@contrast/contrast 1.0.13 → 1.0.14

package/dist/scaAnalysis/common/auditReport.js

@@ -0,0 +1,78 @@
+"use strict";
+const { getSeverityCounts, createSummaryMessageTop, printVulnInfo, getReportTable, getIssueRow, printNoVulnFoundMsg } = require('../../audit/report/commonReportingFunctions');
+const { orderBy } = require('lodash');
+const { assignBySeverity } = require('../../scan/formatScanOutput');
+const chalk = require('chalk');
+const { CE_URL } = require('../../constants/constants');
+const common = require('../../common/fail');
+const processAuditReport = (config, results) => {
+    let severityCounts = {};
+    if (results !== undefined) {
+        severityCounts = formatScaServicesReport(config, results);
+    }
+    if (config.fail) {
+        common.processFail(config, severityCounts);
+    }
+};
+const formatScaServicesReport = (config, results) => {
+    const projectOverviewCount = getSeverityCounts(results);
+    if (projectOverviewCount.total === 0) {
+        printNoVulnFoundMsg();
+        return projectOverviewCount;
+    }
+    else {
+        let total = 0;
+        const numberOfCves = results.length;
+        const table = getReportTable();
+        let contrastHeaderNumCounter = 0;
+        let assignPriorityToResults = results.map(result => assignBySeverity(result, result));
+        const numberOfVulns = results
+            .map(result => result.vulnerabilities)
+            .reduce((a, b) => {
+            return (total += b.length);
+        }, 0);
+        const outputOrderedByLowestSeverityAndLowestNumOfCvesFirst = orderBy(assignPriorityToResults, [
+            reportListItem => {
+                return reportListItem.priority;
+            },
+            reportListItem => {
+                return reportListItem.vulnerabilities.length;
+            }
+        ], ['asc', 'desc']);
+        for (const result of outputOrderedByLowestSeverityAndLowestNumOfCvesFirst) {
+            contrastHeaderNumCounter++;
+            const cvesNum = result.vulnerabilities.length;
+            const grammaticallyCorrectVul = result.vulnerabilities.length > 1 ? 'vulnerabilities' : 'vulnerability';
+            const headerColour = chalk.hex(result.colour);
+            const headerRow = [
+                headerColour(`CONTRAST-${contrastHeaderNumCounter.toString().padStart(3, '0')}`),
+                headerColour(`-`),
+                headerColour(`[${result.severity}] `) +
+                    headerColour.bold(`${result.artifactName}`) +
+                    ` introduces ${cvesNum} ${grammaticallyCorrectVul}`
+            ];
+            const adviceRow = [
+                chalk.bold(`Advice`),
+                chalk.bold(`:`),
+                `Change to version ${result.remediationAdvice.latestStableVersion}`
+            ];
+            let assignPriorityToVulns = result.vulnerabilities.map(result => assignBySeverity(result, result));
+            const issueRow = getIssueRow(assignPriorityToVulns);
+            table.push(headerRow, issueRow, adviceRow);
+            console.log();
+        }
+        console.log();
+        createSummaryMessageTop(numberOfCves, numberOfVulns);
+        console.log(table.toString() + '\n');
+        printVulnInfo(projectOverviewCount);
+        if (config.host !== CE_URL) {
+            console.log('\n' + chalk.bold('View your full dependency tree in Contrast:'));
+            console.log(`${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`);
+        }
+        return projectOverviewCount;
+    }
+};
+module.exports = {
+    formatScaServicesReport,
+    processAuditReport
+};

package/dist/scaAnalysis/common/scaServicesUpload.js

@@ -7,7 +7,7 @@ const scaTreeUpload = async (analysis, config) => {
         applicationId: config.applicationId,
         dependencyTree: analysis,
         organizationId: config.organizationId,
-        language: 'NODE',
+        language: config.language,
         tool: {
             name: 'Contrast Codesec',
             version: APP_VERSION
@@ -27,25 +27,26 @@ const scaTreeUpload = async (analysis, config) => {
         .catch(err => {
         throw err;
     });
+    console.log(' polling report');
     let keepChecking = true;
+    let res;
     while (keepChecking) {
-        keepChecking = await client
-            .scaServiceReportStatus(config, reportID)
-            .then(res => {
+        res = await client.scaServiceReportStatus(config, reportID).then(res => {
+            console.log(res.statusCode);
             console.log(res.body);
             if (res.body.status == 'COMPLETED') {
-                client.scaServiceReport(config, reportID).then(res => {
-                    console.log(res.statusCode);
-                    console.log(res.body);
+                keepChecking = false;
+                return client.scaServiceReport(config, reportID).then(res => {
+                    return res.body;
                 });
-                return (keepChecking = false);
-            }
-            else {
-                return (keepChecking = true);
             }
         });
+        if (!keepChecking) {
+            return res;
+        }
         await requestUtils.sleep(5000);
     }
+    return res;
 };
 module.exports = {
     scaTreeUpload

package/dist/scan/formatScanOutput.js

@@ -3,16 +3,17 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.assignBySeverity = exports.stripTags = exports.getCodeFlowInfo = exports.getSourceLineNumber = exports.getLocationsSyncInfo = exports.editVulName = exports.getDefaultView = exports.formatLinks = exports.getProjectOverview = exports.formatScanOutput = void 0;
+exports.assignBySeverity = exports.stripTags = exports.getCodeFlowInfo = exports.getSourceLineNumber = exports.getLocationsSyncInfo = exports.editVulName = exports.getDefaultView = exports.formatLinks = exports.formatScanOutput = void 0;
 const i18n_1 = __importDefault(require("i18n"));
 const chalk_1 = __importDefault(require("chalk"));
 const groupedResultsModel_1 = require("./models/groupedResultsModel");
 const lodash_1 = require("lodash");
 const cli_table3_1 = __importDefault(require("cli-table3"));
 const constants_1 = require("../constants/constants");
+const commonReportingFunctions_1 = require("../audit/report/commonReportingFunctions");
 function formatScanOutput(scanResults) {
     const { scanResultsInstances } = scanResults;
-    const projectOverview = getProjectOverview(scanResultsInstances);
+    const projectOverview = (0, commonReportingFunctions_1.getSeverityCounts)(scanResultsInstances.content);
     if (scanResultsInstances.content.length === 0) {
         console.log(i18n_1.default.__('scanNoVulnerabilitiesFound'));
         console.log(i18n_1.default.__('scanNoVulnerabilitiesFoundSecureCode'));
@@ -89,36 +90,10 @@ function formatScanOutput(scanResults) {
             console.log();
         });
     }
-    printVulnInfo(projectOverview);
+    (0, commonReportingFunctions_1.printVulnInfo)(projectOverview);
     return projectOverview;
 }
 exports.formatScanOutput = formatScanOutput;
-function printVulnInfo(projectOverview) {
-    const totalVulnerabilities = projectOverview.total;
-    const vulMessage = totalVulnerabilities === 1 ? `vulnerability` : `vulnerabilities`;
-    console.log(chalk_1.default.bold(`Found ${totalVulnerabilities} ${vulMessage}`));
-    console.log(i18n_1.default.__('foundDetailedVulnerabilities', String(projectOverview.critical), String(projectOverview.high), String(projectOverview.medium), String(projectOverview.low), String(projectOverview.note)));
-}
-function getProjectOverview(scanResultsInstances) {
-    const acc = {
-        critical: 0,
-        high: 0,
-        medium: 0,
-        low: 0,
-        note: 0,
-        total: 0
-    };
-    if (scanResultsInstances?.content &&
-        scanResultsInstances.content.length > 0) {
-        scanResultsInstances.content.forEach((i) => {
-            acc[i.severity.toLowerCase()] += 1;
-            acc.total += 1;
-            return acc;
-        });
-    }
-    return acc;
-}
-exports.getProjectOverview = getProjectOverview;
 function formatLinks(objName, entry) {
     const line = chalk_1.default.bold(objName + '  : ');
     if (entry.length === 1) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "1.0.13",
+  "version": "1.0.14",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -25,7 +25,10 @@
     "test-int-scan": "jest ./test-integration/scan",
     "test-int-audit": "jest test-integration/audit",
     "test-int-audit-reports": "jest test-integration/audit/audit-language-reports.spec.js",
+    "test-int-scan-errors": "jest test-integration/scan/scanLocalErrors.spec.js",
+    "test-int-scan-reports": "jest test-integration/scan/scanReport.spec.js",
     "test-int-audit-features": "jest test-integration/audit/auditFeatures/",
+    "test-int-audit-experimental": "jest test-integration/audit/audit-experimental.spec.js",
     "format": "prettier --write \"**/*.{ts,tsx,js,json,md,yml}\" .eslintrc.*",
     "check-format": "prettier --check \"**/*.{ts,tsx,js,json,md,yml}\" .eslintrc.*",
     "coverage-local": "nyc --reporter=text mocha './test/**/*.spec.js'",

package/src/audit/report/commonReportingFunctions.js

@@ -0,0 +1,432 @@
+const commonApi = require('../../utils/commonApi')
+const {
+  ReportCompositeKey,
+  ReportList,
+  ReportModelStructure
+} = require('./models/reportListModel')
+const { orderBy } = require('lodash')
+const chalk = require('chalk')
+const {
+  countVulnerableLibrariesBySeverity,
+  orderByHighestPriority,
+  findHighestSeverityCVE,
+  findNameAndVersion,
+  severityCountAllCVEs,
+  findCVESeverity
+} = require('./utils/reportUtils')
+const { SeverityCountModel } = require('./models/severityCountModel')
+const {
+  ReportOutputBodyModel,
+  ReportOutputHeaderModel,
+  ReportOutputModel
+} = require('./models/reportOutputModel')
+const {
+  CE_URL,
+  CRITICAL_COLOUR,
+  HIGH_COLOUR,
+  LOW_COLOUR,
+  MEDIUM_COLOUR,
+  NOTE_COLOUR
+} = require('../../constants/constants')
+const Table = require('cli-table3')
+const { ReportGuidanceModel } = require('./models/reportGuidanceModel')
+const i18n = require('i18n')
+
+const createSummaryMessageTop = (numberOfVulnerableLibraries, numberOfCves) => {
+  numberOfVulnerableLibraries === 1
+    ? console.log(`Found 1 vulnerable library containing ${numberOfCves} CVE`)
+    : console.log(
+        `Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVEs`
+      )
+}
+
+const createSummaryMessageBottom = numberOfVulnerableLibraries => {
+  numberOfVulnerableLibraries === 1
+    ? console.log(`Found 1 vulnerability`)
+    : console.log(`Found ${numberOfVulnerableLibraries} vulnerabilities`)
+}
+
+const getReport = async (config, reportId) => {
+  const client = commonApi.getHttpClient(config)
+  return client
+    .getReportById(config, reportId)
+    .then(res => {
+      if (res.statusCode === 200) {
+        return res.body
+      } else {
+        console.log(JSON.stringify(res.statusCode))
+        commonApi.handleResponseErrors(res, 'report')
+      }
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+const printVulnerabilityResponse = (
+  config,
+  vulnerableLibraries,
+  numberOfVulnerableLibraries,
+  numberOfCves,
+  guidance
+) => {
+  let hasSomeVulnerabilitiesReported = false
+  printFormattedOutput(
+    config,
+    vulnerableLibraries,
+    numberOfVulnerableLibraries,
+    numberOfCves,
+    guidance
+  )
+  if (Object.keys(vulnerableLibraries).length > 0) {
+    hasSomeVulnerabilitiesReported = true
+  }
+  return hasSomeVulnerabilitiesReported
+}
+
+const printFormattedOutput = (
+  config,
+  libraries,
+  numberOfVulnerableLibraries,
+  numberOfCves,
+  guidance
+) => {
+  createSummaryMessageTop(numberOfVulnerableLibraries, numberOfCves)
+  console.log()
+  const report = new ReportList()
+
+  for (const library of libraries) {
+    const { name, version } = findNameAndVersion(library, config)
+
+    const newOutputModel = new ReportModelStructure(
+      new ReportCompositeKey(
+        name,
+        version,
+        findHighestSeverityCVE(library.cveArray),
+        severityCountAllCVEs(
+          library.cveArray,
+          new SeverityCountModel()
+        ).getTotal
+      ),
+      library.cveArray
+    )
+    report.reportOutputList.push(newOutputModel)
+  }
+
+  const outputOrderedByLowestSeverityAndLowestNumOfCvesFirst = orderBy(
+    report.reportOutputList,
+    [
+      reportListItem => {
+        return reportListItem.compositeKey.highestSeverity.priority
+      },
+      reportListItem => {
+        return reportListItem.compositeKey.numberOfSeverities
+      }
+    ],
+    ['asc', 'desc']
+  )
+
+  let contrastHeaderNumCounter = 0
+  for (const reportModel of outputOrderedByLowestSeverityAndLowestNumOfCvesFirst) {
+    contrastHeaderNumCounter++
+    const { libraryName, libraryVersion, highestSeverity } =
+      reportModel.compositeKey
+    const numOfCVEs = reportModel.cveArray.length
+
+    const table = getReportTable()
+
+    const header = buildHeader(
+      highestSeverity,
+      contrastHeaderNumCounter,
+      libraryName,
+      libraryVersion,
+      numOfCVEs
+    )
+
+    const advice = gatherRemediationAdvice(
+      guidance,
+      libraryName,
+      libraryVersion
+    )
+
+    const body = buildBody(reportModel.cveArray, advice)
+
+    const reportOutputModel = new ReportOutputModel(header, body)
+
+    table.push(
+      reportOutputModel.body.issueMessage,
+      reportOutputModel.body.adviceMessage
+    )
+
+    console.log(
+      reportOutputModel.header.vulnMessage,
+      reportOutputModel.header.introducesMessage
+    )
+    console.log(table.toString() + '\n')
+  }
+
+  createSummaryMessageBottom(numberOfVulnerableLibraries)
+  const {
+    criticalMessage,
+    highMessage,
+    mediumMessage,
+    lowMessage,
+    noteMessage
+  } = buildFooter(outputOrderedByLowestSeverityAndLowestNumOfCvesFirst)
+  console.log(
+    `${criticalMessage} | ${highMessage} | ${mediumMessage} | ${lowMessage} | ${noteMessage}`
+  )
+
+  if (config.host !== CE_URL) {
+    console.log(
+      '\n' + chalk.bold('View your full dependency tree in Contrast:')
+    )
+    console.log(
+      `${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
+    )
+  }
+}
+
+function getReportTable() {
+  return new Table({
+    chars: {
+      top: '',
+      'top-mid': '',
+      'top-left': '',
+      'top-right': '',
+      bottom: '',
+      'bottom-mid': '',
+      'bottom-left': '',
+      'bottom-right': '',
+      left: '',
+      'left-mid': '',
+      mid: '',
+      'mid-mid': '',
+      right: '',
+      'right-mid': '',
+      middle: ' '
+    },
+    style: { 'padding-left': 0, 'padding-right': 0 },
+    colAligns: ['right'],
+    wordWrap: true,
+    colWidths: [12, 1, 100]
+  })
+}
+function buildHeader(
+  highestSeverity,
+  contrastHeaderNum,
+  libraryName,
+  version,
+  numOfCVEs
+) {
+  const vulnerabilityPluralised =
+    numOfCVEs > 1 ? 'vulnerabilities' : 'vulnerability'
+  const formattedHeaderNum = buildFormattedHeaderNum(contrastHeaderNum)
+
+  const headerColour = chalk.hex(highestSeverity.colour)
+  const headerNumAndSeverity = headerColour(
+    `${formattedHeaderNum} - [${highestSeverity.severity}]`
+  )
+  const libraryNameAndVersion = headerColour.bold(`${libraryName}-${version}`)
+  const vulnMessage = `${headerNumAndSeverity} ${libraryNameAndVersion}`
+
+  const introducesMessage = `introduces ${numOfCVEs} ${vulnerabilityPluralised}`
+
+  return new ReportOutputHeaderModel(vulnMessage, introducesMessage)
+}
+
+function buildBody(cveArray, advice) {
+  let assignPriorityToVulns = cveArray.map(result => findCVESeverity(result))
+
+  const issueMessage = getIssueRow(assignPriorityToVulns)
+
+  //todo different advice based on remediationGuidance being available or now
+  // console.log(advice)
+
+  const minOrMax = advice.maximum ? advice.maximum : advice.minimum
+  const displayAdvice = minOrMax
+    ? `Change to version ${chalk.bold(minOrMax)}`
+    : 'No recommendation is available according to our data. Upgrade to the latest stable is the best advice we can give.'
+
+  const adviceMessage = [chalk.bold('Advice'), ':', displayAdvice]
+
+  return new ReportOutputBodyModel(issueMessage, adviceMessage)
+}
+
+function getIssueRow(cveArray) {
+  orderByHighestPriority(cveArray)
+  const cveMessagesList = getIssueCveMsgList(cveArray)
+  const cveNumbers = getSeverityCounts(cveArray)
+  const numAndSeverityTypeDesc = getNumOfAndSeverityType(cveNumbers)
+  return [
+    chalk.bold('Issue'),
+    ':',
+    `${numAndSeverityTypeDesc} ${cveMessagesList.join(', ')}`
+  ]
+}
+
+function gatherRemediationAdvice(guidance, libraryName, libraryVersion) {
+  const guidanceModel = new ReportGuidanceModel()
+
+  const data = guidance[libraryName + '@' + libraryVersion]
+
+  if (data) {
+    guidanceModel.minimum = data.minUpgradeVersion
+    guidanceModel.maximum = data.maxUpgradeVersion
+  }
+
+  return guidanceModel
+}
+
+function buildFormattedHeaderNum(contrastHeaderNum) {
+  return `CONTRAST-${contrastHeaderNum.toString().padStart(3, '0')}`
+}
+
+function getNumOfAndSeverityType(cveNumbers) {
+  const { critical, high, medium, low, note } = cveNumbers
+
+  const criticalMsg = critical > 0 ? `${critical} Critical | ` : ''
+  const highMsg = high > 0 ? `${high} High | ` : ''
+  const mediumMsg = medium > 0 ? `${medium} Medium | ` : ''
+  const lowMsg = low > 0 ? `${low} Low | ` : ''
+  const noteMsg = note > 0 ? `${note} Note` : ''
+
+  //removes/trims whitespace to single spaces
+  return `${criticalMsg} ${highMsg} ${mediumMsg} ${lowMsg} ${noteMsg}`
+    .replace(/\s+/g, ' ')
+    .trim()
+}
+
+const buildFooter = reportModelStructure => {
+  const { critical, high, medium, low, note } =
+    countVulnerableLibrariesBySeverity(reportModelStructure)
+
+  const criticalMessage = chalk
+    .hex(CRITICAL_COLOUR)
+    .bold(`${critical} Critical`)
+  const highMessage = chalk.hex(HIGH_COLOUR).bold(`${high} High`)
+  const mediumMessage = chalk.hex(MEDIUM_COLOUR).bold(`${medium} Medium`)
+  const lowMessage = chalk.hex(LOW_COLOUR).bold(`${low} Low`)
+  const noteMessage = chalk.hex(NOTE_COLOUR).bold(`${note} Note`)
+
+  return {
+    criticalMessage,
+    highMessage,
+    mediumMessage,
+    lowMessage,
+    noteMessage
+  }
+}
+
+const getIssueCveMsgList = results => {
+  const cveMessages = []
+
+  results.forEach(reportSeverityModel => {
+    // @ts-ignore
+    const { colour, severity, name } = reportSeverityModel
+
+    const severityShorthand = chalk
+      .hex(colour)
+      .bold(`[${severity.charAt(0).toUpperCase()}]`)
+
+    const builtMessage = severityShorthand + name
+    cveMessages.push(builtMessage)
+  })
+  return cveMessages
+}
+
+const getSeverityCounts = results => {
+  const acc = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    note: 0,
+    total: 0
+  }
+  if (results && results.length > 0) {
+    results.forEach(i => {
+      acc[i.severity.toLowerCase()] += 1
+      acc.total += 1
+      return acc
+    })
+  }
+
+  return acc
+}
+
+const printNoVulnFoundMsg = () => {
+  console.log(i18n.__('scanNoVulnerabilitiesFound'))
+  console.log(i18n.__('scanNoVulnerabilitiesFoundSecureCode'))
+  console.log(i18n.__('scanNoVulnerabilitiesFoundGoodWork'))
+  console.log(chalk.bold(`Found 0 vulnerabilities`))
+  console.log(
+    i18n.__(
+      'foundDetailedVulnerabilities',
+      String(0),
+      String(0),
+      String(0),
+      String(0),
+      String(0)
+    )
+  )
+}
+const printVulnInfo = projectOverview => {
+  const totalVulnerabilities = projectOverview.total
+
+  createSummaryMessageBottom(totalVulnerabilities)
+  const formattedValues = severityFormatted(projectOverview)
+  console.log(
+    i18n.__(
+      'foundDetailedVulnerabilities',
+      String(formattedValues.criticalFormatted),
+      String(formattedValues.highFormatted),
+      String(formattedValues.mediumFormatted),
+      String(formattedValues.lowFormatted),
+      String(formattedValues.noteFormatted)
+    )
+  )
+}
+
+const severityFormatted = projectOverview => {
+  const criticalFormatted = chalk
+    .hex(CRITICAL_COLOUR)
+    .bold(`${projectOverview.critical} Critical`)
+  const highFormatted = chalk
+    .hex(HIGH_COLOUR)
+    .bold(`${projectOverview.high} High`)
+  const mediumFormatted = chalk
+    .hex(MEDIUM_COLOUR)
+    .bold(`${projectOverview.medium} Medium`)
+  const lowFormatted = chalk.hex(LOW_COLOUR).bold(`${projectOverview.low} Low`)
+  const noteFormatted = chalk
+    .hex(NOTE_COLOUR)
+    .bold(`${projectOverview.note} Note`)
+
+  return {
+    criticalFormatted,
+    highFormatted,
+    mediumFormatted,
+    lowFormatted,
+    noteFormatted
+  }
+}
+
+module.exports = {
+  createSummaryMessageTop,
+  getReport,
+  createSummaryMessageBottom,
+  printVulnerabilityResponse,
+  printFormattedOutput,
+  getReportTable,
+  buildHeader,
+  buildBody,
+  getIssueRow,
+  gatherRemediationAdvice,
+  buildFormattedHeaderNum,
+  getNumOfAndSeverityType,
+  getIssueCveMsgList,
+  getSeverityCounts,
+  printNoVulnFoundMsg,
+  printVulnInfo
+}

package/src/audit/report/models/reportSeverityModel.ts

@@ -1,18 +1,18 @@
 export class ReportSeverityModel {
   severity: string
   priority: number
-  outputColour: string
-  cveName: string
+  colour: string
+  name: string
 
   constructor(
     severity: string,
     priority: number,
-    outputColour: string,
-    cveName: string
+    colour: string,
+    name: string
   ) {
     this.severity = severity
     this.priority = priority
-    this.outputColour = outputColour
-    this.cveName = cveName
+    this.colour = colour
+    this.name = name
   }
 }

package/src/audit/report/reportingFeature.ts

@@ -1,5 +1,6 @@
 import {
   getReport,
+  printNoVulnFoundMsg,
   printVulnerabilityResponse
 } from './commonReportingFunctions'
 import {
@@ -58,22 +59,7 @@ export function formatVulnerabilityOutput(
   const numberOfVulnerableLibraries = vulnerableLibraries.length
 
   if (numberOfVulnerableLibraries === 0) {
-    console.log(i18n.__('scanNoVulnerabilitiesFound'))
-    console.log(i18n.__('scanNoVulnerabilitiesFoundSecureCode'))
-    console.log(i18n.__('scanNoVulnerabilitiesFoundGoodWork'))
-    console.log(
-      chalk.bold(`Found ${numberOfVulnerableLibraries} vulnerabilities`)
-    )
-    console.log(
-      i18n.__(
-        'foundDetailedVulnerabilities',
-        String(0),
-        String(0),
-        String(0),
-        String(0),
-        String(0)
-      )
-    )
+    printNoVulnFoundMsg()
     return [false, 0, [new SeverityCountModel()]]
   } else {
     let numberOfCves = 0