@contrast/contrast 1.0.23 → 2.0.0

package/src/scaAnalysis/common/scaServicesUpload.js

@@ -1,10 +1,20 @@
 const commonApi = require('../../utils/commonApi')
 const { APP_VERSION } = require('../../constants/constants')
 const requestUtils = require('../../utils/requestUtils')
+const { performance } = require('perf_hooks')
 
-const scaTreeUpload = async (analysis, config) => {
+const scaTreeUpload = async (analysis, config, reportSpinner) => {
+  if (config.projectId === '') {
+    console.log(
+      'We were unable to create/locate a project for this manifest, please try again or run with --debug for more information'
+    )
+    process.exit(1)
+  }
+
+  config.language = config.language === 'JAVASCRIPT' ? 'NODE' : config.language
+  const startTime = performance.now()
+  const timeout = commonApi.getTimeout(config)
   const requestBody = {
-    applicationId: config.applicationId,
     dependencyTree: analysis,
     organizationId: config.organizationId,
     language: config.language,
@@ -22,7 +32,7 @@ const scaTreeUpload = async (analysis, config) => {
   const reportID = await client
     .scaServiceIngest(requestBody, config)
     .then(res => {
-      if (res.statusCode === 201) {
+      if (res.statusCode === 201 || res.statusCode === 200) {
         return res.body.libraryIngestJobId
       } else {
         throw new Error(res.statusCode + ` error ingesting dependencies`)
@@ -40,21 +50,95 @@ const scaTreeUpload = async (analysis, config) => {
   while (keepChecking) {
     res = await client.scaServiceReportStatus(config, reportID).then(res => {
       if (config.debug) {
-        console.log(res.statusCode)
+        console.log('scaServiceReportStatus', res.statusCode)
         console.log(res.body)
       }
       if (res.body.status === 'COMPLETED') {
         keepChecking = false
         return client.scaServiceReport(config, reportID).then(res => {
           const reportBody = res.body
-          return { reportBody, reportID }
+          return { reportBody, reportId: reportID }
         })
       }
     })
 
     if (!keepChecking) {
-      return { reportArray: res.reportBody, reportID }
+      return { reportArray: res.reportBody, reportId: reportID }
     }
+
+    commonApi.handleTimeout(startTime, timeout, reportSpinner)
+
+    await requestUtils.sleep(5000)
+  }
+
+  return { reportArray: res, reportID }
+}
+
+const noProjectUpload = async (analysis, config, reportSpinner) => {
+  config.language = config.language === 'JAVASCRIPT' ? 'NODE' : config.language
+  const startTime = performance.now()
+  const timeout = commonApi.getTimeout(config)
+  const requestBody = {
+    dependencyTree: analysis,
+    language: config.language,
+    tool: {
+      name: 'Contrast Codesec',
+      version: APP_VERSION
+    }
+  }
+
+  if (config.branch) {
+    requestBody.branchName = config.branch
+  }
+
+  const client = commonApi.getHttpClient(config)
+  const reportID = await client
+    .noProjectIdUpload(requestBody, config)
+    .then(res => {
+      if (res.statusCode === 201 || res.statusCode === 200) {
+        return res.body.libraryIngestJobId
+      } else {
+        throw new Error(
+          res.statusCode + ` error ingesting dependencies with no project id`
+        )
+      }
+    })
+    .catch(err => {
+      throw err
+    })
+
+  if (config.debug) {
+    console.log(' polling report no project', reportID)
+  }
+
+  let keepChecking = true
+  let res
+  while (keepChecking) {
+    res = await client
+      .scaServiceNoProjectIdReportStatus(config, reportID)
+      .then(res => {
+        if (config.debug) {
+          console.log('\nscaServiceReportStatus')
+          console.log(res.statusCode)
+          console.log(res.body)
+        }
+        if (res.body.status === 'COMPLETED') {
+          keepChecking = false
+          return client
+            .scaServiceReportNoProjectId(config, reportID)
+            .then(res => {
+              const reportBody = res.body
+              return { reportBody, reportId: reportID }
+            })
+        }
+      })
+
+    if (!keepChecking) {
+      return { reportArray: res.reportBody, reportId: reportID }
+    }
+
+    commonApi.handleTimeout(startTime, timeout, reportSpinner)
+
     await requestUtils.sleep(5000)
   }
 
@@ -62,5 +146,6 @@ const scaTreeUpload = async (analysis, config) => {
 }
 
 module.exports = {
-  scaTreeUpload
+  scaTreeUpload,
+  noProjectUpload
 }

package/src/scaAnalysis/common/treeUpload.js

@@ -3,11 +3,13 @@ const { APP_VERSION } = require('../../constants/constants')
 
 const commonSendSnapShot = async (analysis, config) => {
   let requestBody = {}
-  requestBody = {
-    appID: config.applicationId,
-    cliVersion: APP_VERSION,
-    snapshot: analysis
-  }
+  config.legacy === false
+    ? (requestBody = sendToSCAServices(config, analysis))
+    : (requestBody = {
+        appID: config.applicationId,
+        cliVersion: APP_VERSION,
+        snapshot: analysis
+      })
 
   const client = commonApi.getHttpClient(config)
   return client
@@ -31,6 +33,19 @@ const commonSendSnapShot = async (analysis, config) => {
     })
 }
 
+const sendToSCAServices = (config, analysis) => {
+  return {
+    applicationId: config.applicationId,
+    dependencyTree: analysis,
+    organizationId: config.organizationId,
+    language: config.language,
+    tool: {
+      name: 'Contrast Codesec',
+      version: APP_VERSION
+    }
+  }
+}
+
 module.exports = {
   commonSendSnapShot
 }

package/src/scaAnalysis/go/goAnalysis.js

@@ -10,7 +10,12 @@ const goAnalysis = config => {
     const rawGoDependencies = goReadDepFile.getGoDependencies(config)
     const parsedGoDependencies =
       goParseDeps.parseGoDependencies(rawGoDependencies)
-    return createGoTSMessage(parsedGoDependencies)
+
+    if (config.legacy === false) {
+      return parseDependenciesForSCAServices(parsedGoDependencies)
+    } else {
+      return createGoTSMessage(parsedGoDependencies)
+    }
   } catch (e) {
     console.log(e.message.toString())
   }

package/src/scaAnalysis/java/index.js

@@ -11,7 +11,12 @@ const javaAnalysis = async (config, languageFiles) => {
   })
 
   const javaDeps = buildJavaTree(config, languageFiles.JAVA)
-  return createJavaTSMessage(javaDeps)
+
+  if (config.legacy === false) {
+    return parseDependenciesForSCAServices(javaDeps)
+  } else {
+    return createJavaTSMessage(javaDeps)
+  }
 }
 
 const buildJavaTree = (config, files) => {

package/src/scaAnalysis/javascript/index.js

@@ -14,6 +14,10 @@ const jsAnalysis = async (config, languageFiles) => {
 const buildNodeTree = async (config, files) => {
   let analysis = await readFiles(config, files)
   const rawNode = await parseFiles(config, files, analysis)
+  if (config.legacy === false) {
+    return scaServiceParser.parseJS(rawNode)
+  }
+
   return formatMessage.createJavaScriptTSMessage(rawNode)
 }
 
@@ -60,10 +64,8 @@ const parseFiles = async (config, files, js) => {
       )
     }
 
-    if (currentLockFileVersion === 3) {
-      throw new Error(
-        `NPM lockfileVersion 3 is only supported when using the '-e' flag.`
-      )
+    if (currentLockFileVersion === 3 && config.legacy) {
+      throw new Error(`NPM lockfileVersion 3 is not support with --legacy`)
     }
 
     js.npmLockFile = await analysis.parseNpmLockFile(npmLockFile)

package/src/scaAnalysis/legacy/legacyFlow.js

@@ -0,0 +1,48 @@
+const auditController = require('../../commands/audit/auditController')
+const {
+  returnOra,
+  startSpinner,
+  succeedSpinner
+} = require('../../utils/oraWrapper')
+const i18n = require('i18n')
+const treeUpload = require('../common/treeUpload')
+const {
+  pollForSnapshotCompletion
+} = require('../../audit/languageAnalysisEngine/sendSnapshot')
+const { vulnerabilityReportV2 } = require('../../audit/report/reportingFeature')
+const { auditSave } = require('../../audit/save')
+
+const legacyFlow = async (config, messageToSend) => {
+  const startTime = performance.now()
+  if (!config.applicationId) {
+    config.applicationId = await auditController.dealWithNoAppId(config)
+  }
+
+  console.log('') //empty log for space before spinner
+  //send message to TS
+  const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
+  startSpinner(reportSpinner)
+  const snapshotResponse = await treeUpload.commonSendSnapShot(
+    messageToSend,
+    config
+  )
+
+  // poll for completion
+  await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner)
+  succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
+
+  await vulnerabilityReportV2(config, snapshotResponse.id)
+  if (config.save !== undefined) {
+    await auditSave(config)
+  } else {
+    console.log('\nUse contrast audit --save to generate an SBOM')
+  }
+  const endTime = performance.now() - startTime
+  const scanDurationMs = endTime - startTime
+
+  console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`)
+}
+
+module.exports = {
+  legacyFlow
+}

package/src/scaAnalysis/php/index.js

@@ -1,10 +1,16 @@
 const { readFile, parseProjectFiles } = require('./analysis')
 const { createPhpTSMessage } = require('../common/formatMessage')
+const { parsePHPLockFileForScaServices } = require('./phpNewServicesMapper')
 
 const phpAnalysis = config => {
   let analysis = readFiles(config)
-  const phpDep = parseProjectFiles(analysis)
-  return createPhpTSMessage(phpDep)
+
+  if (config.legacy === false) {
+    return parsePHPLockFileForScaServices(analysis.rawLockFileContents)
+  } else {
+    const phpDep = parseProjectFiles(analysis)
+    return createPhpTSMessage(phpDep)
+  }
 }
 
 const readFiles = config => {

package/src/scaAnalysis/processServicesFlow.js

@@ -0,0 +1,29 @@
+const projectConfig = require('../commands/github/projectGroup')
+const scaServicesUpload = require('../scaAnalysis/common/scaServicesUpload')
+const processUpload = async (analysis, config, reportSpinner) => {
+  let projectId = await projectConfig.getProjectIdByOrg(config)
+
+  if (projectId === '') {
+    if (config.track === true) {
+      await projectConfig.registerNewProjectGroup(config)
+      projectId = await projectConfig.getProjectIdByOrg(config)
+    }
+
+    if (config.track === false || config.track === undefined) {
+      return await scaServicesUpload.noProjectUpload(
+        analysis,
+        config,
+        reportSpinner
+      )
+    }
+  }
+
+  await projectConfig.registerProjectIdOnCliServices(config, projectId)
+  config.projectId = projectId
+
+  return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner)
+}
+
+module.exports = {
+  processUpload
+}

package/src/scaAnalysis/python/analysis.js

@@ -60,10 +60,16 @@ const checkForCorrectFiles = languageFiles => {
 
 const getPythonDeps = (config, languageFiles) => {
   try {
-    checkForCorrectFiles(languageFiles)
-    const parseProject = readAndParseProjectFile(config.file)
-    const parsePip = readAndParseLockFile(config.file)
-    return { pipfileLock: parsePip, pipfilDependanceies: parseProject }
+    if (config.legacy === false) {
+      let pythonLockFileContents = readLockFile(config.file)
+      return scaPythonParser(pythonLockFileContents)
+    } else {
+      checkForCorrectFiles(languageFiles)
+      const parseProject = readAndParseProjectFile(config.file)
+      const parsePip = readAndParseLockFile(config.file)
+
+      return { pipfileLock: parsePip, pipfilDependanceies: parseProject }
+    }
   } catch (err) {
     console.log(err.message.toString())
     process.exit(1)

package/src/scaAnalysis/python/index.js

@@ -3,7 +3,12 @@ const { getPythonDeps, secondaryParser } = require('./analysis')
 
 const pythonAnalysis = (config, languageFiles) => {
   const pythonDeps = getPythonDeps(config, languageFiles.PYTHON)
-  return createPythonTSMessage(pythonDeps)
+
+  if (config.legacy === false) {
+    return pythonDeps
+  } else {
+    return createPythonTSMessage(pythonDeps)
+  }
 }
 
 module.exports = {

package/src/scaAnalysis/repoMode/index.js

@@ -7,10 +7,10 @@ const buildRepo = async (config, languageFiles) => {
 
   if (project.projectType === 'maven') {
     let jsonPomFile = mavenParser.readPomFile(project)
-    mavenParser.parsePomFile(jsonPomFile)
+    return mavenParser.parsePomFile(jsonPomFile)
   } else if (project.projectType === 'gradle') {
     const gradleJson = gradleParser.readBuildGradleFile(project)
-    gradleParser.parseGradleJson(await gradleJson)
+    return gradleParser.parseGradleJson(await gradleJson)
   } else {
     console.log('Unable to read project files.')
   }

package/src/scaAnalysis/ruby/analysis.js

@@ -6,7 +6,17 @@ const getRubyDeps = (config, languageFiles) => {
     checkForCorrectFiles(languageFiles)
     const parsedGem = readAndParseGemfile(config.file)
     const parsedLock = readAndParseGemLockFile(config.file)
-    return { gemfilesDependanceies: parsedGem, gemfileLock: parsedLock }
+    if (config.legacy === false) {
+      const rubyArray = removeRedundantAndPopulateDefinedElements(
+        parsedLock.sources
+      )
+      let rubyTree = createRubyTree(rubyArray)
+      findChildrenDependencies(rubyTree)
+      processRootDependencies(parsedLock.dependencies, rubyTree)
+      return rubyTree
+    } else {
+      return { gemfilesDependanceies: parsedGem, gemfileLock: parsedLock }
+    }
   } catch (err) {
     throw err
   }

package/src/scaAnalysis/ruby/index.js

@@ -3,7 +3,12 @@ const { createRubyTSMessage } = require('../common/formatMessage')
 
 const rubyAnalysis = (config, languageFiles) => {
   const rubyDeps = analysis.getRubyDeps(config, languageFiles.RUBY)
-  return createRubyTSMessage(rubyDeps)
+
+  if (config.legacy === false) {
+    return rubyDeps
+  } else {
+    return createRubyTSMessage(rubyDeps)
+  }
 }
 
 module.exports = {

package/src/scaAnalysis/scaAnalysis.js

@@ -1,18 +1,12 @@
 const {
   supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET }
 } = require('../constants/constants')
-const {
-  pollForSnapshotCompletion
-} = require('../audit/languageAnalysisEngine/sendSnapshot')
 const {
   returnOra,
   startSpinner,
   succeedSpinner
 } = require('../utils/oraWrapper')
-const { vulnerabilityReportV2 } = require('../audit/report/reportingFeature')
 const autoDetection = require('../scan/autoDetection')
-const treeUpload = require('./common/treeUpload')
-const auditController = require('../commands/audit/auditController')
 const rootFile = require('../audit/languageAnalysisEngine/getProjectRootFilenames')
 const path = require('path')
 const i18n = require('i18n')
@@ -26,12 +20,16 @@ const { rubyAnalysis } = require('./ruby')
 const { pythonAnalysis } = require('./python')
 const javaAnalysis = require('./java')
 const jsAnalysis = require('./javascript')
+const auditReport = require('./common/auditReport')
+const processServices = require('./processServicesFlow')
 const chalk = require('chalk')
+const {
+  convertGenericToTypedReportModelSca
+} = require('./common/utils/reportUtilsSca')
+const projectConfig = require('../commands/github/projectGroup')
+const { legacyFlow } = require('./legacy/legacyFlow')
 
 const processSca = async config => {
-  //checks to see whether to use old TS / new SCA path
-
-  const startTime = performance.now()
   let filesFound
 
   if (config.help) {
@@ -64,7 +62,17 @@ const processSca = async config => {
     switch (Object.keys(filesFound[0])[0]) {
       case JAVA:
         config.language = JAVA
-        messageToSend = await javaAnalysis.javaAnalysis(config, filesFound[0])
+        if (config.repo && !config.legacy) {
+          try {
+            messageToSend = await repoMode.buildRepo(config, filesFound[0])
+          } catch (e) {
+            throw new Error(
+              'Unable to build in repository mode. Check your project file'
+            )
+          }
+        } else {
+          messageToSend = await javaAnalysis.javaAnalysis(config, filesFound[0])
+        }
         break
       case JAVASCRIPT:
         messageToSend = await jsAnalysis.jsAnalysis(config, filesFound[0])
@@ -87,43 +95,59 @@ const processSca = async config => {
         config.language = GO
         break
       case DOTNET:
-        messageToSend = dotNetAnalysis(config, filesFound[0])
-        config.language = DOTNET
-        break
+        if (config.legacy === false) {
+          console.log(
+            `${chalk.bold(
+              '\n.NET project found\n'
+            )} Language type is unsupported.`
+          )
+          return
+        } else {
+          messageToSend = dotNetAnalysis(config, filesFound[0])
+          config.language = DOTNET
+          break
+        }
       default:
         //something is wrong
         console.log('No supported language detected in project path')
         return
     }
 
-    if (!config.applicationId) {
-      config.applicationId = await auditController.dealWithNoAppId(config)
-    }
-    console.log('') //empty log for space before spinner
-    //send message to TS
-    const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
-    startSpinner(reportSpinner)
-    const snapshotResponse = await treeUpload.commonSendSnapShot(
-      messageToSend,
-      config
-    )
+    if (config.legacy === false) {
+      if (!config.name) {
+        config = await projectConfig.dealWithNoName(config)
+      }
+      const startTime = performance.now()
+      console.log('') //empty log for space before spinner
+      const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
+      startSpinner(reportSpinner)
 
-    // poll for completion
-    await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner)
-    succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
+      let reportResponse = await processServices.processUpload(
+        messageToSend,
+        config,
+        reportSpinner
+      )
 
-    await vulnerabilityReportV2(config, snapshotResponse.id)
-    if (config.save !== undefined) {
-      await auditSave.auditSave(config)
+      const reportModelLibraryList = convertGenericToTypedReportModelSca(
+        reportResponse.reportArray
+      )
+      auditReport.processAuditReport(config, reportModelLibraryList)
+      if (config.save !== undefined) {
+        await auditSave.auditSave(config, reportResponse.reportId)
+      } else {
+        console.log('Use contrast audit --save to generate an SBOM')
+      }
+
+      succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
+
+      const endTime = performance.now() - startTime
+      const scanDurationMs = endTime - startTime
+      console.log(
+        `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
+      )
     } else {
-      console.log('\nUse contrast audit --save to generate an SBOM')
+      await legacyFlow(config, messageToSend)
     }
-    const endTime = performance.now() - startTime
-    const scanDurationMs = endTime - startTime
-
-    console.log(
-      `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
-    )
   } else {
     if (filesFound.length === 0) {
       console.log(i18n.__('languageAnalysisNoLanguage'))

package/src/scan/autoDetection.js

@@ -1,6 +1,8 @@
 const i18n = require('i18n')
 const fileFinder = require('./fileUtils')
-
+const {
+  supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET }
+} = require('../constants/constants')
 const autoDetectFingerprintInfo = async (filePath, depth) => {
   let complexObj = await fileFinder.findAllFiles(filePath, depth)
   let result = []
@@ -13,6 +15,44 @@ const autoDetectFingerprintInfo = async (filePath, depth) => {
   return result
 }
 
+const detectPackageManager = async array => {
+  array.forEach(i => {
+    if (i.filePath.includes('pom.xml')) {
+      i['language'] = JAVA
+      i['packageManager'] = 'MAVEN'
+    }
+    if (i.filePath.includes('build.gradle.kts')) {
+      i['language'] = JAVA
+      i['packageManager'] = 'GRADLE'
+    }
+    if (i.filePath.includes('build.gradle')) {
+      i['language'] = JAVA
+      i['packageManager'] = 'GRADLE'
+    }
+    if (i.filePath.includes('package.json')) {
+      i['language'] = JAVASCRIPT
+      i['packageManager'] = 'NPM'
+    }
+    if (i.filePath.includes('yarn.lock')) {
+      i['language'] = JAVASCRIPT
+      i['packageManager'] = 'YARN'
+    }
+    if (i.filePath.includes('Pipfile')) {
+      i['language'] = PYTHON
+    }
+    if (i.filePath.includes('csproj')) {
+      i['language'] = DOTNET
+    }
+    if (i.filePath.includes('Gemfile')) {
+      i['language'] = RUBY
+    }
+    if (i.filePath.includes('go.mod')) {
+      i['language'] = GO
+    }
+  })
+  return array
+}
+
 const autoDetectFileAndLanguage = async configToUse => {
   const entries = await fileFinder.findFile()
 
@@ -67,7 +107,7 @@ const dealWithMultiJava = filesFound => {
   let hasMultiJava =
     filesFound.filter(data => {
       return (
-        Object.keys(data)[0] === 'JAVA' &&
+        Object.keys(data)[0] === JAVA &&
         Object.values(data)[0].includes('build.gradle') &&
         Object.values(data)[0].includes('pom.xml')
       )
@@ -119,5 +159,6 @@ module.exports = {
   autoDetectAuditFilesAndLanguages,
   errorOnAuditFileDetection,
   autoDetectFingerprintInfo,
-  dealWithMultiJava
+  dealWithMultiJava,
+  detectPackageManager
 }

package/src/scan/fileUtils.js

@@ -18,6 +18,7 @@ const findAllFiles = async (filePath, depth = 2) => {
       '**/build.gradle',
       '**/build.gradle.kts',
       '**/package.json',
+      '**/yarn.lock',
       '**/Pipfile',
       '**/*.csproj',
       '**/Gemfile',
@@ -38,19 +39,19 @@ const findAllFiles = async (filePath, depth = 2) => {
   return []
 }
 
-const findFilesJava = async (languagesFound, filePath) => {
+const findFilesJava = async (languagesFound, filePath, depth = 1) => {
   const result = await fg(
     ['**/pom.xml', '**/build.gradle', '**/build.gradle.kts'],
     {
       dot: false,
-      deep: 1,
+      deep: depth,
       onlyFiles: true,
       cwd: filePath ? filePath : process.cwd()
     }
   )
 
   if (result.length > 0) {
-    return languagesFound.push({ JAVA: result })
+    return languagesFound.push({ JAVA: result, language: 'JAVA' })
   }
   return languagesFound
 }
@@ -67,7 +68,7 @@ const findFilesJavascript = async (languagesFound, filePath) => {
   )
 
   if (result.length > 0) {
-    return languagesFound.push({ JAVASCRIPT: result })
+    return languagesFound.push({ JAVASCRIPT: result, language: 'JAVASCRIPT' })
   }
   return languagesFound
 }