@contrast/contrast 1.0.21 → 1.0.23

package/src/scaAnalysis/java/analysis.js

@@ -3,8 +3,6 @@ const spawn = require('cross-spawn')
 const path = require('path')
 const i18n = require('i18n')
 const fs = require('fs')
-const readLine = require('readline')
-const paramHandler = require('../../utils/paramsUtil/paramHandler')
 
 const MAVEN = 'maven'
 const GRADLE = 'gradle'
@@ -31,30 +29,31 @@ const determineProjectTypeAndCwd = (files, config) => {
 }
 
 const buildMaven = (config, projectData, timeout) => {
-  let cmdStdout
-  try {
-    let command = 'mvn'
-    let args = ['dependency:tree', '-B']
-    if (config.mavenSettingsPath) {
-      args.push('-s')
-      args.push(config.mavenSettingsPath)
-    }
-    // Allow users to provide a custom location for their settings.xml
+  let command = 'mvn'
+  let args = ['dependency:tree', '-B']
+  if (config.mavenSettingsPath) {
+    args.push('-s')
+    args.push(config.mavenSettingsPath)
+  }
 
-    cmdStdout = spawn
-      .sync(command, args, {
-        env: process.env,
-        cwd: projectData.cwd,
-        timeout
-      })
-      .stdout.toString()
+  // Allow users to provide a custom location for their settings.xml
+  const cmdDepTree = spawn.sync(command, args, {
+    env: process.env,
+    cwd: projectData.cwd,
+    timeout
+  })
 
-    return cmdStdout.toString()
-  } catch (err) {
-    throw new Error(
-      i18n.__('mavenDependencyTreeNonZero', projectData.cwd, `${err.message}`)
-    )
+  if (cmdDepTree.status !== 0) {
+    //if maven not found
+    if (config.debug && cmdDepTree.error.code === 'ENOENT') {
+      console.log(`ERROR: mvn not found`)
+      console.log('Please make sure mvn is installed and accessible')
+    }
+
+    throw new Error(i18n.__('mavenDependencyTreeNonZero', projectData.cwd))
   }
+
+  return cmdDepTree.stdout.toString()
 }
 
 const buildGradle = (config, projectData, timeout) => {
@@ -133,18 +132,14 @@ const getJavaBuildDeps = (config, files) => {
     projectType: undefined
   }
 
-  try {
-    const projectData = determineProjectTypeAndCwd(files, config)
-    if (projectData.projectType === MAVEN) {
-      output.mvnDependancyTreeOutput = buildMaven(config, projectData, timeout)
-    } else if (projectData.projectType === GRADLE) {
-      output.mvnDependancyTreeOutput = buildGradle(config, projectData, timeout)
-    }
-    output.projectType = projectData.projectType
-    return output
-  } catch (err) {
-    console.log(err.message.toString())
+  const projectData = determineProjectTypeAndCwd(files, config)
+  if (projectData.projectType === MAVEN) {
+    output.mvnDependancyTreeOutput = buildMaven(config, projectData, timeout)
+  } else if (projectData.projectType === GRADLE) {
+    output.mvnDependancyTreeOutput = buildGradle(config, projectData, timeout)
   }
+  output.projectType = projectData.projectType
+  return output
 }
 
 module.exports = {

package/src/scaAnalysis/java/index.js

@@ -11,12 +11,7 @@ const javaAnalysis = async (config, languageFiles) => {
   })
 
   const javaDeps = buildJavaTree(config, languageFiles.JAVA)
-
-  if (config.experimental) {
-    return parseDependenciesForSCAServices(javaDeps)
-  } else {
-    return createJavaTSMessage(javaDeps)
-  }
+  return createJavaTSMessage(javaDeps)
 }
 
 const buildJavaTree = (config, files) => {

package/src/scaAnalysis/javascript/analysis.js

@@ -44,48 +44,33 @@ const readYarn = async (config, languageFiles, nameOfFile) => {
   }
 }
 
-const parseNpmLockFile = async js => {
+const parseNpmLockFile = async npmLockFile => {
   try {
-    js.npmLockFile = JSON.parse(js.rawLockFileContents)
-    if (js.npmLockFile && js.npmLockFile.lockfileVersion > 1) {
-      const listOfTopDep = Object.keys(js.npmLockFile.dependencies)
-      Object.entries(js.npmLockFile.dependencies).forEach(([objKey, value]) => {
-        if (value.requires) {
-          const listOfRequiresDep = Object.keys(value.requires)
-          listOfRequiresDep.forEach(dep => {
-            if (!listOfTopDep.includes(dep)) {
-              addDepToLockFile(js, value['requires'], dep)
-            }
-          })
-        }
+    if (!npmLockFile.parsedPackages) {
+      npmLockFile.parsedPackages = {}
+    }
 
-        if (value.dependencies) {
-          Object.entries(value.dependencies).forEach(
-            ([objChildKey, childValue]) => {
-              if (childValue.requires) {
-                const listOfRequiresDep = Object.keys(childValue.requires)
-                listOfRequiresDep.forEach(dep => {
-                  if (!listOfTopDep.includes(dep)) {
-                    addDepToLockFile(js, childValue['requires'], dep)
-                  }
-                })
-              }
-            }
-          )
+    Object.entries(npmLockFile.packages).forEach(
+      ([packageKey, packageValue]) => {
+        if (packageKey.includes('node_modules/')) {
+          //remove object keys node modules prefixing
+          //e.g: node_modules/@aws-amplify/datastore/node_modules/uuid --> @aws-amplify/datastore/uuid
+          packageKey = packageKey.replace(/(node_modules\/)+/g, '')
         }
-      })
-      return js.npmLockFile
-    } else {
-      return js.npmLockFile
-    }
+
+        npmLockFile.parsedPackages[packageKey] = packageValue
+      }
+    )
+
+    //remove base project package - unneeded
+    delete npmLockFile.parsedPackages['']
+
+    return npmLockFile
   } catch (err) {
     throw new Error(i18n.__('NodeParseNPM') + `${err.message}`)
   }
 }
 
-const addDepToLockFile = (js, depObj, key) => {
-  return (js.npmLockFile.dependencies[key] = { version: depObj[key] })
-}
 const parseYarnLockFile = async js => {
   try {
     js.yarn.yarnLockFile = {}

package/src/scaAnalysis/javascript/index.js

@@ -14,9 +14,6 @@ const jsAnalysis = async (config, languageFiles) => {
 const buildNodeTree = async (config, files) => {
   let analysis = await readFiles(config, files)
   const rawNode = await parseFiles(config, files, analysis)
-  if (config.experimental) {
-    return scaServiceParser.parseJS(rawNode)
-  }
   return formatMessage.createJavaScriptTSMessage(rawNode)
 }
 
@@ -44,8 +41,34 @@ const readFiles = async (config, files) => {
 
 const parseFiles = async (config, files, js) => {
   if (files.includes('package-lock.json')) {
-    js.npmLockFile = await analysis.parseNpmLockFile(js)
+    const npmLockFile = JSON.parse(js.rawLockFileContents)
+
+    const currentLockFileVersion = npmLockFile.lockfileVersion
+    const generalRebuildMessage =
+      '\nPlease update to Node 16+ & NPM 8+ or 9+ and then rebuild your package files.' +
+      '\nMore info here: https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json'
+
+    if (currentLockFileVersion === 1) {
+      throw new Error(
+        `NPM lockfileVersion 1 is no longer supported. \n ${generalRebuildMessage}`
+      )
+    }
+
+    if (!currentLockFileVersion || !npmLockFile.packages) {
+      throw new Error(
+        `package-lock.json needs to be in the NPM v2 or v3 format. \n ${generalRebuildMessage}`
+      )
+    }
+
+    if (currentLockFileVersion === 3) {
+      throw new Error(
+        `NPM lockfileVersion 3 is only supported when using the '-e' flag.`
+      )
+    }
+
+    js.npmLockFile = await analysis.parseNpmLockFile(npmLockFile)
   }
+
   if (files.includes('yarn.lock')) {
     js = await analysis.parseYarnLockFile(js)
   }

package/src/scaAnalysis/javascript/scaServiceParser.js

@@ -77,7 +77,7 @@ const chooseLockFile = rawNode => {
   if (rawNode?.yarn?.yarnLockFile !== undefined) {
     return { lockFile: rawNode?.yarn?.yarnLockFile?.object, type: 'yarn' }
   } else if (rawNode.npmLockFile !== undefined) {
-    return { lockFile: rawNode?.npmLockFile?.dependencies, type: 'npm' }
+    return { lockFile: rawNode?.npmLockFile?.parsedPackages, type: 'npm' }
   } else {
     return undefined
   }
@@ -105,9 +105,9 @@ const createChildDependencies = (lockFileDep, currentDep) => {
 
 const createNPMChildDependencies = (lockFileDep, currentDep) => {
   let depArray = []
-  if (lockFileDep[currentDep]?.requires) {
+  if (lockFileDep[currentDep]?.dependencies) {
     for (const [key, value] of Object.entries(
-      lockFileDep[currentDep]?.requires
+      lockFileDep[currentDep]?.dependencies
     )) {
       depArray.push(key)
     }

package/src/scaAnalysis/php/index.js

@@ -1,16 +1,10 @@
 const { readFile, parseProjectFiles } = require('./analysis')
 const { createPhpTSMessage } = require('../common/formatMessage')
-const { parsePHPLockFileForScaServices } = require('./phpNewServicesMapper')
 
 const phpAnalysis = config => {
   let analysis = readFiles(config)
-
-  if (config.experimental) {
-    return parsePHPLockFileForScaServices(analysis.rawLockFileContents)
-  } else {
-    const phpDep = parseProjectFiles(analysis)
-    return createPhpTSMessage(phpDep)
-  }
+  const phpDep = parseProjectFiles(analysis)
+  return createPhpTSMessage(phpDep)
 }
 
 const readFiles = config => {

package/src/scaAnalysis/python/analysis.js

@@ -60,16 +60,10 @@ const checkForCorrectFiles = languageFiles => {
 
 const getPythonDeps = (config, languageFiles) => {
   try {
-    if (config.experimental) {
-      let pythonLockFileContents = readLockFile(config.file)
-      return scaPythonParser(pythonLockFileContents)
-    } else {
-      checkForCorrectFiles(languageFiles)
-      const parseProject = readAndParseProjectFile(config.file)
-      const parsePip = readAndParseLockFile(config.file)
-
-      return { pipfileLock: parsePip, pipfilDependanceies: parseProject }
-    }
+    checkForCorrectFiles(languageFiles)
+    const parseProject = readAndParseProjectFile(config.file)
+    const parsePip = readAndParseLockFile(config.file)
+    return { pipfileLock: parsePip, pipfilDependanceies: parseProject }
   } catch (err) {
     console.log(err.message.toString())
     process.exit(1)

package/src/scaAnalysis/python/index.js

@@ -3,12 +3,7 @@ const { getPythonDeps, secondaryParser } = require('./analysis')
 
 const pythonAnalysis = (config, languageFiles) => {
   const pythonDeps = getPythonDeps(config, languageFiles.PYTHON)
-
-  if (config.experimental) {
-    return pythonDeps
-  } else {
-    return createPythonTSMessage(pythonDeps)
-  }
+  return createPythonTSMessage(pythonDeps)
 }
 
 module.exports = {

package/src/scaAnalysis/ruby/analysis.js

@@ -6,17 +6,7 @@ const getRubyDeps = (config, languageFiles) => {
     checkForCorrectFiles(languageFiles)
     const parsedGem = readAndParseGemfile(config.file)
     const parsedLock = readAndParseGemLockFile(config.file)
-    if (config.experimental) {
-      const rubyArray = removeRedundantAndPopulateDefinedElements(
-        parsedLock.sources
-      )
-      let rubyTree = createRubyTree(rubyArray)
-      findChildrenDependencies(rubyTree)
-      processRootDependencies(parsedLock.dependencies, rubyTree)
-      return rubyTree
-    } else {
-      return { gemfilesDependanceies: parsedGem, gemfileLock: parsedLock }
-    }
+    return { gemfilesDependanceies: parsedGem, gemfileLock: parsedLock }
   } catch (err) {
     throw err
   }

package/src/scaAnalysis/ruby/index.js

@@ -3,12 +3,7 @@ const { createRubyTSMessage } = require('../common/formatMessage')
 
 const rubyAnalysis = (config, languageFiles) => {
   const rubyDeps = analysis.getRubyDeps(config, languageFiles.RUBY)
-
-  if (config.experimental) {
-    return rubyDeps
-  } else {
-    return createRubyTSMessage(rubyDeps)
-  }
+  return createRubyTSMessage(rubyDeps)
 }
 
 module.exports = {

package/src/scaAnalysis/scaAnalysis.js

@@ -26,18 +26,10 @@ const { rubyAnalysis } = require('./ruby')
 const { pythonAnalysis } = require('./python')
 const javaAnalysis = require('./java')
 const jsAnalysis = require('./javascript')
-const auditReport = require('./common/auditReport')
-const scaUpload = require('./common/scaServicesUpload')
-const settingsHelper = require('../utils/settingsHelper')
 const chalk = require('chalk')
-const saveResults = require('../scan/saveResults')
-const {
-  convertGenericToTypedReportModelSca
-} = require('./common/utils/reportUtilsSca')
 
 const processSca = async config => {
   //checks to see whether to use old TS / new SCA path
-  config = await settingsHelper.getSettings(config)
 
   const startTime = performance.now()
   let filesFound
@@ -72,18 +64,7 @@ const processSca = async config => {
     switch (Object.keys(filesFound[0])[0]) {
       case JAVA:
         config.language = JAVA
-
-        if (config.mode === 'repo') {
-          try {
-            return repoMode.buildRepo(config, filesFound[0])
-          } catch (e) {
-            throw new Error(
-              'Unable to build in repository mode. Check your project file'
-            )
-          }
-        } else {
-          messageToSend = await javaAnalysis.javaAnalysis(config, filesFound[0])
-        }
+        messageToSend = await javaAnalysis.javaAnalysis(config, filesFound[0])
         break
       case JAVASCRIPT:
         messageToSend = await jsAnalysis.jsAnalysis(config, filesFound[0])
@@ -106,18 +87,9 @@ const processSca = async config => {
         config.language = GO
         break
       case DOTNET:
-        if (config.experimental) {
-          console.log(
-            `${chalk.bold(
-              '\n.NET project found\n'
-            )} Language type is unsupported.`
-          )
-          return
-        } else {
-          messageToSend = dotNetAnalysis(config, filesFound[0])
-          config.language = DOTNET
-          break
-        }
+        messageToSend = dotNetAnalysis(config, filesFound[0])
+        config.language = DOTNET
+        break
       default:
         //something is wrong
         console.log('No supported language detected in project path')
@@ -127,63 +99,31 @@ const processSca = async config => {
     if (!config.applicationId) {
       config.applicationId = await auditController.dealWithNoAppId(config)
     }
+    console.log('') //empty log for space before spinner
+    //send message to TS
+    const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
+    startSpinner(reportSpinner)
+    const snapshotResponse = await treeUpload.commonSendSnapShot(
+      messageToSend,
+      config
+    )
 
-    if (config.experimental) {
-      console.log('') //empty log for space before spinner
-      const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
-      startSpinner(reportSpinner)
-      const { reportArray, reportId } = await scaUpload.scaTreeUpload(
-        messageToSend,
-        config
-      )
-
-      const reportModelLibraryList =
-        convertGenericToTypedReportModelSca(reportArray)
-      auditReport.processAuditReport(config, reportModelLibraryList)
-      succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
-
-      if (config.save !== undefined) {
-        await auditSave.auditSave(config, reportId)
-      } else {
-        console.log('Use contrast audit --save to generate an SBOM')
-      }
+    // poll for completion
+    await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner)
+    succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
 
-      const endTime = performance.now() - startTime
-      const scanDurationMs = endTime - startTime
-      console.log(
-        `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
-      )
+    await vulnerabilityReportV2(config, snapshotResponse.id)
+    if (config.save !== undefined) {
+      await auditSave.auditSave(config)
     } else {
-      console.log('') //empty log for space before spinner
-      //send message to TS
-      const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
-      startSpinner(reportSpinner)
-      const snapshotResponse = await treeUpload.commonSendSnapShot(
-        messageToSend,
-        config
-      )
-
-      // poll for completion
-      await pollForSnapshotCompletion(
-        config,
-        snapshotResponse.id,
-        reportSpinner
-      )
-      succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
-
-      await vulnerabilityReportV2(config, snapshotResponse.id)
-      if (config.save !== undefined) {
-        await auditSave.auditSave(config)
-      } else {
-        console.log('\nUse contrast audit --save to generate an SBOM')
-      }
-      const endTime = performance.now() - startTime
-      const scanDurationMs = endTime - startTime
-
-      console.log(
-        `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
-      )
+      console.log('\nUse contrast audit --save to generate an SBOM')
     }
+    const endTime = performance.now() - startTime
+    const scanDurationMs = endTime - startTime
+
+    console.log(
+      `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
+    )
   } else {
     if (filesFound.length === 0) {
       console.log(i18n.__('languageAnalysisNoLanguage'))

package/src/scan/help.js

@@ -4,6 +4,9 @@ const constants = require('../cliConstants')
 const { commonHelpLinks } = require('../common/commonHelp')
 
 const scanUsageGuide = commandLineUsage([
+  {
+    header: i18n.__('constantsHeader')
+  },
   {
     header: i18n.__('scanHeader')
   },

package/dist/utils/settingsHelper.js

@@ -1,24 +0,0 @@
-"use strict";
-const commonApi = require('./commonApi');
-const { getMode } = require('./generalAPI');
-const { SAAS, MODE_BUILD } = require('../constants/constants');
-const getSettings = async (config) => {
-    config.isEOP = (await getMode(config)).toUpperCase() === SAAS ? false : true;
-    config.mode = MODE_BUILD;
-    config.scaServices = await isSCAServicesAvailable(config);
-    return config;
-};
-const isSCAServicesAvailable = async (config) => {
-    const client = commonApi.getHttpClient(config);
-    return client
-        .scaServiceIngests(config)
-        .then(res => {
-        return res.statusCode !== 403;
-    })
-        .catch(err => {
-        console.log(err);
-    });
-};
-module.exports = {
-    getSettings
-};

package/src/utils/settingsHelper.js

@@ -1,26 +0,0 @@
-const commonApi = require('./commonApi')
-const { getMode } = require('./generalAPI')
-const { SAAS, MODE_BUILD } = require('../constants/constants')
-
-const getSettings = async config => {
-  config.isEOP = (await getMode(config)).toUpperCase() === SAAS ? false : true
-  config.mode = MODE_BUILD
-  config.scaServices = await isSCAServicesAvailable(config)
-  return config
-}
-
-const isSCAServicesAvailable = async config => {
-  const client = commonApi.getHttpClient(config)
-  return client
-    .scaServiceIngests(config)
-    .then(res => {
-      return res.statusCode !== 403
-    })
-    .catch(err => {
-      console.log(err)
-    })
-}
-
-module.exports = {
-  getSettings
-}