@contrast/contrast 1.0.13 → 1.0.14

package/src/audit/report/utils/reportUtils.ts

@@ -30,14 +30,8 @@ export function findHighestSeverityCVE(cveArray: ReportCVEModel[]) {
   return orderBy(mappedToReportSeverityModels, cve => cve?.priority)[0]
 }
 
-export function findCVESeveritiesAndOrderByHighestPriority(
-  cves: ReportCVEModel[]
-) {
-  return orderBy(
-    cves.map(cve => findCVESeverity(cve)),
-    ['priority'],
-    ['asc']
-  )
+export function orderByHighestPriority(cves: ReportCVEModel[]) {
+  return orderBy(cves, ['priority'], ['asc'])
 }
 
 export function findCVESeverity(cve: ReportCVEModel) {

package/src/commands/scan/sca/scaAnalysis.js

@@ -1,7 +1,6 @@
 const autoDetection = require('../../../scan/autoDetection')
 const javaAnalysis = require('../../../scaAnalysis/java')
 const treeUpload = require('../../../scaAnalysis/common/treeUpload')
-const scaUpload = require('../../../scaAnalysis/common/scaServicesUpload')
 const auditController = require('../../audit/auditController')
 const {
   supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET }
@@ -105,9 +104,9 @@ const processSca = async config => {
     }
 
     // if (config.experimental) {
-    //   await scaUpload.scaTreeUpload(messageToSend, config)
-    // } else
-    // {
+    //   // const reports = await scaUpload.scaTreeUpload(messageToSend, config)
+    //   auditReport.processAuditReport(config, 'reports')
+    // } else {
     console.log('') //empty log for space before spinner
     //send message to TS
     const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))

package/src/common/errorHandling.ts

@@ -38,8 +38,7 @@ const reportFailureError = () => {
   console.log(i18n.__('auditReportFailureMessage'))
 }
 
-const genericError = (missingCliOption: string) => {
-  console.log(missingCliOption)
+const genericError = () => {
   console.error(i18n.__('genericErrorMessage'))
   process.exit(1)
 }

package/src/constants/constants.js

@@ -14,7 +14,7 @@ const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
 // App
 const APP_NAME = 'contrast'
-const APP_VERSION = '1.0.13'
+const APP_VERSION = '1.0.14'
 const TIMEOUT = 120000
 const HIGH_COLOUR = '#ff9900'
 const CRITICAL_COLOUR = '#e35858'

package/src/constants/locales.js

@@ -122,6 +122,8 @@ const en_locales = () => {
       'Provide this if you want to catalogue an application',
     failOptionErrorMessage:
       ' FAIL - CVEs have been detected that match at least the cve_severity option specified.',
+    failOptionMessage:
+      ' Use with contrast scan or contrast audit. Detects failures based on the severity level specified with the --severity command. For example, "contrast scan --fail --severity high". Returns all failures if no severity level is specified.',
     constantsLanguage:
       'Valid values are JAVA, DOTNET, NODE, PYTHON and RUBY. If there are multiple project configuration files in the project_path, language is also required.  Also, provide this when cataloguing an application',
     constantsFilePath: `Specify a directory or the file where dependencies are declared. (By default, CodeSec will search for project files in the current directory.)`,
@@ -147,7 +149,7 @@ const en_locales = () => {
     failSeverityOptionErrorMessage:
       ' FAIL - Results detected vulnerabilities over accepted severity level',
     constantsSeverity:
-      'Allows the user to report libraries with vulnerabilities above a chosen severity level. For example, cve_severity medium only reports libraries with vulnerabilities at medium or higher severity. Values for level are high, medium or low.',
+      'Use with "contrast scan --fail --severity high" or "contrast audit --fail --severity high". Set the severity level to detect vulnerabilities or dependencies. Severity levels are critical, high, medium, low or note.',
     constantsCount: 'The number of CVEs that must be exceeded to fail a build',
     constantsHeader: 'CodeSec by Contrast Security',
     configHeader2: 'Config options',
@@ -170,7 +172,7 @@ const en_locales = () => {
     constantsConfigUsageContents: 'view / clear the configuration',
     constantsPrerequisitesContent:
       'To scan a Java project you will need a .jar or .war file for analysis\n' +
-      'To scan a Javascript project you will need a .js or.zip file for analysis\n' +
+      'To scan a Javascript project you will need a single .js or a .zip of  multiple .js files\n' +
       'To scan a .NET c# webforms project you will need a .exe or a .zip file for analysis\n',
     constantsUsage: 'Usage',
     constantsUsageCommandExample: 'contrast [command] [options]',
@@ -317,7 +319,17 @@ const en_locales = () => {
     scanOptionsVerboseSummary: ' Returns extended information to the terminal.',
     authSuccessMessage: 'Authentication successful',
     runAuthSuccessMessage:
-      "Now you can use CodeSec by Contrast \nRun: \n'contrast scan' to run CodeSec’s industry leading SAST scanner \n'contrast audit' to find vulnerabilities in your open source dependencies \n'contrast lambda' to secure your AWS serverless functions\nor 'contrast help' to learn more about the capabilities.",
+      chalk.bold('CodeSec by Contrast') +
+      '\nScan, secure and ship your code in minutes for FREE. \n' +
+      chalk.bold('\nRun\n') +
+      chalk.bold('\ncontrast scan') +
+      " to run Contrast's industry leading SAST scanner. \nSupports Java, JavaScript and .Net \n" +
+      chalk.bold('\ncontrast audit') +
+      ' to find vulnerabilities in your open source dependencies.\nSupports Java, .NET, Node, Ruby, Python, Go and PHP \n' +
+      chalk.bold('\ncontrast lambda') +
+      ' to secure your AWS serverless functions. \nSupports Java and Python \n' +
+      chalk.bold('\ncontrast help') +
+      ' to learn more about the capabilities.',
     authWaitingMessage: 'Waiting for auth...',
     authTimedOutMessage: 'Auth Timed out, try again',
     zipErrorScan:
@@ -325,10 +337,7 @@ const en_locales = () => {
     unknownFileErrorScan: 'Unsupported file selected for Scan.',
     foundScanFile: 'Found: %s',
     foundDetailedVulnerabilities:
-      chalk.bold('%s Critical') +
-      ' | ' +
-      chalk.bold('%s High') +
-      ' | %s Medium | %s Low | %s Note',
+      chalk.bold('%s') + ' | ' + chalk.bold('%s') + ' | %s | %s | %s ',
     requiredParams: 'All required parameters are not present.',
     timeoutScan: 'Timeout set to 5 minutes.',
     searchingScanFileDirectory: 'Searching for file to scan from %s...',

package/src/constants.js

@@ -115,7 +115,7 @@ const scanOptionDefinitions = [
       '{bold ' +
       i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('failOptionErrorMessage')
+      i18n.__('failOptionMessage')
   },
   {
     name: 'severity',
@@ -247,7 +247,7 @@ const auditOptionDefinitions = [
       '{bold ' +
       i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('failOptionErrorMessage')
+      i18n.__('failOptionMessage')
   },
   {
     name: 'severity',

package/src/index.ts

@@ -95,9 +95,8 @@ const start = async () => {
           ? console.log(
               `Unknown Command: Did you mean "${foundCommand}"? \nUse "${foundCommand} --help" for the full list of options`
             )
-          : console.log(
-              `Unknown Command: ${command} \nUse --help for the full list`
-            )
+          : console.log(`\nUnknown Command: ${command} \n`)
+        console.log(mainUsageGuide)
         await sendTelemetryConfigAsConfObj(
           config,
           command,
@@ -106,9 +105,8 @@ const start = async () => {
           'undefined'
         )
       } else {
-        console.log(
-          `Unknown Command: ${command} \nUse --help for the full list`
-        )
+        console.log(`\nUnknown Command: ${command}\n`)
+        console.log(mainUsageGuide)
         await sendTelemetryConfigAsConfObj(
           config,
           command,

package/src/lambda/lambda.ts

@@ -126,7 +126,7 @@ const processLambda = async (argv: string[]) => {
 
 const getAvailableFunctions = async (lambdaOptions: LambdaOptions) => {
   const lambdas = await getAllLambdas(lambdaOptions)
-  printAvailableLambdas(lambdas, { runtimes: ['python', 'java'] })
+  printAvailableLambdas(lambdas, { runtimes: ['python', 'java', 'node'] })
 }
 
 const actualProcessLambda = async (lambdaOptions: LambdaOptions) => {

package/src/lambda/lambdaUtils.ts

@@ -11,7 +11,7 @@ import ora from '../utils/oraWrapper'
 import { LambdaOptions } from './lambda'
 import { log, getReadableFileSize } from './logUtils'
 
-type RuntimeLanguage = 'java' | 'python'
+type RuntimeLanguage = 'java' | 'python' | 'node'
 
 type FilterLambdas = {
   runtimes: RuntimeLanguage[]

package/src/scaAnalysis/common/auditReport.js

@@ -0,0 +1,108 @@
+const {
+  getSeverityCounts,
+  createSummaryMessageTop,
+  printVulnInfo,
+  getReportTable,
+  getIssueRow,
+  printNoVulnFoundMsg
+} = require('../../audit/report/commonReportingFunctions')
+const { orderBy } = require('lodash')
+const { assignBySeverity } = require('../../scan/formatScanOutput')
+const chalk = require('chalk')
+const { CE_URL } = require('../../constants/constants')
+const common = require('../../common/fail')
+
+const processAuditReport = (config, results) => {
+  let severityCounts = {}
+  if (results !== undefined) {
+    severityCounts = formatScaServicesReport(config, results)
+  }
+
+  if (config.fail) {
+    common.processFail(config, severityCounts)
+  }
+}
+const formatScaServicesReport = (config, results) => {
+  const projectOverviewCount = getSeverityCounts(results)
+
+  if (projectOverviewCount.total === 0) {
+    printNoVulnFoundMsg()
+    return projectOverviewCount
+  } else {
+    let total = 0
+    const numberOfCves = results.length
+    const table = getReportTable()
+    let contrastHeaderNumCounter = 0
+    let assignPriorityToResults = results.map(result =>
+      assignBySeverity(result, result)
+    )
+    const numberOfVulns = results
+      .map(result => result.vulnerabilities)
+      .reduce((a, b) => {
+        return (total += b.length)
+      }, 0)
+    const outputOrderedByLowestSeverityAndLowestNumOfCvesFirst = orderBy(
+      assignPriorityToResults,
+      [
+        reportListItem => {
+          return reportListItem.priority
+        },
+        reportListItem => {
+          return reportListItem.vulnerabilities.length
+        }
+      ],
+      ['asc', 'desc']
+    )
+
+    for (const result of outputOrderedByLowestSeverityAndLowestNumOfCvesFirst) {
+      contrastHeaderNumCounter++
+      const cvesNum = result.vulnerabilities.length
+      const grammaticallyCorrectVul =
+        result.vulnerabilities.length > 1 ? 'vulnerabilities' : 'vulnerability'
+
+      const headerColour = chalk.hex(result.colour)
+      const headerRow = [
+        headerColour(
+          `CONTRAST-${contrastHeaderNumCounter.toString().padStart(3, '0')}`
+        ),
+        headerColour(`-`),
+        headerColour(`[${result.severity}] `) +
+          headerColour.bold(`${result.artifactName}`) +
+          ` introduces ${cvesNum} ${grammaticallyCorrectVul}`
+      ]
+
+      const adviceRow = [
+        chalk.bold(`Advice`),
+        chalk.bold(`:`),
+        `Change to version ${result.remediationAdvice.latestStableVersion}`
+      ]
+
+      let assignPriorityToVulns = result.vulnerabilities.map(result =>
+        assignBySeverity(result, result)
+      )
+      const issueRow = getIssueRow(assignPriorityToVulns)
+
+      table.push(headerRow, issueRow, adviceRow)
+      console.log()
+    }
+
+    console.log()
+    createSummaryMessageTop(numberOfCves, numberOfVulns)
+    console.log(table.toString() + '\n')
+    printVulnInfo(projectOverviewCount)
+
+    if (config.host !== CE_URL) {
+      console.log(
+        '\n' + chalk.bold('View your full dependency tree in Contrast:')
+      )
+      console.log(
+        `${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
+      )
+    }
+    return projectOverviewCount
+  }
+}
+module.exports = {
+  formatScaServicesReport,
+  processAuditReport
+}

package/src/scaAnalysis/common/scaServicesUpload.js

@@ -7,7 +7,7 @@ const scaTreeUpload = async (analysis, config) => {
     applicationId: config.applicationId,
     dependencyTree: analysis,
     organizationId: config.organizationId,
-    language: 'NODE',
+    language: config.language,
     tool: {
       name: 'Contrast Codesec',
       version: APP_VERSION
@@ -27,26 +27,28 @@ const scaTreeUpload = async (analysis, config) => {
     .catch(err => {
       throw err
     })
+  console.log(' polling report')
 
   let keepChecking = true
+  let res
   while (keepChecking) {
-    keepChecking = await client
-      .scaServiceReportStatus(config, reportID)
-      .then(res => {
-        console.log(res.body)
-        if (res.body.status == 'COMPLETED') {
-          client.scaServiceReport(config, reportID).then(res => {
-            console.log(res.statusCode)
-            console.log(res.body)
-          })
+    res = await client.scaServiceReportStatus(config, reportID).then(res => {
+      console.log(res.statusCode)
+      console.log(res.body)
+      if (res.body.status == 'COMPLETED') {
+        keepChecking = false
+        return client.scaServiceReport(config, reportID).then(res => {
+          return res.body
+        })
+      }
+    })
 
-          return (keepChecking = false)
-        } else {
-          return (keepChecking = true)
-        }
-      })
+    if (!keepChecking) {
+      return res
+    }
     await requestUtils.sleep(5000)
   }
+  return res
 }
 
 module.exports = {

package/src/scan/formatScanOutput.ts

@@ -15,11 +15,15 @@ import {
   MEDIUM_COLOUR,
   NOTE_COLOUR
 } from '../constants/constants'
+import {
+  getSeverityCounts,
+  printVulnInfo
+} from '../audit/report/commonReportingFunctions'
 
 export function formatScanOutput(scanResults: ScanResultsModel) {
   const { scanResultsInstances } = scanResults
 
-  const projectOverview = getProjectOverview(scanResultsInstances)
+  const projectOverview = getSeverityCounts(scanResultsInstances.content)
   if (scanResultsInstances.content.length === 0) {
     console.log(i18n.__('scanNoVulnerabilitiesFound'))
     console.log(i18n.__('scanNoVulnerabilitiesFoundSecureCode'))
@@ -108,47 +112,6 @@ export function formatScanOutput(scanResults: ScanResultsModel) {
   return projectOverview
 }
 
-function printVulnInfo(projectOverview: any) {
-  const totalVulnerabilities = projectOverview.total
-
-  const vulMessage =
-    totalVulnerabilities === 1 ? `vulnerability` : `vulnerabilities`
-  console.log(chalk.bold(`Found ${totalVulnerabilities} ${vulMessage}`))
-  console.log(
-    i18n.__(
-      'foundDetailedVulnerabilities',
-      String(projectOverview.critical),
-      String(projectOverview.high),
-      String(projectOverview.medium),
-      String(projectOverview.low),
-      String(projectOverview.note)
-    )
-  )
-}
-
-export function getProjectOverview(scanResultsInstances: ScanResultsInstances) {
-  const acc: any = {
-    critical: 0,
-    high: 0,
-    medium: 0,
-    low: 0,
-    note: 0,
-    total: 0
-  }
-  if (
-    scanResultsInstances?.content &&
-    scanResultsInstances.content.length > 0
-  ) {
-    scanResultsInstances.content.forEach((i: ResultContent) => {
-      acc[i.severity.toLowerCase()] += 1
-      acc.total += 1
-      return acc
-    })
-  }
-
-  return acc
-}
-
 export function formatLinks(objName: string, entry: any[]) {
   const line = chalk.bold(objName + '  : ')
   if (entry.length === 1) {