@contrast/contrast 1.0.19 → 1.0.21

package/src/scaAnalysis/scaAnalysis.js

@@ -0,0 +1,206 @@
+const {
+  supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET }
+} = require('../constants/constants')
+const {
+  pollForSnapshotCompletion
+} = require('../audit/languageAnalysisEngine/sendSnapshot')
+const {
+  returnOra,
+  startSpinner,
+  succeedSpinner
+} = require('../utils/oraWrapper')
+const { vulnerabilityReportV2 } = require('../audit/report/reportingFeature')
+const autoDetection = require('../scan/autoDetection')
+const treeUpload = require('./common/treeUpload')
+const auditController = require('../commands/audit/auditController')
+const rootFile = require('../audit/languageAnalysisEngine/getProjectRootFilenames')
+const path = require('path')
+const i18n = require('i18n')
+const auditSave = require('../audit/save')
+const { auditUsageGuide } = require('../commands/audit/help')
+const repoMode = require('./repoMode')
+const { dotNetAnalysis } = require('./dotnet')
+const { goAnalysis } = require('./go/goAnalysis')
+const { phpAnalysis } = require('./php')
+const { rubyAnalysis } = require('./ruby')
+const { pythonAnalysis } = require('./python')
+const javaAnalysis = require('./java')
+const jsAnalysis = require('./javascript')
+const auditReport = require('./common/auditReport')
+const scaUpload = require('./common/scaServicesUpload')
+const settingsHelper = require('../utils/settingsHelper')
+const chalk = require('chalk')
+const saveResults = require('../scan/saveResults')
+const {
+  convertGenericToTypedReportModelSca
+} = require('./common/utils/reportUtilsSca')
+
+const processSca = async config => {
+  //checks to see whether to use old TS / new SCA path
+  config = await settingsHelper.getSettings(config)
+
+  const startTime = performance.now()
+  let filesFound
+
+  if (config.help) {
+    console.log(auditUsageGuide)
+    process.exit(0)
+  }
+
+  const projectStats = await rootFile.getProjectStats(config.file)
+  let pathWithFile = projectStats.isFile()
+
+  config.fileName = config.file
+  config.file = pathWithFile
+    ? rootFile.getDirectoryFromPathGiven(config.file).concat('/')
+    : config.file
+
+  filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config.file)
+
+  autoDetection.dealWithMultiJava(filesFound)
+
+  if (filesFound.length > 1 && pathWithFile) {
+    filesFound = filesFound.filter(i =>
+      Object.values(i)[0].includes(path.basename(config.fileName))
+    )
+  }
+
+  // files found looks like [ { javascript: [ Array ] } ]
+  //check we have the language and call the right analyser
+  let messageToSend = undefined
+  if (filesFound.length === 1) {
+    switch (Object.keys(filesFound[0])[0]) {
+      case JAVA:
+        config.language = JAVA
+
+        if (config.mode === 'repo') {
+          try {
+            return repoMode.buildRepo(config, filesFound[0])
+          } catch (e) {
+            throw new Error(
+              'Unable to build in repository mode. Check your project file'
+            )
+          }
+        } else {
+          messageToSend = await javaAnalysis.javaAnalysis(config, filesFound[0])
+        }
+        break
+      case JAVASCRIPT:
+        messageToSend = await jsAnalysis.jsAnalysis(config, filesFound[0])
+        config.language = NODE
+        break
+      case PYTHON:
+        messageToSend = pythonAnalysis(config, filesFound[0])
+        config.language = PYTHON
+        break
+      case RUBY:
+        messageToSend = rubyAnalysis(config, filesFound[0])
+        config.language = RUBY
+        break
+      case PHP:
+        messageToSend = phpAnalysis(config, filesFound[0])
+        config.language = PHP
+        break
+      case GO:
+        messageToSend = goAnalysis(config, filesFound[0])
+        config.language = GO
+        break
+      case DOTNET:
+        if (config.experimental) {
+          console.log(
+            `${chalk.bold(
+              '\n.NET project found\n'
+            )} Language type is unsupported.`
+          )
+          return
+        } else {
+          messageToSend = dotNetAnalysis(config, filesFound[0])
+          config.language = DOTNET
+          break
+        }
+      default:
+        //something is wrong
+        console.log('No supported language detected in project path')
+        return
+    }
+
+    if (!config.applicationId) {
+      config.applicationId = await auditController.dealWithNoAppId(config)
+    }
+
+    if (config.experimental) {
+      console.log('') //empty log for space before spinner
+      const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
+      startSpinner(reportSpinner)
+      const { reportArray, reportId } = await scaUpload.scaTreeUpload(
+        messageToSend,
+        config
+      )
+
+      const reportModelLibraryList =
+        convertGenericToTypedReportModelSca(reportArray)
+      auditReport.processAuditReport(config, reportModelLibraryList)
+      succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
+
+      if (config.save !== undefined) {
+        await auditSave.auditSave(config, reportId)
+      } else {
+        console.log('Use contrast audit --save to generate an SBOM')
+      }
+
+      const endTime = performance.now() - startTime
+      const scanDurationMs = endTime - startTime
+      console.log(
+        `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
+      )
+    } else {
+      console.log('') //empty log for space before spinner
+      //send message to TS
+      const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
+      startSpinner(reportSpinner)
+      const snapshotResponse = await treeUpload.commonSendSnapShot(
+        messageToSend,
+        config
+      )
+
+      // poll for completion
+      await pollForSnapshotCompletion(
+        config,
+        snapshotResponse.id,
+        reportSpinner
+      )
+      succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
+
+      await vulnerabilityReportV2(config, snapshotResponse.id)
+      if (config.save !== undefined) {
+        await auditSave.auditSave(config)
+      } else {
+        console.log('\nUse contrast audit --save to generate an SBOM')
+      }
+      const endTime = performance.now() - startTime
+      const scanDurationMs = endTime - startTime
+
+      console.log(
+        `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
+      )
+    }
+  } else {
+    if (filesFound.length === 0) {
+      console.log(i18n.__('languageAnalysisNoLanguage'))
+      console.log(i18n.__('languageAnalysisNoLanguageHelpLine'))
+      throw new Error()
+    } else {
+      console.log(chalk.bold(`\nMultiple language files detected \n`))
+      filesFound.forEach(file => {
+        console.log(`${Object.keys(file)[0]} : `, Object.values(file)[0])
+      })
+      throw new Error(
+        `Please use --file to audit one language only. \nExample: contrast audit --file package-lock.json`
+      )
+    }
+  }
+}
+
+module.exports = {
+  processSca
+}

package/src/scan/autoDetection.js

@@ -1,8 +1,8 @@
 const i18n = require('i18n')
 const fileFinder = require('./fileUtils')
 
-const autoDetectFingerprintInfo = async filePath => {
-  let complexObj = await fileFinder.findAllFiles(filePath)
+const autoDetectFingerprintInfo = async (filePath, depth) => {
+  let complexObj = await fileFinder.findAllFiles(filePath, depth)
   let result = []
   let count = 0
   complexObj.forEach(i => {

package/src/scan/fileUtils.js

@@ -11,7 +11,7 @@ const findFile = async () => {
   })
 }
 
-const findAllFiles = async filePath => {
+const findAllFiles = async (filePath, depth = 2) => {
   const result = await fg(
     [
       '**/pom.xml',
@@ -25,7 +25,7 @@ const findAllFiles = async filePath => {
     ],
     {
       dot: false,
-      deep: 2,
+      deep: depth,
       onlyFiles: true,
       absolute: true,
       cwd: filePath ? filePath : process.cwd()

package/src/scan/formatScanOutput.ts

@@ -1,7 +1,4 @@
-import {
-  ScanResultsInstances,
-  ScanResultsModel
-} from './models/scanResultsModel'
+import { ScanResultsModel } from './models/scanResultsModel'
 import i18n from 'i18n'
 import chalk from 'chalk'
 import { ResultContent } from './models/resultContentModel'
@@ -13,7 +10,8 @@ import {
   HIGH_COLOUR,
   LOW_COLOUR,
   MEDIUM_COLOUR,
-  NOTE_COLOUR
+  NOTE_COLOUR,
+  supportedLanguagesScan
 } from '../constants/constants'
 import {
   getSeverityCounts,
@@ -21,27 +19,28 @@ import {
 } from '../audit/report/commonReportingFunctions'
 
 export function formatScanOutput(scanResults: ScanResultsModel) {
-  const { scanResultsInstances } = scanResults
+  const { content } = scanResults.scanResultsInstances
+  const { language } = scanResults.scanDetail
 
-  const projectOverview = getSeverityCounts(scanResultsInstances.content)
-  if (scanResultsInstances.content.length === 0) {
+  const severityCounts = getSeverityCounts(content)
+  if (content.length === 0) {
     console.log(i18n.__('scanNoVulnerabilitiesFound'))
     console.log(i18n.__('scanNoVulnerabilitiesFoundSecureCode'))
     console.log(i18n.__('scanNoVulnerabilitiesFoundGoodWork'))
   } else {
     const message =
-      projectOverview.critical || projectOverview.high
+      severityCounts.critical || severityCounts.high
         ? 'Here are your top priorities to fix'
         : "No major issues, here's what we found"
     console.log(chalk.bold(message))
     console.log()
 
-    let defaultView = getDefaultView(scanResultsInstances.content)
+    const defaultView = getDefaultView(content, language)
 
     let count = 0
     defaultView.forEach(entry => {
       count++
-      let table = new Table({
+      const table = new Table({
         chars: {
           top: '',
           'top-mid': '',
@@ -64,6 +63,7 @@ export function formatScanOutput(scanResults: ScanResultsModel) {
         wordWrap: true,
         colWidths: [12, 1, 100]
       })
+
       let learnRow: string[] = []
       let adviceRow = []
       const headerColour = chalk.hex(entry.colour)
@@ -107,9 +107,9 @@ export function formatScanOutput(scanResults: ScanResultsModel) {
       console.log()
     })
   }
-  printVulnInfo(projectOverview)
+  printVulnInfo(severityCounts)
 
-  return projectOverview
+  return severityCounts
 }
 
 export function formatLinks(objName: string, entry: any[]) {
@@ -124,7 +124,7 @@ export function formatLinks(objName: string, entry: any[]) {
   }
 }
 
-export function getDefaultView(content: ResultContent[]) {
+export function getDefaultView(content: ResultContent[], language: string) {
   const groupTypeResults = [] as GroupedResultsModel[]
 
   content.forEach(resultEntry => {
@@ -136,8 +136,7 @@ export function getDefaultView(content: ResultContent[]) {
     groupResultsObj.learn = resultEntry.learn
     groupResultsObj.message = resultEntry.message?.text
       ? editVulName(resultEntry.message.text) +
-        ':' +
-        getSourceLineNumber(resultEntry)
+        doAddSourceLineNumber(resultEntry, language)
       : ''
     groupResultsObj.codePath = getLocationsSyncInfo(resultEntry)
     groupTypeResults.push(groupResultsObj)
@@ -146,9 +145,21 @@ export function getDefaultView(content: ResultContent[]) {
 
   return sortBy(groupTypeResults, ['priority'])
 }
+
+export function doAddSourceLineNumber(
+  resultEntry: ResultContent,
+  language: string
+) {
+  //only add source line num if not JS
+  return language !== supportedLanguagesScan.JAVASCRIPT
+    ? ':' + getSourceLineNumber(resultEntry)
+    : ''
+}
+
 export function editVulName(message: string) {
   return message.substring(message.indexOf(' in '))
 }
+
 export function getLocationsSyncInfo(resultEntry: ResultContent) {
   const locationsMessage =
     resultEntry.locations[0]?.physicalLocation?.artifactLocation?.uri || ''
@@ -165,7 +176,7 @@ export function getLocationsSyncInfo(resultEntry: ResultContent) {
 export function getSourceLineNumber(resultEntry: ResultContent) {
   const locationsLineNumber =
     resultEntry.locations[0]?.physicalLocation?.region?.startLine || ''
-  let codeFlowLineNumber = getCodeFlowInfo(resultEntry)
+  const codeFlowLineNumber = getCodeFlowInfo(resultEntry)
 
   return codeFlowLineNumber ? codeFlowLineNumber : locationsLineNumber
 }

package/src/scan/help.js

@@ -44,7 +44,8 @@ const scanUsageGuide = commandLineUsage([
       constants.commandLineDefinitions.scanAdvancedOptionDefinitionsForHelp
   },
   commonHelpLinks()[0],
-  commonHelpLinks()[1]
+  commonHelpLinks()[1],
+  commonHelpLinks()[2]
 ])
 
 module.exports = {

package/src/utils/getConfig.ts

@@ -8,7 +8,6 @@ type ContrastConfOptions = Partial<{
   orgId: string
   authHeader: string
   numOfRuns: number
-  javaAgreement: boolean
 }>
 
 type ContrastConf = Conf<ContrastConfOptions>

package/src/utils/paramsUtil/configStoreParams.js

@@ -16,17 +16,4 @@ const getAuth = () => {
   return ContrastConfToUse
 }
 
-const getAgreement = () => {
-  const ContrastConf = config.localConfig(APP_NAME, APP_VERSION)
-  let ContrastConfToUse = {}
-  ContrastConfToUse.javaAgreement = ContrastConf.get('javaAgreement')
-  return ContrastConfToUse
-}
-
-const setAgreement = agreement => {
-  const ContrastConf = config.localConfig(APP_NAME, APP_VERSION)
-  ContrastConf.set('javaAgreement', agreement)
-  return agreement
-}
-
-module.exports = { getAuth, getAgreement, setAgreement }
+module.exports = { getAuth }

package/src/utils/paramsUtil/paramHandler.js

@@ -21,12 +21,4 @@ const getAuth = params => {
   }
 }
 
-const getAgreement = () => {
-  return configStoreParams.getAgreement()
-}
-
-const setAgreement = answer => {
-  return configStoreParams.setAgreement(answer)
-}
-
-module.exports = { getAuth, getAgreement, setAgreement }
+module.exports = { getAuth }

package/dist/commands/scan/sca/scaAnalysis.js

@@ -1,155 +0,0 @@
-"use strict";
-const { supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET } } = require('../../../constants/constants');
-const { pollForSnapshotCompletion } = require('../../../audit/languageAnalysisEngine/sendSnapshot');
-const { returnOra, startSpinner, succeedSpinner } = require('../../../utils/oraWrapper');
-const { vulnerabilityReportV2 } = require('../../../audit/report/reportingFeature');
-const autoDetection = require('../../../scan/autoDetection');
-const treeUpload = require('../../../scaAnalysis/common/treeUpload');
-const auditController = require('../../audit/auditController');
-const rootFile = require('../../../audit/languageAnalysisEngine/getProjectRootFilenames');
-const path = require('path');
-const i18n = require('i18n');
-const auditSave = require('../../../audit/save');
-const { auditUsageGuide } = require('../../audit/help');
-const repoMode = require('../../../scaAnalysis/repoMode/index');
-const { dotNetAnalysis } = require('../../../scaAnalysis/dotnet');
-const { goAnalysis } = require('../../../scaAnalysis/go/goAnalysis');
-const { phpAnalysis } = require('../../../scaAnalysis/php/index');
-const { rubyAnalysis } = require('../../../scaAnalysis/ruby');
-const { pythonAnalysis } = require('../../../scaAnalysis/python');
-const javaAnalysis = require('../../../scaAnalysis/java');
-const jsAnalysis = require('../../../scaAnalysis/javascript');
-const auditReport = require('../../../scaAnalysis/common/auditReport');
-const scaUpload = require('../../../scaAnalysis/common/scaServicesUpload');
-const settingsHelper = require('../../../utils/settingsHelper');
-const chalk = require('chalk');
-const saveResults = require('../../../scan/saveResults');
-const processSca = async (config) => {
-    config = await settingsHelper.getSettings(config);
-    const startTime = performance.now();
-    let filesFound;
-    if (config.help) {
-        console.log(auditUsageGuide);
-        process.exit(0);
-    }
-    const projectStats = await rootFile.getProjectStats(config.file);
-    let pathWithFile = projectStats.isFile();
-    config.fileName = config.file;
-    config.file = pathWithFile
-        ? rootFile.getDirectoryFromPathGiven(config.file).concat('/')
-        : config.file;
-    if (config.fingerprint && config.experimental) {
-        let fingerprint = await autoDetection.autoDetectFingerprintInfo(config.file);
-        let idArray = fingerprint.map(x => x.id);
-        await saveResults.writeResultsToFile(fingerprint, 'fingerPrintInfo.json');
-        console.log(idArray);
-    }
-    else {
-        filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config.file);
-        autoDetection.dealWithMultiJava(filesFound);
-        if (filesFound.length > 1 && pathWithFile) {
-            filesFound = filesFound.filter(i => Object.values(i)[0].includes(path.basename(config.fileName)));
-        }
-        let messageToSend = undefined;
-        if (filesFound.length === 1) {
-            switch (Object.keys(filesFound[0])[0]) {
-                case JAVA:
-                    config.language = JAVA;
-                    if (config.mode === 'repo') {
-                        try {
-                            return repoMode.buildRepo(config, filesFound[0]);
-                        }
-                        catch (e) {
-                            throw new Error('Unable to build in repository mode. Check your project file');
-                        }
-                    }
-                    else {
-                        messageToSend = await javaAnalysis.javaAnalysis(config, filesFound[0]);
-                    }
-                    break;
-                case JAVASCRIPT:
-                    messageToSend = await jsAnalysis.jsAnalysis(config, filesFound[0]);
-                    config.language = NODE;
-                    break;
-                case PYTHON:
-                    messageToSend = pythonAnalysis(config, filesFound[0]);
-                    config.language = PYTHON;
-                    break;
-                case RUBY:
-                    messageToSend = rubyAnalysis(config, filesFound[0]);
-                    config.language = RUBY;
-                    break;
-                case PHP:
-                    messageToSend = phpAnalysis(config, filesFound[0]);
-                    config.language = PHP;
-                    break;
-                case GO:
-                    messageToSend = goAnalysis(config, filesFound[0]);
-                    config.language = GO;
-                    break;
-                case DOTNET:
-                    messageToSend = dotNetAnalysis(config, filesFound[0]);
-                    config.language = DOTNET;
-                    break;
-                default:
-                    console.log('No supported language detected in project path');
-                    return;
-            }
-            if (!config.applicationId) {
-                config.applicationId = await auditController.dealWithNoAppId(config);
-            }
-            if (config.experimental) {
-                console.log('');
-                const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'));
-                startSpinner(reportSpinner);
-                const [reports, reportId] = await scaUpload.scaTreeUpload(messageToSend, config);
-                auditReport.processAuditReport(config, reports[0]);
-                succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'));
-                if (config.save !== undefined) {
-                    await auditSave.auditSave(config, reportId);
-                }
-                else {
-                    console.log('Use contrast audit --save to generate an SBOM');
-                }
-                const endTime = performance.now() - startTime;
-                const scanDurationMs = endTime - startTime;
-                console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`);
-            }
-            else {
-                console.log('');
-                const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'));
-                startSpinner(reportSpinner);
-                const snapshotResponse = await treeUpload.commonSendSnapShot(messageToSend, config);
-                await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner);
-                succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'));
-                await vulnerabilityReportV2(config, snapshotResponse.id);
-                if (config.save !== undefined) {
-                    await auditSave.auditSave(config);
-                }
-                else {
-                    console.log('\nUse contrast audit --save to generate an SBOM');
-                }
-                const endTime = performance.now() - startTime;
-                const scanDurationMs = endTime - startTime;
-                console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`);
-            }
-        }
-        else {
-            if (filesFound.length === 0) {
-                console.log(i18n.__('languageAnalysisNoLanguage'));
-                console.log(i18n.__('languageAnalysisNoLanguageHelpLine'));
-                throw new Error();
-            }
-            else {
-                console.log(chalk.bold(`\nMultiple language files detected \n`));
-                filesFound.forEach(file => {
-                    console.log(`${Object.keys(file)[0]} : `, Object.values(file)[0]);
-                });
-                throw new Error(`Please use --file to audit one language only. \nExample: contrast audit --file package-lock.json`);
-            }
-        }
-    }
-};
-module.exports = {
-    processSca
-};