@contrast/contrast 1.0.19 → 1.0.21

package/dist/scaAnalysis/common/models/ScaReportModel.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ScaReportRemediationAdviceModel = exports.ScaReportVulnerabilityModel = exports.ScaReportModel = void 0;
+class ScaReportModel {
+    constructor(library) {
+        this.uuid = library.uuid;
+        this.groupName = library.groupName;
+        this.artifactName = library.artifactName;
+        this.version = library.version;
+        this.hash = library.hash;
+        this.fileName = library.fileName;
+        this.libraryLanguage = library.libraryLanguage;
+        this.vulnerable = library.vulnerable;
+        this.privateLibrary = library.privateLibrary;
+        this.severity = library.severity;
+        this.releaseDate = library.releaseDate;
+        this.latestVersionReleaseDate = library.latestVersionReleaseDate;
+        this.latestVersion = library.latestVersion;
+        this.versionsBehind = library.versionsBehind;
+        this.vulnerabilities = library.vulnerabilities;
+        this.remediationAdvice = library.remediationAdvice;
+    }
+}
+exports.ScaReportModel = ScaReportModel;
+class ScaReportVulnerabilityModel {
+    constructor(name, description, cvss2Vector, severityValue, severity, cvss3Vector, cvss3SeverityValue, cvss3Severity, hasCvss3) {
+        this.name = name;
+        this.description = description;
+        this.cvss2Vector = cvss2Vector;
+        this.severityValue = severityValue;
+        this.severity = severity;
+        this.cvss3Vector = cvss3Vector;
+        this.cvss3SeverityValue = cvss3SeverityValue;
+        this.cvss3Severity = cvss3Severity;
+        this.hasCvss3 = hasCvss3;
+    }
+}
+exports.ScaReportVulnerabilityModel = ScaReportVulnerabilityModel;
+class ScaReportRemediationAdviceModel {
+    constructor(closestStableVersion, latestStableVersion) {
+        this.closestStableVersion = closestStableVersion;
+        this.latestStableVersion = latestStableVersion;
+    }
+}
+exports.ScaReportRemediationAdviceModel = ScaReportRemediationAdviceModel;

package/dist/scaAnalysis/common/scaServicesUpload.js

@@ -44,16 +44,17 @@ const scaTreeUpload = async (analysis, config) => {
             if (res.body.status === 'COMPLETED') {
                 keepChecking = false;
                 return client.scaServiceReport(config, reportID).then(res => {
-                    return [res.body, reportID];
+                    const reportBody = res.body;
+                    return { reportBody, reportID };
                 });
             }
         });
         if (!keepChecking) {
-            return [res, reportID];
+            return { reportArray: res.reportBody, reportID };
         }
         await requestUtils.sleep(5000);
     }
-    return [res, reportID];
+    return { reportArray: res, reportID };
 };
 module.exports = {
     scaTreeUpload

package/dist/scaAnalysis/common/utils/reportUtilsSca.js

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.severityCountSingleCVESca = exports.severityCountAllCVEsSca = exports.severityCountAllLibrariesSca = exports.convertGenericToTypedReportModelSca = exports.findCVESeveritySca = exports.orderByHighestPrioritySca = exports.findHighestSeverityCVESca = void 0;
+const lodash_1 = require("lodash");
+const constants_1 = require("../../../constants/constants");
+const reportSeverityModel_1 = require("../../../audit/report/models/reportSeverityModel");
+const ScaReportModel_1 = require("../models/ScaReportModel");
+function findHighestSeverityCVESca(cveArray) {
+    const mappedToReportSeverityModels = cveArray.map(cve => findCVESeveritySca(cve));
+    return (0, lodash_1.orderBy)(mappedToReportSeverityModels, cve => cve?.priority)[0];
+}
+exports.findHighestSeverityCVESca = findHighestSeverityCVESca;
+function orderByHighestPrioritySca(reportSeverityModel) {
+    return (0, lodash_1.orderBy)(reportSeverityModel, ['priority'], ['asc']);
+}
+exports.orderByHighestPrioritySca = orderByHighestPrioritySca;
+function findCVESeveritySca(vulnerabilityModel) {
+    const { name } = vulnerabilityModel;
+    if (vulnerabilityModel.cvss3Severity === 'CRITICAL' ||
+        vulnerabilityModel.severity === 'CRITICAL') {
+        return new reportSeverityModel_1.ReportSeverityModel('CRITICAL', constants_1.CRITICAL_PRIORITY, constants_1.CRITICAL_COLOUR, name);
+    }
+    else if (vulnerabilityModel.cvss3Severity === 'HIGH' ||
+        vulnerabilityModel.severity === 'HIGH') {
+        return new reportSeverityModel_1.ReportSeverityModel('HIGH', constants_1.HIGH_PRIORITY, constants_1.HIGH_COLOUR, name);
+    }
+    else if (vulnerabilityModel.cvss3Severity === 'MEDIUM' ||
+        vulnerabilityModel.severity === 'MEDIUM') {
+        return new reportSeverityModel_1.ReportSeverityModel('MEDIUM', constants_1.MEDIUM_PRIORITY, constants_1.MEDIUM_COLOUR, name);
+    }
+    else if (vulnerabilityModel.cvss3Severity === 'LOW' ||
+        vulnerabilityModel.severity === 'LOW') {
+        return new reportSeverityModel_1.ReportSeverityModel('LOW', constants_1.LOW_PRIORITY, constants_1.LOW_COLOUR, name);
+    }
+    else if (vulnerabilityModel.cvss3Severity === 'NOTE' ||
+        vulnerabilityModel.severity === 'NOTE') {
+        return new reportSeverityModel_1.ReportSeverityModel('NOTE', constants_1.NOTE_PRIORITY, constants_1.NOTE_COLOUR, name);
+    }
+}
+exports.findCVESeveritySca = findCVESeveritySca;
+function convertGenericToTypedReportModelSca(reportArray) {
+    return reportArray.map((library) => {
+        return new ScaReportModel_1.ScaReportModel(library);
+    });
+}
+exports.convertGenericToTypedReportModelSca = convertGenericToTypedReportModelSca;
+function severityCountAllLibrariesSca(vulnerableLibraries, severityCount) {
+    vulnerableLibraries.forEach(lib => severityCountAllCVEsSca(lib.vulnerabilities, severityCount));
+    return severityCount;
+}
+exports.severityCountAllLibrariesSca = severityCountAllLibrariesSca;
+function severityCountAllCVEsSca(cveArray, severityCount) {
+    const severityCountInner = severityCount;
+    cveArray.forEach(cve => severityCountSingleCVESca(cve, severityCountInner));
+    return severityCountInner;
+}
+exports.severityCountAllCVEsSca = severityCountAllCVEsSca;
+function severityCountSingleCVESca(cve, severityCount) {
+    if (cve.cvss3Severity === 'CRITICAL' || cve.severity === 'CRITICAL') {
+        severityCount.critical += 1;
+    }
+    else if (cve.cvss3Severity === 'HIGH' || cve.severity === 'HIGH') {
+        severityCount.high += 1;
+    }
+    else if (cve.cvss3Severity === 'MEDIUM' || cve.severity === 'MEDIUM') {
+        severityCount.medium += 1;
+    }
+    else if (cve.cvss3Severity === 'LOW' || cve.severity === 'LOW') {
+        severityCount.low += 1;
+    }
+    else if (cve.cvss3Severity === 'NOTE' || cve.severity === 'NOTE') {
+        severityCount.note += 1;
+    }
+    return severityCount;
+}
+exports.severityCountSingleCVESca = severityCountSingleCVESca;

package/dist/scaAnalysis/java/analysis.js

@@ -111,34 +111,7 @@ const getJavaBuildDeps = (config, files) => {
         console.log(err.message.toString());
     }
 };
-const agreementPrompt = async (config) => {
-    const rl = readLine.createInterface({
-        input: process.stdin,
-        output: process.stdout
-    });
-    return new Promise((resolve, reject) => {
-        rl.question('❔ Do you want to continue? Type Y or N', async (input) => {
-            if (input.toLowerCase() === 'yes' || input.toLowerCase() === 'y') {
-                config.javaAgreement = paramHandler.setAgreement(true);
-                rl.close();
-                resolve(config);
-            }
-            else if (input.toLowerCase() === 'no' || input.toLowerCase() === 'n') {
-                rl.close();
-                resolve(process.exit(1));
-            }
-            else {
-                rl.close();
-                console.log('Invalid Input: Exiting');
-                resolve(process.exit(1));
-            }
-        });
-    }).catch(e => {
-        throw e;
-    });
-};
 module.exports = {
     getJavaBuildDeps,
-    determineProjectTypeAndCwd,
-    agreementPrompt
+    determineProjectTypeAndCwd
 };

package/dist/scaAnalysis/java/index.js

@@ -3,13 +3,10 @@ const analysis = require('./analysis');
 const { parseBuildDeps } = require('./javaBuildDepsParser');
 const { createJavaTSMessage } = require('../common/formatMessage');
 const { parseDependenciesForSCAServices } = require('../common/scaParserForGoAndJava');
-const chalk = require('chalk');
-const _ = require('lodash');
 const javaAnalysis = async (config, languageFiles) => {
     languageFiles.JAVA.forEach(file => {
         file.replace('build.gradle.kts', 'build.gradle');
     });
-    await getAgreement(config);
     const javaDeps = buildJavaTree(config, languageFiles.JAVA);
     if (config.experimental) {
         return parseDependenciesForSCAServices(javaDeps);
@@ -18,19 +15,10 @@ const javaAnalysis = async (config, languageFiles) => {
         return createJavaTSMessage(javaDeps);
     }
 };
-const getAgreement = async (config) => {
-    console.log(chalk.bold('Java project detected'));
-    console.log('Java analysis uses maven / gradle which are potentially susceptible to command injection. Be sure that the code you are running Contrast CLI on is trusted before continuing.');
-    if (!process.env.CI && !config?.javaAgreement) {
-        return await analysis.agreementPrompt(config);
-    }
-    return config;
-};
 const buildJavaTree = (config, files) => {
     const javaBuildDeps = analysis.getJavaBuildDeps(config, files);
     return parseBuildDeps(config, javaBuildDeps);
 };
 module.exports = {
-    javaAnalysis,
-    getAgreement
+    javaAnalysis
 };

package/dist/scaAnalysis/scaAnalysis.js

@@ -0,0 +1,155 @@
+"use strict";
+const { supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET } } = require('../constants/constants');
+const { pollForSnapshotCompletion } = require('../audit/languageAnalysisEngine/sendSnapshot');
+const { returnOra, startSpinner, succeedSpinner } = require('../utils/oraWrapper');
+const { vulnerabilityReportV2 } = require('../audit/report/reportingFeature');
+const autoDetection = require('../scan/autoDetection');
+const treeUpload = require('./common/treeUpload');
+const auditController = require('../commands/audit/auditController');
+const rootFile = require('../audit/languageAnalysisEngine/getProjectRootFilenames');
+const path = require('path');
+const i18n = require('i18n');
+const auditSave = require('../audit/save');
+const { auditUsageGuide } = require('../commands/audit/help');
+const repoMode = require('./repoMode');
+const { dotNetAnalysis } = require('./dotnet');
+const { goAnalysis } = require('./go/goAnalysis');
+const { phpAnalysis } = require('./php');
+const { rubyAnalysis } = require('./ruby');
+const { pythonAnalysis } = require('./python');
+const javaAnalysis = require('./java');
+const jsAnalysis = require('./javascript');
+const auditReport = require('./common/auditReport');
+const scaUpload = require('./common/scaServicesUpload');
+const settingsHelper = require('../utils/settingsHelper');
+const chalk = require('chalk');
+const saveResults = require('../scan/saveResults');
+const { convertGenericToTypedReportModelSca } = require('./common/utils/reportUtilsSca');
+const processSca = async (config) => {
+    config = await settingsHelper.getSettings(config);
+    const startTime = performance.now();
+    let filesFound;
+    if (config.help) {
+        console.log(auditUsageGuide);
+        process.exit(0);
+    }
+    const projectStats = await rootFile.getProjectStats(config.file);
+    let pathWithFile = projectStats.isFile();
+    config.fileName = config.file;
+    config.file = pathWithFile
+        ? rootFile.getDirectoryFromPathGiven(config.file).concat('/')
+        : config.file;
+    filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config.file);
+    autoDetection.dealWithMultiJava(filesFound);
+    if (filesFound.length > 1 && pathWithFile) {
+        filesFound = filesFound.filter(i => Object.values(i)[0].includes(path.basename(config.fileName)));
+    }
+    let messageToSend = undefined;
+    if (filesFound.length === 1) {
+        switch (Object.keys(filesFound[0])[0]) {
+            case JAVA:
+                config.language = JAVA;
+                if (config.mode === 'repo') {
+                    try {
+                        return repoMode.buildRepo(config, filesFound[0]);
+                    }
+                    catch (e) {
+                        throw new Error('Unable to build in repository mode. Check your project file');
+                    }
+                }
+                else {
+                    messageToSend = await javaAnalysis.javaAnalysis(config, filesFound[0]);
+                }
+                break;
+            case JAVASCRIPT:
+                messageToSend = await jsAnalysis.jsAnalysis(config, filesFound[0]);
+                config.language = NODE;
+                break;
+            case PYTHON:
+                messageToSend = pythonAnalysis(config, filesFound[0]);
+                config.language = PYTHON;
+                break;
+            case RUBY:
+                messageToSend = rubyAnalysis(config, filesFound[0]);
+                config.language = RUBY;
+                break;
+            case PHP:
+                messageToSend = phpAnalysis(config, filesFound[0]);
+                config.language = PHP;
+                break;
+            case GO:
+                messageToSend = goAnalysis(config, filesFound[0]);
+                config.language = GO;
+                break;
+            case DOTNET:
+                if (config.experimental) {
+                    console.log(`${chalk.bold('\n.NET project found\n')} Language type is unsupported.`);
+                    return;
+                }
+                else {
+                    messageToSend = dotNetAnalysis(config, filesFound[0]);
+                    config.language = DOTNET;
+                    break;
+                }
+            default:
+                console.log('No supported language detected in project path');
+                return;
+        }
+        if (!config.applicationId) {
+            config.applicationId = await auditController.dealWithNoAppId(config);
+        }
+        if (config.experimental) {
+            console.log('');
+            const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'));
+            startSpinner(reportSpinner);
+            const { reportArray, reportId } = await scaUpload.scaTreeUpload(messageToSend, config);
+            const reportModelLibraryList = convertGenericToTypedReportModelSca(reportArray);
+            auditReport.processAuditReport(config, reportModelLibraryList);
+            succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'));
+            if (config.save !== undefined) {
+                await auditSave.auditSave(config, reportId);
+            }
+            else {
+                console.log('Use contrast audit --save to generate an SBOM');
+            }
+            const endTime = performance.now() - startTime;
+            const scanDurationMs = endTime - startTime;
+            console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`);
+        }
+        else {
+            console.log('');
+            const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'));
+            startSpinner(reportSpinner);
+            const snapshotResponse = await treeUpload.commonSendSnapShot(messageToSend, config);
+            await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner);
+            succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'));
+            await vulnerabilityReportV2(config, snapshotResponse.id);
+            if (config.save !== undefined) {
+                await auditSave.auditSave(config);
+            }
+            else {
+                console.log('\nUse contrast audit --save to generate an SBOM');
+            }
+            const endTime = performance.now() - startTime;
+            const scanDurationMs = endTime - startTime;
+            console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`);
+        }
+    }
+    else {
+        if (filesFound.length === 0) {
+            console.log(i18n.__('languageAnalysisNoLanguage'));
+            console.log(i18n.__('languageAnalysisNoLanguageHelpLine'));
+            throw new Error();
+        }
+        else {
+            console.log(chalk.bold(`\nMultiple language files detected \n`));
+            filesFound.forEach(file => {
+                console.log(`${Object.keys(file)[0]} : `, Object.values(file)[0]);
+            });
+            throw new Error(`Please use --file to audit one language only. \nExample: contrast audit --file package-lock.json`);
+        }
+    }
+};
+module.exports = {
+    processSca
+};

package/dist/scan/autoDetection.js

@@ -1,8 +1,8 @@
 "use strict";
 const i18n = require('i18n');
 const fileFinder = require('./fileUtils');
-const autoDetectFingerprintInfo = async (filePath) => {
-    let complexObj = await fileFinder.findAllFiles(filePath);
+const autoDetectFingerprintInfo = async (filePath, depth) => {
+    let complexObj = await fileFinder.findAllFiles(filePath, depth);
     let result = [];
     let count = 0;
     complexObj.forEach(i => {

package/dist/scan/fileUtils.js

@@ -10,7 +10,7 @@ const findFile = async () => {
         onlyFiles: true
     });
 };
-const findAllFiles = async (filePath) => {
+const findAllFiles = async (filePath, depth = 2) => {
     const result = await fg([
         '**/pom.xml',
         '**/build.gradle',
@@ -22,7 +22,7 @@ const findAllFiles = async (filePath) => {
         '**/go.mod'
     ], {
         dot: false,
-        deep: 2,
+        deep: depth,
         onlyFiles: true,
         absolute: true,
         cwd: filePath ? filePath : process.cwd()

package/dist/scan/formatScanOutput.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.assignBySeverity = exports.stripTags = exports.getCodeFlowInfo = exports.getSourceLineNumber = exports.getLocationsSyncInfo = exports.editVulName = exports.getDefaultView = exports.formatLinks = exports.formatScanOutput = void 0;
+exports.assignBySeverity = exports.stripTags = exports.getCodeFlowInfo = exports.getSourceLineNumber = exports.getLocationsSyncInfo = exports.editVulName = exports.doAddSourceLineNumber = exports.getDefaultView = exports.formatLinks = exports.formatScanOutput = void 0;
 const i18n_1 = __importDefault(require("i18n"));
 const chalk_1 = __importDefault(require("chalk"));
 const groupedResultsModel_1 = require("./models/groupedResultsModel");
@@ -12,24 +12,25 @@ const cli_table3_1 = __importDefault(require("cli-table3"));
 const constants_1 = require("../constants/constants");
 const commonReportingFunctions_1 = require("../audit/report/commonReportingFunctions");
 function formatScanOutput(scanResults) {
-    const { scanResultsInstances } = scanResults;
-    const projectOverview = (0, commonReportingFunctions_1.getSeverityCounts)(scanResultsInstances.content);
-    if (scanResultsInstances.content.length === 0) {
+    const { content } = scanResults.scanResultsInstances;
+    const { language } = scanResults.scanDetail;
+    const severityCounts = (0, commonReportingFunctions_1.getSeverityCounts)(content);
+    if (content.length === 0) {
         console.log(i18n_1.default.__('scanNoVulnerabilitiesFound'));
         console.log(i18n_1.default.__('scanNoVulnerabilitiesFoundSecureCode'));
         console.log(i18n_1.default.__('scanNoVulnerabilitiesFoundGoodWork'));
     }
     else {
-        const message = projectOverview.critical || projectOverview.high
+        const message = severityCounts.critical || severityCounts.high
             ? 'Here are your top priorities to fix'
             : "No major issues, here's what we found";
         console.log(chalk_1.default.bold(message));
         console.log();
-        let defaultView = getDefaultView(scanResultsInstances.content);
+        const defaultView = getDefaultView(content, language);
         let count = 0;
         defaultView.forEach(entry => {
             count++;
-            let table = new cli_table3_1.default({
+            const table = new cli_table3_1.default({
                 chars: {
                     top: '',
                     'top-mid': '',
@@ -90,8 +91,8 @@ function formatScanOutput(scanResults) {
             console.log();
         });
     }
-    (0, commonReportingFunctions_1.printVulnInfo)(projectOverview);
-    return projectOverview;
+    (0, commonReportingFunctions_1.printVulnInfo)(severityCounts);
+    return severityCounts;
 }
 exports.formatScanOutput = formatScanOutput;
 function formatLinks(objName, entry) {
@@ -107,7 +108,7 @@ function formatLinks(objName, entry) {
     }
 }
 exports.formatLinks = formatLinks;
-function getDefaultView(content) {
+function getDefaultView(content, language) {
     const groupTypeResults = [];
     content.forEach(resultEntry => {
         const groupResultsObj = new groupedResultsModel_1.GroupedResultsModel(resultEntry.ruleId);
@@ -118,8 +119,7 @@ function getDefaultView(content) {
         groupResultsObj.learn = resultEntry.learn;
         groupResultsObj.message = resultEntry.message?.text
             ? editVulName(resultEntry.message.text) +
-                ':' +
-                getSourceLineNumber(resultEntry)
+                doAddSourceLineNumber(resultEntry, language)
             : '';
         groupResultsObj.codePath = getLocationsSyncInfo(resultEntry);
         groupTypeResults.push(groupResultsObj);
@@ -128,6 +128,12 @@ function getDefaultView(content) {
     return (0, lodash_1.sortBy)(groupTypeResults, ['priority']);
 }
 exports.getDefaultView = getDefaultView;
+function doAddSourceLineNumber(resultEntry, language) {
+    return language !== constants_1.supportedLanguagesScan.JAVASCRIPT
+        ? ':' + getSourceLineNumber(resultEntry)
+        : '';
+}
+exports.doAddSourceLineNumber = doAddSourceLineNumber;
 function editVulName(message) {
     return message.substring(message.indexOf(' in '));
 }
@@ -143,7 +149,7 @@ function getLocationsSyncInfo(resultEntry) {
 exports.getLocationsSyncInfo = getLocationsSyncInfo;
 function getSourceLineNumber(resultEntry) {
     const locationsLineNumber = resultEntry.locations[0]?.physicalLocation?.region?.startLine || '';
-    let codeFlowLineNumber = getCodeFlowInfo(resultEntry);
+    const codeFlowLineNumber = getCodeFlowInfo(resultEntry);
     return codeFlowLineNumber ? codeFlowLineNumber : locationsLineNumber;
 }
 exports.getSourceLineNumber = getSourceLineNumber;

package/dist/scan/help.js

@@ -43,7 +43,8 @@ const scanUsageGuide = commandLineUsage([
         optionList: constants.commandLineDefinitions.scanAdvancedOptionDefinitionsForHelp
     },
     commonHelpLinks()[0],
-    commonHelpLinks()[1]
+    commonHelpLinks()[1],
+    commonHelpLinks()[2]
 ]);
 module.exports = {
     scanUsageGuide

package/dist/utils/paramsUtil/configStoreParams.js

@@ -15,15 +15,4 @@ const getAuth = () => {
     }
     return ContrastConfToUse;
 };
-const getAgreement = () => {
-    const ContrastConf = config.localConfig(APP_NAME, APP_VERSION);
-    let ContrastConfToUse = {};
-    ContrastConfToUse.javaAgreement = ContrastConf.get('javaAgreement');
-    return ContrastConfToUse;
-};
-const setAgreement = agreement => {
-    const ContrastConf = config.localConfig(APP_NAME, APP_VERSION);
-    ContrastConf.set('javaAgreement', agreement);
-    return agreement;
-};
-module.exports = { getAuth, getAgreement, setAgreement };
+module.exports = { getAuth };

package/dist/utils/paramsUtil/paramHandler.js

@@ -22,10 +22,4 @@ const getAuth = params => {
         process.exit(1);
     }
 };
-const getAgreement = () => {
-    return configStoreParams.getAgreement();
-};
-const setAgreement = answer => {
-    return configStoreParams.setAgreement(answer);
-};
-module.exports = { getAuth, getAgreement, setAgreement };
+module.exports = { getAuth };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "1.0.19",
+  "version": "1.0.21",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -15,6 +15,10 @@
     {
       "name": "Andrew Shanks",
       "email": "andrew.shanks@contrastsecurity.com"
+    },
+    {
+      "name": "Oisín Cassidy",
+      "email": "oisin.cassidy@contrastsecurity.com"
     }
   ],
   "license": "ISC",

package/src/audit/report/commonReportingFunctions.js

@@ -108,7 +108,8 @@ const printFormattedOutput = (
           new SeverityCountModel()
         ).getTotal
       ),
-      library.cveArray
+      library.cveArray,
+      null
     )
     report.reportOutputList.push(newOutputModel)
   }
@@ -131,6 +132,7 @@ const printFormattedOutput = (
     contrastHeaderNumCounter++
     const { libraryName, libraryVersion, highestSeverity } =
       reportModel.compositeKey
+
     const numOfCVEs = reportModel.cveArray.length
 
     const table = getReportTable()
@@ -236,9 +238,11 @@ function buildHeader(
 }
 
 function buildBody(cveArray, advice) {
-  let assignPriorityToVulns = cveArray.map(result => findCVESeverity(result))
+  const orderedCvesWithSeverityAssigned = orderByHighestPriority(
+    cveArray.map(cve => findCVESeverity(cve))
+  )
 
-  const issueMessage = getIssueRow(assignPriorityToVulns)
+  const issueMessage = getIssueRow(orderedCvesWithSeverityAssigned)
 
   //todo different advice based on remediationGuidance being available or now
   // console.log(advice)
@@ -254,7 +258,6 @@ function buildBody(cveArray, advice) {
 }
 
 function getIssueRow(cveArray) {
-  orderByHighestPriority(cveArray)
   const cveMessagesList = getIssueCveMsgList(cveArray)
   return [chalk.bold('Issue'), ':', `${cveMessagesList.join(', ')}`]
 }
@@ -301,7 +304,6 @@ const getIssueCveMsgList = results => {
   const cveMessages = []
 
   results.forEach(reportSeverityModel => {
-    // @ts-ignore
     const { colour, severity, name } = reportSeverityModel
 
     const severityShorthand = chalk

package/src/audit/report/models/reportListModel.ts

@@ -1,5 +1,9 @@
 import { ReportSeverityModel } from './reportSeverityModel'
 import { ReportCVEModel } from './reportLibraryModel'
+import {
+  ScaReportRemediationAdviceModel,
+  ScaReportVulnerabilityModel
+} from '../../../scaAnalysis/common/models/ScaReportModel'
 
 export class ReportList {
   reportOutputList: ReportModelStructure[]
@@ -11,11 +15,17 @@ export class ReportList {
 
 export class ReportModelStructure {
   compositeKey: ReportCompositeKey
-  cveArray: ReportCVEModel[]
+  cveArray: ReportCVEModel[] | ScaReportVulnerabilityModel[]
+  remediationAdvice: ScaReportRemediationAdviceModel | null
 
-  constructor(compositeKey: ReportCompositeKey, cveArray: ReportCVEModel[]) {
+  constructor(
+    compositeKey: ReportCompositeKey,
+    cveArray: ReportCVEModel[] | ScaReportVulnerabilityModel[],
+    remediationAdvice: ScaReportRemediationAdviceModel | null
+  ) {
     this.compositeKey = compositeKey
     this.cveArray = cveArray
+    this.remediationAdvice = remediationAdvice
   }
 }
 

package/src/audit/report/reportingFeature.ts

@@ -87,7 +87,7 @@ export async function vulnerabilityReportV2(config: any, reportId: string) {
   const reportResponse = await getReport(config, reportId)
 
   if (reportResponse !== undefined) {
-    let output = formatVulnerabilityOutput(
+    const output = formatVulnerabilityOutput(
       reportResponse.vulnerabilities,
       config.applicationId,
       config,