@contrast/contrast 1.0.5 → 1.0.6

package/src/audit/languageAnalysisEngine/report/utils/reportUtils.ts

@@ -4,91 +4,97 @@ import {
 } from '../models/reportLibraryModel'
 import { ReportSeverityModel } from '../models/reportSeverityModel'
 import languageAnalysisEngine from '../../../languageAnalysisEngine/constants'
+import {
+  CRITICAL_COLOUR,
+  CRITICAL_PRIORITY,
+  HIGH_COLOUR,
+  HIGH_PRIORITY,
+  LOW_COLOUR,
+  LOW_PRIORITY,
+  MEDIUM_COLOUR,
+  MEDIUM_PRIORITY,
+  NOTE_COLOUR,
+  NOTE_PRIORITY
+} from '../../../../constants/constants'
+import { orderBy } from 'lodash'
+import {SeverityCountModel} from "../models/severityCountModel";
 const {
   supportedLanguages: { GO }
 } = languageAnalysisEngine
 
 export function findHighestSeverityCVE(cveArray: ReportCVEModel[]) {
+  const mappedToReportSeverityModels = cveArray.map(cve => findCVESeverity(cve))
+
+  //order and get first
+  return orderBy(mappedToReportSeverityModels, cve => cve?.priority)[0]
+}
+
+
+export function findCVESeveritiesAndOrderByHighestPriority(cves: ReportCVEModel[]) {
+  return orderBy(cves.map(cve => findCVESeverity(cve)), ['priority'], ['asc'])
+}
+
+export function findCVESeverity(cve: ReportCVEModel) {
+  const cveName = cve.name as string
+  if (cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL') {
+    return new ReportSeverityModel('CRITICAL', CRITICAL_PRIORITY, CRITICAL_COLOUR, cveName)
+  } else if (cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH') {
+    return new ReportSeverityModel('HIGH', HIGH_PRIORITY, HIGH_COLOUR, cveName)
+  } else if (cve.cvss3SeverityCode === 'MEDIUM' || cve.severityCode === 'MEDIUM') {
+    return new ReportSeverityModel('MEDIUM', MEDIUM_PRIORITY, MEDIUM_COLOUR, cveName)
+  } else if (cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW') {
+    return new ReportSeverityModel('LOW', LOW_PRIORITY, LOW_COLOUR, cveName)
+  } else if (cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE') {
+    return new ReportSeverityModel('NOTE', NOTE_PRIORITY, NOTE_COLOUR, cveName)
+  }
+}
+
+export function convertGenericToTypedLibraries(libraries: any) {
+  return Object.entries(libraries).map(([name, cveArray]) => {
+    return new ReportLibraryModel(name, cveArray as ReportCVEModel[])
+  })
+}
+
+export function severityCountAllLibraries(vulnerableLibraries: ReportLibraryModel[]) {
+  const severityCount = new SeverityCountModel()
+  vulnerableLibraries.forEach(lib => severityCountAllCVEs(lib.cveArray, severityCount))
+  return severityCount
+}
+
+export function severityCountAllCVEs(cveArray: ReportCVEModel[], severityCount: SeverityCountModel) {
+  const severityCountInner = severityCount
+  cveArray.forEach(cve => severityCountSingleCVE(cve, severityCountInner))
+  return severityCountInner
+}
+
+export function severityCountSingleCVE(cve: ReportCVEModel, severityCount: SeverityCountModel) {
   if (
-    cveArray.find(
-      cve =>
-        cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL'
-    )
+    cve.cvss3SeverityCode === 'CRITICAL' ||
+    cve.severityCode === 'CRITICAL'
   ) {
-    return new ReportSeverityModel('CRITICAL', 1)
+    severityCount.critical += 1
   } else if (
-    cveArray.find(
-      cve => cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH'
-    )
+    cve.cvss3SeverityCode === 'HIGH' ||
+    cve.severityCode === 'HIGH'
   ) {
-    return new ReportSeverityModel('HIGH', 2)
+    severityCount.high += 1
   } else if (
-    cveArray.find(
-      cve => cve.cvss3SeverityCode === 'MEDIUM' || cve.severityCode === 'MEDIUM'
-    )
+    cve.cvss3SeverityCode === 'MEDIUM' ||
+    cve.severityCode === 'MEDIUM'
   ) {
-    return new ReportSeverityModel('MEDIUM', 3)
+    severityCount.medium += 1
   } else if (
-    cveArray.find(
-      cve => cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW'
-    )
+    cve.cvss3SeverityCode === 'LOW' ||
+    cve.severityCode === 'LOW'
   ) {
-    return new ReportSeverityModel('LOW', 4)
+    severityCount.low += 1
   } else if (
-    cveArray.find(
-      cve => cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE'
-    )
+    cve.cvss3SeverityCode === 'NOTE' ||
+    cve.severityCode === 'NOTE'
   ) {
-    return new ReportSeverityModel('NOTE', 5)
-  }
-}
-
-export function convertGenericToTypedLibraries(libraries: any) {
-  return Object.entries(libraries).map(([name, cveArray]) => {
-    return new ReportLibraryModel(name, cveArray as ReportCVEModel[])
-  })
-}
-
-export function severityCount(vulnerableLibraries: ReportLibraryModel[]) {
-  const severityCount = {
-    critical: 0,
-    high: 0,
-    medium: 0,
-    low: 0,
-    note: 0
+    severityCount.note += 1
   }
 
-  vulnerableLibraries.forEach(lib => {
-    lib.cveArray.forEach(cve => {
-      if (
-        cve.cvss3SeverityCode === 'CRITICAL' ||
-        cve.severityCode === 'CRITICAL'
-      ) {
-        severityCount['critical'] += 1
-      } else if (
-        cve.cvss3SeverityCode === 'HIGH' ||
-        cve.severityCode === 'HIGH'
-      ) {
-        severityCount['high'] += 1
-      } else if (
-        cve.cvss3SeverityCode === 'MEDIUM' ||
-        cve.severityCode === 'MEDIUM'
-      ) {
-        severityCount['medium'] += 1
-      } else if (
-        cve.cvss3SeverityCode === 'LOW' ||
-        cve.severityCode === 'LOW'
-      ) {
-        severityCount['low'] += 1
-      } else if (
-        cve.cvss3SeverityCode === 'NOTE' ||
-        cve.severityCode === 'NOTE'
-      ) {
-        severityCount['note'] += 1
-      }
-    })
-  })
-
   return severityCount
 }
 

package/src/commands/audit/auditController.ts

@@ -10,7 +10,6 @@ export const dealWithNoAppId = async (config: { [x: string]: string }) => {
   try {
     // @ts-ignore
     appID = await commonApi.returnAppId(config)
-    // console.log('appid', appID)
     if (!appID && config.applicationName) {
       return await catalogueApplication(config)
     }
@@ -23,7 +22,7 @@ export const dealWithNoAppId = async (config: { [x: string]: string }) => {
     // @ts-ignore
     if (e.toString().includes('tunneling socket could not be established')) {
       // @ts-ignore
-      console.log(e.message)
+      console.log(e.message.toString())
       console.log(
         'There seems to be an issue with your proxy, please check and try again'
       )

package/src/commands/scan/processScan.js

@@ -14,7 +14,8 @@ const processScan = async argvMain => {
   }
 
   let scanResults = new ScanResultsModel(await startScan(config))
-  if (scanResults) {
+
+  if (scanResults.scanResultsInstances !== undefined) {
     formatScanOutput(scanResults)
   }
 

package/src/commands/scan/sca/scaAnalysis.js

@@ -1,13 +1,14 @@
 const autoDetection = require('../../../scan/autoDetection')
-const { javaAnalysis } = require('../../../scaAnalysis/java')
-const { commonSendSnapShot } = require('../../../scaAnalysis/common/treeUpload')
+const javaAnalysis = require('../../../scaAnalysis/java')
+const treeUpload = require('../../../scaAnalysis/common/treeUpload')
 const {
   manualDetectAuditFilesAndLanguages
 } = require('../../../scan/autoDetection')
-const { dealWithNoAppId } = require('../../audit/auditController')
+const auditController = require('../../audit/auditController')
 const {
-  supportedLanguages: { JAVA }
+  supportedLanguages: { JAVA, GO }
 } = require('../../../audit/languageAnalysisEngine/constants')
+const goAnalysis = require('../../../scaAnalysis/go/goAnalysis')
 
 const processSca = async config => {
   let filesFound
@@ -24,7 +25,7 @@ const processSca = async config => {
   if (filesFound.length === 1) {
     switch (Object.keys(filesFound[0])[0]) {
       case JAVA:
-        messageToSend = await javaAnalysis(config, filesFound[0])
+        messageToSend = javaAnalysis.javaAnalysis(config, filesFound[0])
         config.language = JAVA
         break
       // case 'javascript':
@@ -42,9 +43,10 @@ const processSca = async config => {
       // case 'php':
       //     // code block
       //     break;
-      // case 'go':
-      //     // code block
-      //     break;
+      case GO:
+        messageToSend = goAnalysis.goAnalysis(config, filesFound[0])
+        config.language = GO
+        break
       default:
         //something is wrong
         console.log('language detected not supported')
@@ -52,11 +54,11 @@ const processSca = async config => {
     }
 
     if (!config.applicationId) {
-      config.applicationId = await dealWithNoAppId(config)
+      config.applicationId = await auditController.dealWithNoAppId(config)
     }
     //send message to TS
     console.log('processing dependencies')
-    const response = await commonSendSnapShot(messageToSend, config)
+    const response = await treeUpload.commonSendSnapShot(messageToSend, config)
   } else {
     if (filesFound.length === 0) {
       console.log('no compatible dependency files detected. Continuing...')

package/src/constants/constants.js

@@ -13,13 +13,18 @@ const MEDIUM = 'MEDIUM'
 const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
 const APP_NAME = 'contrast'
-const APP_VERSION = '1.0.5'
+const APP_VERSION = '1.0.6'
 const TIMEOUT = 120000
 const HIGH_COLOUR = '#ff9900'
 const CRITICAL_COLOUR = '#e35858'
 const MEDIUM_COLOUR = '#f1c232'
-const LOW_COLOUR = '#ff9900'
+const LOW_COLOUR = '#b7b7b7'
 const NOTE_COLOUR = '#999999'
+const CRITICAL_PRIORITY = 1
+const HIGH_PRIORITY = 2
+const MEDIUM_PRIORITY = 3
+const LOW_PRIORITY = 4
+const NOTE_PRIORITY = 5
 
 const AUTH_UI_URL = 'https://cli-auth.contrastsecurity.com'
 const AUTH_CALLBACK_URL = 'https://cli-auth-api.contrastsecurity.com'
@@ -43,5 +48,10 @@ module.exports = {
   MEDIUM_COLOUR,
   LOW_COLOUR,
   NOTE_COLOUR,
-  CE_URL
+  CE_URL,
+  CRITICAL_PRIORITY,
+  HIGH_PRIORITY,
+  MEDIUM_PRIORITY,
+  LOW_PRIORITY,
+  NOTE_PRIORITY
 }

package/src/scaAnalysis/common/formatMessage.js

@@ -5,6 +5,16 @@ const createJavaTSMessage = javaTree => {
     }
   }
 }
+
+const createGoTSMessage = goTree => {
+  return {
+    go: {
+      goDependencyTrees: goTree
+    }
+  }
+}
+
 module.exports = {
-  createJavaTSMessage
+  createJavaTSMessage,
+  createGoTSMessage
 }

package/src/scaAnalysis/common/treeUpload.js

@@ -1,5 +1,4 @@
 const { getHttpClient } = require('../../utils/commonApi')
-const { handleResponseErrors } = require('../../common/errorHandling')
 const { APP_VERSION } = require('../../constants/constants')
 
 const commonSendSnapShot = async (analysis, config) => {
@@ -9,19 +8,16 @@ const commonSendSnapShot = async (analysis, config) => {
     snapshot: analysis
   }
 
-  //console.log(JSON.stringify(analysis))
-
-  //console.log(JSON.stringify(requestBody))
   const client = getHttpClient(config)
   return client
     .sendSnapshot(requestBody, config)
     .then(res => {
       if (res.statusCode === 201) {
-        console.log('snapshot processed successfully')
+        console.log('dependencies processed successfully')
         return res.body
       } else {
         console.log(res.statusCode)
-        handleResponseErrors(res, 'snapshot')
+        console.log('error processing dependencies')
       }
     })
     .catch(err => {

package/src/scaAnalysis/go/goAnalysis.js

@@ -0,0 +1,20 @@
+const { createGoTSMessage } = require('../common/formatMessage')
+const goReadDepFile = require('./goReadDepFile')
+const goParseDeps = require('./goParseDeps')
+
+const goAnalysis = (config, languageFiles) => {
+  try {
+    const rawGoDependencies = goReadDepFile.getGoDependencies(config)
+    const parsedGoDependencies = goParseDeps.parseGoDependencies(
+      rawGoDependencies
+    )
+
+    return createGoTSMessage(parsedGoDependencies)
+  } catch (e) {
+    console.log(e.message.toString())
+  }
+}
+
+module.exports = {
+  goAnalysis
+}

package/src/scaAnalysis/go/goParseDeps.js

@@ -0,0 +1,203 @@
+const crypto = require('crypto')
+
+const parseGoDependencies = goDeps => {
+  return parseGo(goDeps)
+}
+
+const parseGo = modGraphOutput => {
+  let splitLines = splitAllLinesIntoArray(modGraphOutput)
+  const directDepNames = getDirectDepNames(splitLines)
+  const uniqueTransitiveDepNames = getAllUniqueTransitiveDepNames(
+    splitLines,
+    directDepNames
+  )
+
+  let rootNodes = createRootNodes(splitLines)
+
+  createTransitiveDeps(uniqueTransitiveDepNames, splitLines, rootNodes)
+
+  return rootNodes
+}
+
+const splitAllLinesIntoArray = modGraphOutput => {
+  return modGraphOutput.split(/\r\n|\r|\n/)
+}
+
+const getAllDepsOfADepAsEdge = (dep, deps) => {
+  let edges = {}
+
+  const depRows = deps.filter(line => {
+    return line.startsWith(dep)
+  })
+
+  depRows.forEach(dep => {
+    const edgeName = dep.split(' ')[1]
+    edges[edgeName] = edgeName
+  })
+
+  return edges
+}
+
+const getAllDepsOfADepAsName = (dep, deps) => {
+  let edges = []
+
+  const depRows = deps.filter(line => {
+    return line.startsWith(dep)
+  })
+
+  depRows.forEach(dep => {
+    const edgeName = dep.split(' ')[1]
+    edges.push(edgeName)
+  })
+
+  return edges
+}
+
+const createRootNodes = deps => {
+  let rootDep = {}
+  const rootDeps = getRootDeps(deps)
+
+  const edges = rootDeps.map(dep => {
+    return dep.split(' ')[1]
+  })
+
+  rootDep[rootDeps[0].split(' ')[0]] = {}
+
+  edges.forEach(edge => {
+    const splitEdge = edge.split('@')
+    const splitGroupName = splitEdge[0].split('/')
+    const name = splitGroupName.pop()
+    const lastSlash = splitEdge[0].lastIndexOf('/')
+    let group = splitEdge[0].substring(0, lastSlash)
+    const hash = getHash(splitEdge[0])
+
+    group = checkGroupExists(group, name)
+
+    //get the edges of the root dependency
+    const edgesOfDep = getAllDepsOfADepAsEdge(edge, deps)
+
+    rootDep[rootDeps[0].split(' ')[0]][edge] = {
+      artifactID: name,
+      group: group,
+      version: splitEdge[1],
+      scope: '"compile',
+      type: 'direct',
+      hash: hash,
+      edges: edgesOfDep
+    }
+  })
+  return rootDep
+}
+
+const getRootDeps = deps => {
+  const rootDeps = deps.filter(dep => {
+    const parentDep = dep.split(' ')[0]
+    if (parentDep.split('@v').length === 1) {
+      return dep
+    }
+  })
+  return rootDeps
+}
+
+const getHash = library => {
+  let shaSum = crypto.createHash('sha1')
+  shaSum.update(library)
+  return shaSum.digest('hex')
+}
+
+const getDirectDepNames = deps => {
+  const directDepNames = []
+
+  deps.forEach(dep => {
+    const parentDep = dep.split(' ')[0]
+    if (parentDep.split('@v').length === 1) {
+      dep.split(' ')[1] !== undefined
+        ? directDepNames.push(dep.split(' ')[1])
+        : null
+    }
+  })
+  return directDepNames
+}
+
+const getAllUniqueTransitiveDepNames = (deps, directDepNames) => {
+  let uniqueDeps = []
+
+  deps.forEach(dep => {
+    const parentDep = dep.split(' ')[0]
+    if (parentDep.split('@v').length !== 1) {
+      if (!directDepNames.includes(parentDep)) {
+        if (!uniqueDeps.includes(parentDep)) {
+          parentDep.length > 1 ? uniqueDeps.push(parentDep) : null
+        }
+      }
+    }
+  })
+  return uniqueDeps
+}
+
+const checkGroupExists = (group, name) => {
+  if (group === null || group === '') {
+    return name
+  }
+  return group
+}
+
+const createTransitiveDeps = (transitiveDeps, splitLines, rootNodes) => {
+  transitiveDeps.forEach(dep => {
+    //create transitive dep
+    const splitEdge = dep.split('@')
+    const splitGroupName = splitEdge[0].split('/')
+    const name = splitGroupName.pop()
+    const lastSlash = splitEdge[0].lastIndexOf('/')
+    let group = splitEdge[0].substring(0, lastSlash)
+    const hash = getHash(splitEdge[0])
+
+    group = checkGroupExists(group, name)
+
+    const transitiveDep = {
+      artifactID: name,
+      group: group,
+      version: splitEdge[1],
+      scope: 'compile',
+      type: 'transitive',
+      hash: hash,
+      edges: {}
+    }
+
+    //add edges to transitiveDep
+    const edges = getAllDepsOfADepAsEdge(dep, splitLines)
+    transitiveDep.edges = edges
+
+    //add all edges as a transitive dependency to rootNodes
+    const edgesAsName = getAllDepsOfADepAsName(dep, splitLines)
+
+    edgesAsName.forEach(dep => {
+      const splitEdge = dep.split('@')
+      const splitGroupName = splitEdge[0].split('/')
+      const name = splitGroupName.pop()
+      const lastSlash = splitEdge[0].lastIndexOf('/')
+      let group = splitEdge[0].substring(0, lastSlash)
+      const hash = getHash(splitEdge[0])
+
+      group = checkGroupExists(group, name)
+
+      const transitiveDep = {
+        artifactID: name,
+        group: group,
+        version: splitEdge[1],
+        scope: 'compile',
+        type: 'transitive',
+        hash: hash,
+        edges: {}
+      }
+      rootNodes[Object.keys(rootNodes)[0]][dep] = transitiveDep
+    })
+
+    //add transitive dependency to rootNodes
+    rootNodes[Object.keys(rootNodes)[0]][dep] = transitiveDep
+  })
+}
+
+module.exports = {
+  parseGoDependencies
+}

package/src/scaAnalysis/go/goReadDepFile.js

@@ -0,0 +1,32 @@
+const child_process = require('child_process')
+const i18n = require('i18n')
+
+const getGoDependencies = config => {
+  let cmdStdout
+  let cwd = config.projectPath
+    ? config.projectPath.replace('go.mod', '')
+    : process.cwd()
+
+  try {
+    // A sample of this output can be found
+    // in the go test folder data/goModGraphResults.text
+    cmdStdout = child_process.execSync('go mod graph', { cwd })
+
+    return cmdStdout.toString()
+  } catch (err) {
+    if (err.message === 'spawnSync /bin/sh ENOENT') {
+      err.message =
+        '\n\n*************** No transitive dependencies ***************\n\nWe are unable to build a dependency tree view from your repository as there were no transitive dependencies found.'
+    }
+    console.log(
+      i18n.__('goReadProjectFile', cwd, `${err.message ? err.message : ''}`)
+    )
+    // throw new Error(
+    //   i18n.__('goReadProjectFile', cwd, `${err.message ? err.message : ''}`)
+    // )
+  }
+}
+
+module.exports = {
+  getGoDependencies
+}

package/src/scaAnalysis/java/analysis.js

@@ -24,7 +24,7 @@ const determineProjectTypeAndCwd = (files, projectPath) => {
   return projectData
 }
 
-const buildMaven = async (config, projectData, timeout) => {
+const buildMaven = (config, projectData, timeout) => {
   let cmdStdout
   let mvn_settings = ''
 
@@ -40,23 +40,11 @@ const buildMaven = async (config, projectData, timeout) => {
         timeout
       }
     )
-    // output.mvnDependancyTreeOutput = cmdStdout.toString()
-    // console.log(cmdStdout.toString())
     return cmdStdout.toString()
   } catch (err) {
-    try {
-      child_process.execSync('mvn --version', {
-        cwd: projectData.cwd,
-        timeout
-      })
-      throw new Error(
-        i18n.__('mavenDependencyTreeNonZero', projectData.cwd, `${err.message}`)
-      )
-    } catch (mvnErr) {
-      throw new Error(
-        i18n.__('mavenNotInstalledError', projectData.cwd, `${mvnErr.message}`)
-      )
-    }
+    throw new Error(
+      i18n.__('mavenDependencyTreeNonZero', projectData.cwd, `${err.message}`)
+    )
   }
 }
 
@@ -107,7 +95,7 @@ const buildGradle = (config, projectData, timeout) => {
         }
       )
     }
-    output.mvnDependancyTreeOutput = cmdStdout.toString()
+    output = cmdStdout.toString()
     return output
   } catch (err) {
     if (
@@ -129,7 +117,7 @@ const buildGradle = (config, projectData, timeout) => {
   }
 }
 
-const getJavaBuildDeps = async (config, files) => {
+const getJavaBuildDeps = (config, files) => {
   const timeout = 960000
   let output = {
     mvnDependancyTreeOutput: undefined,
@@ -139,18 +127,14 @@ const getJavaBuildDeps = async (config, files) => {
   try {
     const projectData = determineProjectTypeAndCwd(files, config.projectPath)
     if (projectData.projectType === MAVEN) {
-      output.mvnDependancyTreeOutput = await buildMaven(
-        config,
-        projectData,
-        timeout
-      )
+      output.mvnDependancyTreeOutput = buildMaven(config, projectData, timeout)
     } else if (projectData.projectType === GRADLE) {
       output.mvnDependancyTreeOutput = buildGradle(config, projectData, timeout)
     }
     output.projectType = projectData.projectType
     return output
   } catch (err) {
-    //
+    console.log(err.message.toString())
   }
 }
 

package/src/scaAnalysis/java/index.js

@@ -1,18 +1,18 @@
-const { getJavaBuildDeps } = require('./analysis')
+const analysis = require('./analysis')
 const { parseBuildDeps } = require('./javaBuildDepsParser')
 const { createJavaTSMessage } = require('../common/formatMessage')
 
-const javaAnalysis = async (config, languageFiles) => {
+const javaAnalysis = (config, languageFiles) => {
   languageFiles.java.forEach(file => {
     file.replace('build.gradle.kts', 'build.gradle')
   })
 
-  const javaDeps = await buildJavaTree(config, languageFiles.java)
+  const javaDeps = buildJavaTree(config, languageFiles.java)
   return createJavaTSMessage(javaDeps)
 }
 
-const buildJavaTree = async (config, files) => {
-  const javaBuildDeps = await getJavaBuildDeps(config, files)
+const buildJavaTree = (config, files) => {
+  const javaBuildDeps = analysis.getJavaBuildDeps(config, files)
   return parseBuildDeps(config, javaBuildDeps)
 }