@contrast/contrast 1.0.5 → 1.0.8

package/src/lambda/types.ts

@@ -0,0 +1,35 @@
+export enum StatusType {
+  FAILED = 'failed',
+  SUCCESS = 'success'
+}
+
+export enum EventType {
+  START = 'start_command_session',
+  END = 'end_command_session'
+}
+
+export type LambdaOptions = {
+  functionName?: string
+  listFunctions?: boolean
+  region?: string
+  endpointUrl?: string
+  profile?: string
+  help?: boolean
+  verbose?: boolean
+  jsonOutput?: boolean
+  _unknown?: string[]
+}
+
+type ScanFunctionData = {
+  functionArn: string
+  scanId: string
+}
+
+export type AnalyticsOption = {
+  sessionId: string
+  eventType: EventType
+  arguments?: LambdaOptions
+  scanFunctionData?: ScanFunctionData
+  status?: StatusType
+  errorMsg?: string
+}

package/src/lambda/utils.ts

@@ -19,13 +19,8 @@ class PrintVulnerability {
   whatHappened: string
 
   constructor(index: number, vulnerability: any, group?: any[]) {
-    const {
-      severityText,
-      title,
-      description,
-      remediation,
-      categoryText
-    } = vulnerability
+    const { severityText, title, description, remediation, categoryText } =
+      vulnerability
 
     this.group = group
     this.vulnerability = vulnerability

package/src/sbom/generateSbom.ts

@@ -1,6 +1,6 @@
 import { getHttpClient } from '../utils/commonApi'
 
-export default function generateSbom(config: any) {
+export const generateSbom = (config: any) => {
   const client = getHttpClient(config)
   return client
     .getSbom(config)

package/src/scaAnalysis/common/formatMessage.js

@@ -5,6 +5,56 @@ const createJavaTSMessage = javaTree => {
     }
   }
 }
+
+const createJavaScriptTSMessage = js => {
+  let message = {
+    node: {
+      packageJSON: js.packageJSON
+    }
+  }
+  if (js.yarn !== undefined) {
+    message.node.yarnLockFile = js.yarn.yarnLockFile
+    message.node.yarnVersion = js.yarn.yarnVersion
+  } else {
+    message.node.npmLockFile = js.npmLockFile
+  }
+  return message
+}
+
+const createGoTSMessage = goTree => {
+  return {
+    go: {
+      goDependencyTrees: goTree
+    }
+  }
+}
+
+const createRubyTSMessage = rubyTree => {
+  return {
+    ruby: rubyTree
+  }
+}
+
+const createPythonTSMessage = pythonTree => {
+  return {
+    python: pythonTree
+  }
+}
+
+const createPhpTSMessage = phpTree => {
+  return {
+    php: {
+      composerJSON: phpTree.composerJSON,
+      lockFile: phpTree.lockFile
+    }
+  }
+}
+
 module.exports = {
-  createJavaTSMessage
+  createJavaScriptTSMessage,
+  createJavaTSMessage,
+  createGoTSMessage,
+  createPhpTSMessage,
+  createRubyTSMessage,
+  createPythonTSMessage
 }

package/src/scaAnalysis/common/treeUpload.js

@@ -1,5 +1,4 @@
 const { getHttpClient } = require('../../utils/commonApi')
-const { handleResponseErrors } = require('../../common/errorHandling')
 const { APP_VERSION } = require('../../constants/constants')
 
 const commonSendSnapShot = async (analysis, config) => {
@@ -9,19 +8,15 @@ const commonSendSnapShot = async (analysis, config) => {
     snapshot: analysis
   }
 
-  //console.log(JSON.stringify(analysis))
-
-  //console.log(JSON.stringify(requestBody))
   const client = getHttpClient(config)
   return client
     .sendSnapshot(requestBody, config)
     .then(res => {
       if (res.statusCode === 201) {
-        console.log('snapshot processed successfully')
         return res.body
       } else {
         console.log(res.statusCode)
-        handleResponseErrors(res, 'snapshot')
+        console.log('error processing dependencies')
       }
     })
     .catch(err => {

package/src/scaAnalysis/go/goAnalysis.js

@@ -0,0 +1,19 @@
+const { createGoTSMessage } = require('../common/formatMessage')
+const goReadDepFile = require('./goReadDepFile')
+const goParseDeps = require('./goParseDeps')
+
+const goAnalysis = (config, languageFiles) => {
+  try {
+    const rawGoDependencies = goReadDepFile.getGoDependencies(config)
+    const parsedGoDependencies =
+      goParseDeps.parseGoDependencies(rawGoDependencies)
+
+    return createGoTSMessage(parsedGoDependencies)
+  } catch (e) {
+    console.log(e.message.toString())
+  }
+}
+
+module.exports = {
+  goAnalysis
+}

package/src/scaAnalysis/go/goParseDeps.js

@@ -0,0 +1,203 @@
+const crypto = require('crypto')
+
+const parseGoDependencies = goDeps => {
+  return parseGo(goDeps)
+}
+
+const parseGo = modGraphOutput => {
+  let splitLines = splitAllLinesIntoArray(modGraphOutput)
+  const directDepNames = getDirectDepNames(splitLines)
+  const uniqueTransitiveDepNames = getAllUniqueTransitiveDepNames(
+    splitLines,
+    directDepNames
+  )
+
+  let rootNodes = createRootNodes(splitLines)
+
+  createTransitiveDeps(uniqueTransitiveDepNames, splitLines, rootNodes)
+
+  return rootNodes
+}
+
+const splitAllLinesIntoArray = modGraphOutput => {
+  return modGraphOutput.split(/\r\n|\r|\n/)
+}
+
+const getAllDepsOfADepAsEdge = (dep, deps) => {
+  let edges = {}
+
+  const depRows = deps.filter(line => {
+    return line.startsWith(dep)
+  })
+
+  depRows.forEach(dep => {
+    const edgeName = dep.split(' ')[1]
+    edges[edgeName] = edgeName
+  })
+
+  return edges
+}
+
+const getAllDepsOfADepAsName = (dep, deps) => {
+  let edges = []
+
+  const depRows = deps.filter(line => {
+    return line.startsWith(dep)
+  })
+
+  depRows.forEach(dep => {
+    const edgeName = dep.split(' ')[1]
+    edges.push(edgeName)
+  })
+
+  return edges
+}
+
+const createRootNodes = deps => {
+  let rootDep = {}
+  const rootDeps = getRootDeps(deps)
+
+  const edges = rootDeps.map(dep => {
+    return dep.split(' ')[1]
+  })
+
+  rootDep[rootDeps[0].split(' ')[0]] = {}
+
+  edges.forEach(edge => {
+    const splitEdge = edge.split('@')
+    const splitGroupName = splitEdge[0].split('/')
+    const name = splitGroupName.pop()
+    const lastSlash = splitEdge[0].lastIndexOf('/')
+    let group = splitEdge[0].substring(0, lastSlash)
+    const hash = getHash(splitEdge[0])
+
+    group = checkGroupExists(group, name)
+
+    //get the edges of the root dependency
+    const edgesOfDep = getAllDepsOfADepAsEdge(edge, deps)
+
+    rootDep[rootDeps[0].split(' ')[0]][edge] = {
+      artifactID: name,
+      group: group,
+      version: splitEdge[1],
+      scope: '"compile',
+      type: 'direct',
+      hash: hash,
+      edges: edgesOfDep
+    }
+  })
+  return rootDep
+}
+
+const getRootDeps = deps => {
+  const rootDeps = deps.filter(dep => {
+    const parentDep = dep.split(' ')[0]
+    if (parentDep.split('@v').length === 1) {
+      return dep
+    }
+  })
+  return rootDeps
+}
+
+const getHash = library => {
+  let shaSum = crypto.createHash('sha1')
+  shaSum.update(library)
+  return shaSum.digest('hex')
+}
+
+const getDirectDepNames = deps => {
+  const directDepNames = []
+
+  deps.forEach(dep => {
+    const parentDep = dep.split(' ')[0]
+    if (parentDep.split('@v').length === 1) {
+      dep.split(' ')[1] !== undefined
+        ? directDepNames.push(dep.split(' ')[1])
+        : null
+    }
+  })
+  return directDepNames
+}
+
+const getAllUniqueTransitiveDepNames = (deps, directDepNames) => {
+  let uniqueDeps = []
+
+  deps.forEach(dep => {
+    const parentDep = dep.split(' ')[0]
+    if (parentDep.split('@v').length !== 1) {
+      if (!directDepNames.includes(parentDep)) {
+        if (!uniqueDeps.includes(parentDep)) {
+          parentDep.length > 1 ? uniqueDeps.push(parentDep) : null
+        }
+      }
+    }
+  })
+  return uniqueDeps
+}
+
+const checkGroupExists = (group, name) => {
+  if (group === null || group === '') {
+    return name
+  }
+  return group
+}
+
+const createTransitiveDeps = (transitiveDeps, splitLines, rootNodes) => {
+  transitiveDeps.forEach(dep => {
+    //create transitive dep
+    const splitEdge = dep.split('@')
+    const splitGroupName = splitEdge[0].split('/')
+    const name = splitGroupName.pop()
+    const lastSlash = splitEdge[0].lastIndexOf('/')
+    let group = splitEdge[0].substring(0, lastSlash)
+    const hash = getHash(splitEdge[0])
+
+    group = checkGroupExists(group, name)
+
+    const transitiveDep = {
+      artifactID: name,
+      group: group,
+      version: splitEdge[1],
+      scope: 'compile',
+      type: 'transitive',
+      hash: hash,
+      edges: {}
+    }
+
+    //add edges to transitiveDep
+    const edges = getAllDepsOfADepAsEdge(dep, splitLines)
+    transitiveDep.edges = edges
+
+    //add all edges as a transitive dependency to rootNodes
+    const edgesAsName = getAllDepsOfADepAsName(dep, splitLines)
+
+    edgesAsName.forEach(dep => {
+      const splitEdge = dep.split('@')
+      const splitGroupName = splitEdge[0].split('/')
+      const name = splitGroupName.pop()
+      const lastSlash = splitEdge[0].lastIndexOf('/')
+      let group = splitEdge[0].substring(0, lastSlash)
+      const hash = getHash(splitEdge[0])
+
+      group = checkGroupExists(group, name)
+
+      const transitiveDep = {
+        artifactID: name,
+        group: group,
+        version: splitEdge[1],
+        scope: 'compile',
+        type: 'transitive',
+        hash: hash,
+        edges: {}
+      }
+      rootNodes[Object.keys(rootNodes)[0]][dep] = transitiveDep
+    })
+
+    //add transitive dependency to rootNodes
+    rootNodes[Object.keys(rootNodes)[0]][dep] = transitiveDep
+  })
+}
+
+module.exports = {
+  parseGoDependencies
+}

package/src/scaAnalysis/go/goReadDepFile.js

@@ -0,0 +1,30 @@
+const child_process = require('child_process')
+const i18n = require('i18n')
+
+const getGoDependencies = config => {
+  let cmdStdout
+  let cwd = config.file ? config.file.replace('go.mod', '') : process.cwd()
+
+  try {
+    // A sample of this output can be found
+    // in the go test folder data/goModGraphResults.text
+    cmdStdout = child_process.execSync('go mod graph', { cwd })
+
+    return cmdStdout.toString()
+  } catch (err) {
+    if (err.message === 'spawnSync /bin/sh ENOENT') {
+      err.message =
+        '\n\n*************** No transitive dependencies ***************\n\nWe are unable to build a dependency tree view from your repository as there were no transitive dependencies found.'
+    }
+    console.log(
+      i18n.__('goReadProjectFile', cwd, `${err.message ? err.message : ''}`)
+    )
+    // throw new Error(
+    //   i18n.__('goReadProjectFile', cwd, `${err.message ? err.message : ''}`)
+    // )
+  }
+}
+
+module.exports = {
+  getGoDependencies
+}

package/src/scaAnalysis/java/analysis.js

@@ -6,25 +6,24 @@ const fs = require('fs')
 const MAVEN = 'maven'
 const GRADLE = 'gradle'
 
-const determineProjectTypeAndCwd = (files, projectPath) => {
+const determineProjectTypeAndCwd = (files, file) => {
   const projectData = {}
 
   if (files[0].includes('pom.xml')) {
     projectData.projectType = MAVEN
-    projectData.cwd = projectPath
-      ? projectPath
-      : files[0].replace('pom.xml', '')
   } else if (files[0].includes('build.gradle')) {
     projectData.projectType = GRADLE
-    projectData.cwd = projectPath
-      ? projectPath
-      : files[0].replace('pom.xml', '')
   }
 
+  //clean up the path to be a folder not a file
+  projectData.cwd = file
+    ? file.replace('pom.xml', '').replace('build.gradle', '')
+    : file
+
   return projectData
 }
 
-const buildMaven = async (config, projectData, timeout) => {
+const buildMaven = (config, projectData, timeout) => {
   let cmdStdout
   let mvn_settings = ''
 
@@ -40,23 +39,11 @@ const buildMaven = async (config, projectData, timeout) => {
         timeout
       }
     )
-    // output.mvnDependancyTreeOutput = cmdStdout.toString()
-    // console.log(cmdStdout.toString())
     return cmdStdout.toString()
   } catch (err) {
-    try {
-      child_process.execSync('mvn --version', {
-        cwd: projectData.cwd,
-        timeout
-      })
-      throw new Error(
-        i18n.__('mavenDependencyTreeNonZero', projectData.cwd, `${err.message}`)
-      )
-    } catch (mvnErr) {
-      throw new Error(
-        i18n.__('mavenNotInstalledError', projectData.cwd, `${mvnErr.message}`)
-      )
-    }
+    throw new Error(
+      i18n.__('mavenDependencyTreeNonZero', projectData.cwd, `${err.message}`)
+    )
   }
 }
 
@@ -107,7 +94,7 @@ const buildGradle = (config, projectData, timeout) => {
         }
       )
     }
-    output.mvnDependancyTreeOutput = cmdStdout.toString()
+    output = cmdStdout.toString()
     return output
   } catch (err) {
     if (
@@ -129,7 +116,7 @@ const buildGradle = (config, projectData, timeout) => {
   }
 }
 
-const getJavaBuildDeps = async (config, files) => {
+const getJavaBuildDeps = (config, files) => {
   const timeout = 960000
   let output = {
     mvnDependancyTreeOutput: undefined,
@@ -137,20 +124,16 @@ const getJavaBuildDeps = async (config, files) => {
   }
 
   try {
-    const projectData = determineProjectTypeAndCwd(files, config.projectPath)
+    const projectData = determineProjectTypeAndCwd(files, config.file)
     if (projectData.projectType === MAVEN) {
-      output.mvnDependancyTreeOutput = await buildMaven(
-        config,
-        projectData,
-        timeout
-      )
+      output.mvnDependancyTreeOutput = buildMaven(config, projectData, timeout)
     } else if (projectData.projectType === GRADLE) {
       output.mvnDependancyTreeOutput = buildGradle(config, projectData, timeout)
     }
     output.projectType = projectData.projectType
     return output
   } catch (err) {
-    //
+    console.log(err.message.toString())
   }
 }
 

package/src/scaAnalysis/java/index.js

@@ -1,18 +1,18 @@
-const { getJavaBuildDeps } = require('./analysis')
+const analysis = require('./analysis')
 const { parseBuildDeps } = require('./javaBuildDepsParser')
 const { createJavaTSMessage } = require('../common/formatMessage')
 
-const javaAnalysis = async (config, languageFiles) => {
-  languageFiles.java.forEach(file => {
+const javaAnalysis = (config, languageFiles) => {
+  languageFiles.JAVA.forEach(file => {
     file.replace('build.gradle.kts', 'build.gradle')
   })
 
-  const javaDeps = await buildJavaTree(config, languageFiles.java)
+  const javaDeps = buildJavaTree(config, languageFiles.JAVA)
   return createJavaTSMessage(javaDeps)
 }
 
-const buildJavaTree = async (config, files) => {
-  const javaBuildDeps = await getJavaBuildDeps(config, files)
+const buildJavaTree = (config, files) => {
+  const javaBuildDeps = analysis.getJavaBuildDeps(config, files)
   return parseBuildDeps(config, javaBuildDeps)
 }
 

package/src/scaAnalysis/java/javaBuildDepsParser.js

@@ -4,13 +4,13 @@ let sb = new StringBuilder()
 
 const parseBuildDeps = (config, input) => {
   const { mvnDependancyTreeOutput, projectType } = input
-  // console.log(projectType)
   try {
     return parseGradle(mvnDependancyTreeOutput, config, projectType)
   } catch (err) {
     throw new Error(i18n.__('javaParseProjectFile') + `${err.message}`)
   }
 }
+
 const preParser = shavedOutput => {
   let obj = []
   for (let dep in shavedOutput) {
@@ -387,5 +387,18 @@ const parseGradle = (gradleDependencyTreeOutput, config, projectType) => {
 }
 
 module.exports = {
-  parseBuildDeps
+  parseBuildDeps,
+  shaveOutput,
+  validateIndentation,
+  calculateLevels,
+  lastChild,
+  hasChildren,
+  getElementHeader,
+  createElement,
+  stripElement,
+  checkVersion,
+  computeRelationToLastElement,
+  addIndentation,
+  computeLevel,
+  computeIndentation
 }

package/src/scaAnalysis/javascript/analysis.js

@@ -0,0 +1,127 @@
+const fs = require('fs')
+const yarnParser = require('@yarnpkg/lockfile')
+const yaml = require('js-yaml')
+const i18n = require('i18n')
+const {
+  formatKey
+} = require('../../audit/nodeAnalysisEngine/parseYarn2LockFileContents')
+
+const readFile = async (config, languageFiles, nameOfFile) => {
+  const index = languageFiles.findIndex(v => v.includes(nameOfFile))
+
+  if (config.file) {
+    return fs.readFileSync(config.file.concat(languageFiles[index]), 'utf8')
+  } else {
+    console.log('could not find file')
+  }
+}
+
+const readYarn = async (config, languageFiles, nameOfFile) => {
+  let yarn = {
+    yarnVersion: 1,
+    rawYarnLockFileContents: ''
+  }
+
+  try {
+    let rawYarnLockFileContents = await readFile(
+      config,
+      languageFiles,
+      nameOfFile
+    )
+    yarn.rawYarnLockFileContents = rawYarnLockFileContents
+
+    if (
+      !yarn.rawYarnLockFileContents.includes('lockfile v1') ||
+      yarn.rawYarnLockFileContents.includes('__metadata')
+    ) {
+      yarn.rawYarnLockFileContents = yaml.load(rawYarnLockFileContents)
+      yarn.yarnVersion = 2
+    }
+
+    return yarn
+  } catch (err) {
+    console.log(i18n.__('nodeReadYarnLockFileError') + `${err.message}`)
+    return
+  }
+}
+
+const parseNpmLockFile = async js => {
+  try {
+    js.npmLockFile = JSON.parse(js.rawLockFileContents)
+    if (js.npmLockFile && js.npmLockFile.lockfileVersion > 1) {
+      const listOfTopDep = Object.keys(js.npmLockFile.dependencies)
+      Object.entries(js.npmLockFile.dependencies).forEach(([objKey, value]) => {
+        if (value.requires) {
+          const listOfRequiresDep = Object.keys(value.requires)
+          listOfRequiresDep.forEach(dep => {
+            if (!listOfTopDep.includes(dep)) {
+              addDepToLockFile(js, value['requires'], dep)
+            }
+          })
+        }
+
+        if (value.dependencies) {
+          Object.entries(value.dependencies).forEach(
+            ([objChildKey, childValue]) => {
+              if (childValue.requires) {
+                const listOfRequiresDep = Object.keys(childValue.requires)
+                listOfRequiresDep.forEach(dep => {
+                  if (!listOfTopDep.includes(dep)) {
+                    addDepToLockFile(js, childValue['requires'], dep)
+                  }
+                })
+              }
+            }
+          )
+        }
+      })
+      return js.npmLockFile
+    } else {
+      return js.npmLockFile
+    }
+  } catch (err) {
+    console.log(i18n.__('NodeParseNPM') + `${err.message}`)
+    return
+  }
+}
+
+const addDepToLockFile = (js, depObj, key) => {
+  return (js.npmLockFile.dependencies[key] = { version: depObj[key] })
+}
+const parseYarnLockFile = async js => {
+  try {
+    js.yarn.yarnLockFile = {}
+    if (js.yarn.yarnVersion === 1) {
+      js.yarn.yarnLockFile = yarnParser.parse(js.yarn.rawYarnLockFileContents)
+      delete js.yarn.rawYarnLockFileContents
+      return js
+    } else {
+      js.yarn.yarnLockFile['object'] = js.yarn.rawYarnLockFileContents
+      delete js.yarn.yarnLockFile['object'].__metadata
+      js.yarn.yarnLockFile['type'] = 'success'
+
+      Object.entries(js.yarn.rawYarnLockFileContents).forEach(
+        ([key, value]) => {
+          const rawKeyNames = key.split(',')
+          const keyNames = formatKey(rawKeyNames)
+
+          keyNames.forEach(name => {
+            js.yarn.yarnLockFile.object[name] = value
+          })
+        }
+      )
+      return js
+    }
+  } catch (err) {
+    console.log(i18n.__('NodeParseYarn') + `${err.message}`)
+    return
+  }
+}
+
+module.exports = {
+  readYarn,
+  parseYarnLockFile,
+  parseNpmLockFile,
+  readFile,
+  formatKey
+}