@contrast/contrast 1.0.13 → 1.0.15

package/dist/constants/constants.js

@@ -12,7 +12,7 @@ const MEDIUM = 'MEDIUM';
 const HIGH = 'HIGH';
 const CRITICAL = 'CRITICAL';
 const APP_NAME = 'contrast';
-const APP_VERSION = '1.0.13';
+const APP_VERSION = '1.0.15';
 const TIMEOUT = 120000;
 const HIGH_COLOUR = '#ff9900';
 const CRITICAL_COLOUR = '#e35858';
@@ -30,6 +30,10 @@ const SARIF_FILE = 'SARIF';
 const SBOM_CYCLONE_DX_FILE = 'cyclonedx';
 const SBOM_SPDX_FILE = 'spdx';
 const CE_URL = 'https://ce.contrastsecurity.com';
+const SAAS = 'SAAS';
+const EOP = 'EOP';
+const MODE_BUILD = 'BUILD';
+const MODE_REPO = 'REPO';
 module.exports = {
     supportedLanguages: { NODE, DOTNET, JAVA, RUBY, PYTHON, GO, PHP, JAVASCRIPT },
     supportedLanguagesScan: { JAVASCRIPT, DOTNET, JAVA },
@@ -55,5 +59,9 @@ module.exports = {
     LOW_PRIORITY,
     NOTE_PRIORITY,
     SBOM_CYCLONE_DX_FILE,
-    SBOM_SPDX_FILE
+    SBOM_SPDX_FILE,
+    SAAS,
+    EOP,
+    MODE_BUILD,
+    MODE_REPO
 };

package/dist/constants/locales.js

@@ -80,6 +80,7 @@ const en_locales = () => {
         constantsApplicationName: 'The name of the application cataloged by Contrast UI',
         constantsCatalogueApplication: 'Provide this if you want to catalogue an application',
         failOptionErrorMessage: ' FAIL - CVEs have been detected that match at least the cve_severity option specified.',
+        failOptionMessage: ' Use with contrast scan or contrast audit. Detects failures based on the severity level specified with the --severity command. For example, "contrast scan --fail --severity high". Returns all failures if no severity level is specified.',
         constantsLanguage: 'Valid values are JAVA, DOTNET, NODE, PYTHON and RUBY. If there are multiple project configuration files in the project_path, language is also required.  Also, provide this when cataloguing an application',
         constantsFilePath: `Specify a directory or the file where dependencies are declared. (By default, CodeSec will search for project files in the current directory.)`,
         constantsSilent: 'Silences JSON output.',
@@ -96,7 +97,7 @@ const en_locales = () => {
         constantsFail: 'Set the process to fail if this option is set in combination with --cve_severity.',
         failThresholdOptionErrorMessage: 'More than 0 vulnerabilities found',
         failSeverityOptionErrorMessage: ' FAIL - Results detected vulnerabilities over accepted severity level',
-        constantsSeverity: 'Allows the user to report libraries with vulnerabilities above a chosen severity level. For example, cve_severity medium only reports libraries with vulnerabilities at medium or higher severity. Values for level are high, medium or low.',
+        constantsSeverity: 'Use with "contrast scan --fail --severity high" or "contrast audit --fail --severity high". Set the severity level to detect vulnerabilities or dependencies. Severity levels are critical, high, medium, low or note.',
         constantsCount: 'The number of CVEs that must be exceeded to fail a build',
         constantsHeader: 'CodeSec by Contrast Security',
         configHeader2: 'Config options',
@@ -113,7 +114,7 @@ const en_locales = () => {
         configHeader: 'Config',
         constantsConfigUsageContents: 'view / clear the configuration',
         constantsPrerequisitesContent: 'To scan a Java project you will need a .jar or .war file for analysis\n' +
-            'To scan a Javascript project you will need a .js or.zip file for analysis\n' +
+            'To scan a Javascript project you will need a single .js or a .zip of  multiple .js files\n' +
             'To scan a .NET c# webforms project you will need a .exe or a .zip file for analysis\n',
         constantsUsage: 'Usage',
         constantsUsageCommandExample: 'contrast [command] [options]',
@@ -212,17 +213,26 @@ const en_locales = () => {
         scanOptionsTimeoutSummary: 'Time in seconds to wait for scan to complete. Default value is 300 seconds.',
         scanOptionsFileNameSummary: 'Path of the file you want to scan. If no file is specified, Contrast searches for a .jar, .war, .exe or .zip file in the working directory.',
         scanOptionsVerboseSummary: ' Returns extended information to the terminal.',
+        auditOptionsTrackSummary: ' Save the results to the UI.',
+        auditOptionsBranchSummary: ' Set the branch name to associate the library results to.',
         authSuccessMessage: 'Authentication successful',
-        runAuthSuccessMessage: "Now you can use CodeSec by Contrast \nRun: \n'contrast scan' to run CodeSec’s industry leading SAST scanner \n'contrast audit' to find vulnerabilities in your open source dependencies \n'contrast lambda' to secure your AWS serverless functions\nor 'contrast help' to learn more about the capabilities.",
+        runAuthSuccessMessage: chalk.bold('CodeSec by Contrast') +
+            '\nScan, secure and ship your code in minutes for FREE. \n' +
+            chalk.bold('\nRun\n') +
+            chalk.bold('\ncontrast scan') +
+            " to run Contrast's industry leading SAST scanner. \nSupports Java, JavaScript and .Net \n" +
+            chalk.bold('\ncontrast audit') +
+            ' to find vulnerabilities in your open source dependencies.\nSupports Java, .NET, Node, Ruby, Python, Go and PHP \n' +
+            chalk.bold('\ncontrast lambda') +
+            ' to secure your AWS serverless functions. \nSupports Java and Python \n' +
+            chalk.bold('\ncontrast help') +
+            ' to learn more about the capabilities.',
         authWaitingMessage: 'Waiting for auth...',
         authTimedOutMessage: 'Auth Timed out, try again',
         zipErrorScan: 'We only support zip files for JAVASCRIPT language, please set the flag --language JAVASCRIPT',
         unknownFileErrorScan: 'Unsupported file selected for Scan.',
         foundScanFile: 'Found: %s',
-        foundDetailedVulnerabilities: chalk.bold('%s Critical') +
-            ' | ' +
-            chalk.bold('%s High') +
-            ' | %s Medium | %s Low | %s Note',
+        foundDetailedVulnerabilities: chalk.bold('%s') + ' | ' + chalk.bold('%s') + ' | %s | %s | %s ',
         requiredParams: 'All required parameters are not present.',
         timeoutScan: 'Timeout set to 5 minutes.',
         searchingScanFileDirectory: 'Searching for file to scan from %s...',

package/dist/constants.js

@@ -101,7 +101,7 @@ const scanOptionDefinitions = [
         description: '{bold ' +
             i18n.__('constantsOptional') +
             '}: ' +
-            i18n.__('failOptionErrorMessage')
+            i18n.__('failOptionMessage')
     },
     {
         name: 'severity',
@@ -219,7 +219,7 @@ const auditOptionDefinitions = [
         description: '{bold ' +
             i18n.__('constantsOptional') +
             '}: ' +
-            i18n.__('failOptionErrorMessage')
+            i18n.__('failOptionMessage')
     },
     {
         name: 'severity',
@@ -341,6 +341,35 @@ const auditOptionDefinitions = [
         name: 'help',
         alias: 'h',
         type: Boolean
+    },
+    {
+        name: 'debug',
+        alias: 'd',
+        type: Boolean
+    },
+    {
+        name: 'verbose',
+        alias: 'v',
+        type: Boolean,
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}:' +
+            i18n.__('scanOptionsVerboseSummary')
+    },
+    {
+        name: 'track',
+        type: Boolean,
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}:' +
+            i18n.__('auditOptionsTrackSummary')
+    },
+    {
+        name: 'branch',
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}:' +
+            i18n.__('auditOptionsBranchSummary')
     }
 ];
 const mainUsageGuide = commandLineUsage([

package/dist/index.js

@@ -73,11 +73,13 @@ const start = async () => {
                 const foundCommand = (0, errorHandling_1.findCommandOnError)(mainOptions._unknown);
                 foundCommand
                     ? console.log(`Unknown Command: Did you mean "${foundCommand}"? \nUse "${foundCommand} --help" for the full list of options`)
-                    : console.log(`Unknown Command: ${command} \nUse --help for the full list`);
+                    : console.log(`\nUnknown Command: ${command} \n`);
+                console.log(mainUsageGuide);
                 await (0, telemetry_1.sendTelemetryConfigAsConfObj)(config, command, argvMain, 'FAILURE', 'undefined');
             }
             else {
-                console.log(`Unknown Command: ${command} \nUse --help for the full list`);
+                console.log(`\nUnknown Command: ${command}\n`);
+                console.log(mainUsageGuide);
                 await (0, telemetry_1.sendTelemetryConfigAsConfObj)(config, command, argvMain, 'FAILURE', 'undefined');
             }
             process.exit(9);

package/dist/lambda/lambda.js

@@ -119,7 +119,7 @@ const processLambda = async (argv) => {
 exports.processLambda = processLambda;
 const getAvailableFunctions = async (lambdaOptions) => {
     const lambdas = await (0, lambdaUtils_1.getAllLambdas)(lambdaOptions);
-    (0, lambdaUtils_1.printAvailableLambdas)(lambdas, { runtimes: ['python', 'java'] });
+    (0, lambdaUtils_1.printAvailableLambdas)(lambdas, { runtimes: ['python', 'java', 'node'] });
 };
 exports.getAvailableFunctions = getAvailableFunctions;
 const actualProcessLambda = async (lambdaOptions) => {

package/dist/sbom/generateSbom.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateSbom = void 0;
+exports.generateSCASbom = exports.generateSbom = void 0;
 const commonApi_1 = require("../utils/commonApi");
 const generateSbom = (config, type) => {
     const client = (0, commonApi_1.getHttpClient)(config);
@@ -19,3 +19,20 @@ const generateSbom = (config, type) => {
     });
 };
 exports.generateSbom = generateSbom;
+const generateSCASbom = (config, type, reportId) => {
+    const client = (0, commonApi_1.getHttpClient)(config);
+    return client
+        .getSCASbom(config, type, reportId)
+        .then((res) => {
+        if (res.statusCode === 200) {
+            return res.body;
+        }
+        else {
+            console.log('Unable to retrieve Software Bill of Materials (SBOM)');
+        }
+    })
+        .catch((err) => {
+        console.log(err);
+    });
+};
+exports.generateSCASbom = generateSCASbom;

package/dist/scaAnalysis/common/auditReport.js

@@ -0,0 +1,78 @@
+"use strict";
+const { getSeverityCounts, createSummaryMessageTop, printVulnInfo, getReportTable, getIssueRow, printNoVulnFoundMsg } = require('../../audit/report/commonReportingFunctions');
+const { orderBy } = require('lodash');
+const { assignBySeverity } = require('../../scan/formatScanOutput');
+const chalk = require('chalk');
+const { CE_URL } = require('../../constants/constants');
+const common = require('../../common/fail');
+const processAuditReport = (config, results) => {
+    let severityCounts = {};
+    if (results !== undefined) {
+        severityCounts = formatScaServicesReport(config, results);
+    }
+    if (config.fail) {
+        common.processFail(config, severityCounts);
+    }
+};
+const formatScaServicesReport = (config, results) => {
+    const projectOverviewCount = getSeverityCounts(results);
+    if (projectOverviewCount.total === 0) {
+        printNoVulnFoundMsg();
+        return projectOverviewCount;
+    }
+    else {
+        let total = 0;
+        const numberOfCves = results.length;
+        const table = getReportTable();
+        let contrastHeaderNumCounter = 0;
+        let assignPriorityToResults = results.map(result => assignBySeverity(result, result));
+        const numberOfVulns = results
+            .map(result => result.vulnerabilities)
+            .reduce((a, b) => {
+            return (total += b.length);
+        }, 0);
+        const outputOrderedByLowestSeverityAndLowestNumOfCvesFirst = orderBy(assignPriorityToResults, [
+            reportListItem => {
+                return reportListItem.priority;
+            },
+            reportListItem => {
+                return reportListItem.vulnerabilities.length;
+            }
+        ], ['asc', 'desc']);
+        for (const result of outputOrderedByLowestSeverityAndLowestNumOfCvesFirst) {
+            contrastHeaderNumCounter++;
+            const cvesNum = result.vulnerabilities.length;
+            const grammaticallyCorrectVul = result.vulnerabilities.length > 1 ? 'vulnerabilities' : 'vulnerability';
+            const headerColour = chalk.hex(result.colour);
+            const headerRow = [
+                headerColour(`CONTRAST-${contrastHeaderNumCounter.toString().padStart(3, '0')}`),
+                headerColour(`-`),
+                headerColour(`[${result.severity}] `) +
+                    headerColour.bold(`${result.artifactName}`) +
+                    ` introduces ${cvesNum} ${grammaticallyCorrectVul}`
+            ];
+            const adviceRow = [
+                chalk.bold(`Advice`),
+                chalk.bold(`:`),
+                `Change to version ${result.remediationAdvice.latestStableVersion}`
+            ];
+            let assignPriorityToVulns = result.vulnerabilities.map(result => assignBySeverity(result, result));
+            const issueRow = getIssueRow(assignPriorityToVulns);
+            table.push(headerRow, issueRow, adviceRow);
+            console.log();
+        }
+        console.log();
+        createSummaryMessageTop(numberOfCves, numberOfVulns);
+        console.log(table.toString() + '\n');
+        printVulnInfo(projectOverviewCount);
+        if (config.host !== CE_URL) {
+            console.log('\n' + chalk.bold('View your full dependency tree in Contrast:'));
+            console.log(`${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`);
+        }
+        return projectOverviewCount;
+    }
+};
+module.exports = {
+    formatScaServicesReport,
+    processAuditReport
+};

package/dist/scaAnalysis/common/scaServicesUpload.js

@@ -7,12 +7,15 @@ const scaTreeUpload = async (analysis, config) => {
         applicationId: config.applicationId,
         dependencyTree: analysis,
         organizationId: config.organizationId,
-        language: 'NODE',
+        language: config.language,
         tool: {
             name: 'Contrast Codesec',
             version: APP_VERSION
         }
     };
+    if (config.branch) {
+        requestBody.branchName = config.branch;
+    }
     const client = commonApi.getHttpClient(config);
     const reportID = await client
         .scaServiceIngest(requestBody, config)
@@ -27,25 +30,30 @@ const scaTreeUpload = async (analysis, config) => {
         .catch(err => {
         throw err;
     });
+    if (config.debug) {
+        console.log(' polling report', reportID);
+    }
     let keepChecking = true;
+    let res;
     while (keepChecking) {
-        keepChecking = await client
-            .scaServiceReportStatus(config, reportID)
-            .then(res => {
-            console.log(res.body);
-            if (res.body.status == 'COMPLETED') {
-                client.scaServiceReport(config, reportID).then(res => {
-                    console.log(res.statusCode);
-                    console.log(res.body);
-                });
-                return (keepChecking = false);
+        res = await client.scaServiceReportStatus(config, reportID).then(res => {
+            if (config.debug) {
+                console.log(res.statusCode);
+                console.log(res.body);
             }
-            else {
-                return (keepChecking = true);
+            if (res.body.status === 'COMPLETED') {
+                keepChecking = false;
+                return client.scaServiceReport(config, reportID).then(res => {
+                    return [res.body, reportID];
+                });
             }
         });
+        if (!keepChecking) {
+            return [res, reportID];
+        }
         await requestUtils.sleep(5000);
     }
+    return [res, reportID];
 };
 module.exports = {
     scaTreeUpload

package/dist/scan/formatScanOutput.js

@@ -3,16 +3,17 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.assignBySeverity = exports.stripTags = exports.getCodeFlowInfo = exports.getSourceLineNumber = exports.getLocationsSyncInfo = exports.editVulName = exports.getDefaultView = exports.formatLinks = exports.getProjectOverview = exports.formatScanOutput = void 0;
+exports.assignBySeverity = exports.stripTags = exports.getCodeFlowInfo = exports.getSourceLineNumber = exports.getLocationsSyncInfo = exports.editVulName = exports.getDefaultView = exports.formatLinks = exports.formatScanOutput = void 0;
 const i18n_1 = __importDefault(require("i18n"));
 const chalk_1 = __importDefault(require("chalk"));
 const groupedResultsModel_1 = require("./models/groupedResultsModel");
 const lodash_1 = require("lodash");
 const cli_table3_1 = __importDefault(require("cli-table3"));
 const constants_1 = require("../constants/constants");
+const commonReportingFunctions_1 = require("../audit/report/commonReportingFunctions");
 function formatScanOutput(scanResults) {
     const { scanResultsInstances } = scanResults;
-    const projectOverview = getProjectOverview(scanResultsInstances);
+    const projectOverview = (0, commonReportingFunctions_1.getSeverityCounts)(scanResultsInstances.content);
     if (scanResultsInstances.content.length === 0) {
         console.log(i18n_1.default.__('scanNoVulnerabilitiesFound'));
         console.log(i18n_1.default.__('scanNoVulnerabilitiesFoundSecureCode'));
@@ -89,36 +90,10 @@ function formatScanOutput(scanResults) {
             console.log();
         });
     }
-    printVulnInfo(projectOverview);
+    (0, commonReportingFunctions_1.printVulnInfo)(projectOverview);
     return projectOverview;
 }
 exports.formatScanOutput = formatScanOutput;
-function printVulnInfo(projectOverview) {
-    const totalVulnerabilities = projectOverview.total;
-    const vulMessage = totalVulnerabilities === 1 ? `vulnerability` : `vulnerabilities`;
-    console.log(chalk_1.default.bold(`Found ${totalVulnerabilities} ${vulMessage}`));
-    console.log(i18n_1.default.__('foundDetailedVulnerabilities', String(projectOverview.critical), String(projectOverview.high), String(projectOverview.medium), String(projectOverview.low), String(projectOverview.note)));
-}
-function getProjectOverview(scanResultsInstances) {
-    const acc = {
-        critical: 0,
-        high: 0,
-        medium: 0,
-        low: 0,
-        note: 0,
-        total: 0
-    };
-    if (scanResultsInstances?.content &&
-        scanResultsInstances.content.length > 0) {
-        scanResultsInstances.content.forEach((i) => {
-            acc[i.severity.toLowerCase()] += 1;
-            acc.total += 1;
-            return acc;
-        });
-    }
-    return acc;
-}
-exports.getProjectOverview = getProjectOverview;
 function formatLinks(objName, entry) {
     const line = chalk_1.default.bold(objName + '  : ');
     if (entry.length === 1) {

package/dist/utils/commonApi.js

@@ -18,6 +18,7 @@ const handleResponseErrors = (res, api) => {
         maxAppError();
     }
     else {
+        console.log(res.statusCode);
         genericError(res);
     }
 };

package/dist/utils/settingsHelper.js

@@ -0,0 +1,24 @@
+"use strict";
+const commonApi = require('./commonApi');
+const { getMode } = require('./generalAPI');
+const { SAAS, MODE_BUILD } = require('../constants/constants');
+const getSettings = async (config) => {
+    config.isEOP = (await getMode(config)).toUpperCase() === SAAS ? false : true;
+    config.mode = MODE_BUILD;
+    config.scaServices = await isSCAServicesAvailable(config);
+    return config;
+};
+const isSCAServicesAvailable = async (config) => {
+    const client = commonApi.getHttpClient(config);
+    return client
+        .scaServiceIngests(config)
+        .then(res => {
+        return res.statusCode !== 403;
+    })
+        .catch(err => {
+        console.log(err);
+    });
+};
+module.exports = {
+    getSettings
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "1.0.13",
+  "version": "1.0.15",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -25,7 +25,10 @@
     "test-int-scan": "jest ./test-integration/scan",
     "test-int-audit": "jest test-integration/audit",
     "test-int-audit-reports": "jest test-integration/audit/audit-language-reports.spec.js",
+    "test-int-scan-errors": "jest test-integration/scan/scanLocalErrors.spec.js",
+    "test-int-scan-reports": "jest test-integration/scan/scanReport.spec.js",
     "test-int-audit-features": "jest test-integration/audit/auditFeatures/",
+    "test-int-audit-experimental": "jest test-integration/audit/audit-experimental.spec.js",
     "format": "prettier --write \"**/*.{ts,tsx,js,json,md,yml}\" .eslintrc.*",
     "check-format": "prettier --check \"**/*.{ts,tsx,js,json,md,yml}\" .eslintrc.*",
     "coverage-local": "nyc --reporter=text mocha './test/**/*.spec.js'",