@contrast/contrast 1.0.6 → 1.0.7

package/src/audit/javaAnalysisEngine/parseMavenProjectFileContents.js

@@ -34,12 +34,13 @@ const formatKeyName = value => {
   return tempArr[0] + '/' + tempArr[1] + '@' + tempArr[versionIndex]
 }
 
-const shaveConsoleOutputUntilItFindsFirsDigraphMention = mvnDependancyTreeOutput => {
-  //shaves of the console output until it reaches the first digraph
-  return mvnDependancyTreeOutput.substring(
-    mvnDependancyTreeOutput.indexOf('digraph')
-  )
-}
+const shaveConsoleOutputUntilItFindsFirsDigraphMention =
+  mvnDependancyTreeOutput => {
+    //shaves of the console output until it reaches the first digraph
+    return mvnDependancyTreeOutput.substring(
+      mvnDependancyTreeOutput.indexOf('digraph')
+    )
+  }
 
 const getDigraphObjInfo = editedOutput => {
   //turns the output into an array of digraph information
@@ -211,10 +212,12 @@ const parseMvn = mvnDependancyTreeOutput => {
 }
 
 // testing purposes
-exports.shaveConsoleOutputUntilItFindsFirsDigraphMention = shaveConsoleOutputUntilItFindsFirsDigraphMention
+exports.shaveConsoleOutputUntilItFindsFirsDigraphMention =
+  shaveConsoleOutputUntilItFindsFirsDigraphMention
 exports.getDigraphObjInfo = getDigraphObjInfo
 exports.createDigraphObjKey = createDigraphObjKey
-exports.turnDigraphDependanciesIntoArrOfInnerDep = turnDigraphDependanciesIntoArrOfInnerDep
+exports.turnDigraphDependanciesIntoArrOfInnerDep =
+  turnDigraphDependanciesIntoArrOfInnerDep
 exports.hasVersion = hasVersion
 exports.formatKeyName = formatKeyName
 exports.createOuterDependanciesAndType = createOuterDependanciesAndType

package/src/audit/languageAnalysisEngine/checkForMultipleIdentifiedLanguages.js

@@ -32,4 +32,5 @@ const checkForMultipleIdentifiedLanguages = identifiedLanguages => {
 }
 
 //For testing purposes
-exports.checkForMultipleIdentifiedLanguages = checkForMultipleIdentifiedLanguages
+exports.checkForMultipleIdentifiedLanguages =
+  checkForMultipleIdentifiedLanguages

package/src/audit/languageAnalysisEngine/checkForMultipleIdentifiedProjectFiles.js

@@ -38,4 +38,5 @@ const checkForMultipleIdentifiedProjectFiles = identifiedLanguages => {
 }
 
 //For testing purposes
-exports.checkForMultipleIdentifiedProjectFiles = checkForMultipleIdentifiedProjectFiles
+exports.checkForMultipleIdentifiedProjectFiles =
+  checkForMultipleIdentifiedProjectFiles

package/src/audit/languageAnalysisEngine/checkIdentifiedLanguageHasProjectFile.js

@@ -29,4 +29,5 @@ const checkIdentifiedLanguageHasProjectFile = identifiedLanguages => {
 }
 
 //For testing purposes
-exports.checkIdentifiedLanguageHasProjectFile = checkIdentifiedLanguageHasProjectFile
+exports.checkIdentifiedLanguageHasProjectFile =
+  checkIdentifiedLanguageHasProjectFile

package/src/audit/languageAnalysisEngine/languageAnalysisFactory.js

@@ -21,6 +21,7 @@ const {
   startSpinner,
   succeedSpinner
 } = require('../../utils/oraWrapper')
+const { pollForSnapshotCompletition } = require('./sendSnapshot')
 
 module.exports = exports = (err, analysis) => {
   const { identifiedLanguageInfo } = analysis.languageAnalysis
@@ -54,6 +55,13 @@ module.exports = exports = (err, analysis) => {
     const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
     startSpinner(reportSpinner)
     const snapshotResponse = await newSendSnapShot(analysis, catalogueAppId)
+
+    //poll for completion
+    const pollResult = await pollForSnapshotCompletition(
+      analysis.config,
+      snapshotResponse.id,
+      reportSpinner
+    )
     succeedSpinner(reportSpinner, 'Contrast SCA analysis complete')
 
     await vulnerabilityReport(analysis, catalogueAppId, snapshotResponse.id)

package/src/audit/languageAnalysisEngine/reduceIdentifiedLanguages.js

@@ -53,13 +53,15 @@ const deduceLanguageScaAnalysis = filenames => {
     //   deducedLanguages.push({language: DOTNET, projectFilename: filename})
     // }
     //
-    // if (isRubyProjectFilename(filename)) {
-    //   deducedLanguages.push({language: RUBY, projectFilename: filename})
-    // }
+    if (isRubyProjectFilename(filename)) {
+      deducedLanguages.push(filename)
+      language = RUBY
+    }
     //
-    // if (isPythonProjectFilename(filename)) {
-    //   deducedLanguages.push({language: PYTHON, projectFilename: filename})
-    // }
+    if (isPythonProjectFilename(filename)) {
+      deducedLanguages.push(filename)
+      language = PYTHON
+    }
     //
     // if (isPhpProjectFilename(filename)) {
     //   deducedLanguages.push({language: PHP, projectFilename: filename})
@@ -207,9 +209,8 @@ module.exports = exports = (analysis, next) => {
 
   let language = config.language
   if (language === undefined) {
-    languageAnalysis.identifiedLanguages = reduceIdentifiedLanguages(
-      identifiedLanguages
-    )
+    languageAnalysis.identifiedLanguages =
+      reduceIdentifiedLanguages(identifiedLanguages)
   } else {
     let refinedIdentifiedLanguages = []
     for (let x in identifiedLanguages) {

package/src/audit/languageAnalysisEngine/report/commonReportingFunctions.ts

@@ -14,12 +14,12 @@ import {
   findNameAndVersion,
   severityCountAllCVEs
 } from './utils/reportUtils'
-import {SeverityCountModel} from "./models/severityCountModel";
+import { SeverityCountModel } from './models/severityCountModel'
 import {
   ReportOutputBodyModel,
   ReportOutputHeaderModel,
   ReportOutputModel
-} from "./models/reportOutputModel";
+} from './models/reportOutputModel'
 
 export const createLibraryHeader = (
   id: string,
@@ -98,7 +98,8 @@ export const printFormattedOutput = (
   let contrastHeaderNumCounter = 0
   for (const reportModel of orderedOutputListLowestFirst) {
     contrastHeaderNumCounter++
-    const {libraryName, libraryVersion, highestSeverity} = reportModel.compositeKey
+    const { libraryName, libraryVersion, highestSeverity } =
+      reportModel.compositeKey
     const numOfCVEs = reportModel.cveArray.length
 
     const header = buildHeader(
@@ -109,12 +110,13 @@ export const printFormattedOutput = (
       numOfCVEs
     )
 
-    const body = buildBody(
-      reportModel.cveArray
-    )
+    const body = buildBody(reportModel.cveArray)
 
     const reportOutputModel = new ReportOutputModel(header, body)
-    console.log(reportOutputModel.header.vulnMessage, reportOutputModel.header.introducesMessage)
+    console.log(
+      reportOutputModel.header.vulnMessage,
+      reportOutputModel.header.introducesMessage
+    )
     console.log(reportOutputModel.body.issueMessage)
     console.log(reportOutputModel.body.adviceMessage)
   }
@@ -125,14 +127,17 @@ export function buildHeader(
   contrastHeaderNum: number,
   libraryName: string,
   version: string,
-  numOfCVEs: number,
+  numOfCVEs: number
 ) {
-  const vulnerabilityPluralised = numOfCVEs > 1 ? 'Vulnerabilities' : 'Vulnerability'
+  const vulnerabilityPluralised =
+    numOfCVEs > 1 ? 'Vulnerabilities' : 'Vulnerability'
   const formattedHeaderNum = buildFormattedHeaderNum(contrastHeaderNum)
 
   const vulnMessage = chalk
-  .hex(highestSeverity.outputColour)
-  .bold(`${formattedHeaderNum} - [${highestSeverity.severity}] ${libraryName}-${version}`)
+    .hex(highestSeverity.outputColour)
+    .bold(
+      `${formattedHeaderNum} - [${highestSeverity.severity}] ${libraryName}-${version}`
+    )
 
   const introducesMessage = chalk.bold(
     `introduces ${numOfCVEs} ${vulnerabilityPluralised}`
@@ -144,13 +149,14 @@ export function buildHeader(
 export function buildBody(cveArray: ReportCVEModel[]) {
   const cveMessages: string[] = []
 
-  findCVESeveritiesAndOrderByHighestPriority(cveArray).forEach(reportSeverityModel => {
+  findCVESeveritiesAndOrderByHighestPriority(cveArray).forEach(
+    reportSeverityModel => {
       // @ts-ignore
-      const {outputColour, severity, cveName} = reportSeverityModel
+      const { outputColour, severity, cveName } = reportSeverityModel
 
       const severityShorthand = chalk
-      .hex(outputColour)
-      .bold(`[${severity.charAt(0).toUpperCase()}]`)
+        .hex(outputColour)
+        .bold(`[${severity.charAt(0).toUpperCase()}]`)
 
       const builtMessage = `${severityShorthand} ${cveName}`
       cveMessages.push(builtMessage)
@@ -159,11 +165,13 @@ export function buildBody(cveArray: ReportCVEModel[]) {
 
   const numAndSeverityType = getNumOfAndSeverityType(cveArray)
 
-  const issueMessage =
-    ` ${chalk.bold('Issue')}  : ${numAndSeverityType} ${cveMessages.join(', ')}.`
+  const issueMessage = ` ${chalk.bold(
+    'Issue'
+  )}  : ${numAndSeverityType} ${cveMessages.join(', ')}.`
 
-  const adviceMessage =
-    ` ${chalk.bold('Advice')} : ${chalk.bold('Update to latest version')}.`
+  const adviceMessage = ` ${chalk.bold('Advice')} : ${chalk.bold(
+    'Update to latest version'
+  )}.`
 
   return new ReportOutputBodyModel(issueMessage, adviceMessage)
 }
@@ -183,13 +191,10 @@ export function buildFormattedHeaderNum(contrastHeaderNum: number) {
 }
 
 export function getNumOfAndSeverityType(cveArray: ReportCVEModel[]) {
-  const {
-    critical,
-    high,
-    medium,
-    low,
-    note
-  } = severityCountAllCVEs(cveArray, new SeverityCountModel())
+  const { critical, high, medium, low, note } = severityCountAllCVEs(
+    cveArray,
+    new SeverityCountModel()
+  )
 
   const criticalMessage = critical > 0 ? `${critical} Critical` : ''
   const highMessage = high > 0 ? `${high} High` : ''
@@ -199,6 +204,6 @@ export function getNumOfAndSeverityType(cveArray: ReportCVEModel[]) {
 
   //removes/trims whitespace to single spaces
   return `${criticalMessage} ${highMessage} ${mediumMessage} ${lowMessage} ${noteMessage}`
-  .replace(/\s+/g, ' ')
-  .trim();
-}
+    .replace(/\s+/g, ' ')
+    .trim()
+}

package/src/audit/languageAnalysisEngine/report/models/reportLibraryModel.ts

@@ -2,7 +2,7 @@ export class ReportLibraryModel {
   name: string
   cveArray: ReportCVEModel[]
 
-  constructor (name: string, cveArray: ReportCVEModel[]){
+  constructor(name: string, cveArray: ReportCVEModel[]) {
     this.name = name
     this.cveArray = cveArray
   }
@@ -16,12 +16,12 @@ export class ReportCVEModel {
   severityCode?: string
   cvss3SeverityCode?: string
 
-  constructor (
+  constructor(
     name: string,
     description: string,
     severityCode: string,
     cvss3SeverityCode: string
-  ){
+  ) {
     this.name = name
     this.description = description
     this.severityCode = severityCode

package/src/audit/languageAnalysisEngine/report/models/reportListModel.ts

@@ -1,32 +1,36 @@
-import {ReportSeverityModel} from "./reportSeverityModel";
-import {ReportCVEModel} from "./reportLibraryModel";
+import { ReportSeverityModel } from './reportSeverityModel'
+import { ReportCVEModel } from './reportLibraryModel'
 
 export class ReportList {
   reportOutputList: ReportModelStructure[]
 
-  constructor (){
+  constructor() {
     this.reportOutputList = []
   }
 }
 
 export class ReportModelStructure {
-  compositeKey: ReportCompositeKey;
-  cveArray: ReportCVEModel[];
+  compositeKey: ReportCompositeKey
+  cveArray: ReportCVEModel[]
 
-  constructor (compositeKey: ReportCompositeKey, cveArray: ReportCVEModel[]){
+  constructor(compositeKey: ReportCompositeKey, cveArray: ReportCVEModel[]) {
     this.compositeKey = compositeKey
     this.cveArray = cveArray
   }
 }
 
 export class ReportCompositeKey {
-  libraryName!: string;
-  libraryVersion!: string;
-  highestSeverity!: ReportSeverityModel;
+  libraryName!: string
+  libraryVersion!: string
+  highestSeverity!: ReportSeverityModel
 
-  constructor (libraryName: string, libraryVersion: string, highestSeverity: ReportSeverityModel){
+  constructor(
+    libraryName: string,
+    libraryVersion: string,
+    highestSeverity: ReportSeverityModel
+  ) {
     this.libraryName = libraryName
     this.libraryVersion = libraryVersion
     this.highestSeverity = highestSeverity
   }
-}
+}

package/src/audit/languageAnalysisEngine/report/models/reportSeverityModel.ts

@@ -4,7 +4,12 @@ export class ReportSeverityModel {
   outputColour: string
   cveName: string
 
-  constructor(severity: string, priority: number, outputColour: string, cveName: string) {
+  constructor(
+    severity: string,
+    priority: number,
+    outputColour: string,
+    cveName: string
+  ) {
     this.severity = severity
     this.priority = priority
     this.outputColour = outputColour

package/src/audit/languageAnalysisEngine/report/utils/reportUtils.ts

@@ -17,7 +17,7 @@ import {
   NOTE_PRIORITY
 } from '../../../../constants/constants'
 import { orderBy } from 'lodash'
-import {SeverityCountModel} from "../models/severityCountModel";
+import { SeverityCountModel } from '../models/severityCountModel'
 const {
   supportedLanguages: { GO }
 } = languageAnalysisEngine
@@ -29,19 +29,37 @@ export function findHighestSeverityCVE(cveArray: ReportCVEModel[]) {
   return orderBy(mappedToReportSeverityModels, cve => cve?.priority)[0]
 }
 
-
-export function findCVESeveritiesAndOrderByHighestPriority(cves: ReportCVEModel[]) {
-  return orderBy(cves.map(cve => findCVESeverity(cve)), ['priority'], ['asc'])
+export function findCVESeveritiesAndOrderByHighestPriority(
+  cves: ReportCVEModel[]
+) {
+  return orderBy(
+    cves.map(cve => findCVESeverity(cve)),
+    ['priority'],
+    ['asc']
+  )
 }
 
 export function findCVESeverity(cve: ReportCVEModel) {
   const cveName = cve.name as string
   if (cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL') {
-    return new ReportSeverityModel('CRITICAL', CRITICAL_PRIORITY, CRITICAL_COLOUR, cveName)
+    return new ReportSeverityModel(
+      'CRITICAL',
+      CRITICAL_PRIORITY,
+      CRITICAL_COLOUR,
+      cveName
+    )
   } else if (cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH') {
     return new ReportSeverityModel('HIGH', HIGH_PRIORITY, HIGH_COLOUR, cveName)
-  } else if (cve.cvss3SeverityCode === 'MEDIUM' || cve.severityCode === 'MEDIUM') {
-    return new ReportSeverityModel('MEDIUM', MEDIUM_PRIORITY, MEDIUM_COLOUR, cveName)
+  } else if (
+    cve.cvss3SeverityCode === 'MEDIUM' ||
+    cve.severityCode === 'MEDIUM'
+  ) {
+    return new ReportSeverityModel(
+      'MEDIUM',
+      MEDIUM_PRIORITY,
+      MEDIUM_COLOUR,
+      cveName
+    )
   } else if (cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW') {
     return new ReportSeverityModel('LOW', LOW_PRIORITY, LOW_COLOUR, cveName)
   } else if (cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE') {
@@ -55,43 +73,41 @@ export function convertGenericToTypedLibraries(libraries: any) {
   })
 }
 
-export function severityCountAllLibraries(vulnerableLibraries: ReportLibraryModel[]) {
+export function severityCountAllLibraries(
+  vulnerableLibraries: ReportLibraryModel[]
+) {
   const severityCount = new SeverityCountModel()
-  vulnerableLibraries.forEach(lib => severityCountAllCVEs(lib.cveArray, severityCount))
+  vulnerableLibraries.forEach(lib =>
+    severityCountAllCVEs(lib.cveArray, severityCount)
+  )
   return severityCount
 }
 
-export function severityCountAllCVEs(cveArray: ReportCVEModel[], severityCount: SeverityCountModel) {
+export function severityCountAllCVEs(
+  cveArray: ReportCVEModel[],
+  severityCount: SeverityCountModel
+) {
   const severityCountInner = severityCount
   cveArray.forEach(cve => severityCountSingleCVE(cve, severityCountInner))
   return severityCountInner
 }
 
-export function severityCountSingleCVE(cve: ReportCVEModel, severityCount: SeverityCountModel) {
-  if (
-    cve.cvss3SeverityCode === 'CRITICAL' ||
-    cve.severityCode === 'CRITICAL'
-  ) {
+export function severityCountSingleCVE(
+  cve: ReportCVEModel,
+  severityCount: SeverityCountModel
+) {
+  if (cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL') {
     severityCount.critical += 1
-  } else if (
-    cve.cvss3SeverityCode === 'HIGH' ||
-    cve.severityCode === 'HIGH'
-  ) {
+  } else if (cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH') {
     severityCount.high += 1
   } else if (
     cve.cvss3SeverityCode === 'MEDIUM' ||
     cve.severityCode === 'MEDIUM'
   ) {
     severityCount.medium += 1
-  } else if (
-    cve.cvss3SeverityCode === 'LOW' ||
-    cve.severityCode === 'LOW'
-  ) {
+  } else if (cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW') {
     severityCount.low += 1
-  } else if (
-    cve.cvss3SeverityCode === 'NOTE' ||
-    cve.severityCode === 'NOTE'
-  ) {
+  } else if (cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE') {
     severityCount.note += 1
   }
 

package/src/audit/languageAnalysisEngine/sendSnapshot.js

@@ -1,6 +1,12 @@
-const { getHttpClient } = require('../../utils/commonApi')
 const { handleResponseErrors } = require('../../common/errorHandling')
 const { APP_VERSION } = require('../../constants/constants')
+const commonApi = require('../../utils/commonApi')
+const _ = require('lodash')
+const oraFunctions = require('../../utils/oraWrapper')
+const i18n = require('i18n')
+const oraWrapper = require('../../utils/oraWrapper')
+const requestUtils = require('../../utils/requestUtils')
+const { performance } = require('perf_hooks')
 
 const newSendSnapShot = async analysis => {
   const analysisLanguage = analysis.config.language.toLowerCase()
@@ -10,7 +16,7 @@ const newSendSnapShot = async analysis => {
     snapshot: { [analysisLanguage]: analysis[analysisLanguage] }
   }
 
-  const client = getHttpClient(analysis.config)
+  const client = commonApi.getHttpClient(analysis.config)
 
   return client
     .sendSnapshot(requestBody, analysis.config)
@@ -26,6 +32,75 @@ const newSendSnapShot = async analysis => {
     })
 }
 
+const pollSnapshotResults = async (config, snapshotId, client) => {
+  await requestUtils.sleep(5000)
+  return client
+    .getReportStatusById(config, snapshotId)
+    .then(res => {
+      return res
+    })
+    .catch(err => {
+      console.log(err)
+    })
+}
+
+const getTimeout = config => {
+  if (config.timeout) {
+    return config.timeout
+  } else {
+    if (config.verbose) {
+      console.log('Timeout set to 2 minutes')
+    }
+    return 120
+  }
+}
+
+const pollForSnapshotCompletition = async (
+  config,
+  snapshotId,
+  reportSpinner
+) => {
+  const client = commonApi.getHttpClient(config)
+  const startTime = performance.now()
+  const timeout = getTimeout(config)
+
+  let complete = false
+  if (!_.isNil(snapshotId)) {
+    while (!complete) {
+      let result = await pollSnapshotResults(config, snapshotId, client)
+      if (result.statusCode === 200) {
+        if (result.body.status === 'PROCESSED') {
+          complete = true
+          return result.body
+        }
+        if (result.body.status === 'FAILED') {
+          complete = true
+          if (config.debug) {
+            oraFunctions.failSpinner(
+              reportSpinner,
+              i18n.__('auditNotCompleted')
+            )
+          }
+          console.log(result.body.errorMessage)
+          oraWrapper.stopSpinner(reportSpinner)
+          console.log('Contrast audit finished')
+          process.exit(1)
+        }
+      }
+      const endTime = performance.now() - startTime
+      if (requestUtils.millisToSeconds(endTime) > timeout) {
+        oraFunctions.failSpinner(
+          reportSpinner,
+          'Contrast audit timed out at the specified ' + timeout + ' seconds.'
+        )
+        console.log('Please try again, allowing more time.')
+        process.exit(1)
+      }
+    }
+  }
+}
+
 module.exports = {
-  newSendSnapShot: newSendSnapShot
+  newSendSnapShot: newSendSnapShot,
+  pollForSnapshotCompletition: pollForSnapshotCompletition
 }

package/src/commands/audit/processAudit.ts

@@ -7,7 +7,7 @@ export type parameterInput = string[]
 export const processAudit = async (argv: parameterInput) => {
   if (argv.indexOf('--help') != -1) {
     printHelpMessage()
-    process.exit(1)
+    process.exit(0)
   }
   const config = getAuditConfig(argv)
 

package/src/commands/scan/sca/scaAnalysis.js

@@ -6,16 +6,19 @@ const {
 } = require('../../../scan/autoDetection')
 const auditController = require('../../audit/auditController')
 const {
-  supportedLanguages: { JAVA, GO }
+  supportedLanguages: { JAVA, GO, RUBY, PYTHON }
 } = require('../../../audit/languageAnalysisEngine/constants')
 const goAnalysis = require('../../../scaAnalysis/go/goAnalysis')
+const { rubyAnalysis } = require('../../../scaAnalysis/ruby')
+const { pythonAnalysis } = require('../../../scaAnalysis/python')
 
 const processSca = async config => {
   let filesFound
   if (config.projectPath) {
-    filesFound = await manualDetectAuditFilesAndLanguages(config.projectPath)
+    filesFound = manualDetectAuditFilesAndLanguages(config.projectPath)
   } else {
     filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config)
+    config.projectPath = process.cwd()
   }
 
   // files found looks like [ { javascript: [ Array ] } ]
@@ -34,9 +37,14 @@ const processSca = async config => {
       // case 'dotnet':
       //     // code block
       //     break;
-      // case 'python':
-      //     // code block
-      //     break;
+      case RUBY:
+        messageToSend = rubyAnalysis(config, filesFound[0])
+        config.language = RUBY
+        break
+      case PYTHON:
+        messageToSend = pythonAnalysis(config, filesFound[0])
+        config.language = PYTHON
+        break
       // case 'ruby':
       //     // code block
       //     break;