@contrast/contrast 1.0.17 → 1.0.18

package/dist/scaAnalysis/java/index.js

@@ -21,8 +21,7 @@ const javaAnalysis = async (config, languageFiles) => {
 const getAgreement = async (config) => {
     console.log(chalk.bold('Java project detected'));
     console.log('Java analysis uses maven / gradle which are potentially susceptible to command injection. Be sure that the code you are running Contrast CLI on is trusted before continuing.');
-    if (_.isNil(!process.env.CI) && _.isNil(!config.javaAgreement)) {
-        console.log('should print');
+    if (!process.env.CI && !config?.javaAgreement) {
         return await analysis.agreementPrompt(config);
     }
     return config;

package/dist/scan/autoDetection.js

@@ -51,6 +51,19 @@ const hasWhiteSpace = s => {
     const filename = s.split('/').pop();
     return filename.indexOf(' ') >= 0;
 };
+const dealWithMultiJava = filesFound => {
+    let hasMultiJava = filesFound.filter(data => {
+        return (Object.keys(data)[0] === 'JAVA' &&
+            Object.values(data)[0].includes('build.gradle') &&
+            Object.values(data)[0].includes('pom.xml'));
+    }).length > 0;
+    if (hasMultiJava) {
+        console.log('Multiple Java language dependency files detected');
+        console.log('Please use --file to audit one only. \nExample: contrast audit --file pom.xml');
+        process.exit(1);
+    }
+    return false;
+};
 const errorOnFileDetection = entries => {
     if (entries.length > 1) {
         console.log(i18n.__('searchingDirectoryScan'));
@@ -87,5 +100,6 @@ module.exports = {
     errorOnFileDetection,
     autoDetectAuditFilesAndLanguages,
     errorOnAuditFileDetection,
-    autoDetectFingerprintInfo
+    autoDetectFingerprintInfo,
+    dealWithMultiJava
 };

package/dist/scan/help.js

@@ -29,13 +29,19 @@ const scanUsageGuide = commandLineUsage([
             'proxy',
             'help',
             'ff',
-            'ignore-cert-errors',
+            'cert-self-signed',
+            'key',
+            'cacert',
+            'cert',
             'verbose',
             'debug',
-            'experimental',
-            'application-name'
+            'experimental'
         ]
     },
+    {
+        header: i18n.__('constantsAdvancedOptions'),
+        optionList: constants.commandLineDefinitions.scanAdvancedOptionDefinitionsForHelp
+    },
     commonHelpLinks()[0],
     commonHelpLinks()[1]
 ]);

package/dist/utils/commonApi.js

@@ -1,6 +1,6 @@
 "use strict";
 const HttpClient = require('./../common/HTTPClient');
-const { badRequestError, unauthenticatedError, forbiddenError, proxyError, genericError, maxAppError, snapshotFailureError, vulnerabilitiesFailureError, reportFailureError } = require('../common/errorHandling');
+const { badRequestError, unauthenticatedError, forbiddenError, proxyError, genericError, maxAppError, snapshotFailureError, vulnerabilitiesFailureError, reportFailureError, parametersError, invalidHostNameError } = require('../common/errorHandling');
 const handleResponseErrors = (res, api) => {
     if (res.statusCode === 400) {
         api === 'catalogue' ? badRequestError(true) : badRequestError(false);
@@ -17,6 +17,12 @@ const handleResponseErrors = (res, api) => {
     else if (res.statusCode === 412) {
         maxAppError();
     }
+    else if (res.statusCode === 301) {
+        invalidHostNameError(res.statusCode);
+    }
+    else if (res.statusCode === 302) {
+        parametersError(res.statusCode);
+    }
     else {
         if (api === 'snapshot' || api === 'catalogue') {
             snapshotFailureError();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "1.0.17",
+  "version": "1.0.18",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {

package/src/cliConstants.js

@@ -11,7 +11,7 @@ i18n.configure({
   defaultLocale: 'en'
 })
 
-const sharedOptionDefinitions = [
+const sharedCertOptionDefinitions = [
   {
     name: 'proxy',
     description:
@@ -45,46 +45,55 @@ const sharedOptionDefinitions = [
       i18n.__('constantsProxyCert')
   },
   {
-    name: 'ignore-cert-errors',
+    name: 'cert-self-signed',
     type: Boolean,
     description:
       '{bold ' +
       i18n.__('constantsOptional') +
       '}:' +
-      i18n.__('constantsIgnoreCertErrors')
+      i18n.__('constantsCertSelfSigned')
   }
 ]
 
-// CLI options that we will allow and handle
-const scanOptionDefinitions = [
-  ...sharedOptionDefinitions,
+const sharedConnectionOptionDefinitions = [
   {
-    name: 'name',
-    alias: 'n',
+    name: 'organization-id',
+    alias: 'o',
     description:
       '{bold ' +
-      i18n.__('constantsOptional') +
+      i18n.__('constantsRequiredEnterprise') +
       '}: ' +
-      i18n.__('constantsProjectName')
+      i18n.__('constantsOrganizationId')
   },
   {
-    name: 'language',
-    alias: 'l',
+    name: 'api-key',
     description:
       '{bold ' +
-      i18n.__('constantsOptional') +
+      i18n.__('constantsRequiredEnterprise') +
       '}: ' +
-      i18n.__('scanOptionsLanguageSummary')
+      i18n.__('constantsApiKey')
   },
   {
-    name: 'file',
-    alias: 'f',
+    name: 'authorization',
     description:
       '{bold ' +
-      i18n.__('constantsOptional') +
+      i18n.__('constantsRequiredEnterprise') +
       '}: ' +
-      i18n.__('scanOptionsFileNameSummary')
+      i18n.__('constantsAuthorization')
   },
+  {
+    name: 'host',
+    description:
+      '{bold ' +
+      i18n.__('constantsRequiredEnterprise') +
+      '}: ' +
+      i18n.__('constantsHostId')
+  }
+]
+
+const scanAdvancedOptionDefinitionsForHelp = [
+  ...sharedConnectionOptionDefinitions,
+  ...sharedCertOptionDefinitions,
   {
     name: 'project-id',
     alias: 'p',
@@ -95,55 +104,60 @@ const scanOptionDefinitions = [
       i18n.__('constantsProjectId')
   },
   {
-    name: 'project-path',
+    name: 'language',
+    alias: 'l',
     description:
       '{bold ' +
       i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('constantsProjectPath')
+      i18n.__('scanOptionsLanguageSummary')
   },
   {
-    name: 'timeout',
-    alias: 't',
-    type: Number,
+    name: 'ff',
+    type: Boolean,
     description:
       '{bold ' +
       i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('scanOptionsTimeoutSummary')
+      i18n.__('constantsDoNotWaitForScan')
   },
   {
-    name: 'organization-id',
-    alias: 'o',
+    name: 'label',
     description:
-      '{bold ' +
-      i18n.__('constantsRequired') +
-      '}: ' +
-      i18n.__('constantsOrganizationId')
-  },
+      '{bold ' + i18n.__('constantsOptional') + '}:' + i18n.__('scanLabel')
+  }
+]
+
+// CLI options that we will allow and handle
+const scanOptionDefinitions = [
+  ...scanAdvancedOptionDefinitionsForHelp,
   {
-    name: 'api-key',
+    name: 'name',
+    alias: 'n',
     description:
       '{bold ' +
-      i18n.__('constantsRequired') +
+      i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('constantsApiKey')
+      i18n.__('constantsProjectName')
   },
   {
-    name: 'authorization',
+    name: 'file',
+    alias: 'f',
     description:
       '{bold ' +
-      i18n.__('constantsRequired') +
+      i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('constantsAuthorization')
+      i18n.__('scanOptionsFileNameSummary')
   },
   {
-    name: 'host',
+    name: 'timeout',
+    alias: 't',
+    type: Number,
     description:
       '{bold ' +
-      i18n.__('constantsRequired') +
+      i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('constantsHostId')
+      i18n.__('scanOptionsTimeoutSummary')
   },
   {
     name: 'fail',
@@ -163,15 +177,6 @@ const scanOptionDefinitions = [
       '}: ' +
       i18n.__('constantsSeverity')
   },
-  {
-    name: 'ff',
-    type: Boolean,
-    description:
-      '{bold ' +
-      i18n.__('constantsOptional') +
-      '}: ' +
-      i18n.__('constantsDoNotWaitForScan')
-  },
   {
     name: 'verbose',
     alias: 'v',
@@ -188,11 +193,6 @@ const scanOptionDefinitions = [
     description:
       '{bold ' + i18n.__('constantsOptional') + '}:' + i18n.__('constantsSave')
   },
-  {
-    name: 'label',
-    description:
-      '{bold ' + i18n.__('constantsOptional') + '}:' + i18n.__('scanLabel')
-  },
   {
     name: 'help',
     alias: 'h',
@@ -207,14 +207,6 @@ const scanOptionDefinitions = [
     name: 'experimental',
     alias: 'e',
     type: Boolean
-  },
-  {
-    name: 'application-name',
-    description:
-      '{bold ' +
-      i18n.__('constantsOptional') +
-      '}: ' +
-      i18n.__('constantsApplicationName')
   }
 ]
 
@@ -241,8 +233,9 @@ const configOptionDefinitions = [
   }
 ]
 
-const auditOptionDefinitions = [
-  ...sharedOptionDefinitions,
+const auditAdvancedOptionDefinitionsForHelp = [
+  ...sharedConnectionOptionDefinitions,
+  ...sharedCertOptionDefinitions,
   {
     name: 'application-id',
     description:
@@ -259,39 +252,11 @@ const auditOptionDefinitions = [
       '}: ' +
       i18n.__('constantsApplicationName')
   },
-  {
-    name: 'file',
-    alias: 'f',
-    defaultValue: process.cwd().concat('/'),
-    description:
-      '{bold ' +
-      i18n.__('constantsOptional') +
-      '}: ' +
-      i18n.__('constantsFilePath')
-  },
-  {
-    name: 'fail',
-    type: Boolean,
-    description:
-      '{bold ' +
-      i18n.__('constantsOptional') +
-      '}: ' +
-      i18n.__('failOptionMessage')
-  },
-  {
-    name: 'severity',
-    type: severity => parseSeverity(severity),
-    description:
-      '{bold ' +
-      i18n.__('constantsOptional') +
-      '}: ' +
-      i18n.__('constantsSeverity')
-  },
   {
     name: 'app-groups',
     description:
       '{bold ' +
-      i18n.__('constantsOptionalForCatalogue') +
+      i18n.__('constantsOptional') +
       '}: ' +
       i18n.__('constantsAppGroups')
   },
@@ -322,54 +287,58 @@ const auditOptionDefinitions = [
       '{bold ' + i18n.__('constantsOptional') + '}: ' + i18n.__('constantsCode')
   },
   {
-    name: 'ignore-dev',
-    type: Boolean,
-    alias: 'i',
+    name: 'maven-settings-path',
     description:
       '{bold ' +
       i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('constantsIgnoreDev')
-  },
-  {
-    name: 'maven-settings-path'
-  },
-  {
-    name: 'fingerprint',
-    type: Boolean
-  },
+      i18n.__('constantsMavenSettingsPath')
+  }
+]
+
+const auditOptionDefinitions = [
+  ...auditAdvancedOptionDefinitionsForHelp,
   {
-    name: 'organization-id',
-    alias: 'o',
+    name: 'file',
+    alias: 'f',
+    defaultValue: process.cwd().concat('/'),
     description:
       '{bold ' +
-      i18n.__('constantsRequired') +
+      i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('constantsOrganizationId')
+      i18n.__('constantsFilePath')
   },
   {
-    name: 'api-key',
+    name: 'fail',
+    type: Boolean,
     description:
       '{bold ' +
-      i18n.__('constantsRequired') +
+      i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('constantsApiKey')
+      i18n.__('failOptionMessage')
   },
   {
-    name: 'authorization',
+    name: 'severity',
+    type: severity => parseSeverity(severity),
     description:
       '{bold ' +
-      i18n.__('constantsRequired') +
+      i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('constantsAuthorization')
+      i18n.__('constantsSeverity')
   },
   {
-    name: 'host',
+    name: 'ignore-dev',
+    type: Boolean,
+    alias: 'i',
     description:
       '{bold ' +
-      i18n.__('constantsRequired') +
+      i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('constantsHostId')
+      i18n.__('constantsIgnoreDev')
+  },
+  {
+    name: 'fingerprint',
+    type: Boolean
   },
   {
     name: 'save',
@@ -459,6 +428,10 @@ const mainUsageGuide = commandLineUsage([
       { name: i18n.__('helpName'), summary: i18n.__('helpSummary') }
     ]
   },
+  {
+    header: i18n.__('constantsAdvancedOptions'),
+    optionList: sharedCertOptionDefinitions
+  },
   {
     header: i18n.__('configHeader2'),
     content: [
@@ -478,6 +451,8 @@ module.exports = {
     scanOptionDefinitions,
     auditOptionDefinitions,
     authOptionDefinitions,
-    configOptionDefinitions
+    configOptionDefinitions,
+    scanAdvancedOptionDefinitionsForHelp,
+    auditAdvancedOptionDefinitionsForHelp
   }
 }

package/src/commands/audit/help.js

@@ -34,9 +34,12 @@ const auditUsageGuide = commandLineUsage([
       'authorization',
       'host',
       'proxy',
+      'cert',
+      'cacert',
+      'key',
       'help',
       'ff',
-      'ignore-cert-errors',
+      'cert-self-signed',
       'verbose',
       'debug',
       'experimental',
@@ -49,9 +52,15 @@ const auditUsageGuide = commandLineUsage([
       'app-groups',
       'metadata',
       'track',
-      'fingerprint'
+      'fingerprint',
+      'branch'
     ]
   },
+  {
+    header: i18n.__('constantsAdvancedOptions'),
+    optionList:
+      constants.commandLineDefinitions.auditAdvancedOptionDefinitionsForHelp
+  },
   commonHelpLinks()[0],
   commonHelpLinks()[1]
 ])

package/src/commands/scan/sca/scaAnalysis.js

@@ -64,6 +64,8 @@ const processSca = async config => {
       config.file
     )
 
+    autoDetection.dealWithMultiJava(filesFound)
+
     if (filesFound.length > 1 && pathWithFile) {
       filesFound = filesFound.filter(i =>
         Object.values(i)[0].includes(path.basename(config.fileName))

package/src/common/HTTPClient.js

@@ -6,7 +6,7 @@ const { AUTH_CALLBACK_URL } = require('../constants/constants')
 function HTTPClient(config) {
   const apiKey = config.apiKey
   const authToken = config.authorization
-  this.rejectUnauthorized = !config.ignoreCertErrors
+  this.rejectUnauthorized = !config.certSelfSigned
 
   const superApiKey = config.superApiKey
   const superAuthToken = config.superAuthorization

package/src/common/errorHandling.js

@@ -48,6 +48,22 @@ const maxAppError = () => {
   process.exit(1)
 }
 
+const parametersError = () => {
+  generalError(
+    `Values not recognised`,
+    'Check your command & keys again for hidden characters.\nFor more information use contrast help.'
+  )
+  process.exit(1)
+}
+
+const invalidHostNameError = () => {
+  generalError(
+    `Invalid host`,
+    'Check that the host parameter does not include a trailing "/".'
+  )
+  process.exit(1)
+}
+
 const failOptionError = () => {
   console.log(
     '\n ******************************** ' +
@@ -122,5 +138,7 @@ module.exports = {
   snapshotFailureError,
   vulnerabilitiesFailureError,
   reportFailureError,
-  maxAppError
+  maxAppError,
+  parametersError,
+  invalidHostNameError
 }

package/src/constants/constants.js

@@ -14,7 +14,7 @@ const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
 // App
 const APP_NAME = 'contrast'
-const APP_VERSION = '1.0.17'
+const APP_VERSION = '1.0.18'
 const TIMEOUT = 120000
 const HIGH_COLOUR = '#ff9900'
 const CRITICAL_COLOUR = '#e35858'