@contrast/contrast 1.0.17 → 1.0.18

package/src/constants/locales.js

@@ -3,23 +3,13 @@ const chalk = require('chalk')
 
 const en_locales = () => {
   return {
-    successHeader: 'SUCCESS',
-    snapshotSuccessMessage:
-      'Please go to the Contrast UI to view your dependency tree.',
     snapshotFailureHeader: 'FAIL',
     snapshotFailureMessage: 'Library analysis failed',
-    snapshotHostMessage:
-      "No host supplied. Using default host 'app.contrastsecurity.com'. Please ensure this is correct.",
-    vulnerabilitiesSuccessMessage: 'Vulnerability data successfully retrieved',
     vulnerabilitiesFailureMessage: 'Unable to retrieve library vulnerabilities',
-    catchErrorMessage: 'Contrast UI error: ',
     dependenciesNote:
       'Please Note: We currently only support projects with one .csproj AND *.package.lock.json',
-    languageAnalysisFailureMessage: 'SCA audit Failure',
-    languageAnalysisFactoryFailureHeader: 'FAIL',
     libraryAnalysisError:
       'Please ensure the language parameter is set in accordance to the language specified on the project path.\nContrast CLI must be run in the same directory as the project manifest file OR the project_path parameter must be used to identify the directory containing the project manifest file.\n\nFor further information please read our usage guide, which can be accessed with the following command:\n\ncontrast-cli --help',
-    yamlMissingParametersHeader: 'Missing Parameters',
     genericErrorMessage:
       'An error has occur please check your command again. For more information use the --help commands.',
     unauthenticatedErrorHeader: '401 error - Unauthenticated',
@@ -35,21 +25,7 @@ const en_locales = () => {
     proxyErrorHeader: '407 error - Proxy Authentication Required',
     proxyErrorMessage:
       'Please provide valid authentication credentials for the proxy server.',
-    catalogueSuccessCommand: 'Application Created',
-    dotnetAnalysisFailure: '.NET analysis failed because: ',
-    dotnetReadLockfile: 'Failed to read the lock file @ %s because: ',
-    dotnetParseLockfile: "Failed to parse .NET lock file @ '%s' because: ",
-    dotnetParseProjectFile:
-      "Failed to parse MSBuild project file @ '%s' because: ",
-    dotnetReadProjectFile: 'Failed to read the project file @ "%s" because: ',
-    javaAnalysisError: 'JAVA analysis failed because: ',
     javaParseProjectFile: 'Failed to parse mvn output because: ',
-    languageAnalysisMultipleLanguages1:
-      'Identified multiple languages for the project\n',
-    languageAnalysisMultipleLanguages2:
-      'Please specify which project file you would like analyzed with the %s CLI option.',
-    languageAnalysisProjectFiles:
-      "Identified project language as '%s' but found multiple project files: %s. Please specify which project file you would like analyzed with the %s CLI option.",
     languageAnalysisHasNoLockFile:
       "Identified project language as '%s' but no project lock file was found.",
     languageAnalysisHasNoPackageJsonFile:
@@ -58,100 +34,56 @@ const en_locales = () => {
       "Identified project language as '%s' but multiple project lock files were found.",
     languageAnalysisProjectFileError:
       "Identified project language as '%s' but no project file was found.",
-    languageAnalysisProjectRootFileNameReadError:
-      'Failed to read the contents of the directory @ %s because: ',
-    languageAnalysisProjectRootFileNameMissingError:
-      "%s isn't a file or directory",
     languageAnalysisProjectRootFileNameFailure:
       'Failed to get information about the file or directory @ %s because: ',
-    languageAnalysisFailure: ' analysis failed because: ',
     languageAnalysisNoLanguage:
       'We cannot detect a project, use -f <path> to specify a file or folder to analyze.',
     languageAnalysisNoLanguageHelpLine: `${chalk.bold(
       'contrast audit --help'
     )} for more information.`,
-    NodeAnalysisFailure: 'NODE analysis failed because: ',
-    phpAnalysisFailure: 'PHP analysis failed because: ',
     NodeParseNPM: 'Failed to parse NODE package-lock.json file because: ',
     phpParseComposerLock:
       "Failed to parse PHP composer.lock file @ '%s' because: ",
-    NodeReadNpmError:
-      'Failed to read the package-lock.json file @ "%s" because: ',
-    phpReadError: 'Failed to read the composer.lock file @ "%s" because: ',
     NodeParseYarn: 'Failed to parse yarn.lock version %s because: ',
     NodeParseYarn2: "Failed to parse Node yarn.lock version 2 @ '%s' because: ",
-    nodeReadProjectFileError:
-      'Failed to read the NODE project file @ "%s" because: ',
-    phpReadProjectFileError:
-      'Failed to read the PHP project file @ "%s" because: ',
     nodeReadYarnLockFileError:
       'Failed to read the yarn.lock file @ "%s" because: ',
-    pythonAnalysisEngineError: 'Python analysis failed because: ',
-    pythonAnalysisEnginePipError:
-      "Failed to parse python Pipfile.lock file @ '%s' because: ",
-    pythonAnalysisParseProjectFileError:
-      'Failed to parse python output "%s" because: ',
-    pythonAnalysisReadPipFileError:
-      'Failed to read the python Pipfile.lock file @ "%s" because: ',
-    pythonAnalysisReadPythonProjectFileError:
-      'Failed to read the python pipfile @ "%s" because: ',
-    rubyAnalysisEngineError: 'Ruby analysis failed because: ',
-    rubyAnalysisEngineParsedGemFileError:
-      'Failed to parse ruby output "%s" because: ',
-    rubyAnalysisEngineParsedGemLockFileError:
-      'Failed to parse ruby Gemfile.lock output because: ',
-    rubyAnalysisEngineReadGemFileError:
-      'Failed to read the ruby project file @ "%s" because: ',
-    rubyAnalysisEngineReadGemLockFileError:
-      'Failed to read the ruby Gemfile.lock @ "%s" because: ',
     constantsOptional: '(optional)',
-    constantsOptionalForCatalogue: '(optional for catalogue)',
     constantsRequired: '(required)',
-    constantsRequiredCatalogue: '(required for catalogue)',
+    constantsRequiredEnterprise: '(required for Contrast Enterprise)',
     constantsApiKey: 'An agent API key as provided by Contrast UI',
     constantsAuthorization:
-      'Authorization credentials as provided by Contrast UI',
-    constantsOrganizationId: 'The ID of your organization',
+      'An authorization header as provided by Contrast UI',
+    constantsOrganizationId:
+      'The ID of your organization as provided by Contrast UI',
     constantsApplicationId:
-      'The ID of the application cataloged by Contrast UI',
-    constantsHostId:
-      'Provide the name of the host and optionally the port expressed as "<host>:<port>".',
+      'The ID of the application as provided by Contrast UI',
+    constantsHostId: 'host name e.g. https://app.contrastsecurity.com',
     constantsApplicationName:
-      'The name of the application cataloged by Contrast UI',
-    constantsCatalogueApplication:
-      'Provide this if you want to catalogue an application',
+      'The name of the application as provided by Contrast UI',
     failOptionErrorMessage:
       ' FAIL - CVEs have been detected that match at least the cve_severity option specified.',
     failOptionMessage:
       ' Use with contrast scan or contrast audit. Detects failures based on the severity level specified with the --severity command. For example, "contrast scan --fail --severity high". Returns all failures if no severity level is specified.',
-    constantsLanguage:
-      'Valid values are JAVA, DOTNET, NODE, PYTHON and RUBY. If there are multiple project configuration files in the project_path, language is also required.  Also, provide this when cataloguing an application',
     constantsFilePath: `Specify a directory or the file where dependencies are declared. (By default, CodeSec will search for project files in the current directory.)`,
-    constantsSilent: 'Silences JSON output.',
     constantsAppGroups:
-      'Assign your application to one or more pre-existing groups when using the catalogue command. Group lists should be comma separated.',
-    constantsVersion: 'Displays CLI Version you are currently on.',
+      'Assign your application to one or more pre-existing groups when on boarding an application. Group lists should be comma separated.',
     constantsProxyServer:
-      'Allows for connection via a proxy server. If authentication is required please provide the username and password with the protocol, host and port. For instance: "http://username:password@<host>:<port>".',
-    constantsHelp: 'Display this usage guide.',
+      'Allows for connection via a proxy server. If authentication is required please provide the username and password with the protocol, host and port. For instance: "https://username:password@<host>:<port>".',
     constantsGradleMultiProject:
       'Specify the sub project within your gradle application.',
-    constantsScan: 'Upload java binaries to the static scan service',
-    constantsDoNotWaitForScan: 'Do not wait for the result of the scan',
+    constantsDoNotWaitForScan:
+      'Fire and forget. Do not wait for the result of the scan.',
     constantsProjectName:
       'Contrast project name. If not specified, Contrast uses contrast.settings to identify the project or creates a project.',
     constantsProjectId:
       'The ID associated with a scan project. Replace <ProjectID> with the ID for the scan project. To find the ID, select a scan project in Contrast and locate the last number in the URL.',
-    constantsReport: 'Display vulnerability information for this application',
-    constantsFail:
-      'Set the process to fail if this option is set in combination with --cve_severity.',
     failThresholdOptionErrorMessage: 'More than 0 vulnerabilities found',
     failSeverityOptionErrorMessage:
       ' FAIL - Results detected vulnerabilities over accepted severity level',
     constantsSeverity:
       'Use with "contrast scan --fail --severity high" or "contrast audit --fail --severity high". Set the severity level to detect vulnerabilities or dependencies. Severity levels are critical, high, medium, low or note.',
-    constantsCount: 'The number of CVEs that must be exceeded to fail a build',
-    constantsHeader: 'CodeSec by Contrast Security',
+    constantsHeader: 'Contrast CLI',
     configHeader2: 'Config options',
     clearHeader: '-c, --clear',
     clearContent: 'Removes stored credentials',
@@ -161,8 +93,6 @@ const en_locales = () => {
       'Use the ‘contrast’ command for fast and accurate security analysis of your applications, APIs, serverless functions, and libraries.',
     constantsContrastCategories:
       '\n Code: Java, .NET, .NET Core, JavaScript\n Serverless: AWS Lambda - Java, Python\n Libraries: Java, .NET, Node, Ruby, Python, Go, PHP\n',
-    constantsUsageGuideContentRecommendation:
-      'Our recommendation is that this is invoked as part of a CI pipeline so that running the cli is automated as part of your build process.',
     constantsPrerequisitesHeader: 'Pre-requisites',
     constantsAuthUsageHeader: 'Usage',
     constantsAuthUsageContents: 'contrast auth',
@@ -180,30 +110,9 @@ const en_locales = () => {
       'The file argument is optional. If no file is given, Contrast will search for a .jar, .war, .exe or .zip file in the working directory.\n',
     constantsUsageCommandInfo24Hours:
       'Submitted files are encrypted during upload and deleted in 24 hours.',
-    constantsAnd: 'AND',
-    constantsJava:
-      'AND Maven build platform, including the dependency plugin. For a Gradle project, use build.gradle. A gradle-wrapper.properties file is also required. Kotlin is also supported requiring a build.gradle.kts file.',
-    constantsJavaNote:
-      'Note: Running "mvn dependency:tree" or "./gradlew dependencies" in the project directory locally must be successful.',
-    constantsJavaNoteGradle:
-      'We currently support v4.8 and upwards on Gradle projects',
-    constantsDotNet:
-      'MSBuild 15.0 or greater and have a packages.lock.json file are supported.',
-    constantsDotNetNote:
-      'Please Note: If the packages.lock.json file is not in place it can be generated by setting RestorePackagesWithLockFile to true within each *.csproj and running dotnet build',
-    constantsNode: '%s AND a lock file either %s or %s',
-    constantsRuby: 'gemfile AND gemfile.lock',
-    constantsPython: 'pipfile AND pipfile.lock',
-    constantsHowToRunHeader: 'How to run:',
-    constantsHowToRunDev1:
-      'Begin with contrast auth to authenticate the CLI to perform actions',
-    constantsHowToRunDev2:
-      'After successful auth try the following command: contrast scan -f "<file>"',
     constantsHowToRunDev3:
       'Allowable languages are java (.jar and .war) and javascript (.js or .zip), if the language is not autodetected please use --language to specify',
     constantsOptions: 'Options',
-    constantsSpecialCharacterWarning:
-      'Please Note: Parameters may need to be quoted to avoid issues with special characters.',
     constantsProxyKey: 'Path to the Certificate Key',
     constantsProxyCert: 'Path to the Cert file',
     constantsProxyCaCert: 'Path to the CaCert file',
@@ -220,7 +129,8 @@ const en_locales = () => {
       'Apply labels to an application. Labels must be formatted as a comma-delimited list. Example - label1,label2,label3',
     constantsCode:
       'Add the application code this application should use in the Contrast UI',
-    constantsIgnoreCertErrors:
+    constantsMavenSettingsPath: 'Path to maven settings',
+    constantsCertSelfSigned:
       'For EOP users with a local Teamserver install, this will bypass the SSL certificate and recognise a self signed certificate.',
     constantsSave: 'Saves the Scan Results SARIF to file.',
     scanLabel:
@@ -229,7 +139,7 @@ const en_locales = () => {
       'Excludes developer dependencies from the results. All dependencies are included by default.',
     constantsCommands: 'Commands',
     constantsScanOptions: 'Scan Options',
-    sbomRetrievalError: 'Unable to retrieve Software Bill of Materials (SBOM)',
+    constantsAdvancedOptions: 'Advanced',
     foundExistingProjectScan: 'Found existing project...',
     projectCreatedScan: 'Project created',
     uploadingScan: 'Uploading file to scan.',
@@ -268,10 +178,6 @@ const en_locales = () => {
     configName: 'config',
     helpName: 'help',
     scanOptionsLanguageSummary: 'Valid values are JAVA, JAVASCRIPT and DOTNET',
-    scanOptionsLanguageSummaryOptional:
-      'Language of file to send for analysis. ',
-    scanOptionsLanguageSummaryRequired:
-      'If you scan a .zip file or you use the --file option.',
     scanOptionsTimeoutSummary:
       'Time in seconds to wait for scan to complete. Default value is 300 seconds.',
     scanOptionsFileNameSummary:
@@ -295,14 +201,9 @@ const en_locales = () => {
       ' to learn more about the capabilities.',
     authWaitingMessage: 'Waiting for auth...',
     authTimedOutMessage: 'Auth Timed out, try again',
-    zipErrorScan:
-      'We only support zip files for JAVASCRIPT language, please set the flag --language JAVASCRIPT',
-    unknownFileErrorScan: 'Unsupported file selected for Scan.',
     foundScanFile: 'Found: %s',
     foundDetailedVulnerabilities:
       chalk.bold('%s') + ' | ' + chalk.bold('%s') + ' | %s | %s | %s ',
-    requiredParams: 'All required parameters are not present.',
-    timeoutScan: 'Timeout set to 5 minutes.',
     searchingScanFileDirectory: 'Searching for file to scan from %s...',
     searchingAuditFileDirectory:
       'Searching for package manager files from %s...',
@@ -312,13 +213,11 @@ const en_locales = () => {
     lambdaSummary:
       'Performs static security scan on an AWS Lambda Function.\nProduces CVE (Vulnerable Dependencies) and Least Privilege violations/remediation results.',
     lambdaUsage: 'contrast lambda --function-name <function> [options]',
-    lambdaPrerequisitesContent: '',
     lambdaPrerequisitesContentLambdaLanguages:
       'Supported runtimes: Java & Python',
     lambdaPrerequisitesContentLambdaDescriptionTitle: 'AWS Requirements\n',
     lambdaPrerequisitesContentLambdaDescription:
       'Make sure you have the AWS credentials configured on your local environment. \nYou need the following AWS permissions configured on your IAM user:\n   - Lambda: GetFunction, GetLayerVersion, ListFunctions\n   - IAM: GetRolePolicy, GetPolicy, GetPolicyVersion, ListRolePolicies, ListAttachedRolePolicies',
-    scanFileNameOption: '-f, --file',
     lambdaFunctionNameOption: '-f, --function-name',
     lambdaListFunctionsOption: '-l, --list-functions',
     lambdaEndpointOption: '-e, --endpoint-url',
@@ -341,13 +240,10 @@ const en_locales = () => {
       'Configuration details not found. Try authenticating by using ‘contrast auth’.',
     redirectAuth:
       '\nOpening the authentication page in your web browser.\nSign in and complete the steps.\nReturn here to start using Contrast.\n\nIf your browser has trouble loading, try this:\n%s \n',
-    scanZipError:
-      'A .zip archive can be used for Javascript Scan. Archive found %s does not contain .JS files for Scan.',
     fileNotExist: 'File specified does not exist, please check and try again.',
     scanFileIsEmpty: 'File specified is empty. Please choose another.',
     fileHasWhiteSpacesError:
       'File cannot have spaces, please rename or choose another file to Scan.',
-    zipFileException: 'Error reading zip file',
     connectionError:
       'An error has occurred when trying to get the Project Id please check your internet connection or provide the Project Id manually',
     internalServerErrorHeader: '500 error - Internal server error',
@@ -400,22 +296,16 @@ const en_locales = () => {
       'Please specify file type to save results to, accepted value is SARIF',
     auditSBOMSaveSuccess:
       '\n Software Bill of Materials (SBOM) saved successfully',
-    auditNoFiletypeSpecifiedForSave: `\n ${chalk.yellow.bold(
-      'No file type specified for --save option to save audit results to. Use audit --help to see valid --save options.'
-    )}`,
     auditBadFiletypeSpecifiedForSave: `\n ${chalk.yellow.bold(
       'Bad file type specified for --save option. Use audit --help to see valid --save options.'
     )}`,
     auditServicesMessageForTS:
       'View your vulnerable library list or full dependency tree in Contrast:',
-    auditReportWaiting: 'Waiting for report...',
-    auditReportFail: 'Report Retrieval Failed, please try again',
-    auditReportSuccessMessage: 'Report successfully retrieved',
     auditReportFailureMessage: 'Unable to generate library report',
     auditSCAAnalysisBegins: 'Contrast SCA audit started',
     auditSCAAnalysisComplete: 'Contrast audit complete',
-    commonHelpHeader: 'Need More Help?',
-    commonHelpEnterpriseHeader: 'Existing Contrast user?',
+    commonHelpHeader: 'Need More Help? NEW users',
+    commonHelpEnterpriseHeader: 'Existing Contrast Licensed user?',
     commonHelpCheckOutHeader: chalk.hex('#9DC184')('Check out:'),
     commonHelpCheckOutText: ' https://support.contrastsecurity.com',
     commonHelpLearnMoreHeader: chalk.hex('#9DC184')('Learn more at:'),

package/src/scaAnalysis/java/index.js

@@ -28,8 +28,8 @@ const getAgreement = async config => {
   console.log(
     'Java analysis uses maven / gradle which are potentially susceptible to command injection. Be sure that the code you are running Contrast CLI on is trusted before continuing.'
   )
-  if (_.isNil(!process.env.CI) && _.isNil(!config.javaAgreement)) {
-    console.log('should print')
+
+  if (!process.env.CI && !config?.javaAgreement) {
     return await analysis.agreementPrompt(config)
   }
   return config

package/src/scan/autoDetection.js

@@ -63,6 +63,25 @@ const hasWhiteSpace = s => {
   return filename.indexOf(' ') >= 0
 }
 
+const dealWithMultiJava = filesFound => {
+  let hasMultiJava =
+    filesFound.filter(data => {
+      return (
+        Object.keys(data)[0] === 'JAVA' &&
+        Object.values(data)[0].includes('build.gradle') &&
+        Object.values(data)[0].includes('pom.xml')
+      )
+    }).length > 0
+  if (hasMultiJava) {
+    console.log('Multiple Java language dependency files detected')
+    console.log(
+      'Please use --file to audit one only. \nExample: contrast audit --file pom.xml'
+    )
+    process.exit(1)
+  }
+  return false
+}
+
 const errorOnFileDetection = entries => {
   if (entries.length > 1) {
     console.log(i18n.__('searchingDirectoryScan'))
@@ -99,5 +118,6 @@ module.exports = {
   errorOnFileDetection,
   autoDetectAuditFilesAndLanguages,
   errorOnAuditFileDetection,
-  autoDetectFingerprintInfo
+  autoDetectFingerprintInfo,
+  dealWithMultiJava
 }

package/src/scan/help.js

@@ -29,13 +29,20 @@ const scanUsageGuide = commandLineUsage([
       'proxy',
       'help',
       'ff',
-      'ignore-cert-errors',
+      'cert-self-signed',
+      'key',
+      'cacert',
+      'cert',
       'verbose',
       'debug',
-      'experimental',
-      'application-name'
+      'experimental'
     ]
   },
+  {
+    header: i18n.__('constantsAdvancedOptions'),
+    optionList:
+      constants.commandLineDefinitions.scanAdvancedOptionDefinitionsForHelp
+  },
   commonHelpLinks()[0],
   commonHelpLinks()[1]
 ])

package/src/utils/commonApi.js

@@ -8,7 +8,9 @@ const {
   maxAppError,
   snapshotFailureError,
   vulnerabilitiesFailureError,
-  reportFailureError
+  reportFailureError,
+  parametersError,
+  invalidHostNameError
 } = require('../common/errorHandling')
 
 const handleResponseErrors = (res, api) => {
@@ -22,6 +24,10 @@ const handleResponseErrors = (res, api) => {
     proxyError()
   } else if (res.statusCode === 412) {
     maxAppError()
+  } else if (res.statusCode === 301) {
+    invalidHostNameError(res.statusCode)
+  } else if (res.statusCode === 302) {
+    parametersError(res.statusCode)
   } else {
     if (api === 'snapshot' || api === 'catalogue') {
       snapshotFailureError()