npm - @contrast/contrast - Versions diffs - 1.0.7 → 1.0.10 - Mend

@contrast/contrast 1.0.7 → 1.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (196) hide show

package/src/audit/languageAnalysisEngine/checkIdentifiedLanguageHasProjectFile.js DELETED Viewed

@@ -1,33 +0,0 @@
-const i18n = require('i18n')
-/**
- * Checks that a single identified language in the list of languages and files
- * that has been reduced has a single project file. This is important in the
- * (uncommon) case that a project has a lock file without a project file.
- */
-module.exports = exports = (analysis, next) => {
-  const { languageAnalysis } = analysis
-  try {
-    checkIdentifiedLanguageHasProjectFile(languageAnalysis.identifiedLanguages)
-  } catch (err) {
-    next(err)
-    return
-  }
-  next()
-}
-const checkIdentifiedLanguageHasProjectFile = identifiedLanguages => {
-  // Handle the error case where only a single language has been identified...
-  if (Object.keys(identifiedLanguages).length == 1) {
-    let { projectFilenames } = Object.values(identifiedLanguages)[0]
-    // ...but no project files for that language have been found
-    if (projectFilenames.length == 0) {
-      const [language] = Object.keys(identifiedLanguages)
-      throw new Error(i18n.__('languageAnalysisProjectFileError', language))
-    }
-  }
-}
-//For testing purposes
-exports.checkIdentifiedLanguageHasProjectFile =
-  checkIdentifiedLanguageHasProjectFile

package/src/audit/languageAnalysisEngine/constants.js DELETED Viewed

@@ -1,23 +0,0 @@
-// Language identifiers
-const NODE = 'NODE'
-const JAVASCRIPT = 'JAVASCRIPT'
-const DOTNET = 'DOTNET'
-const JAVA = 'JAVA'
-const RUBY = 'RUBY'
-const PYTHON = 'PYTHON'
-const GO = 'GO'
-// we set the langauge as Node instead of PHP since we're using the Node engine in TS
-const PHP = 'PHP'
-const LOW = 'LOW'
-const MEDIUM = 'MEDIUM'
-const HIGH = 'HIGH'
-const CRITICAL = 'CRITICAL'
-module.exports = {
-  supportedLanguages: { NODE, DOTNET, JAVA, RUBY, PYTHON, GO, PHP, JAVASCRIPT },
-  LOW: LOW,
-  MEDIUM: MEDIUM,
-  HIGH: HIGH,
-  CRITICAL: CRITICAL
-}

package/src/audit/languageAnalysisEngine/getIdentifiedLanguageInfo.js DELETED Viewed

@@ -1,41 +0,0 @@
-const path = require('path')
-/**
- * Assemble analysis results into a common object to provide
- * language, project file name and paths
- */
-module.exports = exports = (analysis, next) => {
-  const { projectPath, languageAnalysis } = analysis
-  languageAnalysis.identifiedLanguageInfo = getIdentifiedLanguageInfo(
-    projectPath,
-    languageAnalysis.identifiedLanguages
-  )
-  next()
-}
-const getIdentifiedLanguageInfo = (projectPath, identifiedLanguages) => {
-  const [language] = Object.keys(identifiedLanguages)
-  const {
-    projectFilenames: [projectFilename],
-    lockFilenames: [lockFilename]
-  } = Object.values(identifiedLanguages)[0]
-  let identifiedLanguageInfo = {
-    language,
-    projectFilename,
-    projectFilePath: path.join(projectPath, projectFilename)
-  }
-  if (lockFilename) {
-    identifiedLanguageInfo = {
-      ...identifiedLanguageInfo,
-      lockFilename,
-      lockFilePath: path.join(projectPath, lockFilename)
-    }
-  }
-  return identifiedLanguageInfo
-}
-//For testing purposes
-exports.getIdentifiedLanguageInfo = getIdentifiedLanguageInfo

package/src/audit/languageAnalysisEngine/index.js DELETED Viewed

@@ -1,45 +0,0 @@
-const AnalysisEngine = require('./../AnalysisEngine')
-const i18n = require('i18n')
-const getProjectRootFilenames = require('./getProjectRootFilenames')
-const reduceIdentifiedLanguages = require('./reduceIdentifiedLanguages')
-const checkForMultipleIdentifiedLanguages = require('./checkForMultipleIdentifiedLanguages')
-const checkForMultipleIdentifiedProjectFiles = require('./checkForMultipleIdentifiedProjectFiles')
-const checkIdentifiedLanguageHasProjectFile = require('./checkIdentifiedLanguageHasProjectFile')
-const checkIdentifiedLanguageHasLockFile = require('./checkIdentifiedLanguageHasLockFile')
-const getIdentifiedLanguageInfo = require('./getIdentifiedLanguageInfo')
-const { libraryAnalysisError } = require('../../common/errorHandling')
-module.exports = exports = (projectPath, callback, appId, config) => {
-  // Create an analysis engine to identify the project language
-  const ae = new AnalysisEngine({
-    projectPath,
-    appId,
-    languageAnalysis: { appId: appId },
-    config
-  })
-  ae.use([
-    getProjectRootFilenames,
-    reduceIdentifiedLanguages,
-    checkForMultipleIdentifiedLanguages,
-    checkForMultipleIdentifiedProjectFiles,
-    checkIdentifiedLanguageHasProjectFile,
-    checkIdentifiedLanguageHasLockFile,
-    getIdentifiedLanguageInfo
-  ])
-  ae.analyze((err, analysis) => {
-    if (err) {
-      console.log(
-        '*******************' +
-          i18n.__('languageAnalysisFailureMessage') +
-          '****************'
-      )
-      console.error(`${err.message}`)
-      libraryAnalysisError()
-      process.exit(1)
-    }
-    callback(null, analysis)
-  })
-}

package/src/audit/languageAnalysisEngine/languageAnalysisFactory.js DELETED Viewed

@@ -1,124 +0,0 @@
-const {
-  supportedLanguages: { DOTNET, NODE, JAVA, RUBY, PYTHON, GO, PHP }
-} = require('../languageAnalysisEngine/constants')
-const i18n = require('i18n')
-const dotnetAE = require('../dotnetAnalysisEngine')
-const nodeAE = require('../nodeAnalysisEngine')
-const javaAE = require('../javaAnalysisEngine')
-const rubyAE = require('../rubyAnalysisEngine')
-const pythonAE = require('../pythonAnalysisEngine')
-const phpAE = require('../phpAnalysisEngine')
-const goAE = require('../goAnalysisEngine')
-const { vulnerabilityReport } = require('./report/reportingFeature')
-const { newSendSnapShot } = require('../languageAnalysisEngine/sendSnapshot')
-const fs = require('fs')
-const chalk = require('chalk')
-const saveFile = require('../../commands/audit/saveFile').default
-const generateSbom = require('../../sbom/generateSbom').default
-const {
-  failSpinner,
-  returnOra,
-  startSpinner,
-  succeedSpinner
-} = require('../../utils/oraWrapper')
-const { pollForSnapshotCompletition } = require('./sendSnapshot')
-module.exports = exports = (err, analysis) => {
-  const { identifiedLanguageInfo } = analysis.languageAnalysis
-  const catalogueAppId = analysis.languageAnalysis.appId
-  if (err) {
-    console.error(err)
-    return
-  }
-  // this callback is the end of the chain
-  const langCallback = async (err, analysis) => {
-    const config = analysis.config
-    if (err) {
-      console.log()
-      console.log(
-        '***********' +
-          i18n.__('languageAnalysisFactoryFailureHeader') +
-          '****************'
-      )
-      console.log(identifiedLanguageInfo.language)
-      console.log()
-      console.error(
-        `${identifiedLanguageInfo.language}` +
-          i18n.__('languageAnalysisFailure') +
-          err
-      )
-      return process.exit(5)
-    }
-    const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
-    startSpinner(reportSpinner)
-    const snapshotResponse = await newSendSnapShot(analysis, catalogueAppId)
-    //poll for completion
-    const pollResult = await pollForSnapshotCompletition(
-      analysis.config,
-      snapshotResponse.id,
-      reportSpinner
-    )
-    succeedSpinner(reportSpinner, 'Contrast SCA analysis complete')
-    await vulnerabilityReport(analysis, catalogueAppId, snapshotResponse.id)
-    //should be moved to processAudit.ts once promises implemented
-    await auditSave(config)
-  }
-  if (identifiedLanguageInfo.language === DOTNET) {
-    dotnetAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-  if (identifiedLanguageInfo.language === NODE) {
-    nodeAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-  if (identifiedLanguageInfo.language === JAVA) {
-    javaAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-  if (identifiedLanguageInfo.language === RUBY) {
-    rubyAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-  if (identifiedLanguageInfo.language === PYTHON) {
-    pythonAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-  if (identifiedLanguageInfo.language === PHP) {
-    phpAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-  if (identifiedLanguageInfo.language === GO) {
-    goAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-}
-async function auditSave(config) {
-  //should be moved to processAudit.ts once promises implemented
-  if (config.save) {
-    if (config.save.toLowerCase() === 'sbom') {
-      saveFile(config, await generateSbom(config))
-      const filename = `${config.applicationId}-sbom-cyclonedx.json`
-      if (fs.existsSync(filename)) {
-        console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`)
-      } else {
-        console.log(
-          chalk.yellow.bold(
-            `\n Unable to save ${filename} Software Bill of Materials (SBOM)`
-          )
-        )
-      }
-    } else {
-      console.log(i18n.__('auditBadFiletypeSpecifiedForSave'))
-    }
-  } else if (config.save === null) {
-    console.log(i18n.__('auditNoFiletypeSpecifiedForSave'))
-  }
-}

package/src/audit/languageAnalysisEngine/reduceIdentifiedLanguages.js DELETED Viewed

@@ -1,250 +0,0 @@
-const {
-  supportedLanguages: { NODE, DOTNET, JAVA, RUBY, PYTHON, GO, PHP, JAVASCRIPT }
-} = require('./constants')
-const i18n = require('i18n')
-const DOT_NET_PROJECT_FILE_REGEX = /.+\.csproj$/
-const DOT_NET_LOCK_FILENAME = 'packages.lock.json'
-const isDotNetProjectFilename = filename =>
-  filename.search(DOT_NET_PROJECT_FILE_REGEX) !== -1
-const isDotNetLockFilename = filename => filename === DOT_NET_LOCK_FILENAME
-function isJavaMavenProjectFilename(filename) {
-  return filename === 'pom.xml'
-}
-function isJavaGradleProjectFilename(filename) {
-  return filename === 'build.gradle' || filename === 'build.gradle.kts'
-}
-const isRubyProjectFilename = filename => filename === 'Gemfile'
-const isNodeProjectFilename = filename => filename === 'package.json'
-const isPythonProjectFilename = filename =>
-  filename === 'requirements.txt' || filename === 'Pipfile'
-const isPhpProjectFilename = filename => filename === 'composer.json'
-const isPhpLockFilename = filename => filename === 'composer.lock'
-function isNodeLockFilename(filename) {
-  return filename === 'package-lock.json' || filename === 'yarn.lock'
-}
-const isRubyLockFilename = filename => filename === 'Gemfile.lock'
-const isPipfileLockLockFilename = filename => filename === 'Pipfile.lock'
-const isGoProjectFilename = filename => filename === 'go.mod'
-const deduceLanguageScaAnalysis = filenames => {
-  const deducedLanguages = []
-  let language = ''
-  filenames.forEach(filename => {
-    // Check for project filenames...
-    if (isJavaMavenProjectFilename(filename)) {
-      deducedLanguages.push(filename)
-      language = JAVA
-    }
-    if (isJavaGradleProjectFilename(filename)) {
-      deducedLanguages.push(filename)
-      language = JAVA
-    }
-    if (isNodeProjectFilename(filename)) {
-      deducedLanguages.push(filename)
-      language = NODE
-    }
-    //
-    // if (isDotNetProjectFilename(filename)) {
-    //   deducedLanguages.push({language: DOTNET, projectFilename: filename})
-    // }
-    //
-    if (isRubyProjectFilename(filename)) {
-      deducedLanguages.push(filename)
-      language = RUBY
-    }
-    //
-    if (isPythonProjectFilename(filename)) {
-      deducedLanguages.push(filename)
-      language = PYTHON
-    }
-    //
-    // if (isPhpProjectFilename(filename)) {
-    //   deducedLanguages.push({language: PHP, projectFilename: filename})
-    // }
-    //
-    // // Check for lock filenames...
-    // if (isDotNetLockFilename(filename)) {
-    //   deducedLanguages.push({language: DOTNET, lockFilename: filename})
-    // }
-    //
-    if (isNodeLockFilename(filename)) {
-      deducedLanguages.push(filename)
-      language = NODE
-    }
-    //
-    // if (isRubyLockFilename(filename)) {
-    //   deducedLanguages.push({language: RUBY, lockFilename: filename})
-    // }
-    //
-    // // this is pipfileLock rather than python lock as there can be different python locks
-    // if (isPipfileLockLockFilename(filename)) {
-    //   deducedLanguages.push({language: PYTHON, lockFilename: filename})
-    // }
-    //
-    // if (isPhpLockFilename(filename)) {
-    //   deducedLanguages.push({language: PHP, lockFilename: filename})
-    // }
-    //
-    // go does not have a lockfile, it should have a go.mod file containing the modules
-    if (isGoProjectFilename(filename)) {
-      deducedLanguages.push({ language: GO, projectFilename: filename })
-      language = GO
-    }
-  })
-  let identifiedLanguages = { [language]: deducedLanguages }
-  return identifiedLanguages
-}
-const deduceLanguage = filename => {
-  const deducedLanguages = []
-  // In theory there shouldn't be multiple languages supported for a single
-  // project filename or lock filename but to protect ourselves and consumers we
-  // will try to detect it
-  // Check for project filenames...
-  if (isJavaMavenProjectFilename(filename)) {
-    deducedLanguages.push({ language: JAVA, projectFilename: filename })
-  }
-  if (isJavaGradleProjectFilename(filename)) {
-    deducedLanguages.push({ language: JAVA, projectFilename: filename })
-  }
-  if (isNodeProjectFilename(filename)) {
-    deducedLanguages.push({ language: NODE, projectFilename: filename })
-  }
-  if (isDotNetProjectFilename(filename)) {
-    deducedLanguages.push({ language: DOTNET, projectFilename: filename })
-  }
-  if (isRubyProjectFilename(filename)) {
-    deducedLanguages.push({ language: RUBY, projectFilename: filename })
-  }
-  if (isPythonProjectFilename(filename)) {
-    deducedLanguages.push({ language: PYTHON, projectFilename: filename })
-  }
-  if (isPhpProjectFilename(filename)) {
-    deducedLanguages.push({ language: PHP, projectFilename: filename })
-  }
-  // Check for lock filenames...
-  if (isDotNetLockFilename(filename)) {
-    deducedLanguages.push({ language: DOTNET, lockFilename: filename })
-  }
-  if (isNodeLockFilename(filename)) {
-    deducedLanguages.push({ language: NODE, lockFilename: filename })
-  }
-  if (isRubyLockFilename(filename)) {
-    deducedLanguages.push({ language: RUBY, lockFilename: filename })
-  }
-  // this is pipfileLock rather than python lock as there can be different python locks
-  if (isPipfileLockLockFilename(filename)) {
-    deducedLanguages.push({ language: PYTHON, lockFilename: filename })
-  }
-  if (isPhpLockFilename(filename)) {
-    deducedLanguages.push({ language: PHP, lockFilename: filename })
-  }
-  // go does not have a lockfile, it should have a go.mod file containing the modules
-  if (isGoProjectFilename(filename)) {
-    deducedLanguages.push({ language: GO, projectFilename: filename })
-  }
-  return deducedLanguages
-}
-const reduceIdentifiedLanguages = identifiedLanguages =>
-  identifiedLanguages.reduce((accumulator, identifiedLanguageInfo) => {
-    const { language, projectFilename, lockFilename } = identifiedLanguageInfo
-    // Add an entry to our map for an identified language (and its filename)
-    // if we haven't accumulated it yet. Otherwise simply add the filename to the
-    // existing list.
-    if (!(language in accumulator)) {
-      accumulator[language] = { projectFilenames: [], lockFilenames: [] }
-    }
-    if (projectFilename) {
-      accumulator[language].projectFilenames.push(projectFilename)
-    } else {
-      accumulator[language].lockFilenames.push(lockFilename)
-    }
-    return accumulator
-  }, {})
-/**
- * Look at each filename and using a heuristic see if we can determine that it
- * specifies a specific language
- */
-module.exports = exports = (analysis, next) => {
-  const { projectPath, languageAnalysis, config } = analysis
-  let identifiedLanguages = languageAnalysis.projectRootFilenames.reduce(
-    (accumulator, filename) => {
-      const deducedLanguages = deduceLanguage(filename)
-      return [...accumulator, ...deducedLanguages]
-    },
-    []
-  )
-  if (Object.keys(identifiedLanguages).length === 0) {
-    next(new Error(i18n.__('languageAnalysisNoLanguage', projectPath)))
-    return
-  }
-  let language = config.language
-  if (language === undefined) {
-    languageAnalysis.identifiedLanguages =
-      reduceIdentifiedLanguages(identifiedLanguages)
-  } else {
-    let refinedIdentifiedLanguages = []
-    for (let x in identifiedLanguages) {
-      if (
-        identifiedLanguages[x].language === language.toUpperCase() ||
-        (identifiedLanguages[x].language === NODE &&
-          language.toUpperCase() === JAVASCRIPT)
-      ) {
-        refinedIdentifiedLanguages.push(identifiedLanguages[x])
-      }
-    }
-    //languages found do not meet that supplied by the user
-    if (refinedIdentifiedLanguages.length === 0) {
-      console.log(`Could not detect language as specified: ${config.language}`)
-      process.exit(1)
-    }
-    languageAnalysis.identifiedLanguages = reduceIdentifiedLanguages(
-      refinedIdentifiedLanguages
-    )
-  }
-  next()
-}
-//For testing purposes
-exports.isJavaMavenProjectFilename = isJavaMavenProjectFilename
-exports.isJavaGradleProjectFilename = isJavaGradleProjectFilename
-exports.isNodeProjectFilename = isNodeProjectFilename
-exports.isDotNetProjectFilename = isDotNetProjectFilename
-exports.isDotNetLockFilename = isDotNetLockFilename
-exports.isGoProjectFilename = isGoProjectFilename
-exports.isPhpProjectFilename = isPhpProjectFilename
-exports.isPhpLockFilename = isPhpLockFilename
-exports.deduceLanguage = deduceLanguage
-exports.reduceIdentifiedLanguages = reduceIdentifiedLanguages
-exports.deduceLanguageScaAnalysis = deduceLanguageScaAnalysis

package/src/audit/nodeAnalysisEngine/handleNPMLockFileV2.js DELETED Viewed

@@ -1,49 +0,0 @@
-const i18n = require('i18n')
-module.exports = exports = (analysis, next) => {
-  const {
-    language: { lockFilePath },
-    node
-  } = analysis
-  try {
-    if (node.npmLockFile && node.npmLockFile.lockfileVersion > 1) {
-      const listOfTopDep = Object.keys(node.npmLockFile.dependencies)
-      Object.entries(node.npmLockFile.dependencies).forEach(([key, value]) => {
-        if (value.requires) {
-          const listOfRequiresDep = Object.keys(value.requires)
-          listOfRequiresDep.forEach(dep => {
-            if (!listOfTopDep.includes(dep)) {
-              addDepToLockFile(value['requires'], dep)
-            }
-          })
-        }
-        if (value.dependencies) {
-          Object.entries(value.dependencies).forEach(
-            ([childKey, childValue]) => {
-              if (childValue.requires) {
-                const listOfRequiresDep = Object.keys(childValue.requires)
-                listOfRequiresDep.forEach(dep => {
-                  if (!listOfTopDep.includes(dep)) {
-                    addDepToLockFile(childValue['requires'], dep)
-                  }
-                })
-              }
-            }
-          )
-        }
-      })
-    }
-  } catch (err) {
-    next(
-      next(new Error(i18n.__('NodeParseNPM', lockFilePath) + `${err.message}`))
-    )
-    return
-  }
-  function addDepToLockFile(depObj, key) {
-    node.npmLockFile.dependencies[key] = { version: depObj[key] }
-  }
-  next()
-}

package/src/audit/nodeAnalysisEngine/index.js DELETED Viewed

@@ -1,35 +0,0 @@
-const AnalysisEngine = require('../AnalysisEngine')
-const readProjectFileContents = require('./readProjectFileContents')
-const readNPMLockFileContents = require('./readNPMLockFileContents')
-const parseNPMLockFileContents = require('./parseNPMLockFileContents')
-const readYarnLockFileContents = require('./readYarnLockFileContents')
-const parseYarnLockFileContents = require('./parseYarnLockFileContents')
-const parseYarn2LockFileContents = require('./parseYarn2LockFileContents')
-const handleNPMLockFileV2 = require('./handleNPMLockFileV2')
-const sanitizer = require('./sanitizer')
-const i18n = require('i18n')
-module.exports = exports = (language, config, callback) => {
-  const ae = new AnalysisEngine({ language, config, node: {} })
-  ae.use([
-    readProjectFileContents,
-    readNPMLockFileContents,
-    parseNPMLockFileContents,
-    readYarnLockFileContents,
-    parseYarnLockFileContents,
-    parseYarn2LockFileContents,
-    handleNPMLockFileV2,
-    sanitizer
-  ])
-  ae.analyze((err, analysis) => {
-    if (err) {
-      callback(new Error(i18n.__('NodeAnalysisFailure') + `${err.message}`))
-      return
-    }
-    callback(null, analysis)
-  })
-}

package/src/audit/nodeAnalysisEngine/parseNPMLockFileContents.js DELETED Viewed

@@ -1,20 +0,0 @@
-const i18n = require('i18n')
-module.exports = exports = ({ language: { lockFilePath }, node }, next) => {
-  // If we never read the package-lock file then pass priority
-  if (node.rawLockFileContents === undefined) {
-    next()
-  } else {
-    try {
-      node.npmLockFile = JSON.parse(node.rawLockFileContents)
-    } catch (err) {
-      next(
-        new Error(
-          i18n.__('NodeParseNPM', lockFilePath ? lockFilePath : 'undefined') +
-            `${err.message}`
-        )
-      )
-      return
-    }
-    next()
-  }
-}

package/src/audit/nodeAnalysisEngine/parseYarnLockFileContents.js DELETED Viewed

@@ -1,26 +0,0 @@
-const yarnParser = require('@yarnpkg/lockfile')
-const i18n = require('i18n')
-module.exports = exports = ({ language: { lockFilename }, node }, next) => {
-  // If we never read the lock file then pass priority
-  if (node.rawYarnLockFileContents === undefined || node.yarnVersion === 2) {
-    next()
-  } else {
-    try {
-      node.yarnLockFile = yarnParser.parse(node.rawYarnLockFileContents)
-    } catch (err) {
-      next(
-        new Error(
-          i18n.__(
-            'NodeParseYarn',
-            lockFilename.lockFilePath ? lockFilename.lockFilePath : 'undefined'
-          ) + `${err.message}`
-        )
-      )
-      return
-    }
-    next()
-  }
-}

package/src/audit/nodeAnalysisEngine/readNPMLockFileContents.js DELETED Viewed

@@ -1,23 +0,0 @@
-const fs = require('fs')
-const i18n = require('i18n')
-module.exports = exports = ({ language: { lockFilePath }, node }, next) => {
-  // check if the lockFilename is populated and if it is check to
-  // see if it has the package-lock if not then go on to next handler
-  if (!lockFilePath || !lockFilePath.includes('package-lock.json')) {
-    next()
-    return
-  }
-  try {
-    node.rawLockFileContents = fs.readFileSync(lockFilePath)
-  } catch (err) {
-    next(
-      new Error(i18n.__('NodeReadNpmError', lockFilePath) + `${err.message}`)
-    )
-    return
-  }
-  next()
-}