@contrast/contrast 1.0.2 → 1.0.3

package/src/constants/locales.js

@@ -172,13 +172,19 @@ const en_locales = () => {
     constantsSeverity:
       'Combined with the --report command, allows the user to report libraries with vulnerabilities above a chosen severity level. For example, cve_severity medium only reports libraries with vulnerabilities at medium or higher severity. Values for level are high, medium or low.',
     constantsCount: "The number of CVE's that must be exceeded to fail a build",
-    constantsHeader: 'Contrast CLI',
+    constantsHeader: 'CodeSec by Contrast Security',
     constantsPrerequisitesContentScanLanguages: 'Java & JavaScript supported',
     constantsContrastContent:
-      'Use the Contrast CLI, the fastest and most accurate code scan, to help find and eliminate security bugs in your code.',
+      'Use the Contrast CLI to run a scan(Java, JavaScript and .NET ) or lambda command (Java and Python) to find your vulnerabilities and start securing your code.',
     constantsUsageGuideContentRecommendation:
       'Our recommendation is that this is invoked as part of a CI pipeline so that running the cli is automated as part of your build process.',
     constantsPrerequisitesHeader: 'Pre-requisites',
+    constantsAuthUsageHeader: 'Usage',
+    constantsAuthUsageContents: 'contrast auth',
+    constantsAuthHeaderContents:
+      'Authorize with external identity provider to perform scans on code',
+    configHeader: 'Config',
+    constantsConfigUsageContents: 'view / clear the configuration',
     constantsPrerequisitesContent:
       'To scan a Java project you will need a .jar or .war file for analysis\n' +
       'To scan a Javascript project you will need a .js or.zip file for analysis\n' +
@@ -186,7 +192,7 @@ const en_locales = () => {
     constantsUsage: 'Usage',
     constantsUsageCommandExample: 'contrast [command] [options]',
     constantsUsageCommandInfo:
-      'The file argument is optional. If no file is given, Contrast will search for a .jar, .war, .js, .exe or .zip file in the working directory.\n',
+      'The file argument is optional. If no file is given, Contrast will search for a .jar, .war, .exe or .zip file in the working directory.\n',
     constantsUsageCommandInfo24Hours:
       'Submitted files are encrypted during upload and deleted in 24 hours.',
     constantsAnd: 'AND',
@@ -296,8 +302,7 @@ const en_locales = () => {
       'We only accept the following file types: \nJava - .jar, .war \nJavaScript - .js or .zip files',
     helpAuthSummary:
       'Authenticate Contrast using your Github or Google account',
-    helpScanSummary:
-      'Searches for a .jar, .war, .js or .zip file in the working directory, uploads for analysis and returns the results',
+    helpScanSummary: 'Perform static analysis on binaries / code artifacts',
     helpLambdaSummary: 'Perform scan on AWS Lambda functions',
     helpVersionSummary: 'Displays version of Contrast CLI',
     helpConfigSummary: 'Displays stored credentials',
@@ -308,6 +313,7 @@ const en_locales = () => {
     versionName: 'version',
     configName: 'config',
     helpName: 'help',
+    scanOptionsLanguageSummary: 'Valid values are JAVA, JAVASCRIPT and DOTNET',
     scanOptionsLanguageSummaryOptional:
       'Language of file to send for analysis. ',
     scanOptionsLanguageSummaryRequired:
@@ -315,7 +321,7 @@ const en_locales = () => {
     scanOptionsTimeoutSummary:
       'Time in seconds to wait for scan to complete. Default value is 300 seconds.',
     scanOptionsFileNameSummary:
-      'Path of the file you want to scan. If no file is specified, Contrast searches for a .jar, .war, .js, .exe or .zip file in the working directory.',
+      'Path of the file you want to scan. If no file is specified, Contrast searches for a .jar, .war, .exe or .zip file in the working directory.',
     scanOptionsVerboseSummary: ' Returns extended information to the terminal.',
     authSuccessMessage: 'Authentication successful',
     runAuthSuccessMessage:
@@ -326,7 +332,7 @@ const en_locales = () => {
     zipErrorScan:
       'We only support zip files for JAVASCRIPT language, please set the flag --language JAVASCRIPT',
     unknownFileErrorScan: 'Unsupported file selected for Scan.',
-    foundScanFile: 'found: %s',
+    foundScanFile: 'Found: %s',
     foundDetailedVulnerabilities:
       chalk.bold('%s Critical') +
       ' | ' +
@@ -336,6 +342,7 @@ const en_locales = () => {
     timeoutScan: 'Timeout set to 5 minutes.',
     searchingScanFileDirectory: 'Searching for file to scan from %s...',
     scanHeader: 'Contrast Scan CLI',
+    authHeader: 'Auth',
     lambdaHeader: 'Contrast lambda help',
     lambdaSummary:
       'Performs static security scan on an AWS Lambda Function.\nProduces CVE (Vulnerable Dependencies) and Least Privilege violations/remediation results.',
@@ -406,7 +413,15 @@ const en_locales = () => {
       'saves the output in specified format Txt text, sbom',
     scanNoVulnerabilitiesFound: '👏 No vulnerabilities found',
     scanNoFiletypeSpecifiedForSave:
-      'Please specify file type to save results to',
+      'Please specify file type to save results to, accepted value is SARIF',
+    auditSBOMSaveSuccess:
+      '\n Software Bill of Materials (SBOM) saved successfully',
+    auditNoFiletypeSpecifiedForSave: `\n ${chalk.yellow.bold(
+      'No file type specified for --save option to save audit results to. Use audit --help to see valid --save options.'
+    )}`,
+    auditBadFiletypeSpecifiedForSave: `\n ${chalk.yellow.bold(
+      'Bad file type specified for --save option. Use audit --help to see valid --save options.'
+    )}`,
     ...lambda
   }
 }

package/src/constants.js

@@ -20,6 +20,15 @@ const scanOptionDefinitions = [
       '}: ' +
       i18n.__('constantsProjectName')
   },
+  {
+    name: 'language',
+    alias: 'l',
+    description:
+      '{bold ' +
+      i18n.__('constantsOptional') +
+      '}: ' +
+      i18n.__('scanOptionsLanguageSummary')
+  },
   {
     name: 'file',
     alias: 'f',
@@ -75,7 +84,6 @@ const scanOptionDefinitions = [
   },
   {
     name: 'host',
-    alias: 'h',
     description:
       '{bold ' +
       i18n.__('constantsRequired') +
@@ -126,6 +134,7 @@ const scanOptionDefinitions = [
   },
   {
     name: 'help',
+    alias: 'h',
     type: Boolean
   },
   {
@@ -135,6 +144,29 @@ const scanOptionDefinitions = [
   }
 ]
 
+const authOptionDefinitions = [
+  {
+    name: 'help',
+    alias: 'h',
+    type: Boolean
+  }
+]
+
+const configOptionDefinitions = [
+  {
+    name: 'help',
+    alias: 'h',
+    type: Boolean,
+    description: 'Help text'
+  },
+  {
+    name: 'clear',
+    alias: 'c',
+    type: Boolean,
+    description: 'Clear the currently stored config'
+  }
+]
+
 const auditOptionDefinitions = [
   {
     name: 'application-id',
@@ -291,6 +323,7 @@ const mainUsageGuide = commandLineUsage([
     header: i18n.__('constantsCommands'),
     content: [
       { name: i18n.__('authName'), summary: i18n.__('helpAuthSummary') },
+      { name: i18n.__('scanName'), summary: i18n.__('helpScanSummary') },
       { name: i18n.__('lambdaName'), summary: i18n.__('helpLambdaSummary') },
       { name: i18n.__('versionName'), summary: i18n.__('helpVersionSummary') },
       { name: i18n.__('configName'), summary: i18n.__('helpConfigSummary') },
@@ -309,6 +342,8 @@ module.exports = {
     mainUsageGuide,
     mainDefinition,
     scanOptionDefinitions,
-    auditOptionDefinitions
+    auditOptionDefinitions,
+    authOptionDefinitions,
+    configOptionDefinitions
   }
 }

package/src/index.ts

@@ -7,8 +7,11 @@ import constants from './constants'
 import { APP_NAME, APP_VERSION } from './constants/constants'
 import { processLambda } from './lambda/lambda'
 import { localConfig } from './utils/getConfig'
-import findLatestCLIVersion from './common/findLatestCLIVersion'
-import { approximateCommandOnError } from './common/errorHandling'
+import {
+  findLatestCLIVersion,
+  isCorrectNodeVersion
+} from './common/versionChecker'
+import { findCommandOnError } from './common/errorHandling'
 
 const {
   commandLineDefinitions: { mainUsageGuide, mainDefinition }
@@ -31,49 +34,73 @@ const getMainOption = () => {
 }
 
 const start = async () => {
-  const { mainOptions, argv: argvMain } = getMainOption()
-  const command =
-    mainOptions.command != undefined ? mainOptions.command.toLowerCase() : ''
-  if (
-    command === 'version' ||
-    argvMain.includes('--v') ||
-    argvMain.includes('--version')
-  ) {
-    console.log(APP_VERSION)
-    return
-  }
+  if (await isCorrectNodeVersion(process.version)) {
+    const { mainOptions, argv: argvMain } = getMainOption()
+    const command =
+      mainOptions.command != undefined ? mainOptions.command.toLowerCase() : ''
+    if (
+      command === 'version' ||
+      argvMain.includes('--v') ||
+      argvMain.includes('--version')
+    ) {
+      console.log(APP_VERSION)
+      await findLatestCLIVersion()
+      return
+    }
 
-  await findLatestCLIVersion()
+    // @ts-ignore
+    config.set('numOfRuns', config.get('numOfRuns') + 1)
 
-  if (command === 'config') {
-    return processConfig(argvMain, config)
-  }
+    // @ts-ignore
+    if (config.get('numOfRuns') >= 5) {
+      // @ts-ignore
+      await findLatestCLIVersion()
+      config.set('numOfRuns', 0)
+    }
 
-  if (command === 'auth') {
-    return await processAuth(config)
-  }
+    if (command === 'config') {
+      return processConfig(argvMain, config)
+    }
 
-  if (command === 'lambda') {
-    return await processLambda(argvMain)
-  }
+    if (command === 'auth') {
+      return await processAuth(argvMain, config)
+    }
 
-  if (command === 'scan') {
-    return await processScan(argvMain)
-  }
+    if (command === 'lambda') {
+      return await processLambda(argvMain)
+    }
 
-  if (command === 'audit') {
-    return await processAudit(argvMain)
-  }
+    if (command === 'scan') {
+      return await processScan(argvMain)
+    }
+
+    if (command === 'audit') {
+      return await processAudit(argvMain)
+    }
 
-  if (
-    command === 'help' ||
-    argvMain.includes('--help') ||
-    Object.keys(mainOptions).length === 0
-  ) {
-    console.log(mainUsageGuide)
+    if (
+      command === 'help' ||
+      argvMain.includes('--help') ||
+      Object.keys(mainOptions).length === 0
+    ) {
+      console.log(mainUsageGuide)
+    } else if (mainOptions._unknown !== undefined) {
+      const foundCommand = findCommandOnError(mainOptions._unknown)
+
+      foundCommand
+        ? console.log(
+            `Unknown Command: Did you mean "${foundCommand}"? \nUse "${foundCommand} --help" for the full list of options`
+          )
+        : console.log(
+            `Unknown Command: ${command} \nUse --help for the full list`
+          )
+    } else {
+      console.log(`Unknown Command: ${command} \nUse --help for the full list`)
+    }
+    process.exit(9)
   } else {
     console.log(
-      'Unknown Command: ' + command + ' \nUse --help for the full list'
+      'Contrast supports Node versions >=16.13.2 <17. Please use one of those versions.'
     )
     process.exit(9)
   }

package/src/sbom/generateSbom.ts

@@ -0,0 +1,17 @@
+import { getHttpClient } from '../utils/commonApi'
+
+export default function generateSbom(config: any) {
+  const client = getHttpClient(config)
+  return client
+    .getSbom(config)
+    .then((res: { statusCode: number; body: any }) => {
+      if (res.statusCode === 200) {
+        return res.body
+      } else {
+        console.log('Unable to retrieve Software Bill of Materials (SBOM)')
+      }
+    })
+    .catch((err: any) => {
+      console.log(err)
+    })
+}

package/src/scan/help.js

@@ -21,14 +21,16 @@ const scanUsageGuide = commandLineUsage([
     optionList: constants.commandLineDefinitions.scanOptionDefinitions,
     hide: [
       'project-id',
-      'language',
       'organization-id',
       'api-key',
       'authorization',
       'host',
       'proxy',
+      'help',
       'ff',
-      'ignore-cert-errors'
+      'ignore-cert-errors',
+      'verbose',
+      'debug'
     ]
   },
   {

package/src/scan/populateProjectIdAndProjectName.js

@@ -23,6 +23,7 @@ const createProjectId = async (config, client) => {
       }
       if (res.statusCode === 403) {
         console.log(i18n.__('permissionsError'))
+        process.exit(1)
         return
       }
 

package/src/scan/saveResults.js

@@ -1,15 +1,14 @@
 const fs = require('fs')
 
-const writeResultsToFile = (responseBody, name = 'results.sarif') => {
-  fs.writeFile(name, JSON.stringify(responseBody, null, 2), err => {
-    if (err) {
-      console.log('Error writing Scan Results to file')
-    } else {
-      console.log(`Scan Results saved to ${name}`)
-    }
-  })
+const writeResultsToFile = async (responseBody, name = 'results.sarif') => {
+  try {
+    fs.writeFileSync(name, JSON.stringify(responseBody, null, 2))
+    console.log(`Scan Results saved to ${name}`)
+  } catch (err) {
+    console.log('Error writing Scan Results to file')
+  }
 }
 
 module.exports = {
-  writeResultsToFile
+  writeResultsToFile: writeResultsToFile
 }

package/src/scan/scan.js

@@ -58,6 +58,7 @@ const sendScan = async config => {
           )
           if (res.statusCode === 403) {
             console.log(i18n.__('permissionsError'))
+            process.exit(1)
           }
           console.log(i18n.__('genericServiceError', res.statusCode))
           process.exit(1)
@@ -94,6 +95,16 @@ const formatScanOutput = (overview, results) => {
         console.log(`\t ${count}. ${lineInfo}`)
         count++
       })
+
+      if (entry?.cwe && entry?.cwe.length > 0) {
+        formatLinks('cwe', entry.cwe)
+      }
+      if (entry?.reference && entry?.reference.length > 0) {
+        formatLinks('reference', entry.reference)
+      }
+      if (entry?.owasp && entry?.owasp.length > 0) {
+        formatLinks('owasp', entry.owasp)
+      }
       console.log(chalk.bold('How to fix:'))
       console.log(entry.recommendation)
       console.log()
@@ -106,7 +117,9 @@ const formatScanOutput = (overview, results) => {
       overview.low +
       overview.note
 
-    console.log(chalk.bold(`Found ${totalVulnerabilities} vulnerabilities`))
+    let vulMessage =
+      totalVulnerabilities === 1 ? `vulnerability` : `vulnerabilities`
+    console.log(chalk.bold(`Found ${totalVulnerabilities} ${vulMessage}`))
     console.log(
       i18n.__(
         'foundDetailedVulnerabilities',
@@ -120,6 +133,14 @@ const formatScanOutput = (overview, results) => {
   }
 }
 
+const formatLinks = (objName, entry) => {
+  console.log(chalk.bold(objName + ':'))
+  entry.forEach(link => {
+    console.log(link)
+  })
+  console.log()
+}
+
 const getGroups = content => {
   const groupTypeSet = new Set(content.map(({ ruleId }) => ruleId))
   let groupTypeResults = []
@@ -127,12 +148,18 @@ const getGroups = content => {
     let groupResultsObj = {
       ruleId: groupName,
       lineInfoSet: new Set(),
+      cwe: '',
+      owasp: '',
+      reference: '',
       recommendation: '',
       severity: ''
     }
     content.forEach(resultEntry => {
       if (resultEntry.ruleId === groupName) {
         groupResultsObj.severity = resultEntry.severity
+        groupResultsObj.cwe = resultEntry.cwe
+        groupResultsObj.owasp = resultEntry.owasp
+        groupResultsObj.reference = resultEntry.reference
         groupResultsObj.recommendation = resultEntry.recommendation
           ? stripMustacheTags(resultEntry.recommendation)
           : 'No Recommendations Data Found'
@@ -163,5 +190,6 @@ module.exports = {
   allowedFileTypes: allowedFileTypes,
   isFileAllowed: isFileAllowed,
   stripMustacheTags: stripMustacheTags,
-  formatScanOutput: formatScanOutput
+  formatScanOutput: formatScanOutput,
+  formatLinks: formatLinks
 }

package/src/scan/scanConfig.js

@@ -2,14 +2,34 @@ const paramHandler = require('../utils/paramsUtil/paramHandler')
 const constants = require('../../src/constants.js')
 const parsedCLIOptions = require('../../src/utils/parsedCLIOptions')
 const path = require('path')
+const {
+  supportedLanguages
+} = require('../audit/languageAnalysisEngine/constants')
+const i18n = require('i18n')
+const { scanUsageGuide } = require('./help')
 
 const getScanConfig = argv => {
   let scanParams = parsedCLIOptions.getCommandLineArgsCustom(
     argv,
     constants.commandLineDefinitions.scanOptionDefinitions
   )
+
+  if (scanParams.help) {
+    printHelpMessage()
+    process.exit(0)
+  }
+
   const paramsAuth = paramHandler.getAuth(scanParams)
 
+  if (scanParams.language) {
+    scanParams.language = scanParams.language.toUpperCase()
+    if (!Object.values(supportedLanguages).includes(scanParams.language)) {
+      console.log(`Did not recognise --language ${scanParams.language}`)
+      console.log(i18n.__('constantsHowToRunDev3'))
+      process.exit(0)
+    }
+  }
+
   // if no name, take the full file path and use it as the project name
   if (!scanParams.name && scanParams.file) {
     scanParams.name = getFileName(scanParams.file)
@@ -23,7 +43,12 @@ const getFileName = file => {
   return file.split(path.sep).pop()
 }
 
+const printHelpMessage = () => {
+  console.log(scanUsageGuide)
+}
+
 module.exports = {
   getScanConfig,
-  getFileName
+  getFileName,
+  printHelpMessage
 }

package/src/scan/scanController.js

@@ -9,6 +9,7 @@ const scan = require('./scan')
 const scanResults = require('./scanResults')
 const autoDetection = require('./autoDetection')
 const fileFunctions = require('./fileUtils')
+const { performance } = require('perf_hooks')
 
 const getTimeout = config => {
   if (config.timeout) {
@@ -25,7 +26,7 @@ const fileAndLanguageLogic = async configToUse => {
   if (configToUse.file) {
     if (!fileFunctions.fileExists(configToUse.file)) {
       console.log(i18n.__('fileNotExist'))
-      process.exit(0)
+      process.exit(1)
     }
     return configToUse
   } else {
@@ -36,6 +37,7 @@ const fileAndLanguageLogic = async configToUse => {
 }
 
 const startScan = async configToUse => {
+  const startTime = performance.now()
   await fileAndLanguageLogic(configToUse)
 
   if (!configToUse.projectId) {
@@ -46,7 +48,7 @@ const startScan = async configToUse => {
   const codeArtifactId = await scan.sendScan(configToUse)
 
   if (!configToUse.ff) {
-    const startScanSpinner = returnOra('Contrast Scan started')
+    const startScanSpinner = returnOra('🚀 Contrast Scan started')
     startSpinner(startScanSpinner)
     const scanDetail = await scanResults.returnScanResults(
       configToUse,
@@ -58,7 +60,12 @@ const startScan = async configToUse => {
       configToUse,
       scanDetail.id
     )
+    const endTime = performance.now()
+    const scanDurationMs = endTime - startTime
     succeedSpinner(startScanSpinner, 'Contrast Scan complete')
+    console.log(
+      `----- Scan completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
+    )
     const projectOverview = await scanResults.returnScanProjectById(configToUse)
     return { projectOverview, scanDetail, scanResultsInstances }
   }

package/src/scan/scanResults.js

@@ -2,6 +2,7 @@ const commonApi = require('../utils/commonApi')
 const requestUtils = require('../../src/utils/requestUtils')
 const oraFunctions = require('../utils/oraWrapper')
 const _ = require('lodash')
+const i18n = require('i18n')
 
 const getScanId = async (config, codeArtifactId, client) => {
   return client
@@ -48,6 +49,15 @@ const returnScanResults = async (
           complete = true
           oraFunctions.failSpinner(startScanSpinner, 'Contrast Scan Failed.')
           console.log(result.body.errorMessage)
+          if (
+            result.body.errorMessage ===
+            'Unable to determine language for code artifact'
+          ) {
+            console.log(
+              'Try scanning again using --language param. ',
+              i18n.__('scanOptionsLanguageSummary')
+            )
+          }
           process.exit(1)
         }
       }

package/src/utils/getConfig.ts

@@ -6,6 +6,7 @@ type ContrastConfOptions = Partial<{
   apiKey: string
   orgId: string
   authHeader: string
+  numOfRuns: number
 }>
 
 type ContrastConf = Conf<ContrastConfOptions>
@@ -15,6 +16,7 @@ const localConfig = (name: string, version: string) => {
     configName: name
   })
   config.set('version', version)
+
   if (!config.has('host')) {
     config.set('host', 'https://ce.contrastsecurity.com/')
   }

package/src/utils/requestUtils.js

@@ -8,7 +8,7 @@ function sendRequest({ options, method = 'put' }) {
 }
 
 const millisToSeconds = millis => {
-  return ((millis % 60000) / 1000).toFixed(0)
+  return (millis / 1000).toFixed(0)
 }
 
 const sleep = ms => {

package/src/utils/saveFile.js

@@ -0,0 +1,19 @@
+const { SARIF_FILE } = require('../constants/constants')
+const commonApi = require('./commonApi')
+const saveResults = require('../scan/saveResults')
+const i18n = require('i18n')
+
+const saveScanFile = async (config, scanResults) => {
+  if (config.save === null || config.save.toUpperCase() === SARIF_FILE) {
+    const scanId = scanResults.scanDetail.id
+    const client = commonApi.getHttpClient(config)
+    const rawResults = await client.getSpecificScanResultSarif(config, scanId)
+    await saveResults.writeResultsToFile(rawResults?.body)
+  } else {
+    console.log(i18n.__('scanNoFiletypeSpecifiedForSave'))
+  }
+}
+
+module.exports = {
+  saveScanFile: saveScanFile
+}

package/src/common/findLatestCLIVersion.ts

@@ -1,27 +0,0 @@
-import latestVersion from 'latest-version'
-import { APP_VERSION } from '../constants/constants'
-import boxen from 'boxen'
-import chalk from 'chalk'
-import semver from 'semver'
-
-export default async function findLatestCLIVersion() {
-  const latestCLIVersion = await latestVersion('@contrast/contrast')
-
-  if (semver.lt(APP_VERSION, latestCLIVersion)) {
-    const updateAvailableMessage = `Update available ${chalk.yellow(
-      APP_VERSION
-    )} → ${chalk.green(latestCLIVersion)}`
-
-    const updateAvailableCommand = `Run ${chalk.cyan(
-      'npm i @contrast/contrast'
-    )} to update`
-
-    console.log(
-      boxen(`${updateAvailableMessage}\n${updateAvailableCommand}`, {
-        margin: 1,
-        padding: 1,
-        align: 'center'
-      })
-    )
-  }
-}