@contrast/contrast 1.0.3 → 1.0.4

package/src/scan/models/resultContentModel.ts

@@ -0,0 +1,86 @@
+type Importance = 'important' | 'essential'
+
+interface ArtifactLocation {
+  uri: string
+}
+
+interface Region {
+  startLine: number
+  snippet: Snippet
+}
+
+interface Snippet {
+  text: string
+  rendered: Rendered
+}
+
+interface Rendered {
+  text: string
+}
+
+interface PhysicalLocation {
+  artifactLocation: ArtifactLocation
+  region: Region
+}
+
+interface LogicalLocation {
+  fullyQualifiedName: string
+  name: string
+}
+
+export interface Location {
+  physicalLocation: PhysicalLocation
+  logicalLocations?: LogicalLocation[]
+}
+
+export interface ThreadFlowLocation {
+  importance: Importance
+  location: Location
+}
+
+interface ThreadFlow {
+  locations: ThreadFlowLocation[]
+}
+
+interface Message {
+  text: string
+}
+
+export interface CodeFlow {
+  message: Message
+  threadFlows: ThreadFlow[]
+}
+
+export interface ResultContent {
+  message: {text: string};
+  id: string
+  organizationId: string
+  projectId: string
+  firstCreatedTime: string
+  ruleId: string
+  codeFlows: CodeFlow[]
+  lastSeenTime: string
+  locations: Location[]
+  name: string
+  description: string
+  recommendation: string | null
+  risk: string | null
+  category: string
+  confidence: string
+  standards: { [key: string]: string[] }
+  cwe: string[]
+  owasp: string[]
+  reference: string[]
+  sink: string
+  detailsTrigger: string
+  type: RuleType
+  source: string
+  severity: Severity
+  advice: string
+  learn: string[]
+  issue: string
+}
+
+export type Severity = 'critical' | 'high' | 'medium' | 'low' | 'note'
+
+export type RuleType = 'DATA_FLOW' | 'CRYPTO' | 'CONFIG' | 'DEFAULT'

package/src/scan/models/scanResultsModel.ts

@@ -0,0 +1,52 @@
+import { ResultContent } from './resultContentModel'
+
+export class ScanResultsModel {
+  projectOverview: ProjectOverview
+  scanDetail: ScanDetail
+  scanResultsInstances: ScanResultsInstances
+
+  constructor(scan: any) {
+    this.projectOverview = scan.projectOverview as ProjectOverview
+    this.scanDetail = scan.scanDetail as ScanDetail
+    this.scanResultsInstances = scan.scanResultsInstances as ScanResultsInstances
+  }
+}
+
+export interface ProjectOverview {
+  id: string
+  organizationId: string
+  name: string
+  archived: boolean
+  language: string
+  critical: number
+  high: number
+  medium: number
+  low: number
+  note: number
+  lastScanTime: string
+  completedScans: number
+  lastScanId: string
+}
+
+export interface ScanDetail {
+  critical: number
+  high: number
+  medium: number
+  low: number
+  note: number
+  id: string
+  organizationId: string
+  projectId: string
+  codeArtifactId: string
+  status: string
+  createdTime: string
+  startedTime: string
+  completedTime: string
+  language: string
+  label: string
+  errorMessage: string
+}
+
+export interface ScanResultsInstances {
+  content: ResultContent[]
+}

package/src/scan/scan.ts

@@ -0,0 +1,192 @@
+import commonApi from '../utils/commonApi.js'
+import fileUtils from '../scan/fileUtils'
+import i18n from 'i18n'
+import oraWrapper from '../utils/oraWrapper'
+import chalk from 'chalk'
+import { ProjectOverview, ScanResultsModel } from './models/scanResultsModel'
+import { Location, ResultContent } from './models/resultContentModel'
+import { GroupedResultsModel } from './models/groupedResultsModel'
+
+export const allowedFileTypes = ['.jar', '.war', '.js', '.zip', '.exe']
+
+export const isFileAllowed = (scanOption: string) => {
+  let valid = false
+  allowedFileTypes.forEach(fileType => {
+    if (scanOption.endsWith(fileType)) {
+      valid = true
+    }
+  })
+  return valid
+}
+
+export const sendScan = async (config: any) => {
+  if (!isFileAllowed(config.file)) {
+    console.log(i18n.__('scanErrorFileMessage'))
+    process.exit(9)
+  } else {
+    fileUtils.checkFilePermissions(config.file)
+    const client = commonApi.getHttpClient(config)
+
+    const startUploadSpinner = oraWrapper.returnOra(i18n.__('uploadingScan'))
+    oraWrapper.startSpinner(startUploadSpinner)
+
+    return await client
+      .sendArtifact(config)
+      .then(res => {
+        if (res.statusCode === 201) {
+          oraWrapper.succeedSpinner(
+            startUploadSpinner,
+            i18n.__('uploadingScanSuccessful')
+          )
+          if (config.verbose) {
+            console.log(i18n.__('responseMessage', res.body))
+          }
+          return res.body.id
+        } else {
+          if (config.debug) {
+            console.log(res.statusCode)
+            console.log(config)
+          }
+          oraWrapper.failSpinner(
+            startUploadSpinner,
+            i18n.__('uploadingScanFail')
+          )
+          if (res.statusCode === 403) {
+            console.log(i18n.__('permissionsError'))
+            process.exit(1)
+          }
+          console.log(i18n.__('genericServiceError', res.statusCode))
+          process.exit(1)
+        }
+      })
+      .catch(err => {
+        console.log(err)
+      })
+  }
+}
+
+export function formatScanOutput(scanResults: ScanResultsModel) {
+  const { projectOverview, scanResultsInstances } = scanResults
+
+  if (scanResultsInstances.content.length === 0) {
+    console.log(i18n.__('scanNoVulnerabilitiesFound'))
+  } else {
+    const message =
+      projectOverview.critical || projectOverview.high
+        ? 'Here are your top priorities to fix'
+        : "No major issues, here's what we found"
+    console.log(chalk.bold(message))
+    console.log()
+
+    const groups = getGroups(scanResultsInstances.content)
+
+    groups.forEach(entry => {
+      console.log(
+        chalk.bold(
+          `[ ${entry.severity} ] | ${entry.ruleId} (${entry.lineInfoSet.size}) - ` +
+            `${entry.message}`
+        )
+      )
+
+      let count = 1
+      entry.lineInfoSet.forEach(lineInfo => {
+        console.log(`\t ${count}. ${lineInfo}`)
+        count++
+      })
+
+      if (entry?.issue) {
+        console.log(chalk.bold('Issue' + ': ') + entry.issue)
+      }
+
+      if (entry?.advice) {
+        console.log(chalk.bold('Advice' + ': ') + entry.advice)
+      }
+
+      if (entry?.learn && entry?.learn.length > 0) {
+        formatLinks('Learn', entry.learn)
+      }
+      console.log()
+    })
+
+    printVulnInfo(projectOverview)
+  }
+}
+
+function printVulnInfo(projectOverview: ProjectOverview) {
+  const totalVulnerabilities = getTotalVulns(projectOverview)
+
+  const vulMessage =
+    totalVulnerabilities === 1 ? `vulnerability` : `vulnerabilities`
+  console.log(chalk.bold(`Found ${totalVulnerabilities} ${vulMessage}`))
+  console.log(
+    i18n.__(
+      'foundDetailedVulnerabilities',
+      String(projectOverview.critical),
+      String(projectOverview.high),
+      String(projectOverview.medium),
+      String(projectOverview.low),
+      String(projectOverview.note)
+    )
+  )
+}
+
+function getTotalVulns(projectOverview: ProjectOverview) {
+  return (
+    projectOverview.critical +
+    projectOverview.high +
+    projectOverview.medium +
+    projectOverview.low +
+    projectOverview.note
+  )
+}
+
+export function formatLinks(objName: string, entry: any[]) {
+  console.log(chalk.bold(objName + ':'))
+  entry.forEach(link => {
+    console.log(link)
+  })
+}
+
+export function getGroups(content: ResultContent[]) {
+  const groupTypeSet = new Set(content.map(({ ruleId }) => ruleId))
+  const groupTypeResults = [] as GroupedResultsModel[]
+
+  groupTypeSet.forEach(groupName => {
+    const groupResultsObj = new GroupedResultsModel(groupName)
+
+    content.forEach(resultEntry => {
+      if (resultEntry.ruleId === groupName) {
+        groupResultsObj.severity = resultEntry.severity
+        groupResultsObj.issue = stripMustacheTags(resultEntry.issue)
+        groupResultsObj.advice = resultEntry.advice
+        groupResultsObj.learn = resultEntry.learn
+        groupResultsObj.message = resultEntry.message?.text
+
+        groupResultsObj.lineInfoSet.add(getMessage(resultEntry.locations))
+      }
+    })
+    groupTypeResults.push(groupResultsObj)
+  })
+
+  return groupTypeResults
+}
+
+export function getMessage(locations: Location[]) {
+  const message = locations[0]?.physicalLocation?.artifactLocation?.uri || ''
+  const lineNumber = locations[0]?.physicalLocation?.region?.startLine || ''
+
+  if (!lineNumber) {
+    return '@' + message
+  }
+
+  return '@' + message + ':' + lineNumber
+}
+
+export function stripMustacheTags(oldString: string) {
+  return oldString
+    .replace(/\n/g, ' ')
+    .replace(/{{.*?}}/g, '\n')
+    .replace(/\$\$LINK_DELIM\$\$/g, '\n')
+    .replace(/\s+/g, ' ')
+    .trim()
+}

package/src/scan/scanConfig.js

@@ -26,7 +26,7 @@ const getScanConfig = argv => {
     if (!Object.values(supportedLanguages).includes(scanParams.language)) {
       console.log(`Did not recognise --language ${scanParams.language}`)
       console.log(i18n.__('constantsHowToRunDev3'))
-      process.exit(0)
+      process.exit(1)
     }
   }
 

package/src/scan/scanController.js

@@ -56,10 +56,12 @@ const startScan = async configToUse => {
       getTimeout(configToUse),
       startScanSpinner
     )
+
     const scanResultsInstances = await scanResults.returnScanResultsInstances(
       configToUse,
       scanDetail.id
     )
+
     const endTime = performance.now()
     const scanDurationMs = endTime - startTime
     succeedSpinner(startScanSpinner, 'Contrast Scan complete')

package/src/utils/getConfig.ts

@@ -7,6 +7,7 @@ type ContrastConfOptions = Partial<{
   orgId: string
   authHeader: string
   numOfRuns: number
+  updateMessageHidden: boolean
 }>
 
 type ContrastConf = Conf<ContrastConfOptions>
@@ -17,6 +18,15 @@ const localConfig = (name: string, version: string) => {
   })
   config.set('version', version)
 
+  if (process.env.CONTRAST_CODSEC_DISABLE_UPDATE_MESSAGE) {
+    config.set(
+      'updateMessageHidden',
+      JSON.parse(
+        process.env.CONTRAST_CODSEC_DISABLE_UPDATE_MESSAGE.toLowerCase()
+      )
+    )
+  }
+
   if (!config.has('host')) {
     config.set('host', 'https://ce.contrastsecurity.com/')
   }

package/dist/audit/languageAnalysisEngine/report/checkIgnoreDevDep.js

@@ -1,17 +0,0 @@
-"use strict";
-const { getGlobalProperties, getFeatures, isFeatureEnabled } = require('../util/generalAPI');
-const { CLI_IGNORE_DEV_DEPS } = require('../util/capabilities');
-const checkDevDeps = async (config) => {
-    const shouldIgnoreDev = config.ignoreDev;
-    const globalProperties = await getGlobalProperties();
-    const features = getFeatures(globalProperties.internal_version);
-    const isfeatureEnabled = isFeatureEnabled(features, CLI_IGNORE_DEV_DEPS);
-    let ignoreDevUrl = false;
-    if (shouldIgnoreDev) {
-        ignoreDevUrl = isfeatureEnabled;
-    }
-    return ignoreDevUrl;
-};
-module.exports = {
-    checkDevDeps
-};

package/dist/audit/languageAnalysisEngine/report/newReportingFeature.js

@@ -1,81 +0,0 @@
-"use strict";
-const commonReport = require('./commonReportingFunctions');
-const { handleResponseErrors } = require('../commonApi');
-const { getHttpClient } = require('../../../utils/commonApi');
-const vulnReportWithoutDevDep = async (analysis, applicationId, snapshotId, config) => {
-    if (config.report) {
-        const reportResponse = await getSpecReport(snapshotId, config);
-        if (reportResponse !== undefined) {
-            const severity = config.cveSeverity;
-            const id = applicationId;
-            const name = config.applicationName;
-            const hasSomeVulnerabilitiesReported = formatVulnerabilityOutput(reportResponse.vulnerabilities, severity, id, name, config);
-            commonReport.analyseReportOptions(hasSomeVulnerabilitiesReported);
-        }
-    }
-};
-const getSpecReport = async (reportId, config) => {
-    const client = getHttpClient(config);
-    return client
-        .getSpecificReport(config, reportId)
-        .then(res => {
-        if (res.statusCode === 200) {
-            commonReport.displaySuccessMessageReport();
-            return res.body;
-        }
-        else {
-            handleResponseErrors(res, 'report');
-        }
-    })
-        .catch(err => {
-        console.log(err);
-    });
-};
-const countSeverity = vulnerabilities => {
-    const severityCount = {
-        critical: 0,
-        high: 0,
-        medium: 0,
-        low: 0
-    };
-    for (const key of Object.keys(vulnerabilities)) {
-        vulnerabilities[key].forEach(vuln => {
-            if (vuln.severityCode === 'HIGH') {
-                severityCount['high'] += 1;
-            }
-            else if (vuln.severityCode === 'MEDIUM') {
-                severityCount['medium'] += 1;
-            }
-            else if (vuln.severityCode === 'LOW') {
-                severityCount['low'] += 1;
-            }
-            else if (vuln.severityCode === 'CRITICAL') {
-                severityCount['critical'] += 1;
-            }
-        });
-    }
-    return severityCount;
-};
-const formatVulnerabilityOutput = (vulnerabilities, severity, id, name, config) => {
-    const numberOfVulnerableLibraries = Object.keys(vulnerabilities).length;
-    let numberOfCves = 0;
-    for (const key of Object.keys(vulnerabilities)) {
-        numberOfCves += vulnerabilities[key].length;
-    }
-    commonReport.createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves, name);
-    const severityCount = countSeverity(vulnerabilities);
-    const filteredVulns = commonReport.filterVulnerabilitiesBySeverity(severity, vulnerabilities);
-    let hasSomeVulnerabilitiesReported;
-    hasSomeVulnerabilitiesReported = commonReport.printVulnerabilityResponse(severity, filteredVulns, vulnerabilities);
-    console.log('\n **************************' +
-        ` Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVE's ` +
-        '************************** ');
-    console.log(' \n Please go to the Contrast UI to view your dependency tree: \n' +
-        ` \n ${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`);
-    return [hasSomeVulnerabilitiesReported, numberOfCves, severityCount];
-};
-module.exports = {
-    vulnReportWithoutDevDep: vulnReportWithoutDevDep,
-    formatVulnerabilityOutput: formatVulnerabilityOutput,
-    getSpecReport: getSpecReport
-};

package/src/audit/languageAnalysisEngine/report/checkIgnoreDevDep.js

@@ -1,27 +0,0 @@
-const {
-  getGlobalProperties,
-  getFeatures,
-  isFeatureEnabled
-} = require('../util/generalAPI')
-const { CLI_IGNORE_DEV_DEPS } = require('../util/capabilities')
-
-const checkDevDeps = async config => {
-  const shouldIgnoreDev = config.ignoreDev
-  const globalProperties = await getGlobalProperties()
-
-  // returns [ 'CLI_IGNORE_DEV_DEPS' ] if teamserver version is above 3.8.1
-  const features = getFeatures(globalProperties.internal_version)
-
-  // providing user is on version >= 3.8.1, isfeatureEnabled will always return true,
-  // therefore shouldIgnoreDev flag (from params) is needed to disable ignore dev deps
-  const isfeatureEnabled = isFeatureEnabled(features, CLI_IGNORE_DEV_DEPS)
-  let ignoreDevUrl = false
-  if (shouldIgnoreDev) {
-    ignoreDevUrl = isfeatureEnabled
-  }
-  return ignoreDevUrl
-}
-
-module.exports = {
-  checkDevDeps
-}