@contrast/contrast 1.0.4 → 1.0.7

package/src/audit/languageAnalysisEngine/report/models/reportLibraryModel.ts

@@ -2,7 +2,7 @@ export class ReportLibraryModel {
   name: string
   cveArray: ReportCVEModel[]
 
-  constructor (name: string, cveArray: ReportCVEModel[]){
+  constructor(name: string, cveArray: ReportCVEModel[]) {
     this.name = name
     this.cveArray = cveArray
   }
@@ -16,12 +16,12 @@ export class ReportCVEModel {
   severityCode?: string
   cvss3SeverityCode?: string
 
-  constructor (
+  constructor(
     name: string,
     description: string,
     severityCode: string,
     cvss3SeverityCode: string
-  ){
+  ) {
     this.name = name
     this.description = description
     this.severityCode = severityCode

package/src/audit/languageAnalysisEngine/report/models/reportListModel.ts

@@ -1,32 +1,36 @@
-import {ReportSeverityModel} from "./reportSeverityModel";
-import {ReportCVEModel} from "./reportLibraryModel";
+import { ReportSeverityModel } from './reportSeverityModel'
+import { ReportCVEModel } from './reportLibraryModel'
 
 export class ReportList {
   reportOutputList: ReportModelStructure[]
 
-  constructor (){
+  constructor() {
     this.reportOutputList = []
   }
 }
 
 export class ReportModelStructure {
-  compositeKey: ReportCompositeKey;
-  cveArray: ReportCVEModel[];
+  compositeKey: ReportCompositeKey
+  cveArray: ReportCVEModel[]
 
-  constructor (compositeKey: ReportCompositeKey, cveArray: ReportCVEModel[]){
+  constructor(compositeKey: ReportCompositeKey, cveArray: ReportCVEModel[]) {
     this.compositeKey = compositeKey
     this.cveArray = cveArray
   }
 }
 
 export class ReportCompositeKey {
-  libraryName!: string;
-  libraryVersion!: string;
-  highestSeverity!: ReportSeverityModel;
+  libraryName!: string
+  libraryVersion!: string
+  highestSeverity!: ReportSeverityModel
 
-  constructor (libraryName: string, libraryVersion: string, highestSeverity: ReportSeverityModel){
+  constructor(
+    libraryName: string,
+    libraryVersion: string,
+    highestSeverity: ReportSeverityModel
+  ) {
     this.libraryName = libraryName
     this.libraryVersion = libraryVersion
     this.highestSeverity = highestSeverity
   }
-}
+}

package/src/audit/languageAnalysisEngine/report/models/reportOutputModel.ts

@@ -0,0 +1,29 @@
+export class ReportOutputModel {
+  header: ReportOutputHeaderModel
+  body: ReportOutputBodyModel
+
+  constructor(header: ReportOutputHeaderModel, body: ReportOutputBodyModel) {
+    this.header = header
+    this.body = body
+  }
+}
+
+export class ReportOutputHeaderModel {
+  vulnMessage: string
+  introducesMessage: string
+
+  constructor(vulnMessage: string, introducesMessage: string) {
+    this.vulnMessage = vulnMessage
+    this.introducesMessage = introducesMessage
+  }
+}
+
+export class ReportOutputBodyModel {
+  issueMessage: string
+  adviceMessage: string
+
+  constructor(bodyIssueMessage: string, bodyAdviceMessage: string) {
+    this.issueMessage = bodyIssueMessage
+    this.adviceMessage = bodyAdviceMessage
+  }
+}

package/src/audit/languageAnalysisEngine/report/models/reportSeverityModel.ts

@@ -1,9 +1,18 @@
 export class ReportSeverityModel {
-  severity!: string
-  priority!: number
+  severity: string
+  priority: number
+  outputColour: string
+  cveName: string
 
-  constructor(severity: string, priority: number) {
+  constructor(
+    severity: string,
+    priority: number,
+    outputColour: string,
+    cveName: string
+  ) {
     this.severity = severity
     this.priority = priority
+    this.outputColour = outputColour
+    this.cveName = cveName
   }
 }

package/src/audit/languageAnalysisEngine/report/models/severityCountModel.ts

@@ -0,0 +1,16 @@
+export class SeverityCountModel {
+  critical!: number
+  high!: number
+  medium!: number
+  low!: number
+  note!: number
+
+  //needed as default to stop NaN when new object constructed
+  constructor() {
+    this.critical = 0
+    this.high = 0
+    this.medium = 0
+    this.low = 0
+    this.note = 0
+  }
+}

package/src/audit/languageAnalysisEngine/report/reportingFeature.ts

@@ -5,7 +5,7 @@ import {
 } from './commonReportingFunctions'
 import {
   convertGenericToTypedLibraries,
-  severityCount
+  severityCountAllLibraries
 } from './utils/reportUtils'
 
 export async function vulnerabilityReport(
@@ -41,7 +41,7 @@ export function formatVulnerabilityOutput(
   let numberOfCves = 0
   vulnerableLibraries.forEach(lib => (numberOfCves += lib.cveArray.length))
 
-  createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves, name)
+  createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves)
 
   const hasSomeVulnerabilitiesReported = printVulnerabilityResponse(
     vulnerableLibraries,
@@ -51,6 +51,6 @@ export function formatVulnerabilityOutput(
   return [
     hasSomeVulnerabilitiesReported,
     numberOfCves,
-    severityCount(vulnerableLibraries)
+    severityCountAllLibraries(vulnerableLibraries)
   ]
 }

package/src/audit/languageAnalysisEngine/report/utils/reportUtils.ts

@@ -4,42 +4,66 @@ import {
 } from '../models/reportLibraryModel'
 import { ReportSeverityModel } from '../models/reportSeverityModel'
 import languageAnalysisEngine from '../../../languageAnalysisEngine/constants'
+import {
+  CRITICAL_COLOUR,
+  CRITICAL_PRIORITY,
+  HIGH_COLOUR,
+  HIGH_PRIORITY,
+  LOW_COLOUR,
+  LOW_PRIORITY,
+  MEDIUM_COLOUR,
+  MEDIUM_PRIORITY,
+  NOTE_COLOUR,
+  NOTE_PRIORITY
+} from '../../../../constants/constants'
+import { orderBy } from 'lodash'
+import { SeverityCountModel } from '../models/severityCountModel'
 const {
   supportedLanguages: { GO }
 } = languageAnalysisEngine
 
 export function findHighestSeverityCVE(cveArray: ReportCVEModel[]) {
-  if (
-    cveArray.find(
-      cve =>
-        cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL'
-    )
-  ) {
-    return new ReportSeverityModel('CRITICAL', 1)
-  } else if (
-    cveArray.find(
-      cve => cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH'
+  const mappedToReportSeverityModels = cveArray.map(cve => findCVESeverity(cve))
+
+  //order and get first
+  return orderBy(mappedToReportSeverityModels, cve => cve?.priority)[0]
+}
+
+export function findCVESeveritiesAndOrderByHighestPriority(
+  cves: ReportCVEModel[]
+) {
+  return orderBy(
+    cves.map(cve => findCVESeverity(cve)),
+    ['priority'],
+    ['asc']
+  )
+}
+
+export function findCVESeverity(cve: ReportCVEModel) {
+  const cveName = cve.name as string
+  if (cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL') {
+    return new ReportSeverityModel(
+      'CRITICAL',
+      CRITICAL_PRIORITY,
+      CRITICAL_COLOUR,
+      cveName
     )
-  ) {
-    return new ReportSeverityModel('HIGH', 2)
+  } else if (cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH') {
+    return new ReportSeverityModel('HIGH', HIGH_PRIORITY, HIGH_COLOUR, cveName)
   } else if (
-    cveArray.find(
-      cve => cve.cvss3SeverityCode === 'MEDIUM' || cve.severityCode === 'MEDIUM'
-    )
+    cve.cvss3SeverityCode === 'MEDIUM' ||
+    cve.severityCode === 'MEDIUM'
   ) {
-    return new ReportSeverityModel('MEDIUM', 3)
-  } else if (
-    cveArray.find(
-      cve => cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW'
+    return new ReportSeverityModel(
+      'MEDIUM',
+      MEDIUM_PRIORITY,
+      MEDIUM_COLOUR,
+      cveName
     )
-  ) {
-    return new ReportSeverityModel('LOW', 4)
-  } else if (
-    cveArray.find(
-      cve => cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE'
-    )
-  ) {
-    return new ReportSeverityModel('NOTE', 5)
+  } else if (cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW') {
+    return new ReportSeverityModel('LOW', LOW_PRIORITY, LOW_COLOUR, cveName)
+  } else if (cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE') {
+    return new ReportSeverityModel('NOTE', NOTE_PRIORITY, NOTE_COLOUR, cveName)
   }
 }
 
@@ -49,45 +73,43 @@ export function convertGenericToTypedLibraries(libraries: any) {
   })
 }
 
-export function severityCount(vulnerableLibraries: ReportLibraryModel[]) {
-  const severityCount = {
-    critical: 0,
-    high: 0,
-    medium: 0,
-    low: 0,
-    note: 0
-  }
+export function severityCountAllLibraries(
+  vulnerableLibraries: ReportLibraryModel[]
+) {
+  const severityCount = new SeverityCountModel()
+  vulnerableLibraries.forEach(lib =>
+    severityCountAllCVEs(lib.cveArray, severityCount)
+  )
+  return severityCount
+}
 
-  vulnerableLibraries.forEach(lib => {
-    lib.cveArray.forEach(cve => {
-      if (
-        cve.cvss3SeverityCode === 'CRITICAL' ||
-        cve.severityCode === 'CRITICAL'
-      ) {
-        severityCount['critical'] += 1
-      } else if (
-        cve.cvss3SeverityCode === 'HIGH' ||
-        cve.severityCode === 'HIGH'
-      ) {
-        severityCount['high'] += 1
-      } else if (
-        cve.cvss3SeverityCode === 'MEDIUM' ||
-        cve.severityCode === 'MEDIUM'
-      ) {
-        severityCount['medium'] += 1
-      } else if (
-        cve.cvss3SeverityCode === 'LOW' ||
-        cve.severityCode === 'LOW'
-      ) {
-        severityCount['low'] += 1
-      } else if (
-        cve.cvss3SeverityCode === 'NOTE' ||
-        cve.severityCode === 'NOTE'
-      ) {
-        severityCount['note'] += 1
-      }
-    })
-  })
+export function severityCountAllCVEs(
+  cveArray: ReportCVEModel[],
+  severityCount: SeverityCountModel
+) {
+  const severityCountInner = severityCount
+  cveArray.forEach(cve => severityCountSingleCVE(cve, severityCountInner))
+  return severityCountInner
+}
+
+export function severityCountSingleCVE(
+  cve: ReportCVEModel,
+  severityCount: SeverityCountModel
+) {
+  if (cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL') {
+    severityCount.critical += 1
+  } else if (cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH') {
+    severityCount.high += 1
+  } else if (
+    cve.cvss3SeverityCode === 'MEDIUM' ||
+    cve.severityCode === 'MEDIUM'
+  ) {
+    severityCount.medium += 1
+  } else if (cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW') {
+    severityCount.low += 1
+  } else if (cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE') {
+    severityCount.note += 1
+  }
 
   return severityCount
 }

package/src/audit/languageAnalysisEngine/sendSnapshot.js

@@ -1,23 +1,14 @@
-const prettyjson = require('prettyjson')
-const i18n = require('i18n')
-const { getHttpClient } = require('../../utils/commonApi')
 const { handleResponseErrors } = require('../../common/errorHandling')
 const { APP_VERSION } = require('../../constants/constants')
+const commonApi = require('../../utils/commonApi')
+const _ = require('lodash')
+const oraFunctions = require('../../utils/oraWrapper')
+const i18n = require('i18n')
+const oraWrapper = require('../../utils/oraWrapper')
+const requestUtils = require('../../utils/requestUtils')
+const { performance } = require('perf_hooks')
 
-function displaySnapshotSuccessMessage(config) {
-  console.log(
-    '\n **************************' +
-      i18n.__('successHeader') +
-      '************************** '
-  )
-  console.log('\n' + i18n.__('snapshotSuccessMessage') + '\n')
-  console.log(
-    ` ${config.host}/Contrast/static/ng/index.html#/${config.organizationId}/applications/${config.applicationId}/libs/dependency-tree`
-  )
-  console.log('\n ***********************************************************')
-}
-
-const newSendSnapShot = async (analysis, applicationId) => {
+const newSendSnapShot = async analysis => {
   const analysisLanguage = analysis.config.language.toLowerCase()
   const requestBody = {
     appID: analysis.config.applicationId,
@@ -25,18 +16,12 @@ const newSendSnapShot = async (analysis, applicationId) => {
     snapshot: { [analysisLanguage]: analysis[analysisLanguage] }
   }
 
-  const client = getHttpClient(analysis.config)
+  const client = commonApi.getHttpClient(analysis.config)
 
   return client
     .sendSnapshot(requestBody, analysis.config)
     .then(res => {
-      // if (!analysis.config.silent) {
-      //   console.log(prettyjson.render(requestBody))
-      // }
       if (res.statusCode === 201) {
-        if (analysis.config.host !== 'https://ce.contrastsecurity.com/') {
-          displaySnapshotSuccessMessage(analysis.config)
-        }
         return res.body
       } else {
         handleResponseErrors(res, 'snapshot')
@@ -47,7 +32,75 @@ const newSendSnapShot = async (analysis, applicationId) => {
     })
 }
 
+const pollSnapshotResults = async (config, snapshotId, client) => {
+  await requestUtils.sleep(5000)
+  return client
+    .getReportStatusById(config, snapshotId)
+    .then(res => {
+      return res
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+const getTimeout = config => {
+  if (config.timeout) {
+    return config.timeout
+  } else {
+    if (config.verbose) {
+      console.log('Timeout set to 2 minutes')
+    }
+    return 120
+  }
+}
+
+const pollForSnapshotCompletition = async (
+  config,
+  snapshotId,
+  reportSpinner
+) => {
+  const client = commonApi.getHttpClient(config)
+  const startTime = performance.now()
+  const timeout = getTimeout(config)
+
+  let complete = false
+  if (!_.isNil(snapshotId)) {
+    while (!complete) {
+      let result = await pollSnapshotResults(config, snapshotId, client)
+      if (result.statusCode === 200) {
+        if (result.body.status === 'PROCESSED') {
+          complete = true
+          return result.body
+        }
+        if (result.body.status === 'FAILED') {
+          complete = true
+          if (config.debug) {
+            oraFunctions.failSpinner(
+              reportSpinner,
+              i18n.__('auditNotCompleted')
+            )
+          }
+          console.log(result.body.errorMessage)
+          oraWrapper.stopSpinner(reportSpinner)
+          console.log('Contrast audit finished')
+          process.exit(1)
+        }
+      }
+      const endTime = performance.now() - startTime
+      if (requestUtils.millisToSeconds(endTime) > timeout) {
+        oraFunctions.failSpinner(
+          reportSpinner,
+          'Contrast audit timed out at the specified ' + timeout + ' seconds.'
+        )
+        console.log('Please try again, allowing more time.')
+        process.exit(1)
+      }
+    }
+  }
+}
+
 module.exports = {
   newSendSnapShot: newSendSnapShot,
-  displaySnapshotSuccessMessage: displaySnapshotSuccessMessage
+  pollForSnapshotCompletition: pollForSnapshotCompletition
 }

package/src/commands/audit/auditConfig.ts

@@ -2,6 +2,10 @@ import paramHandler from '../../utils/paramsUtil/paramHandler'
 import constants from '../../constants'
 import cliOptions from '../../utils/parsedCLIOptions'
 import languageAnalysisEngine from '../../audit/languageAnalysisEngine/constants'
+import {
+  determineProjectLanguage,
+  identifyLanguages
+} from '../../audit/autodetection/autoDetectLanguage'
 
 const {
   supportedLanguages: { NODE, JAVASCRIPT }
@@ -18,9 +22,14 @@ export const getAuditConfig = (argv: string[]): { [key: string]: string } => {
     auditParameters.language === undefined ||
     auditParameters.language === null
   ) {
-    //error no language
-    console.log('error, --language parameter is required')
-    process.exit(1)
+    try {
+      auditParameters.language = determineProjectLanguage(
+        identifyLanguages(auditParameters)
+      )
+    } catch (err: any) {
+      console.log(err.message)
+      process.exit(1)
+    }
   } else if (auditParameters.language.toUpperCase() === JAVASCRIPT) {
     auditParameters.language = NODE.toLowerCase()
   }

package/src/commands/audit/auditController.ts

@@ -3,20 +3,26 @@ import commonApi from '../../audit/languageAnalysisEngine/commonApi'
 
 const identifyLanguageAE = require('./../../audit/languageAnalysisEngine')
 const languageFactory = require('../../audit/languageAnalysisEngine/languageAnalysisFactory')
+const { v4: uuidv4 } = require('uuid')
 
-const dealWithNoAppId = async (config: { [x: string]: string }) => {
-  let appID
+export const dealWithNoAppId = async (config: { [x: string]: string }) => {
+  let appID: string
   try {
+    // @ts-ignore
     appID = await commonApi.returnAppId(config)
     if (!appID && config.applicationName) {
       return await catalogueApplication(config)
     }
+    if (!appID && !config.applicationName) {
+      config.applicationName = uuidv4()
+      return await catalogueApplication(config)
+    }
     // @ts-ignore
   } catch (e) {
     // @ts-ignore
     if (e.toString().includes('tunneling socket could not be established')) {
       // @ts-ignore
-      console.log(e.message)
+      console.log(e.message.toString())
       console.log(
         'There seems to be an issue with your proxy, please check and try again'
       )

package/src/commands/audit/processAudit.ts

@@ -7,9 +7,12 @@ export type parameterInput = string[]
 export const processAudit = async (argv: parameterInput) => {
   if (argv.indexOf('--help') != -1) {
     printHelpMessage()
-    process.exit(1)
+    process.exit(0)
   }
   const config = getAuditConfig(argv)
+
+  // console.log(config)
+
   const auditResults = await startAudit(config)
 }
 

package/src/commands/scan/processScan.js

@@ -1,15 +1,21 @@
-const { startScan } = require('../../scan/scanController')
-const { scanUsageGuide } = require('../../scan/help')
 const scanConfig = require('../../scan/scanConfig')
+const { startScan } = require('../../scan/scanController')
 const { saveScanFile } = require('../../utils/saveFile')
 const { ScanResultsModel } = require('../../scan/models/scanResultsModel')
-const { formatScanOutput } = require('../../scan/scan')
+const { formatScanOutput } = require('../../scan/formatScanOutput')
+const { processSca } = require('./sca/scaAnalysis')
 
 const processScan = async argvMain => {
   let config = scanConfig.getScanConfig(argvMain)
+  // console.log(config)
+  //try SCA analysis first
+  if (config.experimental) {
+    await processSca(config)
+  }
 
   let scanResults = new ScanResultsModel(await startScan(config))
-  if (scanResults) {
+
+  if (scanResults.scanResultsInstances !== undefined) {
     formatScanOutput(scanResults)
   }
 

package/src/commands/scan/sca/scaAnalysis.js

@@ -0,0 +1,83 @@
+const autoDetection = require('../../../scan/autoDetection')
+const javaAnalysis = require('../../../scaAnalysis/java')
+const treeUpload = require('../../../scaAnalysis/common/treeUpload')
+const {
+  manualDetectAuditFilesAndLanguages
+} = require('../../../scan/autoDetection')
+const auditController = require('../../audit/auditController')
+const {
+  supportedLanguages: { JAVA, GO, RUBY, PYTHON }
+} = require('../../../audit/languageAnalysisEngine/constants')
+const goAnalysis = require('../../../scaAnalysis/go/goAnalysis')
+const { rubyAnalysis } = require('../../../scaAnalysis/ruby')
+const { pythonAnalysis } = require('../../../scaAnalysis/python')
+
+const processSca = async config => {
+  let filesFound
+  if (config.projectPath) {
+    filesFound = manualDetectAuditFilesAndLanguages(config.projectPath)
+  } else {
+    filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config)
+    config.projectPath = process.cwd()
+  }
+
+  // files found looks like [ { javascript: [ Array ] } ]
+  //check we have the language and call the right analyser
+  //refactor new analyser and see if we can clean it up
+  let messageToSend = undefined
+  if (filesFound.length === 1) {
+    switch (Object.keys(filesFound[0])[0]) {
+      case JAVA:
+        messageToSend = javaAnalysis.javaAnalysis(config, filesFound[0])
+        config.language = JAVA
+        break
+      // case 'javascript':
+      //     // code block
+      //     break;
+      // case 'dotnet':
+      //     // code block
+      //     break;
+      case RUBY:
+        messageToSend = rubyAnalysis(config, filesFound[0])
+        config.language = RUBY
+        break
+      case PYTHON:
+        messageToSend = pythonAnalysis(config, filesFound[0])
+        config.language = PYTHON
+        break
+      // case 'ruby':
+      //     // code block
+      //     break;
+      // case 'php':
+      //     // code block
+      //     break;
+      case GO:
+        messageToSend = goAnalysis.goAnalysis(config, filesFound[0])
+        config.language = GO
+        break
+      default:
+        //something is wrong
+        console.log('language detected not supported')
+        return
+    }
+
+    if (!config.applicationId) {
+      config.applicationId = await auditController.dealWithNoAppId(config)
+    }
+    //send message to TS
+    console.log('processing dependencies')
+    const response = await treeUpload.commonSendSnapShot(messageToSend, config)
+  } else {
+    if (filesFound.length === 0) {
+      console.log('no compatible dependency files detected. Continuing...')
+    } else {
+      console.log(
+        'multiple language files detected, please use --project-path to specify a directory or the file where dependencies are declared'
+      )
+    }
+  }
+}
+
+module.exports = {
+  processSca
+}