@contrast/contrast 1.0.3 → 1.0.6

package/src/audit/languageAnalysisEngine/report/reportingFeature.ts

@@ -0,0 +1,56 @@
+import {
+  createLibraryHeader,
+  getReport,
+  printVulnerabilityResponse
+} from './commonReportingFunctions'
+import {
+  convertGenericToTypedLibraries,
+  severityCountAllLibraries
+} from './utils/reportUtils'
+
+export async function vulnerabilityReport(
+  analysis: any,
+  applicationId: string,
+  reportId: string
+) {
+  const reportResponse = await getReport(analysis.config, reportId)
+
+  if (reportResponse !== undefined) {
+    const id = applicationId
+    const name = analysis.config.applicationName
+    formatVulnerabilityOutput(
+      reportResponse.vulnerabilities,
+      id,
+      name,
+      analysis.config
+    )
+  }
+}
+
+export function formatVulnerabilityOutput(
+  libraryVulnerabilityResponse: any,
+  id: string,
+  name: string,
+  config: any
+) {
+  const vulnerableLibraries = convertGenericToTypedLibraries(
+    libraryVulnerabilityResponse
+  )
+
+  const numberOfVulnerableLibraries = vulnerableLibraries.length
+  let numberOfCves = 0
+  vulnerableLibraries.forEach(lib => (numberOfCves += lib.cveArray.length))
+
+  createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves)
+
+  const hasSomeVulnerabilitiesReported = printVulnerabilityResponse(
+    vulnerableLibraries,
+    config
+  )
+
+  return [
+    hasSomeVulnerabilitiesReported,
+    numberOfCves,
+    severityCountAllLibraries(vulnerableLibraries)
+  ]
+}

package/src/audit/languageAnalysisEngine/report/utils/reportUtils.ts

@@ -0,0 +1,116 @@
+import {
+  ReportCVEModel,
+  ReportLibraryModel
+} from '../models/reportLibraryModel'
+import { ReportSeverityModel } from '../models/reportSeverityModel'
+import languageAnalysisEngine from '../../../languageAnalysisEngine/constants'
+import {
+  CRITICAL_COLOUR,
+  CRITICAL_PRIORITY,
+  HIGH_COLOUR,
+  HIGH_PRIORITY,
+  LOW_COLOUR,
+  LOW_PRIORITY,
+  MEDIUM_COLOUR,
+  MEDIUM_PRIORITY,
+  NOTE_COLOUR,
+  NOTE_PRIORITY
+} from '../../../../constants/constants'
+import { orderBy } from 'lodash'
+import {SeverityCountModel} from "../models/severityCountModel";
+const {
+  supportedLanguages: { GO }
+} = languageAnalysisEngine
+
+export function findHighestSeverityCVE(cveArray: ReportCVEModel[]) {
+  const mappedToReportSeverityModels = cveArray.map(cve => findCVESeverity(cve))
+
+  //order and get first
+  return orderBy(mappedToReportSeverityModels, cve => cve?.priority)[0]
+}
+
+
+export function findCVESeveritiesAndOrderByHighestPriority(cves: ReportCVEModel[]) {
+  return orderBy(cves.map(cve => findCVESeverity(cve)), ['priority'], ['asc'])
+}
+
+export function findCVESeverity(cve: ReportCVEModel) {
+  const cveName = cve.name as string
+  if (cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL') {
+    return new ReportSeverityModel('CRITICAL', CRITICAL_PRIORITY, CRITICAL_COLOUR, cveName)
+  } else if (cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH') {
+    return new ReportSeverityModel('HIGH', HIGH_PRIORITY, HIGH_COLOUR, cveName)
+  } else if (cve.cvss3SeverityCode === 'MEDIUM' || cve.severityCode === 'MEDIUM') {
+    return new ReportSeverityModel('MEDIUM', MEDIUM_PRIORITY, MEDIUM_COLOUR, cveName)
+  } else if (cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW') {
+    return new ReportSeverityModel('LOW', LOW_PRIORITY, LOW_COLOUR, cveName)
+  } else if (cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE') {
+    return new ReportSeverityModel('NOTE', NOTE_PRIORITY, NOTE_COLOUR, cveName)
+  }
+}
+
+export function convertGenericToTypedLibraries(libraries: any) {
+  return Object.entries(libraries).map(([name, cveArray]) => {
+    return new ReportLibraryModel(name, cveArray as ReportCVEModel[])
+  })
+}
+
+export function severityCountAllLibraries(vulnerableLibraries: ReportLibraryModel[]) {
+  const severityCount = new SeverityCountModel()
+  vulnerableLibraries.forEach(lib => severityCountAllCVEs(lib.cveArray, severityCount))
+  return severityCount
+}
+
+export function severityCountAllCVEs(cveArray: ReportCVEModel[], severityCount: SeverityCountModel) {
+  const severityCountInner = severityCount
+  cveArray.forEach(cve => severityCountSingleCVE(cve, severityCountInner))
+  return severityCountInner
+}
+
+export function severityCountSingleCVE(cve: ReportCVEModel, severityCount: SeverityCountModel) {
+  if (
+    cve.cvss3SeverityCode === 'CRITICAL' ||
+    cve.severityCode === 'CRITICAL'
+  ) {
+    severityCount.critical += 1
+  } else if (
+    cve.cvss3SeverityCode === 'HIGH' ||
+    cve.severityCode === 'HIGH'
+  ) {
+    severityCount.high += 1
+  } else if (
+    cve.cvss3SeverityCode === 'MEDIUM' ||
+    cve.severityCode === 'MEDIUM'
+  ) {
+    severityCount.medium += 1
+  } else if (
+    cve.cvss3SeverityCode === 'LOW' ||
+    cve.severityCode === 'LOW'
+  ) {
+    severityCount.low += 1
+  } else if (
+    cve.cvss3SeverityCode === 'NOTE' ||
+    cve.severityCode === 'NOTE'
+  ) {
+    severityCount.note += 1
+  }
+
+  return severityCount
+}
+
+export function findNameAndVersion(library: ReportLibraryModel, config: any) {
+  if (config.language.toUpperCase() === GO) {
+    const nameVersion = library.name.split('@')
+    const name = nameVersion[0]
+    const version = nameVersion[1]
+
+    return { name, version }
+  } else {
+    const splitLibraryName = library.name.split('/')
+    const nameVersion = splitLibraryName[1].split('@')
+    const name = nameVersion[0]
+    const version = nameVersion[1]
+
+    return { name, version }
+  }
+}

package/src/audit/languageAnalysisEngine/sendSnapshot.js

@@ -1,23 +1,8 @@
-const prettyjson = require('prettyjson')
-const i18n = require('i18n')
 const { getHttpClient } = require('../../utils/commonApi')
 const { handleResponseErrors } = require('../../common/errorHandling')
 const { APP_VERSION } = require('../../constants/constants')
 
-function displaySnapshotSuccessMessage(config) {
-  console.log(
-    '\n **************************' +
-      i18n.__('successHeader') +
-      '************************** '
-  )
-  console.log('\n' + i18n.__('snapshotSuccessMessage') + '\n')
-  console.log(
-    ` ${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
-  )
-  console.log('\n ***********************************************************')
-}
-
-const newSendSnapShot = async (analysis, applicationId) => {
+const newSendSnapShot = async analysis => {
   const analysisLanguage = analysis.config.language.toLowerCase()
   const requestBody = {
     appID: analysis.config.applicationId,
@@ -30,11 +15,7 @@ const newSendSnapShot = async (analysis, applicationId) => {
   return client
     .sendSnapshot(requestBody, analysis.config)
     .then(res => {
-      // if (!analysis.config.silent) {
-      //   console.log(prettyjson.render(requestBody))
-      // }
       if (res.statusCode === 201) {
-        displaySnapshotSuccessMessage(analysis.config)
         return res.body
       } else {
         handleResponseErrors(res, 'snapshot')
@@ -46,6 +27,5 @@ const newSendSnapShot = async (analysis, applicationId) => {
 }
 
 module.exports = {
-  newSendSnapShot: newSendSnapShot,
-  displaySnapshotSuccessMessage: displaySnapshotSuccessMessage
+  newSendSnapShot: newSendSnapShot
 }

package/src/commands/audit/auditConfig.ts

@@ -2,6 +2,10 @@ import paramHandler from '../../utils/paramsUtil/paramHandler'
 import constants from '../../constants'
 import cliOptions from '../../utils/parsedCLIOptions'
 import languageAnalysisEngine from '../../audit/languageAnalysisEngine/constants'
+import {
+  determineProjectLanguage,
+  identifyLanguages
+} from '../../audit/autodetection/autoDetectLanguage'
 
 const {
   supportedLanguages: { NODE, JAVASCRIPT }
@@ -18,9 +22,14 @@ export const getAuditConfig = (argv: string[]): { [key: string]: string } => {
     auditParameters.language === undefined ||
     auditParameters.language === null
   ) {
-    //error no language
-    console.log('error, --language parameter is required')
-    process.exit(1)
+    try {
+      auditParameters.language = determineProjectLanguage(
+        identifyLanguages(auditParameters)
+      )
+    } catch (err: any) {
+      console.log(err.message)
+      process.exit(1)
+    }
   } else if (auditParameters.language.toUpperCase() === JAVASCRIPT) {
     auditParameters.language = NODE.toLowerCase()
   }

package/src/commands/audit/auditController.ts

@@ -1,19 +1,34 @@
 import { catalogueApplication } from '../../audit/catalogueApplication/catalogueApplication'
 import commonApi from '../../audit/languageAnalysisEngine/commonApi'
+
 const identifyLanguageAE = require('./../../audit/languageAnalysisEngine')
-const languageFactory = require('./../../audit/languageAnalysisEngine/langugageAnalysisFactory')
+const languageFactory = require('../../audit/languageAnalysisEngine/languageAnalysisFactory')
+const { v4: uuidv4 } = require('uuid')
 
-const dealWithNoAppId = async (config: { [x: string]: string }) => {
-  let appID
+export const dealWithNoAppId = async (config: { [x: string]: string }) => {
+  let appID: string
   try {
+    // @ts-ignore
     appID = await commonApi.returnAppId(config)
     if (!appID && config.applicationName) {
       return await catalogueApplication(config)
     }
+    if (!appID && !config.applicationName) {
+      config.applicationName = uuidv4()
+      return await catalogueApplication(config)
+    }
+    // @ts-ignore
   } catch (e) {
-    console.log(e)
+    // @ts-ignore
+    if (e.toString().includes('tunneling socket could not be established')) {
+      // @ts-ignore
+      console.log(e.message.toString())
+      console.log(
+        'There seems to be an issue with your proxy, please check and try again'
+      )
+    }
+    process.exit(1)
   }
-  console.log(appID)
   return appID
 }
 

package/src/commands/audit/processAudit.ts

@@ -10,6 +10,9 @@ export const processAudit = async (argv: parameterInput) => {
     process.exit(1)
   }
   const config = getAuditConfig(argv)
+
+  // console.log(config)
+
   const auditResults = await startAudit(config)
 }
 

package/src/commands/scan/processScan.js

@@ -1,18 +1,22 @@
-const { startScan } = require('../../scan/scanController')
-const { formatScanOutput } = require('../../scan/scan')
-const { scanUsageGuide } = require('../../scan/help')
 const scanConfig = require('../../scan/scanConfig')
+const { startScan } = require('../../scan/scanController')
 const { saveScanFile } = require('../../utils/saveFile')
+const { ScanResultsModel } = require('../../scan/models/scanResultsModel')
+const { formatScanOutput } = require('../../scan/formatScanOutput')
+const { processSca } = require('./sca/scaAnalysis')
 
 const processScan = async argvMain => {
   let config = scanConfig.getScanConfig(argvMain)
+  // console.log(config)
+  //try SCA analysis first
+  if (config.experimental) {
+    await processSca(config)
+  }
+
+  let scanResults = new ScanResultsModel(await startScan(config))
 
-  let scanResults = await startScan(config)
-  if (scanResults) {
-    formatScanOutput(
-      scanResults?.projectOverview,
-      scanResults?.scanResultsInstances
-    )
+  if (scanResults.scanResultsInstances !== undefined) {
+    formatScanOutput(scanResults)
   }
 
   if (config.save !== undefined) {

package/src/commands/scan/sca/scaAnalysis.js

@@ -0,0 +1,75 @@
+const autoDetection = require('../../../scan/autoDetection')
+const javaAnalysis = require('../../../scaAnalysis/java')
+const treeUpload = require('../../../scaAnalysis/common/treeUpload')
+const {
+  manualDetectAuditFilesAndLanguages
+} = require('../../../scan/autoDetection')
+const auditController = require('../../audit/auditController')
+const {
+  supportedLanguages: { JAVA, GO }
+} = require('../../../audit/languageAnalysisEngine/constants')
+const goAnalysis = require('../../../scaAnalysis/go/goAnalysis')
+
+const processSca = async config => {
+  let filesFound
+  if (config.projectPath) {
+    filesFound = await manualDetectAuditFilesAndLanguages(config.projectPath)
+  } else {
+    filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config)
+  }
+
+  // files found looks like [ { javascript: [ Array ] } ]
+  //check we have the language and call the right analyser
+  //refactor new analyser and see if we can clean it up
+  let messageToSend = undefined
+  if (filesFound.length === 1) {
+    switch (Object.keys(filesFound[0])[0]) {
+      case JAVA:
+        messageToSend = javaAnalysis.javaAnalysis(config, filesFound[0])
+        config.language = JAVA
+        break
+      // case 'javascript':
+      //     // code block
+      //     break;
+      // case 'dotnet':
+      //     // code block
+      //     break;
+      // case 'python':
+      //     // code block
+      //     break;
+      // case 'ruby':
+      //     // code block
+      //     break;
+      // case 'php':
+      //     // code block
+      //     break;
+      case GO:
+        messageToSend = goAnalysis.goAnalysis(config, filesFound[0])
+        config.language = GO
+        break
+      default:
+        //something is wrong
+        console.log('language detected not supported')
+        return
+    }
+
+    if (!config.applicationId) {
+      config.applicationId = await auditController.dealWithNoAppId(config)
+    }
+    //send message to TS
+    console.log('processing dependencies')
+    const response = await treeUpload.commonSendSnapShot(messageToSend, config)
+  } else {
+    if (filesFound.length === 0) {
+      console.log('no compatible dependency files detected. Continuing...')
+    } else {
+      console.log(
+        'multiple language files detected, please use --project-path to specify a directory or the file where dependencies are declared'
+      )
+    }
+  }
+}
+
+module.exports = {
+  processSca
+}

package/src/common/HTTPClient.js

@@ -106,7 +106,9 @@ HTTPClient.prototype.getScanId = function getScanId(config, codeArtifactId) {
   options.url = url
   options.body = {
     codeArtifactId: codeArtifactId,
-    label: `Started by CLI tool at ${new Date().toString()}`
+    label: config.label
+      ? config.label
+      : `Started by CLI tool at ${new Date().toString()}`
   }
   return requestUtils.sendRequest({ method: 'post', options })
 }
@@ -188,6 +190,9 @@ HTTPClient.prototype.catalogueCommand = function catalogueCommand(config) {
 }
 
 HTTPClient.prototype.sendSnapshot = function sendSnapshot(requestBody, config) {
+  if (config.language.toUpperCase() === 'RUBY') {
+    //console.log('sendSnapshot requestBody', requestBody.snapshot.ruby)
+  }
   const options = _.cloneDeep(this.requestOptions)
   let url = createSnapshotURL(config)
   options.url = url
@@ -195,32 +200,22 @@ HTTPClient.prototype.sendSnapshot = function sendSnapshot(requestBody, config) {
   return requestUtils.sendRequest({ method: 'post', options })
 }
 
-HTTPClient.prototype.getReport = function getReport(config) {
-  const options = _.cloneDeep(this.requestOptions)
-  let url = createReportUrl(config)
-  options.url = url
-
-  return requestUtils.sendRequest({ method: 'get', options })
-}
-
-HTTPClient.prototype.getSpecificReport = function getSpecificReport(
-  config,
-  reportId
-) {
+HTTPClient.prototype.getReportById = function getReportById(config, reportId) {
   const options = _.cloneDeep(this.requestOptions)
-  let url = createSpecificReportUrl(config, reportId)
-  options.url = url
-
+  if (config.ignoreDev) {
+    options.url = createSpecificReportWithProdUrl(config, reportId)
+  } else {
+    options.url = createSpecificReportUrl(config, reportId)
+  }
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
 HTTPClient.prototype.getLibraryVulnerabilities = function getLibraryVulnerabilities(
-  requestBody,
-  config
+  config,
+  requestBody
 ) {
   const options = _.cloneDeep(this.requestOptions)
-  let url = createLibraryVulnerabilitiesUrl(config)
-  options.url = url
+  options.url = createLibraryVulnerabilitiesUrl(config)
   options.body = requestBody
 
   return requestUtils.sendRequest({ method: 'put', options })
@@ -233,16 +228,16 @@ HTTPClient.prototype.getAppId = function getAppId(config) {
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
-HTTPClient.prototype.getDependencyTree = function getReport(
-  orgUuid,
-  appId,
-  reportId
-) {
-  const options = _.cloneDeep(this.requestOptions)
-  let url = createGetDependencyTree(options.uri, orgUuid, appId, reportId)
-  options.url = url
-  return requestUtils.sendRequest({ method: 'get', options })
-}
+// HTTPClient.prototype.getDependencyTree = function getReport(
+//   orgUuid,
+//   appId,
+//   reportId
+// ) {
+//   const options = _.cloneDeep(this.requestOptions)
+//   let url = createGetDependencyTree(options.uri, orgUuid, appId, reportId)
+//   options.url = url
+//   return requestUtils.sendRequest({ method: 'get', options })
+// }
 
 // serverless - lambda
 function getServerlessHost(config = {}) {
@@ -379,22 +374,20 @@ function createLibraryVulnerabilitiesUrl(config) {
   return `${config.host}/Contrast/api/ng/${config.organizationId}/libraries/artifactsByGroupNameVersion`
 }
 
-function createReportUrl(config) {
-  return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/reports`
+function createSpecificReportUrl(config, reportId) {
+  return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/reports/${reportId}`
 }
 
-function createSpecificReportUrl(config, reportId) {
-  return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/reports/${reportId}?nodesToInclude=PROD`
+function createSpecificReportWithProdUrl(config, reportId) {
+  return createSpecificReportUrl(config, reportId).concat(
+    `?nodesToInclude=PROD`
+  )
 }
 
 function createDataUrl() {
   return `https://ardy.contrastsecurity.com/production`
 }
 
-const createGetDependencyTree = (protocol, orgUuid, appId, reportId) => {
-  return `${protocol}/Contrast/api/ng/sca/organizations/${orgUuid}/applications/${appId}/reports/${reportId}`
-}
-
 function createSbomCycloneDXUrl(config) {
   return `${config.host}/Contrast/api/ng/${config.organizationId}/applications/${config.applicationId}/libraries/sbom/cyclonedx`
 }

package/src/common/errorHandling.ts

@@ -1,5 +1,4 @@
 import i18n from 'i18n'
-import { sortBy } from 'lodash'
 
 const handleResponseErrors = (res: any, api: string) => {
   if (res.statusCode === 400) {
@@ -28,30 +27,15 @@ const libraryAnalysisError = () => {
 }
 
 const snapshotFailureError = () => {
-  console.log(
-    '\n ******************************** ' +
-      i18n.__('snapshotFailureHeader') +
-      ' *********************************\n' +
-      i18n.__('snapshotFailureMessage')
-  )
+  console.log(i18n.__('snapshotFailureMessage'))
 }
 
 const vulnerabilitiesFailureError = () => {
-  console.log(
-    '\n ******************************** ' +
-      i18n.__('snapshotFailureHeader') +
-      ' *********************************\n' +
-      i18n.__('vulnerabilitiesFailureMessage')
-  )
+  console.log(i18n.__('vulnerabilitiesFailureMessage'))
 }
 
 const reportFailureError = () => {
-  console.log(
-    '\n ******************************** ' +
-      i18n.__('snapshotFailureHeader') +
-      ' *********************************\n' +
-      i18n.__('reportFailureMessage')
-  )
+  console.log(i18n.__('auditReportFailureMessage'))
 }
 
 const genericError = (missingCliOption: string) => {
@@ -80,10 +64,6 @@ const proxyError = () => {
   generalError('proxyErrorHeader', 'proxyErrorMessage')
 }
 
-const hostWarningError = () => {
-  console.log(i18n.__('snapshotHostMessage'))
-}
-
 const failOptionError = () => {
   console.log(
     '\n ******************************** ' +
@@ -153,10 +133,12 @@ export {
   forbiddenError,
   proxyError,
   failOptionError,
-  hostWarningError,
   generalError,
   getErrorMessage,
   handleResponseErrors,
   libraryAnalysisError,
-  findCommandOnError
+  findCommandOnError,
+  snapshotFailureError,
+  vulnerabilitiesFailureError,
+  reportFailureError
 }

package/src/common/versionChecker.ts

@@ -4,33 +4,35 @@ import boxen from 'boxen'
 import chalk from 'chalk'
 import semver from 'semver'
 
-export async function findLatestCLIVersion() {
-  const latestCLIVersion = await latestVersion('@contrast/contrast')
+export async function findLatestCLIVersion(updateMessageHidden: boolean) {
+  if (!updateMessageHidden) {
+    const latestCLIVersion = await latestVersion('@contrast/contrast')
 
-  if (semver.lt(APP_VERSION, latestCLIVersion)) {
-    const updateAvailableMessage = `Update available ${chalk.yellow(
-      APP_VERSION
-    )} → ${chalk.green(latestCLIVersion)}`
+    if (semver.lt(APP_VERSION, latestCLIVersion)) {
+      const updateAvailableMessage = `Update available ${chalk.yellow(
+        APP_VERSION
+      )} → ${chalk.green(latestCLIVersion)}`
 
-    const npmUpdateAvailableCommand = `Run ${chalk.cyan(
-      'npm i @contrast/contrast -g'
-    )} to update via npm`
+      const npmUpdateAvailableCommand = `Run ${chalk.cyan(
+        'npm i @contrast/contrast -g'
+      )} to update via npm`
 
-    const homebrewUpdateAvailableCommand = `Run ${chalk.cyan(
-      'brew install contrastsecurity/tap/contrast'
-    )} to update via brew`
+      const homebrewUpdateAvailableCommand = `Run ${chalk.cyan(
+        'brew install contrastsecurity/tap/contrast'
+      )} to update via brew`
 
-    console.log(
-      boxen(
-        `${updateAvailableMessage}\n${npmUpdateAvailableCommand}\n\n${homebrewUpdateAvailableCommand}`,
-        {
-          titleAlignment: 'center',
-          margin: 1,
-          padding: 1,
-          align: 'center'
-        }
+      console.log(
+        boxen(
+          `${updateAvailableMessage}\n${npmUpdateAvailableCommand}\n\n${homebrewUpdateAvailableCommand}`,
+          {
+            titleAlignment: 'center',
+            margin: 1,
+            padding: 1,
+            align: 'center'
+          }
+        )
       )
-    )
+    }
   }
 }