@contrast/contrast 1.0.5 → 1.0.6

package/dist/scaAnalysis/java/analysis.js

@@ -21,7 +21,7 @@ const determineProjectTypeAndCwd = (files, projectPath) => {
     }
     return projectData;
 };
-const buildMaven = async (config, projectData, timeout) => {
+const buildMaven = (config, projectData, timeout) => {
     let cmdStdout;
     let mvn_settings = '';
     try {
@@ -35,16 +35,7 @@ const buildMaven = async (config, projectData, timeout) => {
         return cmdStdout.toString();
     }
     catch (err) {
-        try {
-            child_process.execSync('mvn --version', {
-                cwd: projectData.cwd,
-                timeout
-            });
-            throw new Error(i18n.__('mavenDependencyTreeNonZero', projectData.cwd, `${err.message}`));
-        }
-        catch (mvnErr) {
-            throw new Error(i18n.__('mavenNotInstalledError', projectData.cwd, `${mvnErr.message}`));
-        }
+        throw new Error(i18n.__('mavenDependencyTreeNonZero', projectData.cwd, `${err.message}`));
     }
 };
 const buildGradle = (config, projectData, timeout) => {
@@ -78,7 +69,7 @@ const buildGradle = (config, projectData, timeout) => {
                 timeout
             });
         }
-        output.mvnDependancyTreeOutput = cmdStdout.toString();
+        output = cmdStdout.toString();
         return output;
     }
     catch (err) {
@@ -91,7 +82,7 @@ const buildGradle = (config, projectData, timeout) => {
         }
     }
 };
-const getJavaBuildDeps = async (config, files) => {
+const getJavaBuildDeps = (config, files) => {
     const timeout = 960000;
     let output = {
         mvnDependancyTreeOutput: undefined,
@@ -100,7 +91,7 @@ const getJavaBuildDeps = async (config, files) => {
     try {
         const projectData = determineProjectTypeAndCwd(files, config.projectPath);
         if (projectData.projectType === MAVEN) {
-            output.mvnDependancyTreeOutput = await buildMaven(config, projectData, timeout);
+            output.mvnDependancyTreeOutput = buildMaven(config, projectData, timeout);
         }
         else if (projectData.projectType === GRADLE) {
             output.mvnDependancyTreeOutput = buildGradle(config, projectData, timeout);
@@ -109,6 +100,7 @@ const getJavaBuildDeps = async (config, files) => {
         return output;
     }
     catch (err) {
+        console.log(err.message.toString());
     }
 };
 module.exports = {

package/dist/scaAnalysis/java/index.js

@@ -1,16 +1,16 @@
 "use strict";
-const { getJavaBuildDeps } = require('./analysis');
+const analysis = require('./analysis');
 const { parseBuildDeps } = require('./javaBuildDepsParser');
 const { createJavaTSMessage } = require('../common/formatMessage');
-const javaAnalysis = async (config, languageFiles) => {
+const javaAnalysis = (config, languageFiles) => {
     languageFiles.java.forEach(file => {
         file.replace('build.gradle.kts', 'build.gradle');
     });
-    const javaDeps = await buildJavaTree(config, languageFiles.java);
+    const javaDeps = buildJavaTree(config, languageFiles.java);
     return createJavaTSMessage(javaDeps);
 };
-const buildJavaTree = async (config, files) => {
-    const javaBuildDeps = await getJavaBuildDeps(config, files);
+const buildJavaTree = (config, files) => {
+    const javaBuildDeps = analysis.getJavaBuildDeps(config, files);
     return parseBuildDeps(config, javaBuildDeps);
 };
 module.exports = {

package/dist/scaAnalysis/java/javaBuildDepsParser.js

@@ -322,5 +322,18 @@ const parseGradle = (gradleDependencyTreeOutput, config, projectType) => {
     }
 };
 module.exports = {
-    parseBuildDeps
+    parseBuildDeps,
+    shaveOutput,
+    validateIndentation,
+    calculateLevels,
+    lastChild,
+    hasChildren,
+    getElementHeader,
+    createElement,
+    stripElement,
+    checkVersion,
+    computeRelationToLastElement,
+    addIndentation,
+    computeLevel,
+    computeIndentation
 };

package/dist/scan/formatScanOutput.js

@@ -12,7 +12,7 @@ const cli_table3_1 = __importDefault(require("cli-table3"));
 const constants_1 = require("../constants/constants");
 function formatScanOutput(scanResults) {
     const { scanResultsInstances } = scanResults;
-    let projectOverview = getProjectOverview(scanResultsInstances.content);
+    let projectOverview = getProjectOverview(scanResultsInstances);
     if (scanResultsInstances.content.length === 0) {
         console.log(i18n_1.default.__('scanNoVulnerabilitiesFound'));
         console.log(i18n_1.default.__('scanNoVulnerabilitiesFoundSecureCode'));
@@ -97,7 +97,7 @@ function printVulnInfo(projectOverview) {
     console.log(chalk_1.default.bold(`Found ${totalVulnerabilities} ${vulMessage}`));
     console.log(i18n_1.default.__('foundDetailedVulnerabilities', String(projectOverview.critical), String(projectOverview.high), String(projectOverview.medium), String(projectOverview.low), String(projectOverview.note)));
 }
-function getProjectOverview(content) {
+function getProjectOverview(scanResultsInstances) {
     let acc = {
         critical: 0,
         high: 0,
@@ -106,11 +106,14 @@ function getProjectOverview(content) {
         note: 0,
         total: 0
     };
-    content.forEach((i) => {
-        acc[i.severity.toLowerCase()] += 1;
-        acc.total += 1;
-        return acc;
-    });
+    if (scanResultsInstances?.content &&
+        scanResultsInstances.content.length > 0) {
+        scanResultsInstances.content.forEach((i) => {
+            acc[i.severity.toLowerCase()] += 1;
+            acc.total += 1;
+            return acc;
+        });
+    }
     return acc;
 }
 exports.getProjectOverview = getProjectOverview;

package/dist/scan/scan.js

@@ -41,15 +41,16 @@ const sendScan = async (config) => {
             }
             else {
                 if (config.debug) {
-                    console.log(res.statusCode);
                     console.log(config);
+                    oraWrapper_1.default.failSpinner(startUploadSpinner, i18n_1.default.__('uploadingScanFail'));
+                    console.log(i18n_1.default.__('genericServiceError', res.statusCode));
                 }
-                oraWrapper_1.default.failSpinner(startUploadSpinner, i18n_1.default.__('uploadingScanFail'));
                 if (res.statusCode === 403) {
                     console.log(i18n_1.default.__('permissionsError'));
                     process.exit(1);
                 }
-                console.log(i18n_1.default.__('genericServiceError', res.statusCode));
+                oraWrapper_1.default.stopSpinner(startUploadSpinner);
+                console.log('Contrast Scan Finished');
                 process.exit(1);
             }
         })

package/dist/scan/scanController.js

@@ -1,6 +1,6 @@
 "use strict";
 const i18n = require('i18n');
-const { returnOra, startSpinner, succeedSpinner } = require('../utils/oraWrapper');
+const { returnOra, startSpinner, succeedSpinner, stopSpinner } = require('../utils/oraWrapper');
 const populateProjectIdAndProjectName = require('./populateProjectIdAndProjectName');
 const scan = require('./scan');
 const scanResults = require('./scanResults');
@@ -46,9 +46,16 @@ const startScan = async (configToUse) => {
         const scanResultsInstances = await scanResults.returnScanResultsInstances(configToUse, scanDetail.id);
         const endTime = performance.now();
         const scanDurationMs = endTime - startTime;
-        succeedSpinner(startScanSpinner, 'Contrast Scan complete');
-        console.log(`----- Scan completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`);
-        return { scanDetail, scanResultsInstances };
+        if (scanResultsInstances.statusCode !== 200) {
+            stopSpinner(startScanSpinner);
+            console.log('Result Service is unavailable, please try again later');
+            process.exit(1);
+        }
+        else {
+            succeedSpinner(startScanSpinner, 'Contrast Scan complete');
+            console.log(`----- Scan completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`);
+            return { scanDetail, scanResultsInstances: scanResultsInstances.body };
+        }
     }
 };
 module.exports = {

package/dist/scan/scanResults.js

@@ -4,6 +4,7 @@ const requestUtils = require('../../src/utils/requestUtils');
 const oraFunctions = require('../utils/oraWrapper');
 const _ = require('lodash');
 const i18n = require('i18n');
+const oraWrapper = require('../utils/oraWrapper');
 const getScanId = async (config, codeArtifactId, client) => {
     return client
         .getScanId(config, codeArtifactId)
@@ -40,12 +41,16 @@ const returnScanResults = async (config, codeArtifactId, timeout, startScanSpinn
                 }
                 if (result.body.status === 'FAILED') {
                     complete = true;
-                    oraFunctions.failSpinner(startScanSpinner, i18n.__('scanNotCompleted', 'https://docs.contrastsecurity.com/en/binary-package-preparation.html'));
-                    result.body.errorMessage ? console.log(result.body.errorMessage) : '';
-                    if (result.body.errorMessage ===
+                    if (config.debug) {
+                        oraFunctions.failSpinner(startScanSpinner, i18n.__('scanNotCompleted', 'https://docs.contrastsecurity.com/en/binary-package-preparation.html'));
+                    }
+                    if (result?.body?.errorMessage ===
                         'Unable to determine language for code artifact') {
+                        console.log(result.body.errorMessage);
                         console.log('Try scanning again using --language param. ', i18n.__('scanOptionsLanguageSummary'));
                     }
+                    oraWrapper.stopSpinner(startScanSpinner);
+                    console.log('Contrast Scan Finished');
                     process.exit(1);
                 }
             }
@@ -64,11 +69,16 @@ const returnScanResultsInstances = async (config, scanId) => {
     try {
         result = await client.getScanResultsInstances(config, scanId);
         if (JSON.stringify(result.statusCode) == 200) {
-            return result.body;
+            return { body: result.body, statusCode: result.statusCode };
+        }
+        if (JSON.stringify(result.statusCode) == 503) {
+            return { statusCode: result.statusCode };
         }
     }
     catch (e) {
-        console.log(e.message.toString());
+        if (config.debug) {
+            console.log(e.message.toString());
+        }
     }
 };
 module.exports = {

package/dist/utils/oraWrapper.js

@@ -6,6 +6,9 @@ const returnOra = text => {
 const startSpinner = spinner => {
     spinner.start();
 };
+const stopSpinner = spinner => {
+    spinner.stop();
+};
 const succeedSpinner = (spinner, text) => {
     spinner.succeed(text);
 };
@@ -16,5 +19,6 @@ module.exports = {
     returnOra,
     startSpinner,
     succeedSpinner,
-    failSpinner
+    failSpinner,
+    stopSpinner
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {

package/src/audit/languageAnalysisEngine/reduceIdentifiedLanguages.js

@@ -72,7 +72,7 @@ const deduceLanguageScaAnalysis = filenames => {
     //
     if (isNodeLockFilename(filename)) {
       deducedLanguages.push(filename)
-      language = node
+      language = NODE
     }
     //
     // if (isRubyLockFilename(filename)) {
@@ -88,10 +88,11 @@ const deduceLanguageScaAnalysis = filenames => {
     //   deducedLanguages.push({language: PHP, lockFilename: filename})
     // }
     //
-    // // go does not have a lockfile, it should have a go.mod file containing the modules
-    // if (isGoProjectFilename(filename)) {
-    //   deducedLanguages.push({language: GO, projectFilename: filename})
-    // }
+    // go does not have a lockfile, it should have a go.mod file containing the modules
+    if (isGoProjectFilename(filename)) {
+      deducedLanguages.push({ language: GO, projectFilename: filename })
+      language = GO
+    }
   })
   let identifiedLanguages = { [language]: deducedLanguages }
 

package/src/audit/languageAnalysisEngine/report/commonReportingFunctions.ts

@@ -7,8 +7,19 @@ import {
 import { ReportSeverityModel } from './models/reportSeverityModel'
 import { orderBy } from 'lodash'
 import chalk from 'chalk'
-import { ReportLibraryModel } from './models/reportLibraryModel'
-import { findHighestSeverityCVE, findNameAndVersion } from './utils/reportUtils'
+import { ReportCVEModel, ReportLibraryModel } from './models/reportLibraryModel'
+import {
+  findCVESeveritiesAndOrderByHighestPriority,
+  findHighestSeverityCVE,
+  findNameAndVersion,
+  severityCountAllCVEs
+} from './utils/reportUtils'
+import {SeverityCountModel} from "./models/severityCountModel";
+import {
+  ReportOutputBodyModel,
+  ReportOutputHeaderModel,
+  ReportOutputModel
+} from "./models/reportOutputModel";
 
 export const createLibraryHeader = (
   id: string,
@@ -78,28 +89,116 @@ export const printFormattedOutput = (
     report.reportOutputList.push(newOutputModel)
   }
 
-  const orderedOutputList = orderBy(
+  const orderedOutputListLowestFirst = orderBy(
     report.reportOutputList,
-    reportListItem => reportListItem.compositeKey.highestSeverity.priority
+    reportListItem => reportListItem.compositeKey.highestSeverity.priority,
+    ['desc']
   )
 
-  for (const reportModel of orderedOutputList) {
-    const name = reportModel.compositeKey.libraryName
-    const version = reportModel.compositeKey.libraryVersion
-    const highestSeverity = reportModel.compositeKey.highestSeverity.severity
-
+  let contrastHeaderNumCounter = 0
+  for (const reportModel of orderedOutputListLowestFirst) {
+    contrastHeaderNumCounter++
+    const {libraryName, libraryVersion, highestSeverity} = reportModel.compositeKey
     const numOfCVEs = reportModel.cveArray.length
 
-    const cveNames: string[] = []
-
-    reportModel.cveArray.forEach(cve => cveNames.push(cve.name as string))
+    const header = buildHeader(
+      highestSeverity,
+      contrastHeaderNumCounter,
+      libraryName,
+      libraryVersion,
+      numOfCVEs
+    )
 
-    const boldHeader = chalk.bold(`${highestSeverity} | Vulnerable Library`)
-    const cvePluralised = numOfCVEs > 1 ? 'CVEs' : 'CVE'
-    console.log(
-      `\n ${boldHeader} ${name} (${version}) has ${numOfCVEs} known ${cvePluralised}`
+    const body = buildBody(
+      reportModel.cveArray
     )
-    console.log(` ${cveNames.join(', ')}`)
-    console.log(chalk.bold(' How to fix: Update to latest version'))
+
+    const reportOutputModel = new ReportOutputModel(header, body)
+    console.log(reportOutputModel.header.vulnMessage, reportOutputModel.header.introducesMessage)
+    console.log(reportOutputModel.body.issueMessage)
+    console.log(reportOutputModel.body.adviceMessage)
+  }
+}
+
+export function buildHeader(
+  highestSeverity: ReportSeverityModel,
+  contrastHeaderNum: number,
+  libraryName: string,
+  version: string,
+  numOfCVEs: number,
+) {
+  const vulnerabilityPluralised = numOfCVEs > 1 ? 'Vulnerabilities' : 'Vulnerability'
+  const formattedHeaderNum = buildFormattedHeaderNum(contrastHeaderNum)
+
+  const vulnMessage = chalk
+  .hex(highestSeverity.outputColour)
+  .bold(`${formattedHeaderNum} - [${highestSeverity.severity}] ${libraryName}-${version}`)
+
+  const introducesMessage = chalk.bold(
+    `introduces ${numOfCVEs} ${vulnerabilityPluralised}`
+  )
+
+  return new ReportOutputHeaderModel(vulnMessage, introducesMessage)
+}
+
+export function buildBody(cveArray: ReportCVEModel[]) {
+  const cveMessages: string[] = []
+
+  findCVESeveritiesAndOrderByHighestPriority(cveArray).forEach(reportSeverityModel => {
+      // @ts-ignore
+      const {outputColour, severity, cveName} = reportSeverityModel
+
+      const severityShorthand = chalk
+      .hex(outputColour)
+      .bold(`[${severity.charAt(0).toUpperCase()}]`)
+
+      const builtMessage = `${severityShorthand} ${cveName}`
+      cveMessages.push(builtMessage)
+    }
+  )
+
+  const numAndSeverityType = getNumOfAndSeverityType(cveArray)
+
+  const issueMessage =
+    ` ${chalk.bold('Issue')}  : ${numAndSeverityType} ${cveMessages.join(', ')}.`
+
+  const adviceMessage =
+    ` ${chalk.bold('Advice')} : ${chalk.bold('Update to latest version')}.`
+
+  return new ReportOutputBodyModel(issueMessage, adviceMessage)
+}
+
+export function buildFormattedHeaderNum(contrastHeaderNum: number) {
+  let formattedHeaderNum
+
+  if (contrastHeaderNum < 10) {
+    formattedHeaderNum = `00${contrastHeaderNum}`
+  } else if (contrastHeaderNum >= 10 && contrastHeaderNum < 100) {
+    formattedHeaderNum = `0${contrastHeaderNum}`
+  } else if (contrastHeaderNum >= 100) {
+    formattedHeaderNum = contrastHeaderNum
   }
+
+  return `CONTRAST-${formattedHeaderNum}`
 }
+
+export function getNumOfAndSeverityType(cveArray: ReportCVEModel[]) {
+  const {
+    critical,
+    high,
+    medium,
+    low,
+    note
+  } = severityCountAllCVEs(cveArray, new SeverityCountModel())
+
+  const criticalMessage = critical > 0 ? `${critical} Critical` : ''
+  const highMessage = high > 0 ? `${high} High` : ''
+  const mediumMessage = medium > 0 ? `${medium} Medium` : ''
+  const lowMessage = low > 0 ? `${low} Low` : ''
+  const noteMessage = note > 0 ? `${note} Note` : ''
+
+  //removes/trims whitespace to single spaces
+  return `${criticalMessage} ${highMessage} ${mediumMessage} ${lowMessage} ${noteMessage}`
+  .replace(/\s+/g, ' ')
+  .trim();
+}

package/src/audit/languageAnalysisEngine/report/models/reportOutputModel.ts

@@ -0,0 +1,29 @@
+export class ReportOutputModel {
+  header: ReportOutputHeaderModel
+  body: ReportOutputBodyModel
+
+  constructor(header: ReportOutputHeaderModel, body: ReportOutputBodyModel) {
+    this.header = header
+    this.body = body
+  }
+}
+
+export class ReportOutputHeaderModel {
+  vulnMessage: string
+  introducesMessage: string
+
+  constructor(vulnMessage: string, introducesMessage: string) {
+    this.vulnMessage = vulnMessage
+    this.introducesMessage = introducesMessage
+  }
+}
+
+export class ReportOutputBodyModel {
+  issueMessage: string
+  adviceMessage: string
+
+  constructor(bodyIssueMessage: string, bodyAdviceMessage: string) {
+    this.issueMessage = bodyIssueMessage
+    this.adviceMessage = bodyAdviceMessage
+  }
+}

package/src/audit/languageAnalysisEngine/report/models/reportSeverityModel.ts

@@ -1,9 +1,13 @@
 export class ReportSeverityModel {
-  severity!: string
-  priority!: number
+  severity: string
+  priority: number
+  outputColour: string
+  cveName: string
 
-  constructor(severity: string, priority: number) {
+  constructor(severity: string, priority: number, outputColour: string, cveName: string) {
     this.severity = severity
     this.priority = priority
+    this.outputColour = outputColour
+    this.cveName = cveName
   }
 }

package/src/audit/languageAnalysisEngine/report/models/severityCountModel.ts

@@ -0,0 +1,16 @@
+export class SeverityCountModel {
+  critical!: number
+  high!: number
+  medium!: number
+  low!: number
+  note!: number
+
+  //needed as default to stop NaN when new object constructed
+  constructor() {
+    this.critical = 0
+    this.high = 0
+    this.medium = 0
+    this.low = 0
+    this.note = 0
+  }
+}

package/src/audit/languageAnalysisEngine/report/reportingFeature.ts

@@ -5,7 +5,7 @@ import {
 } from './commonReportingFunctions'
 import {
   convertGenericToTypedLibraries,
-  severityCount
+  severityCountAllLibraries
 } from './utils/reportUtils'
 
 export async function vulnerabilityReport(
@@ -51,6 +51,6 @@ export function formatVulnerabilityOutput(
   return [
     hasSomeVulnerabilitiesReported,
     numberOfCves,
-    severityCount(vulnerableLibraries)
+    severityCountAllLibraries(vulnerableLibraries)
   ]
 }