@contrast/contrast 1.0.23 → 2.0.1

package/src/index.ts

@@ -5,7 +5,6 @@ import { processAudit } from './commands/audit/processAudit'
 import { processAuth } from './commands/auth/auth'
 import { processConfig } from './commands/config/config'
 import { processScan } from './commands/scan/processScan'
-import { processFingerprint } from './commands/fingerprint/processFingerprint'
 import constants from './cliConstants'
 import { APP_NAME, APP_VERSION } from './constants/constants'
 import { processLambda } from './lambda/lambda'
@@ -17,6 +16,7 @@ import {
 import { findCommandOnError } from './common/errorHandling'
 import { sendTelemetryConfigAsConfObj } from './telemetry/telemetry'
 import { processLearn } from './commands/learn/processLearn'
+import { processFingerprint } from './commands/github/processFingerprint'
 const {
   commandLineDefinitions: { mainUsageGuide, mainDefinition }
 } = constants
@@ -84,14 +84,14 @@ const start = async () => {
         return await processAudit(config, argvMain)
       }
 
-      if (command === 'learn') {
-        return processLearn()
-      }
-
       if (command === 'fingerprint') {
         return await processFingerprint(config, argvMain)
       }
 
+      if (command === 'learn') {
+        return processLearn()
+      }
+
       if (
         command === 'help' ||
         argvMain.includes('--help') ||

package/src/lambda/lambda.ts

@@ -126,7 +126,9 @@ const processLambda = async (argv: string[]) => {
 
 const getAvailableFunctions = async (lambdaOptions: LambdaOptions) => {
   const lambdas = await getAllLambdas(lambdaOptions)
-  printAvailableLambdas(lambdas, { runtimes: ['python', 'java', 'node'] })
+  printAvailableLambdas(lambdas, {
+    runtimes: ['python', 'java', 'node', 'dotnet']
+  })
 }
 
 const actualProcessLambda = async (lambdaOptions: LambdaOptions) => {

package/src/lambda/lambdaUtils.ts

@@ -11,7 +11,7 @@ import ora from '../utils/oraWrapper'
 import { LambdaOptions } from './lambda'
 import { log, getReadableFileSize } from './logUtils'
 
-type RuntimeLanguage = 'java' | 'python' | 'node'
+type RuntimeLanguage = 'java' | 'python' | 'node' | 'dotnet'
 
 type FilterLambdas = {
   runtimes: RuntimeLanguage[]

package/src/scaAnalysis/common/commonReportingFunctionsSca.js

@@ -142,12 +142,12 @@ const printFormattedOutputSca = (
     `${criticalMessage} | ${highMessage} | ${mediumMessage} | ${lowMessage} | ${noteMessage}`
   )
 
-  if (config.host !== CE_URL) {
+  if (config.host !== CE_URL && config.projectId) {
     console.log(
-      '\n' + chalk.bold('View your full dependency tree in Contrast:')
+      '\n' + chalk.bold("Check out your project's results in Contrast")
     )
     console.log(
-      `${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
+      `${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/libraries?view=static&projects=${config.name}`
     )
   }
 }

package/src/scaAnalysis/common/scaServicesUpload.js

@@ -1,10 +1,20 @@
 const commonApi = require('../../utils/commonApi')
 const { APP_VERSION } = require('../../constants/constants')
 const requestUtils = require('../../utils/requestUtils')
+const { performance } = require('perf_hooks')
 
-const scaTreeUpload = async (analysis, config) => {
+const scaTreeUpload = async (analysis, config, reportSpinner) => {
+  if (config.projectId === '') {
+    console.log(
+      'We were unable to create/locate a project for this manifest, please try again or run with --debug for more information'
+    )
+    process.exit(1)
+  }
+
+  config.language = config.language === 'JAVASCRIPT' ? 'NODE' : config.language
+  const startTime = performance.now()
+  const timeout = commonApi.getTimeout(config)
   const requestBody = {
-    applicationId: config.applicationId,
     dependencyTree: analysis,
     organizationId: config.organizationId,
     language: config.language,
@@ -22,7 +32,7 @@ const scaTreeUpload = async (analysis, config) => {
   const reportID = await client
     .scaServiceIngest(requestBody, config)
     .then(res => {
-      if (res.statusCode === 201) {
+      if (res.statusCode === 201 || res.statusCode === 200) {
         return res.body.libraryIngestJobId
       } else {
         throw new Error(res.statusCode + ` error ingesting dependencies`)
@@ -40,21 +50,95 @@ const scaTreeUpload = async (analysis, config) => {
   while (keepChecking) {
     res = await client.scaServiceReportStatus(config, reportID).then(res => {
       if (config.debug) {
-        console.log(res.statusCode)
+        console.log('scaServiceReportStatus', res.statusCode)
         console.log(res.body)
       }
       if (res.body.status === 'COMPLETED') {
         keepChecking = false
         return client.scaServiceReport(config, reportID).then(res => {
           const reportBody = res.body
-          return { reportBody, reportID }
+          return { reportBody, reportId: reportID }
         })
       }
     })
 
     if (!keepChecking) {
-      return { reportArray: res.reportBody, reportID }
+      return { reportArray: res.reportBody, reportId: reportID }
     }
+
+    commonApi.handleTimeout(startTime, timeout, reportSpinner)
+
+    await requestUtils.sleep(5000)
+  }
+
+  return { reportArray: res, reportID }
+}
+
+const noProjectUpload = async (analysis, config, reportSpinner) => {
+  config.language = config.language === 'JAVASCRIPT' ? 'NODE' : config.language
+  const startTime = performance.now()
+  const timeout = commonApi.getTimeout(config)
+  const requestBody = {
+    dependencyTree: analysis,
+    language: config.language,
+    tool: {
+      name: 'Contrast Codesec',
+      version: APP_VERSION
+    }
+  }
+
+  if (config.branch) {
+    requestBody.branchName = config.branch
+  }
+
+  const client = commonApi.getHttpClient(config)
+  const reportID = await client
+    .noProjectIdUpload(requestBody, config)
+    .then(res => {
+      if (res.statusCode === 201 || res.statusCode === 200) {
+        return res.body.libraryIngestJobId
+      } else {
+        throw new Error(
+          res.statusCode + ` error ingesting dependencies with no project id`
+        )
+      }
+    })
+    .catch(err => {
+      throw err
+    })
+
+  if (config.debug) {
+    console.log(' polling report no project', reportID)
+  }
+
+  let keepChecking = true
+  let res
+  while (keepChecking) {
+    res = await client
+      .scaServiceNoProjectIdReportStatus(config, reportID)
+      .then(res => {
+        if (config.debug) {
+          console.log('\nscaServiceReportStatus')
+          console.log(res.statusCode)
+          console.log(res.body)
+        }
+        if (res.body.status === 'COMPLETED') {
+          keepChecking = false
+          return client
+            .scaServiceReportNoProjectId(config, reportID)
+            .then(res => {
+              const reportBody = res.body
+              return { reportBody, reportId: reportID }
+            })
+        }
+      })
+
+    if (!keepChecking) {
+      return { reportArray: res.reportBody, reportId: reportID }
+    }
+
+    commonApi.handleTimeout(startTime, timeout, reportSpinner)
+
     await requestUtils.sleep(5000)
   }
 
@@ -62,5 +146,6 @@ const scaTreeUpload = async (analysis, config) => {
 }
 
 module.exports = {
-  scaTreeUpload
+  scaTreeUpload,
+  noProjectUpload
 }

package/src/scaAnalysis/common/treeUpload.js

@@ -3,11 +3,13 @@ const { APP_VERSION } = require('../../constants/constants')
 
 const commonSendSnapShot = async (analysis, config) => {
   let requestBody = {}
-  requestBody = {
-    appID: config.applicationId,
-    cliVersion: APP_VERSION,
-    snapshot: analysis
-  }
+  config.legacy === false
+    ? (requestBody = sendToSCAServices(config, analysis))
+    : (requestBody = {
+        appID: config.applicationId,
+        cliVersion: APP_VERSION,
+        snapshot: analysis
+      })
 
   const client = commonApi.getHttpClient(config)
   return client
@@ -31,6 +33,19 @@ const commonSendSnapShot = async (analysis, config) => {
     })
 }
 
+const sendToSCAServices = (config, analysis) => {
+  return {
+    applicationId: config.applicationId,
+    dependencyTree: analysis,
+    organizationId: config.organizationId,
+    language: config.language,
+    tool: {
+      name: 'Contrast Codesec',
+      version: APP_VERSION
+    }
+  }
+}
+
 module.exports = {
   commonSendSnapShot
 }

package/src/scaAnalysis/go/goAnalysis.js

@@ -10,7 +10,12 @@ const goAnalysis = config => {
     const rawGoDependencies = goReadDepFile.getGoDependencies(config)
     const parsedGoDependencies =
       goParseDeps.parseGoDependencies(rawGoDependencies)
-    return createGoTSMessage(parsedGoDependencies)
+
+    if (config.legacy === false) {
+      return parseDependenciesForSCAServices(parsedGoDependencies)
+    } else {
+      return createGoTSMessage(parsedGoDependencies)
+    }
   } catch (e) {
     console.log(e.message.toString())
   }

package/src/scaAnalysis/java/index.js

@@ -11,7 +11,12 @@ const javaAnalysis = async (config, languageFiles) => {
   })
 
   const javaDeps = buildJavaTree(config, languageFiles.JAVA)
-  return createJavaTSMessage(javaDeps)
+
+  if (config.legacy === false) {
+    return parseDependenciesForSCAServices(javaDeps)
+  } else {
+    return createJavaTSMessage(javaDeps)
+  }
 }
 
 const buildJavaTree = (config, files) => {

package/src/scaAnalysis/javascript/index.js

@@ -14,6 +14,10 @@ const jsAnalysis = async (config, languageFiles) => {
 const buildNodeTree = async (config, files) => {
   let analysis = await readFiles(config, files)
   const rawNode = await parseFiles(config, files, analysis)
+  if (config.legacy === false) {
+    return scaServiceParser.parseJS(rawNode)
+  }
+
   return formatMessage.createJavaScriptTSMessage(rawNode)
 }
 
@@ -60,10 +64,8 @@ const parseFiles = async (config, files, js) => {
       )
     }
 
-    if (currentLockFileVersion === 3) {
-      throw new Error(
-        `NPM lockfileVersion 3 is only supported when using the '-e' flag.`
-      )
+    if (currentLockFileVersion === 3 && config.legacy) {
+      throw new Error(`NPM lockfileVersion 3 is not support with --legacy`)
     }
 
     js.npmLockFile = await analysis.parseNpmLockFile(npmLockFile)

package/src/scaAnalysis/legacy/legacyFlow.js

@@ -0,0 +1,48 @@
+const auditController = require('../../commands/audit/auditController')
+const {
+  returnOra,
+  startSpinner,
+  succeedSpinner
+} = require('../../utils/oraWrapper')
+const i18n = require('i18n')
+const treeUpload = require('../common/treeUpload')
+const {
+  pollForSnapshotCompletion
+} = require('../../audit/languageAnalysisEngine/sendSnapshot')
+const { vulnerabilityReportV2 } = require('../../audit/report/reportingFeature')
+const { auditSave } = require('../../audit/save')
+
+const legacyFlow = async (config, messageToSend) => {
+  const startTime = performance.now()
+  if (!config.applicationId) {
+    config.applicationId = await auditController.dealWithNoAppId(config)
+  }
+
+  console.log('') //empty log for space before spinner
+  //send message to TS
+  const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
+  startSpinner(reportSpinner)
+  const snapshotResponse = await treeUpload.commonSendSnapShot(
+    messageToSend,
+    config
+  )
+
+  // poll for completion
+  await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner)
+  succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
+
+  await vulnerabilityReportV2(config, snapshotResponse.id)
+  if (config.save !== undefined) {
+    await auditSave(config)
+  } else {
+    console.log('\nUse contrast audit --save to generate an SBOM')
+  }
+  const endTime = performance.now() - startTime
+  const scanDurationMs = endTime - startTime
+
+  console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`)
+}
+
+module.exports = {
+  legacyFlow
+}

package/src/scaAnalysis/php/index.js

@@ -1,10 +1,16 @@
 const { readFile, parseProjectFiles } = require('./analysis')
 const { createPhpTSMessage } = require('../common/formatMessage')
+const { parsePHPLockFileForScaServices } = require('./phpNewServicesMapper')
 
 const phpAnalysis = config => {
   let analysis = readFiles(config)
-  const phpDep = parseProjectFiles(analysis)
-  return createPhpTSMessage(phpDep)
+
+  if (config.legacy === false) {
+    return parsePHPLockFileForScaServices(analysis.rawLockFileContents)
+  } else {
+    const phpDep = parseProjectFiles(analysis)
+    return createPhpTSMessage(phpDep)
+  }
 }
 
 const readFiles = config => {

package/src/scaAnalysis/processServicesFlow.js

@@ -0,0 +1,61 @@
+const projectConfig = require('../commands/github/projectGroup')
+const scaServicesUpload = require('../scaAnalysis/common/scaServicesUpload')
+
+const trackProcess = async (analysis, config, reportSpinner) => {
+  await projectConfig.registerNewProjectGroup(config)
+  let projectId = await projectConfig.getProjectIdByOrg(config)
+  await projectConfig.registerProjectIdOnCliServices(config, projectId)
+  config.projectId = projectId
+  return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner)
+}
+
+const repoProcess = async (analysis, config, reportSpinner) => {
+  let repoInfo = repoService.retrieveRepoId(config)
+  if (repoInfo.repoId === '') {
+    repoInfo = repoService.registerRepo(config)
+  }
+  await projectConfig.registerProjectIdOnCliServices(config, repoInfo.projectId)
+  return repoInfo
+}
+
+const dealWithNoProjectId = async (analysis, config, reportSpinner) => {
+  // if (config.repo === '') {
+  //   return repoProcess(analysis, config, reportSpinner)
+  // }
+  if (config.track) {
+    return trackProcess(analysis, config, reportSpinner)
+  }
+
+  if (!config.track) {
+    return await scaServicesUpload.noProjectUpload(
+      analysis,
+      config,
+      reportSpinner
+    )
+  }
+}
+
+const processUpload = async (analysis, config, reportSpinner) => {
+  //  if repo but no repoId -> RegisterRepo -> GroupProjectFlow THEN scaTreeUpload
+  //  if cli tracked but no projectId -> registerNewProjectGroup THEN scaTreeUpload
+  //  if cli not tracked and no projectID -> noProjectUpload
+  //  if cli not tracked and projectID -> scaTreeUpload}
+  let projectId = await projectConfig.getProjectIdByOrg(config)
+
+  if (projectId === '') {
+    return dealWithNoProjectId(analysis, config, reportSpinner)
+  }
+
+  if (projectId) {
+    config.projectId = projectId
+    return await scaServicesUpload.scaTreeUpload(
+      analysis,
+      config,
+      reportSpinner
+    )
+  }
+}
+
+module.exports = {
+  processUpload
+}

package/src/scaAnalysis/python/analysis.js

@@ -60,10 +60,16 @@ const checkForCorrectFiles = languageFiles => {
 
 const getPythonDeps = (config, languageFiles) => {
   try {
-    checkForCorrectFiles(languageFiles)
-    const parseProject = readAndParseProjectFile(config.file)
-    const parsePip = readAndParseLockFile(config.file)
-    return { pipfileLock: parsePip, pipfilDependanceies: parseProject }
+    if (config.legacy === false) {
+      let pythonLockFileContents = readLockFile(config.file)
+      return scaPythonParser(pythonLockFileContents)
+    } else {
+      checkForCorrectFiles(languageFiles)
+      const parseProject = readAndParseProjectFile(config.file)
+      const parsePip = readAndParseLockFile(config.file)
+
+      return { pipfileLock: parsePip, pipfilDependanceies: parseProject }
+    }
   } catch (err) {
     console.log(err.message.toString())
     process.exit(1)

package/src/scaAnalysis/python/index.js

@@ -3,7 +3,12 @@ const { getPythonDeps, secondaryParser } = require('./analysis')
 
 const pythonAnalysis = (config, languageFiles) => {
   const pythonDeps = getPythonDeps(config, languageFiles.PYTHON)
-  return createPythonTSMessage(pythonDeps)
+
+  if (config.legacy === false) {
+    return pythonDeps
+  } else {
+    return createPythonTSMessage(pythonDeps)
+  }
 }
 
 module.exports = {

package/src/scaAnalysis/repoMode/index.js

@@ -7,10 +7,10 @@ const buildRepo = async (config, languageFiles) => {
 
   if (project.projectType === 'maven') {
     let jsonPomFile = mavenParser.readPomFile(project)
-    mavenParser.parsePomFile(jsonPomFile)
+    return mavenParser.parsePomFile(jsonPomFile)
   } else if (project.projectType === 'gradle') {
     const gradleJson = gradleParser.readBuildGradleFile(project)
-    gradleParser.parseGradleJson(await gradleJson)
+    return gradleParser.parseGradleJson(await gradleJson)
   } else {
     console.log('Unable to read project files.')
   }

package/src/scaAnalysis/ruby/analysis.js

@@ -6,7 +6,17 @@ const getRubyDeps = (config, languageFiles) => {
     checkForCorrectFiles(languageFiles)
     const parsedGem = readAndParseGemfile(config.file)
     const parsedLock = readAndParseGemLockFile(config.file)
-    return { gemfilesDependanceies: parsedGem, gemfileLock: parsedLock }
+    if (config.legacy === false) {
+      const rubyArray = removeRedundantAndPopulateDefinedElements(
+        parsedLock.sources
+      )
+      let rubyTree = createRubyTree(rubyArray)
+      findChildrenDependencies(rubyTree)
+      processRootDependencies(parsedLock.dependencies, rubyTree)
+      return rubyTree
+    } else {
+      return { gemfilesDependanceies: parsedGem, gemfileLock: parsedLock }
+    }
   } catch (err) {
     throw err
   }

package/src/scaAnalysis/ruby/index.js

@@ -3,7 +3,12 @@ const { createRubyTSMessage } = require('../common/formatMessage')
 
 const rubyAnalysis = (config, languageFiles) => {
   const rubyDeps = analysis.getRubyDeps(config, languageFiles.RUBY)
-  return createRubyTSMessage(rubyDeps)
+
+  if (config.legacy === false) {
+    return rubyDeps
+  } else {
+    return createRubyTSMessage(rubyDeps)
+  }
 }
 
 module.exports = {

package/src/scaAnalysis/scaAnalysis.js

@@ -1,18 +1,12 @@
 const {
   supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET }
 } = require('../constants/constants')
-const {
-  pollForSnapshotCompletion
-} = require('../audit/languageAnalysisEngine/sendSnapshot')
 const {
   returnOra,
   startSpinner,
   succeedSpinner
 } = require('../utils/oraWrapper')
-const { vulnerabilityReportV2 } = require('../audit/report/reportingFeature')
 const autoDetection = require('../scan/autoDetection')
-const treeUpload = require('./common/treeUpload')
-const auditController = require('../commands/audit/auditController')
 const rootFile = require('../audit/languageAnalysisEngine/getProjectRootFilenames')
 const path = require('path')
 const i18n = require('i18n')
@@ -26,12 +20,16 @@ const { rubyAnalysis } = require('./ruby')
 const { pythonAnalysis } = require('./python')
 const javaAnalysis = require('./java')
 const jsAnalysis = require('./javascript')
+const auditReport = require('./common/auditReport')
+const processServices = require('./processServicesFlow')
 const chalk = require('chalk')
+const {
+  convertGenericToTypedReportModelSca
+} = require('./common/utils/reportUtilsSca')
+const projectConfig = require('../commands/github/projectGroup')
+const { legacyFlow } = require('./legacy/legacyFlow')
 
 const processSca = async config => {
-  //checks to see whether to use old TS / new SCA path
-
-  const startTime = performance.now()
   let filesFound
 
   if (config.help) {
@@ -64,7 +62,17 @@ const processSca = async config => {
     switch (Object.keys(filesFound[0])[0]) {
       case JAVA:
         config.language = JAVA
-        messageToSend = await javaAnalysis.javaAnalysis(config, filesFound[0])
+        if (config.repo && !config.legacy) {
+          try {
+            messageToSend = await repoMode.buildRepo(config, filesFound[0])
+          } catch (e) {
+            throw new Error(
+              'Unable to build in repository mode. Check your project file'
+            )
+          }
+        } else {
+          messageToSend = await javaAnalysis.javaAnalysis(config, filesFound[0])
+        }
         break
       case JAVASCRIPT:
         messageToSend = await jsAnalysis.jsAnalysis(config, filesFound[0])
@@ -87,43 +95,59 @@ const processSca = async config => {
         config.language = GO
         break
       case DOTNET:
-        messageToSend = dotNetAnalysis(config, filesFound[0])
-        config.language = DOTNET
-        break
+        if (config.legacy === false) {
+          console.log(
+            `${chalk.bold(
+              '\n.NET project found\n'
+            )} Language type is unsupported.`
+          )
+          return
+        } else {
+          messageToSend = dotNetAnalysis(config, filesFound[0])
+          config.language = DOTNET
+          break
+        }
       default:
         //something is wrong
         console.log('No supported language detected in project path')
         return
     }
 
-    if (!config.applicationId) {
-      config.applicationId = await auditController.dealWithNoAppId(config)
-    }
-    console.log('') //empty log for space before spinner
-    //send message to TS
-    const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
-    startSpinner(reportSpinner)
-    const snapshotResponse = await treeUpload.commonSendSnapShot(
-      messageToSend,
-      config
-    )
+    if (config.legacy === false) {
+      if (!config.name) {
+        config = await projectConfig.dealWithNoName(config)
+      }
+      const startTime = performance.now()
+      console.log('') //empty log for space before spinner
+      const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
+      startSpinner(reportSpinner)
 
-    // poll for completion
-    await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner)
-    succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
+      let reportResponse = await processServices.processUpload(
+        messageToSend,
+        config,
+        reportSpinner
+      )
 
-    await vulnerabilityReportV2(config, snapshotResponse.id)
-    if (config.save !== undefined) {
-      await auditSave.auditSave(config)
+      const reportModelLibraryList = convertGenericToTypedReportModelSca(
+        reportResponse.reportArray
+      )
+      auditReport.processAuditReport(config, reportModelLibraryList)
+      if (config.save !== undefined) {
+        await auditSave.auditSave(config, reportResponse.reportId)
+      } else {
+        console.log('Use contrast audit --save to generate an SBOM')
+      }
+
+      succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
+
+      const endTime = performance.now() - startTime
+      const scanDurationMs = endTime - startTime
+      console.log(
+        `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
+      )
     } else {
-      console.log('\nUse contrast audit --save to generate an SBOM')
+      await legacyFlow(config, messageToSend)
     }
-    const endTime = performance.now() - startTime
-    const scanDurationMs = endTime - startTime
-
-    console.log(
-      `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
-    )
   } else {
     if (filesFound.length === 0) {
       console.log(i18n.__('languageAnalysisNoLanguage'))