npm - @contrast/contrast - Versions diffs - 1.0.7 → 1.0.10 - Mend

@contrast/contrast 1.0.7 → 1.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (196) hide show

package/dist/utils/getConfig.js CHANGED Viewed

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.setConfigValues = exports.createConfigFromYaml = exports.localConfig = void 0;
+exports.setConfigValues = exports.localConfig = void 0;
 const conf_1 = __importDefault(require("conf"));
 const localConfig = (name, version) => {
     const config = new conf_1.default({
@@ -19,11 +19,6 @@ const localConfig = (name, version) => {
     return config;
 };
 exports.localConfig = localConfig;
-const createConfigFromYaml = (yamlPath) => {
-    const yamlConfig = {};
-    return yamlConfig;
-};
-exports.createConfigFromYaml = createConfigFromYaml;
 const setConfigValues = (config, values) => {
     config.set('apiKey', values.apiKey);
     config.set('organizationId', values.orgId);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "1.0.7",
+  "version": "1.0.10",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -23,7 +23,7 @@
     "test": "jest --testPathIgnorePatterns=./test-integration/",
     "test-int": "jest ./test-integration/",
     "test-int-scan": "jest ./test-integration/scan",
-    "test-int-audit": "jest ./test-integration/audit",
+    "test-int-audit": "jest test-integration/audit/audit-int.spec.js",
     "format": "prettier --write \"**/*.{ts,tsx,js,json,md,yml}\" .eslintrc.*",
     "check-format": "prettier --check \"**/*.{ts,tsx,js,json,md,yml}\" .eslintrc.*",
     "coverage-local": "nyc --reporter=text mocha './test/**/*.spec.js'",
@@ -53,7 +53,6 @@
     "fast-glob": "^3.2.11",
     "i18n": "^0.14.2",
     "js-yaml": "^4.1.0",
-    "latest-version": "5.1.0",
     "lodash": "^4.17.21",
     "log-symbols": "^4.1.0",
     "open": "^8.4.0",

package/src/audit/catalogueApplication/catalogueApplication.js CHANGED Viewed

@@ -1,10 +1,5 @@
-const i18n = require('i18n')
 const { getHttpClient, handleResponseErrors } = require('../../utils/commonApi')
-const displaySuccessMessage = () => {
-  console.log(i18n.__('catalogueSuccessCommand'))
-}
 const catalogueApplication = async config => {
   const client = getHttpClient(config)
   let appId
@@ -14,6 +9,8 @@ const catalogueApplication = async config => {
       if (res.statusCode === 201) {
         //displaySuccessMessage(config, res.body.application.app_id)
         appId = res.body.application.app_id
+      } else if (doesMessagesContainAppId(res)) {
+        appId = tryRetrieveAppIdFromMessages(res.body.messages)
       } else {
         handleResponseErrors(res, 'catalogue')
       }
@@ -24,6 +21,31 @@ const catalogueApplication = async config => {
   return appId
 }
+const doesMessagesContainAppId = res => {
+  const regex = /(Application ID =)/
+  if (
+    res.statusCode === 400 &&
+    res.body.messages.filter(message => regex.exec(message))[0]
+  ) {
+    return true
+  }
+  return false
+}
+const tryRetrieveAppIdFromMessages = messages => {
+  let appId
+  messages.forEach(message => {
+    if (message.includes('Application ID')) {
+      appId = message.split('=')[1].replace(/\s+/g, '')
+    }
+  })
+  return appId
+}
 module.exports = {
-  catalogueApplication: catalogueApplication
+  catalogueApplication: catalogueApplication,
+  doesMessagesContainAppId,
+  tryRetrieveAppIdFromMessages
 }

package/src/audit/languageAnalysisEngine/getProjectRootFilenames.js CHANGED Viewed

@@ -1,72 +1,36 @@
 const fs = require('fs')
 const path = require('path')
 const i18n = require('i18n')
-/**
- * Will get the filenames from the project path provided to the SCA CLI tool. If
- * the project path points to a file and not a directory will return the
- * filename in the same fashion as if a directory had been read.
- *
- * Will fail and throw for a manner of reasons when doing file/directory
- * inspection.
- *
- * @param {string} projectPath - The path to a projects root directory or a
- * specific project file
- *
- * @return {string[]} List of filenames associated with a projects root
- * directory or the name of the specific project file if that was provided to
- * the 'projectPath' parameter
- *
- * @throws {Error} If the project path doesn't exist
- * @throws {Error} If the project path information can't be collected
- * @throws {Error} If a non-file or non-directory inspected
- */
-module.exports = exports = (analysis, next) => {
-  const { projectPath, languageAnalysis } = analysis
-  try {
-    languageAnalysis.projectRootFilenames = getProjectRootFilenames(projectPath)
-  } catch (err) {
-    next(err)
-    return
+const getDirectoryFromPathGiven = file => {
+  let projectStats = getProjectStats(file)
+  if (projectStats.isFile()) {
+    let newPath = path.resolve(file)
+    return path.dirname(newPath)
+  }
+  if (projectStats.isDirectory()) {
+    return file
   }
-  next()
 }
-const getProjectRootFilenames = projectPath => {
-  let projectStats = null
+const getProjectStats = file => {
   try {
-    projectStats = fs.statSync(projectPath)
+    //might not need this
+    if (file.endsWith('/')) {
+      file = file.slice(0, -1)
+    }
+    return fs.statSync(file)
   } catch (err) {
     throw new Error(
-      i18n.__('languageAnalysisProjectRootFileNameFailure', projectPath) +
+      i18n.__('languageAnalysisProjectRootFileNameFailure', file) +
         `${err.message}`
     )
   }
-  // Return the contents of a directory...
-  if (projectStats.isDirectory()) {
-    try {
-      return fs.readdirSync(projectPath)
-    } catch (err) {
-      throw new Error(
-        i18n.__('languageAnalysisProjectRootFileNameReadError', projectPath) +
-          `${err.message}`
-      )
-    }
-  }
-  // If we are working with a file return it in a list as we do when we work
-  // with a directory...
-  if (projectStats.isFile()) {
-    return [path.basename(projectPath)]
-  }
-  // Error out if we are working with something like a socket file or some
-  // other craziness...
-  throw new Error(
-    i18n.__('languageAnalysisProjectRootFileNameMissingError'),
-    projectPath
-  )
 }
-//For testing purposes
-exports.getProjectRootFilenames = getProjectRootFilenames
+module.exports = {
+  getProjectStats,
+  getDirectoryFromPathGiven: getDirectoryFromPathGiven
+}

package/src/audit/languageAnalysisEngine/report/commonReportingFunctions.ts CHANGED Viewed

@@ -9,6 +9,7 @@ import { orderBy } from 'lodash'
 import chalk from 'chalk'
 import { ReportCVEModel, ReportLibraryModel } from './models/reportLibraryModel'
 import {
+  countVulnerableLibrariesBySeverity,
   findCVESeveritiesAndOrderByHighestPriority,
   findHighestSeverityCVE,
   findNameAndVersion,
@@ -20,18 +21,23 @@ import {
   ReportOutputHeaderModel,
   ReportOutputModel
 } from './models/reportOutputModel'
+import {
+  CRITICAL_COLOUR,
+  HIGH_COLOUR,
+  LOW_COLOUR,
+  MEDIUM_COLOUR,
+  NOTE_COLOUR
+} from '../../../constants/constants'
+import Table from 'cli-table3'
-export const createLibraryHeader = (
-  id: string,
+export const createSummaryMessage = (
   numberOfVulnerableLibraries: number,
   numberOfCves: number
 ) => {
   numberOfVulnerableLibraries === 1
-    ? console.log(
-        ` Found 1 vulnerable library containing ${numberOfCves} CVE's`
-      )
+    ? console.log(`Found 1 vulnerable library containing ${numberOfCves} CVE`)
     : console.log(
-        ` Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVE's `
+        `Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVEs`
       )
 }
@@ -43,10 +49,6 @@ export const getReport = async (config: any, reportId: string) => {
       if (res.statusCode === 200) {
         return res.body
       } else {
-        console.log('config-------------------')
-        console.log(config)
-        console.log('reportId----------------')
-        console.log(reportId)
         console.log(JSON.stringify(res))
         handleResponseErrors(res, 'report')
       }
@@ -57,21 +59,35 @@ export const getReport = async (config: any, reportId: string) => {
 }
 export const printVulnerabilityResponse = (
-  vulnerabilities: ReportLibraryModel[],
-  config: any
+  config: any,
+  vulnerableLibraries: ReportLibraryModel[],
+  numberOfVulnerableLibraries: number,
+  numberOfCves: number,
+  guidance: any
 ) => {
   let hasSomeVulnerabilitiesReported = false
-  printFormattedOutput(vulnerabilities, config)
-  if (Object.keys(vulnerabilities).length > 0) {
+  printFormattedOutput(
+    config,
+    vulnerableLibraries,
+    numberOfVulnerableLibraries,
+    numberOfCves,
+    guidance
+  )
+  if (Object.keys(vulnerableLibraries).length > 0) {
     hasSomeVulnerabilitiesReported = true
   }
   return hasSomeVulnerabilitiesReported
 }
 export const printFormattedOutput = (
+  config: any,
   libraries: ReportLibraryModel[],
-  config: any
+  numberOfVulnerableLibraries: number,
+  numberOfCves: number,
+  guidance: any
 ) => {
+  createSummaryMessage(numberOfVulnerableLibraries, numberOfCves)
+  console.log()
   const report = new ReportList()
   for (const library of libraries) {
@@ -81,27 +97,61 @@ export const printFormattedOutput = (
       new ReportCompositeKey(
         name,
         version,
-        findHighestSeverityCVE(library.cveArray) as ReportSeverityModel
+        findHighestSeverityCVE(library.cveArray) as ReportSeverityModel,
+        severityCountAllCVEs(
+          library.cveArray,
+          new SeverityCountModel()
+        ).getTotal
       ),
       library.cveArray
     )
     report.reportOutputList.push(newOutputModel)
   }
-  const orderedOutputListLowestFirst = orderBy(
+  const outputOrderedByLowestSeverityAndLowestNumOfCvesFirst = orderBy(
     report.reportOutputList,
-    reportListItem => reportListItem.compositeKey.highestSeverity.priority,
-    ['desc']
+    [
+      (reportListItem: ReportModelStructure) => {
+        return reportListItem.compositeKey.highestSeverity.priority
+      },
+      (reportListItem: ReportModelStructure) => {
+        return reportListItem.compositeKey.numberOfSeverities
+      }
+    ],
+    ['asc', 'desc']
   )
   let contrastHeaderNumCounter = 0
-  for (const reportModel of orderedOutputListLowestFirst) {
+  for (const reportModel of outputOrderedByLowestSeverityAndLowestNumOfCvesFirst) {
     contrastHeaderNumCounter++
     const { libraryName, libraryVersion, highestSeverity } =
       reportModel.compositeKey
     const numOfCVEs = reportModel.cveArray.length
+    const table = new Table({
+      chars: {
+        top: '',
+        'top-mid': '',
+        'top-left': '',
+        'top-right': '',
+        bottom: '',
+        'bottom-mid': '',
+        'bottom-left': '',
+        'bottom-right': '',
+        left: '',
+        'left-mid': '',
+        mid: '',
+        'mid-mid': '',
+        right: '',
+        'right-mid': '',
+        middle: ' '
+      },
+      style: { 'padding-left': 0, 'padding-right': 0 },
+      colAligns: ['right'],
+      wordWrap: true,
+      colWidths: [12, 1, 100]
+    })
     const header = buildHeader(
       highestSeverity,
       contrastHeaderNumCounter,
@@ -110,16 +160,36 @@ export const printFormattedOutput = (
       numOfCVEs
     )
-    const body = buildBody(reportModel.cveArray)
+    const advice = gatherRemediationAdvice(guidance, reportModel)
+    const body = buildBody(reportModel.cveArray, advice)
     const reportOutputModel = new ReportOutputModel(header, body)
+    table.push(
+      reportOutputModel.body.issueMessage,
+      reportOutputModel.body.issueMessageCves,
+      reportOutputModel.body.adviceMessage
+    )
     console.log(
       reportOutputModel.header.vulnMessage,
       reportOutputModel.header.introducesMessage
     )
-    console.log(reportOutputModel.body.issueMessage)
-    console.log(reportOutputModel.body.adviceMessage)
+    console.log(table.toString() + '\n')
   }
+  createSummaryMessage(numberOfVulnerableLibraries, numberOfCves)
+  const {
+    criticalMessage,
+    highMessage,
+    mediumMessage,
+    lowMessage,
+    noteMessage
+  } = buildFooter(outputOrderedByLowestSeverityAndLowestNumOfCvesFirst)
+  console.log(
+    `${criticalMessage} | ${highMessage} | ${mediumMessage} | ${lowMessage} | ${noteMessage}`
+  )
 }
 export function buildHeader(
@@ -130,7 +200,7 @@ export function buildHeader(
   numOfCVEs: number
 ) {
   const vulnerabilityPluralised =
-    numOfCVEs > 1 ? 'Vulnerabilities' : 'Vulnerability'
+    numOfCVEs > 1 ? 'vulnerabilities' : 'vulnerability'
   const formattedHeaderNum = buildFormattedHeaderNum(contrastHeaderNum)
   const vulnMessage = chalk
@@ -139,14 +209,12 @@ export function buildHeader(
       `${formattedHeaderNum} - [${highestSeverity.severity}] ${libraryName}-${version}`
     )
-  const introducesMessage = chalk.bold(
-    `introduces ${numOfCVEs} ${vulnerabilityPluralised}`
-  )
+  const introducesMessage = `introduces ${numOfCVEs} ${vulnerabilityPluralised}`
   return new ReportOutputHeaderModel(vulnMessage, introducesMessage)
 }
-export function buildBody(cveArray: ReportCVEModel[]) {
+export function buildBody(cveArray: ReportCVEModel[], advice: any) {
   const cveMessages: string[] = []
   findCVESeveritiesAndOrderByHighestPriority(cveArray).forEach(
@@ -158,36 +226,57 @@ export function buildBody(cveArray: ReportCVEModel[]) {
         .hex(outputColour)
         .bold(`[${severity.charAt(0).toUpperCase()}]`)
-      const builtMessage = `${severityShorthand} ${cveName}`
+      const builtMessage = severityShorthand + cveName
       cveMessages.push(builtMessage)
     }
   )
   const numAndSeverityType = getNumOfAndSeverityType(cveArray)
-  const issueMessage = ` ${chalk.bold(
-    'Issue'
-  )}  : ${numAndSeverityType} ${cveMessages.join(', ')}.`
+  const issueMessage = [chalk.bold('Issue'), ':', `${numAndSeverityType}`]
-  const adviceMessage = ` ${chalk.bold('Advice')} : ${chalk.bold(
-    'Update to latest version'
-  )}.`
+  const issueMessageCves = ['', '', cveMessages.join(', ')]
-  return new ReportOutputBodyModel(issueMessage, adviceMessage)
+  //todo different advice based on remediationGuidance being available or now
+  // console.log(advice)
+  const displayAdvice = advice?.minimum
+    ? `Update to version ${chalk.bold(advice.minimum)}`
+    : `Update to latest version`
+  const adviceMessage = [chalk.bold('Advice'), ':', displayAdvice]
+  return new ReportOutputBodyModel(
+    issueMessage,
+    issueMessageCves,
+    adviceMessage
+  )
 }
-export function buildFormattedHeaderNum(contrastHeaderNum: number) {
-  let formattedHeaderNum
-  if (contrastHeaderNum < 10) {
-    formattedHeaderNum = `00${contrastHeaderNum}`
-  } else if (contrastHeaderNum >= 10 && contrastHeaderNum < 100) {
-    formattedHeaderNum = `0${contrastHeaderNum}`
-  } else if (contrastHeaderNum >= 100) {
-    formattedHeaderNum = contrastHeaderNum
+export function gatherRemediationAdvice(guidance: any, reportModel: any) {
+  const guidanceData = {
+    minimum: undefined,
+    maximum: undefined,
+    latest: undefined
+  }
+  const data =
+    guidance[
+      reportModel.compositeKey.libraryName +
+        '@' +
+        reportModel.compositeKey.libraryVersion
+    ]
+  if (data) {
+    guidanceData.minimum = data.minUpgradeVersion
+    guidanceData.maximum = data.maxUpgradeVersion
   }
-  return `CONTRAST-${formattedHeaderNum}`
+  return guidanceData
+}
+export function buildFormattedHeaderNum(contrastHeaderNum: number) {
+  return `CONTRAST-${contrastHeaderNum.toString().padStart(3, '0')}`
 }
 export function getNumOfAndSeverityType(cveArray: ReportCVEModel[]) {
@@ -207,3 +296,24 @@ export function getNumOfAndSeverityType(cveArray: ReportCVEModel[]) {
     .replace(/\s+/g, ' ')
     .trim()
 }
+const buildFooter = (reportModelStructure: ReportModelStructure[]) => {
+  const { critical, high, medium, low, note } =
+    countVulnerableLibrariesBySeverity(reportModelStructure)
+  const criticalMessage = chalk
+    .hex(CRITICAL_COLOUR)
+    .bold(`${critical} Critical`)
+  const highMessage = chalk.hex(HIGH_COLOUR).bold(`${high} High`)
+  const mediumMessage = chalk.hex(MEDIUM_COLOUR).bold(`${medium} Medium`)
+  const lowMessage = chalk.hex(LOW_COLOUR).bold(`${low} Low`)
+  const noteMessage = chalk.hex(NOTE_COLOUR).bold(`${note} Note`)
+  return {
+    criticalMessage,
+    highMessage,
+    mediumMessage,
+    lowMessage,
+    noteMessage
+  }
+}

package/src/audit/languageAnalysisEngine/report/models/reportListModel.ts CHANGED Viewed

@@ -23,14 +23,17 @@ export class ReportCompositeKey {
   libraryName!: string
   libraryVersion!: string
   highestSeverity!: ReportSeverityModel
+  numberOfSeverities!: number
   constructor(
     libraryName: string,
     libraryVersion: string,
-    highestSeverity: ReportSeverityModel
+    highestSeverity: ReportSeverityModel,
+    numberOfSeverities: number
   ) {
     this.libraryName = libraryName
     this.libraryVersion = libraryVersion
     this.highestSeverity = highestSeverity
+    this.numberOfSeverities = numberOfSeverities
   }
 }

package/src/audit/languageAnalysisEngine/report/models/reportOutputModel.ts CHANGED Viewed

@@ -19,11 +19,17 @@ export class ReportOutputHeaderModel {
 }
 export class ReportOutputBodyModel {
-  issueMessage: string
-  adviceMessage: string
+  issueMessage: string[]
+  issueMessageCves: string[]
+  adviceMessage: string[]
-  constructor(bodyIssueMessage: string, bodyAdviceMessage: string) {
-    this.issueMessage = bodyIssueMessage
-    this.adviceMessage = bodyAdviceMessage
+  constructor(
+    issueMessage: string[],
+    issueMessageCves: string[],
+    adviceMessage: string[]
+  ) {
+    this.issueMessage = issueMessage
+    this.issueMessageCves = issueMessageCves
+    this.adviceMessage = adviceMessage
   }
 }

package/src/audit/languageAnalysisEngine/report/models/severityCountModel.ts CHANGED Viewed

@@ -13,4 +13,8 @@ export class SeverityCountModel {
     this.low = 0
     this.note = 0
   }
+  get getTotal(): number {
+    return this.critical + this.high + this.medium + this.low + this.note
+  }
 }