@contrast/contrast 1.0.13 → 1.0.15

package/src/audit/report/commonReportingFunctions.js

@@ -0,0 +1,432 @@
+const commonApi = require('../../utils/commonApi')
+const {
+  ReportCompositeKey,
+  ReportList,
+  ReportModelStructure
+} = require('./models/reportListModel')
+const { orderBy } = require('lodash')
+const chalk = require('chalk')
+const {
+  countVulnerableLibrariesBySeverity,
+  orderByHighestPriority,
+  findHighestSeverityCVE,
+  findNameAndVersion,
+  severityCountAllCVEs,
+  findCVESeverity
+} = require('./utils/reportUtils')
+const { SeverityCountModel } = require('./models/severityCountModel')
+const {
+  ReportOutputBodyModel,
+  ReportOutputHeaderModel,
+  ReportOutputModel
+} = require('./models/reportOutputModel')
+const {
+  CE_URL,
+  CRITICAL_COLOUR,
+  HIGH_COLOUR,
+  LOW_COLOUR,
+  MEDIUM_COLOUR,
+  NOTE_COLOUR
+} = require('../../constants/constants')
+const Table = require('cli-table3')
+const { ReportGuidanceModel } = require('./models/reportGuidanceModel')
+const i18n = require('i18n')
+
+const createSummaryMessageTop = (numberOfVulnerableLibraries, numberOfCves) => {
+  numberOfVulnerableLibraries === 1
+    ? console.log(`Found 1 vulnerable library containing ${numberOfCves} CVE`)
+    : console.log(
+        `Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVEs`
+      )
+}
+
+const createSummaryMessageBottom = numberOfVulnerableLibraries => {
+  numberOfVulnerableLibraries === 1
+    ? console.log(`Found 1 vulnerability`)
+    : console.log(`Found ${numberOfVulnerableLibraries} vulnerabilities`)
+}
+
+const getReport = async (config, reportId) => {
+  const client = commonApi.getHttpClient(config)
+  return client
+    .getReportById(config, reportId)
+    .then(res => {
+      if (res.statusCode === 200) {
+        return res.body
+      } else {
+        console.log(JSON.stringify(res.statusCode))
+        commonApi.handleResponseErrors(res, 'report')
+      }
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+const printVulnerabilityResponse = (
+  config,
+  vulnerableLibraries,
+  numberOfVulnerableLibraries,
+  numberOfCves,
+  guidance
+) => {
+  let hasSomeVulnerabilitiesReported = false
+  printFormattedOutput(
+    config,
+    vulnerableLibraries,
+    numberOfVulnerableLibraries,
+    numberOfCves,
+    guidance
+  )
+  if (Object.keys(vulnerableLibraries).length > 0) {
+    hasSomeVulnerabilitiesReported = true
+  }
+  return hasSomeVulnerabilitiesReported
+}
+
+const printFormattedOutput = (
+  config,
+  libraries,
+  numberOfVulnerableLibraries,
+  numberOfCves,
+  guidance
+) => {
+  createSummaryMessageTop(numberOfVulnerableLibraries, numberOfCves)
+  console.log()
+  const report = new ReportList()
+
+  for (const library of libraries) {
+    const { name, version } = findNameAndVersion(library, config)
+
+    const newOutputModel = new ReportModelStructure(
+      new ReportCompositeKey(
+        name,
+        version,
+        findHighestSeverityCVE(library.cveArray),
+        severityCountAllCVEs(
+          library.cveArray,
+          new SeverityCountModel()
+        ).getTotal
+      ),
+      library.cveArray
+    )
+    report.reportOutputList.push(newOutputModel)
+  }
+
+  const outputOrderedByLowestSeverityAndLowestNumOfCvesFirst = orderBy(
+    report.reportOutputList,
+    [
+      reportListItem => {
+        return reportListItem.compositeKey.highestSeverity.priority
+      },
+      reportListItem => {
+        return reportListItem.compositeKey.numberOfSeverities
+      }
+    ],
+    ['asc', 'desc']
+  )
+
+  let contrastHeaderNumCounter = 0
+  for (const reportModel of outputOrderedByLowestSeverityAndLowestNumOfCvesFirst) {
+    contrastHeaderNumCounter++
+    const { libraryName, libraryVersion, highestSeverity } =
+      reportModel.compositeKey
+    const numOfCVEs = reportModel.cveArray.length
+
+    const table = getReportTable()
+
+    const header = buildHeader(
+      highestSeverity,
+      contrastHeaderNumCounter,
+      libraryName,
+      libraryVersion,
+      numOfCVEs
+    )
+
+    const advice = gatherRemediationAdvice(
+      guidance,
+      libraryName,
+      libraryVersion
+    )
+
+    const body = buildBody(reportModel.cveArray, advice)
+
+    const reportOutputModel = new ReportOutputModel(header, body)
+
+    table.push(
+      reportOutputModel.body.issueMessage,
+      reportOutputModel.body.adviceMessage
+    )
+
+    console.log(
+      reportOutputModel.header.vulnMessage,
+      reportOutputModel.header.introducesMessage
+    )
+    console.log(table.toString() + '\n')
+  }
+
+  createSummaryMessageBottom(numberOfVulnerableLibraries)
+  const {
+    criticalMessage,
+    highMessage,
+    mediumMessage,
+    lowMessage,
+    noteMessage
+  } = buildFooter(outputOrderedByLowestSeverityAndLowestNumOfCvesFirst)
+  console.log(
+    `${criticalMessage} | ${highMessage} | ${mediumMessage} | ${lowMessage} | ${noteMessage}`
+  )
+
+  if (config.host !== CE_URL) {
+    console.log(
+      '\n' + chalk.bold('View your full dependency tree in Contrast:')
+    )
+    console.log(
+      `${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
+    )
+  }
+}
+
+function getReportTable() {
+  return new Table({
+    chars: {
+      top: '',
+      'top-mid': '',
+      'top-left': '',
+      'top-right': '',
+      bottom: '',
+      'bottom-mid': '',
+      'bottom-left': '',
+      'bottom-right': '',
+      left: '',
+      'left-mid': '',
+      mid: '',
+      'mid-mid': '',
+      right: '',
+      'right-mid': '',
+      middle: ' '
+    },
+    style: { 'padding-left': 0, 'padding-right': 0 },
+    colAligns: ['right'],
+    wordWrap: true,
+    colWidths: [12, 1, 100]
+  })
+}
+function buildHeader(
+  highestSeverity,
+  contrastHeaderNum,
+  libraryName,
+  version,
+  numOfCVEs
+) {
+  const vulnerabilityPluralised =
+    numOfCVEs > 1 ? 'vulnerabilities' : 'vulnerability'
+  const formattedHeaderNum = buildFormattedHeaderNum(contrastHeaderNum)
+
+  const headerColour = chalk.hex(highestSeverity.colour)
+  const headerNumAndSeverity = headerColour(
+    `${formattedHeaderNum} - [${highestSeverity.severity}]`
+  )
+  const libraryNameAndVersion = headerColour.bold(`${libraryName}-${version}`)
+  const vulnMessage = `${headerNumAndSeverity} ${libraryNameAndVersion}`
+
+  const introducesMessage = `introduces ${numOfCVEs} ${vulnerabilityPluralised}`
+
+  return new ReportOutputHeaderModel(vulnMessage, introducesMessage)
+}
+
+function buildBody(cveArray, advice) {
+  let assignPriorityToVulns = cveArray.map(result => findCVESeverity(result))
+
+  const issueMessage = getIssueRow(assignPriorityToVulns)
+
+  //todo different advice based on remediationGuidance being available or now
+  // console.log(advice)
+
+  const minOrMax = advice.maximum ? advice.maximum : advice.minimum
+  const displayAdvice = minOrMax
+    ? `Change to version ${chalk.bold(minOrMax)}`
+    : 'No recommendation is available according to our data. Upgrade to the latest stable is the best advice we can give.'
+
+  const adviceMessage = [chalk.bold('Advice'), ':', displayAdvice]
+
+  return new ReportOutputBodyModel(issueMessage, adviceMessage)
+}
+
+function getIssueRow(cveArray) {
+  orderByHighestPriority(cveArray)
+  const cveMessagesList = getIssueCveMsgList(cveArray)
+  const cveNumbers = getSeverityCounts(cveArray)
+  const numAndSeverityTypeDesc = getNumOfAndSeverityType(cveNumbers)
+  return [
+    chalk.bold('Issue'),
+    ':',
+    `${numAndSeverityTypeDesc} ${cveMessagesList.join(', ')}`
+  ]
+}
+
+function gatherRemediationAdvice(guidance, libraryName, libraryVersion) {
+  const guidanceModel = new ReportGuidanceModel()
+
+  const data = guidance[libraryName + '@' + libraryVersion]
+
+  if (data) {
+    guidanceModel.minimum = data.minUpgradeVersion
+    guidanceModel.maximum = data.maxUpgradeVersion
+  }
+
+  return guidanceModel
+}
+
+function buildFormattedHeaderNum(contrastHeaderNum) {
+  return `CONTRAST-${contrastHeaderNum.toString().padStart(3, '0')}`
+}
+
+function getNumOfAndSeverityType(cveNumbers) {
+  const { critical, high, medium, low, note } = cveNumbers
+
+  const criticalMsg = critical > 0 ? `${critical} Critical | ` : ''
+  const highMsg = high > 0 ? `${high} High | ` : ''
+  const mediumMsg = medium > 0 ? `${medium} Medium | ` : ''
+  const lowMsg = low > 0 ? `${low} Low | ` : ''
+  const noteMsg = note > 0 ? `${note} Note` : ''
+
+  //removes/trims whitespace to single spaces
+  return `${criticalMsg} ${highMsg} ${mediumMsg} ${lowMsg} ${noteMsg}`
+    .replace(/\s+/g, ' ')
+    .trim()
+}
+
+const buildFooter = reportModelStructure => {
+  const { critical, high, medium, low, note } =
+    countVulnerableLibrariesBySeverity(reportModelStructure)
+
+  const criticalMessage = chalk
+    .hex(CRITICAL_COLOUR)
+    .bold(`${critical} Critical`)
+  const highMessage = chalk.hex(HIGH_COLOUR).bold(`${high} High`)
+  const mediumMessage = chalk.hex(MEDIUM_COLOUR).bold(`${medium} Medium`)
+  const lowMessage = chalk.hex(LOW_COLOUR).bold(`${low} Low`)
+  const noteMessage = chalk.hex(NOTE_COLOUR).bold(`${note} Note`)
+
+  return {
+    criticalMessage,
+    highMessage,
+    mediumMessage,
+    lowMessage,
+    noteMessage
+  }
+}
+
+const getIssueCveMsgList = results => {
+  const cveMessages = []
+
+  results.forEach(reportSeverityModel => {
+    // @ts-ignore
+    const { colour, severity, name } = reportSeverityModel
+
+    const severityShorthand = chalk
+      .hex(colour)
+      .bold(`[${severity.charAt(0).toUpperCase()}]`)
+
+    const builtMessage = severityShorthand + name
+    cveMessages.push(builtMessage)
+  })
+  return cveMessages
+}
+
+const getSeverityCounts = results => {
+  const acc = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    note: 0,
+    total: 0
+  }
+  if (results && results.length > 0) {
+    results.forEach(i => {
+      acc[i.severity.toLowerCase()] += 1
+      acc.total += 1
+      return acc
+    })
+  }
+
+  return acc
+}
+
+const printNoVulnFoundMsg = () => {
+  console.log(i18n.__('scanNoVulnerabilitiesFound'))
+  console.log(i18n.__('scanNoVulnerabilitiesFoundSecureCode'))
+  console.log(i18n.__('scanNoVulnerabilitiesFoundGoodWork'))
+  console.log(chalk.bold(`Found 0 vulnerabilities`))
+  console.log(
+    i18n.__(
+      'foundDetailedVulnerabilities',
+      String(0),
+      String(0),
+      String(0),
+      String(0),
+      String(0)
+    )
+  )
+}
+const printVulnInfo = projectOverview => {
+  const totalVulnerabilities = projectOverview.total
+
+  createSummaryMessageBottom(totalVulnerabilities)
+  const formattedValues = severityFormatted(projectOverview)
+  console.log(
+    i18n.__(
+      'foundDetailedVulnerabilities',
+      String(formattedValues.criticalFormatted),
+      String(formattedValues.highFormatted),
+      String(formattedValues.mediumFormatted),
+      String(formattedValues.lowFormatted),
+      String(formattedValues.noteFormatted)
+    )
+  )
+}
+
+const severityFormatted = projectOverview => {
+  const criticalFormatted = chalk
+    .hex(CRITICAL_COLOUR)
+    .bold(`${projectOverview.critical} Critical`)
+  const highFormatted = chalk
+    .hex(HIGH_COLOUR)
+    .bold(`${projectOverview.high} High`)
+  const mediumFormatted = chalk
+    .hex(MEDIUM_COLOUR)
+    .bold(`${projectOverview.medium} Medium`)
+  const lowFormatted = chalk.hex(LOW_COLOUR).bold(`${projectOverview.low} Low`)
+  const noteFormatted = chalk
+    .hex(NOTE_COLOUR)
+    .bold(`${projectOverview.note} Note`)
+
+  return {
+    criticalFormatted,
+    highFormatted,
+    mediumFormatted,
+    lowFormatted,
+    noteFormatted
+  }
+}
+
+module.exports = {
+  createSummaryMessageTop,
+  getReport,
+  createSummaryMessageBottom,
+  printVulnerabilityResponse,
+  printFormattedOutput,
+  getReportTable,
+  buildHeader,
+  buildBody,
+  getIssueRow,
+  gatherRemediationAdvice,
+  buildFormattedHeaderNum,
+  getNumOfAndSeverityType,
+  getIssueCveMsgList,
+  getSeverityCounts,
+  printNoVulnFoundMsg,
+  printVulnInfo
+}

package/src/audit/report/models/reportSeverityModel.ts

@@ -1,18 +1,18 @@
 export class ReportSeverityModel {
   severity: string
   priority: number
-  outputColour: string
-  cveName: string
+  colour: string
+  name: string
 
   constructor(
     severity: string,
     priority: number,
-    outputColour: string,
-    cveName: string
+    colour: string,
+    name: string
   ) {
     this.severity = severity
     this.priority = priority
-    this.outputColour = outputColour
-    this.cveName = cveName
+    this.colour = colour
+    this.name = name
   }
 }

package/src/audit/report/reportingFeature.ts

@@ -1,5 +1,6 @@
 import {
   getReport,
+  printNoVulnFoundMsg,
   printVulnerabilityResponse
 } from './commonReportingFunctions'
 import {
@@ -58,22 +59,7 @@ export function formatVulnerabilityOutput(
   const numberOfVulnerableLibraries = vulnerableLibraries.length
 
   if (numberOfVulnerableLibraries === 0) {
-    console.log(i18n.__('scanNoVulnerabilitiesFound'))
-    console.log(i18n.__('scanNoVulnerabilitiesFoundSecureCode'))
-    console.log(i18n.__('scanNoVulnerabilitiesFoundGoodWork'))
-    console.log(
-      chalk.bold(`Found ${numberOfVulnerableLibraries} vulnerabilities`)
-    )
-    console.log(
-      i18n.__(
-        'foundDetailedVulnerabilities',
-        String(0),
-        String(0),
-        String(0),
-        String(0),
-        String(0)
-      )
-    )
+    printNoVulnFoundMsg()
     return [false, 0, [new SeverityCountModel()]]
   } else {
     let numberOfCves = 0

package/src/audit/report/utils/reportUtils.ts

@@ -30,14 +30,8 @@ export function findHighestSeverityCVE(cveArray: ReportCVEModel[]) {
   return orderBy(mappedToReportSeverityModels, cve => cve?.priority)[0]
 }
 
-export function findCVESeveritiesAndOrderByHighestPriority(
-  cves: ReportCVEModel[]
-) {
-  return orderBy(
-    cves.map(cve => findCVESeverity(cve)),
-    ['priority'],
-    ['asc']
-  )
+export function orderByHighestPriority(cves: ReportCVEModel[]) {
+  return orderBy(cves, ['priority'], ['asc'])
 }
 
 export function findCVESeverity(cve: ReportCVEModel) {

package/src/audit/save.js

@@ -8,7 +8,7 @@ const {
   SBOM_SPDX_FILE
 } = require('../constants/constants')
 
-async function auditSave(config) {
+async function auditSave(config, reportId) {
   let fileFormat
   switch (config.save) {
     case null:
@@ -23,11 +23,19 @@ async function auditSave(config) {
   }
 
   if (fileFormat) {
-    save.saveFile(
-      config,
-      fileFormat,
-      await sbom.generateSbom(config, fileFormat)
-    )
+    if (config.experimental) {
+      save.saveFile(
+        config,
+        fileFormat,
+        await sbom.generateSCASbom(config, fileFormat, reportId)
+      )
+    } else {
+      save.saveFile(
+        config,
+        fileFormat,
+        await sbom.generateSbom(config, fileFormat)
+      )
+    }
     const filename = `${config.applicationId}-sbom-${fileFormat}.json`
     if (fs.existsSync(filename)) {
       console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`)

package/src/commands/audit/help.ts

@@ -47,7 +47,9 @@ const auditUsageGuide = commandLineUsage([
       'language',
       'experimental',
       'app-groups',
-      'metadata'
+      'metadata',
+      'track',
+      'branch'
     ]
   },
   commonHelpLinks()

package/src/commands/scan/processScan.js

@@ -3,21 +3,13 @@ const { startScan } = require('../../scan/scanController')
 const { saveScanFile } = require('../../utils/saveFile')
 const { ScanResultsModel } = require('../../scan/models/scanResultsModel')
 const { formatScanOutput } = require('../../scan/formatScanOutput')
-const { processSca } = require('./sca/scaAnalysis')
 const common = require('../../common/fail')
 const { sendTelemetryConfigAsObject } = require('../../telemetry/telemetry')
 const chalk = require('chalk')
-const generalAPI = require('../../utils/generalAPI')
 
 const processScan = async (contrastConf, argv) => {
   let config = await scanConfig.getScanConfig(contrastConf, 'scan', argv)
   let output = undefined
-  config.mode = await generalAPI.getMode(config)
-
-  //try SCA analysis first
-  if (config.experimental) {
-    await processSca(config, argv)
-  }
 
   let scanResults = new ScanResultsModel(await startScan(config))
   await sendTelemetryConfigAsObject(

package/src/commands/scan/sca/scaAnalysis.js

@@ -1,7 +1,6 @@
 const autoDetection = require('../../../scan/autoDetection')
 const javaAnalysis = require('../../../scaAnalysis/java')
 const treeUpload = require('../../../scaAnalysis/common/treeUpload')
-const scaUpload = require('../../../scaAnalysis/common/scaServicesUpload')
 const auditController = require('../../audit/auditController')
 const {
   supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET }
@@ -28,10 +27,13 @@ const { dotNetAnalysis } = require('../../../scaAnalysis/dotnet')
 const { auditUsageGuide } = require('../../audit/help')
 const rootFile = require('../../../audit/languageAnalysisEngine/getProjectRootFilenames')
 const path = require('path')
-const generalAPI = require('../../../utils/generalAPI')
+const auditReport = require('../../../scaAnalysis/common/auditReport')
+const scaUpload = require('../../../scaAnalysis/common/scaServicesUpload')
+const settingsHelper = require('../../../utils/settingsHelper')
 
 const processSca = async config => {
-  config.mode = await generalAPI.getMode(config)
+  //checks to see whether to use old TS / new SCA path
+  config = await settingsHelper.getSettings(config)
 
   const startTime = performance.now()
   let filesFound
@@ -104,38 +106,56 @@ const processSca = async config => {
       config.applicationId = await auditController.dealWithNoAppId(config)
     }
 
-    // if (config.experimental) {
-    //   await scaUpload.scaTreeUpload(messageToSend, config)
-    // } else
-    // {
-    console.log('') //empty log for space before spinner
-    //send message to TS
-    const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
-    startSpinner(reportSpinner)
-    const snapshotResponse = await treeUpload.commonSendSnapShot(
-      messageToSend,
-      config
-    )
+    if (config.experimental) {
+      console.log('') //empty log for space before spinner
+      const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
+      startSpinner(reportSpinner)
+      const [reports, reportId] = await scaUpload.scaTreeUpload(
+        messageToSend,
+        config
+      )
 
-    //poll for completion
-    await pollForSnapshotCompletition(
-      config,
-      snapshotResponse.id,
-      reportSpinner
-    )
-    succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
+      auditReport.processAuditReport(config, reports[0])
+      succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
 
-    await vulnerabilityReportV2(config, snapshotResponse.id)
-    if (config.save !== undefined) {
-      await auditSave.auditSave(config)
-    }
-    const endTime = performance.now() - startTime
-    const scanDurationMs = endTime - startTime
+      if (config.save !== undefined) {
+        await auditSave.auditSave(config, reportId)
+      }
 
-    console.log(
-      `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
-    )
-    // }
+      const endTime = performance.now() - startTime
+      const scanDurationMs = endTime - startTime
+      console.log(
+        `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
+      )
+    } else {
+      console.log('') //empty log for space before spinner
+      //send message to TS
+      const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
+      startSpinner(reportSpinner)
+      const snapshotResponse = await treeUpload.commonSendSnapShot(
+        messageToSend,
+        config
+      )
+
+      //poll for completion
+      await pollForSnapshotCompletition(
+        config,
+        snapshotResponse.id,
+        reportSpinner
+      )
+      succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
+
+      await vulnerabilityReportV2(config, snapshotResponse.id)
+      if (config.save !== undefined) {
+        await auditSave.auditSave(config)
+      }
+      const endTime = performance.now() - startTime
+      const scanDurationMs = endTime - startTime
+
+      console.log(
+        `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
+      )
+    }
   } else {
     if (filesFound.length === 0) {
       console.log(i18n.__('languageAnalysisNoLanguage'))