@contrast/contrast 1.0.20 → 1.0.22

package/dist/cliConstants.js

@@ -186,6 +186,7 @@ const scanOptionDefinitions = [
 ];
 const authOptionDefinitions = [
     ...sharedConnectionOptionDefinitions,
+    ...sharedCertOptionDefinitions,
     {
         name: 'help',
         alias: 'h',
@@ -296,10 +297,6 @@ const auditOptionDefinitions = [
             '}: ' +
             i18n.__('constantsIgnoreDev')
     },
-    {
-        name: 'fingerprint',
-        type: Boolean
-    },
     {
         name: 'save',
         alias: 's',
@@ -358,6 +355,14 @@ const auditOptionDefinitions = [
             i18n.__('auditOptionsBranchSummary')
     }
 ];
+const fingerprintOptionDefinitions = [
+    ...auditOptionDefinitions,
+    {
+        name: 'depth',
+        type: Number,
+        description: '{bold ' + i18n.__('constantsOptional') + '}: ' + i18n.__('depthOption')
+    }
+];
 const mainUsageGuide = commandLineUsage([
     {
         header: i18n.__('constantsHeader'),
@@ -374,12 +379,13 @@ const mainUsageGuide = commandLineUsage([
         header: i18n.__('constantsCommands'),
         content: [
             { name: i18n.__('authName'), summary: i18n.__('helpAuthSummary') },
+            { name: i18n.__('configName'), summary: i18n.__('helpConfigSummary') },
+            { name: i18n.__('versionName'), summary: i18n.__('helpVersionSummary') },
+            { name: i18n.__('auditName'), summary: i18n.__('helpAuditSummary') },
             { name: i18n.__('scanName'), summary: i18n.__('helpScanSummary') },
             { name: i18n.__('lambdaName'), summary: i18n.__('helpLambdaSummary') },
-            { name: i18n.__('auditName'), summary: i18n.__('helpAuditSummary') },
-            { name: i18n.__('versionName'), summary: i18n.__('helpVersionSummary') },
-            { name: i18n.__('configName'), summary: i18n.__('helpConfigSummary') },
-            { name: i18n.__('helpName'), summary: i18n.__('helpSummary') }
+            { name: i18n.__('helpName'), summary: i18n.__('helpSummary') },
+            { name: i18n.__('learnName'), summary: i18n.__('helpLearnSummary') }
         ]
     },
     {
@@ -393,7 +399,8 @@ const mainUsageGuide = commandLineUsage([
         ]
     },
     commonHelpLinks()[0],
-    commonHelpLinks()[1]
+    commonHelpLinks()[1],
+    commonHelpLinks()[2]
 ]);
 const mainDefinition = [{ name: 'command', defaultOption: true }];
 module.exports = {
@@ -401,6 +408,7 @@ module.exports = {
         mainUsageGuide,
         mainDefinition,
         scanOptionDefinitions,
+        fingerprintOptionDefinitions,
         auditOptionDefinitions,
         authOptionDefinitions,
         configOptionDefinitions,

package/dist/commands/audit/help.js

@@ -4,6 +4,9 @@ const i18n = require('i18n');
 const constants = require('../../cliConstants');
 const { commonHelpLinks } = require('../../common/commonHelp');
 const auditUsageGuide = commandLineUsage([
+    {
+        header: i18n.__('constantsHeader')
+    },
     {
         header: i18n.__('auditHeader'),
         content: [i18n.__('auditHeaderMessage')]
@@ -61,7 +64,8 @@ const auditUsageGuide = commandLineUsage([
         optionList: constants.commandLineDefinitions.auditAdvancedOptionDefinitionsForHelp
     },
     commonHelpLinks()[0],
-    commonHelpLinks()[1]
+    commonHelpLinks()[1],
+    commonHelpLinks()[2]
 ]);
 module.exports = {
     auditUsageGuide

package/dist/commands/audit/processAudit.js

@@ -1,7 +1,7 @@
 "use strict";
 const auditConfig = require('./auditConfig');
 const { auditUsageGuide } = require('./help');
-const scaController = require('../scan/sca/scaAnalysis');
+const scaController = require('../../scaAnalysis/scaAnalysis');
 const { sendTelemetryConfigAsObject } = require('../../telemetry/telemetry');
 const { postRunMessage } = require('../../common/commonHelp');
 const processAudit = async (contrastConf, argvMain) => {

package/dist/commands/auth/auth.js

@@ -81,6 +81,11 @@ const authUsageGuide = commandLineUsage([
     {
         header: i18n.__('constantsAuthUsageHeader'),
         content: [i18n.__('constantsAuthUsageContents')]
+    },
+    {
+        header: i18n.__('constantsAdvancedOptions'),
+        optionList: constants.commandLineDefinitions.authOptionDefinitions,
+        hide: ['organization-id', 'api-key', 'authorization', 'host']
     }
 ]);
 const checkForCustomCredentials = authParams => {

package/dist/commands/fingerprint/fingerprintConfig.js

@@ -0,0 +1,12 @@
+"use strict";
+const parsedCLIOptions = require('../../utils/parsedCLIOptions');
+const constants = require('../../cliConstants');
+const paramHandler = require('../../utils/paramsUtil/paramHandler');
+const getFingerprintConfig = async (contrastConf, command, argv) => {
+    const fingerprintParameters = await parsedCLIOptions.getCommandLineArgsCustom(contrastConf, command, argv, constants.commandLineDefinitions.fingerprintOptionDefinitions);
+    const paramsAuth = paramHandler.getAuth(fingerprintParameters);
+    return { ...paramsAuth, ...fingerprintParameters };
+};
+module.exports = {
+    getFingerprintConfig
+};

package/dist/commands/fingerprint/processFingerprint.js

@@ -0,0 +1,14 @@
+"use strict";
+const fingerprintConfig = require('./fingerprintConfig');
+const autoDetection = require('../../scan/autoDetection');
+const saveResults = require('../../scan/saveResults');
+const processFingerprint = async (contrastConf, argvMain) => {
+    const config = await fingerprintConfig.getFingerprintConfig(contrastConf, 'fingerprint', argvMain);
+    let fingerprint = await autoDetection.autoDetectFingerprintInfo(config.file, config.depth);
+    let idArray = fingerprint.map(x => x.id);
+    await saveResults.writeResultsToFile(fingerprint, 'fingerPrintInfo.json');
+    return console.log(idArray);
+};
+module.exports = {
+    processFingerprint
+};

package/dist/commands/learn/learn.js

@@ -0,0 +1,9 @@
+"use strict";
+const open = require('open');
+async function openLearnPage() {
+    const url = 'https://www.contrastsecurity.com/developer/learn';
+    return open(url);
+}
+module.exports = {
+    openLearnPage
+};

package/dist/commands/learn/processLearn.js

@@ -0,0 +1,10 @@
+"use strict";
+const { openLearnPage } = require('./learn');
+async function processLearn() {
+    console.log('Opening Contrast’s Secure Code Learning Hub...');
+    console.log('If the page does not open you can open it directly via https://www.contrastsecurity.com/developer/learn');
+    return openLearnPage();
+}
+module.exports = {
+    processLearn
+};

package/dist/common/HTTPClient.js

@@ -191,6 +191,12 @@ HTTPClient.prototype.scaServiceIngests = function scaServiceIngests(config) {
     options.url = url;
     return requestUtils.sendRequest({ method: 'get', options });
 };
+HTTPClient.prototype.scaServiceHealth = function scaServiceIngests(config) {
+    const options = _.cloneDeep(this.requestOptions);
+    let url = createScaServiceHealthURL(config);
+    options.url = url;
+    return requestUtils.sendRequest({ method: 'get', options });
+};
 HTTPClient.prototype.getReportById = function getReportById(config, reportId) {
     const options = _.cloneDeep(this.requestOptions);
     if (config.ignoreDev) {
@@ -342,6 +348,9 @@ function createScaServiceReportStatusURL(config, reportId) {
 function createScaServiceIngestsURL(config) {
     return `${config.host}/Contrast/api/sca/organizations/${config.organizationId}/applications/${config.applicationId}/libraries/ingests`;
 }
+function createScaServiceHealthURL(config) {
+    return `${config.host}/Contrast/api/sca/organizations/${config.organizationId}/health`;
+}
 function createScaServiceIngestURL(config) {
     let baseUrl = `${config.host}/Contrast/api/sca/organizations/${config.organizationId}/applications/${config.applicationId}/libraries/ingests/tree`;
     baseUrl = config.track ? baseUrl.concat('?persist=true') : baseUrl;

package/dist/common/commonHelp.js

@@ -19,17 +19,24 @@ const commonHelpLinks = () => {
                 i18n.__('commonHelpLearnMoreEnterpriseHeader') +
                     i18n.__('commonHelpLearnMoreEnterpriseText')
             ]
+        },
+        {
+            content: [
+                i18n.__('commonHelpLearnHeader') + i18n.__('commonHelpLearnText')
+            ]
         }
     ];
 };
 const postRunMessage = commandName => {
     console.log('\n' + chalk.underline.bold('Other Features:'));
     if (commandName !== 'scan')
-        console.log("'contrast scan' to run Contrasts’ industry leading SAST scanner");
+        console.log("'contrast scan' to run Contrast's industry leading SAST scanner");
     if (commandName !== 'audit')
         console.log("'contrast audit' to find vulnerabilities in your open source dependencies");
     if (commandName !== 'lambda')
         console.log("'contrast lambda' to secure your AWS serverless functions");
+    if (commandName !== 'learn')
+        console.log("'contrast learn' launches Contrast's Secure Code Learning Hub.");
 };
 module.exports = {
     commonHelpLinks,

package/dist/constants/constants.js

@@ -12,7 +12,7 @@ const MEDIUM = 'MEDIUM';
 const HIGH = 'HIGH';
 const CRITICAL = 'CRITICAL';
 const APP_NAME = 'contrast';
-const APP_VERSION = '1.0.20';
+const APP_VERSION = '1.0.22';
 const TIMEOUT = 120000;
 const HIGH_COLOUR = '#ff9900';
 const CRITICAL_COLOUR = '#e35858';

package/dist/constants/lambda.js

@@ -48,6 +48,7 @@ const lambda = {
     internal_error: 'Internal error',
     inactive_account: 'Scanning a function of an inactive account is not supported',
     not_supported_runtime: 'Scanning resource of runtime "{{runtime}}" is not supported.\nSupported runtimes: {{supportedRuntimes}}',
+    not_supported_lambda: 'This function cannot be scanned',
     not_supported_onboard_account: 'Scanning a function of onboard account is not supported',
     scan_lock: 'Other scan is still running. Please wait until the previous scan finishes',
     unsupported: 'unsupported',

package/dist/constants/locales.js

@@ -1,6 +1,7 @@
 "use strict";
 const { lambda } = require('./lambda');
 const chalk = require('chalk');
+const { APP_VERSION } = require('./constants');
 const en_locales = () => {
     return {
         snapshotFailureHeader: 'FAIL',
@@ -52,7 +53,7 @@ const en_locales = () => {
         failThresholdOptionErrorMessage: 'More than 0 vulnerabilities found',
         failSeverityOptionErrorMessage: ' FAIL - Results detected vulnerabilities over accepted severity level',
         constantsSeverity: 'Use with "contrast scan --fail --severity high" or "contrast audit --fail --severity high". Set the severity level to detect vulnerabilities or dependencies. Severity levels are critical, high, medium, low or note.',
-        constantsHeader: 'Contrast CLI',
+        constantsHeader: `Contrast CLI @ v${APP_VERSION}`,
         configHeader2: 'Config options',
         clearHeader: '-c, --clear',
         clearContent: 'Removes stored credentials',
@@ -107,10 +108,10 @@ const en_locales = () => {
         genericServiceError: 'returned with status code %s',
         permissionsError: 'You do not have the correct permissions here. \n Contact support@contrastsecurity.com to get this fixed.',
         scanErrorFileMessage: 'We only accept the following file types: \nJava - .jar, .war \nJavaScript - .js or .zip files',
-        helpAuthSummary: 'Authenticate Contrast using your Github or Google account',
-        helpAuditSummary: 'Searches for a suitable file in the working directory to perform a security audit of dependencies and returns the results. [Contrast audit --help (for options).]',
-        helpScanSummary: 'Searches for a .jar, .war, .js, or .zip file in the working directory, uploads files for analysis, and returns the results. [For further help/options, enter scan --help]',
-        helpLambdaSummary: 'Performs a static security scan on an AWS lambda function. lambda --help (for options)',
+        helpAuthSummary: 'Authenticate Contrast using your Github or Google account OR include credentials if you are an existing licensed Contrast user.',
+        helpAuditSummary: 'Searches for a suitable file in the working directory to perform a security audit of dependencies and returns the results. \n[audit --help for options] Java, .NET, Node, Ruby, Python, Go, PHP are supported. ',
+        helpScanSummary: 'Searches for a .jar, .war, .js, or .zip file in the working directory, uploads files for analysis, and returns the results. \n[scan --help for options] Java, .NET, .NET Core, JavaScript are supported. ',
+        helpLambdaSummary: 'Performs a static security scan on an AWS lambda function. [lambda --help for options] AWS Lambda - Java & Python are supported. ',
         helpVersionSummary: 'Displays version of Contrast CLI',
         helpConfigSummary: 'Displays stored credentials',
         helpSummary: 'Displays usage guide',
@@ -121,6 +122,10 @@ const en_locales = () => {
         versionName: 'version',
         configName: 'config',
         helpName: 'help',
+        learnName: 'learn',
+        helpLearnSummary: 'Launches Contrast’s Secure Code Learning Hub.',
+        fingerprintName: 'assess repo to see how many languages it can detect. For use in pipeline only.',
+        depthOption: 'can set how deep in the file system the cli looks for language files',
         scanOptionsLanguageSummary: 'Valid values are JAVA, JAVASCRIPT and DOTNET',
         scanOptionsTimeoutSummary: 'Time in seconds to wait for scan to complete. Default value is 300 seconds.',
         scanOptionsFileNameSummary: 'Path of the file you want to scan. If no file is specified, Contrast searches for a .jar, .war, .exe or .zip file in the working directory.',
@@ -136,7 +141,7 @@ const en_locales = () => {
             chalk.bold('\ncontrast audit') +
             ' to find vulnerabilities in your open source dependencies.' +
             '\nSupports Java, .NET, Node, Ruby, Python, Go and PHP.' +
-            '\nOur CLI runs native build tools to generate a complete dependency tree.' +
+            '\n\nOur CLI runs native build tools to generate a complete dependency tree.' +
             '\nIf you are running on untrusted code, consider running in a sandbox.\n' +
             chalk.bold('\ncontrast lambda') +
             ' to secure your AWS serverless functions. \nSupports Java and Python \n' +
@@ -148,7 +153,7 @@ const en_locales = () => {
         foundDetailedVulnerabilities: chalk.bold('%s') + ' | ' + chalk.bold('%s') + ' | %s | %s | %s ',
         searchingScanFileDirectory: 'Searching for file to scan from %s...',
         searchingAuditFileDirectory: 'Searching for package manager files from %s...',
-        scanHeader: 'Contrast Scan CLI',
+        scanHeader: `Contrast Scan CLI`,
         authHeader: 'Auth',
         lambdaHeader: 'Contrast Lambda CLI',
         lambdaSummary: 'Performs static security scan on an AWS Lambda Function.\nProduces CVE (Vulnerable Dependencies) and Least Privilege violations/remediation results.',
@@ -179,7 +184,7 @@ const en_locales = () => {
         connectionError: 'An error has occurred when trying to get the Project Id please check your internet connection or provide the Project Id manually',
         internalServerErrorHeader: '500 error - Internal server error',
         resourceLockedErrorHeader: '423 error - Resource is locked',
-        auditHeader: 'Contrast audit help',
+        auditHeader: 'Contrast Audit CLI',
         auditHeaderMessage: "Use 'contrast audit' to analyze a project’s dependencies for vulnerabilities.",
         constantsAuditPrerequisitesContentSupportedLanguages: 'Supported languages and their requirements are:',
         constantsAuditPrerequisitesJavaContentMessage: `
@@ -219,12 +224,15 @@ const en_locales = () => {
         commonHelpLearnMoreText: ' https://www.contrastsecurity.com/developer ',
         commonHelpLearnMoreEnterpriseText: ' https://docs.contrastsecurity.com/en/run-contrast-cli.html ',
         commonHelpJoinDiscussionHeader: chalk.hex('#9DC184')('Join the discussion:'),
-        commonHelpJoinDiscussionText: ' https://dev.to/codesec',
+        commonHelpJoinDiscussionText: ' https://www.contrastsecurity.com/developer/community',
+        commonHelpLearnHeader: chalk.hex('#ffe599')('\r  Want to UP your game?') +
+            " type 'contrast learn'",
+        commonHelpLearnText: `\n💰 Advance your security knowledge and become an ${chalk.hex('#ffd966')('All-star coder')} ⭐  with ${chalk.bold('Contrast Secure Code Learning Hub.')} 😺`,
         authCommand: {
             credentialsAccepted: {
-                title: 'Credentials accepted',
-                body: 'Now run contrast audit, lambda or scan',
-                extra: 'Or contrast help for full list of commands'
+                title: '✔ Credentials successfully saved',
+                body: `\n${chalk.bold('Contrast CLI')}`,
+                extra: 'Scan, secure and ship your code in minutes.'
             },
             credentialsMissing: {
                 title: 'Credentials missing',

package/dist/index.js

@@ -9,6 +9,7 @@ const processAudit_1 = require("./commands/audit/processAudit");
 const auth_1 = require("./commands/auth/auth");
 const config_1 = require("./commands/config/config");
 const processScan_1 = require("./commands/scan/processScan");
+const processFingerprint_1 = require("./commands/fingerprint/processFingerprint");
 const cliConstants_1 = __importDefault(require("./cliConstants"));
 const constants_1 = require("./constants/constants");
 const lambda_1 = require("./lambda/lambda");
@@ -16,6 +17,7 @@ const getConfig_1 = require("./utils/getConfig");
 const versionChecker_1 = require("./common/versionChecker");
 const errorHandling_1 = require("./common/errorHandling");
 const telemetry_1 = require("./telemetry/telemetry");
+const processLearn_1 = require("./commands/learn/processLearn");
 const { commandLineDefinitions: { mainUsageGuide, mainDefinition } } = cliConstants_1.default;
 const config = (0, getConfig_1.localConfig)(constants_1.APP_NAME, constants_1.APP_VERSION);
 const getMainOption = () => {
@@ -64,6 +66,12 @@ const start = async () => {
             if (command === 'audit') {
                 return await (0, processAudit_1.processAudit)(config, argvMain);
             }
+            if (command === 'learn') {
+                return (0, processLearn_1.processLearn)();
+            }
+            if (command === 'fingerprint') {
+                return await (0, processFingerprint_1.processFingerprint)(config, argvMain);
+            }
             if (command === 'help' ||
                 argvMain.includes('--help') ||
                 Object.keys(mainOptions).length === 0) {

package/dist/lambda/help.js

@@ -8,6 +8,9 @@ const command_line_usage_1 = __importDefault(require("command-line-usage"));
 const i18n_1 = __importDefault(require("i18n"));
 const commonHelp_1 = require("../common/commonHelp");
 const lambdaUsageGuide = (0, command_line_usage_1.default)([
+    {
+        header: i18n_1.default.__('constantsHeader')
+    },
     {
         header: i18n_1.default.__('lambdaHeader'),
         content: [i18n_1.default.__('lambdaSummary')]
@@ -82,6 +85,7 @@ const lambdaUsageGuide = (0, command_line_usage_1.default)([
         ]
     },
     (0, commonHelp_1.commonHelpLinks)()[0],
-    (0, commonHelp_1.commonHelpLinks)()[1]
+    (0, commonHelp_1.commonHelpLinks)()[1],
+    (0, commonHelp_1.commonHelpLinks)()[2]
 ]);
 exports.lambdaUsageGuide = lambdaUsageGuide;

package/dist/lambda/scanRequest.js

@@ -14,7 +14,9 @@ const commonApi_1 = require("../utils/commonApi");
 const logUtils_1 = require("./logUtils");
 const cliError_1 = require("./cliError");
 const constants_1 = require("./constants");
-const sendScanPostRequest = async (config, params, functionsEvent, showProgress = false) => {
+const requestUtils_1 = require("../utils/requestUtils");
+const MAX_RETRIES = 2;
+const sendScanPostRequest = async (config, params, functionsEvent, showProgress = false, retryNumber = 0) => {
     const client = (0, commonApi_1.getHttpClient)(config);
     if (showProgress) {
         (0, logUtils_1.log)(i18n_1.default.__('sendingScanRequest', { icon: log_symbols_1.default.success }));
@@ -38,6 +40,15 @@ const sendScanPostRequest = async (config, params, functionsEvent, showProgress
             });
             errorCode = false;
             break;
+        case 'not_supported_lambda':
+            description = i18n_1.default.__(errorCode);
+            errorCode = false;
+            break;
+        default:
+            if (retryNumber < MAX_RETRIES) {
+                await (0, requestUtils_1.sleep)(3 * 1000);
+                return sendScanPostRequest(config, params, functionsEvent, showProgress, retryNumber + 1);
+            }
     }
     throw new cliError_1.CliError(constants_1.ERRORS.FAILED_TO_START_SCAN, {
         statusCode,

package/dist/scaAnalysis/common/treeUpload.js

@@ -18,6 +18,9 @@ const commonSendSnapShot = async (analysis, config) => {
             return res.body;
         }
         else {
+            if (res.statusCode === 403) {
+                throw new Error(`🛑 Contrast audit failed \nPlease check you have the right permissions and the application ${config.applicationName ? config.applicationName : ''} has not been archived.`.replace(/ +(?= )/g, ''));
+            }
             throw new Error(res.statusCode + ` error processing dependencies`);
         }
     })

package/dist/scaAnalysis/javascript/analysis.js

@@ -32,46 +32,24 @@ const readYarn = async (config, languageFiles, nameOfFile) => {
         throw new Error(i18n.__('nodeReadYarnLockFileError') + `${err.message}`);
     }
 };
-const parseNpmLockFile = async (js) => {
+const parseNpmLockFile = async (npmLockFile) => {
     try {
-        js.npmLockFile = JSON.parse(js.rawLockFileContents);
-        if (js.npmLockFile && js.npmLockFile.lockfileVersion > 1) {
-            const listOfTopDep = Object.keys(js.npmLockFile.dependencies);
-            Object.entries(js.npmLockFile.dependencies).forEach(([objKey, value]) => {
-                if (value.requires) {
-                    const listOfRequiresDep = Object.keys(value.requires);
-                    listOfRequiresDep.forEach(dep => {
-                        if (!listOfTopDep.includes(dep)) {
-                            addDepToLockFile(js, value['requires'], dep);
-                        }
-                    });
-                }
-                if (value.dependencies) {
-                    Object.entries(value.dependencies).forEach(([objChildKey, childValue]) => {
-                        if (childValue.requires) {
-                            const listOfRequiresDep = Object.keys(childValue.requires);
-                            listOfRequiresDep.forEach(dep => {
-                                if (!listOfTopDep.includes(dep)) {
-                                    addDepToLockFile(js, childValue['requires'], dep);
-                                }
-                            });
-                        }
-                    });
-                }
-            });
-            return js.npmLockFile;
-        }
-        else {
-            return js.npmLockFile;
+        if (!npmLockFile.parsedPackages) {
+            npmLockFile.parsedPackages = {};
         }
+        Object.entries(npmLockFile.packages).forEach(([packageKey, packageValue]) => {
+            if (packageKey.includes('node_modules/')) {
+                packageKey = packageKey.replace(/(node_modules\/)+/g, '');
+            }
+            npmLockFile.parsedPackages[packageKey] = packageValue;
+        });
+        delete npmLockFile.parsedPackages[''];
+        return npmLockFile;
     }
     catch (err) {
         throw new Error(i18n.__('NodeParseNPM') + `${err.message}`);
     }
 };
-const addDepToLockFile = (js, depObj, key) => {
-    return (js.npmLockFile.dependencies[key] = { version: depObj[key] });
-};
 const parseYarnLockFile = async (js) => {
     try {
         js.yarn.yarnLockFile = {};

package/dist/scaAnalysis/javascript/index.js

@@ -32,7 +32,20 @@ const readFiles = async (config, files) => {
 };
 const parseFiles = async (config, files, js) => {
     if (files.includes('package-lock.json')) {
-        js.npmLockFile = await analysis.parseNpmLockFile(js);
+        const npmLockFile = JSON.parse(js.rawLockFileContents);
+        const currentLockFileVersion = npmLockFile.lockfileVersion;
+        const generalRebuildMessage = '\nPlease update to Node 16+ & NPM 8+ or 9+ and then rebuild your package files.' +
+            '\nMore info here: https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json';
+        if (currentLockFileVersion === 1) {
+            throw new Error(`NPM lockfileVersion 1 is no longer supported. \n ${generalRebuildMessage}`);
+        }
+        if (!currentLockFileVersion || !npmLockFile.packages) {
+            throw new Error(`package-lock.json needs to be in the NPM v2 or v3 format. \n ${generalRebuildMessage}`);
+        }
+        if (currentLockFileVersion === 3 && !config.experimental) {
+            throw new Error(`NPM lockfileVersion 3 is only supported when using the '-e' flag.`);
+        }
+        js.npmLockFile = await analysis.parseNpmLockFile(npmLockFile);
     }
     if (files.includes('yarn.lock')) {
         js = await analysis.parseYarnLockFile(js);

package/dist/scaAnalysis/javascript/scaServiceParser.js

@@ -47,7 +47,7 @@ const chooseLockFile = rawNode => {
         return { lockFile: rawNode?.yarn?.yarnLockFile?.object, type: 'yarn' };
     }
     else if (rawNode.npmLockFile !== undefined) {
-        return { lockFile: rawNode?.npmLockFile?.dependencies, type: 'npm' };
+        return { lockFile: rawNode?.npmLockFile?.parsedPackages, type: 'npm' };
     }
     else {
         return undefined;
@@ -70,8 +70,8 @@ const createChildDependencies = (lockFileDep, currentDep) => {
 };
 const createNPMChildDependencies = (lockFileDep, currentDep) => {
     let depArray = [];
-    if (lockFileDep[currentDep]?.requires) {
-        for (const [key, value] of Object.entries(lockFileDep[currentDep]?.requires)) {
+    if (lockFileDep[currentDep]?.dependencies) {
+        for (const [key, value] of Object.entries(lockFileDep[currentDep]?.dependencies)) {
             depArray.push(key);
         }
     }