@contrast/contrast 1.0.4 → 1.0.5

package/src/scan/fileUtils.js

@@ -11,6 +11,90 @@ const findFile = async () => {
   })
 }
 
+const findFilesJava = async languagesFound => {
+  const result = await fg(
+    ['**/pom.xml', '**/build.gradle', '**/build.gradle.kts'],
+    {
+      dot: false,
+      deep: 1,
+      onlyFiles: true
+    }
+  )
+
+  if (result.length > 0) {
+    return languagesFound.push({ java: result })
+  }
+  return languagesFound
+}
+
+const findFilesJavascript = async languagesFound => {
+  const result = await fg(
+    ['**/package.json', '**/yarn.lock', '**/package.lock.json'],
+    {
+      dot: false,
+      deep: 1,
+      onlyFiles: true
+    }
+  )
+
+  if (result.length > 0) {
+    return languagesFound.push({ javascript: result })
+  }
+  return languagesFound
+}
+
+const findFilesPython = async languagesFound => {
+  const result = await fg(['**/Pipfile.lock', '**/Pipfile'], {
+    dot: false,
+    deep: 3,
+    onlyFiles: true
+  })
+
+  if (result.length > 0) {
+    return languagesFound.push({ python: result })
+  }
+  return languagesFound
+}
+
+const findFilesGo = async languagesFound => {
+  const result = await fg(['**/go.mod'], {
+    dot: false,
+    deep: 3,
+    onlyFiles: true
+  })
+
+  if (result.length > 0) {
+    return languagesFound.push({ go: result })
+  }
+  return languagesFound
+}
+
+const findFilesRuby = async languagesFound => {
+  const result = await fg(['**/Gemfile', '**/Gemfile.lock'], {
+    dot: false,
+    deep: 3,
+    onlyFiles: true
+  })
+
+  if (result.length > 0) {
+    return languagesFound.push({ ruby: result })
+  }
+  return languagesFound
+}
+
+const findFilesPhp = async languagesFound => {
+  const result = await fg(['**/composer.json', '**/composer.lock'], {
+    dot: false,
+    deep: 3,
+    onlyFiles: true
+  })
+
+  if (result.length > 0) {
+    return languagesFound.push({ php: result })
+  }
+  return languagesFound
+}
+
 const checkFilePermissions = file => {
   let readableFile = false
   try {
@@ -29,5 +113,11 @@ const fileExists = path => {
 module.exports = {
   findFile,
   fileExists,
-  checkFilePermissions
+  checkFilePermissions,
+  findFilesJava,
+  findFilesJavascript,
+  findFilesPython,
+  findFilesGo,
+  findFilesPhp,
+  findFilesRuby
 }

package/src/scan/formatScanOutput.ts

@@ -0,0 +1,241 @@
+import { ProjectOverview, ScanResultsModel } from './models/scanResultsModel'
+import i18n from 'i18n'
+import chalk from 'chalk'
+import { ResultContent } from './models/resultContentModel'
+import { GroupedResultsModel } from './models/groupedResultsModel'
+import { sortBy } from 'lodash'
+import Table from 'cli-table3'
+import {
+  CRITICAL_COLOUR,
+  HIGH_COLOUR,
+  LOW_COLOUR,
+  MEDIUM_COLOUR,
+  NOTE_COLOUR
+} from '../constants/constants'
+
+export function formatScanOutput(scanResults: ScanResultsModel) {
+  const { scanResultsInstances } = scanResults
+
+  let projectOverview = getProjectOverview(scanResultsInstances.content)
+  if (scanResultsInstances.content.length === 0) {
+    console.log(i18n.__('scanNoVulnerabilitiesFound'))
+    console.log(i18n.__('scanNoVulnerabilitiesFoundSecureCode'))
+    console.log(i18n.__('scanNoVulnerabilitiesFoundGoodWork'))
+  } else {
+    const message =
+      projectOverview.critical || projectOverview.high
+        ? 'Here are your top priorities to fix'
+        : "No major issues, here's what we found"
+    console.log(chalk.bold(message))
+    console.log()
+
+    let defaultView = getDefaultView(scanResultsInstances.content)
+
+    let count = defaultView.length
+    defaultView.forEach(entry => {
+      let table = new Table({
+        chars: {
+          top: '',
+          'top-mid': '',
+          'top-left': '',
+          'top-right': '',
+          bottom: '',
+          'bottom-mid': '',
+          'bottom-left': '',
+          'bottom-right': '',
+          left: '',
+          'left-mid': '',
+          mid: '',
+          'mid-mid': '',
+          right: '',
+          'right-mid': '',
+          middle: ' '
+        },
+        style: { 'padding-left': 0, 'padding-right': 0 },
+        colAligns: ['right'],
+        wordWrap: true,
+        colWidths: [12, 1, 100]
+      })
+      let learnRow: string[] = []
+      let adviceRow = []
+      let headerRow = [
+        chalk
+          .hex(entry.colour)
+          .bold(`CONTRAST-${count.toString().padStart(3, '0')}`),
+        chalk.hex(entry.colour).bold('-'),
+        chalk.hex(entry.colour).bold(`[${entry.severity}] ${entry.ruleId}`) +
+          entry.message
+      ]
+      let codeRow = [
+        chalk.hex('#F6F5F5').bold(`Code`),
+        chalk.hex('#F6F5F5').bold(`:`),
+        chalk.hex('#F6F5F5').bold(`${entry.codePath}`)
+      ]
+      let issueRow = [chalk.bold(`Issue`), chalk.bold(`:`), `${entry.issue}`]
+
+      table.push(headerRow, codeRow, issueRow)
+
+      if (entry?.advice) {
+        adviceRow = [
+          chalk.bold('Advice'),
+          chalk.bold(`:`),
+          stripTags(entry.advice)
+        ]
+        table.push(adviceRow)
+      }
+
+      if (entry?.learn && entry?.learn.length > 0) {
+        learnRow = [
+          chalk.bold('Learn'),
+          chalk.bold(`:`),
+          chalk.hex('#97f7f7').bold.underline(entry.learn[0])
+        ]
+        table.push(learnRow)
+      }
+      count--
+      console.log(table.toString())
+      console.log()
+    })
+  }
+  printVulnInfo(projectOverview)
+}
+
+function printVulnInfo(projectOverview: any) {
+  const totalVulnerabilities = projectOverview.total
+
+  const vulMessage =
+    totalVulnerabilities === 1 ? `vulnerability` : `vulnerabilities`
+  console.log(chalk.bold(`Found ${totalVulnerabilities} ${vulMessage}`))
+  console.log(
+    i18n.__(
+      'foundDetailedVulnerabilities',
+      String(projectOverview.critical),
+      String(projectOverview.high),
+      String(projectOverview.medium),
+      String(projectOverview.low),
+      String(projectOverview.note)
+    )
+  )
+}
+
+export function getProjectOverview(content: ResultContent[]) {
+  let acc: any = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    note: 0,
+    total: 0
+  }
+  content.forEach((i: ResultContent) => {
+    acc[i.severity.toLowerCase()] += 1
+    acc.total += 1
+    return acc
+  })
+
+  return acc
+}
+
+export function formatLinks(objName: string, entry: any[]) {
+  let line = chalk.bold(objName + '  : ')
+  if (entry.length === 1) {
+    console.log(line + chalk.hex('#97DCF7').bold.underline(entry[0]))
+  } else {
+    console.log(line)
+    entry.forEach(link => {
+      console.log(chalk.hex('#97DCF7').bold.underline(link))
+    })
+  }
+}
+
+export function getDefaultView(content: ResultContent[]) {
+  const groupTypeResults = [] as GroupedResultsModel[]
+
+  content.forEach(resultEntry => {
+    const groupResultsObj = new GroupedResultsModel(resultEntry.ruleId)
+    groupResultsObj.severity = resultEntry.severity
+    groupResultsObj.ruleId = resultEntry.ruleId
+    groupResultsObj.issue = stripTags(resultEntry.issue)
+    groupResultsObj.advice = resultEntry.advice
+    groupResultsObj.learn = resultEntry.learn
+    groupResultsObj.message = resultEntry.message?.text
+      ? editVulName(resultEntry.message.text) +
+        ':' +
+        getSourceLineNumber(resultEntry)
+      : ''
+    groupResultsObj.codePath = getLocationsSyncInfo(resultEntry)
+    groupTypeResults.push(groupResultsObj)
+    assignBySeverity(resultEntry, groupResultsObj)
+  })
+
+  return sortBy(groupTypeResults, ['priority']).reverse()
+}
+export function editVulName(message: string) {
+  return message.substring(message.indexOf(' in '))
+}
+export function getLocationsSyncInfo(resultEntry: ResultContent) {
+  const locationsMessage =
+    resultEntry.locations[0]?.physicalLocation?.artifactLocation?.uri || ''
+  const locationsLineNumber =
+    resultEntry.locations[0]?.physicalLocation?.region?.startLine || ''
+
+  if (!locationsLineNumber) {
+    return '@' + locationsMessage
+  }
+
+  return '@' + locationsMessage + ':' + locationsLineNumber
+}
+
+export function getSourceLineNumber(resultEntry: ResultContent) {
+  const locationsLineNumber =
+    resultEntry.locations[0]?.physicalLocation?.region?.startLine || ''
+  let codeFlowLineNumber = getCodeFlowInfo(resultEntry)
+
+  return codeFlowLineNumber ? codeFlowLineNumber : locationsLineNumber
+}
+
+export function getCodeFlowInfo(resultEntry: ResultContent) {
+  let result: any
+  resultEntry.codeFlows[0]?.threadFlows.forEach((i: { locations: any[] }) => {
+    return (result = i.locations.find(
+      (locations: { importance: string }) =>
+        locations.importance === 'essential'
+    ))
+  })
+
+  return result?.location?.physicalLocation?.region?.startLine
+}
+
+export function stripTags(oldString: string) {
+  return oldString
+    .replace(/\n/g, ' ')
+    .replace(/\s+/g, ' ')
+    .trim()
+}
+
+export function assignBySeverity(
+  entry: ResultContent,
+  assignedObj: GroupedResultsModel
+) {
+  if (entry.severity.toUpperCase() === 'CRITICAL') {
+    assignedObj.priority = 1
+    assignedObj.colour = CRITICAL_COLOUR
+    return assignedObj
+  } else if (entry.severity.toUpperCase() === 'HIGH') {
+    assignedObj.priority = 2
+    assignedObj.colour = HIGH_COLOUR
+    return assignedObj
+  } else if (entry.severity.toUpperCase() === 'MEDIUM') {
+    assignedObj.priority = 3
+    assignedObj.colour = MEDIUM_COLOUR
+    return assignedObj
+  } else if (entry.severity.toUpperCase() === 'LOW') {
+    assignedObj.priority = 4
+    assignedObj.colour = LOW_COLOUR
+    return assignedObj
+  } else if (entry.severity.toUpperCase() === 'NOTE') {
+    assignedObj.priority = 5
+    assignedObj.colour = NOTE_COLOUR
+    return assignedObj
+  }
+}

package/src/scan/help.js

@@ -30,7 +30,9 @@ const scanUsageGuide = commandLineUsage([
       'ff',
       'ignore-cert-errors',
       'verbose',
-      'debug'
+      'debug',
+      'experimental',
+      'application-name'
     ]
   },
   {

package/src/scan/models/groupedResultsModel.ts

@@ -1,18 +1,20 @@
 export class GroupedResultsModel {
   ruleId: string
-  lineInfoSet: Set<string>
+  codePathSet: Set<string>
   cwe?: string[]
-  owasp?: string[]
   reference?: string[]
-  recommendation?: string
   severity?: string
   advice?: string
   learn?: string[]
   issue?: string
-  message?: string
+  priority?: number
+  message?: string | undefined
+  colour: string;
+  codePath?: string;
 
   constructor(ruleId: string) {
     this.ruleId = ruleId
-    this.lineInfoSet = new Set<string>
+    this.colour = '#999999'
+    this.codePathSet = new Set<string>
   }
 }

package/src/scan/models/resultContentModel.ts

@@ -5,7 +5,7 @@ interface ArtifactLocation {
 }
 
 interface Region {
-  startLine: number
+  startLine: string
   snippet: Snippet
 }
 
@@ -52,7 +52,7 @@ export interface CodeFlow {
 }
 
 export interface ResultContent {
-  message: {text: string};
+  message?: {text :string};
   id: string
   organizationId: string
   projectId: string

package/src/scan/scan.ts

@@ -2,10 +2,6 @@ import commonApi from '../utils/commonApi.js'
 import fileUtils from '../scan/fileUtils'
 import i18n from 'i18n'
 import oraWrapper from '../utils/oraWrapper'
-import chalk from 'chalk'
-import { ProjectOverview, ScanResultsModel } from './models/scanResultsModel'
-import { Location, ResultContent } from './models/resultContentModel'
-import { GroupedResultsModel } from './models/groupedResultsModel'
 
 export const allowedFileTypes = ['.jar', '.war', '.js', '.zip', '.exe']
 
@@ -64,129 +60,3 @@ export const sendScan = async (config: any) => {
       })
   }
 }
-
-export function formatScanOutput(scanResults: ScanResultsModel) {
-  const { projectOverview, scanResultsInstances } = scanResults
-
-  if (scanResultsInstances.content.length === 0) {
-    console.log(i18n.__('scanNoVulnerabilitiesFound'))
-  } else {
-    const message =
-      projectOverview.critical || projectOverview.high
-        ? 'Here are your top priorities to fix'
-        : "No major issues, here's what we found"
-    console.log(chalk.bold(message))
-    console.log()
-
-    const groups = getGroups(scanResultsInstances.content)
-
-    groups.forEach(entry => {
-      console.log(
-        chalk.bold(
-          `[ ${entry.severity} ] | ${entry.ruleId} (${entry.lineInfoSet.size}) - ` +
-            `${entry.message}`
-        )
-      )
-
-      let count = 1
-      entry.lineInfoSet.forEach(lineInfo => {
-        console.log(`\t ${count}. ${lineInfo}`)
-        count++
-      })
-
-      if (entry?.issue) {
-        console.log(chalk.bold('Issue' + ': ') + entry.issue)
-      }
-
-      if (entry?.advice) {
-        console.log(chalk.bold('Advice' + ': ') + entry.advice)
-      }
-
-      if (entry?.learn && entry?.learn.length > 0) {
-        formatLinks('Learn', entry.learn)
-      }
-      console.log()
-    })
-
-    printVulnInfo(projectOverview)
-  }
-}
-
-function printVulnInfo(projectOverview: ProjectOverview) {
-  const totalVulnerabilities = getTotalVulns(projectOverview)
-
-  const vulMessage =
-    totalVulnerabilities === 1 ? `vulnerability` : `vulnerabilities`
-  console.log(chalk.bold(`Found ${totalVulnerabilities} ${vulMessage}`))
-  console.log(
-    i18n.__(
-      'foundDetailedVulnerabilities',
-      String(projectOverview.critical),
-      String(projectOverview.high),
-      String(projectOverview.medium),
-      String(projectOverview.low),
-      String(projectOverview.note)
-    )
-  )
-}
-
-function getTotalVulns(projectOverview: ProjectOverview) {
-  return (
-    projectOverview.critical +
-    projectOverview.high +
-    projectOverview.medium +
-    projectOverview.low +
-    projectOverview.note
-  )
-}
-
-export function formatLinks(objName: string, entry: any[]) {
-  console.log(chalk.bold(objName + ':'))
-  entry.forEach(link => {
-    console.log(link)
-  })
-}
-
-export function getGroups(content: ResultContent[]) {
-  const groupTypeSet = new Set(content.map(({ ruleId }) => ruleId))
-  const groupTypeResults = [] as GroupedResultsModel[]
-
-  groupTypeSet.forEach(groupName => {
-    const groupResultsObj = new GroupedResultsModel(groupName)
-
-    content.forEach(resultEntry => {
-      if (resultEntry.ruleId === groupName) {
-        groupResultsObj.severity = resultEntry.severity
-        groupResultsObj.issue = stripMustacheTags(resultEntry.issue)
-        groupResultsObj.advice = resultEntry.advice
-        groupResultsObj.learn = resultEntry.learn
-        groupResultsObj.message = resultEntry.message?.text
-
-        groupResultsObj.lineInfoSet.add(getMessage(resultEntry.locations))
-      }
-    })
-    groupTypeResults.push(groupResultsObj)
-  })
-
-  return groupTypeResults
-}
-
-export function getMessage(locations: Location[]) {
-  const message = locations[0]?.physicalLocation?.artifactLocation?.uri || ''
-  const lineNumber = locations[0]?.physicalLocation?.region?.startLine || ''
-
-  if (!lineNumber) {
-    return '@' + message
-  }
-
-  return '@' + message + ':' + lineNumber
-}
-
-export function stripMustacheTags(oldString: string) {
-  return oldString
-    .replace(/\n/g, ' ')
-    .replace(/{{.*?}}/g, '\n')
-    .replace(/\$\$LINK_DELIM\$\$/g, '\n')
-    .replace(/\s+/g, ' ')
-    .trim()
-}

package/src/scan/scanController.js

@@ -68,8 +68,7 @@ const startScan = async configToUse => {
     console.log(
       `----- Scan completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
     )
-    const projectOverview = await scanResults.returnScanProjectById(configToUse)
-    return { projectOverview, scanDetail, scanResultsInstances }
+    return { scanDetail, scanResultsInstances }
   }
 }
 

package/src/scan/scanResults.js

@@ -47,8 +47,14 @@ const returnScanResults = async (
         }
         if (result.body.status === 'FAILED') {
           complete = true
-          oraFunctions.failSpinner(startScanSpinner, 'Contrast Scan Failed.')
-          console.log(result.body.errorMessage)
+          oraFunctions.failSpinner(
+            startScanSpinner,
+            i18n.__(
+              'scanNotCompleted',
+              'https://docs.contrastsecurity.com/en/binary-package-preparation.html'
+            )
+          )
+          result.body.errorMessage ? console.log(result.body.errorMessage) : ''
           if (
             result.body.errorMessage ===
             'Unable to determine language for code artifact'
@@ -87,23 +93,9 @@ const returnScanResultsInstances = async (config, scanId) => {
   }
 }
 
-const returnScanProjectById = async config => {
-  const client = commonApi.getHttpClient(config)
-  let result
-  try {
-    result = await client.getScanProjectById(config)
-    if (JSON.stringify(result.statusCode) == 200) {
-      return result.body
-    }
-  } catch (e) {
-    console.log(e.message.toString())
-  }
-}
-
 module.exports = {
   getScanId: getScanId,
   returnScanResults: returnScanResults,
   pollScanResults: pollScanResults,
-  returnScanResultsInstances: returnScanResultsInstances,
-  returnScanProjectById: returnScanProjectById
+  returnScanResultsInstances: returnScanResultsInstances
 }