@contrast/contrast 1.0.2 → 1.0.5

package/src/audit/languageAnalysisEngine/report/utils/reportUtils.ts

@@ -0,0 +1,110 @@
+import {
+  ReportCVEModel,
+  ReportLibraryModel
+} from '../models/reportLibraryModel'
+import { ReportSeverityModel } from '../models/reportSeverityModel'
+import languageAnalysisEngine from '../../../languageAnalysisEngine/constants'
+const {
+  supportedLanguages: { GO }
+} = languageAnalysisEngine
+
+export function findHighestSeverityCVE(cveArray: ReportCVEModel[]) {
+  if (
+    cveArray.find(
+      cve =>
+        cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL'
+    )
+  ) {
+    return new ReportSeverityModel('CRITICAL', 1)
+  } else if (
+    cveArray.find(
+      cve => cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH'
+    )
+  ) {
+    return new ReportSeverityModel('HIGH', 2)
+  } else if (
+    cveArray.find(
+      cve => cve.cvss3SeverityCode === 'MEDIUM' || cve.severityCode === 'MEDIUM'
+    )
+  ) {
+    return new ReportSeverityModel('MEDIUM', 3)
+  } else if (
+    cveArray.find(
+      cve => cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW'
+    )
+  ) {
+    return new ReportSeverityModel('LOW', 4)
+  } else if (
+    cveArray.find(
+      cve => cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE'
+    )
+  ) {
+    return new ReportSeverityModel('NOTE', 5)
+  }
+}
+
+export function convertGenericToTypedLibraries(libraries: any) {
+  return Object.entries(libraries).map(([name, cveArray]) => {
+    return new ReportLibraryModel(name, cveArray as ReportCVEModel[])
+  })
+}
+
+export function severityCount(vulnerableLibraries: ReportLibraryModel[]) {
+  const severityCount = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    note: 0
+  }
+
+  vulnerableLibraries.forEach(lib => {
+    lib.cveArray.forEach(cve => {
+      if (
+        cve.cvss3SeverityCode === 'CRITICAL' ||
+        cve.severityCode === 'CRITICAL'
+      ) {
+        severityCount['critical'] += 1
+      } else if (
+        cve.cvss3SeverityCode === 'HIGH' ||
+        cve.severityCode === 'HIGH'
+      ) {
+        severityCount['high'] += 1
+      } else if (
+        cve.cvss3SeverityCode === 'MEDIUM' ||
+        cve.severityCode === 'MEDIUM'
+      ) {
+        severityCount['medium'] += 1
+      } else if (
+        cve.cvss3SeverityCode === 'LOW' ||
+        cve.severityCode === 'LOW'
+      ) {
+        severityCount['low'] += 1
+      } else if (
+        cve.cvss3SeverityCode === 'NOTE' ||
+        cve.severityCode === 'NOTE'
+      ) {
+        severityCount['note'] += 1
+      }
+    })
+  })
+
+  return severityCount
+}
+
+export function findNameAndVersion(library: ReportLibraryModel, config: any) {
+  if (config.language.toUpperCase() === GO) {
+    const nameVersion = library.name.split('@')
+    const name = nameVersion[0]
+    const version = nameVersion[1]
+
+    return { name, version }
+  } else {
+    const splitLibraryName = library.name.split('/')
+    const nameVersion = splitLibraryName[1].split('@')
+    const name = nameVersion[0]
+    const version = nameVersion[1]
+
+    return { name, version }
+  }
+}

package/src/audit/languageAnalysisEngine/sendSnapshot.js

@@ -1,23 +1,8 @@
-const prettyjson = require('prettyjson')
-const i18n = require('i18n')
 const { getHttpClient } = require('../../utils/commonApi')
 const { handleResponseErrors } = require('../../common/errorHandling')
 const { APP_VERSION } = require('../../constants/constants')
 
-function displaySnapshotSuccessMessage(config) {
-  console.log(
-    '\n **************************' +
-      i18n.__('successHeader') +
-      '************************** '
-  )
-  console.log('\n' + i18n.__('snapshotSuccessMessage') + '\n')
-  console.log(
-    ` ${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
-  )
-  console.log('\n ***********************************************************')
-}
-
-const newSendSnapShot = async (analysis, applicationId) => {
+const newSendSnapShot = async analysis => {
   const analysisLanguage = analysis.config.language.toLowerCase()
   const requestBody = {
     appID: analysis.config.applicationId,
@@ -30,11 +15,7 @@ const newSendSnapShot = async (analysis, applicationId) => {
   return client
     .sendSnapshot(requestBody, analysis.config)
     .then(res => {
-      // if (!analysis.config.silent) {
-      //   console.log(prettyjson.render(requestBody))
-      // }
       if (res.statusCode === 201) {
-        displaySnapshotSuccessMessage(analysis.config)
         return res.body
       } else {
         handleResponseErrors(res, 'snapshot')
@@ -46,6 +27,5 @@ const newSendSnapShot = async (analysis, applicationId) => {
 }
 
 module.exports = {
-  newSendSnapShot: newSendSnapShot,
-  displaySnapshotSuccessMessage: displaySnapshotSuccessMessage
+  newSendSnapShot: newSendSnapShot
 }

package/src/commands/audit/auditConfig.ts

@@ -2,6 +2,10 @@ import paramHandler from '../../utils/paramsUtil/paramHandler'
 import constants from '../../constants'
 import cliOptions from '../../utils/parsedCLIOptions'
 import languageAnalysisEngine from '../../audit/languageAnalysisEngine/constants'
+import {
+  determineProjectLanguage,
+  identifyLanguages
+} from '../../audit/autodetection/autoDetectLanguage'
 
 const {
   supportedLanguages: { NODE, JAVASCRIPT }
@@ -18,9 +22,14 @@ export const getAuditConfig = (argv: string[]): { [key: string]: string } => {
     auditParameters.language === undefined ||
     auditParameters.language === null
   ) {
-    //error no language
-    console.log('error, --language parameter is required')
-    process.exit(1)
+    try {
+      auditParameters.language = determineProjectLanguage(
+        identifyLanguages(auditParameters)
+      )
+    } catch (err: any) {
+      console.log(err.message)
+      process.exit(1)
+    }
   } else if (auditParameters.language.toUpperCase() === JAVASCRIPT) {
     auditParameters.language = NODE.toLowerCase()
   }

package/src/commands/audit/auditController.ts

@@ -1,19 +1,35 @@
 import { catalogueApplication } from '../../audit/catalogueApplication/catalogueApplication'
 import commonApi from '../../audit/languageAnalysisEngine/commonApi'
+
 const identifyLanguageAE = require('./../../audit/languageAnalysisEngine')
-const languageFactory = require('./../../audit/languageAnalysisEngine/langugageAnalysisFactory')
+const languageFactory = require('../../audit/languageAnalysisEngine/languageAnalysisFactory')
+const { v4: uuidv4 } = require('uuid')
 
-const dealWithNoAppId = async (config: { [x: string]: string }) => {
-  let appID
+export const dealWithNoAppId = async (config: { [x: string]: string }) => {
+  let appID: string
   try {
+    // @ts-ignore
     appID = await commonApi.returnAppId(config)
+    // console.log('appid', appID)
     if (!appID && config.applicationName) {
       return await catalogueApplication(config)
     }
+    if (!appID && !config.applicationName) {
+      config.applicationName = uuidv4()
+      return await catalogueApplication(config)
+    }
+    // @ts-ignore
   } catch (e) {
-    console.log(e)
+    // @ts-ignore
+    if (e.toString().includes('tunneling socket could not be established')) {
+      // @ts-ignore
+      console.log(e.message)
+      console.log(
+        'There seems to be an issue with your proxy, please check and try again'
+      )
+    }
+    process.exit(1)
   }
-  console.log(appID)
   return appID
 }
 

package/src/commands/audit/processAudit.ts

@@ -10,8 +10,10 @@ export const processAudit = async (argv: parameterInput) => {
     process.exit(1)
   }
   const config = getAuditConfig(argv)
+
+  // console.log(config)
+
   const auditResults = await startAudit(config)
-  //report here
 }
 
 const printHelpMessage = () => {

package/src/commands/audit/saveFile.ts

@@ -0,0 +1,6 @@
+import fs from 'fs'
+
+export default function saveFile(config: any, rawResults: any) {
+  const fileName = `${config.applicationId}-sbom-cyclonedx.json`
+  fs.writeFileSync(fileName, JSON.stringify(rawResults))
+}

package/src/commands/auth/auth.js

@@ -11,8 +11,21 @@ const {
   succeedSpinner
 } = require('../../utils/oraWrapper')
 const { TIMEOUT, AUTH_UI_URL } = require('../../constants/constants')
+const parsedCLIOptions = require('../../utils/parsedCLIOptions')
+const constants = require('../../constants')
+const commandLineUsage = require('command-line-usage')
+
+const processAuth = async (argv, config) => {
+  let authParams = parsedCLIOptions.getCommandLineArgsCustom(
+    argv,
+    constants.commandLineDefinitions.authOptionDefinitions
+  )
+
+  if (authParams.help) {
+    console.log(authUsageGuide)
+    process.exit(0)
+  }
 
-const processAuth = async config => {
   const token = uuidv4()
   const url = `${AUTH_UI_URL}/?token=${token}`
 
@@ -68,6 +81,17 @@ const pollAuthResult = async (token, client) => {
     })
 }
 
+const authUsageGuide = commandLineUsage([
+  {
+    header: i18n.__('authHeader'),
+    content: [i18n.__('constantsAuthHeaderContents')]
+  },
+  {
+    header: i18n.__('constantsAuthUsageHeader'),
+    content: [i18n.__('constantsAuthUsageContents')]
+  }
+])
+
 module.exports = {
   processAuth: processAuth
 }

package/src/commands/config/config.js

@@ -1,15 +1,19 @@
-const commandLineArgs = require('command-line-args')
+const parsedCLIOptions = require('../../utils/parsedCLIOptions')
+const constants = require('../../constants')
+const commandLineUsage = require('command-line-usage')
+const i18n = require('i18n')
 
 const processConfig = (argv, config) => {
-  const options = [{ name: 'clear', alias: 'c', type: Boolean }]
-
   try {
-    const configOptions = commandLineArgs(options, {
+    let configParams = parsedCLIOptions.getCommandLineArgsCustom(
       argv,
-      caseInsensitive: true,
-      camelCase: true
-    })
-    if (configOptions.clear) {
+      constants.commandLineDefinitions.configOptionDefinitions
+    )
+    if (configParams.help) {
+      console.log(configUsageGuide)
+      process.exit(0)
+    }
+    if (configParams.clear) {
       config.clear()
     } else {
       console.log(JSON.parse(JSON.stringify(config.store)))
@@ -20,6 +24,16 @@ const processConfig = (argv, config) => {
   }
 }
 
+const configUsageGuide = commandLineUsage([
+  {
+    header: i18n.__('configHeader')
+  },
+  {
+    content: [i18n.__('constantsConfigUsageContents')],
+    optionList: constants.commandLineDefinitions.configOptionDefinitions
+  }
+])
+
 module.exports = {
   processConfig: processConfig
 }

package/src/commands/scan/processScan.js

@@ -1,44 +1,28 @@
-const { startScan } = require('../../scan/scanController')
-const { formatScanOutput } = require('../../scan/scan')
-const { scanUsageGuide } = require('../../scan/help')
 const scanConfig = require('../../scan/scanConfig')
-const saveResults = require('../../scan/saveResults')
-const commonApi = require('../../utils/commonApi')
-const i18n = require('i18n')
+const { startScan } = require('../../scan/scanController')
+const { saveScanFile } = require('../../utils/saveFile')
+const { ScanResultsModel } = require('../../scan/models/scanResultsModel')
+const { formatScanOutput } = require('../../scan/formatScanOutput')
+const { processSca } = require('./sca/scaAnalysis')
 
 const processScan = async argvMain => {
-  if (argvMain.indexOf('--help') !== -1) {
-    printHelpMessage()
-    process.exit(1)
-  }
-
   let config = scanConfig.getScanConfig(argvMain)
+  // console.log(config)
+  //try SCA analysis first
+  if (config.experimental) {
+    await processSca(config)
+  }
 
-  let scanResults = await startScan(config)
+  let scanResults = new ScanResultsModel(await startScan(config))
   if (scanResults) {
-    formatScanOutput(
-      scanResults?.projectOverview,
-      scanResults?.scanResultsInstances
-    )
+    formatScanOutput(scanResults)
   }
 
-  if (config.save) {
-    if (config.save.toLowerCase() === 'sarif') {
-      const scanId = scanResults.scanDetail.id
-      const client = commonApi.getHttpClient(config)
-      const rawResults = await client.getSpecificScanResultSarif(config, scanId)
-      saveResults.writeResultsToFile(rawResults?.body)
-    } else {
-      console.log(i18n.__('scanNoFiletypeSpecifiedForSave'))
-    }
+  if (config.save !== undefined) {
+    await saveScanFile(config, scanResults)
   }
 }
 
-const printHelpMessage = () => {
-  console.log(scanUsageGuide)
-}
-
 module.exports = {
-  processScan,
-  printHelpMessage
+  processScan
 }

package/src/commands/scan/sca/scaAnalysis.js

@@ -0,0 +1,73 @@
+const autoDetection = require('../../../scan/autoDetection')
+const { javaAnalysis } = require('../../../scaAnalysis/java')
+const { commonSendSnapShot } = require('../../../scaAnalysis/common/treeUpload')
+const {
+  manualDetectAuditFilesAndLanguages
+} = require('../../../scan/autoDetection')
+const { dealWithNoAppId } = require('../../audit/auditController')
+const {
+  supportedLanguages: { JAVA }
+} = require('../../../audit/languageAnalysisEngine/constants')
+
+const processSca = async config => {
+  let filesFound
+  if (config.projectPath) {
+    filesFound = await manualDetectAuditFilesAndLanguages(config.projectPath)
+  } else {
+    filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config)
+  }
+
+  // files found looks like [ { javascript: [ Array ] } ]
+  //check we have the language and call the right analyser
+  //refactor new analyser and see if we can clean it up
+  let messageToSend = undefined
+  if (filesFound.length === 1) {
+    switch (Object.keys(filesFound[0])[0]) {
+      case JAVA:
+        messageToSend = await javaAnalysis(config, filesFound[0])
+        config.language = JAVA
+        break
+      // case 'javascript':
+      //     // code block
+      //     break;
+      // case 'dotnet':
+      //     // code block
+      //     break;
+      // case 'python':
+      //     // code block
+      //     break;
+      // case 'ruby':
+      //     // code block
+      //     break;
+      // case 'php':
+      //     // code block
+      //     break;
+      // case 'go':
+      //     // code block
+      //     break;
+      default:
+        //something is wrong
+        console.log('language detected not supported')
+        return
+    }
+
+    if (!config.applicationId) {
+      config.applicationId = await dealWithNoAppId(config)
+    }
+    //send message to TS
+    console.log('processing dependencies')
+    const response = await commonSendSnapShot(messageToSend, config)
+  } else {
+    if (filesFound.length === 0) {
+      console.log('no compatible dependency files detected. Continuing...')
+    } else {
+      console.log(
+        'multiple language files detected, please use --project-path to specify a directory or the file where dependencies are declared'
+      )
+    }
+  }
+}
+
+module.exports = {
+  processSca
+}

package/src/common/HTTPClient.js

@@ -106,7 +106,9 @@ HTTPClient.prototype.getScanId = function getScanId(config, codeArtifactId) {
   options.url = url
   options.body = {
     codeArtifactId: codeArtifactId,
-    label: `Started by CLI tool at ${new Date().toString()}`
+    label: config.label
+      ? config.label
+      : `Started by CLI tool at ${new Date().toString()}`
   }
   return requestUtils.sendRequest({ method: 'post', options })
 }
@@ -130,6 +132,9 @@ HTTPClient.prototype.createProjectId = function createProjectId(config) {
     name: config.name,
     archived: 'false'
   }
+  if (config.language) {
+    options.body.language = config.language
+  }
   options.url = createHarmonyProjectsUrl(config)
   return requestUtils.sendRequest({ method: 'post', options })
 }
@@ -185,6 +190,9 @@ HTTPClient.prototype.catalogueCommand = function catalogueCommand(config) {
 }
 
 HTTPClient.prototype.sendSnapshot = function sendSnapshot(requestBody, config) {
+  if (config.language.toUpperCase() === 'RUBY') {
+    //console.log('sendSnapshot requestBody', requestBody.snapshot.ruby)
+  }
   const options = _.cloneDeep(this.requestOptions)
   let url = createSnapshotURL(config)
   options.url = url
@@ -192,32 +200,22 @@ HTTPClient.prototype.sendSnapshot = function sendSnapshot(requestBody, config) {
   return requestUtils.sendRequest({ method: 'post', options })
 }
 
-HTTPClient.prototype.getReport = function getReport(config) {
+HTTPClient.prototype.getReportById = function getReportById(config, reportId) {
   const options = _.cloneDeep(this.requestOptions)
-  let url = createReportUrl(config)
-  options.url = url
-
-  return requestUtils.sendRequest({ method: 'get', options })
-}
-
-HTTPClient.prototype.getSpecificReport = function getSpecificReport(
-  config,
-  reportId
-) {
-  const options = _.cloneDeep(this.requestOptions)
-  let url = createSpecificReportUrl(config, reportId)
-  options.url = url
-
+  if (config.ignoreDev) {
+    options.url = createSpecificReportWithProdUrl(config, reportId)
+  } else {
+    options.url = createSpecificReportUrl(config, reportId)
+  }
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
 HTTPClient.prototype.getLibraryVulnerabilities = function getLibraryVulnerabilities(
-  requestBody,
-  config
+  config,
+  requestBody
 ) {
   const options = _.cloneDeep(this.requestOptions)
-  let url = createLibraryVulnerabilitiesUrl(config)
-  options.url = url
+  options.url = createLibraryVulnerabilitiesUrl(config)
   options.body = requestBody
 
   return requestUtils.sendRequest({ method: 'put', options })
@@ -230,16 +228,16 @@ HTTPClient.prototype.getAppId = function getAppId(config) {
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
-HTTPClient.prototype.getDependencyTree = function getReport(
-  orgUuid,
-  appId,
-  reportId
-) {
-  const options = _.cloneDeep(this.requestOptions)
-  let url = createGetDependencyTree(options.uri, orgUuid, appId, reportId)
-  options.url = url
-  return requestUtils.sendRequest({ method: 'get', options })
-}
+// HTTPClient.prototype.getDependencyTree = function getReport(
+//   orgUuid,
+//   appId,
+//   reportId
+// ) {
+//   const options = _.cloneDeep(this.requestOptions)
+//   let url = createGetDependencyTree(options.uri, orgUuid, appId, reportId)
+//   options.url = url
+//   return requestUtils.sendRequest({ method: 'get', options })
+// }
 
 // serverless - lambda
 function getServerlessHost(config = {}) {
@@ -317,6 +315,12 @@ HTTPClient.prototype.checkLibrary = function checkLibrary(data) {
   return requestUtils.sendRequest({ method: 'post', options })
 }
 
+HTTPClient.prototype.getSbom = function getSbom(config) {
+  const options = _.cloneDeep(this.requestOptions)
+  options.url = createSbomCycloneDXUrl(config)
+  return requestUtils.sendRequest({ method: 'get', options })
+}
+
 // scan
 const createGetScanIdURL = config => {
   return `${config.host}/Contrast/api/sast/v1/organizations/${config.organizationId}/projects/${config.projectId}/scans/`
@@ -370,20 +374,22 @@ function createLibraryVulnerabilitiesUrl(config) {
   return `${config.host}/Contrast/api/ng/${config.organizationId}/libraries/artifactsByGroupNameVersion`
 }
 
-function createReportUrl(config) {
-  return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/reports`
+function createSpecificReportUrl(config, reportId) {
+  return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/reports/${reportId}`
 }
 
-function createSpecificReportUrl(config, reportId) {
-  return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/reports/${reportId}?nodesToInclude=PROD`
+function createSpecificReportWithProdUrl(config, reportId) {
+  return createSpecificReportUrl(config, reportId).concat(
+    `?nodesToInclude=PROD`
+  )
 }
 
 function createDataUrl() {
   return `https://ardy.contrastsecurity.com/production`
 }
 
-const createGetDependencyTree = (protocol, orgUuid, appId, reportId) => {
-  return `${protocol}/Contrast/api/ng/sca/organizations/${orgUuid}/applications/${appId}/reports/${reportId}`
+function createSbomCycloneDXUrl(config) {
+  return `${config.host}/Contrast/api/ng/${config.organizationId}/applications/${config.applicationId}/libraries/sbom/cyclonedx`
 }
 
 module.exports = HTTPClient