@contrast/contrast 1.0.21 → 1.0.23

package/dist/audit/report/commonReportingFunctions.js

@@ -122,7 +122,7 @@ function buildHeader(highestSeverity, contrastHeaderNum, libraryName, version, n
 function buildBody(cveArray, advice) {
     const orderedCvesWithSeverityAssigned = orderByHighestPriority(cveArray.map(cve => findCVESeverity(cve)));
     const issueMessage = getIssueRow(orderedCvesWithSeverityAssigned);
-    const minOrMax = advice.maximum ? advice.maximum : advice.minimum;
+    const minOrMax = advice.minimum ? advice.minimum : advice.maximum;
     const displayAdvice = minOrMax
         ? `Change to version ${chalk.bold(minOrMax)}`
         : 'No recommendation is available according to our data. Upgrade to the latest stable is the best advice we can give.';

package/dist/audit/save.js

@@ -19,18 +19,24 @@ async function auditSave(config, reportId) {
             break;
     }
     if (fileFormat) {
-        if (config.experimental) {
-            save.saveFile(config, fileFormat, await sbom.generateSCASbom(config, fileFormat, reportId));
+        if (config.legacy === false) {
+            const sbomResponse = await sbom.generateSCASbom(config, fileFormat, reportId);
+            if (sbomResponse) {
+                save.saveFile(config, fileFormat, sbomResponse);
+            }
         }
         else {
-            save.saveFile(config, fileFormat, await sbom.generateSbom(config, fileFormat));
+            const sbomResponse = await sbom.generateSbom(config, fileFormat);
+            if (sbomResponse) {
+                save.saveFile(config, fileFormat, sbomResponse);
+            }
         }
         const filename = `${config.applicationId}-sbom-${fileFormat}.json`;
         if (fs.existsSync(filename)) {
             console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`);
         }
         else {
-            console.log(chalk.yellow.bold(`\n Unable to save ${filename} Software Bill of Materials (SBOM)`));
+            console.log(chalk.yellow.bold(`\nUnable to save ${filename} Software Bill of Materials (SBOM)`));
         }
     }
     else {

package/dist/cliConstants.js

@@ -186,6 +186,7 @@ const scanOptionDefinitions = [
 ];
 const authOptionDefinitions = [
     ...sharedConnectionOptionDefinitions,
+    ...sharedCertOptionDefinitions,
     {
         name: 'help',
         alias: 'h',
@@ -378,11 +379,11 @@ const mainUsageGuide = commandLineUsage([
         header: i18n.__('constantsCommands'),
         content: [
             { name: i18n.__('authName'), summary: i18n.__('helpAuthSummary') },
+            { name: i18n.__('configName'), summary: i18n.__('helpConfigSummary') },
+            { name: i18n.__('versionName'), summary: i18n.__('helpVersionSummary') },
+            { name: i18n.__('auditName'), summary: i18n.__('helpAuditSummary') },
             { name: i18n.__('scanName'), summary: i18n.__('helpScanSummary') },
             { name: i18n.__('lambdaName'), summary: i18n.__('helpLambdaSummary') },
-            { name: i18n.__('auditName'), summary: i18n.__('helpAuditSummary') },
-            { name: i18n.__('versionName'), summary: i18n.__('helpVersionSummary') },
-            { name: i18n.__('configName'), summary: i18n.__('helpConfigSummary') },
             { name: i18n.__('helpName'), summary: i18n.__('helpSummary') },
             { name: i18n.__('learnName'), summary: i18n.__('helpLearnSummary') }
         ]

package/dist/commands/audit/help.js

@@ -4,6 +4,9 @@ const i18n = require('i18n');
 const constants = require('../../cliConstants');
 const { commonHelpLinks } = require('../../common/commonHelp');
 const auditUsageGuide = commandLineUsage([
+    {
+        header: i18n.__('constantsHeader')
+    },
     {
         header: i18n.__('auditHeader'),
         content: [i18n.__('auditHeaderMessage')]
@@ -48,7 +51,6 @@ const auditUsageGuide = commandLineUsage([
             'code',
             'maven-settings-path',
             'language',
-            'experimental',
             'app-groups',
             'metadata',
             'track',

package/dist/commands/audit/processAudit.js

@@ -9,7 +9,7 @@ const processAudit = async (contrastConf, argvMain) => {
         printHelpMessage();
         process.exit(0);
     }
-    const config = await auditConfig.getAuditConfig(contrastConf, 'audit', argvMain);
+    let config = await auditConfig.getAuditConfig(contrastConf, 'audit', argvMain);
     await scaController.processSca(config);
     if (!config.fingerprint) {
         postRunMessage('audit');

package/dist/commands/auth/auth.js

@@ -81,6 +81,11 @@ const authUsageGuide = commandLineUsage([
     {
         header: i18n.__('constantsAuthUsageHeader'),
         content: [i18n.__('constantsAuthUsageContents')]
+    },
+    {
+        header: i18n.__('constantsAdvancedOptions'),
+        optionList: constants.commandLineDefinitions.authOptionDefinitions,
+        hide: ['organization-id', 'api-key', 'authorization', 'host']
     }
 ]);
 const checkForCustomCredentials = authParams => {

package/dist/commands/learn/processLearn.js

@@ -1,7 +1,7 @@
 "use strict";
 const { openLearnPage } = require('./learn');
 async function processLearn() {
-    console.log('Opening develop central...');
+    console.log('Opening Contrast’s Secure Code Learning Hub...');
     console.log('If the page does not open you can open it directly via https://www.contrastsecurity.com/developer/learn');
     return openLearnPage();
 }

package/dist/common/HTTPClient.js

@@ -191,6 +191,12 @@ HTTPClient.prototype.scaServiceIngests = function scaServiceIngests(config) {
     options.url = url;
     return requestUtils.sendRequest({ method: 'get', options });
 };
+HTTPClient.prototype.scaServiceHealth = function scaServiceIngests(config) {
+    const options = _.cloneDeep(this.requestOptions);
+    let url = createScaServiceHealthURL(config);
+    options.url = url;
+    return requestUtils.sendRequest({ method: 'get', options });
+};
 HTTPClient.prototype.getReportById = function getReportById(config, reportId) {
     const options = _.cloneDeep(this.requestOptions);
     if (config.ignoreDev) {
@@ -342,6 +348,9 @@ function createScaServiceReportStatusURL(config, reportId) {
 function createScaServiceIngestsURL(config) {
     return `${config.host}/Contrast/api/sca/organizations/${config.organizationId}/applications/${config.applicationId}/libraries/ingests`;
 }
+function createScaServiceHealthURL(config) {
+    return `${config.host}/Contrast/api/sca/organizations/${config.organizationId}/health`;
+}
 function createScaServiceIngestURL(config) {
     let baseUrl = `${config.host}/Contrast/api/sca/organizations/${config.organizationId}/applications/${config.applicationId}/libraries/ingests/tree`;
     baseUrl = config.track ? baseUrl.concat('?persist=true') : baseUrl;

package/dist/constants/constants.js

@@ -12,7 +12,7 @@ const MEDIUM = 'MEDIUM';
 const HIGH = 'HIGH';
 const CRITICAL = 'CRITICAL';
 const APP_NAME = 'contrast';
-const APP_VERSION = '1.0.21';
+const APP_VERSION = '1.0.23';
 const TIMEOUT = 120000;
 const HIGH_COLOUR = '#ff9900';
 const CRITICAL_COLOUR = '#e35858';

package/dist/constants/lambda.js

@@ -48,6 +48,7 @@ const lambda = {
     internal_error: 'Internal error',
     inactive_account: 'Scanning a function of an inactive account is not supported',
     not_supported_runtime: 'Scanning resource of runtime "{{runtime}}" is not supported.\nSupported runtimes: {{supportedRuntimes}}',
+    not_supported_lambda: 'This function cannot be scanned',
     not_supported_onboard_account: 'Scanning a function of onboard account is not supported',
     scan_lock: 'Other scan is still running. Please wait until the previous scan finishes',
     unsupported: 'unsupported',

package/dist/constants/locales.js

@@ -1,6 +1,7 @@
 "use strict";
 const { lambda } = require('./lambda');
 const chalk = require('chalk');
+const { APP_VERSION } = require('./constants');
 const en_locales = () => {
     return {
         snapshotFailureHeader: 'FAIL',
@@ -52,7 +53,7 @@ const en_locales = () => {
         failThresholdOptionErrorMessage: 'More than 0 vulnerabilities found',
         failSeverityOptionErrorMessage: ' FAIL - Results detected vulnerabilities over accepted severity level',
         constantsSeverity: 'Use with "contrast scan --fail --severity high" or "contrast audit --fail --severity high". Set the severity level to detect vulnerabilities or dependencies. Severity levels are critical, high, medium, low or note.',
-        constantsHeader: 'Contrast CLI',
+        constantsHeader: `Contrast CLI @ v${APP_VERSION}`,
         configHeader2: 'Config options',
         clearHeader: '-c, --clear',
         clearContent: 'Removes stored credentials',
@@ -107,10 +108,10 @@ const en_locales = () => {
         genericServiceError: 'returned with status code %s',
         permissionsError: 'You do not have the correct permissions here. \n Contact support@contrastsecurity.com to get this fixed.',
         scanErrorFileMessage: 'We only accept the following file types: \nJava - .jar, .war \nJavaScript - .js or .zip files',
-        helpAuthSummary: 'Authenticate Contrast using your Github or Google account',
-        helpAuditSummary: 'Searches for a suitable file in the working directory to perform a security audit of dependencies and returns the results. [Contrast audit --help (for options).]',
-        helpScanSummary: 'Searches for a .jar, .war, .js, or .zip file in the working directory, uploads files for analysis, and returns the results. [For further help/options, enter scan --help]',
-        helpLambdaSummary: 'Performs a static security scan on an AWS lambda function. lambda --help (for options)',
+        helpAuthSummary: 'Authenticate Contrast using your Github or Google account OR include credentials if you are an existing licensed Contrast user.',
+        helpAuditSummary: 'Searches for a suitable file in the working directory to perform a security audit of dependencies and returns the results. \n[audit --help for options] Java, .NET, Node, Ruby, Python, Go, PHP are supported. ',
+        helpScanSummary: 'Searches for a .jar, .war, .js, or .zip file in the working directory, uploads files for analysis, and returns the results. \n[scan --help for options] Java, .NET, .NET Core, JavaScript are supported. ',
+        helpLambdaSummary: 'Performs a static security scan on an AWS lambda function. [lambda --help for options] AWS Lambda - Java & Python are supported. ',
         helpVersionSummary: 'Displays version of Contrast CLI',
         helpConfigSummary: 'Displays stored credentials',
         helpSummary: 'Displays usage guide',
@@ -122,7 +123,7 @@ const en_locales = () => {
         configName: 'config',
         helpName: 'help',
         learnName: 'learn',
-        helpLearnSummary: 'launches Contrast’s Secure Code Learning Hub.',
+        helpLearnSummary: 'Launches Contrast’s Secure Code Learning Hub.',
         fingerprintName: 'assess repo to see how many languages it can detect. For use in pipeline only.',
         depthOption: 'can set how deep in the file system the cli looks for language files',
         scanOptionsLanguageSummary: 'Valid values are JAVA, JAVASCRIPT and DOTNET',
@@ -140,7 +141,7 @@ const en_locales = () => {
             chalk.bold('\ncontrast audit') +
             ' to find vulnerabilities in your open source dependencies.' +
             '\nSupports Java, .NET, Node, Ruby, Python, Go and PHP.' +
-            '\nOur CLI runs native build tools to generate a complete dependency tree.' +
+            '\n\nOur CLI runs native build tools to generate a complete dependency tree.' +
             '\nIf you are running on untrusted code, consider running in a sandbox.\n' +
             chalk.bold('\ncontrast lambda') +
             ' to secure your AWS serverless functions. \nSupports Java and Python \n' +
@@ -152,7 +153,7 @@ const en_locales = () => {
         foundDetailedVulnerabilities: chalk.bold('%s') + ' | ' + chalk.bold('%s') + ' | %s | %s | %s ',
         searchingScanFileDirectory: 'Searching for file to scan from %s...',
         searchingAuditFileDirectory: 'Searching for package manager files from %s...',
-        scanHeader: 'Contrast Scan CLI',
+        scanHeader: `Contrast Scan CLI`,
         authHeader: 'Auth',
         lambdaHeader: 'Contrast Lambda CLI',
         lambdaSummary: 'Performs static security scan on an AWS Lambda Function.\nProduces CVE (Vulnerable Dependencies) and Least Privilege violations/remediation results.',
@@ -183,7 +184,7 @@ const en_locales = () => {
         connectionError: 'An error has occurred when trying to get the Project Id please check your internet connection or provide the Project Id manually',
         internalServerErrorHeader: '500 error - Internal server error',
         resourceLockedErrorHeader: '423 error - Resource is locked',
-        auditHeader: 'Contrast audit help',
+        auditHeader: 'Contrast Audit CLI',
         auditHeaderMessage: "Use 'contrast audit' to analyze a project’s dependencies for vulnerabilities.",
         constantsAuditPrerequisitesContentSupportedLanguages: 'Supported languages and their requirements are:',
         constantsAuditPrerequisitesJavaContentMessage: `
@@ -224,14 +225,14 @@ const en_locales = () => {
         commonHelpLearnMoreEnterpriseText: ' https://docs.contrastsecurity.com/en/run-contrast-cli.html ',
         commonHelpJoinDiscussionHeader: chalk.hex('#9DC184')('Join the discussion:'),
         commonHelpJoinDiscussionText: ' https://www.contrastsecurity.com/developer/community',
-        commonHelpLearnHeader: chalk.hex('#ffe599')('\rWant to UP your game?') +
+        commonHelpLearnHeader: chalk.hex('#ffe599')('\r  Want to UP your game?') +
             " type 'contrast learn'",
-        commonHelpLearnText: `\n🎓 Advance your security knowledge and become an ${chalk.hex('#ffd966')('All-star coder')} ⭐  with ${chalk.bold('Contrast Secure Code Learning Hub.')} 😺`,
+        commonHelpLearnText: `\n💰 Advance your security knowledge and become an ${chalk.hex('#ffd966')('All-star coder')} ⭐  with ${chalk.bold('Contrast Secure Code Learning Hub.')} 😺`,
         authCommand: {
             credentialsAccepted: {
-                title: 'Credentials accepted',
-                body: 'Now run contrast audit, lambda or scan',
-                extra: 'Or contrast help for full list of commands'
+                title: '✔ Credentials successfully saved',
+                body: `\n${chalk.bold('Contrast CLI')}`,
+                extra: 'Scan, secure and ship your code in minutes.'
             },
             credentialsMissing: {
                 title: 'Credentials missing',

package/dist/lambda/help.js

@@ -8,6 +8,9 @@ const command_line_usage_1 = __importDefault(require("command-line-usage"));
 const i18n_1 = __importDefault(require("i18n"));
 const commonHelp_1 = require("../common/commonHelp");
 const lambdaUsageGuide = (0, command_line_usage_1.default)([
+    {
+        header: i18n_1.default.__('constantsHeader')
+    },
     {
         header: i18n_1.default.__('lambdaHeader'),
         content: [i18n_1.default.__('lambdaSummary')]

package/dist/lambda/scanRequest.js

@@ -14,7 +14,9 @@ const commonApi_1 = require("../utils/commonApi");
 const logUtils_1 = require("./logUtils");
 const cliError_1 = require("./cliError");
 const constants_1 = require("./constants");
-const sendScanPostRequest = async (config, params, functionsEvent, showProgress = false) => {
+const requestUtils_1 = require("../utils/requestUtils");
+const MAX_RETRIES = 2;
+const sendScanPostRequest = async (config, params, functionsEvent, showProgress = false, retryNumber = 0) => {
     const client = (0, commonApi_1.getHttpClient)(config);
     if (showProgress) {
         (0, logUtils_1.log)(i18n_1.default.__('sendingScanRequest', { icon: log_symbols_1.default.success }));
@@ -38,6 +40,15 @@ const sendScanPostRequest = async (config, params, functionsEvent, showProgress
             });
             errorCode = false;
             break;
+        case 'not_supported_lambda':
+            description = i18n_1.default.__(errorCode);
+            errorCode = false;
+            break;
+        default:
+            if (retryNumber < MAX_RETRIES) {
+                await (0, requestUtils_1.sleep)(3 * 1000);
+                return sendScanPostRequest(config, params, functionsEvent, showProgress, retryNumber + 1);
+            }
     }
     throw new cliError_1.CliError(constants_1.ERRORS.FAILED_TO_START_SCAN, {
         statusCode,

package/dist/sbom/generateSbom.js

@@ -10,8 +10,14 @@ const generateSbom = (config, type) => {
         if (res.statusCode === 200) {
             return res.body;
         }
+        else if (res.statusCode === 403) {
+            console.log('\nUnable to retrieve Software Bill of Materials (SBOM)');
+            console.log(`Please ensure OSS is enabled for your organization - org-id ${config.organizationId} and app ${config.applicationId}`);
+            return undefined;
+        }
         else {
             console.log('Unable to retrieve Software Bill of Materials (SBOM)');
+            return undefined;
         }
     })
         .catch((err) => {
@@ -29,6 +35,7 @@ const generateSCASbom = (config, type, reportId) => {
         }
         else {
             console.log('Unable to retrieve Software Bill of Materials (SBOM)');
+            return undefined;
         }
     })
         .catch((err) => {

package/dist/scaAnalysis/common/commonReportingFunctionsSca.js

@@ -104,9 +104,9 @@ function getIssueRow(cveArray) {
     return [chalk.bold('Issue'), ':', `${cveMessagesList.join(', ')}`];
 }
 function getAdviceRow(advice) {
-    const latestOrClosest = advice.latestStableVersion
-        ? advice.latestStableVersion
-        : advice.closestStableVersion;
+    const latestOrClosest = advice.closestStableVersion
+        ? advice.closestStableVersion
+        : advice.latestStableVersion;
     const displayAdvice = latestOrClosest
         ? `Change to version ${chalk.bold(latestOrClosest)}`
         : 'No recommendation is available according to our data. Upgrade to the latest stable is the best advice we can give.';

package/dist/scaAnalysis/common/treeUpload.js

@@ -3,13 +3,11 @@ const commonApi = require('../../utils/commonApi');
 const { APP_VERSION } = require('../../constants/constants');
 const commonSendSnapShot = async (analysis, config) => {
     let requestBody = {};
-    config.experimental === true
-        ? (requestBody = sendToSCAServices(config, analysis))
-        : (requestBody = {
-            appID: config.applicationId,
-            cliVersion: APP_VERSION,
-            snapshot: analysis
-        });
+    requestBody = {
+        appID: config.applicationId,
+        cliVersion: APP_VERSION,
+        snapshot: analysis
+    };
     const client = commonApi.getHttpClient(config);
     return client
         .sendSnapshot(requestBody, config)
@@ -18,6 +16,9 @@ const commonSendSnapShot = async (analysis, config) => {
             return res.body;
         }
         else {
+            if (res.statusCode === 403) {
+                throw new Error(`🛑 Contrast audit failed \nPlease check you have the right permissions and the application ${config.applicationName ? config.applicationName : ''} has not been archived.`.replace(/ +(?= )/g, ''));
+            }
             throw new Error(res.statusCode + ` error processing dependencies`);
         }
     })
@@ -25,18 +26,6 @@ const commonSendSnapShot = async (analysis, config) => {
         throw err;
     });
 };
-const sendToSCAServices = (config, analysis) => {
-    return {
-        applicationId: config.applicationId,
-        dependencyTree: analysis,
-        organizationId: config.organizationId,
-        language: config.language,
-        tool: {
-            name: 'Contrast Codesec',
-            version: APP_VERSION
-        }
-    };
-};
 module.exports = {
     commonSendSnapShot
 };

package/dist/scaAnalysis/go/goAnalysis.js

@@ -7,12 +7,7 @@ const goAnalysis = config => {
     try {
         const rawGoDependencies = goReadDepFile.getGoDependencies(config);
         const parsedGoDependencies = goParseDeps.parseGoDependencies(rawGoDependencies);
-        if (config.experimental) {
-            return parseDependenciesForSCAServices(parsedGoDependencies);
-        }
-        else {
-            return createGoTSMessage(parsedGoDependencies);
-        }
+        return createGoTSMessage(parsedGoDependencies);
     }
     catch (e) {
         console.log(e.message.toString());

package/dist/scaAnalysis/java/analysis.js

@@ -4,8 +4,6 @@ const spawn = require('cross-spawn');
 const path = require('path');
 const i18n = require('i18n');
 const fs = require('fs');
-const readLine = require('readline');
-const paramHandler = require('../../utils/paramsUtil/paramHandler');
 const MAVEN = 'maven';
 const GRADLE = 'gradle';
 const determineProjectTypeAndCwd = (files, config) => {
@@ -25,26 +23,25 @@ const determineProjectTypeAndCwd = (files, config) => {
     return projectData;
 };
 const buildMaven = (config, projectData, timeout) => {
-    let cmdStdout;
-    try {
-        let command = 'mvn';
-        let args = ['dependency:tree', '-B'];
-        if (config.mavenSettingsPath) {
-            args.push('-s');
-            args.push(config.mavenSettingsPath);
-        }
-        cmdStdout = spawn
-            .sync(command, args, {
-            env: process.env,
-            cwd: projectData.cwd,
-            timeout
-        })
-            .stdout.toString();
-        return cmdStdout.toString();
+    let command = 'mvn';
+    let args = ['dependency:tree', '-B'];
+    if (config.mavenSettingsPath) {
+        args.push('-s');
+        args.push(config.mavenSettingsPath);
     }
-    catch (err) {
-        throw new Error(i18n.__('mavenDependencyTreeNonZero', projectData.cwd, `${err.message}`));
+    const cmdDepTree = spawn.sync(command, args, {
+        env: process.env,
+        cwd: projectData.cwd,
+        timeout
+    });
+    if (cmdDepTree.status !== 0) {
+        if (config.debug && cmdDepTree.error.code === 'ENOENT') {
+            console.log(`ERROR: mvn not found`);
+            console.log('Please make sure mvn is installed and accessible');
+        }
+        throw new Error(i18n.__('mavenDependencyTreeNonZero', projectData.cwd));
     }
+    return cmdDepTree.stdout.toString();
 };
 const buildGradle = (config, projectData, timeout) => {
     let cmdStdout;
@@ -96,20 +93,15 @@ const getJavaBuildDeps = (config, files) => {
         mvnDependancyTreeOutput: undefined,
         projectType: undefined
     };
-    try {
-        const projectData = determineProjectTypeAndCwd(files, config);
-        if (projectData.projectType === MAVEN) {
-            output.mvnDependancyTreeOutput = buildMaven(config, projectData, timeout);
-        }
-        else if (projectData.projectType === GRADLE) {
-            output.mvnDependancyTreeOutput = buildGradle(config, projectData, timeout);
-        }
-        output.projectType = projectData.projectType;
-        return output;
+    const projectData = determineProjectTypeAndCwd(files, config);
+    if (projectData.projectType === MAVEN) {
+        output.mvnDependancyTreeOutput = buildMaven(config, projectData, timeout);
     }
-    catch (err) {
-        console.log(err.message.toString());
+    else if (projectData.projectType === GRADLE) {
+        output.mvnDependancyTreeOutput = buildGradle(config, projectData, timeout);
     }
+    output.projectType = projectData.projectType;
+    return output;
 };
 module.exports = {
     getJavaBuildDeps,

package/dist/scaAnalysis/java/index.js

@@ -8,12 +8,7 @@ const javaAnalysis = async (config, languageFiles) => {
         file.replace('build.gradle.kts', 'build.gradle');
     });
     const javaDeps = buildJavaTree(config, languageFiles.JAVA);
-    if (config.experimental) {
-        return parseDependenciesForSCAServices(javaDeps);
-    }
-    else {
-        return createJavaTSMessage(javaDeps);
-    }
+    return createJavaTSMessage(javaDeps);
 };
 const buildJavaTree = (config, files) => {
     const javaBuildDeps = analysis.getJavaBuildDeps(config, files);

package/dist/scaAnalysis/javascript/analysis.js

@@ -32,46 +32,24 @@ const readYarn = async (config, languageFiles, nameOfFile) => {
         throw new Error(i18n.__('nodeReadYarnLockFileError') + `${err.message}`);
     }
 };
-const parseNpmLockFile = async (js) => {
+const parseNpmLockFile = async (npmLockFile) => {
     try {
-        js.npmLockFile = JSON.parse(js.rawLockFileContents);
-        if (js.npmLockFile && js.npmLockFile.lockfileVersion > 1) {
-            const listOfTopDep = Object.keys(js.npmLockFile.dependencies);
-            Object.entries(js.npmLockFile.dependencies).forEach(([objKey, value]) => {
-                if (value.requires) {
-                    const listOfRequiresDep = Object.keys(value.requires);
-                    listOfRequiresDep.forEach(dep => {
-                        if (!listOfTopDep.includes(dep)) {
-                            addDepToLockFile(js, value['requires'], dep);
-                        }
-                    });
-                }
-                if (value.dependencies) {
-                    Object.entries(value.dependencies).forEach(([objChildKey, childValue]) => {
-                        if (childValue.requires) {
-                            const listOfRequiresDep = Object.keys(childValue.requires);
-                            listOfRequiresDep.forEach(dep => {
-                                if (!listOfTopDep.includes(dep)) {
-                                    addDepToLockFile(js, childValue['requires'], dep);
-                                }
-                            });
-                        }
-                    });
-                }
-            });
-            return js.npmLockFile;
-        }
-        else {
-            return js.npmLockFile;
+        if (!npmLockFile.parsedPackages) {
+            npmLockFile.parsedPackages = {};
         }
+        Object.entries(npmLockFile.packages).forEach(([packageKey, packageValue]) => {
+            if (packageKey.includes('node_modules/')) {
+                packageKey = packageKey.replace(/(node_modules\/)+/g, '');
+            }
+            npmLockFile.parsedPackages[packageKey] = packageValue;
+        });
+        delete npmLockFile.parsedPackages[''];
+        return npmLockFile;
     }
     catch (err) {
         throw new Error(i18n.__('NodeParseNPM') + `${err.message}`);
     }
 };
-const addDepToLockFile = (js, depObj, key) => {
-    return (js.npmLockFile.dependencies[key] = { version: depObj[key] });
-};
 const parseYarnLockFile = async (js) => {
     try {
         js.yarn.yarnLockFile = {};

package/dist/scaAnalysis/javascript/index.js

@@ -13,9 +13,6 @@ const jsAnalysis = async (config, languageFiles) => {
 const buildNodeTree = async (config, files) => {
     let analysis = await readFiles(config, files);
     const rawNode = await parseFiles(config, files, analysis);
-    if (config.experimental) {
-        return scaServiceParser.parseJS(rawNode);
-    }
     return formatMessage.createJavaScriptTSMessage(rawNode);
 };
 const readFiles = async (config, files) => {
@@ -32,7 +29,20 @@ const readFiles = async (config, files) => {
 };
 const parseFiles = async (config, files, js) => {
     if (files.includes('package-lock.json')) {
-        js.npmLockFile = await analysis.parseNpmLockFile(js);
+        const npmLockFile = JSON.parse(js.rawLockFileContents);
+        const currentLockFileVersion = npmLockFile.lockfileVersion;
+        const generalRebuildMessage = '\nPlease update to Node 16+ & NPM 8+ or 9+ and then rebuild your package files.' +
+            '\nMore info here: https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json';
+        if (currentLockFileVersion === 1) {
+            throw new Error(`NPM lockfileVersion 1 is no longer supported. \n ${generalRebuildMessage}`);
+        }
+        if (!currentLockFileVersion || !npmLockFile.packages) {
+            throw new Error(`package-lock.json needs to be in the NPM v2 or v3 format. \n ${generalRebuildMessage}`);
+        }
+        if (currentLockFileVersion === 3) {
+            throw new Error(`NPM lockfileVersion 3 is only supported when using the '-e' flag.`);
+        }
+        js.npmLockFile = await analysis.parseNpmLockFile(npmLockFile);
     }
     if (files.includes('yarn.lock')) {
         js = await analysis.parseYarnLockFile(js);

package/dist/scaAnalysis/javascript/scaServiceParser.js

@@ -47,7 +47,7 @@ const chooseLockFile = rawNode => {
         return { lockFile: rawNode?.yarn?.yarnLockFile?.object, type: 'yarn' };
     }
     else if (rawNode.npmLockFile !== undefined) {
-        return { lockFile: rawNode?.npmLockFile?.dependencies, type: 'npm' };
+        return { lockFile: rawNode?.npmLockFile?.parsedPackages, type: 'npm' };
     }
     else {
         return undefined;
@@ -70,8 +70,8 @@ const createChildDependencies = (lockFileDep, currentDep) => {
 };
 const createNPMChildDependencies = (lockFileDep, currentDep) => {
     let depArray = [];
-    if (lockFileDep[currentDep]?.requires) {
-        for (const [key, value] of Object.entries(lockFileDep[currentDep]?.requires)) {
+    if (lockFileDep[currentDep]?.dependencies) {
+        for (const [key, value] of Object.entries(lockFileDep[currentDep]?.dependencies)) {
             depArray.push(key);
         }
     }

package/dist/scaAnalysis/php/index.js

@@ -1,16 +1,10 @@
 "use strict";
 const { readFile, parseProjectFiles } = require('./analysis');
 const { createPhpTSMessage } = require('../common/formatMessage');
-const { parsePHPLockFileForScaServices } = require('./phpNewServicesMapper');
 const phpAnalysis = config => {
     let analysis = readFiles(config);
-    if (config.experimental) {
-        return parsePHPLockFileForScaServices(analysis.rawLockFileContents);
-    }
-    else {
-        const phpDep = parseProjectFiles(analysis);
-        return createPhpTSMessage(phpDep);
-    }
+    const phpDep = parseProjectFiles(analysis);
+    return createPhpTSMessage(phpDep);
 };
 const readFiles = config => {
     let php = {};

package/dist/scaAnalysis/python/analysis.js

@@ -48,16 +48,10 @@ const checkForCorrectFiles = languageFiles => {
 };
 const getPythonDeps = (config, languageFiles) => {
     try {
-        if (config.experimental) {
-            let pythonLockFileContents = readLockFile(config.file);
-            return scaPythonParser(pythonLockFileContents);
-        }
-        else {
-            checkForCorrectFiles(languageFiles);
-            const parseProject = readAndParseProjectFile(config.file);
-            const parsePip = readAndParseLockFile(config.file);
-            return { pipfileLock: parsePip, pipfilDependanceies: parseProject };
-        }
+        checkForCorrectFiles(languageFiles);
+        const parseProject = readAndParseProjectFile(config.file);
+        const parsePip = readAndParseLockFile(config.file);
+        return { pipfileLock: parsePip, pipfilDependanceies: parseProject };
     }
     catch (err) {
         console.log(err.message.toString());