@contrast/contrast 1.0.6 → 1.0.9

package/src/audit/languageAnalysisEngine/report/utils/reportUtils.ts

@@ -3,7 +3,7 @@ import {
   ReportLibraryModel
 } from '../models/reportLibraryModel'
 import { ReportSeverityModel } from '../models/reportSeverityModel'
-import languageAnalysisEngine from '../../../languageAnalysisEngine/constants'
+import languageAnalysisEngine from './../../../../constants/constants'
 import {
   CRITICAL_COLOUR,
   CRITICAL_PRIORITY,
@@ -17,7 +17,8 @@ import {
   NOTE_PRIORITY
 } from '../../../../constants/constants'
 import { orderBy } from 'lodash'
-import {SeverityCountModel} from "../models/severityCountModel";
+import { SeverityCountModel } from '../models/severityCountModel'
+import { ReportModelStructure } from '../models/reportListModel'
 const {
   supportedLanguages: { GO }
 } = languageAnalysisEngine
@@ -29,19 +30,37 @@ export function findHighestSeverityCVE(cveArray: ReportCVEModel[]) {
   return orderBy(mappedToReportSeverityModels, cve => cve?.priority)[0]
 }
 
-
-export function findCVESeveritiesAndOrderByHighestPriority(cves: ReportCVEModel[]) {
-  return orderBy(cves.map(cve => findCVESeverity(cve)), ['priority'], ['asc'])
+export function findCVESeveritiesAndOrderByHighestPriority(
+  cves: ReportCVEModel[]
+) {
+  return orderBy(
+    cves.map(cve => findCVESeverity(cve)),
+    ['priority'],
+    ['asc']
+  )
 }
 
 export function findCVESeverity(cve: ReportCVEModel) {
   const cveName = cve.name as string
   if (cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL') {
-    return new ReportSeverityModel('CRITICAL', CRITICAL_PRIORITY, CRITICAL_COLOUR, cveName)
+    return new ReportSeverityModel(
+      'CRITICAL',
+      CRITICAL_PRIORITY,
+      CRITICAL_COLOUR,
+      cveName
+    )
   } else if (cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH') {
     return new ReportSeverityModel('HIGH', HIGH_PRIORITY, HIGH_COLOUR, cveName)
-  } else if (cve.cvss3SeverityCode === 'MEDIUM' || cve.severityCode === 'MEDIUM') {
-    return new ReportSeverityModel('MEDIUM', MEDIUM_PRIORITY, MEDIUM_COLOUR, cveName)
+  } else if (
+    cve.cvss3SeverityCode === 'MEDIUM' ||
+    cve.severityCode === 'MEDIUM'
+  ) {
+    return new ReportSeverityModel(
+      'MEDIUM',
+      MEDIUM_PRIORITY,
+      MEDIUM_COLOUR,
+      cveName
+    )
   } else if (cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW') {
     return new ReportSeverityModel('LOW', LOW_PRIORITY, LOW_COLOUR, cveName)
   } else if (cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE') {
@@ -49,49 +68,47 @@ export function findCVESeverity(cve: ReportCVEModel) {
   }
 }
 
-export function convertGenericToTypedLibraries(libraries: any) {
+export function convertGenericToTypedLibraryVulns(libraries: any) {
   return Object.entries(libraries).map(([name, cveArray]) => {
     return new ReportLibraryModel(name, cveArray as ReportCVEModel[])
   })
 }
 
-export function severityCountAllLibraries(vulnerableLibraries: ReportLibraryModel[]) {
+export function severityCountAllLibraries(
+  vulnerableLibraries: ReportLibraryModel[]
+) {
   const severityCount = new SeverityCountModel()
-  vulnerableLibraries.forEach(lib => severityCountAllCVEs(lib.cveArray, severityCount))
+  vulnerableLibraries.forEach(lib =>
+    severityCountAllCVEs(lib.cveArray, severityCount)
+  )
   return severityCount
 }
 
-export function severityCountAllCVEs(cveArray: ReportCVEModel[], severityCount: SeverityCountModel) {
+export function severityCountAllCVEs(
+  cveArray: ReportCVEModel[],
+  severityCount: SeverityCountModel
+) {
   const severityCountInner = severityCount
   cveArray.forEach(cve => severityCountSingleCVE(cve, severityCountInner))
   return severityCountInner
 }
 
-export function severityCountSingleCVE(cve: ReportCVEModel, severityCount: SeverityCountModel) {
-  if (
-    cve.cvss3SeverityCode === 'CRITICAL' ||
-    cve.severityCode === 'CRITICAL'
-  ) {
+export function severityCountSingleCVE(
+  cve: ReportCVEModel,
+  severityCount: SeverityCountModel
+) {
+  if (cve.cvss3SeverityCode === 'CRITICAL' || cve.severityCode === 'CRITICAL') {
     severityCount.critical += 1
-  } else if (
-    cve.cvss3SeverityCode === 'HIGH' ||
-    cve.severityCode === 'HIGH'
-  ) {
+  } else if (cve.cvss3SeverityCode === 'HIGH' || cve.severityCode === 'HIGH') {
     severityCount.high += 1
   } else if (
     cve.cvss3SeverityCode === 'MEDIUM' ||
     cve.severityCode === 'MEDIUM'
   ) {
     severityCount.medium += 1
-  } else if (
-    cve.cvss3SeverityCode === 'LOW' ||
-    cve.severityCode === 'LOW'
-  ) {
+  } else if (cve.cvss3SeverityCode === 'LOW' || cve.severityCode === 'LOW') {
     severityCount.low += 1
-  } else if (
-    cve.cvss3SeverityCode === 'NOTE' ||
-    cve.severityCode === 'NOTE'
-  ) {
+  } else if (cve.cvss3SeverityCode === 'NOTE' || cve.severityCode === 'NOTE') {
     severityCount.note += 1
   }
 
@@ -106,11 +123,49 @@ export function findNameAndVersion(library: ReportLibraryModel, config: any) {
 
     return { name, version }
   } else {
-    const splitLibraryName = library.name.split('/')
-    const nameVersion = splitLibraryName[1].split('@')
-    const name = nameVersion[0]
+    //spreads items from split into set so no duplicates appear
+    const uniqueSplitLibraryName = [...new Set(library.name.split('/'))]
+    const nameVersion = uniqueSplitLibraryName[1].split('@')
+
+    let parentLibrary
+    let name
+    if (
+      uniqueSplitLibraryName[0] !== 'null' &&
+      uniqueSplitLibraryName[0] !== '' &&
+      !uniqueSplitLibraryName[1].includes(uniqueSplitLibraryName[0])
+    ) {
+      //if the parent lib (element 0) is not null, not blank and not already part of the library name
+      //e.g. shared-ini-file-loader-1.0.0-rc.3 is very generic - converts to @aws-sdk/shared-ini-file-loader-1.0.0-rc.3
+      parentLibrary = uniqueSplitLibraryName[0]
+      name = `${parentLibrary}/${nameVersion[0]}`
+    } else {
+      name = nameVersion[0]
+    }
+
     const version = nameVersion[1]
 
     return { name, version }
   }
 }
+
+export function countVulnerableLibrariesBySeverity(
+  reportModelStructure: ReportModelStructure[]
+) {
+  const severityCount = new SeverityCountModel()
+  reportModelStructure.forEach(vuln => {
+    const currentSeverity = vuln.compositeKey.highestSeverity.severity
+    if (currentSeverity === 'CRITICAL') {
+      severityCount.critical += 1
+    } else if (currentSeverity === 'HIGH') {
+      severityCount.high += 1
+    } else if (currentSeverity === 'MEDIUM') {
+      severityCount.medium += 1
+    } else if (currentSeverity === 'LOW') {
+      severityCount.low += 1
+    } else if (currentSeverity === 'NOTE') {
+      severityCount.note += 1
+    }
+  })
+
+  return severityCount
+}

package/src/audit/languageAnalysisEngine/sendSnapshot.js

@@ -1,31 +1,80 @@
-const { getHttpClient } = require('../../utils/commonApi')
-const { handleResponseErrors } = require('../../common/errorHandling')
-const { APP_VERSION } = require('../../constants/constants')
-
-const newSendSnapShot = async analysis => {
-  const analysisLanguage = analysis.config.language.toLowerCase()
-  const requestBody = {
-    appID: analysis.config.applicationId,
-    cliVersion: APP_VERSION,
-    snapshot: { [analysisLanguage]: analysis[analysisLanguage] }
-  }
-
-  const client = getHttpClient(analysis.config)
+const commonApi = require('../../utils/commonApi')
+const _ = require('lodash')
+const oraFunctions = require('../../utils/oraWrapper')
+const i18n = require('i18n')
+const oraWrapper = require('../../utils/oraWrapper')
+const requestUtils = require('../../utils/requestUtils')
+const { performance } = require('perf_hooks')
 
+const pollSnapshotResults = async (config, snapshotId, client) => {
+  await requestUtils.sleep(5000)
   return client
-    .sendSnapshot(requestBody, analysis.config)
+    .getReportStatusById(config, snapshotId)
     .then(res => {
-      if (res.statusCode === 201) {
-        return res.body
-      } else {
-        handleResponseErrors(res, 'snapshot')
-      }
+      return res
     })
     .catch(err => {
       console.log(err)
     })
 }
 
+const getTimeout = config => {
+  if (config.timeout) {
+    return config.timeout
+  } else {
+    if (config.verbose) {
+      console.log('Timeout set to 5 minutes')
+    }
+    return 300
+  }
+}
+
+const pollForSnapshotCompletition = async (
+  config,
+  snapshotId,
+  reportSpinner
+) => {
+  const client = commonApi.getHttpClient(config)
+  const startTime = performance.now()
+  const timeout = getTimeout(config)
+
+  let complete = false
+  if (!_.isNil(snapshotId)) {
+    while (!complete) {
+      let result = await pollSnapshotResults(config, snapshotId, client)
+      if (result.statusCode === 200) {
+        if (result.body.status === 'PROCESSED') {
+          complete = true
+          return result.body
+        }
+        if (result.body.status === 'FAILED') {
+          complete = true
+          if (config.debug) {
+            oraFunctions.failSpinner(
+              reportSpinner,
+              i18n.__('auditNotCompleted')
+            )
+          }
+          console.log(result.body.errorMessage)
+          oraWrapper.stopSpinner(reportSpinner)
+          console.log('Contrast audit finished')
+          process.exit(1)
+        }
+      }
+      const endTime = performance.now() - startTime
+      if (requestUtils.millisToSeconds(endTime) > timeout) {
+        oraFunctions.failSpinner(
+          reportSpinner,
+          'Contrast audit timed out at the specified timeout of ' +
+            timeout +
+            ' seconds.'
+        )
+        throw new Error('You can update the timeout using --timeout')
+      }
+    }
+  }
+}
+
 module.exports = {
-  newSendSnapShot: newSendSnapShot
+  pollForSnapshotCompletition: pollForSnapshotCompletition
 }

package/src/audit/save.js

@@ -0,0 +1,48 @@
+const fs = require('fs')
+const i18n = require('i18n')
+const chalk = require('chalk')
+const save = require('../commands/audit/saveFile')
+const sbom = require('../sbom/generateSbom')
+const {
+  SBOM_CYCLONE_DX_FILE,
+  SBOM_SPDX_FILE
+} = require('../constants/constants')
+
+async function auditSave(config) {
+  let fileFormat
+  switch (config.save) {
+    case null:
+    case SBOM_CYCLONE_DX_FILE:
+      fileFormat = SBOM_CYCLONE_DX_FILE
+      break
+    case SBOM_SPDX_FILE:
+      fileFormat = SBOM_SPDX_FILE
+      break
+    default:
+      break
+  }
+
+  if (fileFormat) {
+    save.saveFile(
+      config,
+      fileFormat,
+      await sbom.generateSbom(config, fileFormat)
+    )
+    const filename = `${config.applicationId}-sbom-${fileFormat}.json`
+    if (fs.existsSync(filename)) {
+      console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`)
+    } else {
+      console.log(
+        chalk.yellow.bold(
+          `\n Unable to save ${filename} Software Bill of Materials (SBOM)`
+        )
+      )
+    }
+  } else {
+    console.log(i18n.__('auditBadFiletypeSpecifiedForSave'))
+  }
+}
+
+module.exports = {
+  auditSave
+}

package/src/commands/audit/auditConfig.ts

@@ -1,15 +1,6 @@
 import paramHandler from '../../utils/paramsUtil/paramHandler'
 import constants from '../../constants'
 import cliOptions from '../../utils/parsedCLIOptions'
-import languageAnalysisEngine from '../../audit/languageAnalysisEngine/constants'
-import {
-  determineProjectLanguage,
-  identifyLanguages
-} from '../../audit/autodetection/autoDetectLanguage'
-
-const {
-  supportedLanguages: { NODE, JAVASCRIPT }
-} = languageAnalysisEngine
 
 export const getAuditConfig = (argv: string[]): { [key: string]: string } => {
   const auditParameters = cliOptions.getCommandLineArgsCustom(
@@ -18,22 +9,6 @@ export const getAuditConfig = (argv: string[]): { [key: string]: string } => {
   )
   const paramsAuth = paramHandler.getAuth(auditParameters)
 
-  if (
-    auditParameters.language === undefined ||
-    auditParameters.language === null
-  ) {
-    try {
-      auditParameters.language = determineProjectLanguage(
-        identifyLanguages(auditParameters)
-      )
-    } catch (err: any) {
-      console.log(err.message)
-      process.exit(1)
-    }
-  } else if (auditParameters.language.toUpperCase() === JAVASCRIPT) {
-    auditParameters.language = NODE.toLowerCase()
-  }
-
   // @ts-ignore
   return { ...paramsAuth, ...auditParameters }
 }

package/src/commands/audit/auditController.ts

@@ -1,10 +1,6 @@
 import { catalogueApplication } from '../../audit/catalogueApplication/catalogueApplication'
 import commonApi from '../../audit/languageAnalysisEngine/commonApi'
 
-const identifyLanguageAE = require('./../../audit/languageAnalysisEngine')
-const languageFactory = require('../../audit/languageAnalysisEngine/languageAnalysisFactory')
-const { v4: uuidv4 } = require('uuid')
-
 export const dealWithNoAppId = async (config: { [x: string]: string }) => {
   let appID: string
   try {
@@ -14,14 +10,15 @@ export const dealWithNoAppId = async (config: { [x: string]: string }) => {
       return await catalogueApplication(config)
     }
     if (!appID && !config.applicationName) {
-      config.applicationName = uuidv4()
-      return await catalogueApplication(config)
+      config.applicationName = getAppName(config.file) as string
+      // @ts-ignore
+      appID = await commonApi.returnAppId(config)
+      if (!appID) {
+        return await catalogueApplication(config)
+      }
     }
-    // @ts-ignore
-  } catch (e) {
-    // @ts-ignore
+  } catch (e: any) {
     if (e.toString().includes('tunneling socket could not be established')) {
-      // @ts-ignore
       console.log(e.message.toString())
       console.log(
         'There seems to be an issue with your proxy, please check and try again'
@@ -32,15 +29,16 @@ export const dealWithNoAppId = async (config: { [x: string]: string }) => {
   return appID
 }
 
-export const startAudit = async (config: { [key: string]: string }) => {
-  if (!config.applicationId) {
-    // @ts-ignore
-    config.applicationId = await dealWithNoAppId(config)
+export const getAppName = (file: string) => {
+  const last = file.charAt(file.length - 1)
+  if (last !== '/') {
+    return file.split('/').pop()
+  } else {
+    const str = removeLastChar(file)
+    return str.split('/').pop()
   }
-  identifyLanguageAE(
-    config.projectPath,
-    languageFactory,
-    config.applicationId,
-    config
-  )
+}
+
+const removeLastChar = (str: string) => {
+  return str.substring(0, str.length - 1)
 }

package/src/commands/audit/help.ts

@@ -13,35 +13,41 @@ const auditUsageGuide = commandLineUsage([
       '{bold ' +
         i18n.__('constantsAuditPrerequisitesContentSupportedLanguages') +
         '}',
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentJava') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentMessage'),
-      '',
-      '{italic ' + i18n.__('constantsJavaNote') + '}',
-      '{italic ' + i18n.__('constantsJavaNoteGradle') + '}',
-      '',
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentDotNet') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentDotNetMessage'),
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentLanguageNode') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentLanguageNodeMessage'),
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentLanguageRuby') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentLanguageRubyMessage'),
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentLanguagePython') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentLanguagePythonMessage')
+      i18n.__('constantsAuditPrerequisitesJavaContentMessage'),
+      i18n.__('constantsAuditPrerequisitesContentDotNetMessage'),
+      i18n.__('constantsAuditPrerequisitesContentNodeMessage'),
+      i18n.__('constantsAuditPrerequisitesContentRubyMessage'),
+      i18n.__('constantsAuditPrerequisitesContentPythonMessage'),
+      i18n.__('constantsAuditPrerequisitesContentGoMessage'),
+      i18n.__('constantsAuditPrerequisitesContentPHPMessage')
     ]
   },
   {
     header: i18n.__('constantsAuditOptions'),
-    optionList: constants.commandLineDefinitions.auditOptionDefinitions
+    optionList: constants.commandLineDefinitions.auditOptionDefinitions,
+    hide: [
+      'application-id',
+      'application-name',
+      'organization-id',
+      'api-key',
+      'authorization',
+      'host',
+      'proxy',
+      'help',
+      'ff',
+      'ignore-cert-errors',
+      'verbose',
+      'debug',
+      'experimental',
+      'tags',
+      'sub-project',
+      'code',
+      'maven-settings-path',
+      'language',
+      'experimental',
+      'app-groups',
+      'metadata'
+    ]
   }
 ])
 

package/src/commands/audit/processAudit.ts

@@ -1,19 +1,16 @@
-import { startAudit } from './auditController'
 import { getAuditConfig } from './auditConfig'
 import { auditUsageGuide } from './help'
+import { processSca } from '../scan/sca/scaAnalysis'
 
 export type parameterInput = string[]
 
 export const processAudit = async (argv: parameterInput) => {
   if (argv.indexOf('--help') != -1) {
     printHelpMessage()
-    process.exit(1)
+    process.exit(0)
   }
   const config = getAuditConfig(argv)
-
-  // console.log(config)
-
-  const auditResults = await startAudit(config)
+  await processSca(config)
 }
 
 const printHelpMessage = () => {

package/src/commands/audit/saveFile.ts

@@ -1,6 +1,10 @@
 import fs from 'fs'
 
-export default function saveFile(config: any, rawResults: any) {
-  const fileName = `${config.applicationId}-sbom-cyclonedx.json`
+export const saveFile = (config: any, type: string, rawResults: any) => {
+  const fileName = `${config.applicationId}-sbom-${type}.json`
   fs.writeFileSync(fileName, JSON.stringify(rawResults))
 }
+
+module.exports = {
+  saveFile
+}

package/src/commands/scan/processScan.js

@@ -7,7 +7,6 @@ const { processSca } = require('./sca/scaAnalysis')
 
 const processScan = async argvMain => {
   let config = scanConfig.getScanConfig(argvMain)
-  // console.log(config)
   //try SCA analysis first
   if (config.experimental) {
     await processSca(config)