@contrast/contrast 1.0.22 → 2.0.0

package/src/scaAnalysis/common/scaServicesUpload.js

@@ -1,10 +1,20 @@
 const commonApi = require('../../utils/commonApi')
 const { APP_VERSION } = require('../../constants/constants')
 const requestUtils = require('../../utils/requestUtils')
+const { performance } = require('perf_hooks')
 
-const scaTreeUpload = async (analysis, config) => {
+const scaTreeUpload = async (analysis, config, reportSpinner) => {
+  if (config.projectId === '') {
+    console.log(
+      'We were unable to create/locate a project for this manifest, please try again or run with --debug for more information'
+    )
+    process.exit(1)
+  }
+
+  config.language = config.language === 'JAVASCRIPT' ? 'NODE' : config.language
+  const startTime = performance.now()
+  const timeout = commonApi.getTimeout(config)
   const requestBody = {
-    applicationId: config.applicationId,
     dependencyTree: analysis,
     organizationId: config.organizationId,
     language: config.language,
@@ -22,7 +32,7 @@ const scaTreeUpload = async (analysis, config) => {
   const reportID = await client
     .scaServiceIngest(requestBody, config)
     .then(res => {
-      if (res.statusCode === 201) {
+      if (res.statusCode === 201 || res.statusCode === 200) {
         return res.body.libraryIngestJobId
       } else {
         throw new Error(res.statusCode + ` error ingesting dependencies`)
@@ -40,21 +50,95 @@ const scaTreeUpload = async (analysis, config) => {
   while (keepChecking) {
     res = await client.scaServiceReportStatus(config, reportID).then(res => {
       if (config.debug) {
-        console.log(res.statusCode)
+        console.log('scaServiceReportStatus', res.statusCode)
         console.log(res.body)
       }
       if (res.body.status === 'COMPLETED') {
         keepChecking = false
         return client.scaServiceReport(config, reportID).then(res => {
           const reportBody = res.body
-          return { reportBody, reportID }
+          return { reportBody, reportId: reportID }
         })
       }
     })
 
     if (!keepChecking) {
-      return { reportArray: res.reportBody, reportID }
+      return { reportArray: res.reportBody, reportId: reportID }
     }
+
+    commonApi.handleTimeout(startTime, timeout, reportSpinner)
+
+    await requestUtils.sleep(5000)
+  }
+
+  return { reportArray: res, reportID }
+}
+
+const noProjectUpload = async (analysis, config, reportSpinner) => {
+  config.language = config.language === 'JAVASCRIPT' ? 'NODE' : config.language
+  const startTime = performance.now()
+  const timeout = commonApi.getTimeout(config)
+  const requestBody = {
+    dependencyTree: analysis,
+    language: config.language,
+    tool: {
+      name: 'Contrast Codesec',
+      version: APP_VERSION
+    }
+  }
+
+  if (config.branch) {
+    requestBody.branchName = config.branch
+  }
+
+  const client = commonApi.getHttpClient(config)
+  const reportID = await client
+    .noProjectIdUpload(requestBody, config)
+    .then(res => {
+      if (res.statusCode === 201 || res.statusCode === 200) {
+        return res.body.libraryIngestJobId
+      } else {
+        throw new Error(
+          res.statusCode + ` error ingesting dependencies with no project id`
+        )
+      }
+    })
+    .catch(err => {
+      throw err
+    })
+
+  if (config.debug) {
+    console.log(' polling report no project', reportID)
+  }
+
+  let keepChecking = true
+  let res
+  while (keepChecking) {
+    res = await client
+      .scaServiceNoProjectIdReportStatus(config, reportID)
+      .then(res => {
+        if (config.debug) {
+          console.log('\nscaServiceReportStatus')
+          console.log(res.statusCode)
+          console.log(res.body)
+        }
+        if (res.body.status === 'COMPLETED') {
+          keepChecking = false
+          return client
+            .scaServiceReportNoProjectId(config, reportID)
+            .then(res => {
+              const reportBody = res.body
+              return { reportBody, reportId: reportID }
+            })
+        }
+      })
+
+    if (!keepChecking) {
+      return { reportArray: res.reportBody, reportId: reportID }
+    }
+
+    commonApi.handleTimeout(startTime, timeout, reportSpinner)
+
     await requestUtils.sleep(5000)
   }
 
@@ -62,5 +146,6 @@ const scaTreeUpload = async (analysis, config) => {
 }
 
 module.exports = {
-  scaTreeUpload
+  scaTreeUpload,
+  noProjectUpload
 }

package/src/scaAnalysis/common/treeUpload.js

@@ -3,7 +3,7 @@ const { APP_VERSION } = require('../../constants/constants')
 
 const commonSendSnapShot = async (analysis, config) => {
   let requestBody = {}
-  config.experimental === true
+  config.legacy === false
     ? (requestBody = sendToSCAServices(config, analysis))
     : (requestBody = {
         appID: config.applicationId,

package/src/scaAnalysis/go/goAnalysis.js

@@ -11,7 +11,7 @@ const goAnalysis = config => {
     const parsedGoDependencies =
       goParseDeps.parseGoDependencies(rawGoDependencies)
 
-    if (config.experimental) {
+    if (config.legacy === false) {
       return parseDependenciesForSCAServices(parsedGoDependencies)
     } else {
       return createGoTSMessage(parsedGoDependencies)

package/src/scaAnalysis/java/analysis.js

@@ -3,8 +3,6 @@ const spawn = require('cross-spawn')
 const path = require('path')
 const i18n = require('i18n')
 const fs = require('fs')
-const readLine = require('readline')
-const paramHandler = require('../../utils/paramsUtil/paramHandler')
 
 const MAVEN = 'maven'
 const GRADLE = 'gradle'
@@ -31,30 +29,31 @@ const determineProjectTypeAndCwd = (files, config) => {
 }
 
 const buildMaven = (config, projectData, timeout) => {
-  let cmdStdout
-  try {
-    let command = 'mvn'
-    let args = ['dependency:tree', '-B']
-    if (config.mavenSettingsPath) {
-      args.push('-s')
-      args.push(config.mavenSettingsPath)
-    }
-    // Allow users to provide a custom location for their settings.xml
+  let command = 'mvn'
+  let args = ['dependency:tree', '-B']
+  if (config.mavenSettingsPath) {
+    args.push('-s')
+    args.push(config.mavenSettingsPath)
+  }
 
-    cmdStdout = spawn
-      .sync(command, args, {
-        env: process.env,
-        cwd: projectData.cwd,
-        timeout
-      })
-      .stdout.toString()
+  // Allow users to provide a custom location for their settings.xml
+  const cmdDepTree = spawn.sync(command, args, {
+    env: process.env,
+    cwd: projectData.cwd,
+    timeout
+  })
 
-    return cmdStdout.toString()
-  } catch (err) {
-    throw new Error(
-      i18n.__('mavenDependencyTreeNonZero', projectData.cwd, `${err.message}`)
-    )
+  if (cmdDepTree.status !== 0) {
+    //if maven not found
+    if (config.debug && cmdDepTree.error.code === 'ENOENT') {
+      console.log(`ERROR: mvn not found`)
+      console.log('Please make sure mvn is installed and accessible')
+    }
+
+    throw new Error(i18n.__('mavenDependencyTreeNonZero', projectData.cwd))
   }
+
+  return cmdDepTree.stdout.toString()
 }
 
 const buildGradle = (config, projectData, timeout) => {
@@ -133,18 +132,14 @@ const getJavaBuildDeps = (config, files) => {
     projectType: undefined
   }
 
-  try {
-    const projectData = determineProjectTypeAndCwd(files, config)
-    if (projectData.projectType === MAVEN) {
-      output.mvnDependancyTreeOutput = buildMaven(config, projectData, timeout)
-    } else if (projectData.projectType === GRADLE) {
-      output.mvnDependancyTreeOutput = buildGradle(config, projectData, timeout)
-    }
-    output.projectType = projectData.projectType
-    return output
-  } catch (err) {
-    console.log(err.message.toString())
+  const projectData = determineProjectTypeAndCwd(files, config)
+  if (projectData.projectType === MAVEN) {
+    output.mvnDependancyTreeOutput = buildMaven(config, projectData, timeout)
+  } else if (projectData.projectType === GRADLE) {
+    output.mvnDependancyTreeOutput = buildGradle(config, projectData, timeout)
   }
+  output.projectType = projectData.projectType
+  return output
 }
 
 module.exports = {

package/src/scaAnalysis/java/index.js

@@ -12,7 +12,7 @@ const javaAnalysis = async (config, languageFiles) => {
 
   const javaDeps = buildJavaTree(config, languageFiles.JAVA)
 
-  if (config.experimental) {
+  if (config.legacy === false) {
     return parseDependenciesForSCAServices(javaDeps)
   } else {
     return createJavaTSMessage(javaDeps)

package/src/scaAnalysis/javascript/index.js

@@ -14,8 +14,7 @@ const jsAnalysis = async (config, languageFiles) => {
 const buildNodeTree = async (config, files) => {
   let analysis = await readFiles(config, files)
   const rawNode = await parseFiles(config, files, analysis)
-
-  if (config.experimental) {
+  if (config.legacy === false) {
     return scaServiceParser.parseJS(rawNode)
   }
 
@@ -65,10 +64,8 @@ const parseFiles = async (config, files, js) => {
       )
     }
 
-    if (currentLockFileVersion === 3 && !config.experimental) {
-      throw new Error(
-        `NPM lockfileVersion 3 is only supported when using the '-e' flag.`
-      )
+    if (currentLockFileVersion === 3 && config.legacy) {
+      throw new Error(`NPM lockfileVersion 3 is not support with --legacy`)
     }
 
     js.npmLockFile = await analysis.parseNpmLockFile(npmLockFile)

package/src/scaAnalysis/legacy/legacyFlow.js

@@ -0,0 +1,48 @@
+const auditController = require('../../commands/audit/auditController')
+const {
+  returnOra,
+  startSpinner,
+  succeedSpinner
+} = require('../../utils/oraWrapper')
+const i18n = require('i18n')
+const treeUpload = require('../common/treeUpload')
+const {
+  pollForSnapshotCompletion
+} = require('../../audit/languageAnalysisEngine/sendSnapshot')
+const { vulnerabilityReportV2 } = require('../../audit/report/reportingFeature')
+const { auditSave } = require('../../audit/save')
+
+const legacyFlow = async (config, messageToSend) => {
+  const startTime = performance.now()
+  if (!config.applicationId) {
+    config.applicationId = await auditController.dealWithNoAppId(config)
+  }
+
+  console.log('') //empty log for space before spinner
+  //send message to TS
+  const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
+  startSpinner(reportSpinner)
+  const snapshotResponse = await treeUpload.commonSendSnapShot(
+    messageToSend,
+    config
+  )
+
+  // poll for completion
+  await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner)
+  succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
+
+  await vulnerabilityReportV2(config, snapshotResponse.id)
+  if (config.save !== undefined) {
+    await auditSave(config)
+  } else {
+    console.log('\nUse contrast audit --save to generate an SBOM')
+  }
+  const endTime = performance.now() - startTime
+  const scanDurationMs = endTime - startTime
+
+  console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`)
+}
+
+module.exports = {
+  legacyFlow
+}

package/src/scaAnalysis/php/index.js

@@ -5,7 +5,7 @@ const { parsePHPLockFileForScaServices } = require('./phpNewServicesMapper')
 const phpAnalysis = config => {
   let analysis = readFiles(config)
 
-  if (config.experimental) {
+  if (config.legacy === false) {
     return parsePHPLockFileForScaServices(analysis.rawLockFileContents)
   } else {
     const phpDep = parseProjectFiles(analysis)

package/src/scaAnalysis/processServicesFlow.js

@@ -0,0 +1,29 @@
+const projectConfig = require('../commands/github/projectGroup')
+const scaServicesUpload = require('../scaAnalysis/common/scaServicesUpload')
+const processUpload = async (analysis, config, reportSpinner) => {
+  let projectId = await projectConfig.getProjectIdByOrg(config)
+
+  if (projectId === '') {
+    if (config.track === true) {
+      await projectConfig.registerNewProjectGroup(config)
+      projectId = await projectConfig.getProjectIdByOrg(config)
+    }
+
+    if (config.track === false || config.track === undefined) {
+      return await scaServicesUpload.noProjectUpload(
+        analysis,
+        config,
+        reportSpinner
+      )
+    }
+  }
+
+  await projectConfig.registerProjectIdOnCliServices(config, projectId)
+  config.projectId = projectId
+
+  return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner)
+}
+
+module.exports = {
+  processUpload
+}

package/src/scaAnalysis/python/analysis.js

@@ -60,7 +60,7 @@ const checkForCorrectFiles = languageFiles => {
 
 const getPythonDeps = (config, languageFiles) => {
   try {
-    if (config.experimental) {
+    if (config.legacy === false) {
       let pythonLockFileContents = readLockFile(config.file)
       return scaPythonParser(pythonLockFileContents)
     } else {

package/src/scaAnalysis/python/index.js

@@ -4,7 +4,7 @@ const { getPythonDeps, secondaryParser } = require('./analysis')
 const pythonAnalysis = (config, languageFiles) => {
   const pythonDeps = getPythonDeps(config, languageFiles.PYTHON)
 
-  if (config.experimental) {
+  if (config.legacy === false) {
     return pythonDeps
   } else {
     return createPythonTSMessage(pythonDeps)

package/src/scaAnalysis/repoMode/index.js

@@ -7,10 +7,10 @@ const buildRepo = async (config, languageFiles) => {
 
   if (project.projectType === 'maven') {
     let jsonPomFile = mavenParser.readPomFile(project)
-    mavenParser.parsePomFile(jsonPomFile)
+    return mavenParser.parsePomFile(jsonPomFile)
   } else if (project.projectType === 'gradle') {
     const gradleJson = gradleParser.readBuildGradleFile(project)
-    gradleParser.parseGradleJson(await gradleJson)
+    return gradleParser.parseGradleJson(await gradleJson)
   } else {
     console.log('Unable to read project files.')
   }

package/src/scaAnalysis/ruby/analysis.js

@@ -6,7 +6,7 @@ const getRubyDeps = (config, languageFiles) => {
     checkForCorrectFiles(languageFiles)
     const parsedGem = readAndParseGemfile(config.file)
     const parsedLock = readAndParseGemLockFile(config.file)
-    if (config.experimental) {
+    if (config.legacy === false) {
       const rubyArray = removeRedundantAndPopulateDefinedElements(
         parsedLock.sources
       )

package/src/scaAnalysis/ruby/index.js

@@ -4,7 +4,7 @@ const { createRubyTSMessage } = require('../common/formatMessage')
 const rubyAnalysis = (config, languageFiles) => {
   const rubyDeps = analysis.getRubyDeps(config, languageFiles.RUBY)
 
-  if (config.experimental) {
+  if (config.legacy === false) {
     return rubyDeps
   } else {
     return createRubyTSMessage(rubyDeps)

package/src/scaAnalysis/scaAnalysis.js

@@ -1,18 +1,12 @@
 const {
   supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET }
 } = require('../constants/constants')
-const {
-  pollForSnapshotCompletion
-} = require('../audit/languageAnalysisEngine/sendSnapshot')
 const {
   returnOra,
   startSpinner,
   succeedSpinner
 } = require('../utils/oraWrapper')
-const { vulnerabilityReportV2 } = require('../audit/report/reportingFeature')
 const autoDetection = require('../scan/autoDetection')
-const treeUpload = require('./common/treeUpload')
-const auditController = require('../commands/audit/auditController')
 const rootFile = require('../audit/languageAnalysisEngine/getProjectRootFilenames')
 const path = require('path')
 const i18n = require('i18n')
@@ -27,19 +21,15 @@ const { pythonAnalysis } = require('./python')
 const javaAnalysis = require('./java')
 const jsAnalysis = require('./javascript')
 const auditReport = require('./common/auditReport')
-const scaUpload = require('./common/scaServicesUpload')
-const settingsHelper = require('../utils/settingsHelper')
+const processServices = require('./processServicesFlow')
 const chalk = require('chalk')
-const saveResults = require('../scan/saveResults')
 const {
   convertGenericToTypedReportModelSca
 } = require('./common/utils/reportUtilsSca')
+const projectConfig = require('../commands/github/projectGroup')
+const { legacyFlow } = require('./legacy/legacyFlow')
 
 const processSca = async config => {
-  //checks to see whether to use old TS / new SCA path
-  config = await settingsHelper.getSettings(config)
-
-  const startTime = performance.now()
   let filesFound
 
   if (config.help) {
@@ -72,10 +62,9 @@ const processSca = async config => {
     switch (Object.keys(filesFound[0])[0]) {
       case JAVA:
         config.language = JAVA
-
-        if (config.mode === 'repo') {
+        if (config.repo && !config.legacy) {
           try {
-            return repoMode.buildRepo(config, filesFound[0])
+            messageToSend = await repoMode.buildRepo(config, filesFound[0])
           } catch (e) {
             throw new Error(
               'Unable to build in repository mode. Check your project file'
@@ -106,7 +95,7 @@ const processSca = async config => {
         config.language = GO
         break
       case DOTNET:
-        if (config.experimental) {
+        if (config.legacy === false) {
           console.log(
             `${chalk.bold(
               '\n.NET project found\n'
@@ -124,65 +113,40 @@ const processSca = async config => {
         return
     }
 
-    if (!config.applicationId) {
-      config.applicationId = await auditController.dealWithNoAppId(config)
-    }
-
-    if (config.experimental) {
+    if (config.legacy === false) {
+      if (!config.name) {
+        config = await projectConfig.dealWithNoName(config)
+      }
+      const startTime = performance.now()
       console.log('') //empty log for space before spinner
       const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
       startSpinner(reportSpinner)
-      const { reportArray, reportId } = await scaUpload.scaTreeUpload(
+
+      let reportResponse = await processServices.processUpload(
         messageToSend,
-        config
+        config,
+        reportSpinner
       )
 
-      const reportModelLibraryList =
-        convertGenericToTypedReportModelSca(reportArray)
+      const reportModelLibraryList = convertGenericToTypedReportModelSca(
+        reportResponse.reportArray
+      )
       auditReport.processAuditReport(config, reportModelLibraryList)
-      succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
-
       if (config.save !== undefined) {
-        await auditSave.auditSave(config, reportId)
+        await auditSave.auditSave(config, reportResponse.reportId)
       } else {
         console.log('Use contrast audit --save to generate an SBOM')
       }
 
-      const endTime = performance.now() - startTime
-      const scanDurationMs = endTime - startTime
-      console.log(
-        `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
-      )
-    } else {
-      console.log('') //empty log for space before spinner
-      //send message to TS
-      const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
-      startSpinner(reportSpinner)
-      const snapshotResponse = await treeUpload.commonSendSnapShot(
-        messageToSend,
-        config
-      )
-
-      // poll for completion
-      await pollForSnapshotCompletion(
-        config,
-        snapshotResponse.id,
-        reportSpinner
-      )
       succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
 
-      await vulnerabilityReportV2(config, snapshotResponse.id)
-      if (config.save !== undefined) {
-        await auditSave.auditSave(config)
-      } else {
-        console.log('\nUse contrast audit --save to generate an SBOM')
-      }
       const endTime = performance.now() - startTime
       const scanDurationMs = endTime - startTime
-
       console.log(
         `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
       )
+    } else {
+      await legacyFlow(config, messageToSend)
     }
   } else {
     if (filesFound.length === 0) {

package/src/scan/autoDetection.js

@@ -1,6 +1,8 @@
 const i18n = require('i18n')
 const fileFinder = require('./fileUtils')
-
+const {
+  supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET }
+} = require('../constants/constants')
 const autoDetectFingerprintInfo = async (filePath, depth) => {
   let complexObj = await fileFinder.findAllFiles(filePath, depth)
   let result = []
@@ -13,6 +15,44 @@ const autoDetectFingerprintInfo = async (filePath, depth) => {
   return result
 }
 
+const detectPackageManager = async array => {
+  array.forEach(i => {
+    if (i.filePath.includes('pom.xml')) {
+      i['language'] = JAVA
+      i['packageManager'] = 'MAVEN'
+    }
+    if (i.filePath.includes('build.gradle.kts')) {
+      i['language'] = JAVA
+      i['packageManager'] = 'GRADLE'
+    }
+    if (i.filePath.includes('build.gradle')) {
+      i['language'] = JAVA
+      i['packageManager'] = 'GRADLE'
+    }
+    if (i.filePath.includes('package.json')) {
+      i['language'] = JAVASCRIPT
+      i['packageManager'] = 'NPM'
+    }
+    if (i.filePath.includes('yarn.lock')) {
+      i['language'] = JAVASCRIPT
+      i['packageManager'] = 'YARN'
+    }
+    if (i.filePath.includes('Pipfile')) {
+      i['language'] = PYTHON
+    }
+    if (i.filePath.includes('csproj')) {
+      i['language'] = DOTNET
+    }
+    if (i.filePath.includes('Gemfile')) {
+      i['language'] = RUBY
+    }
+    if (i.filePath.includes('go.mod')) {
+      i['language'] = GO
+    }
+  })
+  return array
+}
+
 const autoDetectFileAndLanguage = async configToUse => {
   const entries = await fileFinder.findFile()
 
@@ -67,7 +107,7 @@ const dealWithMultiJava = filesFound => {
   let hasMultiJava =
     filesFound.filter(data => {
       return (
-        Object.keys(data)[0] === 'JAVA' &&
+        Object.keys(data)[0] === JAVA &&
         Object.values(data)[0].includes('build.gradle') &&
         Object.values(data)[0].includes('pom.xml')
       )
@@ -119,5 +159,6 @@ module.exports = {
   autoDetectAuditFilesAndLanguages,
   errorOnAuditFileDetection,
   autoDetectFingerprintInfo,
-  dealWithMultiJava
+  dealWithMultiJava,
+  detectPackageManager
 }

package/src/scan/fileUtils.js

@@ -18,6 +18,7 @@ const findAllFiles = async (filePath, depth = 2) => {
       '**/build.gradle',
       '**/build.gradle.kts',
       '**/package.json',
+      '**/yarn.lock',
       '**/Pipfile',
       '**/*.csproj',
       '**/Gemfile',
@@ -38,19 +39,19 @@ const findAllFiles = async (filePath, depth = 2) => {
   return []
 }
 
-const findFilesJava = async (languagesFound, filePath) => {
+const findFilesJava = async (languagesFound, filePath, depth = 1) => {
   const result = await fg(
     ['**/pom.xml', '**/build.gradle', '**/build.gradle.kts'],
     {
       dot: false,
-      deep: 1,
+      deep: depth,
       onlyFiles: true,
       cwd: filePath ? filePath : process.cwd()
     }
   )
 
   if (result.length > 0) {
-    return languagesFound.push({ JAVA: result })
+    return languagesFound.push({ JAVA: result, language: 'JAVA' })
   }
   return languagesFound
 }
@@ -67,7 +68,7 @@ const findFilesJavascript = async (languagesFound, filePath) => {
   )
 
   if (result.length > 0) {
-    return languagesFound.push({ JAVASCRIPT: result })
+    return languagesFound.push({ JAVASCRIPT: result, language: 'JAVASCRIPT' })
   }
   return languagesFound
 }