@contrast/contrast 1.0.20 → 1.0.22

package/src/lambda/scanRequest.ts

@@ -14,12 +14,22 @@ import { ApiParams, LambdaOptions } from './lambda'
 import { log, prettyPrintJson } from './logUtils'
 import { CliError } from './cliError'
 import { ERRORS } from './constants'
+import { sleep } from '../utils/requestUtils'
 
-const sendScanPostRequest = async (
+const MAX_RETRIES = 2
+
+const sendScanPostRequest: (
   config: any,
   params: ApiParams,
   functionsEvent: unknown,
-  showProgress = false
+  showProgress?: boolean,
+  retryNumber?: number
+) => any = async (
+  config,
+  params,
+  functionsEvent,
+  showProgress = false,
+  retryNumber = 0
 ) => {
   const client = getHttpClient(config)
 
@@ -50,6 +60,21 @@ const sendScanPostRequest = async (
       })
       errorCode = false
       break
+    case 'not_supported_lambda':
+      description = i18n.__(errorCode)
+      errorCode = false
+      break
+    default:
+      if (retryNumber < MAX_RETRIES) {
+        await sleep(3 * 1000)
+        return sendScanPostRequest(
+          config,
+          params,
+          functionsEvent,
+          showProgress,
+          retryNumber + 1
+        )
+      }
   }
 
   throw new CliError(ERRORS.FAILED_TO_START_SCAN, {

package/src/scaAnalysis/common/treeUpload.js

@@ -18,6 +18,13 @@ const commonSendSnapShot = async (analysis, config) => {
       if (res.statusCode === 201) {
         return res.body
       } else {
+        if (res.statusCode === 403) {
+          throw new Error(
+            `🛑 Contrast audit failed \nPlease check you have the right permissions and the application ${
+              config.applicationName ? config.applicationName : ''
+            } has not been archived.`.replace(/ +(?= )/g, '')
+          )
+        }
         throw new Error(res.statusCode + ` error processing dependencies`)
       }
     })

package/src/scaAnalysis/javascript/analysis.js

@@ -44,48 +44,33 @@ const readYarn = async (config, languageFiles, nameOfFile) => {
   }
 }
 
-const parseNpmLockFile = async js => {
+const parseNpmLockFile = async npmLockFile => {
   try {
-    js.npmLockFile = JSON.parse(js.rawLockFileContents)
-    if (js.npmLockFile && js.npmLockFile.lockfileVersion > 1) {
-      const listOfTopDep = Object.keys(js.npmLockFile.dependencies)
-      Object.entries(js.npmLockFile.dependencies).forEach(([objKey, value]) => {
-        if (value.requires) {
-          const listOfRequiresDep = Object.keys(value.requires)
-          listOfRequiresDep.forEach(dep => {
-            if (!listOfTopDep.includes(dep)) {
-              addDepToLockFile(js, value['requires'], dep)
-            }
-          })
-        }
+    if (!npmLockFile.parsedPackages) {
+      npmLockFile.parsedPackages = {}
+    }
 
-        if (value.dependencies) {
-          Object.entries(value.dependencies).forEach(
-            ([objChildKey, childValue]) => {
-              if (childValue.requires) {
-                const listOfRequiresDep = Object.keys(childValue.requires)
-                listOfRequiresDep.forEach(dep => {
-                  if (!listOfTopDep.includes(dep)) {
-                    addDepToLockFile(js, childValue['requires'], dep)
-                  }
-                })
-              }
-            }
-          )
+    Object.entries(npmLockFile.packages).forEach(
+      ([packageKey, packageValue]) => {
+        if (packageKey.includes('node_modules/')) {
+          //remove object keys node modules prefixing
+          //e.g: node_modules/@aws-amplify/datastore/node_modules/uuid --> @aws-amplify/datastore/uuid
+          packageKey = packageKey.replace(/(node_modules\/)+/g, '')
         }
-      })
-      return js.npmLockFile
-    } else {
-      return js.npmLockFile
-    }
+
+        npmLockFile.parsedPackages[packageKey] = packageValue
+      }
+    )
+
+    //remove base project package - unneeded
+    delete npmLockFile.parsedPackages['']
+
+    return npmLockFile
   } catch (err) {
     throw new Error(i18n.__('NodeParseNPM') + `${err.message}`)
   }
 }
 
-const addDepToLockFile = (js, depObj, key) => {
-  return (js.npmLockFile.dependencies[key] = { version: depObj[key] })
-}
 const parseYarnLockFile = async js => {
   try {
     js.yarn.yarnLockFile = {}

package/src/scaAnalysis/javascript/index.js

@@ -14,9 +14,11 @@ const jsAnalysis = async (config, languageFiles) => {
 const buildNodeTree = async (config, files) => {
   let analysis = await readFiles(config, files)
   const rawNode = await parseFiles(config, files, analysis)
+
   if (config.experimental) {
     return scaServiceParser.parseJS(rawNode)
   }
+
   return formatMessage.createJavaScriptTSMessage(rawNode)
 }
 
@@ -44,8 +46,34 @@ const readFiles = async (config, files) => {
 
 const parseFiles = async (config, files, js) => {
   if (files.includes('package-lock.json')) {
-    js.npmLockFile = await analysis.parseNpmLockFile(js)
+    const npmLockFile = JSON.parse(js.rawLockFileContents)
+
+    const currentLockFileVersion = npmLockFile.lockfileVersion
+    const generalRebuildMessage =
+      '\nPlease update to Node 16+ & NPM 8+ or 9+ and then rebuild your package files.' +
+      '\nMore info here: https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json'
+
+    if (currentLockFileVersion === 1) {
+      throw new Error(
+        `NPM lockfileVersion 1 is no longer supported. \n ${generalRebuildMessage}`
+      )
+    }
+
+    if (!currentLockFileVersion || !npmLockFile.packages) {
+      throw new Error(
+        `package-lock.json needs to be in the NPM v2 or v3 format. \n ${generalRebuildMessage}`
+      )
+    }
+
+    if (currentLockFileVersion === 3 && !config.experimental) {
+      throw new Error(
+        `NPM lockfileVersion 3 is only supported when using the '-e' flag.`
+      )
+    }
+
+    js.npmLockFile = await analysis.parseNpmLockFile(npmLockFile)
   }
+
   if (files.includes('yarn.lock')) {
     js = await analysis.parseYarnLockFile(js)
   }

package/src/scaAnalysis/javascript/scaServiceParser.js

@@ -77,7 +77,7 @@ const chooseLockFile = rawNode => {
   if (rawNode?.yarn?.yarnLockFile !== undefined) {
     return { lockFile: rawNode?.yarn?.yarnLockFile?.object, type: 'yarn' }
   } else if (rawNode.npmLockFile !== undefined) {
-    return { lockFile: rawNode?.npmLockFile?.dependencies, type: 'npm' }
+    return { lockFile: rawNode?.npmLockFile?.parsedPackages, type: 'npm' }
   } else {
     return undefined
   }
@@ -105,9 +105,9 @@ const createChildDependencies = (lockFileDep, currentDep) => {
 
 const createNPMChildDependencies = (lockFileDep, currentDep) => {
   let depArray = []
-  if (lockFileDep[currentDep]?.requires) {
+  if (lockFileDep[currentDep]?.dependencies) {
     for (const [key, value] of Object.entries(
-      lockFileDep[currentDep]?.requires
+      lockFileDep[currentDep]?.dependencies
     )) {
       depArray.push(key)
     }

package/src/scaAnalysis/scaAnalysis.js

@@ -0,0 +1,206 @@
+const {
+  supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET }
+} = require('../constants/constants')
+const {
+  pollForSnapshotCompletion
+} = require('../audit/languageAnalysisEngine/sendSnapshot')
+const {
+  returnOra,
+  startSpinner,
+  succeedSpinner
+} = require('../utils/oraWrapper')
+const { vulnerabilityReportV2 } = require('../audit/report/reportingFeature')
+const autoDetection = require('../scan/autoDetection')
+const treeUpload = require('./common/treeUpload')
+const auditController = require('../commands/audit/auditController')
+const rootFile = require('../audit/languageAnalysisEngine/getProjectRootFilenames')
+const path = require('path')
+const i18n = require('i18n')
+const auditSave = require('../audit/save')
+const { auditUsageGuide } = require('../commands/audit/help')
+const repoMode = require('./repoMode')
+const { dotNetAnalysis } = require('./dotnet')
+const { goAnalysis } = require('./go/goAnalysis')
+const { phpAnalysis } = require('./php')
+const { rubyAnalysis } = require('./ruby')
+const { pythonAnalysis } = require('./python')
+const javaAnalysis = require('./java')
+const jsAnalysis = require('./javascript')
+const auditReport = require('./common/auditReport')
+const scaUpload = require('./common/scaServicesUpload')
+const settingsHelper = require('../utils/settingsHelper')
+const chalk = require('chalk')
+const saveResults = require('../scan/saveResults')
+const {
+  convertGenericToTypedReportModelSca
+} = require('./common/utils/reportUtilsSca')
+
+const processSca = async config => {
+  //checks to see whether to use old TS / new SCA path
+  config = await settingsHelper.getSettings(config)
+
+  const startTime = performance.now()
+  let filesFound
+
+  if (config.help) {
+    console.log(auditUsageGuide)
+    process.exit(0)
+  }
+
+  const projectStats = await rootFile.getProjectStats(config.file)
+  let pathWithFile = projectStats.isFile()
+
+  config.fileName = config.file
+  config.file = pathWithFile
+    ? rootFile.getDirectoryFromPathGiven(config.file).concat('/')
+    : config.file
+
+  filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config.file)
+
+  autoDetection.dealWithMultiJava(filesFound)
+
+  if (filesFound.length > 1 && pathWithFile) {
+    filesFound = filesFound.filter(i =>
+      Object.values(i)[0].includes(path.basename(config.fileName))
+    )
+  }
+
+  // files found looks like [ { javascript: [ Array ] } ]
+  //check we have the language and call the right analyser
+  let messageToSend = undefined
+  if (filesFound.length === 1) {
+    switch (Object.keys(filesFound[0])[0]) {
+      case JAVA:
+        config.language = JAVA
+
+        if (config.mode === 'repo') {
+          try {
+            return repoMode.buildRepo(config, filesFound[0])
+          } catch (e) {
+            throw new Error(
+              'Unable to build in repository mode. Check your project file'
+            )
+          }
+        } else {
+          messageToSend = await javaAnalysis.javaAnalysis(config, filesFound[0])
+        }
+        break
+      case JAVASCRIPT:
+        messageToSend = await jsAnalysis.jsAnalysis(config, filesFound[0])
+        config.language = NODE
+        break
+      case PYTHON:
+        messageToSend = pythonAnalysis(config, filesFound[0])
+        config.language = PYTHON
+        break
+      case RUBY:
+        messageToSend = rubyAnalysis(config, filesFound[0])
+        config.language = RUBY
+        break
+      case PHP:
+        messageToSend = phpAnalysis(config, filesFound[0])
+        config.language = PHP
+        break
+      case GO:
+        messageToSend = goAnalysis(config, filesFound[0])
+        config.language = GO
+        break
+      case DOTNET:
+        if (config.experimental) {
+          console.log(
+            `${chalk.bold(
+              '\n.NET project found\n'
+            )} Language type is unsupported.`
+          )
+          return
+        } else {
+          messageToSend = dotNetAnalysis(config, filesFound[0])
+          config.language = DOTNET
+          break
+        }
+      default:
+        //something is wrong
+        console.log('No supported language detected in project path')
+        return
+    }
+
+    if (!config.applicationId) {
+      config.applicationId = await auditController.dealWithNoAppId(config)
+    }
+
+    if (config.experimental) {
+      console.log('') //empty log for space before spinner
+      const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
+      startSpinner(reportSpinner)
+      const { reportArray, reportId } = await scaUpload.scaTreeUpload(
+        messageToSend,
+        config
+      )
+
+      const reportModelLibraryList =
+        convertGenericToTypedReportModelSca(reportArray)
+      auditReport.processAuditReport(config, reportModelLibraryList)
+      succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
+
+      if (config.save !== undefined) {
+        await auditSave.auditSave(config, reportId)
+      } else {
+        console.log('Use contrast audit --save to generate an SBOM')
+      }
+
+      const endTime = performance.now() - startTime
+      const scanDurationMs = endTime - startTime
+      console.log(
+        `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
+      )
+    } else {
+      console.log('') //empty log for space before spinner
+      //send message to TS
+      const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
+      startSpinner(reportSpinner)
+      const snapshotResponse = await treeUpload.commonSendSnapShot(
+        messageToSend,
+        config
+      )
+
+      // poll for completion
+      await pollForSnapshotCompletion(
+        config,
+        snapshotResponse.id,
+        reportSpinner
+      )
+      succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
+
+      await vulnerabilityReportV2(config, snapshotResponse.id)
+      if (config.save !== undefined) {
+        await auditSave.auditSave(config)
+      } else {
+        console.log('\nUse contrast audit --save to generate an SBOM')
+      }
+      const endTime = performance.now() - startTime
+      const scanDurationMs = endTime - startTime
+
+      console.log(
+        `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
+      )
+    }
+  } else {
+    if (filesFound.length === 0) {
+      console.log(i18n.__('languageAnalysisNoLanguage'))
+      console.log(i18n.__('languageAnalysisNoLanguageHelpLine'))
+      throw new Error()
+    } else {
+      console.log(chalk.bold(`\nMultiple language files detected \n`))
+      filesFound.forEach(file => {
+        console.log(`${Object.keys(file)[0]} : `, Object.values(file)[0])
+      })
+      throw new Error(
+        `Please use --file to audit one language only. \nExample: contrast audit --file package-lock.json`
+      )
+    }
+  }
+}
+
+module.exports = {
+  processSca
+}

package/src/scan/autoDetection.js

@@ -1,8 +1,8 @@
 const i18n = require('i18n')
 const fileFinder = require('./fileUtils')
 
-const autoDetectFingerprintInfo = async filePath => {
-  let complexObj = await fileFinder.findAllFiles(filePath)
+const autoDetectFingerprintInfo = async (filePath, depth) => {
+  let complexObj = await fileFinder.findAllFiles(filePath, depth)
   let result = []
   let count = 0
   complexObj.forEach(i => {

package/src/scan/fileUtils.js

@@ -11,7 +11,7 @@ const findFile = async () => {
   })
 }
 
-const findAllFiles = async filePath => {
+const findAllFiles = async (filePath, depth = 2) => {
   const result = await fg(
     [
       '**/pom.xml',
@@ -25,7 +25,7 @@ const findAllFiles = async filePath => {
     ],
     {
       dot: false,
-      deep: 2,
+      deep: depth,
       onlyFiles: true,
       absolute: true,
       cwd: filePath ? filePath : process.cwd()

package/src/scan/help.js

@@ -4,6 +4,9 @@ const constants = require('../cliConstants')
 const { commonHelpLinks } = require('../common/commonHelp')
 
 const scanUsageGuide = commandLineUsage([
+  {
+    header: i18n.__('constantsHeader')
+  },
   {
     header: i18n.__('scanHeader')
   },
@@ -44,7 +47,8 @@ const scanUsageGuide = commandLineUsage([
       constants.commandLineDefinitions.scanAdvancedOptionDefinitionsForHelp
   },
   commonHelpLinks()[0],
-  commonHelpLinks()[1]
+  commonHelpLinks()[1],
+  commonHelpLinks()[2]
 ])
 
 module.exports = {

package/src/utils/settingsHelper.js

@@ -12,9 +12,9 @@ const getSettings = async config => {
 const isSCAServicesAvailable = async config => {
   const client = commonApi.getHttpClient(config)
   return client
-    .scaServiceIngests(config)
+    .scaServiceHealth(config)
     .then(res => {
-      return res.statusCode !== 403
+      return res.body.status === 'UP'
     })
     .catch(err => {
       console.log(err)

package/dist/commands/scan/sca/scaAnalysis.js

@@ -1,157 +0,0 @@
-"use strict";
-const { supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET } } = require('../../../constants/constants');
-const { pollForSnapshotCompletion } = require('../../../audit/languageAnalysisEngine/sendSnapshot');
-const { returnOra, startSpinner, succeedSpinner } = require('../../../utils/oraWrapper');
-const { vulnerabilityReportV2 } = require('../../../audit/report/reportingFeature');
-const autoDetection = require('../../../scan/autoDetection');
-const treeUpload = require('../../../scaAnalysis/common/treeUpload');
-const auditController = require('../../audit/auditController');
-const rootFile = require('../../../audit/languageAnalysisEngine/getProjectRootFilenames');
-const path = require('path');
-const i18n = require('i18n');
-const auditSave = require('../../../audit/save');
-const { auditUsageGuide } = require('../../audit/help');
-const repoMode = require('../../../scaAnalysis/repoMode/index');
-const { dotNetAnalysis } = require('../../../scaAnalysis/dotnet');
-const { goAnalysis } = require('../../../scaAnalysis/go/goAnalysis');
-const { phpAnalysis } = require('../../../scaAnalysis/php/index');
-const { rubyAnalysis } = require('../../../scaAnalysis/ruby');
-const { pythonAnalysis } = require('../../../scaAnalysis/python');
-const javaAnalysis = require('../../../scaAnalysis/java');
-const jsAnalysis = require('../../../scaAnalysis/javascript');
-const auditReport = require('../../../scaAnalysis/common/auditReport');
-const scaUpload = require('../../../scaAnalysis/common/scaServicesUpload');
-const settingsHelper = require('../../../utils/settingsHelper');
-const chalk = require('chalk');
-const saveResults = require('../../../scan/saveResults');
-const { convertGenericToTypedReportModelSca } = require('../../../scaAnalysis/common/utils/reportUtilsSca');
-const processSca = async (config) => {
-    config = await settingsHelper.getSettings(config);
-    const startTime = performance.now();
-    let filesFound;
-    if (config.help) {
-        console.log(auditUsageGuide);
-        process.exit(0);
-    }
-    const projectStats = await rootFile.getProjectStats(config.file);
-    let pathWithFile = projectStats.isFile();
-    config.fileName = config.file;
-    config.file = pathWithFile
-        ? rootFile.getDirectoryFromPathGiven(config.file).concat('/')
-        : config.file;
-    if (config.fingerprint && config.experimental) {
-        let fingerprint = await autoDetection.autoDetectFingerprintInfo(config.file);
-        let idArray = fingerprint.map(x => x.id);
-        await saveResults.writeResultsToFile(fingerprint, 'fingerPrintInfo.json');
-        console.log(idArray);
-    }
-    else {
-        filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config.file);
-        autoDetection.dealWithMultiJava(filesFound);
-        if (filesFound.length > 1 && pathWithFile) {
-            filesFound = filesFound.filter(i => Object.values(i)[0].includes(path.basename(config.fileName)));
-        }
-        let messageToSend = undefined;
-        if (filesFound.length === 1) {
-            switch (Object.keys(filesFound[0])[0]) {
-                case JAVA:
-                    config.language = JAVA;
-                    if (config.mode === 'repo') {
-                        try {
-                            return repoMode.buildRepo(config, filesFound[0]);
-                        }
-                        catch (e) {
-                            throw new Error('Unable to build in repository mode. Check your project file');
-                        }
-                    }
-                    else {
-                        messageToSend = await javaAnalysis.javaAnalysis(config, filesFound[0]);
-                    }
-                    break;
-                case JAVASCRIPT:
-                    messageToSend = await jsAnalysis.jsAnalysis(config, filesFound[0]);
-                    config.language = NODE;
-                    break;
-                case PYTHON:
-                    messageToSend = pythonAnalysis(config, filesFound[0]);
-                    config.language = PYTHON;
-                    break;
-                case RUBY:
-                    messageToSend = rubyAnalysis(config, filesFound[0]);
-                    config.language = RUBY;
-                    break;
-                case PHP:
-                    messageToSend = phpAnalysis(config, filesFound[0]);
-                    config.language = PHP;
-                    break;
-                case GO:
-                    messageToSend = goAnalysis(config, filesFound[0]);
-                    config.language = GO;
-                    break;
-                case DOTNET:
-                    messageToSend = dotNetAnalysis(config, filesFound[0]);
-                    config.language = DOTNET;
-                    break;
-                default:
-                    console.log('No supported language detected in project path');
-                    return;
-            }
-            if (!config.applicationId) {
-                config.applicationId = await auditController.dealWithNoAppId(config);
-            }
-            if (config.experimental) {
-                console.log('');
-                const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'));
-                startSpinner(reportSpinner);
-                const { reportArray, reportId } = await scaUpload.scaTreeUpload(messageToSend, config);
-                const reportModelLibraryList = convertGenericToTypedReportModelSca(reportArray);
-                auditReport.processAuditReport(config, reportModelLibraryList);
-                succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'));
-                if (config.save !== undefined) {
-                    await auditSave.auditSave(config, reportId);
-                }
-                else {
-                    console.log('Use contrast audit --save to generate an SBOM');
-                }
-                const endTime = performance.now() - startTime;
-                const scanDurationMs = endTime - startTime;
-                console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`);
-            }
-            else {
-                console.log('');
-                const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'));
-                startSpinner(reportSpinner);
-                const snapshotResponse = await treeUpload.commonSendSnapShot(messageToSend, config);
-                await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner);
-                succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'));
-                await vulnerabilityReportV2(config, snapshotResponse.id);
-                if (config.save !== undefined) {
-                    await auditSave.auditSave(config);
-                }
-                else {
-                    console.log('\nUse contrast audit --save to generate an SBOM');
-                }
-                const endTime = performance.now() - startTime;
-                const scanDurationMs = endTime - startTime;
-                console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`);
-            }
-        }
-        else {
-            if (filesFound.length === 0) {
-                console.log(i18n.__('languageAnalysisNoLanguage'));
-                console.log(i18n.__('languageAnalysisNoLanguageHelpLine'));
-                throw new Error();
-            }
-            else {
-                console.log(chalk.bold(`\nMultiple language files detected \n`));
-                filesFound.forEach(file => {
-                    console.log(`${Object.keys(file)[0]} : `, Object.values(file)[0]);
-                });
-                throw new Error(`Please use --file to audit one language only. \nExample: contrast audit --file package-lock.json`);
-            }
-        }
-    }
-};
-module.exports = {
-    processSca
-};