npm - @contrast/contrast - Versions diffs - 1.0.16 → 1.0.17 - Mend

@contrast/contrast 1.0.16 → 1.0.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

package/dist/audit/catalogueApplication/catalogueApplication.js +1 -1
package/dist/cliConstants.js +6 -1
package/dist/commands/audit/auditConfig.js +10 -12
package/dist/commands/audit/auditController.js +12 -16
package/dist/commands/audit/help.js +24 -26
package/dist/commands/audit/processAudit.js +16 -22
package/dist/commands/audit/saveFile.js +3 -9
package/dist/commands/scan/processScan.js +5 -7
package/dist/commands/scan/sca/scaAnalysis.js +104 -88
package/dist/common/commonHelp.js +35 -17
package/dist/common/errorHandling.js +28 -57
package/dist/common/versionChecker.js +24 -27
package/dist/constants/constants.js +1 -1
package/dist/constants/locales.js +6 -3
package/dist/lambda/help.js +2 -1
package/dist/lambda/lambda.js +2 -7
package/dist/scaAnalysis/java/analysis.js +40 -5
package/dist/scaAnalysis/java/index.js +15 -2
package/dist/scan/autoDetection.js +12 -3
package/dist/scan/fileUtils.js +24 -1
package/dist/scan/help.js +2 -1
package/dist/scan/saveResults.js +1 -1
package/dist/utils/commonApi.js +10 -1
package/dist/utils/generalAPI.js +1 -2
package/dist/utils/paramsUtil/configStoreParams.js +12 -1
package/dist/utils/paramsUtil/paramHandler.js +7 -1
package/dist/utils/saveFile.js +2 -1
package/package.json +2 -1
package/src/audit/catalogueApplication/catalogueApplication.js +1 -1
package/src/cliConstants.js +6 -1
package/src/commands/audit/auditConfig.js +19 -0
package/src/commands/audit/{auditController.ts → auditController.js} +17 -12
package/src/commands/audit/{help.ts → help.js} +10 -7
package/src/commands/audit/processAudit.js +37 -0
package/src/commands/audit/{saveFile.ts → saveFile.js} +2 -2
package/src/commands/scan/processScan.js +4 -10
package/src/commands/scan/sca/scaAnalysis.js +134 -116
package/src/common/commonHelp.js +43 -0
package/src/common/{errorHandling.ts → errorHandling.js} +6 -31
package/src/common/{versionChecker.ts → versionChecker.js} +15 -10
package/src/constants/constants.js +1 -1
package/src/constants/locales.js +7 -3
package/src/lambda/help.ts +2 -1
package/src/lambda/lambda.ts +2 -10
package/src/scaAnalysis/java/analysis.js +43 -10
package/src/scaAnalysis/java/index.js +19 -2
package/src/scan/autoDetection.js +14 -3
package/src/scan/fileUtils.js +29 -1
package/src/scan/help.js +2 -1
package/src/scan/saveResults.js +1 -1
package/src/utils/commonApi.js +13 -1
package/src/utils/generalAPI.js +1 -2
package/src/utils/getConfig.ts +1 -0
package/src/utils/paramsUtil/configStoreParams.js +14 -1
package/src/utils/paramsUtil/paramHandler.js +9 -1
package/src/utils/saveFile.js +2 -1
package/src/commands/audit/auditConfig.ts +0 -21
package/src/commands/audit/processAudit.ts +0 -40
package/src/common/commonHelp.ts +0 -13

package/src/lambda/lambda.ts CHANGED Viewed

@@ -17,7 +17,7 @@ import ora from '../utils/oraWrapper'
 import { postAnalytics } from './analytics'
 import { LambdaOptions, AnalyticsOption, StatusType, EventType } from './types'
 import { APP_VERSION } from '../constants/constants'
-import chalk from 'chalk'
+import { postRunMessage } from '../common/commonHelp'
 type ApiParams = {
   organizationId: string
@@ -116,7 +116,7 @@ const processLambda = async (argv: string[]) => {
       /* ignore */
     })
-    postRunMessage()
+    postRunMessage('lambda')
     if (errorMsg) {
       process.exit(1)
@@ -225,12 +225,4 @@ const handleLambdaHelp = () => {
   process.exit(0)
 }
-const postRunMessage = () => {
-  console.log('\n' + chalk.underline.bold('Other Codesec Features:'))
-  console.log("'contrast scan' to run CodeSec’s industry leading SAST scanner")
-  console.log(
-    "'contrast audit' to find vulnerabilities in your open source dependencies\n"
-  )
-}
 export { processLambda, LambdaOptions, ApiParams, getAvailableFunctions }

package/src/scaAnalysis/java/analysis.js CHANGED Viewed

@@ -1,7 +1,10 @@
 const child_process = require('child_process')
+const spawn = require('cross-spawn')
 const path = require('path')
 const i18n = require('i18n')
 const fs = require('fs')
+const readLine = require('readline')
+const paramHandler = require('../../utils/paramsUtil/paramHandler')
 const MAVEN = 'maven'
 const GRADLE = 'gradle'
@@ -29,20 +32,23 @@ const determineProjectTypeAndCwd = (files, config) => {
 const buildMaven = (config, projectData, timeout) => {
   let cmdStdout
-  let mvn_settings = ''
   try {
-    // Allow users to provide a custom location for their settings.xml
+    let command = 'mvn'
+    let args = ['dependency:tree', '-B']
     if (config.mavenSettingsPath) {
-      mvn_settings = ' -s ' + config.mavenSettingsPath
+      args.push('-s')
+      args.push(config.mavenSettingsPath)
     }
-    cmdStdout = child_process.execSync(
-      'mvn dependency:tree -B' + mvn_settings,
-      {
+    // Allow users to provide a custom location for their settings.xml
+    cmdStdout = spawn
+      .sync(command, args, {
+        env: process.env,
         cwd: projectData.cwd,
         timeout
-      }
-    )
+      })
+      .stdout.toString()
     return cmdStdout.toString()
   } catch (err) {
     throw new Error(
@@ -141,7 +147,34 @@ const getJavaBuildDeps = (config, files) => {
   }
 }
+const agreementPrompt = async config => {
+  const rl = readLine.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  })
+  return new Promise((resolve, reject) => {
+    rl.question('❔ Do you want to continue? Type Y or N', async input => {
+      if (input.toLowerCase() === 'yes' || input.toLowerCase() === 'y') {
+        config.javaAgreement = paramHandler.setAgreement(true)
+        rl.close()
+        resolve(config)
+      } else if (input.toLowerCase() === 'no' || input.toLowerCase() === 'n') {
+        rl.close()
+        resolve(process.exit(1))
+      } else {
+        rl.close()
+        console.log('Invalid Input: Exiting')
+        resolve(process.exit(1))
+      }
+    })
+  }).catch(e => {
+    throw e
+  })
+}
 module.exports = {
   getJavaBuildDeps,
-  determineProjectTypeAndCwd
+  determineProjectTypeAndCwd,
+  agreementPrompt
 }

package/src/scaAnalysis/java/index.js CHANGED Viewed

@@ -4,12 +4,16 @@ const { createJavaTSMessage } = require('../common/formatMessage')
 const {
   parseDependenciesForSCAServices
 } = require('../common/scaParserForGoAndJava')
+const chalk = require('chalk')
+const _ = require('lodash')
-const javaAnalysis = (config, languageFiles) => {
+const javaAnalysis = async (config, languageFiles) => {
   languageFiles.JAVA.forEach(file => {
     file.replace('build.gradle.kts', 'build.gradle')
   })
+  await getAgreement(config)
   const javaDeps = buildJavaTree(config, languageFiles.JAVA)
   if (config.experimental) {
@@ -19,11 +23,24 @@ const javaAnalysis = (config, languageFiles) => {
   }
 }
+const getAgreement = async config => {
+  console.log(chalk.bold('Java project detected'))
+  console.log(
+    'Java analysis uses maven / gradle which are potentially susceptible to command injection. Be sure that the code you are running Contrast CLI on is trusted before continuing.'
+  )
+  if (_.isNil(!process.env.CI) && _.isNil(!config.javaAgreement)) {
+    console.log('should print')
+    return await analysis.agreementPrompt(config)
+  }
+  return config
+}
 const buildJavaTree = (config, files) => {
   const javaBuildDeps = analysis.getJavaBuildDeps(config, files)
   return parseBuildDeps(config, javaBuildDeps)
 }
 module.exports = {
-  javaAnalysis
+  javaAnalysis,
+  getAgreement
 }

package/src/scan/autoDetection.js CHANGED Viewed

@@ -1,7 +1,17 @@
 const i18n = require('i18n')
 const fileFinder = require('./fileUtils')
-const rootFile = require('../audit/languageAnalysisEngine/getProjectRootFilenames')
-const path = require('path')
+const autoDetectFingerprintInfo = async filePath => {
+  let complexObj = await fileFinder.findAllFiles(filePath)
+  let result = []
+  let count = 0
+  complexObj.forEach(i => {
+    count++
+    result.push({ filePath: i, id: count.toString() })
+  })
+  return result
+}
 const autoDetectFileAndLanguage = async configToUse => {
   const entries = await fileFinder.findFile()
@@ -88,5 +98,6 @@ module.exports = {
   autoDetectFileAndLanguage,
   errorOnFileDetection,
   autoDetectAuditFilesAndLanguages,
-  errorOnAuditFileDetection
+  errorOnAuditFileDetection,
+  autoDetectFingerprintInfo
 }

package/src/scan/fileUtils.js CHANGED Viewed

@@ -11,6 +11,33 @@ const findFile = async () => {
   })
 }
+const findAllFiles = async filePath => {
+  const result = await fg(
+    [
+      '**/pom.xml',
+      '**/build.gradle',
+      '**/build.gradle.kts',
+      '**/package.json',
+      '**/Pipfile',
+      '**/*.csproj',
+      '**/Gemfile',
+      '**/go.mod'
+    ],
+    {
+      dot: false,
+      deep: 2,
+      onlyFiles: true,
+      absolute: true,
+      cwd: filePath ? filePath : process.cwd()
+    }
+  )
+  if (result.length > 0) {
+    return result
+  }
+  return []
+}
 const findFilesJava = async (languagesFound, filePath) => {
   const result = await fg(
     ['**/pom.xml', '**/build.gradle', '**/build.gradle.kts'],
@@ -159,5 +186,6 @@ module.exports = {
   findFilesPhp,
   findFilesRuby,
   findFilesDotNet,
-  fileIsEmpty
+  fileIsEmpty,
+  findAllFiles
 }

package/src/scan/help.js CHANGED Viewed

@@ -36,7 +36,8 @@ const scanUsageGuide = commandLineUsage([
       'application-name'
     ]
   },
-  commonHelpLinks()
+  commonHelpLinks()[0],
+  commonHelpLinks()[1]
 ])
 module.exports = {

package/src/scan/saveResults.js CHANGED Viewed

@@ -3,7 +3,7 @@ const fs = require('fs')
 const writeResultsToFile = async (responseBody, name = 'results.sarif') => {
   try {
     fs.writeFileSync(name, JSON.stringify(responseBody, null, 2))
-    console.log(`Scan Results saved to ${name}`)
+    return name
   } catch (err) {
     console.log('Error writing Scan Results to file')
   }

package/src/utils/commonApi.js CHANGED Viewed

@@ -5,7 +5,10 @@ const {
   forbiddenError,
   proxyError,
   genericError,
-  maxAppError
+  maxAppError,
+  snapshotFailureError,
+  vulnerabilitiesFailureError,
+  reportFailureError
 } = require('../common/errorHandling')
 const handleResponseErrors = (res, api) => {
@@ -20,6 +23,15 @@ const handleResponseErrors = (res, api) => {
   } else if (res.statusCode === 412) {
     maxAppError()
   } else {
+    if (api === 'snapshot' || api === 'catalogue') {
+      snapshotFailureError()
+    }
+    if (api === 'vulnerabilities') {
+      vulnerabilitiesFailureError()
+    }
+    if (api === 'report') {
+      reportFailureError()
+    }
     console.log(res.statusCode)
     genericError(res)
   }

package/src/utils/generalAPI.js CHANGED Viewed

@@ -1,6 +1,5 @@
 const { featuresTeamServer } = require('./capabilities')
 const semver = require('semver')
-const { handleResponseErrors } = require('../common/errorHandling')
 const commonApi = require('./commonApi')
 const { isNil } = require('lodash')
@@ -12,7 +11,7 @@ const getGlobalProperties = async config => {
       if (res.statusCode === 200) {
         return res.body
       } else {
-        handleResponseErrors(res, 'globalProperties')
+        commonApi.handleResponseErrors(res, 'globalProperties')
       }
     })
     .catch(err => {

package/src/utils/getConfig.ts CHANGED Viewed

@@ -8,6 +8,7 @@ type ContrastConfOptions = Partial<{
   orgId: string
   authHeader: string
   numOfRuns: number
+  javaAgreement: boolean
 }>
 type ContrastConf = Conf<ContrastConfOptions>

package/src/utils/paramsUtil/configStoreParams.js CHANGED Viewed

@@ -16,4 +16,17 @@ const getAuth = () => {
   return ContrastConfToUse
 }
-module.exports = { getAuth: getAuth }
+const getAgreement = () => {
+  const ContrastConf = config.localConfig(APP_NAME, APP_VERSION)
+  let ContrastConfToUse = {}
+  ContrastConfToUse.javaAgreement = ContrastConf.get('javaAgreement')
+  return ContrastConfToUse
+}
+const setAgreement = agreement => {
+  const ContrastConf = config.localConfig(APP_NAME, APP_VERSION)
+  ContrastConf.set('javaAgreement', agreement)
+  return agreement
+}
+module.exports = { getAuth, getAgreement, setAgreement }

package/src/utils/paramsUtil/paramHandler.js CHANGED Viewed

@@ -21,4 +21,12 @@ const getAuth = params => {
   }
 }
-module.exports = { getAuth: getAuth }
+const getAgreement = () => {
+  return configStoreParams.getAgreement()
+}
+const setAgreement = answer => {
+  return configStoreParams.setAgreement(answer)
+}
+module.exports = { getAuth, getAgreement, setAgreement }

package/src/utils/saveFile.js CHANGED Viewed

@@ -8,7 +8,8 @@ const saveScanFile = async (config, scanResults) => {
     const scanId = scanResults.scanDetail.id
     const client = commonApi.getHttpClient(config)
     const rawResults = await client.getSpecificScanResultSarif(config, scanId)
-    await saveResults.writeResultsToFile(rawResults?.body)
+    const name = await saveResults.writeResultsToFile(rawResults?.body)
+    console.log(`Scan Results saved to ${name}`)
   } else {
     console.log(i18n.__('scanNoFiletypeSpecifiedForSave'))
   }

package/src/commands/audit/auditConfig.ts DELETED Viewed

@@ -1,21 +0,0 @@
-import paramHandler from '../../utils/paramsUtil/paramHandler'
-import constants from '../../cliConstants'
-import { getCommandLineArgsCustom } from '../../utils/parsedCLIOptions'
-import { ContrastConf } from '../../utils/getConfig'
-export const getAuditConfig = async (
-  contrastConf: ContrastConf,
-  command: string,
-  argv: string[]
-): Promise<{ [key: string]: string }> => {
-  const auditParameters = await getCommandLineArgsCustom(
-    contrastConf,
-    command,
-    argv,
-    constants.commandLineDefinitions.auditOptionDefinitions
-  )
-  const paramsAuth = paramHandler.getAuth(auditParameters)
-  // @ts-ignore
-  return { ...paramsAuth, ...auditParameters }
-}

package/src/commands/audit/processAudit.ts DELETED Viewed

@@ -1,40 +0,0 @@
-import { getAuditConfig } from './auditConfig'
-import { auditUsageGuide } from './help'
-import { processSca } from '../scan/sca/scaAnalysis'
-import { sendTelemetryConfigAsObject } from '../../telemetry/telemetry'
-import { ContrastConf } from '../../utils/getConfig'
-import chalk from 'chalk'
-export type parameterInput = string[]
-export const processAudit = async (
-  contrastConf: ContrastConf,
-  argv: parameterInput
-) => {
-  if (argv.indexOf('--help') != -1) {
-    printHelpMessage()
-    process.exit(0)
-  }
-  const config = await getAuditConfig(contrastConf, 'audit', argv)
-  await processSca(config)
-  postRunMessage()
-  await sendTelemetryConfigAsObject(
-    config,
-    'audit',
-    argv,
-    'SUCCESS',
-    // @ts-ignore
-    config.language
-  )
-}
-const printHelpMessage = () => {
-  console.log(auditUsageGuide)
-}
-const postRunMessage = () => {
-  console.log('\n' + chalk.underline.bold('Other Codesec Features:'))
-  console.log("'contrast scan' to run CodeSec’s industry leading SAST scanner")
-  console.log("'contrast lambda' to secure your AWS serverless functions\n")
-}

package/src/common/commonHelp.ts DELETED Viewed

@@ -1,13 +0,0 @@
-import i18n from 'i18n'
-export function commonHelpLinks() {
-  return {
-    header: i18n.__('commonHelpHeader'),
-    content: [
-      i18n.__('commonHelpCheckOutHeader') + i18n.__('commonHelpCheckOutText'),
-      i18n.__('commonHelpLearnMoreHeader') + i18n.__('commonHelpLearnMoreText'),
-      i18n.__('commonHelpJoinDiscussionHeader') +
-        i18n.__('commonHelpJoinDiscussionText')
-    ]
-  }
-}