@contrast/contrast 1.0.14 → 1.0.16

package/dist/index.js

@@ -9,15 +9,15 @@ const processAudit_1 = require("./commands/audit/processAudit");
 const auth_1 = require("./commands/auth/auth");
 const config_1 = require("./commands/config/config");
 const processScan_1 = require("./commands/scan/processScan");
-const constants_1 = __importDefault(require("./constants"));
-const constants_2 = require("./constants/constants");
+const cliConstants_1 = __importDefault(require("./cliConstants"));
+const constants_1 = require("./constants/constants");
 const lambda_1 = require("./lambda/lambda");
 const getConfig_1 = require("./utils/getConfig");
 const versionChecker_1 = require("./common/versionChecker");
 const errorHandling_1 = require("./common/errorHandling");
 const telemetry_1 = require("./telemetry/telemetry");
-const { commandLineDefinitions: { mainUsageGuide, mainDefinition } } = constants_1.default;
-const config = (0, getConfig_1.localConfig)(constants_2.APP_NAME, constants_2.APP_VERSION);
+const { commandLineDefinitions: { mainUsageGuide, mainDefinition } } = cliConstants_1.default;
+const config = (0, getConfig_1.localConfig)(constants_1.APP_NAME, constants_1.APP_VERSION);
 const getMainOption = () => {
     const mainOptions = (0, command_line_args_1.default)(mainDefinition, {
         stopAtFirstUnknown: true,
@@ -40,7 +40,7 @@ const start = async () => {
             if (command === 'version' ||
                 argvMain.includes('--v') ||
                 argvMain.includes('--version')) {
-                console.log(constants_2.APP_VERSION);
+                console.log(constants_1.APP_VERSION);
                 await (0, versionChecker_1.findLatestCLIVersion)(config);
                 return;
             }

package/dist/sbom/generateSbom.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateSbom = void 0;
+exports.generateSCASbom = exports.generateSbom = void 0;
 const commonApi_1 = require("../utils/commonApi");
 const generateSbom = (config, type) => {
     const client = (0, commonApi_1.getHttpClient)(config);
@@ -19,3 +19,20 @@ const generateSbom = (config, type) => {
     });
 };
 exports.generateSbom = generateSbom;
+const generateSCASbom = (config, type, reportId) => {
+    const client = (0, commonApi_1.getHttpClient)(config);
+    return client
+        .getSCASbom(config, type, reportId)
+        .then((res) => {
+        if (res.statusCode === 200) {
+            return res.body;
+        }
+        else {
+            console.log('Unable to retrieve Software Bill of Materials (SBOM)');
+        }
+    })
+        .catch((err) => {
+        console.log(err);
+    });
+};
+exports.generateSCASbom = generateSCASbom;

package/dist/scaAnalysis/common/auditReport.js

@@ -5,6 +5,7 @@ const { assignBySeverity } = require('../../scan/formatScanOutput');
 const chalk = require('chalk');
 const { CE_URL } = require('../../constants/constants');
 const common = require('../../common/fail');
+const i18n = require('i18n');
 const processAuditReport = (config, results) => {
     let severityCounts = {};
     if (results !== undefined) {
@@ -66,8 +67,8 @@ const formatScaServicesReport = (config, results) => {
         console.log(table.toString() + '\n');
         printVulnInfo(projectOverviewCount);
         if (config.host !== CE_URL) {
-            console.log('\n' + chalk.bold('View your full dependency tree in Contrast:'));
-            console.log(`${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`);
+            console.log('\n' + chalk.bold(i18n.__('auditServicesMessageForTS')));
+            console.log(`${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs`);
         }
         return projectOverviewCount;
     }

package/dist/scaAnalysis/common/scaParserForGoAndJava.js

@@ -11,7 +11,7 @@ const parseDependenciesForSCAServices = dependencyTreeObject => {
                 group: unParsedDependencyTree[dependency].group,
                 version: unParsedDependencyTree[dependency].version,
                 directDependency: unParsedDependencyTree[dependency].type === 'direct',
-                isProduction: true,
+                productionDependency: true,
                 dependencies: subDeps
             };
             parsedDependencyTree[dependency] = parsedDependency;

package/dist/scaAnalysis/common/scaServicesUpload.js

@@ -13,6 +13,9 @@ const scaTreeUpload = async (analysis, config) => {
             version: APP_VERSION
         }
     };
+    if (config.branch) {
+        requestBody.branchName = config.branch;
+    }
     const client = commonApi.getHttpClient(config);
     const reportID = await client
         .scaServiceIngest(requestBody, config)
@@ -27,26 +30,30 @@ const scaTreeUpload = async (analysis, config) => {
         .catch(err => {
         throw err;
     });
-    console.log(' polling report');
+    if (config.debug) {
+        console.log(' polling report', reportID);
+    }
     let keepChecking = true;
     let res;
     while (keepChecking) {
         res = await client.scaServiceReportStatus(config, reportID).then(res => {
-            console.log(res.statusCode);
-            console.log(res.body);
-            if (res.body.status == 'COMPLETED') {
+            if (config.debug) {
+                console.log(res.statusCode);
+                console.log(res.body);
+            }
+            if (res.body.status === 'COMPLETED') {
                 keepChecking = false;
                 return client.scaServiceReport(config, reportID).then(res => {
-                    return res.body;
+                    return [res.body, reportID];
                 });
             }
         });
         if (!keepChecking) {
-            return res;
+            return [res, reportID];
         }
         await requestUtils.sleep(5000);
     }
-    return res;
+    return [res, reportID];
 };
 module.exports = {
     scaTreeUpload

package/dist/scaAnalysis/javascript/scaServiceParser.js

@@ -20,7 +20,7 @@ const npmCreateDepTree = (dependencyTree, combinedPackageJSONDep, packageLock, r
             name: key,
             version: getResolvedVersion(key, packageLock),
             group: null,
-            isProduction: checkIfInPackageJSON(rawNode.packageJSON.dependencies, key),
+            productionDependency: checkIfInPackageJSON(rawNode.packageJSON.dependencies, key),
             directDependency: checkIfInPackageJSON(combinedPackageJSONDep, key),
             dependencies: createNPMChildDependencies(packageLock, key)
         };
@@ -35,7 +35,7 @@ const yarnCreateDepTree = (dependencyTree, combinedPackageJSONDep, packageLock,
             name: gav,
             version: getResolvedVersion(key, packageLock),
             group: null,
-            isProduction: checkIfInPackageJSON(rawNode.packageJSON.dependencies, nag),
+            productionDependency: checkIfInPackageJSON(rawNode.packageJSON.dependencies, nag),
             directDependency: checkIfInPackageJSON(combinedPackageJSONDep, nag),
             dependencies: createChildDependencies(packageLock, key)
         };

package/dist/scaAnalysis/php/phpNewServicesMapper.js

@@ -5,7 +5,7 @@ const parsePHPLockFileForScaServices = phpLockFile => {
     const packagesDev = keyBy(phpLockFile['packages-dev'], 'name');
     return merge(buildDepTree(packages, true), buildDepTree(packagesDev, false));
 };
-const buildDepTree = (packages, isProduction) => {
+const buildDepTree = (packages, productionDependency) => {
     const dependencyTree = {};
     for (const packagesKey in packages) {
         const currentObj = packages[packagesKey];
@@ -16,7 +16,7 @@ const buildDepTree = (packages, isProduction) => {
             name: name,
             version: currentObj.version,
             directDependency: true,
-            isProduction: isProduction,
+            productionDependency: productionDependency,
             dependencies: []
         };
         const mergedChildDeps = merge(buildSubDepsIntoFlatStructure(currentObj.require), buildSubDepsIntoFlatStructure(currentObj['require-dev']));
@@ -39,7 +39,7 @@ const buildSubDepsIntoFlatStructure = childDeps => {
             name: name,
             version: version,
             directDependency: false,
-            isProduction: false,
+            productionDependency: false,
             dependencies: []
         };
     }

package/dist/scaAnalysis/python/analysis.js

@@ -32,7 +32,7 @@ const scaPythonParser = pythonDependencies => {
         pythonParsedDeps[key].version = pythonDependencies[key].version.replace('==', '');
         pythonParsedDeps[key].group = null;
         pythonParsedDeps[key].name = key;
-        pythonParsedDeps[key].isProduction = true;
+        pythonParsedDeps[key].productionDependency = true;
         pythonParsedDeps[key].dependencies = [];
         pythonParsedDeps[key].directDependency = true;
     }

package/dist/scaAnalysis/repoMode/gradleParser.js

@@ -0,0 +1,75 @@
+"use strict";
+const g2js = require('gradle-to-js/lib/parser');
+const readBuildGradleFile = async (project) => {
+    const gradleFilePath = project.cwd + '/build.gradle';
+    return await g2js.parseFile(gradleFilePath);
+};
+const filterGav = (groupId, artifactId, version, gradleJson) => {
+    if (groupId === '') {
+        if (artifactId.includes(':')) {
+            groupId = artifactId.split(':')[0].replace("'", '');
+        }
+    }
+    if (version === '') {
+        if (artifactId.includes(':')) {
+            artifactId.split(':').length > 2
+                ? (version = artifactId.split(':')[2].replace("'", ''))
+                : (version = null);
+        }
+    }
+    if (artifactId.split(':').length > 1) {
+        artifactId = artifactId.split(':')[1].replace("'", '');
+    }
+    if (version === null) {
+        version = getVersion(gradleJson, groupId);
+    }
+    return { groupId, artifactId, version };
+};
+const parseGradleJson = gradleJson => {
+    let deps = gradleJson.dependencies;
+    let dependencyTree = {};
+    if (deps === undefined) {
+        console.log('Unable to find any dependencies in your project file.');
+        process.exit(0);
+    }
+    for (let a in deps) {
+        let dependencyType = deps[a].type;
+        if (dependencyType === 'implementation') {
+            let groupId = deps[a].group;
+            let artifactId = deps[a].name;
+            let version = deps[a].version;
+            let filteredGav = filterGav(groupId, artifactId, version, gradleJson);
+            let depName = filteredGav.groupId +
+                '/' +
+                filteredGav.artifactId +
+                '@' +
+                filteredGav.version;
+            let parsedDependency = {
+                name: filteredGav.artifactId,
+                group: filteredGav.groupId,
+                version: filteredGav.version,
+                directDependency: true,
+                isProduction: true,
+                dependencies: []
+            };
+            dependencyTree[depName] = parsedDependency;
+        }
+    }
+    return dependencyTree;
+};
+const getVersion = (gradleJson, dependencyWithoutVersion) => {
+    let parentVersion = gradleJson.plugins[0].version;
+    let parentGroupName = gradleJson.plugins[0].id;
+    if (parentGroupName === dependencyWithoutVersion) {
+        return parentVersion;
+    }
+    else {
+        return null;
+    }
+};
+module.exports = {
+    readBuildGradleFile,
+    parseGradleJson,
+    getVersion,
+    filterGav
+};

package/dist/scaAnalysis/repoMode/index.js

@@ -0,0 +1,21 @@
+"use strict";
+const mavenParser = require('./mavenParser');
+const gradleParser = require('./gradleParser');
+const { determineProjectTypeAndCwd } = require('../java/analysis');
+const buildRepo = async (config, languageFiles) => {
+    const project = determineProjectTypeAndCwd(languageFiles.JAVA, config);
+    if (project.projectType === 'maven') {
+        let jsonPomFile = mavenParser.readPomFile(project);
+        mavenParser.parsePomFile(jsonPomFile);
+    }
+    else if (project.projectType === 'gradle') {
+        const gradleJson = gradleParser.readBuildGradleFile(project);
+        gradleParser.parseGradleJson(await gradleJson);
+    }
+    else {
+        console.log('Unable to read project files.');
+    }
+};
+module.exports = {
+    buildRepo
+};

package/dist/scaAnalysis/repoMode/mavenParser.js

@@ -0,0 +1,76 @@
+"use strict";
+const fs = require('fs');
+const xml2js = require('xml2js');
+const readPomFile = project => {
+    const mavenFilePath = project.cwd + '/pom.xml';
+    const projectFile = fs.readFileSync(mavenFilePath);
+    let jsonPomFile;
+    xml2js.parseString(projectFile, (err, result) => {
+        if (err) {
+            throw err;
+        }
+        const json = JSON.stringify(result, null);
+        jsonPomFile = JSON.parse(json);
+    });
+    return jsonPomFile;
+};
+const getFromVersionsTag = (dependencyName, versionIdentifier, jsonPomFile) => {
+    let formattedVersion = versionIdentifier.replace(/[{}]/g, '').replace('$', '');
+    if (jsonPomFile.project.properties[0].hasOwnProperty([formattedVersion])) {
+        return jsonPomFile.project.properties[0][formattedVersion][0];
+    }
+    else {
+        return null;
+    }
+};
+const parsePomFile = jsonPomFile => {
+    let dependencyTree = {};
+    let parsedVersion;
+    let dependencies;
+    jsonPomFile.project.hasOwnProperty('dependencies')
+        ? (dependencies = jsonPomFile.project.dependencies[0].dependency)
+        : (dependencies =
+            jsonPomFile.project.dependencyManagement[0].dependencies[0].dependency);
+    for (let x in dependencies) {
+        let dependencyObject = dependencies[x];
+        if (!dependencyObject.hasOwnProperty('version')) {
+            parsedVersion = getVersion(jsonPomFile, dependencyObject);
+        }
+        else {
+            dependencyObject.version[0].includes('${versions.')
+                ? (parsedVersion = getFromVersionsTag(dependencyObject.artifactId[0], dependencyObject.version[0], jsonPomFile))
+                : (parsedVersion = dependencyObject.version[0]);
+        }
+        let depName = dependencyObject.groupId +
+            '/' +
+            dependencyObject.artifactId +
+            '@' +
+            parsedVersion;
+        let parsedDependency = {
+            name: dependencyObject.artifactId[0],
+            group: dependencyObject.groupId[0],
+            version: parsedVersion,
+            directDependency: true,
+            productionDependency: true,
+            dependencies: []
+        };
+        dependencyTree[depName] = parsedDependency;
+    }
+    return dependencyTree;
+};
+const getVersion = (pomFile, dependencyWithoutVersion) => {
+    let parentVersion = pomFile.project.parent[0].version[0];
+    let parentGroupName = pomFile.project.parent[0].groupId[0];
+    if (parentGroupName === dependencyWithoutVersion.groupId[0]) {
+        return parentVersion;
+    }
+    else {
+        return null;
+    }
+};
+module.exports = {
+    readPomFile,
+    getVersion,
+    parsePomFile,
+    getFromVersionsTag
+};

package/dist/scaAnalysis/ruby/analysis.js

@@ -263,25 +263,25 @@ const removeRedundantAndPopulateDefinedElements = deps => {
             delete element.remote;
             delete element.platform;
             element.group = null;
-            element.isProduction = true;
+            element.productionDependency = true;
         }
         if (element.sourceType === 'GEM') {
             element.group = null;
-            element.isProduction = true;
+            element.productionDependency = true;
             delete element.sourceType;
             delete element.remote;
             delete element.platform;
         }
         if (element.sourceType === 'PATH') {
             element.group = null;
-            element.isProduction = true;
+            element.productionDependency = true;
             delete element.platform;
             delete element.sourceType;
             delete element.remote;
         }
         if (element.sourceType === 'BUNDLED WITH') {
             element.group = null;
-            element.isProduction = true;
+            element.productionDependency = true;
             delete element.sourceType;
             delete element.remote;
             delete element.branch;

package/dist/scan/help.js

@@ -1,7 +1,7 @@
 "use strict";
 const commandLineUsage = require('command-line-usage');
 const i18n = require('i18n');
-const constants = require('../constants');
+const constants = require('../cliConstants');
 const { commonHelpLinks } = require('../common/commonHelp');
 const scanUsageGuide = commandLineUsage([
     {

package/dist/scan/scanConfig.js

@@ -1,6 +1,6 @@
 "use strict";
 const paramHandler = require('../utils/paramsUtil/paramHandler');
-const constants = require('../constants.js');
+const constants = require('../cliConstants.js');
 const path = require('path');
 const { supportedLanguagesScan } = require('../constants/constants');
 const i18n = require('i18n');

package/dist/utils/commonApi.js

@@ -18,6 +18,7 @@ const handleResponseErrors = (res, api) => {
         maxAppError();
     }
     else {
+        console.log(res.statusCode);
         genericError(res);
     }
 };

package/dist/utils/settingsHelper.js

@@ -0,0 +1,24 @@
+"use strict";
+const commonApi = require('./commonApi');
+const { getMode } = require('./generalAPI');
+const { SAAS, MODE_BUILD } = require('../constants/constants');
+const getSettings = async (config) => {
+    config.isEOP = (await getMode(config)).toUpperCase() === SAAS ? false : true;
+    config.mode = MODE_BUILD;
+    config.scaServices = await isSCAServicesAvailable(config);
+    return config;
+};
+const isSCAServicesAvailable = async (config) => {
+    const client = commonApi.getHttpClient(config);
+    return client
+        .scaServiceIngests(config)
+        .then(res => {
+        return res.statusCode !== 403;
+    })
+        .catch(err => {
+        console.log(err);
+    });
+};
+module.exports = {
+    getSettings
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "1.0.14",
+  "version": "1.0.16",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -56,6 +56,7 @@
     "conf": "^10.1.2",
     "dotenv": "^16.0.0",
     "fast-glob": "^3.2.11",
+    "gradle-to-js": "^2.0.1",
     "i18n": "^0.14.2",
     "js-yaml": "^4.1.0",
     "lodash": "^4.17.21",

package/src/audit/languageAnalysisEngine/sendSnapshot.js

@@ -29,11 +29,7 @@ const getTimeout = config => {
   }
 }
 
-const pollForSnapshotCompletition = async (
-  config,
-  snapshotId,
-  reportSpinner
-) => {
+const pollForSnapshotCompletion = async (config, snapshotId, reportSpinner) => {
   const client = commonApi.getHttpClient(config)
   const startTime = performance.now()
   const timeout = getTimeout(config)
@@ -76,5 +72,5 @@ const pollForSnapshotCompletition = async (
 }
 
 module.exports = {
-  pollForSnapshotCompletition: pollForSnapshotCompletition
+  pollForSnapshotCompletion
 }

package/src/audit/report/commonReportingFunctions.js

@@ -256,13 +256,7 @@ function buildBody(cveArray, advice) {
 function getIssueRow(cveArray) {
   orderByHighestPriority(cveArray)
   const cveMessagesList = getIssueCveMsgList(cveArray)
-  const cveNumbers = getSeverityCounts(cveArray)
-  const numAndSeverityTypeDesc = getNumOfAndSeverityType(cveNumbers)
-  return [
-    chalk.bold('Issue'),
-    ':',
-    `${numAndSeverityTypeDesc} ${cveMessagesList.join(', ')}`
-  ]
+  return [chalk.bold('Issue'), ':', `${cveMessagesList.join(', ')}`]
 }
 
 function gatherRemediationAdvice(guidance, libraryName, libraryVersion) {
@@ -282,21 +276,6 @@ function buildFormattedHeaderNum(contrastHeaderNum) {
   return `CONTRAST-${contrastHeaderNum.toString().padStart(3, '0')}`
 }
 
-function getNumOfAndSeverityType(cveNumbers) {
-  const { critical, high, medium, low, note } = cveNumbers
-
-  const criticalMsg = critical > 0 ? `${critical} Critical | ` : ''
-  const highMsg = high > 0 ? `${high} High | ` : ''
-  const mediumMsg = medium > 0 ? `${medium} Medium | ` : ''
-  const lowMsg = low > 0 ? `${low} Low | ` : ''
-  const noteMsg = note > 0 ? `${note} Note` : ''
-
-  //removes/trims whitespace to single spaces
-  return `${criticalMsg} ${highMsg} ${mediumMsg} ${lowMsg} ${noteMsg}`
-    .replace(/\s+/g, ' ')
-    .trim()
-}
-
 const buildFooter = reportModelStructure => {
   const { critical, high, medium, low, note } =
     countVulnerableLibrariesBySeverity(reportModelStructure)
@@ -424,7 +403,6 @@ module.exports = {
   getIssueRow,
   gatherRemediationAdvice,
   buildFormattedHeaderNum,
-  getNumOfAndSeverityType,
   getIssueCveMsgList,
   getSeverityCounts,
   printNoVulnFoundMsg,

package/src/audit/save.js

@@ -8,7 +8,7 @@ const {
   SBOM_SPDX_FILE
 } = require('../constants/constants')
 
-async function auditSave(config) {
+async function auditSave(config, reportId) {
   let fileFormat
   switch (config.save) {
     case null:
@@ -23,11 +23,19 @@ async function auditSave(config) {
   }
 
   if (fileFormat) {
-    save.saveFile(
-      config,
-      fileFormat,
-      await sbom.generateSbom(config, fileFormat)
-    )
+    if (config.experimental) {
+      save.saveFile(
+        config,
+        fileFormat,
+        await sbom.generateSCASbom(config, fileFormat, reportId)
+      )
+    } else {
+      save.saveFile(
+        config,
+        fileFormat,
+        await sbom.generateSbom(config, fileFormat)
+      )
+    }
     const filename = `${config.applicationId}-sbom-${fileFormat}.json`
     if (fs.existsSync(filename)) {
       console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`)