@contrast/contrast 1.0.19 → 1.0.20

package/src/scaAnalysis/common/commonReportingFunctionsSca.js

@@ -0,0 +1,276 @@
+const {
+  ReportList,
+  ReportModelStructure,
+  ReportCompositeKey
+} = require('../../audit/report/models/reportListModel')
+const {
+  countVulnerableLibrariesBySeverity
+} = require('../../audit/report/utils/reportUtils')
+const {
+  SeverityCountModel
+} = require('../../audit/report/models/severityCountModel')
+const { orderBy } = require('lodash')
+const {
+  ReportOutputModel,
+  ReportOutputHeaderModel,
+  ReportOutputBodyModel
+} = require('../../audit/report/models/reportOutputModel')
+const {
+  CE_URL,
+  CRITICAL_COLOUR,
+  HIGH_COLOUR,
+  MEDIUM_COLOUR,
+  LOW_COLOUR,
+  NOTE_COLOUR
+} = require('../../constants/constants')
+const chalk = require('chalk')
+const Table = require('cli-table3')
+const {
+  findHighestSeverityCVESca,
+  severityCountAllCVEsSca,
+  findCVESeveritySca,
+  orderByHighestPrioritySca
+} = require('./utils/reportUtilsSca')
+const {
+  buildFormattedHeaderNum
+} = require('../../audit/report/commonReportingFunctions')
+
+const createSummaryMessageTop = (numberOfVulnerableLibraries, numberOfCves) => {
+  numberOfVulnerableLibraries === 1
+    ? console.log(
+        `\n\nFound 1 vulnerable library containing ${numberOfCves} CVE`
+      )
+    : console.log(
+        `\n\nFound ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVEs`
+      )
+}
+
+const createSummaryMessageBottom = numberOfVulnerableLibraries => {
+  numberOfVulnerableLibraries === 1
+    ? console.log(`Found 1 vulnerability`)
+    : console.log(`Found ${numberOfVulnerableLibraries} vulnerabilities`)
+}
+
+const printFormattedOutputSca = (
+  config,
+  reportModelList,
+  numberOfVulnerableLibraries,
+  numberOfCves
+) => {
+  createSummaryMessageTop(numberOfVulnerableLibraries, numberOfCves)
+  console.log()
+  const report = new ReportList()
+
+  for (const library of reportModelList) {
+    const { artifactName, version, vulnerabilities, remediationAdvice } =
+      library
+
+    const newOutputModel = new ReportModelStructure(
+      new ReportCompositeKey(
+        artifactName,
+        version,
+        findHighestSeverityCVESca(vulnerabilities),
+        severityCountAllCVEsSca(
+          vulnerabilities,
+          new SeverityCountModel()
+        ).getTotal
+      ),
+      vulnerabilities,
+      remediationAdvice
+    )
+    report.reportOutputList.push(newOutputModel)
+  }
+
+  const outputOrderedByLowestSeverityAndLowestNumOfCvesFirst = orderBy(
+    report.reportOutputList,
+    [
+      reportListItem => {
+        return reportListItem.compositeKey.highestSeverity.priority
+      },
+      reportListItem => {
+        return reportListItem.compositeKey.numberOfSeverities
+      }
+    ],
+    ['asc', 'desc']
+  )
+
+  let contrastHeaderNumCounter = 0
+  for (const reportModel of outputOrderedByLowestSeverityAndLowestNumOfCvesFirst) {
+    contrastHeaderNumCounter++
+    const { libraryName, libraryVersion, highestSeverity } =
+      reportModel.compositeKey
+
+    const { cveArray, remediationAdvice } = reportModel
+
+    const numOfCVEs = reportModel.cveArray.length
+
+    const table = getReportTable()
+
+    const header = buildHeader(
+      highestSeverity,
+      contrastHeaderNumCounter,
+      libraryName,
+      libraryVersion,
+      numOfCVEs
+    )
+
+    const body = buildBody(cveArray, remediationAdvice)
+
+    const reportOutputModel = new ReportOutputModel(header, body)
+
+    table.push(
+      reportOutputModel.body.issueMessage,
+      reportOutputModel.body.adviceMessage
+    )
+
+    console.log(
+      reportOutputModel.header.vulnMessage,
+      reportOutputModel.header.introducesMessage
+    )
+    console.log(table.toString() + '\n')
+  }
+
+  createSummaryMessageBottom(numberOfVulnerableLibraries)
+  const {
+    criticalMessage,
+    highMessage,
+    mediumMessage,
+    lowMessage,
+    noteMessage
+  } = buildFooter(outputOrderedByLowestSeverityAndLowestNumOfCvesFirst)
+  console.log(
+    `${criticalMessage} | ${highMessage} | ${mediumMessage} | ${lowMessage} | ${noteMessage}`
+  )
+
+  if (config.host !== CE_URL) {
+    console.log(
+      '\n' + chalk.bold('View your full dependency tree in Contrast:')
+    )
+    console.log(
+      `${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
+    )
+  }
+}
+
+function getReportTable() {
+  return new Table({
+    chars: {
+      top: '',
+      'top-mid': '',
+      'top-left': '',
+      'top-right': '',
+      bottom: '',
+      'bottom-mid': '',
+      'bottom-left': '',
+      'bottom-right': '',
+      left: '',
+      'left-mid': '',
+      mid: '',
+      'mid-mid': '',
+      right: '',
+      'right-mid': '',
+      middle: ' '
+    },
+    style: { 'padding-left': 0, 'padding-right': 0 },
+    colAligns: ['right'],
+    wordWrap: true,
+    colWidths: [12, 1, 100]
+  })
+}
+
+function buildHeader(
+  highestSeverity,
+  contrastHeaderNum,
+  libraryName,
+  version,
+  numOfCVEs
+) {
+  const vulnerabilityPluralised =
+    numOfCVEs > 1 ? 'vulnerabilities' : 'vulnerability'
+  const formattedHeaderNum = buildFormattedHeaderNum(contrastHeaderNum)
+
+  const headerColour = chalk.hex(highestSeverity.colour)
+  const headerNumAndSeverity = headerColour(
+    `${formattedHeaderNum} - [${highestSeverity.severity}]`
+  )
+  const libraryNameAndVersion = headerColour.bold(`${libraryName}-${version}`)
+  const vulnMessage = `${headerNumAndSeverity} ${libraryNameAndVersion}`
+
+  const introducesMessage = `introduces ${numOfCVEs} ${vulnerabilityPluralised}`
+
+  return new ReportOutputHeaderModel(vulnMessage, introducesMessage)
+}
+
+function buildBody(cveArray, advice) {
+  const orderedCvesWithSeverityAssigned = orderByHighestPrioritySca(
+    cveArray.map(cve => findCVESeveritySca(cve))
+  )
+  const issueMessage = getIssueRow(orderedCvesWithSeverityAssigned)
+  const adviceMessage = getAdviceRow(advice)
+
+  return new ReportOutputBodyModel(issueMessage, adviceMessage)
+}
+
+function getIssueRow(cveArray) {
+  const cveMessagesList = getIssueCveMsgList(cveArray)
+  return [chalk.bold('Issue'), ':', `${cveMessagesList.join(', ')}`]
+}
+
+function getAdviceRow(advice) {
+  const latestOrClosest = advice.latestStableVersion
+    ? advice.latestStableVersion
+    : advice.closestStableVersion
+  const displayAdvice = latestOrClosest
+    ? `Change to version ${chalk.bold(latestOrClosest)}`
+    : 'No recommendation is available according to our data. Upgrade to the latest stable is the best advice we can give.'
+
+  return [chalk.bold(`Advice`), chalk.bold(`:`), `${displayAdvice}`]
+}
+
+const buildFooter = reportModelStructure => {
+  const { critical, high, medium, low, note } =
+    countVulnerableLibrariesBySeverity(reportModelStructure)
+
+  const criticalMessage = chalk
+    .hex(CRITICAL_COLOUR)
+    .bold(`${critical} Critical`)
+  const highMessage = chalk.hex(HIGH_COLOUR).bold(`${high} High`)
+  const mediumMessage = chalk.hex(MEDIUM_COLOUR).bold(`${medium} Medium`)
+  const lowMessage = chalk.hex(LOW_COLOUR).bold(`${low} Low`)
+  const noteMessage = chalk.hex(NOTE_COLOUR).bold(`${note} Note`)
+
+  return {
+    criticalMessage,
+    highMessage,
+    mediumMessage,
+    lowMessage,
+    noteMessage
+  }
+}
+
+const getIssueCveMsgList = reportSeverityModels => {
+  const cveMessages = []
+  reportSeverityModels.forEach(reportSeverityModel => {
+    const { colour, severity, name } = reportSeverityModel
+
+    const severityShorthand = chalk
+      .hex(colour)
+      .bold(`[${severity.charAt(0).toUpperCase()}]`)
+
+    const builtMessage = severityShorthand + name
+    cveMessages.push(builtMessage)
+  })
+  return cveMessages
+}
+
+module.exports = {
+  createSummaryMessageTop,
+  createSummaryMessageBottom,
+  printFormattedOutputSca,
+  getReportTable,
+  buildHeader,
+  buildBody,
+  getIssueRow,
+  buildFormattedHeaderNum,
+  getIssueCveMsgList
+}

package/src/scaAnalysis/common/models/ScaReportModel.ts

@@ -0,0 +1,81 @@
+export class ScaReportModel {
+  uuid: string
+  groupName: string
+  artifactName: string
+  version: string
+  hash: string
+  fileName: string
+  libraryLanguage: string
+  vulnerable: boolean
+  privateLibrary: boolean
+  severity: string
+  releaseDate: string
+  latestVersionReleaseDate: string
+  latestVersion: string
+  versionsBehind: number
+  vulnerabilities: ScaReportVulnerabilityModel[]
+  remediationAdvice: ScaReportRemediationAdviceModel
+
+  constructor(library: any) {
+    this.uuid = library.uuid
+    this.groupName = library.groupName
+    this.artifactName = library.artifactName
+    this.version = library.version
+    this.hash = library.hash
+    this.fileName = library.fileName
+    this.libraryLanguage = library.libraryLanguage
+    this.vulnerable = library.vulnerable
+    this.privateLibrary = library.privateLibrary
+    this.severity = library.severity
+    this.releaseDate = library.releaseDate
+    this.latestVersionReleaseDate = library.latestVersionReleaseDate
+    this.latestVersion = library.latestVersion
+    this.versionsBehind = library.versionsBehind
+    this.vulnerabilities = library.vulnerabilities
+    this.remediationAdvice = library.remediationAdvice
+  }
+}
+
+export class ScaReportVulnerabilityModel {
+  name: string
+  description: string
+  cvss2Vector: string
+  severityValue: number
+  severity: string
+  cvss3Vector: string
+  cvss3SeverityValue: number
+  cvss3Severity: string
+  hasCvss3: boolean
+
+  constructor(
+    name: string,
+    description: string,
+    cvss2Vector: string,
+    severityValue: number,
+    severity: string,
+    cvss3Vector: string,
+    cvss3SeverityValue: number,
+    cvss3Severity: string,
+    hasCvss3: boolean
+  ) {
+    this.name = name
+    this.description = description
+    this.cvss2Vector = cvss2Vector
+    this.severityValue = severityValue
+    this.severity = severity
+    this.cvss3Vector = cvss3Vector
+    this.cvss3SeverityValue = cvss3SeverityValue
+    this.cvss3Severity = cvss3Severity
+    this.hasCvss3 = hasCvss3
+  }
+}
+
+export class ScaReportRemediationAdviceModel {
+  closestStableVersion: string
+  latestStableVersion: string
+
+  constructor(closestStableVersion: string, latestStableVersion: string) {
+    this.closestStableVersion = closestStableVersion
+    this.latestStableVersion = latestStableVersion
+  }
+}

package/src/scaAnalysis/common/scaServicesUpload.js

@@ -46,17 +46,19 @@ const scaTreeUpload = async (analysis, config) => {
       if (res.body.status === 'COMPLETED') {
         keepChecking = false
         return client.scaServiceReport(config, reportID).then(res => {
-          return [res.body, reportID]
+          const reportBody = res.body
+          return { reportBody, reportID }
         })
       }
     })
 
     if (!keepChecking) {
-      return [res, reportID]
+      return { reportArray: res.reportBody, reportID }
     }
     await requestUtils.sleep(5000)
   }
-  return [res, reportID]
+
+  return { reportArray: res, reportID }
 }
 
 module.exports = {

package/src/scaAnalysis/common/utils/reportUtilsSca.ts

@@ -0,0 +1,123 @@
+import { orderBy } from 'lodash'
+import {
+  CRITICAL_COLOUR,
+  CRITICAL_PRIORITY,
+  HIGH_COLOUR,
+  HIGH_PRIORITY,
+  LOW_COLOUR,
+  LOW_PRIORITY,
+  MEDIUM_COLOUR,
+  MEDIUM_PRIORITY,
+  NOTE_COLOUR,
+  NOTE_PRIORITY
+} from '../../../constants/constants'
+import { ReportSeverityModel } from '../../../audit/report/models/reportSeverityModel'
+import { SeverityCountModel } from '../../../audit/report/models/severityCountModel'
+import {
+  ScaReportModel,
+  ScaReportVulnerabilityModel
+} from '../models/ScaReportModel'
+
+export function findHighestSeverityCVESca(
+  cveArray: ScaReportVulnerabilityModel[]
+) {
+  const mappedToReportSeverityModels = cveArray.map(cve =>
+    findCVESeveritySca(cve)
+  )
+
+  //order and get first
+  return orderBy(mappedToReportSeverityModels, cve => cve?.priority)[0]
+}
+
+export function orderByHighestPrioritySca(
+  reportSeverityModel: ReportSeverityModel[]
+) {
+  return orderBy(reportSeverityModel, ['priority'], ['asc'])
+}
+
+export function findCVESeveritySca(
+  vulnerabilityModel: ScaReportVulnerabilityModel
+) {
+  const { name } = vulnerabilityModel
+
+  if (
+    vulnerabilityModel.cvss3Severity === 'CRITICAL' ||
+    vulnerabilityModel.severity === 'CRITICAL'
+  ) {
+    return new ReportSeverityModel(
+      'CRITICAL',
+      CRITICAL_PRIORITY,
+      CRITICAL_COLOUR,
+      name
+    )
+  } else if (
+    vulnerabilityModel.cvss3Severity === 'HIGH' ||
+    vulnerabilityModel.severity === 'HIGH'
+  ) {
+    return new ReportSeverityModel('HIGH', HIGH_PRIORITY, HIGH_COLOUR, name)
+  } else if (
+    vulnerabilityModel.cvss3Severity === 'MEDIUM' ||
+    vulnerabilityModel.severity === 'MEDIUM'
+  ) {
+    return new ReportSeverityModel(
+      'MEDIUM',
+      MEDIUM_PRIORITY,
+      MEDIUM_COLOUR,
+      name
+    )
+  } else if (
+    vulnerabilityModel.cvss3Severity === 'LOW' ||
+    vulnerabilityModel.severity === 'LOW'
+  ) {
+    return new ReportSeverityModel('LOW', LOW_PRIORITY, LOW_COLOUR, name)
+  } else if (
+    vulnerabilityModel.cvss3Severity === 'NOTE' ||
+    vulnerabilityModel.severity === 'NOTE'
+  ) {
+    return new ReportSeverityModel('NOTE', NOTE_PRIORITY, NOTE_COLOUR, name)
+  }
+}
+
+export function convertGenericToTypedReportModelSca(reportArray: any) {
+  return reportArray.map((library: any) => {
+    return new ScaReportModel(library)
+  })
+}
+
+export function severityCountAllLibrariesSca(
+  vulnerableLibraries: ScaReportModel[],
+  severityCount: SeverityCountModel
+) {
+  vulnerableLibraries.forEach(lib =>
+    severityCountAllCVEsSca(lib.vulnerabilities, severityCount)
+  )
+  return severityCount
+}
+
+export function severityCountAllCVEsSca(
+  cveArray: ScaReportVulnerabilityModel[],
+  severityCount: SeverityCountModel
+) {
+  const severityCountInner = severityCount
+  cveArray.forEach(cve => severityCountSingleCVESca(cve, severityCountInner))
+  return severityCountInner
+}
+
+export function severityCountSingleCVESca(
+  cve: ScaReportVulnerabilityModel,
+  severityCount: SeverityCountModel
+) {
+  if (cve.cvss3Severity === 'CRITICAL' || cve.severity === 'CRITICAL') {
+    severityCount.critical += 1
+  } else if (cve.cvss3Severity === 'HIGH' || cve.severity === 'HIGH') {
+    severityCount.high += 1
+  } else if (cve.cvss3Severity === 'MEDIUM' || cve.severity === 'MEDIUM') {
+    severityCount.medium += 1
+  } else if (cve.cvss3Severity === 'LOW' || cve.severity === 'LOW') {
+    severityCount.low += 1
+  } else if (cve.cvss3Severity === 'NOTE' || cve.severity === 'NOTE') {
+    severityCount.note += 1
+  }
+
+  return severityCount
+}

package/src/scaAnalysis/java/analysis.js

@@ -147,34 +147,7 @@ const getJavaBuildDeps = (config, files) => {
   }
 }
 
-const agreementPrompt = async config => {
-  const rl = readLine.createInterface({
-    input: process.stdin,
-    output: process.stdout
-  })
-
-  return new Promise((resolve, reject) => {
-    rl.question('❔ Do you want to continue? Type Y or N', async input => {
-      if (input.toLowerCase() === 'yes' || input.toLowerCase() === 'y') {
-        config.javaAgreement = paramHandler.setAgreement(true)
-        rl.close()
-        resolve(config)
-      } else if (input.toLowerCase() === 'no' || input.toLowerCase() === 'n') {
-        rl.close()
-        resolve(process.exit(1))
-      } else {
-        rl.close()
-        console.log('Invalid Input: Exiting')
-        resolve(process.exit(1))
-      }
-    })
-  }).catch(e => {
-    throw e
-  })
-}
-
 module.exports = {
   getJavaBuildDeps,
-  determineProjectTypeAndCwd,
-  agreementPrompt
+  determineProjectTypeAndCwd
 }

package/src/scaAnalysis/java/index.js

@@ -4,16 +4,12 @@ const { createJavaTSMessage } = require('../common/formatMessage')
 const {
   parseDependenciesForSCAServices
 } = require('../common/scaParserForGoAndJava')
-const chalk = require('chalk')
-const _ = require('lodash')
 
 const javaAnalysis = async (config, languageFiles) => {
   languageFiles.JAVA.forEach(file => {
     file.replace('build.gradle.kts', 'build.gradle')
   })
 
-  await getAgreement(config)
-
   const javaDeps = buildJavaTree(config, languageFiles.JAVA)
 
   if (config.experimental) {
@@ -23,24 +19,11 @@ const javaAnalysis = async (config, languageFiles) => {
   }
 }
 
-const getAgreement = async config => {
-  console.log(chalk.bold('Java project detected'))
-  console.log(
-    'Java analysis uses maven / gradle which are potentially susceptible to command injection. Be sure that the code you are running Contrast CLI on is trusted before continuing.'
-  )
-
-  if (!process.env.CI && !config?.javaAgreement) {
-    return await analysis.agreementPrompt(config)
-  }
-  return config
-}
-
 const buildJavaTree = (config, files) => {
   const javaBuildDeps = analysis.getJavaBuildDeps(config, files)
   return parseBuildDeps(config, javaBuildDeps)
 }
 
 module.exports = {
-  javaAnalysis,
-  getAgreement
+  javaAnalysis
 }

package/src/scan/formatScanOutput.ts

@@ -1,7 +1,4 @@
-import {
-  ScanResultsInstances,
-  ScanResultsModel
-} from './models/scanResultsModel'
+import { ScanResultsModel } from './models/scanResultsModel'
 import i18n from 'i18n'
 import chalk from 'chalk'
 import { ResultContent } from './models/resultContentModel'
@@ -13,7 +10,8 @@ import {
   HIGH_COLOUR,
   LOW_COLOUR,
   MEDIUM_COLOUR,
-  NOTE_COLOUR
+  NOTE_COLOUR,
+  supportedLanguagesScan
 } from '../constants/constants'
 import {
   getSeverityCounts,
@@ -21,27 +19,28 @@ import {
 } from '../audit/report/commonReportingFunctions'
 
 export function formatScanOutput(scanResults: ScanResultsModel) {
-  const { scanResultsInstances } = scanResults
+  const { content } = scanResults.scanResultsInstances
+  const { language } = scanResults.scanDetail
 
-  const projectOverview = getSeverityCounts(scanResultsInstances.content)
-  if (scanResultsInstances.content.length === 0) {
+  const severityCounts = getSeverityCounts(content)
+  if (content.length === 0) {
     console.log(i18n.__('scanNoVulnerabilitiesFound'))
     console.log(i18n.__('scanNoVulnerabilitiesFoundSecureCode'))
     console.log(i18n.__('scanNoVulnerabilitiesFoundGoodWork'))
   } else {
     const message =
-      projectOverview.critical || projectOverview.high
+      severityCounts.critical || severityCounts.high
         ? 'Here are your top priorities to fix'
         : "No major issues, here's what we found"
     console.log(chalk.bold(message))
     console.log()
 
-    let defaultView = getDefaultView(scanResultsInstances.content)
+    const defaultView = getDefaultView(content, language)
 
     let count = 0
     defaultView.forEach(entry => {
       count++
-      let table = new Table({
+      const table = new Table({
         chars: {
           top: '',
           'top-mid': '',
@@ -64,6 +63,7 @@ export function formatScanOutput(scanResults: ScanResultsModel) {
         wordWrap: true,
         colWidths: [12, 1, 100]
       })
+
       let learnRow: string[] = []
       let adviceRow = []
       const headerColour = chalk.hex(entry.colour)
@@ -107,9 +107,9 @@ export function formatScanOutput(scanResults: ScanResultsModel) {
       console.log()
     })
   }
-  printVulnInfo(projectOverview)
+  printVulnInfo(severityCounts)
 
-  return projectOverview
+  return severityCounts
 }
 
 export function formatLinks(objName: string, entry: any[]) {
@@ -124,7 +124,7 @@ export function formatLinks(objName: string, entry: any[]) {
   }
 }
 
-export function getDefaultView(content: ResultContent[]) {
+export function getDefaultView(content: ResultContent[], language: string) {
   const groupTypeResults = [] as GroupedResultsModel[]
 
   content.forEach(resultEntry => {
@@ -136,8 +136,7 @@ export function getDefaultView(content: ResultContent[]) {
     groupResultsObj.learn = resultEntry.learn
     groupResultsObj.message = resultEntry.message?.text
       ? editVulName(resultEntry.message.text) +
-        ':' +
-        getSourceLineNumber(resultEntry)
+        doAddSourceLineNumber(resultEntry, language)
       : ''
     groupResultsObj.codePath = getLocationsSyncInfo(resultEntry)
     groupTypeResults.push(groupResultsObj)
@@ -146,9 +145,21 @@ export function getDefaultView(content: ResultContent[]) {
 
   return sortBy(groupTypeResults, ['priority'])
 }
+
+export function doAddSourceLineNumber(
+  resultEntry: ResultContent,
+  language: string
+) {
+  //only add source line num if not JS
+  return language !== supportedLanguagesScan.JAVASCRIPT
+    ? ':' + getSourceLineNumber(resultEntry)
+    : ''
+}
+
 export function editVulName(message: string) {
   return message.substring(message.indexOf(' in '))
 }
+
 export function getLocationsSyncInfo(resultEntry: ResultContent) {
   const locationsMessage =
     resultEntry.locations[0]?.physicalLocation?.artifactLocation?.uri || ''
@@ -165,7 +176,7 @@ export function getLocationsSyncInfo(resultEntry: ResultContent) {
 export function getSourceLineNumber(resultEntry: ResultContent) {
   const locationsLineNumber =
     resultEntry.locations[0]?.physicalLocation?.region?.startLine || ''
-  let codeFlowLineNumber = getCodeFlowInfo(resultEntry)
+  const codeFlowLineNumber = getCodeFlowInfo(resultEntry)
 
   return codeFlowLineNumber ? codeFlowLineNumber : locationsLineNumber
 }