@contrast/contrast 1.0.5 → 1.0.8

package/src/audit/languageAnalysisEngine/report/models/severityCountModel.ts

@@ -0,0 +1,20 @@
+export class SeverityCountModel {
+  critical!: number
+  high!: number
+  medium!: number
+  low!: number
+  note!: number
+
+  //needed as default to stop NaN when new object constructed
+  constructor() {
+    this.critical = 0
+    this.high = 0
+    this.medium = 0
+    this.low = 0
+    this.note = 0
+  }
+
+  get getTotal(): number {
+    return this.critical + this.high + this.medium + this.low + this.note
+  }
+}

package/src/audit/languageAnalysisEngine/report/reportingFeature.ts

@@ -4,9 +4,11 @@ import {
   printVulnerabilityResponse
 } from './commonReportingFunctions'
 import {
-  convertGenericToTypedLibraries,
-  severityCount
+  convertGenericToTypedLibraryVulns,
+  severityCountAllLibraries
 } from './utils/reportUtils'
+import i18n from 'i18n'
+import chalk from 'chalk'
 
 export async function vulnerabilityReport(
   analysis: any,
@@ -17,11 +19,9 @@ export async function vulnerabilityReport(
 
   if (reportResponse !== undefined) {
     const id = applicationId
-    const name = analysis.config.applicationName
     formatVulnerabilityOutput(
       reportResponse.vulnerabilities,
       id,
-      name,
       analysis.config
     )
   }
@@ -30,27 +30,59 @@ export async function vulnerabilityReport(
 export function formatVulnerabilityOutput(
   libraryVulnerabilityResponse: any,
   id: string,
-  name: string,
   config: any
 ) {
-  const vulnerableLibraries = convertGenericToTypedLibraries(
+  const vulnerableLibraries = convertGenericToTypedLibraryVulns(
     libraryVulnerabilityResponse
   )
 
   const numberOfVulnerableLibraries = vulnerableLibraries.length
-  let numberOfCves = 0
-  vulnerableLibraries.forEach(lib => (numberOfCves += lib.cveArray.length))
 
-  createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves)
+  if (numberOfVulnerableLibraries === 0) {
+    console.log(i18n.__('scanNoVulnerabilitiesFound'))
+    console.log(i18n.__('scanNoVulnerabilitiesFoundSecureCode'))
+    console.log(i18n.__('scanNoVulnerabilitiesFoundGoodWork'))
+    console.log(
+      chalk.bold(`Found ${numberOfVulnerableLibraries} vulnerabilities`)
+    )
+    console.log(
+      i18n.__(
+        'foundDetailedVulnerabilities',
+        String(0),
+        String(0),
+        String(0),
+        String(0),
+        String(0)
+      )
+    )
+  } else {
+    let numberOfCves = 0
+    vulnerableLibraries.forEach(lib => (numberOfCves += lib.cveArray.length))
 
-  const hasSomeVulnerabilitiesReported = printVulnerabilityResponse(
-    vulnerableLibraries,
-    config
-  )
+    createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves)
+
+    const hasSomeVulnerabilitiesReported = printVulnerabilityResponse(
+      vulnerableLibraries,
+      config
+    )
+
+    return [
+      hasSomeVulnerabilitiesReported,
+      numberOfCves,
+      severityCountAllLibraries(vulnerableLibraries)
+    ]
+  }
+}
+
+export async function vulnerabilityReportV2(config: any, reportId: string) {
+  const reportResponse = await getReport(config, reportId)
 
-  return [
-    hasSomeVulnerabilitiesReported,
-    numberOfCves,
-    severityCount(vulnerableLibraries)
-  ]
+  if (reportResponse !== undefined) {
+    const name = config.applicationName
+    formatVulnerabilityOutput(
+      reportResponse.vulnerabilities,
+      config.applicationId,
+      config
+    )
+  }
 }

package/src/audit/languageAnalysisEngine/report/utils/reportUtils.ts

@@ -4,90 +4,112 @@ import {
 } from '../models/reportLibraryModel'
 import { ReportSeverityModel } from '../models/reportSeverityModel'
 import languageAnalysisEngine from '../../../languageAnalysisEngine/constants'
+import {
+  CRITICAL_COLOUR,
+  CRITICAL_PRIORITY,
+  HIGH_COLOUR,
+  HIGH_PRIORITY,
+  LOW_COLOUR,
+  LOW_PRIORITY,
+  MEDIUM_COLOUR,
+  MEDIUM_PRIORITY,
+  NOTE_COLOUR,
+  NOTE_PRIORITY
+} from '../../../../constants/constants'
+import { orderBy } from 'lodash'
+import { SeverityCountModel } from '../models/severityCountModel'
 const {
   supportedLanguages: { GO }
 } = languageAnalysisEngine
 
 export function findHighestSeverityCVE(cveArray: ReportCVEModel[]) {
-  if (
-    cveArray.find(
-      cve =>
-        cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL'
-    )
-  ) {
-    return new ReportSeverityModel('CRITICAL', 1)
-  } else if (
-    cveArray.find(
-      cve => cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH'
+  const mappedToReportSeverityModels = cveArray.map(cve => findCVESeverity(cve))
+
+  //order and get first
+  return orderBy(mappedToReportSeverityModels, cve => cve?.priority)[0]
+}
+
+export function findCVESeveritiesAndOrderByHighestPriority(
+  cves: ReportCVEModel[]
+) {
+  return orderBy(
+    cves.map(cve => findCVESeverity(cve)),
+    ['priority'],
+    ['asc']
+  )
+}
+
+export function findCVESeverity(cve: ReportCVEModel) {
+  const cveName = cve.name as string
+  if (cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL') {
+    return new ReportSeverityModel(
+      'CRITICAL',
+      CRITICAL_PRIORITY,
+      CRITICAL_COLOUR,
+      cveName
     )
-  ) {
-    return new ReportSeverityModel('HIGH', 2)
+  } else if (cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH') {
+    return new ReportSeverityModel('HIGH', HIGH_PRIORITY, HIGH_COLOUR, cveName)
   } else if (
-    cveArray.find(
-      cve => cve.cvss3SeverityCode === 'MEDIUM' || cve.severityCode === 'MEDIUM'
-    )
+    cve.cvss3SeverityCode === 'MEDIUM' ||
+    cve.severityCode === 'MEDIUM'
   ) {
-    return new ReportSeverityModel('MEDIUM', 3)
-  } else if (
-    cveArray.find(
-      cve => cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW'
+    return new ReportSeverityModel(
+      'MEDIUM',
+      MEDIUM_PRIORITY,
+      MEDIUM_COLOUR,
+      cveName
     )
-  ) {
-    return new ReportSeverityModel('LOW', 4)
-  } else if (
-    cveArray.find(
-      cve => cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE'
-    )
-  ) {
-    return new ReportSeverityModel('NOTE', 5)
+  } else if (cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW') {
+    return new ReportSeverityModel('LOW', LOW_PRIORITY, LOW_COLOUR, cveName)
+  } else if (cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE') {
+    return new ReportSeverityModel('NOTE', NOTE_PRIORITY, NOTE_COLOUR, cveName)
   }
 }
 
-export function convertGenericToTypedLibraries(libraries: any) {
+export function convertGenericToTypedLibraryVulns(libraries: any) {
   return Object.entries(libraries).map(([name, cveArray]) => {
     return new ReportLibraryModel(name, cveArray as ReportCVEModel[])
   })
 }
 
-export function severityCount(vulnerableLibraries: ReportLibraryModel[]) {
-  const severityCount = {
-    critical: 0,
-    high: 0,
-    medium: 0,
-    low: 0,
-    note: 0
-  }
+export function severityCountAllLibraries(
+  vulnerableLibraries: ReportLibraryModel[]
+) {
+  const severityCount = new SeverityCountModel()
+  vulnerableLibraries.forEach(lib =>
+    severityCountAllCVEs(lib.cveArray, severityCount)
+  )
+  return severityCount
+}
 
-  vulnerableLibraries.forEach(lib => {
-    lib.cveArray.forEach(cve => {
-      if (
-        cve.cvss3SeverityCode === 'CRITICAL' ||
-        cve.severityCode === 'CRITICAL'
-      ) {
-        severityCount['critical'] += 1
-      } else if (
-        cve.cvss3SeverityCode === 'HIGH' ||
-        cve.severityCode === 'HIGH'
-      ) {
-        severityCount['high'] += 1
-      } else if (
-        cve.cvss3SeverityCode === 'MEDIUM' ||
-        cve.severityCode === 'MEDIUM'
-      ) {
-        severityCount['medium'] += 1
-      } else if (
-        cve.cvss3SeverityCode === 'LOW' ||
-        cve.severityCode === 'LOW'
-      ) {
-        severityCount['low'] += 1
-      } else if (
-        cve.cvss3SeverityCode === 'NOTE' ||
-        cve.severityCode === 'NOTE'
-      ) {
-        severityCount['note'] += 1
-      }
-    })
-  })
+export function severityCountAllCVEs(
+  cveArray: ReportCVEModel[],
+  severityCount: SeverityCountModel
+) {
+  const severityCountInner = severityCount
+  cveArray.forEach(cve => severityCountSingleCVE(cve, severityCountInner))
+  return severityCountInner
+}
+
+export function severityCountSingleCVE(
+  cve: ReportCVEModel,
+  severityCount: SeverityCountModel
+) {
+  if (cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL') {
+    severityCount.critical += 1
+  } else if (cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH') {
+    severityCount.high += 1
+  } else if (
+    cve.cvss3SeverityCode === 'MEDIUM' ||
+    cve.severityCode === 'MEDIUM'
+  ) {
+    severityCount.medium += 1
+  } else if (cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW') {
+    severityCount.low += 1
+  } else if (cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE') {
+    severityCount.note += 1
+  }
 
   return severityCount
 }

package/src/audit/languageAnalysisEngine/sendSnapshot.js

@@ -1,6 +1,12 @@
-const { getHttpClient } = require('../../utils/commonApi')
 const { handleResponseErrors } = require('../../common/errorHandling')
 const { APP_VERSION } = require('../../constants/constants')
+const commonApi = require('../../utils/commonApi')
+const _ = require('lodash')
+const oraFunctions = require('../../utils/oraWrapper')
+const i18n = require('i18n')
+const oraWrapper = require('../../utils/oraWrapper')
+const requestUtils = require('../../utils/requestUtils')
+const { performance } = require('perf_hooks')
 
 const newSendSnapShot = async analysis => {
   const analysisLanguage = analysis.config.language.toLowerCase()
@@ -10,7 +16,7 @@ const newSendSnapShot = async analysis => {
     snapshot: { [analysisLanguage]: analysis[analysisLanguage] }
   }
 
-  const client = getHttpClient(analysis.config)
+  const client = commonApi.getHttpClient(analysis.config)
 
   return client
     .sendSnapshot(requestBody, analysis.config)
@@ -26,6 +32,75 @@ const newSendSnapShot = async analysis => {
     })
 }
 
+const pollSnapshotResults = async (config, snapshotId, client) => {
+  await requestUtils.sleep(5000)
+  return client
+    .getReportStatusById(config, snapshotId)
+    .then(res => {
+      return res
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+const getTimeout = config => {
+  if (config.timeout) {
+    return config.timeout
+  } else {
+    if (config.verbose) {
+      console.log('Timeout set to 2 minutes')
+    }
+    return 120
+  }
+}
+
+const pollForSnapshotCompletition = async (
+  config,
+  snapshotId,
+  reportSpinner
+) => {
+  const client = commonApi.getHttpClient(config)
+  const startTime = performance.now()
+  const timeout = getTimeout(config)
+
+  let complete = false
+  if (!_.isNil(snapshotId)) {
+    while (!complete) {
+      let result = await pollSnapshotResults(config, snapshotId, client)
+      if (result.statusCode === 200) {
+        if (result.body.status === 'PROCESSED') {
+          complete = true
+          return result.body
+        }
+        if (result.body.status === 'FAILED') {
+          complete = true
+          if (config.debug) {
+            oraFunctions.failSpinner(
+              reportSpinner,
+              i18n.__('auditNotCompleted')
+            )
+          }
+          console.log(result.body.errorMessage)
+          oraWrapper.stopSpinner(reportSpinner)
+          console.log('Contrast audit finished')
+          process.exit(1)
+        }
+      }
+      const endTime = performance.now() - startTime
+      if (requestUtils.millisToSeconds(endTime) > timeout) {
+        oraFunctions.failSpinner(
+          reportSpinner,
+          'Contrast audit timed out at the specified ' + timeout + ' seconds.'
+        )
+        console.log('Please try again, allowing more time.')
+        process.exit(1)
+      }
+    }
+  }
+}
+
 module.exports = {
-  newSendSnapShot: newSendSnapShot
+  newSendSnapShot: newSendSnapShot,
+  pollForSnapshotCompletition: pollForSnapshotCompletition
 }

package/src/audit/save.js

@@ -0,0 +1,32 @@
+const fs = require('fs')
+const i18n = require('i18n')
+const chalk = require('chalk')
+const save = require('../commands/audit/saveFile')
+const sbom = require('../sbom/generateSbom')
+
+async function auditSave(config) {
+  if (config.save) {
+    if (config.save.toLowerCase() === 'sbom') {
+      save.saveFile(config, await sbom.generateSbom(config))
+
+      const filename = `${config.applicationId}-sbom-cyclonedx.json`
+      if (fs.existsSync(filename)) {
+        console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`)
+      } else {
+        console.log(
+          chalk.yellow.bold(
+            `\n Unable to save ${filename} Software Bill of Materials (SBOM)`
+          )
+        )
+      }
+    } else {
+      console.log(i18n.__('auditBadFiletypeSpecifiedForSave'))
+    }
+  } else if (config.save === null) {
+    console.log(i18n.__('auditNoFiletypeSpecifiedForSave'))
+  }
+}
+
+module.exports = {
+  auditSave
+}

package/src/commands/audit/auditController.ts

@@ -3,27 +3,26 @@ import commonApi from '../../audit/languageAnalysisEngine/commonApi'
 
 const identifyLanguageAE = require('./../../audit/languageAnalysisEngine')
 const languageFactory = require('../../audit/languageAnalysisEngine/languageAnalysisFactory')
-const { v4: uuidv4 } = require('uuid')
 
 export const dealWithNoAppId = async (config: { [x: string]: string }) => {
   let appID: string
   try {
     // @ts-ignore
     appID = await commonApi.returnAppId(config)
-    // console.log('appid', appID)
     if (!appID && config.applicationName) {
       return await catalogueApplication(config)
     }
     if (!appID && !config.applicationName) {
-      config.applicationName = uuidv4()
-      return await catalogueApplication(config)
+      config.applicationName = getAppName(config.file) as string
+      // @ts-ignore
+      appID = await commonApi.returnAppId(config)
+      if (!appID) {
+        return await catalogueApplication(config)
+      }
     }
-    // @ts-ignore
-  } catch (e) {
-    // @ts-ignore
+  } catch (e: any) {
     if (e.toString().includes('tunneling socket could not be established')) {
-      // @ts-ignore
-      console.log(e.message)
+      console.log(e.message.toString())
       console.log(
         'There seems to be an issue with your proxy, please check and try again'
       )
@@ -38,10 +37,19 @@ export const startAudit = async (config: { [key: string]: string }) => {
     // @ts-ignore
     config.applicationId = await dealWithNoAppId(config)
   }
-  identifyLanguageAE(
-    config.projectPath,
-    languageFactory,
-    config.applicationId,
-    config
-  )
+  identifyLanguageAE(config.file, languageFactory, config.applicationId, config)
+}
+
+export const getAppName = (file: string) => {
+  const last = file.charAt(file.length - 1)
+  if (last !== '/') {
+    return file.split('/').pop()
+  } else {
+    const str = removeLastChar(file)
+    return str.split('/').pop()
+  }
+}
+
+const removeLastChar = (str: string) => {
+  return str.substring(0, str.length - 1)
 }

package/src/commands/audit/help.ts

@@ -41,7 +41,30 @@ const auditUsageGuide = commandLineUsage([
   },
   {
     header: i18n.__('constantsAuditOptions'),
-    optionList: constants.commandLineDefinitions.auditOptionDefinitions
+    optionList: constants.commandLineDefinitions.auditOptionDefinitions,
+    hide: [
+      'application-id',
+      'application-name',
+      'organization-id',
+      'api-key',
+      'authorization',
+      'host',
+      'proxy',
+      'help',
+      'ff',
+      'ignore-cert-errors',
+      'verbose',
+      'debug',
+      'experimental',
+      'tags',
+      'sub-project',
+      'code',
+      'maven-settings-path',
+      'language',
+      'experimental',
+      'app-groups',
+      'metadata'
+    ]
   }
 ])
 

package/src/commands/audit/processAudit.ts

@@ -1,19 +1,22 @@
 import { startAudit } from './auditController'
 import { getAuditConfig } from './auditConfig'
 import { auditUsageGuide } from './help'
+import { processSca } from '../scan/sca/scaAnalysis'
 
 export type parameterInput = string[]
 
 export const processAudit = async (argv: parameterInput) => {
   if (argv.indexOf('--help') != -1) {
     printHelpMessage()
-    process.exit(1)
+    process.exit(0)
   }
   const config = getAuditConfig(argv)
 
-  // console.log(config)
-
-  const auditResults = await startAudit(config)
+  if (config.experimental) {
+    await processSca(config)
+  } else {
+    await startAudit(config)
+  }
 }
 
 const printHelpMessage = () => {

package/src/commands/audit/saveFile.ts

@@ -1,6 +1,10 @@
 import fs from 'fs'
 
-export default function saveFile(config: any, rawResults: any) {
+export const saveFile = (config: any, rawResults: any) => {
   const fileName = `${config.applicationId}-sbom-cyclonedx.json`
   fs.writeFileSync(fileName, JSON.stringify(rawResults))
 }
+
+module.exports = {
+  saveFile
+}

package/src/commands/scan/processScan.js

@@ -14,7 +14,8 @@ const processScan = async argvMain => {
   }
 
   let scanResults = new ScanResultsModel(await startScan(config))
-  if (scanResults) {
+
+  if (scanResults.scanResultsInstances !== undefined) {
     formatScanOutput(scanResults)
   }