@contrast/contrast 1.0.13 → 1.0.15

package/src/common/HTTPClient.js

@@ -246,6 +246,13 @@ HTTPClient.prototype.scaServiceReportStatus = function scaServiceReport(
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
+HTTPClient.prototype.scaServiceIngests = function scaServiceIngests(config) {
+  const options = _.cloneDeep(this.requestOptions)
+  let url = createScaServiceIngestsURL(config)
+  options.url = url
+  return requestUtils.sendRequest({ method: 'get', options })
+}
+
 HTTPClient.prototype.getReportById = function getReportById(config, reportId) {
   const options = _.cloneDeep(this.requestOptions)
   if (config.ignoreDev) {
@@ -370,6 +377,12 @@ HTTPClient.prototype.getSbom = function getSbom(config, type) {
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
+HTTPClient.prototype.getSCASbom = function getSbom(config, type, reportId) {
+  const options = _.cloneDeep(this.requestOptions)
+  options.url = createSCASbomUrl(config, type, reportId)
+  return requestUtils.sendRequest({ method: 'get', options })
+}
+
 HTTPClient.prototype.getLatestVersion = function getLatestVersion() {
   const options = _.cloneDeep(this.requestOptions)
   options.url =
@@ -447,15 +460,21 @@ function createSnapshotURL(config) {
 }
 
 function createScaServiceReportURL(config, reportId) {
-  return ``
+  return `${config.host}/Contrast/api/sca/organizations/${config.organizationId}/libraries/applications/${config.applicationId}/reports/${reportId}`
 }
 
 function createScaServiceReportStatusURL(config, reportId) {
-  return ``
+  return `${config.host}/Contrast/api/sca/organizations/${config.organizationId}/libraries/ingests/${reportId}/status`
+}
+
+function createScaServiceIngestsURL(config) {
+  return `${config.host}/Contrast/api/sca/organizations/${config.organizationId}/libraries/ingests`
 }
 
 function createScaServiceIngestURL(config) {
-  return ``
+  let baseUrl = `${config.host}/Contrast/api/sca/organizations/${config.organizationId}/libraries/ingests/tree`
+  baseUrl = config.track ? baseUrl.concat('?persist=true') : baseUrl
+  return baseUrl
 }
 
 const createAppCreateURL = config => {
@@ -492,6 +511,10 @@ function createSbomUrl(config, type) {
   return `${config.host}/Contrast/api/ng/${config.organizationId}/applications/${config.applicationId}/libraries/sbom/${type}`
 }
 
+function createSCASbomUrl(config, type, reportId) {
+  return `${config.host}/Contrast/api/sca/organizations/${config.organizationId}/libraries/applications/${config.applicationId}/sbom/${reportId}?toolType=${type}`
+}
+
 function createTelemetryEventUrl(config) {
   return `${config.host}/Contrast/api/sast/organizations/${config.organizationId}/cli`
 }

package/src/common/errorHandling.ts

@@ -38,8 +38,7 @@ const reportFailureError = () => {
   console.log(i18n.__('auditReportFailureMessage'))
 }
 
-const genericError = (missingCliOption: string) => {
-  console.log(missingCliOption)
+const genericError = () => {
   console.error(i18n.__('genericErrorMessage'))
   process.exit(1)
 }

package/src/constants/constants.js

@@ -14,7 +14,7 @@ const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
 // App
 const APP_NAME = 'contrast'
-const APP_VERSION = '1.0.13'
+const APP_VERSION = '1.0.15'
 const TIMEOUT = 120000
 const HIGH_COLOUR = '#ff9900'
 const CRITICAL_COLOUR = '#e35858'
@@ -34,6 +34,12 @@ const SBOM_CYCLONE_DX_FILE = 'cyclonedx'
 const SBOM_SPDX_FILE = 'spdx'
 const CE_URL = 'https://ce.contrastsecurity.com'
 
+//configuration
+const SAAS = 'SAAS'
+const EOP = 'EOP'
+const MODE_BUILD = 'BUILD'
+const MODE_REPO = 'REPO'
+
 module.exports = {
   supportedLanguages: { NODE, DOTNET, JAVA, RUBY, PYTHON, GO, PHP, JAVASCRIPT },
   supportedLanguagesScan: { JAVASCRIPT, DOTNET, JAVA },
@@ -59,5 +65,9 @@ module.exports = {
   LOW_PRIORITY,
   NOTE_PRIORITY,
   SBOM_CYCLONE_DX_FILE,
-  SBOM_SPDX_FILE
+  SBOM_SPDX_FILE,
+  SAAS,
+  EOP,
+  MODE_BUILD,
+  MODE_REPO
 }

package/src/constants/locales.js

@@ -122,6 +122,8 @@ const en_locales = () => {
       'Provide this if you want to catalogue an application',
     failOptionErrorMessage:
       ' FAIL - CVEs have been detected that match at least the cve_severity option specified.',
+    failOptionMessage:
+      ' Use with contrast scan or contrast audit. Detects failures based on the severity level specified with the --severity command. For example, "contrast scan --fail --severity high". Returns all failures if no severity level is specified.',
     constantsLanguage:
       'Valid values are JAVA, DOTNET, NODE, PYTHON and RUBY. If there are multiple project configuration files in the project_path, language is also required.  Also, provide this when cataloguing an application',
     constantsFilePath: `Specify a directory or the file where dependencies are declared. (By default, CodeSec will search for project files in the current directory.)`,
@@ -147,7 +149,7 @@ const en_locales = () => {
     failSeverityOptionErrorMessage:
       ' FAIL - Results detected vulnerabilities over accepted severity level',
     constantsSeverity:
-      'Allows the user to report libraries with vulnerabilities above a chosen severity level. For example, cve_severity medium only reports libraries with vulnerabilities at medium or higher severity. Values for level are high, medium or low.',
+      'Use with "contrast scan --fail --severity high" or "contrast audit --fail --severity high". Set the severity level to detect vulnerabilities or dependencies. Severity levels are critical, high, medium, low or note.',
     constantsCount: 'The number of CVEs that must be exceeded to fail a build',
     constantsHeader: 'CodeSec by Contrast Security',
     configHeader2: 'Config options',
@@ -170,7 +172,7 @@ const en_locales = () => {
     constantsConfigUsageContents: 'view / clear the configuration',
     constantsPrerequisitesContent:
       'To scan a Java project you will need a .jar or .war file for analysis\n' +
-      'To scan a Javascript project you will need a .js or.zip file for analysis\n' +
+      'To scan a Javascript project you will need a single .js or a .zip of  multiple .js files\n' +
       'To scan a .NET c# webforms project you will need a .exe or a .zip file for analysis\n',
     constantsUsage: 'Usage',
     constantsUsageCommandExample: 'contrast [command] [options]',
@@ -315,9 +317,22 @@ const en_locales = () => {
     scanOptionsFileNameSummary:
       'Path of the file you want to scan. If no file is specified, Contrast searches for a .jar, .war, .exe or .zip file in the working directory.',
     scanOptionsVerboseSummary: ' Returns extended information to the terminal.',
+    auditOptionsTrackSummary: ' Save the results to the UI.',
+    auditOptionsBranchSummary:
+      ' Set the branch name to associate the library results to.',
     authSuccessMessage: 'Authentication successful',
     runAuthSuccessMessage:
-      "Now you can use CodeSec by Contrast \nRun: \n'contrast scan' to run CodeSec’s industry leading SAST scanner \n'contrast audit' to find vulnerabilities in your open source dependencies \n'contrast lambda' to secure your AWS serverless functions\nor 'contrast help' to learn more about the capabilities.",
+      chalk.bold('CodeSec by Contrast') +
+      '\nScan, secure and ship your code in minutes for FREE. \n' +
+      chalk.bold('\nRun\n') +
+      chalk.bold('\ncontrast scan') +
+      " to run Contrast's industry leading SAST scanner. \nSupports Java, JavaScript and .Net \n" +
+      chalk.bold('\ncontrast audit') +
+      ' to find vulnerabilities in your open source dependencies.\nSupports Java, .NET, Node, Ruby, Python, Go and PHP \n' +
+      chalk.bold('\ncontrast lambda') +
+      ' to secure your AWS serverless functions. \nSupports Java and Python \n' +
+      chalk.bold('\ncontrast help') +
+      ' to learn more about the capabilities.',
     authWaitingMessage: 'Waiting for auth...',
     authTimedOutMessage: 'Auth Timed out, try again',
     zipErrorScan:
@@ -325,10 +340,7 @@ const en_locales = () => {
     unknownFileErrorScan: 'Unsupported file selected for Scan.',
     foundScanFile: 'Found: %s',
     foundDetailedVulnerabilities:
-      chalk.bold('%s Critical') +
-      ' | ' +
-      chalk.bold('%s High') +
-      ' | %s Medium | %s Low | %s Note',
+      chalk.bold('%s') + ' | ' + chalk.bold('%s') + ' | %s | %s | %s ',
     requiredParams: 'All required parameters are not present.',
     timeoutScan: 'Timeout set to 5 minutes.',
     searchingScanFileDirectory: 'Searching for file to scan from %s...',

package/src/constants.js

@@ -115,7 +115,7 @@ const scanOptionDefinitions = [
       '{bold ' +
       i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('failOptionErrorMessage')
+      i18n.__('failOptionMessage')
   },
   {
     name: 'severity',
@@ -247,7 +247,7 @@ const auditOptionDefinitions = [
       '{bold ' +
       i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('failOptionErrorMessage')
+      i18n.__('failOptionMessage')
   },
   {
     name: 'severity',
@@ -384,6 +384,38 @@ const auditOptionDefinitions = [
     name: 'help',
     alias: 'h',
     type: Boolean
+  },
+  {
+    name: 'debug',
+    alias: 'd',
+    type: Boolean
+  },
+  {
+    name: 'verbose',
+    alias: 'v',
+    type: Boolean,
+    description:
+      '{bold ' +
+      i18n.__('constantsOptional') +
+      '}:' +
+      i18n.__('scanOptionsVerboseSummary')
+  },
+  {
+    name: 'track',
+    type: Boolean,
+    description:
+      '{bold ' +
+      i18n.__('constantsOptional') +
+      '}:' +
+      i18n.__('auditOptionsTrackSummary')
+  },
+  {
+    name: 'branch',
+    description:
+      '{bold ' +
+      i18n.__('constantsOptional') +
+      '}:' +
+      i18n.__('auditOptionsBranchSummary')
   }
 ]
 

package/src/index.ts

@@ -95,9 +95,8 @@ const start = async () => {
           ? console.log(
               `Unknown Command: Did you mean "${foundCommand}"? \nUse "${foundCommand} --help" for the full list of options`
             )
-          : console.log(
-              `Unknown Command: ${command} \nUse --help for the full list`
-            )
+          : console.log(`\nUnknown Command: ${command} \n`)
+        console.log(mainUsageGuide)
         await sendTelemetryConfigAsConfObj(
           config,
           command,
@@ -106,9 +105,8 @@ const start = async () => {
           'undefined'
         )
       } else {
-        console.log(
-          `Unknown Command: ${command} \nUse --help for the full list`
-        )
+        console.log(`\nUnknown Command: ${command}\n`)
+        console.log(mainUsageGuide)
         await sendTelemetryConfigAsConfObj(
           config,
           command,

package/src/lambda/lambda.ts

@@ -126,7 +126,7 @@ const processLambda = async (argv: string[]) => {
 
 const getAvailableFunctions = async (lambdaOptions: LambdaOptions) => {
   const lambdas = await getAllLambdas(lambdaOptions)
-  printAvailableLambdas(lambdas, { runtimes: ['python', 'java'] })
+  printAvailableLambdas(lambdas, { runtimes: ['python', 'java', 'node'] })
 }
 
 const actualProcessLambda = async (lambdaOptions: LambdaOptions) => {

package/src/lambda/lambdaUtils.ts

@@ -11,7 +11,7 @@ import ora from '../utils/oraWrapper'
 import { LambdaOptions } from './lambda'
 import { log, getReadableFileSize } from './logUtils'
 
-type RuntimeLanguage = 'java' | 'python'
+type RuntimeLanguage = 'java' | 'python' | 'node'
 
 type FilterLambdas = {
   runtimes: RuntimeLanguage[]

package/src/sbom/generateSbom.ts

@@ -15,3 +15,23 @@ export const generateSbom = (config: any, type: string) => {
       console.log(err)
     })
 }
+
+export const generateSCASbom = (
+  config: any,
+  type: string,
+  reportId: string
+) => {
+  const client = getHttpClient(config)
+  return client
+    .getSCASbom(config, type, reportId)
+    .then((res: { statusCode: number; body: any }) => {
+      if (res.statusCode === 200) {
+        return res.body
+      } else {
+        console.log('Unable to retrieve Software Bill of Materials (SBOM)')
+      }
+    })
+    .catch((err: any) => {
+      console.log(err)
+    })
+}

package/src/scaAnalysis/common/auditReport.js

@@ -0,0 +1,108 @@
+const {
+  getSeverityCounts,
+  createSummaryMessageTop,
+  printVulnInfo,
+  getReportTable,
+  getIssueRow,
+  printNoVulnFoundMsg
+} = require('../../audit/report/commonReportingFunctions')
+const { orderBy } = require('lodash')
+const { assignBySeverity } = require('../../scan/formatScanOutput')
+const chalk = require('chalk')
+const { CE_URL } = require('../../constants/constants')
+const common = require('../../common/fail')
+
+const processAuditReport = (config, results) => {
+  let severityCounts = {}
+  if (results !== undefined) {
+    severityCounts = formatScaServicesReport(config, results)
+  }
+
+  if (config.fail) {
+    common.processFail(config, severityCounts)
+  }
+}
+const formatScaServicesReport = (config, results) => {
+  const projectOverviewCount = getSeverityCounts(results)
+
+  if (projectOverviewCount.total === 0) {
+    printNoVulnFoundMsg()
+    return projectOverviewCount
+  } else {
+    let total = 0
+    const numberOfCves = results.length
+    const table = getReportTable()
+    let contrastHeaderNumCounter = 0
+    let assignPriorityToResults = results.map(result =>
+      assignBySeverity(result, result)
+    )
+    const numberOfVulns = results
+      .map(result => result.vulnerabilities)
+      .reduce((a, b) => {
+        return (total += b.length)
+      }, 0)
+    const outputOrderedByLowestSeverityAndLowestNumOfCvesFirst = orderBy(
+      assignPriorityToResults,
+      [
+        reportListItem => {
+          return reportListItem.priority
+        },
+        reportListItem => {
+          return reportListItem.vulnerabilities.length
+        }
+      ],
+      ['asc', 'desc']
+    )
+
+    for (const result of outputOrderedByLowestSeverityAndLowestNumOfCvesFirst) {
+      contrastHeaderNumCounter++
+      const cvesNum = result.vulnerabilities.length
+      const grammaticallyCorrectVul =
+        result.vulnerabilities.length > 1 ? 'vulnerabilities' : 'vulnerability'
+
+      const headerColour = chalk.hex(result.colour)
+      const headerRow = [
+        headerColour(
+          `CONTRAST-${contrastHeaderNumCounter.toString().padStart(3, '0')}`
+        ),
+        headerColour(`-`),
+        headerColour(`[${result.severity}] `) +
+          headerColour.bold(`${result.artifactName}`) +
+          ` introduces ${cvesNum} ${grammaticallyCorrectVul}`
+      ]
+
+      const adviceRow = [
+        chalk.bold(`Advice`),
+        chalk.bold(`:`),
+        `Change to version ${result.remediationAdvice.latestStableVersion}`
+      ]
+
+      let assignPriorityToVulns = result.vulnerabilities.map(result =>
+        assignBySeverity(result, result)
+      )
+      const issueRow = getIssueRow(assignPriorityToVulns)
+
+      table.push(headerRow, issueRow, adviceRow)
+      console.log()
+    }
+
+    console.log()
+    createSummaryMessageTop(numberOfCves, numberOfVulns)
+    console.log(table.toString() + '\n')
+    printVulnInfo(projectOverviewCount)
+
+    if (config.host !== CE_URL) {
+      console.log(
+        '\n' + chalk.bold('View your full dependency tree in Contrast:')
+      )
+      console.log(
+        `${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
+      )
+    }
+    return projectOverviewCount
+  }
+}
+module.exports = {
+  formatScaServicesReport,
+  processAuditReport
+}

package/src/scaAnalysis/common/scaServicesUpload.js

@@ -7,13 +7,17 @@ const scaTreeUpload = async (analysis, config) => {
     applicationId: config.applicationId,
     dependencyTree: analysis,
     organizationId: config.organizationId,
-    language: 'NODE',
+    language: config.language,
     tool: {
       name: 'Contrast Codesec',
       version: APP_VERSION
     }
   }
 
+  if (config.branch) {
+    requestBody.branchName = config.branch
+  }
+
   const client = commonApi.getHttpClient(config)
   const reportID = await client
     .scaServiceIngest(requestBody, config)
@@ -27,26 +31,32 @@ const scaTreeUpload = async (analysis, config) => {
     .catch(err => {
       throw err
     })
+  if (config.debug) {
+    console.log(' polling report', reportID)
+  }
 
   let keepChecking = true
+  let res
   while (keepChecking) {
-    keepChecking = await client
-      .scaServiceReportStatus(config, reportID)
-      .then(res => {
+    res = await client.scaServiceReportStatus(config, reportID).then(res => {
+      if (config.debug) {
+        console.log(res.statusCode)
         console.log(res.body)
-        if (res.body.status == 'COMPLETED') {
-          client.scaServiceReport(config, reportID).then(res => {
-            console.log(res.statusCode)
-            console.log(res.body)
-          })
+      }
+      if (res.body.status === 'COMPLETED') {
+        keepChecking = false
+        return client.scaServiceReport(config, reportID).then(res => {
+          return [res.body, reportID]
+        })
+      }
+    })
 
-          return (keepChecking = false)
-        } else {
-          return (keepChecking = true)
-        }
-      })
+    if (!keepChecking) {
+      return [res, reportID]
+    }
     await requestUtils.sleep(5000)
   }
+  return [res, reportID]
 }
 
 module.exports = {

package/src/scan/formatScanOutput.ts

@@ -15,11 +15,15 @@ import {
   MEDIUM_COLOUR,
   NOTE_COLOUR
 } from '../constants/constants'
+import {
+  getSeverityCounts,
+  printVulnInfo
+} from '../audit/report/commonReportingFunctions'
 
 export function formatScanOutput(scanResults: ScanResultsModel) {
   const { scanResultsInstances } = scanResults
 
-  const projectOverview = getProjectOverview(scanResultsInstances)
+  const projectOverview = getSeverityCounts(scanResultsInstances.content)
   if (scanResultsInstances.content.length === 0) {
     console.log(i18n.__('scanNoVulnerabilitiesFound'))
     console.log(i18n.__('scanNoVulnerabilitiesFoundSecureCode'))
@@ -108,47 +112,6 @@ export function formatScanOutput(scanResults: ScanResultsModel) {
   return projectOverview
 }
 
-function printVulnInfo(projectOverview: any) {
-  const totalVulnerabilities = projectOverview.total
-
-  const vulMessage =
-    totalVulnerabilities === 1 ? `vulnerability` : `vulnerabilities`
-  console.log(chalk.bold(`Found ${totalVulnerabilities} ${vulMessage}`))
-  console.log(
-    i18n.__(
-      'foundDetailedVulnerabilities',
-      String(projectOverview.critical),
-      String(projectOverview.high),
-      String(projectOverview.medium),
-      String(projectOverview.low),
-      String(projectOverview.note)
-    )
-  )
-}
-
-export function getProjectOverview(scanResultsInstances: ScanResultsInstances) {
-  const acc: any = {
-    critical: 0,
-    high: 0,
-    medium: 0,
-    low: 0,
-    note: 0,
-    total: 0
-  }
-  if (
-    scanResultsInstances?.content &&
-    scanResultsInstances.content.length > 0
-  ) {
-    scanResultsInstances.content.forEach((i: ResultContent) => {
-      acc[i.severity.toLowerCase()] += 1
-      acc.total += 1
-      return acc
-    })
-  }
-
-  return acc
-}
-
 export function formatLinks(objName: string, entry: any[]) {
   const line = chalk.bold(objName + '  : ')
   if (entry.length === 1) {

package/src/utils/commonApi.js

@@ -20,6 +20,7 @@ const handleResponseErrors = (res, api) => {
   } else if (res.statusCode === 412) {
     maxAppError()
   } else {
+    console.log(res.statusCode)
     genericError(res)
   }
 }

package/src/utils/settingsHelper.js

@@ -0,0 +1,26 @@
+const commonApi = require('./commonApi')
+const { getMode } = require('./generalAPI')
+const { SAAS, MODE_BUILD } = require('../constants/constants')
+
+const getSettings = async config => {
+  config.isEOP = (await getMode(config)).toUpperCase() === SAAS ? false : true
+  config.mode = MODE_BUILD
+  config.scaServices = await isSCAServicesAvailable(config)
+  return config
+}
+
+const isSCAServicesAvailable = async config => {
+  const client = commonApi.getHttpClient(config)
+  return client
+    .scaServiceIngests(config)
+    .then(res => {
+      return res.statusCode !== 403
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+module.exports = {
+  getSettings
+}