@contrast/contrast 1.0.2 → 1.0.5

package/dist/scan/scanController.js

@@ -6,6 +6,7 @@ const scan = require('./scan');
 const scanResults = require('./scanResults');
 const autoDetection = require('./autoDetection');
 const fileFunctions = require('./fileUtils');
+const { performance } = require('perf_hooks');
 const getTimeout = config => {
     if (config.timeout) {
         return config.timeout;
@@ -21,7 +22,7 @@ const fileAndLanguageLogic = async (configToUse) => {
     if (configToUse.file) {
         if (!fileFunctions.fileExists(configToUse.file)) {
             console.log(i18n.__('fileNotExist'));
-            process.exit(0);
+            process.exit(1);
         }
         return configToUse;
     }
@@ -32,19 +33,22 @@ const fileAndLanguageLogic = async (configToUse) => {
     }
 };
 const startScan = async (configToUse) => {
+    const startTime = performance.now();
     await fileAndLanguageLogic(configToUse);
     if (!configToUse.projectId) {
         configToUse.projectId = await populateProjectIdAndProjectName.populateProjectId(configToUse);
     }
     const codeArtifactId = await scan.sendScan(configToUse);
     if (!configToUse.ff) {
-        const startScanSpinner = returnOra('Contrast Scan started');
+        const startScanSpinner = returnOra('🚀 Contrast Scan started');
         startSpinner(startScanSpinner);
         const scanDetail = await scanResults.returnScanResults(configToUse, codeArtifactId, getTimeout(configToUse), startScanSpinner);
         const scanResultsInstances = await scanResults.returnScanResultsInstances(configToUse, scanDetail.id);
+        const endTime = performance.now();
+        const scanDurationMs = endTime - startTime;
         succeedSpinner(startScanSpinner, 'Contrast Scan complete');
-        const projectOverview = await scanResults.returnScanProjectById(configToUse);
-        return { projectOverview, scanDetail, scanResultsInstances };
+        console.log(`----- Scan completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`);
+        return { scanDetail, scanResultsInstances };
     }
 };
 module.exports = {

package/dist/scan/scanResults.js

@@ -3,6 +3,7 @@ const commonApi = require('../utils/commonApi');
 const requestUtils = require('../../src/utils/requestUtils');
 const oraFunctions = require('../utils/oraWrapper');
 const _ = require('lodash');
+const i18n = require('i18n');
 const getScanId = async (config, codeArtifactId, client) => {
     return client
         .getScanId(config, codeArtifactId)
@@ -39,8 +40,12 @@ const returnScanResults = async (config, codeArtifactId, timeout, startScanSpinn
                 }
                 if (result.body.status === 'FAILED') {
                     complete = true;
-                    oraFunctions.failSpinner(startScanSpinner, 'Contrast Scan Failed.');
-                    console.log(result.body.errorMessage);
+                    oraFunctions.failSpinner(startScanSpinner, i18n.__('scanNotCompleted', 'https://docs.contrastsecurity.com/en/binary-package-preparation.html'));
+                    result.body.errorMessage ? console.log(result.body.errorMessage) : '';
+                    if (result.body.errorMessage ===
+                        'Unable to determine language for code artifact') {
+                        console.log('Try scanning again using --language param. ', i18n.__('scanOptionsLanguageSummary'));
+                    }
                     process.exit(1);
                 }
             }
@@ -66,23 +71,9 @@ const returnScanResultsInstances = async (config, scanId) => {
         console.log(e.message.toString());
     }
 };
-const returnScanProjectById = async (config) => {
-    const client = commonApi.getHttpClient(config);
-    let result;
-    try {
-        result = await client.getScanProjectById(config);
-        if (JSON.stringify(result.statusCode) == 200) {
-            return result.body;
-        }
-    }
-    catch (e) {
-        console.log(e.message.toString());
-    }
-};
 module.exports = {
     getScanId: getScanId,
     returnScanResults: returnScanResults,
     pollScanResults: pollScanResults,
-    returnScanResultsInstances: returnScanResultsInstances,
-    returnScanProjectById: returnScanProjectById
+    returnScanResultsInstances: returnScanResultsInstances
 };

package/dist/utils/getConfig.js

@@ -10,6 +10,9 @@ const localConfig = (name, version) => {
         configName: name
     });
     config.set('version', version);
+    if (process.env.CONTRAST_CODSEC_DISABLE_UPDATE_MESSAGE) {
+        config.set('updateMessageHidden', JSON.parse(process.env.CONTRAST_CODSEC_DISABLE_UPDATE_MESSAGE.toLowerCase()));
+    }
     if (!config.has('host')) {
         config.set('host', 'https://ce.contrastsecurity.com/');
     }

package/dist/utils/requestUtils.js

@@ -6,7 +6,7 @@ function sendRequest({ options, method = 'put' }) {
     return request[`${method}Async`](options.url, options);
 }
 const millisToSeconds = millis => {
-    return ((millis % 60000) / 1000).toFixed(0);
+    return (millis / 1000).toFixed(0);
 };
 const sleep = ms => {
     return new Promise(resolve => setTimeout(resolve, ms));

package/dist/utils/saveFile.js

@@ -0,0 +1,19 @@
+"use strict";
+const { SARIF_FILE } = require('../constants/constants');
+const commonApi = require('./commonApi');
+const saveResults = require('../scan/saveResults');
+const i18n = require('i18n');
+const saveScanFile = async (config, scanResults) => {
+    if (config.save === null || config.save.toUpperCase() === SARIF_FILE) {
+        const scanId = scanResults.scanDetail.id;
+        const client = commonApi.getHttpClient(config);
+        const rawResults = await client.getSpecificScanResultSarif(config, scanId);
+        await saveResults.writeResultsToFile(rawResults?.body);
+    }
+    else {
+        console.log(i18n.__('scanNoFiletypeSpecifiedForSave'));
+    }
+};
+module.exports = {
+    saveScanFile: saveScanFile
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "1.0.2",
+  "version": "1.0.5",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -35,7 +35,7 @@
     "dev": "npx ts-node src/index.ts"
   },
   "engines": {
-    "node": ">=16.13.2 <17"
+    "node": ">=16"
   },
   "dependencies": {
     "@aws-sdk/client-iam": "^3.78.0",
@@ -45,6 +45,7 @@
     "bluebird": "^3.7.2",
     "boxen": "5.1.2",
     "chalk": "4.1.2",
+    "cli-table3": "^0.6.2",
     "command-line-args": "^5.2.1",
     "command-line-usage": "^6.1.3",
     "conf": "^10.1.2",

package/src/audit/autodetection/autoDetectLanguage.ts

@@ -0,0 +1,40 @@
+/* eslint-disable  @typescript-eslint/no-explicit-any */
+import i18n from 'i18n'
+import {
+  reduceIdentifiedLanguages,
+  deduceLanguage
+} from '../languageAnalysisEngine/reduceIdentifiedLanguages'
+
+import { getProjectRootFilenames } from '../languageAnalysisEngine/getProjectRootFilenames'
+
+export function identifyLanguages(config: any) {
+  const { projectPath } = config
+  const projectRootFilenames = getProjectRootFilenames(projectPath)
+
+  const identifiedLanguages = projectRootFilenames.reduce(
+    (accumulator: any, filename: string) => {
+      const deducedLanguages = deduceLanguage(filename)
+      return [...accumulator, ...deducedLanguages]
+    },
+    []
+  )
+
+  if (Object.keys(identifiedLanguages).length === 0) {
+    throw new Error(i18n.__('languageAnalysisNoLanguage', projectPath))
+  }
+
+  return reduceIdentifiedLanguages(identifiedLanguages)
+}
+
+export function determineProjectLanguage(
+  reducedLanguages: Record<string, string>
+) {
+  const reducedLanguagesKeys = Object.keys(reducedLanguages)
+  if (reducedLanguagesKeys.length === 1) {
+    return reducedLanguagesKeys[0]
+  } else {
+    throw new Error(
+      'Detected multiple languages. Please specify a single language using --language'
+    )
+  }
+}

package/src/audit/catalogueApplication/catalogueApplication.js

@@ -1,21 +1,8 @@
 const i18n = require('i18n')
 const { getHttpClient, handleResponseErrors } = require('../../utils/commonApi')
 
-const locationOfApp = (config, appId) => {
-  return `${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${appId}`
-}
-
-const displaySuccessMessage = (config, appId) => {
-  console.log(
-    '\n **************************' +
-      i18n.__('successHeader') +
-      '************************** \n'
-  )
-  console.log('\n' + i18n.__('catalogueSuccessCommand') + appId + '\n')
-  console.log(locationOfApp(config, appId))
-  console.log(
-    '\n *********************************************************** \n'
-  )
+const displaySuccessMessage = () => {
+  console.log(i18n.__('catalogueSuccessCommand'))
 }
 
 const catalogueApplication = async config => {
@@ -25,9 +12,10 @@ const catalogueApplication = async config => {
     .catalogueCommand(config)
     .then(res => {
       if (res.statusCode === 201) {
-        displaySuccessMessage(config, res.body.application.app_id)
+        //displaySuccessMessage(config, res.body.application.app_id)
         appId = res.body.application.app_id
       } else {
+        // console.log(res.statusCode)
         handleResponseErrors(res, 'catalogue')
       }
     })

package/src/audit/languageAnalysisEngine/{langugageAnalysisFactory.js → languageAnalysisFactory.js}

@@ -10,9 +10,17 @@ const pythonAE = require('../pythonAnalysisEngine')
 const phpAE = require('../phpAnalysisEngine')
 const goAE = require('../goAnalysisEngine')
 const { vulnerabilityReport } = require('./report/reportingFeature')
-const { vulnReportWithoutDevDep } = require('./report/newReportingFeature')
-const { checkDevDeps } = require('./report/checkIgnoreDevDep')
 const { newSendSnapShot } = require('../languageAnalysisEngine/sendSnapshot')
+const fs = require('fs')
+const chalk = require('chalk')
+const saveFile = require('../../commands/audit/saveFile').default
+const generateSbom = require('../../sbom/generateSbom').default
+const {
+  failSpinner,
+  returnOra,
+  startSpinner,
+  succeedSpinner
+} = require('../../utils/oraWrapper')
 
 module.exports = exports = (err, analysis) => {
   const { identifiedLanguageInfo } = analysis.languageAnalysis
@@ -43,25 +51,15 @@ module.exports = exports = (err, analysis) => {
       return process.exit(5)
     }
 
-    console.log('\n **************CONTRAST OSS ANALYSIS BEGINS**************')
+    const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
+    startSpinner(reportSpinner)
     const snapshotResponse = await newSendSnapShot(analysis, catalogueAppId)
+    succeedSpinner(reportSpinner, 'Contrast SCA analysis complete')
 
-    if (config.report) {
-      const ignoreDevUrl = await checkDevDeps(config)
-      if (ignoreDevUrl) {
-        await vulnReportWithoutDevDep(
-          analysis,
-          catalogueAppId,
-          snapshotResponse.id,
-          config
-        )
-      } else {
-        await vulnerabilityReport(analysis, catalogueAppId, config)
-      }
-    }
-    console.log(
-      '\n ***************CONTRAST OSS ANALYSIS COMPLETE************** \n'
-    )
+    await vulnerabilityReport(analysis, catalogueAppId, snapshotResponse.id)
+
+    //should be moved to processAudit.ts once promises implemented
+    await auditSave(config)
   }
 
   if (identifiedLanguageInfo.language === DOTNET) {
@@ -92,3 +90,27 @@ module.exports = exports = (err, analysis) => {
     goAE(identifiedLanguageInfo, analysis.config, langCallback)
   }
 }
+
+async function auditSave(config) {
+  //should be moved to processAudit.ts once promises implemented
+  if (config.save) {
+    if (config.save.toLowerCase() === 'sbom') {
+      saveFile(config, await generateSbom(config))
+
+      const filename = `${config.applicationId}-sbom-cyclonedx.json`
+      if (fs.existsSync(filename)) {
+        console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`)
+      } else {
+        console.log(
+          chalk.yellow.bold(
+            `\n Unable to save ${filename} Software Bill of Materials (SBOM)`
+          )
+        )
+      }
+    } else {
+      console.log(i18n.__('auditBadFiletypeSpecifiedForSave'))
+    }
+  } else if (config.save === null) {
+    console.log(i18n.__('auditNoFiletypeSpecifiedForSave'))
+  }
+}

package/src/audit/languageAnalysisEngine/reduceIdentifiedLanguages.js

@@ -28,6 +28,76 @@ const isRubyLockFilename = filename => filename === 'Gemfile.lock'
 const isPipfileLockLockFilename = filename => filename === 'Pipfile.lock'
 const isGoProjectFilename = filename => filename === 'go.mod'
 
+const deduceLanguageScaAnalysis = filenames => {
+  const deducedLanguages = []
+  let language = ''
+
+  filenames.forEach(filename => {
+    // Check for project filenames...
+    if (isJavaMavenProjectFilename(filename)) {
+      deducedLanguages.push(filename)
+      language = JAVA
+    }
+
+    if (isJavaGradleProjectFilename(filename)) {
+      deducedLanguages.push(filename)
+      language = JAVA
+    }
+
+    if (isNodeProjectFilename(filename)) {
+      deducedLanguages.push(filename)
+      language = NODE
+    }
+    //
+    // if (isDotNetProjectFilename(filename)) {
+    //   deducedLanguages.push({language: DOTNET, projectFilename: filename})
+    // }
+    //
+    // if (isRubyProjectFilename(filename)) {
+    //   deducedLanguages.push({language: RUBY, projectFilename: filename})
+    // }
+    //
+    // if (isPythonProjectFilename(filename)) {
+    //   deducedLanguages.push({language: PYTHON, projectFilename: filename})
+    // }
+    //
+    // if (isPhpProjectFilename(filename)) {
+    //   deducedLanguages.push({language: PHP, projectFilename: filename})
+    // }
+    //
+    // // Check for lock filenames...
+    // if (isDotNetLockFilename(filename)) {
+    //   deducedLanguages.push({language: DOTNET, lockFilename: filename})
+    // }
+    //
+    if (isNodeLockFilename(filename)) {
+      deducedLanguages.push(filename)
+      language = node
+    }
+    //
+    // if (isRubyLockFilename(filename)) {
+    //   deducedLanguages.push({language: RUBY, lockFilename: filename})
+    // }
+    //
+    // // this is pipfileLock rather than python lock as there can be different python locks
+    // if (isPipfileLockLockFilename(filename)) {
+    //   deducedLanguages.push({language: PYTHON, lockFilename: filename})
+    // }
+    //
+    // if (isPhpLockFilename(filename)) {
+    //   deducedLanguages.push({language: PHP, lockFilename: filename})
+    // }
+    //
+    // // go does not have a lockfile, it should have a go.mod file containing the modules
+    // if (isGoProjectFilename(filename)) {
+    //   deducedLanguages.push({language: GO, projectFilename: filename})
+    // }
+  })
+  let identifiedLanguages = { [language]: deducedLanguages }
+
+  return identifiedLanguages
+}
+
 const deduceLanguage = filename => {
   const deducedLanguages = []
 
@@ -175,3 +245,4 @@ exports.isPhpProjectFilename = isPhpProjectFilename
 exports.isPhpLockFilename = isPhpLockFilename
 exports.deduceLanguage = deduceLanguage
 exports.reduceIdentifiedLanguages = reduceIdentifiedLanguages
+exports.deduceLanguageScaAnalysis = deduceLanguageScaAnalysis

package/src/audit/languageAnalysisEngine/report/commonReportingFunctions.ts

@@ -0,0 +1,105 @@
+import { getHttpClient, handleResponseErrors } from '../../../utils/commonApi'
+import {
+  ReportCompositeKey,
+  ReportList,
+  ReportModelStructure
+} from './models/reportListModel'
+import { ReportSeverityModel } from './models/reportSeverityModel'
+import { orderBy } from 'lodash'
+import chalk from 'chalk'
+import { ReportLibraryModel } from './models/reportLibraryModel'
+import { findHighestSeverityCVE, findNameAndVersion } from './utils/reportUtils'
+
+export const createLibraryHeader = (
+  id: string,
+  numberOfVulnerableLibraries: number,
+  numberOfCves: number
+) => {
+  numberOfVulnerableLibraries === 1
+    ? console.log(
+        ` Found 1 vulnerable library containing ${numberOfCves} CVE's`
+      )
+    : console.log(
+        ` Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVE's `
+      )
+}
+
+export const getReport = async (config: any, reportId: string) => {
+  const client = getHttpClient(config)
+  return client
+    .getReportById(config, reportId)
+    .then((res: { statusCode: number; body: any }) => {
+      if (res.statusCode === 200) {
+        return res.body
+      } else {
+        console.log('config-------------------')
+        console.log(config)
+        console.log('reportId----------------')
+        console.log(reportId)
+        console.log(JSON.stringify(res))
+        handleResponseErrors(res, 'report')
+      }
+    })
+    .catch((err: any) => {
+      console.log(err)
+    })
+}
+
+export const printVulnerabilityResponse = (
+  vulnerabilities: ReportLibraryModel[],
+  config: any
+) => {
+  let hasSomeVulnerabilitiesReported = false
+  printFormattedOutput(vulnerabilities, config)
+  if (Object.keys(vulnerabilities).length > 0) {
+    hasSomeVulnerabilitiesReported = true
+  }
+  return hasSomeVulnerabilitiesReported
+}
+
+export const printFormattedOutput = (
+  libraries: ReportLibraryModel[],
+  config: any
+) => {
+  const report = new ReportList()
+
+  for (const library of libraries) {
+    const { name, version } = findNameAndVersion(library, config)
+
+    const newOutputModel = new ReportModelStructure(
+      new ReportCompositeKey(
+        name,
+        version,
+        findHighestSeverityCVE(library.cveArray) as ReportSeverityModel
+      ),
+      library.cveArray
+    )
+
+    report.reportOutputList.push(newOutputModel)
+  }
+
+  const orderedOutputList = orderBy(
+    report.reportOutputList,
+    reportListItem => reportListItem.compositeKey.highestSeverity.priority
+  )
+
+  for (const reportModel of orderedOutputList) {
+    const name = reportModel.compositeKey.libraryName
+    const version = reportModel.compositeKey.libraryVersion
+    const highestSeverity = reportModel.compositeKey.highestSeverity.severity
+
+    const numOfCVEs = reportModel.cveArray.length
+
+    const cveNames: string[] = []
+
+    reportModel.cveArray.forEach(cve => cveNames.push(cve.name as string))
+
+    const boldHeader = chalk.bold(`${highestSeverity} | Vulnerable Library`)
+    const cvePluralised = numOfCVEs > 1 ? 'CVEs' : 'CVE'
+    console.log(
+      `\n ${boldHeader} ${name} (${version}) has ${numOfCVEs} known ${cvePluralised}`
+    )
+    console.log(` ${cveNames.join(', ')}`)
+    console.log(chalk.bold(' How to fix: Update to latest version'))
+  }
+}

package/src/audit/languageAnalysisEngine/report/models/reportLibraryModel.ts

@@ -0,0 +1,30 @@
+export class ReportLibraryModel {
+  name: string
+  cveArray: ReportCVEModel[]
+
+  constructor (name: string, cveArray: ReportCVEModel[]){
+    this.name = name
+    this.cveArray = cveArray
+  }
+}
+
+export class ReportCVEModel {
+  name?: string
+  description?: string
+  authentication?: string
+  references?: []
+  severityCode?: string
+  cvss3SeverityCode?: string
+
+  constructor (
+    name: string,
+    description: string,
+    severityCode: string,
+    cvss3SeverityCode: string
+  ){
+    this.name = name
+    this.description = description
+    this.severityCode = severityCode
+    this.cvss3SeverityCode = cvss3SeverityCode
+  }
+}

package/src/audit/languageAnalysisEngine/report/models/reportListModel.ts

@@ -0,0 +1,32 @@
+import {ReportSeverityModel} from "./reportSeverityModel";
+import {ReportCVEModel} from "./reportLibraryModel";
+
+export class ReportList {
+  reportOutputList: ReportModelStructure[]
+
+  constructor (){
+    this.reportOutputList = []
+  }
+}
+
+export class ReportModelStructure {
+  compositeKey: ReportCompositeKey;
+  cveArray: ReportCVEModel[];
+
+  constructor (compositeKey: ReportCompositeKey, cveArray: ReportCVEModel[]){
+    this.compositeKey = compositeKey
+    this.cveArray = cveArray
+  }
+}
+
+export class ReportCompositeKey {
+  libraryName!: string;
+  libraryVersion!: string;
+  highestSeverity!: ReportSeverityModel;
+
+  constructor (libraryName: string, libraryVersion: string, highestSeverity: ReportSeverityModel){
+    this.libraryName = libraryName
+    this.libraryVersion = libraryVersion
+    this.highestSeverity = highestSeverity
+  }
+}

package/src/audit/languageAnalysisEngine/report/models/reportSeverityModel.ts

@@ -0,0 +1,9 @@
+export class ReportSeverityModel {
+  severity!: string
+  priority!: number
+
+  constructor(severity: string, priority: number) {
+    this.severity = severity
+    this.priority = priority
+  }
+}

package/src/audit/languageAnalysisEngine/report/reportingFeature.ts

@@ -0,0 +1,56 @@
+import {
+  createLibraryHeader,
+  getReport,
+  printVulnerabilityResponse
+} from './commonReportingFunctions'
+import {
+  convertGenericToTypedLibraries,
+  severityCount
+} from './utils/reportUtils'
+
+export async function vulnerabilityReport(
+  analysis: any,
+  applicationId: string,
+  reportId: string
+) {
+  const reportResponse = await getReport(analysis.config, reportId)
+
+  if (reportResponse !== undefined) {
+    const id = applicationId
+    const name = analysis.config.applicationName
+    formatVulnerabilityOutput(
+      reportResponse.vulnerabilities,
+      id,
+      name,
+      analysis.config
+    )
+  }
+}
+
+export function formatVulnerabilityOutput(
+  libraryVulnerabilityResponse: any,
+  id: string,
+  name: string,
+  config: any
+) {
+  const vulnerableLibraries = convertGenericToTypedLibraries(
+    libraryVulnerabilityResponse
+  )
+
+  const numberOfVulnerableLibraries = vulnerableLibraries.length
+  let numberOfCves = 0
+  vulnerableLibraries.forEach(lib => (numberOfCves += lib.cveArray.length))
+
+  createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves)
+
+  const hasSomeVulnerabilitiesReported = printVulnerabilityResponse(
+    vulnerableLibraries,
+    config
+  )
+
+  return [
+    hasSomeVulnerabilitiesReported,
+    numberOfCves,
+    severityCount(vulnerableLibraries)
+  ]
+}