@contrast/contrast 1.0.16 → 1.0.18

package/dist/constants/locales.js

@@ -3,19 +3,11 @@ const { lambda } = require('./lambda');
 const chalk = require('chalk');
 const en_locales = () => {
     return {
-        successHeader: 'SUCCESS',
-        snapshotSuccessMessage: 'Please go to the Contrast UI to view your dependency tree.',
         snapshotFailureHeader: 'FAIL',
         snapshotFailureMessage: 'Library analysis failed',
-        snapshotHostMessage: "No host supplied. Using default host 'app.contrastsecurity.com'. Please ensure this is correct.",
-        vulnerabilitiesSuccessMessage: 'Vulnerability data successfully retrieved',
         vulnerabilitiesFailureMessage: 'Unable to retrieve library vulnerabilities',
-        catchErrorMessage: 'Contrast UI error: ',
         dependenciesNote: 'Please Note: We currently only support projects with one .csproj AND *.package.lock.json',
-        languageAnalysisFailureMessage: 'SCA audit Failure',
-        languageAnalysisFactoryFailureHeader: 'FAIL',
         libraryAnalysisError: 'Please ensure the language parameter is set in accordance to the language specified on the project path.\nContrast CLI must be run in the same directory as the project manifest file OR the project_path parameter must be used to identify the directory containing the project manifest file.\n\nFor further information please read our usage guide, which can be accessed with the following command:\n\ncontrast-cli --help',
-        yamlMissingParametersHeader: 'Missing Parameters',
         genericErrorMessage: 'An error has occur please check your command again. For more information use the --help commands.',
         unauthenticatedErrorHeader: '401 error - Unauthenticated',
         unauthenticatedErrorMessage: 'Please check the following keys are correct:\n--organization-id, --api-key or --authorization',
@@ -26,87 +18,47 @@ const en_locales = () => {
         forbiddenRequestErrorMessage: 'You do not have permission to access this server.',
         proxyErrorHeader: '407 error - Proxy Authentication Required',
         proxyErrorMessage: 'Please provide valid authentication credentials for the proxy server.',
-        catalogueSuccessCommand: 'Application Created',
-        dotnetAnalysisFailure: '.NET analysis failed because: ',
-        dotnetReadLockfile: 'Failed to read the lock file @ %s because: ',
-        dotnetParseLockfile: "Failed to parse .NET lock file @ '%s' because: ",
-        dotnetParseProjectFile: "Failed to parse MSBuild project file @ '%s' because: ",
-        dotnetReadProjectFile: 'Failed to read the project file @ "%s" because: ',
-        javaAnalysisError: 'JAVA analysis failed because: ',
         javaParseProjectFile: 'Failed to parse mvn output because: ',
-        languageAnalysisMultipleLanguages1: 'Identified multiple languages for the project\n',
-        languageAnalysisMultipleLanguages2: 'Please specify which project file you would like analyzed with the %s CLI option.',
-        languageAnalysisProjectFiles: "Identified project language as '%s' but found multiple project files: %s. Please specify which project file you would like analyzed with the %s CLI option.",
         languageAnalysisHasNoLockFile: "Identified project language as '%s' but no project lock file was found.",
         languageAnalysisHasNoPackageJsonFile: 'Identified project language as javascript but no package.json file was found.',
         languageAnalysisHasMultipleLockFiles: "Identified project language as '%s' but multiple project lock files were found.",
         languageAnalysisProjectFileError: "Identified project language as '%s' but no project file was found.",
-        languageAnalysisProjectRootFileNameReadError: 'Failed to read the contents of the directory @ %s because: ',
-        languageAnalysisProjectRootFileNameMissingError: "%s isn't a file or directory",
         languageAnalysisProjectRootFileNameFailure: 'Failed to get information about the file or directory @ %s because: ',
-        languageAnalysisFailure: ' analysis failed because: ',
         languageAnalysisNoLanguage: 'We cannot detect a project, use -f <path> to specify a file or folder to analyze.',
         languageAnalysisNoLanguageHelpLine: `${chalk.bold('contrast audit --help')} for more information.`,
-        NodeAnalysisFailure: 'NODE analysis failed because: ',
-        phpAnalysisFailure: 'PHP analysis failed because: ',
         NodeParseNPM: 'Failed to parse NODE package-lock.json file because: ',
         phpParseComposerLock: "Failed to parse PHP composer.lock file @ '%s' because: ",
-        NodeReadNpmError: 'Failed to read the package-lock.json file @ "%s" because: ',
-        phpReadError: 'Failed to read the composer.lock file @ "%s" because: ',
         NodeParseYarn: 'Failed to parse yarn.lock version %s because: ',
         NodeParseYarn2: "Failed to parse Node yarn.lock version 2 @ '%s' because: ",
-        nodeReadProjectFileError: 'Failed to read the NODE project file @ "%s" because: ',
-        phpReadProjectFileError: 'Failed to read the PHP project file @ "%s" because: ',
         nodeReadYarnLockFileError: 'Failed to read the yarn.lock file @ "%s" because: ',
-        pythonAnalysisEngineError: 'Python analysis failed because: ',
-        pythonAnalysisEnginePipError: "Failed to parse python Pipfile.lock file @ '%s' because: ",
-        pythonAnalysisParseProjectFileError: 'Failed to parse python output "%s" because: ',
-        pythonAnalysisReadPipFileError: 'Failed to read the python Pipfile.lock file @ "%s" because: ',
-        pythonAnalysisReadPythonProjectFileError: 'Failed to read the python pipfile @ "%s" because: ',
-        rubyAnalysisEngineError: 'Ruby analysis failed because: ',
-        rubyAnalysisEngineParsedGemFileError: 'Failed to parse ruby output "%s" because: ',
-        rubyAnalysisEngineParsedGemLockFileError: 'Failed to parse ruby Gemfile.lock output because: ',
-        rubyAnalysisEngineReadGemFileError: 'Failed to read the ruby project file @ "%s" because: ',
-        rubyAnalysisEngineReadGemLockFileError: 'Failed to read the ruby Gemfile.lock @ "%s" because: ',
         constantsOptional: '(optional)',
-        constantsOptionalForCatalogue: '(optional for catalogue)',
         constantsRequired: '(required)',
-        constantsRequiredCatalogue: '(required for catalogue)',
+        constantsRequiredEnterprise: '(required for Contrast Enterprise)',
         constantsApiKey: 'An agent API key as provided by Contrast UI',
-        constantsAuthorization: 'Authorization credentials as provided by Contrast UI',
-        constantsOrganizationId: 'The ID of your organization',
-        constantsApplicationId: 'The ID of the application cataloged by Contrast UI',
-        constantsHostId: 'Provide the name of the host and optionally the port expressed as "<host>:<port>".',
-        constantsApplicationName: 'The name of the application cataloged by Contrast UI',
-        constantsCatalogueApplication: 'Provide this if you want to catalogue an application',
+        constantsAuthorization: 'An authorization header as provided by Contrast UI',
+        constantsOrganizationId: 'The ID of your organization as provided by Contrast UI',
+        constantsApplicationId: 'The ID of the application as provided by Contrast UI',
+        constantsHostId: 'host name e.g. https://app.contrastsecurity.com',
+        constantsApplicationName: 'The name of the application as provided by Contrast UI',
         failOptionErrorMessage: ' FAIL - CVEs have been detected that match at least the cve_severity option specified.',
         failOptionMessage: ' Use with contrast scan or contrast audit. Detects failures based on the severity level specified with the --severity command. For example, "contrast scan --fail --severity high". Returns all failures if no severity level is specified.',
-        constantsLanguage: 'Valid values are JAVA, DOTNET, NODE, PYTHON and RUBY. If there are multiple project configuration files in the project_path, language is also required.  Also, provide this when cataloguing an application',
         constantsFilePath: `Specify a directory or the file where dependencies are declared. (By default, CodeSec will search for project files in the current directory.)`,
-        constantsSilent: 'Silences JSON output.',
-        constantsAppGroups: 'Assign your application to one or more pre-existing groups when using the catalogue command. Group lists should be comma separated.',
-        constantsVersion: 'Displays CLI Version you are currently on.',
-        constantsProxyServer: 'Allows for connection via a proxy server. If authentication is required please provide the username and password with the protocol, host and port. For instance: "http://username:password@<host>:<port>".',
-        constantsHelp: 'Display this usage guide.',
+        constantsAppGroups: 'Assign your application to one or more pre-existing groups when on boarding an application. Group lists should be comma separated.',
+        constantsProxyServer: 'Allows for connection via a proxy server. If authentication is required please provide the username and password with the protocol, host and port. For instance: "https://username:password@<host>:<port>".',
         constantsGradleMultiProject: 'Specify the sub project within your gradle application.',
-        constantsScan: 'Upload java binaries to the static scan service',
-        constantsDoNotWaitForScan: 'Do not wait for the result of the scan',
+        constantsDoNotWaitForScan: 'Fire and forget. Do not wait for the result of the scan.',
         constantsProjectName: 'Contrast project name. If not specified, Contrast uses contrast.settings to identify the project or creates a project.',
         constantsProjectId: 'The ID associated with a scan project. Replace <ProjectID> with the ID for the scan project. To find the ID, select a scan project in Contrast and locate the last number in the URL.',
-        constantsReport: 'Display vulnerability information for this application',
-        constantsFail: 'Set the process to fail if this option is set in combination with --cve_severity.',
         failThresholdOptionErrorMessage: 'More than 0 vulnerabilities found',
         failSeverityOptionErrorMessage: ' FAIL - Results detected vulnerabilities over accepted severity level',
         constantsSeverity: 'Use with "contrast scan --fail --severity high" or "contrast audit --fail --severity high". Set the severity level to detect vulnerabilities or dependencies. Severity levels are critical, high, medium, low or note.',
-        constantsCount: 'The number of CVEs that must be exceeded to fail a build',
-        constantsHeader: 'CodeSec by Contrast Security',
+        constantsHeader: 'Contrast CLI',
         configHeader2: 'Config options',
         clearHeader: '-c, --clear',
         clearContent: 'Removes stored credentials',
         constantsPrerequisitesContentScanLanguages: 'Java, Javascript and .NET supported',
         constantsContrastContent: 'Use the ‘contrast’ command for fast and accurate security analysis of your applications, APIs, serverless functions, and libraries.',
         constantsContrastCategories: '\n Code: Java, .NET, .NET Core, JavaScript\n Serverless: AWS Lambda - Java, Python\n Libraries: Java, .NET, Node, Ruby, Python, Go, PHP\n',
-        constantsUsageGuideContentRecommendation: 'Our recommendation is that this is invoked as part of a CI pipeline so that running the cli is automated as part of your build process.',
         constantsPrerequisitesHeader: 'Pre-requisites',
         constantsAuthUsageHeader: 'Usage',
         constantsAuthUsageContents: 'contrast auth',
@@ -120,38 +72,26 @@ const en_locales = () => {
         constantsUsageCommandExample: 'contrast [command] [options]',
         constantsUsageCommandInfo: 'The file argument is optional. If no file is given, Contrast will search for a .jar, .war, .exe or .zip file in the working directory.\n',
         constantsUsageCommandInfo24Hours: 'Submitted files are encrypted during upload and deleted in 24 hours.',
-        constantsAnd: 'AND',
-        constantsJava: 'AND Maven build platform, including the dependency plugin. For a Gradle project, use build.gradle. A gradle-wrapper.properties file is also required. Kotlin is also supported requiring a build.gradle.kts file.',
-        constantsJavaNote: 'Note: Running "mvn dependency:tree" or "./gradlew dependencies" in the project directory locally must be successful.',
-        constantsJavaNoteGradle: 'We currently support v4.8 and upwards on Gradle projects',
-        constantsDotNet: 'MSBuild 15.0 or greater and have a packages.lock.json file are supported.',
-        constantsDotNetNote: 'Please Note: If the packages.lock.json file is not in place it can be generated by setting RestorePackagesWithLockFile to true within each *.csproj and running dotnet build',
-        constantsNode: '%s AND a lock file either %s or %s',
-        constantsRuby: 'gemfile AND gemfile.lock',
-        constantsPython: 'pipfile AND pipfile.lock',
-        constantsHowToRunHeader: 'How to run:',
-        constantsHowToRunDev1: 'Begin with contrast auth to authenticate the CLI to perform actions',
-        constantsHowToRunDev2: 'After successful auth try the following command: contrast scan -f "<file>"',
         constantsHowToRunDev3: 'Allowable languages are java (.jar and .war) and javascript (.js or .zip), if the language is not autodetected please use --language to specify',
         constantsOptions: 'Options',
-        constantsSpecialCharacterWarning: 'Please Note: Parameters may need to be quoted to avoid issues with special characters.',
         constantsProxyKey: 'Path to the Certificate Key',
         constantsProxyCert: 'Path to the Cert file',
         constantsProxyCaCert: 'Path to the CaCert file',
         goReadProjectFile: 'Failed to read the project file @ "%s" because: "%s"',
-        mavenDependencyTreeNonZero: 'Building maven dependancy tree failed with a non 0 exit code',
+        mavenDependencyTreeNonZero: 'Building maven dependency tree failed with a non 0 exit code',
         gradleWrapperUnavailable: 'Gradle wrapper not found in root of project. Please ensure gradlew or gradlew.bat is in root of the project.',
-        gradleDependencyTreeNonZero: "Building gradle dependancy tree failed with a non 0 exit code. \n Please check you have the correct version of Java installed to compile your project? \n If running against a muti module project ensure you are using the '--sub-project' flag",
+        gradleDependencyTreeNonZero: "Building gradle dependency tree failed with a non 0 exit code. \n Please check you have the correct version of Java installed to compile your project? \n If running against a muti module project ensure you are using the '--sub-project' flag",
         constantsMetadata: 'Define a set of key=value pairs (which conforms to RFC 2253) for specifying user-defined metadata associated with the application.',
         constantsTags: 'Apply labels to an application. Labels must be formatted as a comma-delimited list. Example - label1,label2,label3',
         constantsCode: 'Add the application code this application should use in the Contrast UI',
-        constantsIgnoreCertErrors: 'For EOP users with a local Teamserver install, this will bypass the SSL certificate and recognise a self signed certificate.',
+        constantsMavenSettingsPath: 'Path to maven settings',
+        constantsCertSelfSigned: 'For EOP users with a local Teamserver install, this will bypass the SSL certificate and recognise a self signed certificate.',
         constantsSave: 'Saves the Scan Results SARIF to file.',
         scanLabel: "adds a label to the scan - defaults to 'Started by CLI tool at current date'",
         constantsIgnoreDev: 'Excludes developer dependencies from the results. All dependencies are included by default.',
         constantsCommands: 'Commands',
         constantsScanOptions: 'Scan Options',
-        sbomRetrievalError: 'Unable to retrieve Software Bill of Materials (SBOM)',
+        constantsAdvancedOptions: 'Advanced',
         foundExistingProjectScan: 'Found existing project...',
         projectCreatedScan: 'Project created',
         uploadingScan: 'Uploading file to scan.',
@@ -182,8 +122,6 @@ const en_locales = () => {
         configName: 'config',
         helpName: 'help',
         scanOptionsLanguageSummary: 'Valid values are JAVA, JAVASCRIPT and DOTNET',
-        scanOptionsLanguageSummaryOptional: 'Language of file to send for analysis. ',
-        scanOptionsLanguageSummaryRequired: 'If you scan a .zip file or you use the --file option.',
         scanOptionsTimeoutSummary: 'Time in seconds to wait for scan to complete. Default value is 300 seconds.',
         scanOptionsFileNameSummary: 'Path of the file you want to scan. If no file is specified, Contrast searches for a .jar, .war, .exe or .zip file in the working directory.',
         scanOptionsVerboseSummary: ' Returns extended information to the terminal.',
@@ -203,12 +141,8 @@ const en_locales = () => {
             ' to learn more about the capabilities.',
         authWaitingMessage: 'Waiting for auth...',
         authTimedOutMessage: 'Auth Timed out, try again',
-        zipErrorScan: 'We only support zip files for JAVASCRIPT language, please set the flag --language JAVASCRIPT',
-        unknownFileErrorScan: 'Unsupported file selected for Scan.',
         foundScanFile: 'Found: %s',
         foundDetailedVulnerabilities: chalk.bold('%s') + ' | ' + chalk.bold('%s') + ' | %s | %s | %s ',
-        requiredParams: 'All required parameters are not present.',
-        timeoutScan: 'Timeout set to 5 minutes.',
         searchingScanFileDirectory: 'Searching for file to scan from %s...',
         searchingAuditFileDirectory: 'Searching for package manager files from %s...',
         scanHeader: 'Contrast Scan CLI',
@@ -216,11 +150,9 @@ const en_locales = () => {
         lambdaHeader: 'Contrast Lambda CLI',
         lambdaSummary: 'Performs static security scan on an AWS Lambda Function.\nProduces CVE (Vulnerable Dependencies) and Least Privilege violations/remediation results.',
         lambdaUsage: 'contrast lambda --function-name <function> [options]',
-        lambdaPrerequisitesContent: '',
         lambdaPrerequisitesContentLambdaLanguages: 'Supported runtimes: Java & Python',
         lambdaPrerequisitesContentLambdaDescriptionTitle: 'AWS Requirements\n',
         lambdaPrerequisitesContentLambdaDescription: 'Make sure you have the AWS credentials configured on your local environment. \nYou need the following AWS permissions configured on your IAM user:\n   - Lambda: GetFunction, GetLayerVersion, ListFunctions\n   - IAM: GetRolePolicy, GetPolicy, GetPolicyVersion, ListRolePolicies, ListAttachedRolePolicies',
-        scanFileNameOption: '-f, --file',
         lambdaFunctionNameOption: '-f, --function-name',
         lambdaListFunctionsOption: '-l, --list-functions',
         lambdaEndpointOption: '-e, --endpoint-url',
@@ -238,11 +170,9 @@ const en_locales = () => {
         lambdaVerbosSummery: 'Returns extended information to the terminal.',
         configNotFound: 'Configuration details not found. Try authenticating by using ‘contrast auth’.',
         redirectAuth: '\nOpening the authentication page in your web browser.\nSign in and complete the steps.\nReturn here to start using Contrast.\n\nIf your browser has trouble loading, try this:\n%s \n',
-        scanZipError: 'A .zip archive can be used for Javascript Scan. Archive found %s does not contain .JS files for Scan.',
         fileNotExist: 'File specified does not exist, please check and try again.',
         scanFileIsEmpty: 'File specified is empty. Please choose another.',
         fileHasWhiteSpacesError: 'File cannot have spaces, please rename or choose another file to Scan.',
-        zipFileException: 'Error reading zip file',
         connectionError: 'An error has occurred when trying to get the Project Id please check your internet connection or provide the Project Id manually',
         internalServerErrorHeader: '500 error - Internal server error',
         resourceLockedErrorHeader: '423 error - Resource is locked',
@@ -271,20 +201,19 @@ const en_locales = () => {
         scanNoVulnerabilitiesFoundGoodWork: '   Keep up the good work.',
         scanNoFiletypeSpecifiedForSave: 'Please specify file type to save results to, accepted value is SARIF',
         auditSBOMSaveSuccess: '\n Software Bill of Materials (SBOM) saved successfully',
-        auditNoFiletypeSpecifiedForSave: `\n ${chalk.yellow.bold('No file type specified for --save option to save audit results to. Use audit --help to see valid --save options.')}`,
         auditBadFiletypeSpecifiedForSave: `\n ${chalk.yellow.bold('Bad file type specified for --save option. Use audit --help to see valid --save options.')}`,
         auditServicesMessageForTS: 'View your vulnerable library list or full dependency tree in Contrast:',
-        auditReportWaiting: 'Waiting for report...',
-        auditReportFail: 'Report Retrieval Failed, please try again',
-        auditReportSuccessMessage: 'Report successfully retrieved',
         auditReportFailureMessage: 'Unable to generate library report',
         auditSCAAnalysisBegins: 'Contrast SCA audit started',
         auditSCAAnalysisComplete: 'Contrast audit complete',
-        commonHelpHeader: 'Need More Help?',
+        commonHelpHeader: 'Need More Help? NEW users',
+        commonHelpEnterpriseHeader: 'Existing Contrast Licensed user?',
         commonHelpCheckOutHeader: chalk.hex('#9DC184')('Check out:'),
         commonHelpCheckOutText: ' https://support.contrastsecurity.com',
         commonHelpLearnMoreHeader: chalk.hex('#9DC184')('Learn more at:'),
-        commonHelpLearnMoreText: ' https://developer.contrastsecurity.com',
+        commonHelpLearnMoreEnterpriseHeader: chalk.hex('#9DC184')('Read our docs:'),
+        commonHelpLearnMoreText: ' https://www.contrastsecurity.com/developer ',
+        commonHelpLearnMoreEnterpriseText: ' https://docs.contrastsecurity.com/en/run-contrast-cli.html ',
         commonHelpJoinDiscussionHeader: chalk.hex('#9DC184')('Join the discussion:'),
         commonHelpJoinDiscussionText: ' https://dev.to/codesec',
         ...lambda

package/dist/lambda/help.js

@@ -81,6 +81,7 @@ const lambdaUsageGuide = (0, command_line_usage_1.default)([
             { name: i18n_1.default.__('lambdaHelpOption'), summary: i18n_1.default.__('helpSummary') }
         ]
     },
-    (0, commonHelp_1.commonHelpLinks)()
+    (0, commonHelp_1.commonHelpLinks)()[0],
+    (0, commonHelp_1.commonHelpLinks)()[1]
 ]);
 exports.lambdaUsageGuide = lambdaUsageGuide;

package/dist/lambda/lambda.js

@@ -23,7 +23,7 @@ const oraWrapper_1 = __importDefault(require("../utils/oraWrapper"));
 const analytics_1 = require("./analytics");
 const types_1 = require("./types");
 const constants_2 = require("../constants/constants");
-const chalk_1 = __importDefault(require("chalk"));
+const commonHelp_1 = require("../common/commonHelp");
 const failedStates = [
     'UNSUPPORTED',
     'EXCLUDED',
@@ -110,7 +110,7 @@ const processLambda = async (argv) => {
         }
         await (0, analytics_1.postAnalytics)(endCommandAnalytics).catch((error) => {
         });
-        postRunMessage();
+        (0, commonHelp_1.postRunMessage)('lambda');
         if (errorMsg) {
             process.exit(1);
         }
@@ -193,8 +193,3 @@ const handleLambdaHelp = () => {
     printHelpMessage();
     process.exit(0);
 };
-const postRunMessage = () => {
-    console.log('\n' + chalk_1.default.underline.bold('Other Codesec Features:'));
-    console.log("'contrast scan' to run CodeSec’s industry leading SAST scanner");
-    console.log("'contrast audit' to find vulnerabilities in your open source dependencies\n");
-};

package/dist/scaAnalysis/java/analysis.js

@@ -1,8 +1,11 @@
 "use strict";
 const child_process = require('child_process');
+const spawn = require('cross-spawn');
 const path = require('path');
 const i18n = require('i18n');
 const fs = require('fs');
+const readLine = require('readline');
+const paramHandler = require('../../utils/paramsUtil/paramHandler');
 const MAVEN = 'maven';
 const GRADLE = 'gradle';
 const determineProjectTypeAndCwd = (files, config) => {
@@ -23,15 +26,20 @@ const determineProjectTypeAndCwd = (files, config) => {
 };
 const buildMaven = (config, projectData, timeout) => {
     let cmdStdout;
-    let mvn_settings = '';
     try {
+        let command = 'mvn';
+        let args = ['dependency:tree', '-B'];
         if (config.mavenSettingsPath) {
-            mvn_settings = ' -s ' + config.mavenSettingsPath;
+            args.push('-s');
+            args.push(config.mavenSettingsPath);
         }
-        cmdStdout = child_process.execSync('mvn dependency:tree -B' + mvn_settings, {
+        cmdStdout = spawn
+            .sync(command, args, {
+            env: process.env,
             cwd: projectData.cwd,
             timeout
-        });
+        })
+            .stdout.toString();
         return cmdStdout.toString();
     }
     catch (err) {
@@ -103,7 +111,34 @@ const getJavaBuildDeps = (config, files) => {
         console.log(err.message.toString());
     }
 };
+const agreementPrompt = async (config) => {
+    const rl = readLine.createInterface({
+        input: process.stdin,
+        output: process.stdout
+    });
+    return new Promise((resolve, reject) => {
+        rl.question('❔ Do you want to continue? Type Y or N', async (input) => {
+            if (input.toLowerCase() === 'yes' || input.toLowerCase() === 'y') {
+                config.javaAgreement = paramHandler.setAgreement(true);
+                rl.close();
+                resolve(config);
+            }
+            else if (input.toLowerCase() === 'no' || input.toLowerCase() === 'n') {
+                rl.close();
+                resolve(process.exit(1));
+            }
+            else {
+                rl.close();
+                console.log('Invalid Input: Exiting');
+                resolve(process.exit(1));
+            }
+        });
+    }).catch(e => {
+        throw e;
+    });
+};
 module.exports = {
     getJavaBuildDeps,
-    determineProjectTypeAndCwd
+    determineProjectTypeAndCwd,
+    agreementPrompt
 };

package/dist/scaAnalysis/java/index.js

@@ -3,10 +3,13 @@ const analysis = require('./analysis');
 const { parseBuildDeps } = require('./javaBuildDepsParser');
 const { createJavaTSMessage } = require('../common/formatMessage');
 const { parseDependenciesForSCAServices } = require('../common/scaParserForGoAndJava');
-const javaAnalysis = (config, languageFiles) => {
+const chalk = require('chalk');
+const _ = require('lodash');
+const javaAnalysis = async (config, languageFiles) => {
     languageFiles.JAVA.forEach(file => {
         file.replace('build.gradle.kts', 'build.gradle');
     });
+    await getAgreement(config);
     const javaDeps = buildJavaTree(config, languageFiles.JAVA);
     if (config.experimental) {
         return parseDependenciesForSCAServices(javaDeps);
@@ -15,10 +18,19 @@ const javaAnalysis = (config, languageFiles) => {
         return createJavaTSMessage(javaDeps);
     }
 };
+const getAgreement = async (config) => {
+    console.log(chalk.bold('Java project detected'));
+    console.log('Java analysis uses maven / gradle which are potentially susceptible to command injection. Be sure that the code you are running Contrast CLI on is trusted before continuing.');
+    if (!process.env.CI && !config?.javaAgreement) {
+        return await analysis.agreementPrompt(config);
+    }
+    return config;
+};
 const buildJavaTree = (config, files) => {
     const javaBuildDeps = analysis.getJavaBuildDeps(config, files);
     return parseBuildDeps(config, javaBuildDeps);
 };
 module.exports = {
-    javaAnalysis
+    javaAnalysis,
+    getAgreement
 };

package/dist/scan/autoDetection.js

@@ -1,8 +1,16 @@
 "use strict";
 const i18n = require('i18n');
 const fileFinder = require('./fileUtils');
-const rootFile = require('../audit/languageAnalysisEngine/getProjectRootFilenames');
-const path = require('path');
+const autoDetectFingerprintInfo = async (filePath) => {
+    let complexObj = await fileFinder.findAllFiles(filePath);
+    let result = [];
+    let count = 0;
+    complexObj.forEach(i => {
+        count++;
+        result.push({ filePath: i, id: count.toString() });
+    });
+    return result;
+};
 const autoDetectFileAndLanguage = async (configToUse) => {
     const entries = await fileFinder.findFile();
     if (entries.length === 1) {
@@ -43,6 +51,19 @@ const hasWhiteSpace = s => {
     const filename = s.split('/').pop();
     return filename.indexOf(' ') >= 0;
 };
+const dealWithMultiJava = filesFound => {
+    let hasMultiJava = filesFound.filter(data => {
+        return (Object.keys(data)[0] === 'JAVA' &&
+            Object.values(data)[0].includes('build.gradle') &&
+            Object.values(data)[0].includes('pom.xml'));
+    }).length > 0;
+    if (hasMultiJava) {
+        console.log('Multiple Java language dependency files detected');
+        console.log('Please use --file to audit one only. \nExample: contrast audit --file pom.xml');
+        process.exit(1);
+    }
+    return false;
+};
 const errorOnFileDetection = entries => {
     if (entries.length > 1) {
         console.log(i18n.__('searchingDirectoryScan'));
@@ -78,5 +99,7 @@ module.exports = {
     autoDetectFileAndLanguage,
     errorOnFileDetection,
     autoDetectAuditFilesAndLanguages,
-    errorOnAuditFileDetection
+    errorOnAuditFileDetection,
+    autoDetectFingerprintInfo,
+    dealWithMultiJava
 };

package/dist/scan/fileUtils.js

@@ -10,6 +10,28 @@ const findFile = async () => {
         onlyFiles: true
     });
 };
+const findAllFiles = async (filePath) => {
+    const result = await fg([
+        '**/pom.xml',
+        '**/build.gradle',
+        '**/build.gradle.kts',
+        '**/package.json',
+        '**/Pipfile',
+        '**/*.csproj',
+        '**/Gemfile',
+        '**/go.mod'
+    ], {
+        dot: false,
+        deep: 2,
+        onlyFiles: true,
+        absolute: true,
+        cwd: filePath ? filePath : process.cwd()
+    });
+    if (result.length > 0) {
+        return result;
+    }
+    return [];
+};
 const findFilesJava = async (languagesFound, filePath) => {
     const result = await fg(['**/pom.xml', '**/build.gradle', '**/build.gradle.kts'], {
         dot: false,
@@ -136,5 +158,6 @@ module.exports = {
     findFilesPhp,
     findFilesRuby,
     findFilesDotNet,
-    fileIsEmpty
+    fileIsEmpty,
+    findAllFiles
 };

package/dist/scan/help.js

@@ -29,14 +29,21 @@ const scanUsageGuide = commandLineUsage([
             'proxy',
             'help',
             'ff',
-            'ignore-cert-errors',
+            'cert-self-signed',
+            'key',
+            'cacert',
+            'cert',
             'verbose',
             'debug',
-            'experimental',
-            'application-name'
+            'experimental'
         ]
     },
-    commonHelpLinks()
+    {
+        header: i18n.__('constantsAdvancedOptions'),
+        optionList: constants.commandLineDefinitions.scanAdvancedOptionDefinitionsForHelp
+    },
+    commonHelpLinks()[0],
+    commonHelpLinks()[1]
 ]);
 module.exports = {
     scanUsageGuide

package/dist/scan/saveResults.js

@@ -3,7 +3,7 @@ const fs = require('fs');
 const writeResultsToFile = async (responseBody, name = 'results.sarif') => {
     try {
         fs.writeFileSync(name, JSON.stringify(responseBody, null, 2));
-        console.log(`Scan Results saved to ${name}`);
+        return name;
     }
     catch (err) {
         console.log('Error writing Scan Results to file');

package/dist/utils/commonApi.js

@@ -1,6 +1,6 @@
 "use strict";
 const HttpClient = require('./../common/HTTPClient');
-const { badRequestError, unauthenticatedError, forbiddenError, proxyError, genericError, maxAppError } = require('../common/errorHandling');
+const { badRequestError, unauthenticatedError, forbiddenError, proxyError, genericError, maxAppError, snapshotFailureError, vulnerabilitiesFailureError, reportFailureError, parametersError, invalidHostNameError } = require('../common/errorHandling');
 const handleResponseErrors = (res, api) => {
     if (res.statusCode === 400) {
         api === 'catalogue' ? badRequestError(true) : badRequestError(false);
@@ -17,7 +17,22 @@ const handleResponseErrors = (res, api) => {
     else if (res.statusCode === 412) {
         maxAppError();
     }
+    else if (res.statusCode === 301) {
+        invalidHostNameError(res.statusCode);
+    }
+    else if (res.statusCode === 302) {
+        parametersError(res.statusCode);
+    }
     else {
+        if (api === 'snapshot' || api === 'catalogue') {
+            snapshotFailureError();
+        }
+        if (api === 'vulnerabilities') {
+            vulnerabilitiesFailureError();
+        }
+        if (api === 'report') {
+            reportFailureError();
+        }
         console.log(res.statusCode);
         genericError(res);
     }

package/dist/utils/generalAPI.js

@@ -1,7 +1,6 @@
 "use strict";
 const { featuresTeamServer } = require('./capabilities');
 const semver = require('semver');
-const { handleResponseErrors } = require('../common/errorHandling');
 const commonApi = require('./commonApi');
 const { isNil } = require('lodash');
 const getGlobalProperties = async (config) => {
@@ -13,7 +12,7 @@ const getGlobalProperties = async (config) => {
             return res.body;
         }
         else {
-            handleResponseErrors(res, 'globalProperties');
+            commonApi.handleResponseErrors(res, 'globalProperties');
         }
     })
         .catch(err => {

package/dist/utils/paramsUtil/configStoreParams.js

@@ -15,4 +15,15 @@ const getAuth = () => {
     }
     return ContrastConfToUse;
 };
-module.exports = { getAuth: getAuth };
+const getAgreement = () => {
+    const ContrastConf = config.localConfig(APP_NAME, APP_VERSION);
+    let ContrastConfToUse = {};
+    ContrastConfToUse.javaAgreement = ContrastConf.get('javaAgreement');
+    return ContrastConfToUse;
+};
+const setAgreement = agreement => {
+    const ContrastConf = config.localConfig(APP_NAME, APP_VERSION);
+    ContrastConf.set('javaAgreement', agreement);
+    return agreement;
+};
+module.exports = { getAuth, getAgreement, setAgreement };

package/dist/utils/paramsUtil/paramHandler.js

@@ -22,4 +22,10 @@ const getAuth = params => {
         process.exit(1);
     }
 };
-module.exports = { getAuth: getAuth };
+const getAgreement = () => {
+    return configStoreParams.getAgreement();
+};
+const setAgreement = answer => {
+    return configStoreParams.setAgreement(answer);
+};
+module.exports = { getAuth, getAgreement, setAgreement };

package/dist/utils/saveFile.js

@@ -8,7 +8,8 @@ const saveScanFile = async (config, scanResults) => {
         const scanId = scanResults.scanDetail.id;
         const client = commonApi.getHttpClient(config);
         const rawResults = await client.getSpecificScanResultSarif(config, scanId);
-        await saveResults.writeResultsToFile(rawResults?.body);
+        const name = await saveResults.writeResultsToFile(rawResults?.body);
+        console.log(`Scan Results saved to ${name}`);
     }
     else {
         console.log(i18n.__('scanNoFiletypeSpecifiedForSave'));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "1.0.16",
+  "version": "1.0.18",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -54,6 +54,7 @@
     "command-line-args": "^5.2.1",
     "command-line-usage": "^6.1.3",
     "conf": "^10.1.2",
+    "cross-spawn": "^7.0.3",
     "dotenv": "^16.0.0",
     "fast-glob": "^3.2.11",
     "gradle-to-js": "^2.0.1",

package/src/audit/catalogueApplication/catalogueApplication.js

@@ -45,7 +45,7 @@ const tryRetrieveAppIdFromMessages = messages => {
 }
 
 module.exports = {
-  catalogueApplication: catalogueApplication,
+  catalogueApplication,
   doesMessagesContainAppId,
   tryRetrieveAppIdFromMessages
 }