@contrast/contrast 1.0.3 → 1.0.4

package/dist/scan/scan.js

@@ -1,44 +1,43 @@
 "use strict";
-const commonApi = require('../utils/commonApi.js');
-const fileUtils = require('../scan/fileUtils');
-const allowedFileTypes = ['.jar', '.war', '.js', '.zip', '.exe'];
-const i18n = require('i18n');
-const oraWrapper = require('../utils/oraWrapper');
-const chalk = require('chalk');
-const isFileAllowed = scanOption => {
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.stripMustacheTags = exports.getMessage = exports.getGroups = exports.formatLinks = exports.formatScanOutput = exports.sendScan = exports.isFileAllowed = exports.allowedFileTypes = void 0;
+const commonApi_js_1 = __importDefault(require("../utils/commonApi.js"));
+const fileUtils_1 = __importDefault(require("../scan/fileUtils"));
+const i18n_1 = __importDefault(require("i18n"));
+const oraWrapper_1 = __importDefault(require("../utils/oraWrapper"));
+const chalk_1 = __importDefault(require("chalk"));
+const groupedResultsModel_1 = require("./models/groupedResultsModel");
+exports.allowedFileTypes = ['.jar', '.war', '.js', '.zip', '.exe'];
+const isFileAllowed = (scanOption) => {
     let valid = false;
-    allowedFileTypes.forEach(fileType => {
+    exports.allowedFileTypes.forEach(fileType => {
         if (scanOption.endsWith(fileType)) {
             valid = true;
         }
     });
     return valid;
 };
-const stripMustacheTags = oldString => {
-    return oldString
-        .replace(/\n/g, ' ')
-        .replace(/{{.*?}}/g, '\n')
-        .replace(/\$\$LINK_DELIM\$\$/g, '\n')
-        .replace(/\s+/g, ' ')
-        .trim();
-};
+exports.isFileAllowed = isFileAllowed;
 const sendScan = async (config) => {
-    if (!isFileAllowed(config.file)) {
-        console.log(i18n.__('scanErrorFileMessage'));
+    if (!(0, exports.isFileAllowed)(config.file)) {
+        console.log(i18n_1.default.__('scanErrorFileMessage'));
         process.exit(9);
     }
     else {
-        fileUtils.checkFilePermissions(config.file);
-        const client = commonApi.getHttpClient(config);
-        const startUploadSpinner = oraWrapper.returnOra(i18n.__('uploadingScan'));
-        oraWrapper.startSpinner(startUploadSpinner);
+        fileUtils_1.default.checkFilePermissions(config.file);
+        const client = commonApi_js_1.default.getHttpClient(config);
+        const startUploadSpinner = oraWrapper_1.default.returnOra(i18n_1.default.__('uploadingScan'));
+        oraWrapper_1.default.startSpinner(startUploadSpinner);
         return await client
             .sendArtifact(config)
             .then(res => {
             if (res.statusCode === 201) {
-                oraWrapper.succeedSpinner(startUploadSpinner, i18n.__('uploadingScanSuccessful'));
+                oraWrapper_1.default.succeedSpinner(startUploadSpinner, i18n_1.default.__('uploadingScanSuccessful'));
                 if (config.verbose) {
-                    console.log(i18n.__('responseMessage', res.body));
+                    console.log(i18n_1.default.__('responseMessage', res.body));
                 }
                 return res.body.id;
             }
@@ -47,12 +46,12 @@ const sendScan = async (config) => {
                     console.log(res.statusCode);
                     console.log(config);
                 }
-                oraWrapper.failSpinner(startUploadSpinner, i18n.__('uploadingScanFail'));
+                oraWrapper_1.default.failSpinner(startUploadSpinner, i18n_1.default.__('uploadingScanFail'));
                 if (res.statusCode === 403) {
-                    console.log(i18n.__('permissionsError'));
+                    console.log(i18n_1.default.__('permissionsError'));
                     process.exit(1);
                 }
-                console.log(i18n.__('genericServiceError', res.statusCode));
+                console.log(i18n_1.default.__('genericServiceError', res.statusCode));
                 process.exit(1);
             }
         })
@@ -61,101 +60,97 @@ const sendScan = async (config) => {
         });
     }
 };
-const formatScanOutput = (overview, results) => {
-    console.log();
-    if (results.content.length === 0) {
-        console.log(i18n.__('scanNoVulnerabilitiesFound'));
+exports.sendScan = sendScan;
+function formatScanOutput(scanResults) {
+    const { projectOverview, scanResultsInstances } = scanResults;
+    if (scanResultsInstances.content.length === 0) {
+        console.log(i18n_1.default.__('scanNoVulnerabilitiesFound'));
     }
     else {
-        let message = overview.critical || overview.high
+        const message = projectOverview.critical || projectOverview.high
             ? 'Here are your top priorities to fix'
             : "No major issues, here's what we found";
-        console.log(chalk.bold(message));
+        console.log(chalk_1.default.bold(message));
         console.log();
-        const groups = getGroups(results.content);
+        const groups = getGroups(scanResultsInstances.content);
         groups.forEach(entry => {
-            console.log(chalk.bold(`${entry.severity} | ${entry.ruleId} (${entry.lineInfoSet.size})`));
+            console.log(chalk_1.default.bold(`[ ${entry.severity} ] | ${entry.ruleId} (${entry.lineInfoSet.size}) - ` +
+                `${entry.message}`));
             let count = 1;
             entry.lineInfoSet.forEach(lineInfo => {
                 console.log(`\t ${count}. ${lineInfo}`);
                 count++;
             });
-            if (entry?.cwe && entry?.cwe.length > 0) {
-                formatLinks('cwe', entry.cwe);
+            if (entry?.issue) {
+                console.log(chalk_1.default.bold('Issue' + ': ') + entry.issue);
             }
-            if (entry?.reference && entry?.reference.length > 0) {
-                formatLinks('reference', entry.reference);
+            if (entry?.advice) {
+                console.log(chalk_1.default.bold('Advice' + ': ') + entry.advice);
             }
-            if (entry?.owasp && entry?.owasp.length > 0) {
-                formatLinks('owasp', entry.owasp);
+            if (entry?.learn && entry?.learn.length > 0) {
+                formatLinks('Learn', entry.learn);
             }
-            console.log(chalk.bold('How to fix:'));
-            console.log(entry.recommendation);
             console.log();
         });
-        const totalVulnerabilities = overview.critical +
-            overview.high +
-            overview.medium +
-            overview.low +
-            overview.note;
-        let vulMessage = totalVulnerabilities === 1 ? `vulnerability` : `vulnerabilities`;
-        console.log(chalk.bold(`Found ${totalVulnerabilities} ${vulMessage}`));
-        console.log(i18n.__('foundDetailedVulnerabilities', overview.critical, overview.high, overview.medium, overview.low, overview.note));
+        printVulnInfo(projectOverview);
     }
-};
-const formatLinks = (objName, entry) => {
-    console.log(chalk.bold(objName + ':'));
+}
+exports.formatScanOutput = formatScanOutput;
+function printVulnInfo(projectOverview) {
+    const totalVulnerabilities = getTotalVulns(projectOverview);
+    const vulMessage = totalVulnerabilities === 1 ? `vulnerability` : `vulnerabilities`;
+    console.log(chalk_1.default.bold(`Found ${totalVulnerabilities} ${vulMessage}`));
+    console.log(i18n_1.default.__('foundDetailedVulnerabilities', String(projectOverview.critical), String(projectOverview.high), String(projectOverview.medium), String(projectOverview.low), String(projectOverview.note)));
+}
+function getTotalVulns(projectOverview) {
+    return (projectOverview.critical +
+        projectOverview.high +
+        projectOverview.medium +
+        projectOverview.low +
+        projectOverview.note);
+}
+function formatLinks(objName, entry) {
+    console.log(chalk_1.default.bold(objName + ':'));
     entry.forEach(link => {
         console.log(link);
     });
-    console.log();
-};
-const getGroups = content => {
+}
+exports.formatLinks = formatLinks;
+function getGroups(content) {
     const groupTypeSet = new Set(content.map(({ ruleId }) => ruleId));
-    let groupTypeResults = [];
+    const groupTypeResults = [];
     groupTypeSet.forEach(groupName => {
-        let groupResultsObj = {
-            ruleId: groupName,
-            lineInfoSet: new Set(),
-            cwe: '',
-            owasp: '',
-            reference: '',
-            recommendation: '',
-            severity: ''
-        };
+        const groupResultsObj = new groupedResultsModel_1.GroupedResultsModel(groupName);
         content.forEach(resultEntry => {
             if (resultEntry.ruleId === groupName) {
                 groupResultsObj.severity = resultEntry.severity;
-                groupResultsObj.cwe = resultEntry.cwe;
-                groupResultsObj.owasp = resultEntry.owasp;
-                groupResultsObj.reference = resultEntry.reference;
-                groupResultsObj.recommendation = resultEntry.recommendation
-                    ? stripMustacheTags(resultEntry.recommendation)
-                    : 'No Recommendations Data Found';
-                groupResultsObj.lineInfoSet.add(formattedCodeLine(resultEntry));
+                groupResultsObj.issue = stripMustacheTags(resultEntry.issue);
+                groupResultsObj.advice = resultEntry.advice;
+                groupResultsObj.learn = resultEntry.learn;
+                groupResultsObj.message = resultEntry.message?.text;
+                groupResultsObj.lineInfoSet.add(getMessage(resultEntry.locations));
             }
         });
         groupTypeResults.push(groupResultsObj);
     });
     return groupTypeResults;
-};
-const formattedCodeLine = resultEntry => {
-    let lineUri = resultEntry.locations[0]?.physicalLocation.artifactLocation.uri;
-    return lineUri + ' @ ' + setLineNumber(resultEntry);
-};
-const setLineNumber = resultEntry => {
-    return resultEntry.codeFlows?.[0]?.threadFlows[0]?.locations[0]?.location
-        ?.physicalLocation?.region?.startLine
-        ? resultEntry.codeFlows[0]?.threadFlows[0]?.locations[0]?.location
-            ?.physicalLocation?.region?.startLine
-        : resultEntry.locations[0]?.physicalLocation?.region?.startLine;
-};
-module.exports = {
-    sendScan: sendScan,
-    getGroups: getGroups,
-    allowedFileTypes: allowedFileTypes,
-    isFileAllowed: isFileAllowed,
-    stripMustacheTags: stripMustacheTags,
-    formatScanOutput: formatScanOutput,
-    formatLinks: formatLinks
-};
+}
+exports.getGroups = getGroups;
+function getMessage(locations) {
+    const message = locations[0]?.physicalLocation?.artifactLocation?.uri || '';
+    const lineNumber = locations[0]?.physicalLocation?.region?.startLine || '';
+    if (!lineNumber) {
+        return '@' + message;
+    }
+    return '@' + message + ':' + lineNumber;
+}
+exports.getMessage = getMessage;
+function stripMustacheTags(oldString) {
+    return oldString
+        .replace(/\n/g, ' ')
+        .replace(/{{.*?}}/g, '\n')
+        .replace(/\$\$LINK_DELIM\$\$/g, '\n')
+        .replace(/\s+/g, ' ')
+        .trim();
+}
+exports.stripMustacheTags = stripMustacheTags;

package/dist/scan/scanConfig.js

@@ -18,7 +18,7 @@ const getScanConfig = argv => {
         if (!Object.values(supportedLanguages).includes(scanParams.language)) {
             console.log(`Did not recognise --language ${scanParams.language}`);
             console.log(i18n.__('constantsHowToRunDev3'));
-            process.exit(0);
+            process.exit(1);
         }
     }
     if (!scanParams.name && scanParams.file) {

package/dist/utils/getConfig.js

@@ -10,6 +10,9 @@ const localConfig = (name, version) => {
         configName: name
     });
     config.set('version', version);
+    if (process.env.CONTRAST_CODSEC_DISABLE_UPDATE_MESSAGE) {
+        config.set('updateMessageHidden', JSON.parse(process.env.CONTRAST_CODSEC_DISABLE_UPDATE_MESSAGE.toLowerCase()));
+    }
     if (!config.has('host')) {
         config.set('host', 'https://ce.contrastsecurity.com/');
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -35,7 +35,7 @@
     "dev": "npx ts-node src/index.ts"
   },
   "engines": {
-    "node": ">=16.13.2 <17"
+    "node": ">=16"
   },
   "dependencies": {
     "@aws-sdk/client-iam": "^3.78.0",

package/src/audit/languageAnalysisEngine/{langugageAnalysisFactory.js → languageAnalysisFactory.js}

@@ -10,8 +10,6 @@ const pythonAE = require('../pythonAnalysisEngine')
 const phpAE = require('../phpAnalysisEngine')
 const goAE = require('../goAnalysisEngine')
 const { vulnerabilityReport } = require('./report/reportingFeature')
-const { vulnReportWithoutDevDep } = require('./report/newReportingFeature')
-const { checkDevDeps } = require('./report/checkIgnoreDevDep')
 const { newSendSnapShot } = require('../languageAnalysisEngine/sendSnapshot')
 const fs = require('fs')
 const chalk = require('chalk')
@@ -50,19 +48,7 @@ module.exports = exports = (err, analysis) => {
     console.log('\n **************CONTRAST OSS ANALYSIS BEGINS**************')
     const snapshotResponse = await newSendSnapShot(analysis, catalogueAppId)
 
-    if (config.report) {
-      const ignoreDevUrl = await checkDevDeps(config)
-      if (ignoreDevUrl) {
-        await vulnReportWithoutDevDep(
-          analysis,
-          catalogueAppId,
-          snapshotResponse.id,
-          config
-        )
-      } else {
-        await vulnerabilityReport(analysis, catalogueAppId, config)
-      }
-    }
+    await vulnerabilityReport(analysis, catalogueAppId, snapshotResponse.id)
 
     //should be moved to processAudit.ts once promises implemented
     await auditSave(config)
@@ -120,7 +106,7 @@ async function auditSave(config) {
     } else {
       console.log(i18n.__('auditBadFiletypeSpecifiedForSave'))
     }
-  } else {
+  } else if (config.save === null) {
     console.log(i18n.__('auditNoFiletypeSpecifiedForSave'))
   }
 }

package/src/audit/languageAnalysisEngine/report/commonReportingFunctions.ts

@@ -0,0 +1,127 @@
+import i18n from 'i18n'
+import { getHttpClient, handleResponseErrors } from '../../../utils/commonApi'
+import {
+  ReportCompositeKey,
+  ReportList,
+  ReportModelStructure
+} from './models/reportListModel'
+import { ReportSeverityModel } from './models/reportSeverityModel'
+import { orderBy } from 'lodash'
+import chalk from 'chalk'
+import { ReportLibraryModel } from './models/reportLibraryModel'
+import { findHighestSeverityCVE, findNameAndVersion } from './utils/reportUtils'
+import {
+  failSpinner,
+  returnOra,
+  startSpinner,
+  succeedSpinner
+} from '../../../utils/oraWrapper'
+
+export const createLibraryHeader = (
+  id: string,
+  numberOfVulnerableLibraries: number,
+  numberOfCves: number,
+  name: string
+) => {
+  name
+    ? console.log(`\n Application Name: ${name} | Application ID: ${id}`)
+    : console.log(` Application ID: ${id}`)
+
+  numberOfVulnerableLibraries === 1
+    ? console.log(
+        '\n **************************' +
+          ` Found 1 vulnerable library containing ${numberOfCves} CVE's` +
+          '************************** '
+      )
+    : console.log(
+        '\n **************************' +
+          ` Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVE's ` +
+          '************************** '
+      )
+}
+
+export const getReport = async (config: any, reportId: string) => {
+  const client = getHttpClient(config)
+
+  const reportSpinner = returnOra(i18n.__('auditReportWaiting'))
+  reportSpinner.indent = 1
+  startSpinner(reportSpinner)
+  return client
+    .getReportById(config, reportId)
+    .then((res: { statusCode: number; body: any }) => {
+      if (res.statusCode === 200) {
+        succeedSpinner(reportSpinner, i18n.__('auditReportSuccessMessage'))
+        return res.body
+      } else {
+        failSpinner(reportSpinner, i18n.__('auditReportFail'))
+        console.log('config-------------------')
+        console.log(config)
+        console.log('reportId----------------')
+        console.log(reportId)
+        console.log(JSON.stringify(res))
+        handleResponseErrors(res, 'report')
+      }
+    })
+    .catch((err: any) => {
+      console.log(err)
+    })
+}
+
+export const printVulnerabilityResponse = (
+  vulnerabilities: ReportLibraryModel[],
+  config: any
+) => {
+  let hasSomeVulnerabilitiesReported = false
+  printFormattedOutput(vulnerabilities, config)
+  if (Object.keys(vulnerabilities).length > 0) {
+    hasSomeVulnerabilitiesReported = true
+  }
+  return hasSomeVulnerabilitiesReported
+}
+
+export const printFormattedOutput = (
+  libraries: ReportLibraryModel[],
+  config: any
+) => {
+  const report = new ReportList()
+
+  for (const library of libraries) {
+    const { name, version } = findNameAndVersion(library, config)
+
+    const newOutputModel = new ReportModelStructure(
+      new ReportCompositeKey(
+        name,
+        version,
+        findHighestSeverityCVE(library.cveArray) as ReportSeverityModel
+      ),
+      library.cveArray
+    )
+
+    report.reportOutputList.push(newOutputModel)
+  }
+
+  const orderedOutputList = orderBy(
+    report.reportOutputList,
+    reportListItem => reportListItem.compositeKey.highestSeverity.priority
+  )
+
+  for (const reportModel of orderedOutputList) {
+    const name = reportModel.compositeKey.libraryName
+    const version = reportModel.compositeKey.libraryVersion
+    const highestSeverity = reportModel.compositeKey.highestSeverity.severity
+
+    const numOfCVEs = reportModel.cveArray.length
+
+    const cveNames: string[] = []
+
+    reportModel.cveArray.forEach(cve => cveNames.push(cve.name as string))
+
+    const boldHeader = chalk.bold(`${highestSeverity} | Vulnerable Library`)
+    const cvePluralised = numOfCVEs > 1 ? 'CVEs' : 'CVE'
+    console.log(
+      `\n ${boldHeader} ${name} (${version}) has ${numOfCVEs} known ${cvePluralised}`
+    )
+    console.log(` ${cveNames.join(', ')}`)
+    console.log(chalk.bold(' How to fix: Update to latest version'))
+  }
+}

package/src/audit/languageAnalysisEngine/report/models/reportLibraryModel.ts

@@ -0,0 +1,30 @@
+export class ReportLibraryModel {
+  name: string
+  cveArray: ReportCVEModel[]
+
+  constructor (name: string, cveArray: ReportCVEModel[]){
+    this.name = name
+    this.cveArray = cveArray
+  }
+}
+
+export class ReportCVEModel {
+  name?: string
+  description?: string
+  authentication?: string
+  references?: []
+  severityCode?: string
+  cvss3SeverityCode?: string
+
+  constructor (
+    name: string,
+    description: string,
+    severityCode: string,
+    cvss3SeverityCode: string
+  ){
+    this.name = name
+    this.description = description
+    this.severityCode = severityCode
+    this.cvss3SeverityCode = cvss3SeverityCode
+  }
+}

package/src/audit/languageAnalysisEngine/report/models/reportListModel.ts

@@ -0,0 +1,32 @@
+import {ReportSeverityModel} from "./reportSeverityModel";
+import {ReportCVEModel} from "./reportLibraryModel";
+
+export class ReportList {
+  reportOutputList: ReportModelStructure[]
+
+  constructor (){
+    this.reportOutputList = []
+  }
+}
+
+export class ReportModelStructure {
+  compositeKey: ReportCompositeKey;
+  cveArray: ReportCVEModel[];
+
+  constructor (compositeKey: ReportCompositeKey, cveArray: ReportCVEModel[]){
+    this.compositeKey = compositeKey
+    this.cveArray = cveArray
+  }
+}
+
+export class ReportCompositeKey {
+  libraryName!: string;
+  libraryVersion!: string;
+  highestSeverity!: ReportSeverityModel;
+
+  constructor (libraryName: string, libraryVersion: string, highestSeverity: ReportSeverityModel){
+    this.libraryName = libraryName
+    this.libraryVersion = libraryVersion
+    this.highestSeverity = highestSeverity
+  }
+}

package/src/audit/languageAnalysisEngine/report/models/reportSeverityModel.ts

@@ -0,0 +1,9 @@
+export class ReportSeverityModel {
+  severity!: string
+  priority!: number
+
+  constructor(severity: string, priority: number) {
+    this.severity = severity
+    this.priority = priority
+  }
+}

package/src/audit/languageAnalysisEngine/report/reportingFeature.ts

@@ -0,0 +1,56 @@
+import {
+  createLibraryHeader,
+  getReport,
+  printVulnerabilityResponse
+} from './commonReportingFunctions'
+import {
+  convertGenericToTypedLibraries,
+  severityCount
+} from './utils/reportUtils'
+
+export async function vulnerabilityReport(
+  analysis: any,
+  applicationId: string,
+  reportId: string
+) {
+  const reportResponse = await getReport(analysis.config, reportId)
+
+  if (reportResponse !== undefined) {
+    const id = applicationId
+    const name = analysis.config.applicationName
+    formatVulnerabilityOutput(
+      reportResponse.vulnerabilities,
+      id,
+      name,
+      analysis.config
+    )
+  }
+}
+
+export function formatVulnerabilityOutput(
+  libraryVulnerabilityResponse: any,
+  id: string,
+  name: string,
+  config: any
+) {
+  const vulnerableLibraries = convertGenericToTypedLibraries(
+    libraryVulnerabilityResponse
+  )
+
+  const numberOfVulnerableLibraries = vulnerableLibraries.length
+  let numberOfCves = 0
+  vulnerableLibraries.forEach(lib => (numberOfCves += lib.cveArray.length))
+
+  createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves, name)
+
+  const hasSomeVulnerabilitiesReported = printVulnerabilityResponse(
+    vulnerableLibraries,
+    config
+  )
+
+  return [
+    hasSomeVulnerabilitiesReported,
+    numberOfCves,
+    severityCount(vulnerableLibraries)
+  ]
+}