@contrast/contrast 1.0.12 → 1.0.14

package/src/scaAnalysis/ruby/analysis.js

@@ -1,6 +1,27 @@
 const fs = require('fs')
 const i18n = require('i18n')
 
+const getRubyDeps = (config, languageFiles) => {
+  try {
+    checkForCorrectFiles(languageFiles)
+    const parsedGem = readAndParseGemfile(config.file)
+    const parsedLock = readAndParseGemLockFile(config.file)
+    if (config.experimental) {
+      const rubyArray = removeRedundantAndPopulateDefinedElements(
+        parsedLock.sources
+      )
+      let rubyTree = createRubyTree(rubyArray)
+      findChildrenDependencies(rubyTree)
+      processRootDependencies(parsedLock.dependencies, rubyTree)
+      return rubyTree
+    } else {
+      return { gemfilesDependanceies: parsedGem, gemfileLock: parsedLock }
+    }
+  } catch (err) {
+    throw err
+  }
+}
+
 const readAndParseGemfile = file => {
   const gemFile = fs.readFileSync(file + '/Gemfile', 'utf8')
   const rubyArray = gemFile.split('\n')
@@ -242,16 +263,119 @@ const buildSourceDependencyWithVersion = (
   return dependencies
 }
 
-const getRubyDeps = (config, languageFiles) => {
-  try {
-    checkForCorrectFiles(languageFiles)
-    const parsedGem = readAndParseGemfile(config.file)
-    const parsedLock = readAndParseGemLockFile(config.file)
+const processRootDependencies = (rootDependencies, rubyTree) => {
+  const getParentObjectByName = queryToken =>
+    Object.values(rubyTree).filter(({ name }) => name === queryToken)
 
-    return { gemfilesDependanceies: parsedGem, gemfileLock: parsedLock }
-  } catch (err) {
-    throw err
+  for (let parent in rootDependencies) {
+    let parentObject = getParentObjectByName(parent)
+
+    // ignore root dependencies that don't have a resolved version
+    if (parentObject[0]) {
+      let gav =
+        parentObject[0].group +
+        '/' +
+        parentObject[0].name +
+        '@' +
+        parentObject[0].version
+
+      rubyTree[gav] = parentObject[0]
+      rubyTree[gav].directDependency = true
+    }
+  }
+  return rubyTree
+}
+
+const createRubyTree = rubyArray => {
+  let rubyTree = {}
+  for (let x in rubyArray) {
+    let version = rubyArray[x].resolved
+
+    let gav = rubyArray[x].group + '/' + rubyArray[x].name + '@' + version
+    rubyTree[gav] = rubyArray[x]
+    rubyTree[gav].directDependency = false
+    rubyTree[gav].version = version
+
+    // add dependency array if none exists
+    if (!rubyTree[gav].dependencies) {
+      rubyTree[gav].dependencies = []
+    }
+
+    delete rubyTree[gav].resolved
+  }
+  return rubyTree
+}
+
+const findChildrenDependencies = rubyTree => {
+  for (let dep in rubyTree) {
+    let unResolvedChildDepsKey = Object.keys(rubyTree[dep].dependencies)
+    rubyTree[dep].dependencies = resolveVersionOfChildDependencies(
+      unResolvedChildDepsKey,
+      rubyTree
+    )
+  }
+}
+
+const resolveVersionOfChildDependencies = (
+  unResolvedChildDepsKey,
+  rubyObject
+) => {
+  const getParentObjectByName = queryToken =>
+    Object.values(rubyObject).filter(({ name }) => name === queryToken)
+  let resolvedChildrenDependencies = []
+  for (let childDep in unResolvedChildDepsKey) {
+    let childDependencyName = unResolvedChildDepsKey[childDep]
+    let parent = getParentObjectByName(childDependencyName)
+    resolvedChildrenDependencies.push(
+      'null/' + childDependencyName + '@' + parent[0].version
+    )
   }
+  return resolvedChildrenDependencies
+}
+
+const removeRedundantAndPopulateDefinedElements = deps => {
+  return deps.map(element => {
+    if (element.sourceType === 'GIT') {
+      delete element.sourceType
+      delete element.remote
+      delete element.platform
+
+      element.group = null
+      element.isProduction = true
+    }
+
+    if (element.sourceType === 'GEM') {
+      element.group = null
+      element.isProduction = true
+
+      delete element.sourceType
+      delete element.remote
+      delete element.platform
+    }
+
+    if (element.sourceType === 'PATH') {
+      element.group = null
+      element.isProduction = true
+
+      delete element.platform
+      delete element.sourceType
+      delete element.remote
+    }
+
+    if (element.sourceType === 'BUNDLED WITH') {
+      element.group = null
+      element.isProduction = true
+
+      delete element.sourceType
+      delete element.remote
+      delete element.branch
+      delete element.revision
+      delete element.depthLevel
+      delete element.specs
+      delete element.platform
+    }
+    return element
+  })
 }
 
 const checkForCorrectFiles = languageFiles => {
@@ -281,5 +405,9 @@ module.exports = {
   getPatchLevel,
   formatSourceArr,
   getSourceArray,
-  checkForCorrectFiles
+  checkForCorrectFiles,
+  removeRedundantAndPopulateDefinedElements,
+  createRubyTree,
+  findChildrenDependencies,
+  processRootDependencies
 }

package/src/scaAnalysis/ruby/index.js

@@ -3,7 +3,12 @@ const { createRubyTSMessage } = require('../common/formatMessage')
 
 const rubyAnalysis = (config, languageFiles) => {
   const rubyDeps = analysis.getRubyDeps(config, languageFiles.RUBY)
-  return createRubyTSMessage(rubyDeps)
+
+  if (config.experimental) {
+    return rubyDeps
+  } else {
+    return createRubyTSMessage(rubyDeps)
+  }
 }
 
 module.exports = {

package/src/scan/formatScanOutput.ts

@@ -15,11 +15,15 @@ import {
   MEDIUM_COLOUR,
   NOTE_COLOUR
 } from '../constants/constants'
+import {
+  getSeverityCounts,
+  printVulnInfo
+} from '../audit/report/commonReportingFunctions'
 
 export function formatScanOutput(scanResults: ScanResultsModel) {
   const { scanResultsInstances } = scanResults
 
-  const projectOverview = getProjectOverview(scanResultsInstances)
+  const projectOverview = getSeverityCounts(scanResultsInstances.content)
   if (scanResultsInstances.content.length === 0) {
     console.log(i18n.__('scanNoVulnerabilitiesFound'))
     console.log(i18n.__('scanNoVulnerabilitiesFoundSecureCode'))
@@ -108,47 +112,6 @@ export function formatScanOutput(scanResults: ScanResultsModel) {
   return projectOverview
 }
 
-function printVulnInfo(projectOverview: any) {
-  const totalVulnerabilities = projectOverview.total
-
-  const vulMessage =
-    totalVulnerabilities === 1 ? `vulnerability` : `vulnerabilities`
-  console.log(chalk.bold(`Found ${totalVulnerabilities} ${vulMessage}`))
-  console.log(
-    i18n.__(
-      'foundDetailedVulnerabilities',
-      String(projectOverview.critical),
-      String(projectOverview.high),
-      String(projectOverview.medium),
-      String(projectOverview.low),
-      String(projectOverview.note)
-    )
-  )
-}
-
-export function getProjectOverview(scanResultsInstances: ScanResultsInstances) {
-  const acc: any = {
-    critical: 0,
-    high: 0,
-    medium: 0,
-    low: 0,
-    note: 0,
-    total: 0
-  }
-  if (
-    scanResultsInstances?.content &&
-    scanResultsInstances.content.length > 0
-  ) {
-    scanResultsInstances.content.forEach((i: ResultContent) => {
-      acc[i.severity.toLowerCase()] += 1
-      acc.total += 1
-      return acc
-    })
-  }
-
-  return acc
-}
-
 export function formatLinks(objName: string, entry: any[]) {
   const line = chalk.bold(objName + '  : ')
   if (entry.length === 1) {

package/src/scan/scanResults.js

@@ -94,7 +94,7 @@ const returnScanResults = async (
         )
 
         const isCI = process.env.CONTRAST_CODESEC_CI
-          ? JSON.parse(process.env.CONTRAST_CODESEC_CI)
+          ? JSON.parse(process.env.CONTRAST_CODESEC_CI.toLowerCase())
           : false
         if (!isCI) {
           const retry = await retryScanPrompt()

package/src/{audit/languageAnalysisEngine/util → utils}/generalAPI.js

@@ -1,13 +1,13 @@
 const { featuresTeamServer } = require('./capabilities')
 const semver = require('semver')
-const { handleResponseErrors } = require('../../../common/errorHandling')
-const { getHttpClient } = require('../../../utils/commonApi')
+const { handleResponseErrors } = require('../common/errorHandling')
+const commonApi = require('./commonApi')
+const { isNil } = require('lodash')
 
 const getGlobalProperties = async config => {
-  const client = getHttpClient(config)
-
+  const client = commonApi.getHttpClient(config)
   return client
-    .getGlobalProperties(config)
+    .getGlobalProperties(config.host)
     .then(res => {
       if (res.statusCode === 200) {
         return res.body
@@ -20,6 +20,15 @@ const getGlobalProperties = async config => {
     })
 }
 
+const getMode = async config => {
+  const features = await getGlobalProperties(config)
+
+  if (!isNil(features?.mode)) {
+    return features.mode
+  }
+  return ''
+}
+
 const getFeatures = version => {
   const featuresEnabled = []
 
@@ -39,5 +48,6 @@ const isFeatureEnabled = (features, featureName) => {
 module.exports = {
   getGlobalProperties,
   getFeatures,
-  isFeatureEnabled
+  isFeatureEnabled,
+  getMode
 }

package/src/audit/report/commonReportingFunctions.ts

@@ -1,355 +0,0 @@
-import { getHttpClient, handleResponseErrors } from '../../utils/commonApi'
-import {
-  ReportCompositeKey,
-  ReportList,
-  ReportModelStructure
-} from './models/reportListModel'
-import { ReportSeverityModel } from './models/reportSeverityModel'
-import { orderBy } from 'lodash'
-import chalk from 'chalk'
-import { ReportCVEModel, ReportLibraryModel } from './models/reportLibraryModel'
-import {
-  countVulnerableLibrariesBySeverity,
-  findCVESeveritiesAndOrderByHighestPriority,
-  findHighestSeverityCVE,
-  findNameAndVersion,
-  severityCountAllCVEs
-} from './utils/reportUtils'
-import { SeverityCountModel } from './models/severityCountModel'
-import {
-  ReportOutputBodyModel,
-  ReportOutputHeaderModel,
-  ReportOutputModel
-} from './models/reportOutputModel'
-import {
-  CE_URL,
-  CRITICAL_COLOUR,
-  HIGH_COLOUR,
-  LOW_COLOUR,
-  MEDIUM_COLOUR,
-  NOTE_COLOUR
-} from '../../constants/constants'
-import Table from 'cli-table3'
-import { ReportGuidanceModel } from './models/reportGuidanceModel'
-
-export const createSummaryMessageTop = (
-  numberOfVulnerableLibraries: number,
-  numberOfCves: number
-) => {
-  numberOfVulnerableLibraries === 1
-    ? console.log(`Found 1 vulnerable library containing ${numberOfCves} CVE`)
-    : console.log(
-        `Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVEs`
-      )
-}
-
-export const createSummaryMessageBottom = (
-  numberOfVulnerableLibraries: number
-) => {
-  numberOfVulnerableLibraries === 1
-    ? console.log(`Found 1 vulnerable library`)
-    : console.log(`Found ${numberOfVulnerableLibraries} vulnerable libraries`)
-}
-
-export const getReport = async (config: any, reportId: string) => {
-  const client = getHttpClient(config)
-  return client
-    .getReportById(config, reportId)
-    .then((res: { statusCode: number; body: any }) => {
-      if (res.statusCode === 200) {
-        return res.body
-      } else {
-        console.log(JSON.stringify(res))
-        handleResponseErrors(res, 'report')
-      }
-    })
-    .catch((err: any) => {
-      console.log(err)
-    })
-}
-
-export const printVulnerabilityResponse = (
-  config: any,
-  vulnerableLibraries: ReportLibraryModel[],
-  numberOfVulnerableLibraries: number,
-  numberOfCves: number,
-  guidance: any
-) => {
-  let hasSomeVulnerabilitiesReported = false
-  printFormattedOutput(
-    config,
-    vulnerableLibraries,
-    numberOfVulnerableLibraries,
-    numberOfCves,
-    guidance
-  )
-  if (Object.keys(vulnerableLibraries).length > 0) {
-    hasSomeVulnerabilitiesReported = true
-  }
-  return hasSomeVulnerabilitiesReported
-}
-
-export const printFormattedOutput = (
-  config: any,
-  libraries: ReportLibraryModel[],
-  numberOfVulnerableLibraries: number,
-  numberOfCves: number,
-  guidance: any
-) => {
-  createSummaryMessageTop(numberOfVulnerableLibraries, numberOfCves)
-  console.log()
-  const report = new ReportList()
-
-  for (const library of libraries) {
-    const { name, version } = findNameAndVersion(library, config)
-
-    const newOutputModel = new ReportModelStructure(
-      new ReportCompositeKey(
-        name,
-        version,
-        findHighestSeverityCVE(library.cveArray) as ReportSeverityModel,
-        severityCountAllCVEs(
-          library.cveArray,
-          new SeverityCountModel()
-        ).getTotal
-      ),
-      library.cveArray
-    )
-    report.reportOutputList.push(newOutputModel)
-  }
-
-  const outputOrderedByLowestSeverityAndLowestNumOfCvesFirst = orderBy(
-    report.reportOutputList,
-    [
-      (reportListItem: ReportModelStructure) => {
-        return reportListItem.compositeKey.highestSeverity.priority
-      },
-      (reportListItem: ReportModelStructure) => {
-        return reportListItem.compositeKey.numberOfSeverities
-      }
-    ],
-    ['asc', 'desc']
-  )
-
-  let contrastHeaderNumCounter = 0
-  for (const reportModel of outputOrderedByLowestSeverityAndLowestNumOfCvesFirst) {
-    contrastHeaderNumCounter++
-    const { libraryName, libraryVersion, highestSeverity } =
-      reportModel.compositeKey
-    const numOfCVEs = reportModel.cveArray.length
-
-    const table = new Table({
-      chars: {
-        top: '',
-        'top-mid': '',
-        'top-left': '',
-        'top-right': '',
-        bottom: '',
-        'bottom-mid': '',
-        'bottom-left': '',
-        'bottom-right': '',
-        left: '',
-        'left-mid': '',
-        mid: '',
-        'mid-mid': '',
-        right: '',
-        'right-mid': '',
-        middle: ' '
-      },
-      style: { 'padding-left': 0, 'padding-right': 0 },
-      colAligns: ['right'],
-      wordWrap: true,
-      colWidths: [12, 1, 100]
-    })
-
-    const header = buildHeader(
-      highestSeverity,
-      contrastHeaderNumCounter,
-      libraryName,
-      libraryVersion,
-      numOfCVEs
-    )
-
-    const advice = gatherRemediationAdvice(
-      guidance,
-      libraryName,
-      libraryVersion
-    )
-
-    const body = buildBody(reportModel.cveArray, advice)
-
-    const reportOutputModel = new ReportOutputModel(header, body)
-
-    table.push(
-      reportOutputModel.body.issueMessage,
-      reportOutputModel.body.adviceMessage
-    )
-
-    console.log(
-      reportOutputModel.header.vulnMessage,
-      reportOutputModel.header.introducesMessage
-    )
-    console.log(table.toString() + '\n')
-  }
-
-  createSummaryMessageBottom(numberOfVulnerableLibraries)
-  const {
-    criticalMessage,
-    highMessage,
-    mediumMessage,
-    lowMessage,
-    noteMessage
-  } = buildFooter(outputOrderedByLowestSeverityAndLowestNumOfCvesFirst)
-  console.log(
-    `${criticalMessage} | ${highMessage} | ${mediumMessage} | ${lowMessage} | ${noteMessage}`
-  )
-
-  if (config.host !== CE_URL) {
-    console.log(
-      '\n' + chalk.bold('View your full dependency tree in Contrast:')
-    )
-    console.log(
-      `${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
-    )
-  }
-}
-
-export function buildHeader(
-  highestSeverity: ReportSeverityModel,
-  contrastHeaderNum: number,
-  libraryName: string,
-  version: string,
-  numOfCVEs: number
-) {
-  const vulnerabilityPluralised =
-    numOfCVEs > 1 ? 'vulnerabilities' : 'vulnerability'
-  const formattedHeaderNum = buildFormattedHeaderNum(contrastHeaderNum)
-
-  const headerColour = chalk.hex(highestSeverity.outputColour)
-  const headerNumAndSeverity = headerColour(
-    `${formattedHeaderNum} - [${highestSeverity.severity}]`
-  )
-  const libraryNameAndVersion = headerColour.bold(`${libraryName}-${version}`)
-  const vulnMessage = `${headerNumAndSeverity} ${libraryNameAndVersion}`
-
-  const introducesMessage = `introduces ${numOfCVEs} ${vulnerabilityPluralised}`
-
-  return new ReportOutputHeaderModel(vulnMessage, introducesMessage)
-}
-
-export function buildBody(
-  cveArray: ReportCVEModel[],
-  advice: ReportGuidanceModel
-) {
-  const cveMessages: string[] = []
-
-  findCVESeveritiesAndOrderByHighestPriority(cveArray).forEach(
-    reportSeverityModel => {
-      // @ts-ignore
-      const { outputColour, severity, cveName } = reportSeverityModel
-
-      const severityShorthand = chalk
-        .hex(outputColour)
-        .bold(`[${severity.charAt(0).toUpperCase()}]`)
-
-      const builtMessage = severityShorthand + cveName
-      cveMessages.push(builtMessage)
-    }
-  )
-
-  const numAndSeverityType = getNumOfAndSeverityType(cveArray)
-
-  const issueMessage = [
-    chalk.bold('Issue'),
-    ':',
-    `${numAndSeverityType} ${cveMessages.join(', ')}`
-  ]
-
-  //todo different advice based on remediationGuidance being available or now
-  // console.log(advice)
-
-  const minOrMax = advice.maximum ? advice.maximum : advice.minimum
-  const displayAdvice = minOrMax
-    ? `Change to version ${chalk.bold(minOrMax)}`
-    : 'No recommendation is available according to our data. Upgrade to the latest stable is the best advice we can give.'
-
-  const adviceMessage = [chalk.bold('Advice'), ':', displayAdvice]
-
-  return new ReportOutputBodyModel(issueMessage, adviceMessage)
-}
-
-export function gatherRemediationAdvice(
-  guidance: any,
-  libraryName: string,
-  libraryVersion: string
-) {
-  const guidanceModel = new ReportGuidanceModel()
-
-  const data = guidance[libraryName + '@' + libraryVersion]
-
-  if (data) {
-    guidanceModel.minimum = data.minUpgradeVersion
-    guidanceModel.maximum = data.maxUpgradeVersion
-  }
-
-  return guidanceModel
-}
-
-export function buildFormattedHeaderNum(contrastHeaderNum: number) {
-  return `CONTRAST-${contrastHeaderNum.toString().padStart(3, '0')}`
-}
-
-export function getNumOfAndSeverityType(cveArray: ReportCVEModel[]) {
-  const { critical, high, medium, low, note } = severityCountAllCVEs(
-    cveArray,
-    new SeverityCountModel()
-  )
-
-  const criticalNumCheck = critical > 0
-
-  const highNumCheck = high > 0
-  const highDivider = highNumCheck ? '|' : ''
-
-  const mediumNumCheck = medium > 0
-  const mediumDivider = mediumNumCheck ? '|' : ''
-
-  const lowNumCheck = low > 0
-  const lowDivider = lowNumCheck ? '|' : ''
-
-  const noteNumCheck = low > 0
-  const noteDivider = noteNumCheck ? '|' : ''
-
-  const criticalMessage = criticalNumCheck
-    ? `${critical} Critical ${highDivider}`
-    : ''
-  const highMessage = highNumCheck ? `${high} High ${mediumDivider}` : ''
-  const mediumMessage = mediumNumCheck ? `${medium} Medium ${lowDivider}` : ''
-  const lowMessage = lowNumCheck ? `${low} Low ${noteDivider}` : ''
-  const noteMessage = noteNumCheck ? `${note} Note` : ''
-
-  //removes/trims whitespace to single spaces
-  return `${criticalMessage} ${highMessage} ${mediumMessage} ${lowMessage} ${noteMessage}`
-    .replace(/\s+/g, ' ')
-    .trim()
-}
-
-const buildFooter = (reportModelStructure: ReportModelStructure[]) => {
-  const { critical, high, medium, low, note } =
-    countVulnerableLibrariesBySeverity(reportModelStructure)
-
-  const criticalMessage = chalk
-    .hex(CRITICAL_COLOUR)
-    .bold(`${critical} Critical`)
-  const highMessage = chalk.hex(HIGH_COLOUR).bold(`${high} High`)
-  const mediumMessage = chalk.hex(MEDIUM_COLOUR).bold(`${medium} Medium`)
-  const lowMessage = chalk.hex(LOW_COLOUR).bold(`${low} Low`)
-  const noteMessage = chalk.hex(NOTE_COLOUR).bold(`${note} Note`)
-
-  return {
-    criticalMessage,
-    highMessage,
-    mediumMessage,
-    lowMessage,
-    noteMessage
-  }
-}