projectOverviewCount)
+
+    if (config.host !== CE_URL) {
+      console.log(
+        '\n' + chalk.bold('View your full dependency tree in Contrast:')
+      )
+      console.log(
+        `${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
+      )
+    }
+    return projectOverviewCount
+  }
+}
+module.exports = {
+  formatScaServicesReport,
+  processAuditReport
+}

package/src/scaAnalysis/common/scaServicesUpload.js

@@ -0,0 +1,56 @@
+const commonApi = require('../../utils/commonApi')
+const { APP_VERSION } = require('../../constants/constants')
+const requestUtils = require('../../utils/requestUtils')
+
+const scaTreeUpload = async (analysis, config) => {
+  const requestBody = {
+    applicationId: config.applicationId,
+    dependencyTree: analysis,
+    organizationId: config.organizationId,
+    language: config.language,
+    tool: {
+      name: 'Contrast Codesec',
+      version: APP_VERSION
+    }
+  }
+
+  const client = commonApi.getHttpClient(config)
+  const reportID = await client
+    .scaServiceIngest(requestBody, config)
+    .then(res => {
+      if (res.statusCode === 201) {
+        return res.body.libraryIngestJobId
+      } else {
+        throw new Error(res.statusCode + ` error ingesting dependencies`)
+      }
+    })
+    .catch(err => {
+      throw err
+    })
+  console.log(' polling report')
+
+  let keepChecking = true
+  let res
+  while (keepChecking) {
+    res = await client.scaServiceReportStatus(config, reportID).then(res => {
+      console.log(res.statusCode)
+      console.log(res.body)
+      if (res.body.status == 'COMPLETED') {
+        keepChecking = false
+        return client.scaServiceReport(config, reportID).then(res => {
+          return res.body
+        })
+      }
+    })
+
+    if (!keepChecking) {
+      return res
+    }
+    await requestUtils.sleep(5000)
+  }
+  return res
+}
+
+module.exports = {
+  scaTreeUpload
+}

package/src/scaAnalysis/javascript/index.js

@@ -1,6 +1,7 @@
 const analysis = require('./analysis')
 const i18n = require('i18n')
 const formatMessage = require('../common/formatMessage')
+const scaServiceParser = require('./scaServiceParser')
 
 const jsAnalysis = async (config, languageFiles) => {
   checkForCorrectFiles(languageFiles)
@@ -13,6 +14,9 @@ const jsAnalysis = async (config, languageFiles) => {
 const buildNodeTree = async (config, files) => {
   let analysis = await readFiles(config, files)
   const rawNode = await parseFiles(config, files, analysis)
+  if (config.experimental) {
+    return scaServiceParser.parseJS(rawNode)
+  }
   return formatMessage.createJavaScriptTSMessage(rawNode)
 }
 

package/src/scaAnalysis/javascript/scaServiceParser.js

@@ -0,0 +1,145 @@
+const parseJS = rawNode => {
+  let dependencyTree = {}
+  let combinedPackageJSONDep = {
+    ...rawNode.packageJSON?.dependencies,
+    ...rawNode.packageJSON?.devDependencies
+  }
+  let analyseLock = chooseLockFile(rawNode)
+
+  if (analyseLock.type === 'yarn') {
+    dependencyTree = yarnCreateDepTree(
+      dependencyTree,
+      combinedPackageJSONDep,
+      analyseLock.lockFile,
+      rawNode
+    )
+  }
+
+  if (analyseLock.type === 'npm') {
+    dependencyTree = npmCreateDepTree(
+      dependencyTree,
+      combinedPackageJSONDep,
+      analyseLock.lockFile,
+      rawNode
+    )
+  }
+
+  return dependencyTree
+}
+
+const npmCreateDepTree = (
+  dependencyTree,
+  combinedPackageJSONDep,
+  packageLock,
+  rawNode
+) => {
+  for (const [key, value] of Object.entries(packageLock)) {
+    dependencyTree[key] = {
+      name: key,
+      version: getResolvedVersion(key, packageLock),
+      group: null,
+      isProduction: checkIfInPackageJSON(rawNode.packageJSON.dependencies, key),
+      directDependency: checkIfInPackageJSON(combinedPackageJSONDep, key),
+      dependencies: createNPMChildDependencies(packageLock, key)
+    }
+  }
+  return dependencyTree
+}
+
+const yarnCreateDepTree = (
+  dependencyTree,
+  combinedPackageJSONDep,
+  packageLock,
+  rawNode
+) => {
+  for (const [key, value] of Object.entries(packageLock)) {
+    let gav = getNameFromGAV(key)
+    let nag = getDepNameWithoutVersion(key)
+    dependencyTree[key] = {
+      name: gav,
+      version: getResolvedVersion(key, packageLock),
+      group: null,
+      isProduction: checkIfInPackageJSON(rawNode.packageJSON.dependencies, nag),
+      directDependency: checkIfInPackageJSON(combinedPackageJSONDep, nag),
+      dependencies: createChildDependencies(packageLock, key)
+    }
+  }
+  return dependencyTree
+}
+
+const chooseLockFile = rawNode => {
+  if (rawNode?.yarn?.yarnLockFile !== undefined) {
+    return { lockFile: rawNode?.yarn?.yarnLockFile?.object, type: 'yarn' }
+  } else if (rawNode.npmLockFile !== undefined) {
+    return { lockFile: rawNode?.npmLockFile?.dependencies, type: 'npm' }
+  } else {
+    return undefined
+  }
+}
+
+const createKeyName = (dep, version) => {
+  return dep + '@' + version
+}
+
+const checkIfInPackageJSON = (list, dep) => {
+  return Object.keys(list).includes(dep)
+}
+
+const createChildDependencies = (lockFileDep, currentDep) => {
+  let depArray = []
+  if (lockFileDep[currentDep]?.dependencies) {
+    for (const [key, value] of Object.entries(
+      lockFileDep[currentDep]?.dependencies
+    )) {
+      depArray.push(createKeyName(key, value))
+    }
+  }
+  return depArray
+}
+
+const createNPMChildDependencies = (lockFileDep, currentDep) => {
+  let depArray = []
+  if (lockFileDep[currentDep]?.requires) {
+    for (const [key, value] of Object.entries(
+      lockFileDep[currentDep]?.requires
+    )) {
+      depArray.push(key)
+    }
+  }
+  return depArray
+}
+
+const getDepNameWithoutVersion = depKey => {
+  let dependency = depKey.split('@')
+  if (dependency.length - 1 > 1) {
+    return '@' + dependency[1]
+  }
+  return dependency[0]
+}
+
+const getNameFromGAV = depKey => {
+  let dependency = depKey.split('/')
+  if (dependency.length == 2) {
+    dependency = getDepNameWithoutVersion(dependency[1])
+    return dependency
+  }
+  if (dependency.length == 1) {
+    dependency = getDepNameWithoutVersion(depKey)
+    return dependency
+  }
+  //what should we do if there's no version? The service will fall over but do we want to throw error for only one wrong version?
+  return depKey
+}
+
+const getResolvedVersion = (depKey, packageLock) => {
+  return packageLock[depKey]?.version
+}
+
+module.exports = {
+  parseJS,
+  checkIfInPackageJSON,
+  getNameFromGAV,
+  getResolvedVersion,
+  chooseLockFile,
+  createNPMChildDependencies
+}