npm - @contrast/contrast - Versions diffs - 1.0.23 → 2.0.0 - Mend

@contrast/contrast 1.0.23 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (71) hide show

package/README.md +21 -138
package/dist/audit/languageAnalysisEngine/sendSnapshot.js +2 -19
package/dist/audit/save.js +6 -1
package/dist/cliConstants.js +29 -0
package/dist/commands/audit/auditController.js +2 -1
package/dist/commands/audit/help.js +3 -2
package/dist/commands/audit/processAudit.js +2 -0
package/dist/commands/audit/saveFile.js +5 -1
package/dist/commands/github/projectGroup.js +164 -0
package/dist/common/HTTPClient.js +165 -13
package/dist/constants/constants.js +3 -5
package/dist/constants/locales.js +7 -3
package/dist/index.js +0 -4
package/dist/lambda/lambda.js +3 -1
package/dist/scaAnalysis/common/commonReportingFunctionsSca.js +3 -3
package/dist/scaAnalysis/common/scaServicesUpload.js +77 -7
package/dist/scaAnalysis/common/treeUpload.js +19 -5
package/dist/scaAnalysis/go/goAnalysis.js +6 -1
package/dist/scaAnalysis/java/index.js +6 -1
package/dist/scaAnalysis/javascript/index.js +5 -2
package/dist/scaAnalysis/legacy/legacyFlow.js +33 -0
package/dist/scaAnalysis/php/index.js +8 -2
package/dist/scaAnalysis/processServicesFlow.js +21 -0
package/dist/scaAnalysis/python/analysis.js +10 -4
package/dist/scaAnalysis/python/index.js +6 -1
package/dist/scaAnalysis/repoMode/index.js +2 -2
package/dist/scaAnalysis/ruby/analysis.js +10 -1
package/dist/scaAnalysis/ruby/index.js +6 -1
package/dist/scaAnalysis/scaAnalysis.js +47 -25
package/dist/scan/autoDetection.js +41 -2
package/dist/scan/fileUtils.js +5 -4
package/dist/utils/commonApi.js +26 -1
package/dist/utils/settingsHelper.js +14 -0
package/package.json +8 -5
package/src/audit/languageAnalysisEngine/sendSnapshot.js +3 -22
package/src/audit/save.js +10 -1
package/src/cliConstants.js +32 -0
package/src/commands/audit/auditController.js +2 -1
package/src/commands/audit/help.js +3 -2
package/src/commands/audit/processAudit.js +2 -0
package/src/commands/audit/saveFile.js +6 -1
package/src/commands/github/projectGroup.js +187 -0
package/src/common/HTTPClient.js +221 -13
package/src/constants/constants.js +3 -5
package/src/constants/locales.js +9 -3
package/src/index.ts +0 -5
package/src/lambda/lambda.ts +3 -1
package/src/lambda/lambdaUtils.ts +1 -1
package/src/scaAnalysis/common/commonReportingFunctionsSca.js +3 -3
package/src/scaAnalysis/common/scaServicesUpload.js +92 -7
package/src/scaAnalysis/common/treeUpload.js +20 -5
package/src/scaAnalysis/go/goAnalysis.js +6 -1
package/src/scaAnalysis/java/index.js +6 -1
package/src/scaAnalysis/javascript/index.js +6 -4
package/src/scaAnalysis/legacy/legacyFlow.js +48 -0
package/src/scaAnalysis/php/index.js +8 -2
package/src/scaAnalysis/processServicesFlow.js +29 -0
package/src/scaAnalysis/python/analysis.js +10 -4
package/src/scaAnalysis/python/index.js +6 -1
package/src/scaAnalysis/repoMode/index.js +2 -2
package/src/scaAnalysis/ruby/analysis.js +11 -1
package/src/scaAnalysis/ruby/index.js +6 -1
package/src/scaAnalysis/scaAnalysis.js +61 -37
package/src/scan/autoDetection.js +44 -3
package/src/scan/fileUtils.js +5 -4
package/src/utils/commonApi.js +29 -1
package/src/utils/settingsHelper.js +16 -0
package/dist/commands/fingerprint/processFingerprint.js +0 -14
package/src/commands/fingerprint/processFingerprint.js +0 -21
/package/dist/commands/{fingerprint → github}/fingerprintConfig.js +0 -0
/package/src/commands/{fingerprint → github}/fingerprintConfig.js +0 -0

package/README.md CHANGED Viewed

@@ -1,152 +1,35 @@
-# CodeSec by Contrast Security
+# Contrast CLI
-CodeSec delivers:
+Use the ‘contrast’ command for fast and accurate security analysis of your applications, APIs, serverless functions, and libraries.
-- The fastest and most accurate SAST scanner.
-- Immediate and actionable results — scan code and serverless environments.
-- A frictionless and seamless sign-in process with GitHub or Google Account. From start to finish in minutes.
-- By running a scan on your lambda functions, you can find: Least privilege identity and access management (IAM) vulnerabilities (over permissive policies) and remediation.
+## Supported
-## Install
+<p><b>Code</b>: Java, .NET, .NET Core, JavaScript</p>
+<p><b>Serverless</b>: AWS Lambda - Java, Python</p>
+<p><b>Libraries</b>: Java, .NET, Node, Ruby, Python, Go, PHP</p>
-```shell
-npm install --location=global @contrast/contrast
-```
-## Authenticate
-Authenticate by entering contrast auth in the terminal.
-In the resulting browser window, log in and authenticate with your GitHub or Google credentials.
-## Run a scan
-### SAST scan
+## What can I do?
-#### Scan Requirements
+<p><code>contrast audit</code> to run a security audit of your dependencies and see results.</p>
+<p><code>contrast scan</code> to run Contrast's industry leading SAST scanner and see results.</p>
+<p><code>contrast lambda</code> to secure your AWS serverless functions.</p>
+<p><code>contrast learn</code> launches Contrast's Secure Code Learning Hub.</p>
+<p><code>contrast help</code> for full list of commands, options & support.</p>
-Make sure you have the correct file types to scan.
+### New CodeSec user?
-- Upload a .jar or .war file to scan a Java project for analysis
-- Upload a .js or .zip file to scan a JavaScript project for analysis
-- Upload a .exe. or .zip file to scan a .NET c# web forms project
-Start scanning
-Use the Contrast scan command `contrast scan`
-### Lambda function scan
-#### Lambda Requirements
-- Currently supports Java and Python functions on AWS.
-  Configure AWS credentials on your local environment by running the commands with your credentials:
+Get going:
 ```shell
-export AWS_DEFAULT_REGION=<YOUR_AWS_REGION>
-export AWS_ACCESS_KEY_ID=<YOUR_ACCESS_KEY_ID>
-export AWS_SECRET_ACCESS_KEY=<YOUR_SECRET_ACCESS_KEY>
+npm install --location=global @contrast/contrast@1
 ```
-- AWS credentials should be available on your local configure (usually **~/.aws/credentials**). You have an option to run a lambda scan with your aws-profile to pass --profile. You also can export different credentials.
-- These permissions are required to gather all required information on an AWS Lambda to use the `contrast lambda` command:
-  - Lambda: [GetFunction](https://docs.aws.amazon.com/lambda/latest/dg/API_GetFunction.html) | [GetLayerVersion](https://docs.aws.amazon.com/lambda/latest/dg/API_GetLayerVersion.html) | [ListFunctions](https://docs.aws.amazon.com/lambda/latest/dg/API_ListFunctions.html)
-  - IAM: [GetRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRolePolicy.html) | [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html) | [GetPolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicyVersion.html) | [ListRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html) | [ListAttachedRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html)
-### Start scanning
-Use contrast lambda to scan your AWS Lambda functions.
-`contrast lambda --function-name MyFunctionName --region my-aws-region`
-## Contrast commands
-### auth
-Authenticate Contrast using your GitHub or Google account. A new browser window will open for login.
-**Usage:** `contrast auth`
-### config
-Displays stored credentials.
-**Usage:** `contrast config`
-**Options:**
-- **-c, --clear** - Removes stored credentials.
+<p>Read more: https://www.contrastsecurity.com/developer/codesec</p>
-### scan
+### Contrast existing Enterprise user?
-Performs a security SAST scan.
-**Usage:** `contrast scan [option]`
-**Options:**
-- **contrast scan --file**
-  - Path of the file you want to scan. Contrast searches for a .jar, .war, .js. or .zip file in the working directory if a file is not specified.
-  - Alias: **--f**
-- **contrast scan --name**
-  - Contrast project name. If not specified, Contrast uses contrast.settings to identify the project or creates a project.
-  - Alias: **–n**
-- **contrast scan --save**
-  - Download the results to a Static Analysis Results Interchange Format (SARIF) file. The file is downloaded to the current working directory with a default name of results.sarif. You can view the file with any text editor.
-  - Alias: **-s**
-- **contrast scan --timeout**
-  - Time in seconds to wait for the scan to complete. Default value is 300 seconds.
-  - Alias: **-t**
-### lambda
-Name of AWS lambda function to scan.
-**Usage:** `contrast lambda --function-name`
-**Options:**
-- **contrast lambda --list-functions**
-  Lists all available lambda functions to scan.
-- **contrast lambda --function-name --endpoint-url**
-  AWS Endpoint override. Similar to AWS CLI.
-  Alias: **-e**
-- **contrast lambda --function-name --region**
-  Region override. Defaults to AWS_DEFAULT_REGION. Similar to AWS CLI.
-  Alias: **-r**
-- **contrast lambda --function-name --profile**
-  AWS configuration profile override. Similar to AWS CLI.
-  Alias: **-p**
-- **contrast lambda --function-name --json**
-  Return response in JSON (versus default human-readable format).
-  Alias: **-j**
-- **contrast lambda -–function-name -–verbose**
-  Returns extended information to the terminal.
-  Alias: **-v**
-- **contrast lambda --function-name -–help**
-  Displays usage guide.
-  Alias: **-h**
-### help
-Displays usage guide. To list detailed help for any CLI command, add the -h or --help flag to the command.
-**Usage:** `contrast scan --help`
-Alias: **-h**
-### version
+```shell
+npm install --location=global @contrast/contrast@2
+```
-Displays version of Contrast CLI.
-**Usage:** `contrast version` Alias: **-v**, **--version**
+Read more: https://docs.contrastsecurity.com/en/install-contrast-cli.html

package/dist/audit/languageAnalysisEngine/sendSnapshot.js CHANGED Viewed

@@ -17,21 +17,10 @@ const pollSnapshotResults = async (config, snapshotId, client) => {
         console.log(err);
     });
 };
-const getTimeout = config => {
-    if (config.timeout) {
-        return config.timeout;
-    }
-    else {
-        if (config.verbose) {
-            console.log('Timeout set to 5 minutes');
-        }
-        return 300;
-    }
-};
 const pollForSnapshotCompletion = async (config, snapshotId, reportSpinner) => {
     const client = commonApi.getHttpClient(config);
     const startTime = performance.now();
-    const timeout = getTimeout(config);
+    const timeout = commonApi.getTimeout(config);
     let complete = false;
     if (!_.isNil(snapshotId)) {
         while (!complete) {
@@ -52,13 +41,7 @@ const pollForSnapshotCompletion = async (config, snapshotId, reportSpinner) => {
                     process.exit(1);
                 }
             }
-            const endTime = performance.now() - startTime;
-            if (requestUtils.millisToSeconds(endTime) > timeout) {
-                oraFunctions.failSpinner(reportSpinner, 'Contrast audit timed out at the specified timeout of ' +
-                    timeout +
-                    ' seconds.');
-                throw new Error('You can update the timeout using --timeout');
-            }
+            commonApi.handleTimeout(startTime, timeout, reportSpinner);
         }
     }
 };

package/dist/audit/save.js CHANGED Viewed

@@ -7,6 +7,7 @@ const sbom = require('../sbom/generateSbom');
 const { SBOM_CYCLONE_DX_FILE, SBOM_SPDX_FILE } = require('../constants/constants');
 async function auditSave(config, reportId) {
     let fileFormat;
+    config.save = config.save ? config.save.toUpperCase() : config.save;
     switch (config.save) {
         case null:
         case SBOM_CYCLONE_DX_FILE:
@@ -31,7 +32,11 @@ async function auditSave(config, reportId) {
                 save.saveFile(config, fileFormat, sbomResponse);
             }
         }
-        const filename = `${config.applicationId}-sbom-${fileFormat}.json`;
+        let fileStart = config.legacy ? config.applicationId : config.projectId;
+        if (fileStart === undefined) {
+            fileStart = 'my';
+        }
+        const filename = `${fileStart}-sbom-${fileFormat}.json`;
         if (fs.existsSync(filename)) {
             console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`);
         }

package/dist/cliConstants.js CHANGED Viewed

@@ -224,6 +224,13 @@ const auditAdvancedOptionDefinitionsForHelp = [
             '}: ' +
             i18n.__('constantsApplicationName')
     },
+    {
+        name: 'name',
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}: ' +
+            i18n.__('constantsProjectName')
+    },
     {
         name: 'app-groups',
         description: '{bold ' +
@@ -353,6 +360,23 @@ const auditOptionDefinitions = [
             i18n.__('constantsOptional') +
             '}:' +
             i18n.__('auditOptionsBranchSummary')
+    },
+    {
+        name: 'legacy',
+        alias: 'l',
+        type: Boolean,
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}:' +
+            i18n.__('auditOptionsLegacySummary')
+    },
+    {
+        name: 'repo',
+        type: Boolean,
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}:' +
+            i18n.__('auditOptionsRepoSummary')
     }
 ];
 const fingerprintOptionDefinitions = [
@@ -361,6 +385,11 @@ const fingerprintOptionDefinitions = [
         name: 'depth',
         type: Number,
         description: '{bold ' + i18n.__('constantsOptional') + '}: ' + i18n.__('depthOption')
+    },
+    {
+        name: 'repoUrl',
+        type: String,
+        description: ''
     }
 ];
 const mainUsageGuide = commandLineUsage([

package/dist/commands/audit/auditController.js CHANGED Viewed

@@ -39,5 +39,6 @@ const removeLastChar = str => {
     return str.substring(0, str.length - 1);
 };
 module.exports = {
-    dealWithNoAppId
+    dealWithNoAppId,
+    getAppName
 };

package/dist/commands/audit/help.js CHANGED Viewed

@@ -53,9 +53,10 @@ const auditUsageGuide = commandLineUsage([
             'language',
             'app-groups',
             'metadata',
-            'track',
             'fingerprint',
-            'branch'
+            'branch',
+            'repo',
+            'name'
         ]
     },
     {

package/dist/commands/audit/processAudit.js CHANGED Viewed

@@ -4,12 +4,14 @@ const { auditUsageGuide } = require('./help');
 const scaController = require('../../scaAnalysis/scaAnalysis');
 const { sendTelemetryConfigAsObject } = require('../../telemetry/telemetry');
 const { postRunMessage } = require('../../common/commonHelp');
+const settingsHelper = require('../../utils/settingsHelper');
 const processAudit = async (contrastConf, argvMain) => {
     if (argvMain.indexOf('--help') !== -1) {
         printHelpMessage();
         process.exit(0);
     }
     let config = await auditConfig.getAuditConfig(contrastConf, 'audit', argvMain);
+    config = await settingsHelper.getSettings(config);
     await scaController.processSca(config);
     if (!config.fingerprint) {
         postRunMessage('audit');

package/dist/commands/audit/saveFile.js CHANGED Viewed

@@ -1,7 +1,11 @@
 "use strict";
 const fs = require('fs');
 const saveFile = (config, type, rawResults) => {
-    const fileName = `${config.applicationId}-sbom-${type}.json`;
+    let fileStart = config.legacy ? config.applicationId : config.projectId;
+    if (fileStart === undefined) {
+        fileStart = 'my';
+    }
+    const fileName = `${fileStart}-sbom-${type}.json`;
     fs.writeFileSync(fileName, JSON.stringify(rawResults));
 };
 module.exports = {

package/dist/commands/github/projectGroup.js ADDED Viewed

@@ -0,0 +1,164 @@
+"use strict";
+const commonApi = require('../../utils/commonApi');
+const { getAppName } = require('../audit/auditController');
+const getProjectIdByOrg = async (config) => {
+    const client = await commonApi.getHttpClient(config);
+    config.language = config.language === 'NODE' ? 'JAVASCRIPT' : config.language;
+    let projectId = '';
+    let projectByOrg = await retrieveProjectByOrganization(config, client);
+    if (projectByOrg?.length > 0) {
+        projectId = getProjectIdFromArray(config, projectByOrg);
+    }
+    return projectId;
+};
+const registerNewProjectGroup = async (config) => {
+    let projectId = '';
+    let body = {
+        organizationId: config.organizationId,
+        name: config.name ? config.name : config.file,
+        repositoryId: null,
+        type: 'CLI'
+    };
+    const client = await commonApi.getHttpClient(config);
+    body.projects = createProjects([config]);
+    let projectGroupInfo = await client
+        .registerProjectGroup(config, body)
+        .then(res => {
+        if (config.debug || config.verbose) {
+            console.log('\nRegister ProjectGroup');
+            console.log(res.statusCode);
+            console.log(res.body);
+        }
+        if (res.statusCode === 201 || res.statusCode === 200) {
+            if (config.debug || config.verbose) {
+                console.log('registerProjectGroup - response');
+                console.log('response', res.body);
+            }
+            return res?.body?.projectGroupId;
+        }
+        if (res.statusCode === 409) {
+            return [];
+        }
+    })
+        .catch(err => {
+        console.log('\nError Registering Project Group');
+        console.log(err.statusCode);
+    });
+    return projectGroupInfo;
+};
+const createProjects = params => {
+    let projectsArray = [];
+    let projects = {};
+    params.forEach(param => {
+        projects = {
+            path: param.file,
+            name: param.name ? param.name : param.file,
+            source: 'SCA',
+            language: param.language,
+            packageManager: 'MAVEN',
+            target: 'SCA',
+            sourceId: ''
+        };
+        projectsArray.push(projects);
+    });
+    return projectsArray;
+};
+const getExistingGroupProjectId = (config, projectGroupsInfoEx) => {
+    let existingGroupProjectId = '';
+    projectGroupsInfoEx.forEach(i => {
+        if (i.name === config.name) {
+            existingGroupProjectId = i.projectGroupId;
+        }
+    });
+    return existingGroupProjectId;
+};
+const getProjectIdFromArray = (config, array) => {
+    let projectId = '';
+    array?.forEach(i => {
+        if (i.name === config.name) {
+            projectId = i.projectId;
+        }
+    });
+    return projectId;
+};
+const registerProjectIdOnCliServices = async (config, projectId) => {
+    const client = commonApi.getHttpClient(config);
+    let cliServicesBody = {
+        projectId: projectId,
+        name: config.name
+    };
+    let result = await client
+        .registerOnCliServices(config, cliServicesBody)
+        .then(res => {
+        if (config.debug || config.verbose) {
+            console.log('\nregistration on cli services');
+            console.log(res.statusCode);
+        }
+        if (res.statusCode === 201 || res.statusCode === 200) {
+            return res.body;
+        }
+        else {
+            return [];
+        }
+    });
+    return result;
+};
+const retrieveExistingProjectIdWithProjectGroupId = async (config, client, projectGroupId) => {
+    let groups = await client
+        .retrieveExistingProjectIdByProjectGroupId(config, projectGroupId)
+        .then(res => {
+        if (config.debug || config.verbose) {
+            console.log('\nRetrieve Existing ProjectId By ProjectGroupId');
+            console.log(res.statusCode);
+            console.log(res.body);
+        }
+        if (res.statusCode === 200) {
+            return res.body;
+        }
+        else {
+            return [];
+        }
+    });
+    return getProjectIdFromArray(config, groups);
+};
+const retrieveProjectByOrganization = async (config, client) => {
+    return await client.retrieveProjectByOrganizationId(config).then(res => {
+        if (config.debug || config.verbose) {
+            console.log('\nRetrieve Project By OrganizationId');
+            console.log(res.statusCode);
+            console.log(res.body);
+        }
+        if (res.statusCode === 201 || res.statusCode === 200) {
+            return res.body;
+        }
+        else {
+            return [];
+        }
+    });
+};
+const retrieveExistingProjectGroups = async (config, client) => {
+    return await client.retrieveExistingProjectGroupsByOrg(config).then(res => {
+        if (res.statusCode === 201 || res.statusCode === 200) {
+            return res.body;
+        }
+        else {
+            return [];
+        }
+    });
+};
+const dealWithNoName = async (config) => {
+    try {
+        config.name = getAppName(config.file);
+    }
+    catch (e) {
+        console.log(e.message.toString());
+        process.exit(1);
+    }
+    return config;
+};
+module.exports = {
+    getProjectIdByOrg,
+    registerProjectIdOnCliServices,
+    dealWithNoName,
+    registerNewProjectGroup
+};