@contrast/contrast 1.0.19 → 1.0.20

package/dist/scaAnalysis/java/index.js

@@ -3,13 +3,10 @@ const analysis = require('./analysis');
 const { parseBuildDeps } = require('./javaBuildDepsParser');
 const { createJavaTSMessage } = require('../common/formatMessage');
 const { parseDependenciesForSCAServices } = require('../common/scaParserForGoAndJava');
-const chalk = require('chalk');
-const _ = require('lodash');
 const javaAnalysis = async (config, languageFiles) => {
     languageFiles.JAVA.forEach(file => {
         file.replace('build.gradle.kts', 'build.gradle');
     });
-    await getAgreement(config);
     const javaDeps = buildJavaTree(config, languageFiles.JAVA);
     if (config.experimental) {
         return parseDependenciesForSCAServices(javaDeps);
@@ -18,19 +15,10 @@ const javaAnalysis = async (config, languageFiles) => {
         return createJavaTSMessage(javaDeps);
     }
 };
-const getAgreement = async (config) => {
-    console.log(chalk.bold('Java project detected'));
-    console.log('Java analysis uses maven / gradle which are potentially susceptible to command injection. Be sure that the code you are running Contrast CLI on is trusted before continuing.');
-    if (!process.env.CI && !config?.javaAgreement) {
-        return await analysis.agreementPrompt(config);
-    }
-    return config;
-};
 const buildJavaTree = (config, files) => {
     const javaBuildDeps = analysis.getJavaBuildDeps(config, files);
     return parseBuildDeps(config, javaBuildDeps);
 };
 module.exports = {
-    javaAnalysis,
-    getAgreement
+    javaAnalysis
 };

package/dist/scan/formatScanOutput.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.assignBySeverity = exports.stripTags = exports.getCodeFlowInfo = exports.getSourceLineNumber = exports.getLocationsSyncInfo = exports.editVulName = exports.getDefaultView = exports.formatLinks = exports.formatScanOutput = void 0;
+exports.assignBySeverity = exports.stripTags = exports.getCodeFlowInfo = exports.getSourceLineNumber = exports.getLocationsSyncInfo = exports.editVulName = exports.doAddSourceLineNumber = exports.getDefaultView = exports.formatLinks = exports.formatScanOutput = void 0;
 const i18n_1 = __importDefault(require("i18n"));
 const chalk_1 = __importDefault(require("chalk"));
 const groupedResultsModel_1 = require("./models/groupedResultsModel");
@@ -12,24 +12,25 @@ const cli_table3_1 = __importDefault(require("cli-table3"));
 const constants_1 = require("../constants/constants");
 const commonReportingFunctions_1 = require("../audit/report/commonReportingFunctions");
 function formatScanOutput(scanResults) {
-    const { scanResultsInstances } = scanResults;
-    const projectOverview = (0, commonReportingFunctions_1.getSeverityCounts)(scanResultsInstances.content);
-    if (scanResultsInstances.content.length === 0) {
+    const { content } = scanResults.scanResultsInstances;
+    const { language } = scanResults.scanDetail;
+    const severityCounts = (0, commonReportingFunctions_1.getSeverityCounts)(content);
+    if (content.length === 0) {
         console.log(i18n_1.default.__('scanNoVulnerabilitiesFound'));
         console.log(i18n_1.default.__('scanNoVulnerabilitiesFoundSecureCode'));
         console.log(i18n_1.default.__('scanNoVulnerabilitiesFoundGoodWork'));
     }
     else {
-        const message = projectOverview.critical || projectOverview.high
+        const message = severityCounts.critical || severityCounts.high
             ? 'Here are your top priorities to fix'
             : "No major issues, here's what we found";
         console.log(chalk_1.default.bold(message));
         console.log();
-        let defaultView = getDefaultView(scanResultsInstances.content);
+        const defaultView = getDefaultView(content, language);
         let count = 0;
         defaultView.forEach(entry => {
             count++;
-            let table = new cli_table3_1.default({
+            const table = new cli_table3_1.default({
                 chars: {
                     top: '',
                     'top-mid': '',
@@ -90,8 +91,8 @@ function formatScanOutput(scanResults) {
             console.log();
         });
     }
-    (0, commonReportingFunctions_1.printVulnInfo)(projectOverview);
-    return projectOverview;
+    (0, commonReportingFunctions_1.printVulnInfo)(severityCounts);
+    return severityCounts;
 }
 exports.formatScanOutput = formatScanOutput;
 function formatLinks(objName, entry) {
@@ -107,7 +108,7 @@ function formatLinks(objName, entry) {
     }
 }
 exports.formatLinks = formatLinks;
-function getDefaultView(content) {
+function getDefaultView(content, language) {
     const groupTypeResults = [];
     content.forEach(resultEntry => {
         const groupResultsObj = new groupedResultsModel_1.GroupedResultsModel(resultEntry.ruleId);
@@ -118,8 +119,7 @@ function getDefaultView(content) {
         groupResultsObj.learn = resultEntry.learn;
         groupResultsObj.message = resultEntry.message?.text
             ? editVulName(resultEntry.message.text) +
-                ':' +
-                getSourceLineNumber(resultEntry)
+                doAddSourceLineNumber(resultEntry, language)
             : '';
         groupResultsObj.codePath = getLocationsSyncInfo(resultEntry);
         groupTypeResults.push(groupResultsObj);
@@ -128,6 +128,12 @@ function getDefaultView(content) {
     return (0, lodash_1.sortBy)(groupTypeResults, ['priority']);
 }
 exports.getDefaultView = getDefaultView;
+function doAddSourceLineNumber(resultEntry, language) {
+    return language !== constants_1.supportedLanguagesScan.JAVASCRIPT
+        ? ':' + getSourceLineNumber(resultEntry)
+        : '';
+}
+exports.doAddSourceLineNumber = doAddSourceLineNumber;
 function editVulName(message) {
     return message.substring(message.indexOf(' in '));
 }
@@ -143,7 +149,7 @@ function getLocationsSyncInfo(resultEntry) {
 exports.getLocationsSyncInfo = getLocationsSyncInfo;
 function getSourceLineNumber(resultEntry) {
     const locationsLineNumber = resultEntry.locations[0]?.physicalLocation?.region?.startLine || '';
-    let codeFlowLineNumber = getCodeFlowInfo(resultEntry);
+    const codeFlowLineNumber = getCodeFlowInfo(resultEntry);
     return codeFlowLineNumber ? codeFlowLineNumber : locationsLineNumber;
 }
 exports.getSourceLineNumber = getSourceLineNumber;

package/dist/utils/paramsUtil/configStoreParams.js

@@ -15,15 +15,4 @@ const getAuth = () => {
     }
     return ContrastConfToUse;
 };
-const getAgreement = () => {
-    const ContrastConf = config.localConfig(APP_NAME, APP_VERSION);
-    let ContrastConfToUse = {};
-    ContrastConfToUse.javaAgreement = ContrastConf.get('javaAgreement');
-    return ContrastConfToUse;
-};
-const setAgreement = agreement => {
-    const ContrastConf = config.localConfig(APP_NAME, APP_VERSION);
-    ContrastConf.set('javaAgreement', agreement);
-    return agreement;
-};
-module.exports = { getAuth, getAgreement, setAgreement };
+module.exports = { getAuth };

package/dist/utils/paramsUtil/paramHandler.js

@@ -22,10 +22,4 @@ const getAuth = params => {
         process.exit(1);
     }
 };
-const getAgreement = () => {
-    return configStoreParams.getAgreement();
-};
-const setAgreement = answer => {
-    return configStoreParams.setAgreement(answer);
-};
-module.exports = { getAuth, getAgreement, setAgreement };
+module.exports = { getAuth };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "1.0.19",
+  "version": "1.0.20",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -15,6 +15,10 @@
     {
       "name": "Andrew Shanks",
       "email": "andrew.shanks@contrastsecurity.com"
+    },
+    {
+      "name": "Oisín Cassidy",
+      "email": "oisin.cassidy@contrastsecurity.com"
     }
   ],
   "license": "ISC",

package/src/audit/report/commonReportingFunctions.js

@@ -108,7 +108,8 @@ const printFormattedOutput = (
           new SeverityCountModel()
         ).getTotal
       ),
-      library.cveArray
+      library.cveArray,
+      null
     )
     report.reportOutputList.push(newOutputModel)
   }
@@ -131,6 +132,7 @@ const printFormattedOutput = (
     contrastHeaderNumCounter++
     const { libraryName, libraryVersion, highestSeverity } =
       reportModel.compositeKey
+
     const numOfCVEs = reportModel.cveArray.length
 
     const table = getReportTable()
@@ -236,9 +238,11 @@ function buildHeader(
 }
 
 function buildBody(cveArray, advice) {
-  let assignPriorityToVulns = cveArray.map(result => findCVESeverity(result))
+  const orderedCvesWithSeverityAssigned = orderByHighestPriority(
+    cveArray.map(cve => findCVESeverity(cve))
+  )
 
-  const issueMessage = getIssueRow(assignPriorityToVulns)
+  const issueMessage = getIssueRow(orderedCvesWithSeverityAssigned)
 
   //todo different advice based on remediationGuidance being available or now
   // console.log(advice)
@@ -254,7 +258,6 @@ function buildBody(cveArray, advice) {
 }
 
 function getIssueRow(cveArray) {
-  orderByHighestPriority(cveArray)
   const cveMessagesList = getIssueCveMsgList(cveArray)
   return [chalk.bold('Issue'), ':', `${cveMessagesList.join(', ')}`]
 }
@@ -301,7 +304,6 @@ const getIssueCveMsgList = results => {
   const cveMessages = []
 
   results.forEach(reportSeverityModel => {
-    // @ts-ignore
     const { colour, severity, name } = reportSeverityModel
 
     const severityShorthand = chalk

package/src/audit/report/models/reportListModel.ts

@@ -1,5 +1,9 @@
 import { ReportSeverityModel } from './reportSeverityModel'
 import { ReportCVEModel } from './reportLibraryModel'
+import {
+  ScaReportRemediationAdviceModel,
+  ScaReportVulnerabilityModel
+} from '../../../scaAnalysis/common/models/ScaReportModel'
 
 export class ReportList {
   reportOutputList: ReportModelStructure[]
@@ -11,11 +15,17 @@ export class ReportList {
 
 export class ReportModelStructure {
   compositeKey: ReportCompositeKey
-  cveArray: ReportCVEModel[]
+  cveArray: ReportCVEModel[] | ScaReportVulnerabilityModel[]
+  remediationAdvice: ScaReportRemediationAdviceModel | null
 
-  constructor(compositeKey: ReportCompositeKey, cveArray: ReportCVEModel[]) {
+  constructor(
+    compositeKey: ReportCompositeKey,
+    cveArray: ReportCVEModel[] | ScaReportVulnerabilityModel[],
+    remediationAdvice: ScaReportRemediationAdviceModel | null
+  ) {
     this.compositeKey = compositeKey
     this.cveArray = cveArray
+    this.remediationAdvice = remediationAdvice
   }
 }
 

package/src/audit/report/reportingFeature.ts

@@ -87,7 +87,7 @@ export async function vulnerabilityReportV2(config: any, reportId: string) {
   const reportResponse = await getReport(config, reportId)
 
   if (reportResponse !== undefined) {
-    let output = formatVulnerabilityOutput(
+    const output = formatVulnerabilityOutput(
       reportResponse.vulnerabilities,
       config.applicationId,
       config,

package/src/audit/report/utils/reportUtils.ts

@@ -3,8 +3,7 @@ import {
   ReportLibraryModel
 } from '../models/reportLibraryModel'
 import { ReportSeverityModel } from '../models/reportSeverityModel'
-import languageAnalysisEngine from '../../../constants/constants'
-import {
+import languageAnalysisEngine, {
   CRITICAL_COLOUR,
   CRITICAL_PRIORITY,
   HIGH_COLOUR,
@@ -19,6 +18,7 @@ import {
 import { orderBy } from 'lodash'
 import { SeverityCountModel } from '../models/severityCountModel'
 import { ReportModelStructure } from '../models/reportListModel'
+
 const {
   supportedLanguages: { GO }
 } = languageAnalysisEngine
@@ -30,8 +30,8 @@ export function findHighestSeverityCVE(cveArray: ReportCVEModel[]) {
   return orderBy(mappedToReportSeverityModels, cve => cve?.priority)[0]
 }
 
-export function orderByHighestPriority(cves: ReportCVEModel[]) {
-  return orderBy(cves, ['priority'], ['asc'])
+export function orderByHighestPriority(severityModels: ReportSeverityModel[]) {
+  return orderBy(severityModels, ['priority'], ['asc'])
 }
 
 export function findCVESeverity(cve: ReportCVEModel) {

package/src/commands/audit/auditConfig.js

@@ -10,8 +10,7 @@ const getAuditConfig = async (contrastConf, command, argv) => {
     constants.commandLineDefinitions.auditOptionDefinitions
   )
   const paramsAuth = paramHandler.getAuth(auditParameters)
-  const javaAgreement = paramHandler.getAgreement()
-  return { ...paramsAuth, ...auditParameters, ...javaAgreement }
+  return { ...paramsAuth, ...auditParameters }
 }
 
 module.exports = {

package/src/commands/scan/sca/scaAnalysis.js

@@ -33,6 +33,9 @@ const scaUpload = require('../../../scaAnalysis/common/scaServicesUpload')
 const settingsHelper = require('../../../utils/settingsHelper')
 const chalk = require('chalk')
 const saveResults = require('../../../scan/saveResults')
+const {
+  convertGenericToTypedReportModelSca
+} = require('../../../scaAnalysis/common/utils/reportUtilsSca')
 
 const processSca = async config => {
   //checks to see whether to use old TS / new SCA path
@@ -133,12 +136,14 @@ const processSca = async config => {
         console.log('') //empty log for space before spinner
         const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
         startSpinner(reportSpinner)
-        const [reports, reportId] = await scaUpload.scaTreeUpload(
+        const { reportArray, reportId } = await scaUpload.scaTreeUpload(
           messageToSend,
           config
         )
 
-        auditReport.processAuditReport(config, reports[0])
+        const reportModelLibraryList =
+          convertGenericToTypedReportModelSca(reportArray)
+        auditReport.processAuditReport(config, reportModelLibraryList)
         succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
 
         if (config.save !== undefined) {

package/src/constants/constants.js

@@ -14,7 +14,7 @@ const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
 // App
 const APP_NAME = 'contrast'
-const APP_VERSION = '1.0.19'
+const APP_VERSION = '1.0.20'
 const TIMEOUT = 120000
 const HIGH_COLOUR = '#ff9900'
 const CRITICAL_COLOUR = '#e35858'

package/src/constants/locales.js

@@ -194,7 +194,10 @@ const en_locales = () => {
       chalk.bold('\ncontrast scan') +
       " to run Contrast's industry leading SAST scanner. \nSupports Java, JavaScript and .Net \n" +
       chalk.bold('\ncontrast audit') +
-      ' to find vulnerabilities in your open source dependencies.\nSupports Java, .NET, Node, Ruby, Python, Go and PHP \n' +
+      ' to find vulnerabilities in your open source dependencies.' +
+      '\nSupports Java, .NET, Node, Ruby, Python, Go and PHP.' +
+      '\nOur CLI runs native build tools to generate a complete dependency tree.' +
+      '\nIf you are running on untrusted code, consider running in a sandbox.\n' +
       chalk.bold('\ncontrast lambda') +
       ' to secure your AWS serverless functions. \nSupports Java and Python \n' +
       chalk.bold('\ncontrast help') +
@@ -259,7 +262,8 @@ const en_locales = () => {
     )} Maven build platform including the dependency plugin. 
     ${chalk.bold('Or')} build.gradle ${chalk.bold(
       'and'
-    )} gradle dependencies or ./gradlew dependencies must be supported`,
+    )} gradle dependencies or ./gradlew dependencies must be supported
+    If you are running on untrusted code, consider running in a sandbox.`,
     constantsAuditPrerequisitesContentDotNetMessage: `
     ${chalk.bold(
       '.NET framework and .NET core:'

package/src/scaAnalysis/common/auditReport.js

@@ -1,105 +1,50 @@
 const {
   getSeverityCounts,
-  createSummaryMessageTop,
-  printVulnInfo,
-  getReportTable,
-  getIssueRow,
   printNoVulnFoundMsg
 } = require('../../audit/report/commonReportingFunctions')
-const { orderBy } = require('lodash')
-const { assignBySeverity } = require('../../scan/formatScanOutput')
-const chalk = require('chalk')
-const { CE_URL } = require('../../constants/constants')
 const common = require('../../common/fail')
-const i18n = require('i18n')
+const { printFormattedOutputSca } = require('./commonReportingFunctionsSca')
 
-const processAuditReport = (config, results) => {
+const processAuditReport = (config, reportModelList) => {
   let severityCounts = {}
-  if (results !== undefined) {
-    severityCounts = formatScaServicesReport(config, results)
+  if (reportModelList !== undefined) {
+    severityCounts = formatScaServicesReport(config, reportModelList)
   }
 
   if (config.fail) {
     common.processFail(config, severityCounts)
   }
 }
-const formatScaServicesReport = (config, results) => {
-  const projectOverviewCount = getSeverityCounts(results)
+const formatScaServicesReport = (config, reportModelList) => {
+  const projectOverviewCount = getSeverityCounts(reportModelList)
 
   if (projectOverviewCount.total === 0) {
     printNoVulnFoundMsg()
-    return projectOverviewCount
   } else {
-    let total = 0
-    const numberOfCves = results.length
-    const table = getReportTable()
-    let contrastHeaderNumCounter = 0
-    let assignPriorityToResults = results.map(result =>
-      assignBySeverity(result, result)
-    )
-    const numberOfVulns = results
-      .map(result => result.vulnerabilities)
-      .reduce((a, b) => {
-        return (total += b.length)
-      }, 0)
-    const outputOrderedByLowestSeverityAndLowestNumOfCvesFirst = orderBy(
-      assignPriorityToResults,
-      [
-        reportListItem => {
-          return reportListItem.priority
-        },
-        reportListItem => {
-          return reportListItem.vulnerabilities.length
-        }
-      ],
-      ['asc', 'desc']
-    )
-
-    for (const result of outputOrderedByLowestSeverityAndLowestNumOfCvesFirst) {
-      contrastHeaderNumCounter++
-      const cvesNum = result.vulnerabilities.length
-      const grammaticallyCorrectVul =
-        result.vulnerabilities.length > 1 ? 'vulnerabilities' : 'vulnerability'
-
-      const headerColour = chalk.hex(result.colour)
-      const headerRow = [
-        headerColour(
-          `CONTRAST-${contrastHeaderNumCounter.toString().padStart(3, '0')}`
-        ),
-        headerColour(`-`),
-        headerColour(`[${result.severity}] `) +
-          headerColour.bold(`${result.artifactName}`) +
-          ` introduces ${cvesNum} ${grammaticallyCorrectVul}`
-      ]
+    const numberOfVulnerableLibraries = reportModelList.map(library => {
+      let count = 0
 
-      const adviceRow = [
-        chalk.bold(`Advice`),
-        chalk.bold(`:`),
-        `Change to version ${result.remediationAdvice.latestStableVersion}`
-      ]
+      if (library.vulnerabilities.length > 0) {
+        count++
+      }
 
-      let assignPriorityToVulns = result.vulnerabilities.map(result =>
-        assignBySeverity(result, result)
-      )
-      const issueRow = getIssueRow(assignPriorityToVulns)
+      return count
+    }).length
 
-      table.push(headerRow, issueRow, adviceRow)
-      console.log()
-    }
-
-    console.log()
-    createSummaryMessageTop(numberOfCves, numberOfVulns)
-    console.log(table.toString() + '\n')
-    printVulnInfo(projectOverviewCount)
+    let numberOfCves = reportModelList.reduce(
+      (count, current) => count + current.vulnerabilities.length,
+      0
+    )
 
-    if (config.host !== CE_URL) {
-      console.log('\n' + chalk.bold(i18n.__('auditServicesMessageForTS')))
-      console.log(
-        `${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs`
-      )
-    }
-    return projectOverviewCount
+    printFormattedOutputSca(
+      config,
+      reportModelList,
+      numberOfVulnerableLibraries,
+      numberOfCves
+    )
   }
+
+  return projectOverviewCount
 }
 module.exports = {
   formatScaServicesReport,