@contrast/contrast 1.0.22 → 2.0.0

package/README.md

@@ -1,152 +1,35 @@
-# CodeSec by Contrast Security
+# Contrast CLI
 
-CodeSec delivers:
+Use the ‘contrast’ command for fast and accurate security analysis of your applications, APIs, serverless functions, and libraries.
 
-- The fastest and most accurate SAST scanner.
-- Immediate and actionable results — scan code and serverless environments.
-- A frictionless and seamless sign-in process with GitHub or Google Account. From start to finish in minutes.
-- By running a scan on your lambda functions, you can find: Least privilege identity and access management (IAM) vulnerabilities (over permissive policies) and remediation.
+## Supported
 
-## Install
+<p><b>Code</b>: Java, .NET, .NET Core, JavaScript</p>
+<p><b>Serverless</b>: AWS Lambda - Java, Python</p>
+<p><b>Libraries</b>: Java, .NET, Node, Ruby, Python, Go, PHP</p>
 
-```shell
-npm install --location=global @contrast/contrast
-```
-
-## Authenticate
-
-Authenticate by entering contrast auth in the terminal.
-
-In the resulting browser window, log in and authenticate with your GitHub or Google credentials.
-
-## Run a scan
-
-### SAST scan
+## What can I do?
 
-#### Scan Requirements
+<p><code>contrast audit</code> to run a security audit of your dependencies and see results.</p>
+<p><code>contrast scan</code> to run Contrast's industry leading SAST scanner and see results.</p>
+<p><code>contrast lambda</code> to secure your AWS serverless functions.</p>
+<p><code>contrast learn</code> launches Contrast's Secure Code Learning Hub.</p>
+<p><code>contrast help</code> for full list of commands, options & support.</p>
 
-Make sure you have the correct file types to scan.
+### New CodeSec user?
 
-- Upload a .jar or .war file to scan a Java project for analysis
-- Upload a .js or .zip file to scan a JavaScript project for analysis
-- Upload a .exe. or .zip file to scan a .NET c# web forms project
-
-Start scanning
-
-Use the Contrast scan command `contrast scan`
-
-### Lambda function scan
-
-#### Lambda Requirements
-
-- Currently supports Java and Python functions on AWS.
-  Configure AWS credentials on your local environment by running the commands with your credentials:
+Get going:
 
 ```shell
-export AWS_DEFAULT_REGION=<YOUR_AWS_REGION>
-export AWS_ACCESS_KEY_ID=<YOUR_ACCESS_KEY_ID>
-export AWS_SECRET_ACCESS_KEY=<YOUR_SECRET_ACCESS_KEY>
+npm install --location=global @contrast/contrast@1
 ```
 
-- AWS credentials should be available on your local configure (usually **~/.aws/credentials**). You have an option to run a lambda scan with your aws-profile to pass --profile. You also can export different credentials.
-
-- These permissions are required to gather all required information on an AWS Lambda to use the `contrast lambda` command:
-
-  - Lambda: [GetFunction](https://docs.aws.amazon.com/lambda/latest/dg/API_GetFunction.html) | [GetLayerVersion](https://docs.aws.amazon.com/lambda/latest/dg/API_GetLayerVersion.html) | [ListFunctions](https://docs.aws.amazon.com/lambda/latest/dg/API_ListFunctions.html)
-  - IAM: [GetRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRolePolicy.html) | [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html) | [GetPolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicyVersion.html) | [ListRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html) | [ListAttachedRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html)
-
-### Start scanning
-
-Use contrast lambda to scan your AWS Lambda functions.
-`contrast lambda --function-name MyFunctionName --region my-aws-region`
-
-## Contrast commands
-
-### auth
-
-Authenticate Contrast using your GitHub or Google account. A new browser window will open for login.
-
-**Usage:** `contrast auth`
-
-### config
-
-Displays stored credentials.
-
-**Usage:** `contrast config`
-
-**Options:**
-
-- **-c, --clear** - Removes stored credentials.
+<p>Read more: https://www.contrastsecurity.com/developer/codesec</p>
 
-### scan
+### Contrast existing Enterprise user?
 
-Performs a security SAST scan.
-
-**Usage:** `contrast scan [option]`
-
-**Options:**
-
-- **contrast scan --file**
-
-  - Path of the file you want to scan. Contrast searches for a .jar, .war, .js. or .zip file in the working directory if a file is not specified.
-  - Alias: **--f**
-
-- **contrast scan --name**
-
-  - Contrast project name. If not specified, Contrast uses contrast.settings to identify the project or creates a project.
-  - Alias: **–n**
-
-- **contrast scan --save**
-
-  - Download the results to a Static Analysis Results Interchange Format (SARIF) file. The file is downloaded to the current working directory with a default name of results.sarif. You can view the file with any text editor.
-  - Alias: **-s**
-
-- **contrast scan --timeout**
-  - Time in seconds to wait for the scan to complete. Default value is 300 seconds.
-  - Alias: **-t**
-
-### lambda
-
-Name of AWS lambda function to scan.
-
-**Usage:** `contrast lambda --function-name`
-
-**Options:**
-
-- **contrast lambda --list-functions**
-  Lists all available lambda functions to scan.
-
-- **contrast lambda --function-name --endpoint-url**
-  AWS Endpoint override. Similar to AWS CLI.
-  Alias: **-e**
-
-- **contrast lambda --function-name --region**
-  Region override. Defaults to AWS_DEFAULT_REGION. Similar to AWS CLI.
-  Alias: **-r**
-
-- **contrast lambda --function-name --profile**
-  AWS configuration profile override. Similar to AWS CLI.
-  Alias: **-p**
-
-- **contrast lambda --function-name --json**
-  Return response in JSON (versus default human-readable format).
-  Alias: **-j**
-
-- **contrast lambda -–function-name -–verbose**
-  Returns extended information to the terminal.
-  Alias: **-v**
-
-- **contrast lambda --function-name -–help**
-  Displays usage guide.
-  Alias: **-h**
-
-### help
-
-Displays usage guide. To list detailed help for any CLI command, add the -h or --help flag to the command.
-**Usage:** `contrast scan --help`
-Alias: **-h**
-
-### version
+```shell
+npm install --location=global @contrast/contrast@2
+```
 
-Displays version of Contrast CLI.
-**Usage:** `contrast version` Alias: **-v**, **--version**
+Read more: https://docs.contrastsecurity.com/en/install-contrast-cli.html

package/dist/audit/languageAnalysisEngine/sendSnapshot.js

@@ -17,21 +17,10 @@ const pollSnapshotResults = async (config, snapshotId, client) => {
         console.log(err);
     });
 };
-const getTimeout = config => {
-    if (config.timeout) {
-        return config.timeout;
-    }
-    else {
-        if (config.verbose) {
-            console.log('Timeout set to 5 minutes');
-        }
-        return 300;
-    }
-};
 const pollForSnapshotCompletion = async (config, snapshotId, reportSpinner) => {
     const client = commonApi.getHttpClient(config);
     const startTime = performance.now();
-    const timeout = getTimeout(config);
+    const timeout = commonApi.getTimeout(config);
     let complete = false;
     if (!_.isNil(snapshotId)) {
         while (!complete) {
@@ -52,13 +41,7 @@ const pollForSnapshotCompletion = async (config, snapshotId, reportSpinner) => {
                     process.exit(1);
                 }
             }
-            const endTime = performance.now() - startTime;
-            if (requestUtils.millisToSeconds(endTime) > timeout) {
-                oraFunctions.failSpinner(reportSpinner, 'Contrast audit timed out at the specified timeout of ' +
-                    timeout +
-                    ' seconds.');
-                throw new Error('You can update the timeout using --timeout');
-            }
+            commonApi.handleTimeout(startTime, timeout, reportSpinner);
         }
     }
 };

package/dist/audit/report/commonReportingFunctions.js

@@ -122,7 +122,7 @@ function buildHeader(highestSeverity, contrastHeaderNum, libraryName, version, n
 function buildBody(cveArray, advice) {
     const orderedCvesWithSeverityAssigned = orderByHighestPriority(cveArray.map(cve => findCVESeverity(cve)));
     const issueMessage = getIssueRow(orderedCvesWithSeverityAssigned);
-    const minOrMax = advice.maximum ? advice.maximum : advice.minimum;
+    const minOrMax = advice.minimum ? advice.minimum : advice.maximum;
     const displayAdvice = minOrMax
         ? `Change to version ${chalk.bold(minOrMax)}`
         : 'No recommendation is available according to our data. Upgrade to the latest stable is the best advice we can give.';

package/dist/audit/save.js

@@ -7,6 +7,7 @@ const sbom = require('../sbom/generateSbom');
 const { SBOM_CYCLONE_DX_FILE, SBOM_SPDX_FILE } = require('../constants/constants');
 async function auditSave(config, reportId) {
     let fileFormat;
+    config.save = config.save ? config.save.toUpperCase() : config.save;
     switch (config.save) {
         case null:
         case SBOM_CYCLONE_DX_FILE:
@@ -19,18 +20,28 @@ async function auditSave(config, reportId) {
             break;
     }
     if (fileFormat) {
-        if (config.experimental) {
-            save.saveFile(config, fileFormat, await sbom.generateSCASbom(config, fileFormat, reportId));
+        if (config.legacy === false) {
+            const sbomResponse = await sbom.generateSCASbom(config, fileFormat, reportId);
+            if (sbomResponse) {
+                save.saveFile(config, fileFormat, sbomResponse);
+            }
         }
         else {
-            save.saveFile(config, fileFormat, await sbom.generateSbom(config, fileFormat));
+            const sbomResponse = await sbom.generateSbom(config, fileFormat);
+            if (sbomResponse) {
+                save.saveFile(config, fileFormat, sbomResponse);
+            }
         }
-        const filename = `${config.applicationId}-sbom-${fileFormat}.json`;
+        let fileStart = config.legacy ? config.applicationId : config.projectId;
+        if (fileStart === undefined) {
+            fileStart = 'my';
+        }
+        const filename = `${fileStart}-sbom-${fileFormat}.json`;
         if (fs.existsSync(filename)) {
             console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`);
         }
         else {
-            console.log(chalk.yellow.bold(`\n Unable to save ${filename} Software Bill of Materials (SBOM)`));
+            console.log(chalk.yellow.bold(`\nUnable to save ${filename} Software Bill of Materials (SBOM)`));
         }
     }
     else {

package/dist/cliConstants.js

@@ -224,6 +224,13 @@ const auditAdvancedOptionDefinitionsForHelp = [
             '}: ' +
             i18n.__('constantsApplicationName')
     },
+    {
+        name: 'name',
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}: ' +
+            i18n.__('constantsProjectName')
+    },
     {
         name: 'app-groups',
         description: '{bold ' +
@@ -353,6 +360,23 @@ const auditOptionDefinitions = [
             i18n.__('constantsOptional') +
             '}:' +
             i18n.__('auditOptionsBranchSummary')
+    },
+    {
+        name: 'legacy',
+        alias: 'l',
+        type: Boolean,
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}:' +
+            i18n.__('auditOptionsLegacySummary')
+    },
+    {
+        name: 'repo',
+        type: Boolean,
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}:' +
+            i18n.__('auditOptionsRepoSummary')
     }
 ];
 const fingerprintOptionDefinitions = [
@@ -361,6 +385,11 @@ const fingerprintOptionDefinitions = [
         name: 'depth',
         type: Number,
         description: '{bold ' + i18n.__('constantsOptional') + '}: ' + i18n.__('depthOption')
+    },
+    {
+        name: 'repoUrl',
+        type: String,
+        description: ''
     }
 ];
 const mainUsageGuide = commandLineUsage([

package/dist/commands/audit/auditController.js

@@ -39,5 +39,6 @@ const removeLastChar = str => {
     return str.substring(0, str.length - 1);
 };
 module.exports = {
-    dealWithNoAppId
+    dealWithNoAppId,
+    getAppName
 };

package/dist/commands/audit/help.js

@@ -51,12 +51,12 @@ const auditUsageGuide = commandLineUsage([
             'code',
             'maven-settings-path',
             'language',
-            'experimental',
             'app-groups',
             'metadata',
-            'track',
             'fingerprint',
-            'branch'
+            'branch',
+            'repo',
+            'name'
         ]
     },
     {

package/dist/commands/audit/processAudit.js

@@ -4,12 +4,14 @@ const { auditUsageGuide } = require('./help');
 const scaController = require('../../scaAnalysis/scaAnalysis');
 const { sendTelemetryConfigAsObject } = require('../../telemetry/telemetry');
 const { postRunMessage } = require('../../common/commonHelp');
+const settingsHelper = require('../../utils/settingsHelper');
 const processAudit = async (contrastConf, argvMain) => {
     if (argvMain.indexOf('--help') !== -1) {
         printHelpMessage();
         process.exit(0);
     }
-    const config = await auditConfig.getAuditConfig(contrastConf, 'audit', argvMain);
+    let config = await auditConfig.getAuditConfig(contrastConf, 'audit', argvMain);
+    config = await settingsHelper.getSettings(config);
     await scaController.processSca(config);
     if (!config.fingerprint) {
         postRunMessage('audit');

package/dist/commands/audit/saveFile.js

@@ -1,7 +1,11 @@
 "use strict";
 const fs = require('fs');
 const saveFile = (config, type, rawResults) => {
-    const fileName = `${config.applicationId}-sbom-${type}.json`;
+    let fileStart = config.legacy ? config.applicationId : config.projectId;
+    if (fileStart === undefined) {
+        fileStart = 'my';
+    }
+    const fileName = `${fileStart}-sbom-${type}.json`;
     fs.writeFileSync(fileName, JSON.stringify(rawResults));
 };
 module.exports = {

package/dist/commands/github/projectGroup.js

@@ -0,0 +1,164 @@
+"use strict";
+const commonApi = require('../../utils/commonApi');
+const { getAppName } = require('../audit/auditController');
+const getProjectIdByOrg = async (config) => {
+    const client = await commonApi.getHttpClient(config);
+    config.language = config.language === 'NODE' ? 'JAVASCRIPT' : config.language;
+    let projectId = '';
+    let projectByOrg = await retrieveProjectByOrganization(config, client);
+    if (projectByOrg?.length > 0) {
+        projectId = getProjectIdFromArray(config, projectByOrg);
+    }
+    return projectId;
+};
+const registerNewProjectGroup = async (config) => {
+    let projectId = '';
+    let body = {
+        organizationId: config.organizationId,
+        name: config.name ? config.name : config.file,
+        repositoryId: null,
+        type: 'CLI'
+    };
+    const client = await commonApi.getHttpClient(config);
+    body.projects = createProjects([config]);
+    let projectGroupInfo = await client
+        .registerProjectGroup(config, body)
+        .then(res => {
+        if (config.debug || config.verbose) {
+            console.log('\nRegister ProjectGroup');
+            console.log(res.statusCode);
+            console.log(res.body);
+        }
+        if (res.statusCode === 201 || res.statusCode === 200) {
+            if (config.debug || config.verbose) {
+                console.log('registerProjectGroup - response');
+                console.log('response', res.body);
+            }
+            return res?.body?.projectGroupId;
+        }
+        if (res.statusCode === 409) {
+            return [];
+        }
+    })
+        .catch(err => {
+        console.log('\nError Registering Project Group');
+        console.log(err.statusCode);
+    });
+    return projectGroupInfo;
+};
+const createProjects = params => {
+    let projectsArray = [];
+    let projects = {};
+    params.forEach(param => {
+        projects = {
+            path: param.file,
+            name: param.name ? param.name : param.file,
+            source: 'SCA',
+            language: param.language,
+            packageManager: 'MAVEN',
+            target: 'SCA',
+            sourceId: ''
+        };
+        projectsArray.push(projects);
+    });
+    return projectsArray;
+};
+const getExistingGroupProjectId = (config, projectGroupsInfoEx) => {
+    let existingGroupProjectId = '';
+    projectGroupsInfoEx.forEach(i => {
+        if (i.name === config.name) {
+            existingGroupProjectId = i.projectGroupId;
+        }
+    });
+    return existingGroupProjectId;
+};
+const getProjectIdFromArray = (config, array) => {
+    let projectId = '';
+    array?.forEach(i => {
+        if (i.name === config.name) {
+            projectId = i.projectId;
+        }
+    });
+    return projectId;
+};
+const registerProjectIdOnCliServices = async (config, projectId) => {
+    const client = commonApi.getHttpClient(config);
+    let cliServicesBody = {
+        projectId: projectId,
+        name: config.name
+    };
+    let result = await client
+        .registerOnCliServices(config, cliServicesBody)
+        .then(res => {
+        if (config.debug || config.verbose) {
+            console.log('\nregistration on cli services');
+            console.log(res.statusCode);
+        }
+        if (res.statusCode === 201 || res.statusCode === 200) {
+            return res.body;
+        }
+        else {
+            return [];
+        }
+    });
+    return result;
+};
+const retrieveExistingProjectIdWithProjectGroupId = async (config, client, projectGroupId) => {
+    let groups = await client
+        .retrieveExistingProjectIdByProjectGroupId(config, projectGroupId)
+        .then(res => {
+        if (config.debug || config.verbose) {
+            console.log('\nRetrieve Existing ProjectId By ProjectGroupId');
+            console.log(res.statusCode);
+            console.log(res.body);
+        }
+        if (res.statusCode === 200) {
+            return res.body;
+        }
+        else {
+            return [];
+        }
+    });
+    return getProjectIdFromArray(config, groups);
+};
+const retrieveProjectByOrganization = async (config, client) => {
+    return await client.retrieveProjectByOrganizationId(config).then(res => {
+        if (config.debug || config.verbose) {
+            console.log('\nRetrieve Project By OrganizationId');
+            console.log(res.statusCode);
+            console.log(res.body);
+        }
+        if (res.statusCode === 201 || res.statusCode === 200) {
+            return res.body;
+        }
+        else {
+            return [];
+        }
+    });
+};
+const retrieveExistingProjectGroups = async (config, client) => {
+    return await client.retrieveExistingProjectGroupsByOrg(config).then(res => {
+        if (res.statusCode === 201 || res.statusCode === 200) {
+            return res.body;
+        }
+        else {
+            return [];
+        }
+    });
+};
+const dealWithNoName = async (config) => {
+    try {
+        config.name = getAppName(config.file);
+    }
+    catch (e) {
+        console.log(e.message.toString());
+        process.exit(1);
+    }
+    return config;
+};
+module.exports = {
+    getProjectIdByOrg,
+    registerProjectIdOnCliServices,
+    dealWithNoName,
+    registerNewProjectGroup
+};