@contrast/contrast 1.0.6 → 1.0.9

package/src/scaAnalysis/javascript/analysis.js

@@ -0,0 +1,126 @@
+const fs = require('fs')
+const yarnParser = require('@yarnpkg/lockfile')
+const yaml = require('js-yaml')
+const i18n = require('i18n')
+const {
+  formatKey
+} = require('../../audit/nodeAnalysisEngine/parseYarn2LockFileContents')
+
+const readFile = async (config, languageFiles, nameOfFile) => {
+  const index = languageFiles.findIndex(v => v.includes(nameOfFile))
+
+  if (config.file) {
+    return fs.readFileSync(config.file.concat(languageFiles[index]), 'utf8')
+  } else {
+    throw new Error('could not find file')
+  }
+}
+
+const readYarn = async (config, languageFiles, nameOfFile) => {
+  let yarn = {
+    yarnVersion: 1,
+    rawYarnLockFileContents: ''
+  }
+
+  try {
+    let rawYarnLockFileContents = await readFile(
+      config,
+      languageFiles,
+      nameOfFile
+    )
+    yarn.rawYarnLockFileContents = rawYarnLockFileContents
+
+    if (
+      !yarn.rawYarnLockFileContents.includes('lockfile v1') ||
+      yarn.rawYarnLockFileContents.includes('__metadata')
+    ) {
+      yarn.rawYarnLockFileContents = yaml.load(rawYarnLockFileContents)
+      yarn.yarnVersion = 2
+    }
+
+    return yarn
+  } catch (err) {
+    throw new Error(i18n.__('nodeReadYarnLockFileError') + `${err.message}`)
+  }
+}
+
+const parseNpmLockFile = async js => {
+  try {
+    js.npmLockFile = JSON.parse(js.rawLockFileContents)
+    if (js.npmLockFile && js.npmLockFile.lockfileVersion > 1) {
+      const listOfTopDep = Object.keys(js.npmLockFile.dependencies)
+      Object.entries(js.npmLockFile.dependencies).forEach(([objKey, value]) => {
+        if (value.requires) {
+          const listOfRequiresDep = Object.keys(value.requires)
+          listOfRequiresDep.forEach(dep => {
+            if (!listOfTopDep.includes(dep)) {
+              addDepToLockFile(js, value['requires'], dep)
+            }
+          })
+        }
+
+        if (value.dependencies) {
+          Object.entries(value.dependencies).forEach(
+            ([objChildKey, childValue]) => {
+              if (childValue.requires) {
+                const listOfRequiresDep = Object.keys(childValue.requires)
+                listOfRequiresDep.forEach(dep => {
+                  if (!listOfTopDep.includes(dep)) {
+                    addDepToLockFile(js, childValue['requires'], dep)
+                  }
+                })
+              }
+            }
+          )
+        }
+      })
+      return js.npmLockFile
+    } else {
+      return js.npmLockFile
+    }
+  } catch (err) {
+    throw new Error(i18n.__('NodeParseNPM') + `${err.message}`)
+  }
+}
+
+const addDepToLockFile = (js, depObj, key) => {
+  return (js.npmLockFile.dependencies[key] = { version: depObj[key] })
+}
+const parseYarnLockFile = async js => {
+  try {
+    js.yarn.yarnLockFile = {}
+    if (js.yarn.yarnVersion === 1) {
+      js.yarn.yarnLockFile = yarnParser.parse(js.yarn.rawYarnLockFileContents)
+      delete js.yarn.rawYarnLockFileContents
+      return js
+    } else {
+      js.yarn.yarnLockFile['object'] = js.yarn.rawYarnLockFileContents
+      delete js.yarn.yarnLockFile['object'].__metadata
+      js.yarn.yarnLockFile['type'] = 'success'
+
+      Object.entries(js.yarn.rawYarnLockFileContents).forEach(
+        ([key, value]) => {
+          const rawKeyNames = key.split(',')
+          const keyNames = formatKey(rawKeyNames)
+
+          keyNames.forEach(name => {
+            js.yarn.yarnLockFile.object[name] = value
+          })
+        }
+      )
+      return js
+    }
+  } catch (err) {
+    throw new Error(
+      i18n.__('NodeParseYarn', js.yarn.yarnVersion) + `${err.message}`
+    )
+  }
+}
+
+module.exports = {
+  readYarn,
+  parseYarnLockFile,
+  parseNpmLockFile,
+  readFile,
+  formatKey
+}

package/src/scaAnalysis/javascript/index.js

@@ -0,0 +1,72 @@
+const analysis = require('./analysis')
+const i18n = require('i18n')
+const formatMessage = require('../common/formatMessage')
+
+const jsAnalysis = async (config, languageFiles) => {
+  checkForCorrectFiles(languageFiles)
+
+  return buildNodeTree(config, languageFiles.JAVASCRIPT)
+}
+const buildNodeTree = async (config, files) => {
+  let analysis = await readFiles(config, files)
+  const rawNode = await parseFiles(config, files, analysis)
+  return formatMessage.createJavaScriptTSMessage(rawNode)
+}
+
+const readFiles = async (config, files) => {
+  let js = {}
+
+  js.packageJSON = JSON.parse(
+    await analysis.readFile(config, files, 'package.json')
+  )
+
+  if (files.includes('package-lock.json')) {
+    js.rawLockFileContents = await analysis.readFile(
+      config,
+      files,
+      'package-lock.json'
+    )
+  }
+  if (files.includes('yarn.lock')) {
+    js.yarn = {}
+    js.yarn = await analysis.readYarn(config, files, 'yarn.lock')
+  }
+
+  return js
+}
+
+const parseFiles = async (config, files, js) => {
+  if (files.includes('package-lock.json')) {
+    js.npmLockFile = await analysis.parseNpmLockFile(js)
+  }
+  if (files.includes('yarn.lock')) {
+    js = await analysis.parseYarnLockFile(js)
+  }
+
+  return js
+}
+
+const checkForCorrectFiles = languageFiles => {
+  if (
+    languageFiles.JAVASCRIPT.includes('package-lock.json') &&
+    languageFiles.JAVASCRIPT.includes('yarn.lock')
+  ) {
+    throw new Error(
+      i18n.__('languageAnalysisHasMultipleLockFiles', 'javascript')
+    )
+  }
+
+  if (
+    !languageFiles.JAVASCRIPT.includes('package-lock.json') &&
+    !languageFiles.JAVASCRIPT.includes('yarn.lock')
+  ) {
+    throw new Error(i18n.__('languageAnalysisHasNoLockFile', 'javascript'))
+  }
+
+  if (!languageFiles.JAVASCRIPT.includes('package.json')) {
+    throw new Error(i18n.__('languageAnalysisHasNoPackageJsonFile'))
+  }
+}
+module.exports = {
+  jsAnalysis
+}

package/src/scaAnalysis/php/analysis.js

@@ -0,0 +1,78 @@
+const fs = require('fs')
+const i18n = require('i18n')
+const _ = require('lodash')
+
+const readFile = (config, nameOfFile) => {
+  if (config.file) {
+    try {
+      return fs.readFileSync(config.file + '/' + nameOfFile)
+    } catch (error) {
+      console.log('Unable to find file')
+      console.log(error)
+    }
+  }
+}
+
+const parseProjectFiles = php => {
+  try {
+    // composer.json
+    php.composerJSON.dependencies = php.composerJSON.require
+    php.composerJSON.devDependencies = php.composerJSON['require-dev']
+
+    // composer.lock
+    php.lockFile = php.rawLockFileContents
+    let packages = _.keyBy(php.lockFile.packages, 'name')
+    let packagesDev = _.keyBy(php.lockFile['packages-dev'], 'name')
+    php.lockFile.dependencies = _.merge(packages, packagesDev)
+
+    const listOfTopDep = Object.keys(php.lockFile.dependencies)
+
+    Object.entries(php.lockFile.dependencies).forEach(([key, value]) => {
+      if (value.require) {
+        const listOfRequiresDep = Object.keys(value.require)
+        listOfRequiresDep.forEach(dep => {
+          if (!listOfTopDep.includes(dep)) {
+            addChildDepToLockFileAsOwnObj(php, value['require'], dep)
+          }
+        })
+      }
+
+      if (value['require-dev']) {
+        const listOfRequiresDep = Object.keys(value['require-dev'])
+        listOfRequiresDep.forEach(dep => {
+          if (!listOfTopDep.includes(dep)) {
+            addChildDepToLockFileAsOwnObj(php, value['require-dev'], dep)
+          }
+        })
+      }
+    })
+    formatParentDepToLockFile(php)
+    delete php.rawLockFileContents
+    return php
+  } catch (err) {
+    return console.log(i18n.__('phpParseComposerLock', php) + `${err.message}`) // not sure on this
+  }
+}
+
+function addChildDepToLockFileAsOwnObj(php, depObj, key) {
+  php.lockFile.dependencies[key] = { version: depObj[key] }
+}
+
+function formatParentDepToLockFile(php) {
+  for (const [key, value] of Object.entries(php.lockFile.dependencies)) {
+    let requires = {}
+    for (const [childKey, childValue] of Object.entries(value)) {
+      if (childKey === 'require' || childKey === 'require-dev') {
+        requires = _.merge(requires, childValue)
+        php.lockFile.dependencies[key].requires = requires
+        delete php.lockFile.dependencies[key].require
+        delete php.lockFile.dependencies[key]['require-dev']
+      }
+    }
+  }
+}
+
+module.exports = {
+  parseProjectFiles,
+  readFile
+}

package/src/scaAnalysis/php/index.js

@@ -0,0 +1,22 @@
+const { readFile, parseProjectFiles } = require('./analysis')
+const { createPhpTSMessage } = require('../common/formatMessage')
+
+const phpAnalysis = (config, files) => {
+  let analysis = readFiles(config, files.PHP)
+  const phpDep = parseProjectFiles(analysis)
+  return createPhpTSMessage(phpDep)
+}
+
+const readFiles = (config, files) => {
+  let php = {}
+
+  php.composerJSON = JSON.parse(readFile(config, 'composer.json'))
+
+  php.rawLockFileContents = JSON.parse(readFile(config, 'composer.lock'))
+
+  return php
+}
+
+module.exports = {
+  phpAnalysis
+}

package/src/scaAnalysis/python/analysis.js

@@ -0,0 +1,49 @@
+const multiReplace = require('string-multiple-replace')
+const fs = require('fs')
+
+const readAndParseProjectFile = file => {
+  const filePath = filePathForWindows(file + '/Pipfile')
+  const pipFile = fs.readFileSync(filePath, 'utf8')
+
+  const matcherObj = { '"': '' }
+  const sequencer = ['"']
+  const parsedPipfile = multiReplace(pipFile, matcherObj, sequencer)
+
+  const pythonArray = parsedPipfile.split('\n')
+
+  return pythonArray.filter(element => element !== '' && !element.includes('#'))
+}
+
+const readAndParseLockFile = file => {
+  const filePath = filePathForWindows(file + '/Pipfile.lock')
+  const lockFile = fs.readFileSync(filePath, 'utf8')
+  let parsedPipLock = JSON.parse(lockFile)
+  parsedPipLock['defaults'] = parsedPipLock['default']
+  delete parsedPipLock['default']
+  return parsedPipLock
+}
+
+const getPythonDeps = config => {
+  try {
+    const parseProject = readAndParseProjectFile(config.file)
+    const parsePip = readAndParseLockFile(config.file)
+
+    return { pipfileLock: parsePip, pipfilDependanceies: parseProject }
+  } catch (err) {
+    console.log(err.message.toString())
+    process.exit(1)
+  }
+}
+
+const filePathForWindows = path => {
+  if (process.platform === 'win32') {
+    path = path.replace(/\//g, '\\')
+  }
+  return path
+}
+
+module.exports = {
+  getPythonDeps,
+  readAndParseProjectFile,
+  readAndParseLockFile
+}

package/src/scaAnalysis/python/index.js

@@ -0,0 +1,11 @@
+const { createPythonTSMessage } = require('../common/formatMessage')
+const { getPythonDeps } = require('./analysis')
+
+const pythonAnalysis = (config, languageFiles) => {
+  const pythonDeps = getPythonDeps(config, languageFiles.PYTHON)
+  return createPythonTSMessage(pythonDeps)
+}
+
+module.exports = {
+  pythonAnalysis
+}

package/src/scaAnalysis/ruby/analysis.js

@@ -0,0 +1,273 @@
+const fs = require('fs')
+
+const readAndParseGemfile = file => {
+  const gemFile = fs.readFileSync(file + '/Gemfile', 'utf8')
+  const rubyArray = gemFile.split('\n')
+
+  let filteredRubyDep = rubyArray.filter(element => {
+    return (
+      !element.includes('#') &&
+      element.includes('gem') &&
+      !element.includes('source')
+    )
+  })
+
+  for (let i = 0; i < filteredRubyDep.length; i++) {
+    filteredRubyDep[i] = filteredRubyDep[i].trim()
+  }
+
+  return filteredRubyDep
+}
+
+const readAndParseGemLockFile = file => {
+  const lockFile = fs.readFileSync(file + '/Gemfile.lock', 'utf8')
+  const dependencyRegEx = /^\s*([A-Za-z0-9.!@#$%\-^&*_+]*)\s*(\((.*?)\))/
+
+  const lines = lockFile.split('\n')
+
+  return {
+    dependencies: getDirectDependencies(lines, dependencyRegEx),
+    runtimeDetails: getLockFileRuntimeInfo(lines),
+    sources: getSourceArray(lines, dependencyRegEx)
+  }
+}
+
+const nonDependencyKeys = (line, sourceObject) => {
+  const GEMFILE_KEY_VALUE = /^\s*([^:(]*)\s*\:*\s*(.*)/
+  let parts = GEMFILE_KEY_VALUE.exec(line)
+  let key = parts[1].trim()
+  let value = parts[2] || ''
+
+  sourceObject[key] = value
+  return sourceObject
+}
+
+const populateResolveAndPlatform = (version, sourceObject) => {
+  const depArr = version.split('-')
+  sourceObject.resolved = depArr[0]
+  sourceObject.platform = depArr.length > 1 ? depArr[1] : 'UNSPECIFIED'
+  return sourceObject
+}
+
+const isUpperCase = str => {
+  return str === str.toUpperCase()
+}
+
+const getDirectDependencies = (lines, dependencyRegEx) => {
+  const dependencies = {}
+
+  let depIndex = 0
+  for (let i = 0; i < lines.length; i++) {
+    if (lines[i] === 'DEPENDENCIES') {
+      depIndex = i
+    }
+  }
+  const getDepArray = lines.slice(depIndex)
+
+  for (let j = 1; j < getDepArray.length; j++) {
+    const element = getDepArray[j]
+    if (!isUpperCase(element)) {
+      const isDependencyWithVersion = dependencyRegEx.test(element)
+      if (isDependencyWithVersion) {
+        const dependency = dependencyRegEx.exec(element)
+        let name = dependency[1]
+        name = name.replace('!', '')
+        dependencies[name.trim()] = dependency[3]
+      } else {
+        let name = element
+        name = name.replace('!', ' ')
+        dependencies[name.trim()] = 'UNSPECIFIED'
+      }
+    }
+  }
+
+  return dependencies
+}
+
+const getLockFileRuntimeInfo = lines => {
+  let rubVersionIndex = 0
+  for (let i = 0; i < lines.length; i++) {
+    if (lines[i] === 'RUBY VERSION') {
+      rubVersionIndex = i
+      break
+    }
+  }
+
+  const runtimeDetails = {}
+  if (rubVersionIndex !== 0) {
+    const getRubyVersionArray = lines.slice(rubVersionIndex)
+
+    for (let element of getRubyVersionArray) {
+      if (!isUpperCase(element)) {
+        runtimeDetails['version'] = getVersion(element)
+        runtimeDetails['patchLevel'] = getPatchLevel(element)
+
+        if (element.includes('engine')) {
+          let splitElement = element.split(' ')
+          runtimeDetails[splitElement[0]] = splitElement[1]
+        }
+      }
+    }
+  }
+  return runtimeDetails
+}
+
+const getVersion = element => {
+  const versionRegex = /^([ruby\s0-9.*]+)/
+  if (versionRegex.test(element)) {
+    let version = versionRegex.exec(element)[0]
+
+    if (version.includes('ruby')) {
+      return trimWhiteSpace(version.replace('ruby', ''))
+    }
+  }
+}
+
+const getPatchLevel = element => {
+  const patchLevelRegex = /(p\d+)/
+  if (patchLevelRegex.test(element)) {
+    return patchLevelRegex.exec(element)[0]
+  }
+}
+
+const formatSourceArr = sourceArr => {
+  return sourceArr.map(element => {
+    if (element.sourceType === 'GIT') {
+      delete element.specs
+    }
+
+    if (element.sourceType === 'GEM') {
+      delete element.branch
+      delete element.revision
+      delete element.depthLevel
+      delete element.specs
+    }
+
+    if (element.sourceType === 'PATH') {
+      delete element.branch
+      delete element.revision
+      delete element.depthLevel
+      delete element.specs
+      delete element.platform
+    }
+    return element
+  })
+}
+
+const getSourceArray = (lines, dependencyRegEx) => {
+  const sourceObject = {
+    dependencies: {}
+  }
+
+  const whitespaceRegx = /^(\s*)/
+  let index = 0
+
+  let line = 0
+  const sources = []
+  while ((line = lines[index++]) !== undefined) {
+    let currentWS = whitespaceRegx.exec(line)[1].length
+    if (!line.includes(' bundler (')) {
+      if (currentWS === 0 && !line.includes(':') && line !== '') {
+        sourceObject.sourceType = line
+      }
+
+      if (currentWS !== 0 && line.includes(':')) {
+        nonDependencyKeys(line, sourceObject)
+      }
+
+      if (currentWS > 2) {
+        let nexlineWS = whitespaceRegx.exec(lines[index])[1].length
+        sourceObject.dependencies = buildSourceDependencyWithVersion(
+          whitespaceRegx,
+          dependencyRegEx,
+          line,
+          currentWS,
+          sourceObject.name,
+          sourceObject.dependencies
+        )
+
+        if (currentWS === 4 && sourceObject.depthLevel === undefined) {
+          const dependency = dependencyRegEx.exec(line)
+          sourceObject.name = dependency[1]
+          sourceObject.depthLevel = currentWS
+          populateResolveAndPlatform(dependency[3], sourceObject)
+        }
+
+        if (currentWS === 4 && sourceObject.depthLevel) {
+          // create new Parent
+          const dependency = dependencyRegEx.exec(line)
+          sourceObject.name = dependency[1]
+          sourceObject.depthLevel = currentWS
+          populateResolveAndPlatform(dependency[3], sourceObject)
+        }
+
+        if (
+          (currentWS === 4 && nexlineWS === 4) ||
+          (currentWS === 6 && nexlineWS === 4) ||
+          nexlineWS == ''
+        ) {
+          let newObj = {}
+          newObj = JSON.parse(JSON.stringify(sourceObject))
+          sources.push(newObj)
+          sourceObject.dependencies = {}
+        }
+      }
+    }
+  }
+  return formatSourceArr(sources)
+}
+
+const buildSourceDependencyWithVersion = (
+  whitespaceRegx,
+  dependencyRegEx,
+  line,
+  currentWhiteSpace,
+  name,
+  dependencies
+) => {
+  const isDependencyWithVersion = dependencyRegEx.test(line)
+
+  if (currentWhiteSpace === 6) {
+    const dependency = dependencyRegEx.exec(line)
+    if (isDependencyWithVersion) {
+      if (name !== dependency[1]) {
+        dependencies[dependency[1]] = dependency[3]
+      }
+    } else {
+      dependencies[line.trim()] = 'UNSPECIFIED'
+    }
+  }
+
+  return dependencies
+}
+
+const getRubyDeps = config => {
+  try {
+    const parsedGem = readAndParseGemfile(config.file)
+    const parsedLock = readAndParseGemLockFile(config.file)
+
+    return { gemfilesDependanceies: parsedGem, gemfileLock: parsedLock }
+  } catch (err) {
+    console.log(err.message)
+    process.exit(1)
+  }
+}
+
+const trimWhiteSpace = string => {
+  return string.replace(/\s+/g, '')
+}
+
+module.exports = {
+  getRubyDeps,
+  readAndParseGemfile,
+  readAndParseGemLockFile,
+  nonDependencyKeys,
+  populateResolveAndPlatform,
+  isUpperCase,
+  getDirectDependencies,
+  getLockFileRuntimeInfo,
+  getVersion,
+  getPatchLevel,
+  formatSourceArr,
+  getSourceArray
+}

package/src/scaAnalysis/ruby/index.js

@@ -0,0 +1,11 @@
+const analysis = require('./analysis')
+const { createRubyTSMessage } = require('../common/formatMessage')
+
+const rubyAnalysis = (config, languageFiles) => {
+  const rubyDeps = analysis.getRubyDeps(config, languageFiles.RUBY)
+  return createRubyTSMessage(rubyDeps)
+}
+
+module.exports = {
+  rubyAnalysis
+}