npm - @contrast/contrast - Versions diffs - 1.0.7 → 1.0.10 - Mend

@contrast/contrast 1.0.7 → 1.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (196) hide show

package/src/audit/languageAnalysisEngine/report/reportingFeature.ts CHANGED Viewed

@@ -1,56 +1,110 @@
 import {
-  createLibraryHeader,
   getReport,
   printVulnerabilityResponse
 } from './commonReportingFunctions'
 import {
-  convertGenericToTypedLibraries,
+  convertGenericToTypedLibraryVulns,
   severityCountAllLibraries
 } from './utils/reportUtils'
+import i18n from 'i18n'
+import chalk from 'chalk'
+import * as constants from '../../../constants/constants'
-export async function vulnerabilityReport(
-  analysis: any,
-  applicationId: string,
-  reportId: string
-) {
-  const reportResponse = await getReport(analysis.config, reportId)
+export function convertKeysToStandardFormat(config: any, guidance: any) {
+  let convertedGuidance = guidance
-  if (reportResponse !== undefined) {
-    const id = applicationId
-    const name = analysis.config.applicationName
-    formatVulnerabilityOutput(
-      reportResponse.vulnerabilities,
-      id,
-      name,
-      analysis.config
-    )
+  switch (config.language) {
+    case constants.supportedLanguages.JAVA:
+    case constants.supportedLanguages.GO:
+    case constants.supportedLanguages.PHP:
+      break
+    case constants.supportedLanguages.NODE:
+    case constants.supportedLanguages.DOTNET:
+    case constants.supportedLanguages.PYTHON:
+    case constants.supportedLanguages.RUBY:
+      convertedGuidance = convertJSDotNetPython(guidance)
+      break
   }
+  return convertedGuidance
+}
+export function convertJSDotNetPython(guidance: any) {
+  const returnObject = {}
+  Object.entries(guidance).forEach(([key, value]) => {
+    const splitKey = key.split('/')
+    if (splitKey.length === 2) {
+      // @ts-ignore
+      returnObject[splitKey[1]] = value
+    }
+  })
+  return returnObject
 }
 export function formatVulnerabilityOutput(
   libraryVulnerabilityResponse: any,
   id: string,
-  name: string,
-  config: any
+  config: any,
+  remediationGuidance: any
 ) {
-  const vulnerableLibraries = convertGenericToTypedLibraries(
+  const vulnerableLibraries = convertGenericToTypedLibraryVulns(
     libraryVulnerabilityResponse
   )
+  const guidance = convertKeysToStandardFormat(config, remediationGuidance)
   const numberOfVulnerableLibraries = vulnerableLibraries.length
-  let numberOfCves = 0
-  vulnerableLibraries.forEach(lib => (numberOfCves += lib.cveArray.length))
-  createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves)
+  if (numberOfVulnerableLibraries === 0) {
+    console.log(i18n.__('scanNoVulnerabilitiesFound'))
+    console.log(i18n.__('scanNoVulnerabilitiesFoundSecureCode'))
+    console.log(i18n.__('scanNoVulnerabilitiesFoundGoodWork'))
+    console.log(
+      chalk.bold(`Found ${numberOfVulnerableLibraries} vulnerabilities`)
+    )
+    console.log(
+      i18n.__(
+        'foundDetailedVulnerabilities',
+        String(0),
+        String(0),
+        String(0),
+        String(0),
+        String(0)
+      )
+    )
+  } else {
+    let numberOfCves = 0
+    vulnerableLibraries.forEach(lib => (numberOfCves += lib.cveArray.length))
+    const hasSomeVulnerabilitiesReported = printVulnerabilityResponse(
+      config,
+      vulnerableLibraries,
+      numberOfVulnerableLibraries,
+      numberOfCves,
+      guidance
+    )
-  const hasSomeVulnerabilitiesReported = printVulnerabilityResponse(
-    vulnerableLibraries,
-    config
-  )
+    return [
+      hasSomeVulnerabilitiesReported,
+      numberOfCves,
+      severityCountAllLibraries(vulnerableLibraries)
+    ]
+  }
+}
+export async function vulnerabilityReportV2(config: any, reportId: string) {
+  console.log()
+  const reportResponse = await getReport(config, reportId)
-  return [
-    hasSomeVulnerabilitiesReported,
-    numberOfCves,
-    severityCountAllLibraries(vulnerableLibraries)
-  ]
+  if (reportResponse !== undefined) {
+    const name = config.applicationName
+    formatVulnerabilityOutput(
+      reportResponse.vulnerabilities,
+      config.applicationId,
+      config,
+      reportResponse.remediationGuidance
+        ? reportResponse.remediationGuidance
+        : {}
+    )
+  }
 }

package/src/audit/languageAnalysisEngine/report/utils/reportUtils.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import {
   ReportLibraryModel
 } from '../models/reportLibraryModel'
 import { ReportSeverityModel } from '../models/reportSeverityModel'
-import languageAnalysisEngine from '../../../languageAnalysisEngine/constants'
+import languageAnalysisEngine from './../../../../constants/constants'
 import {
   CRITICAL_COLOUR,
   CRITICAL_PRIORITY,
@@ -18,6 +18,7 @@ import {
 } from '../../../../constants/constants'
 import { orderBy } from 'lodash'
 import { SeverityCountModel } from '../models/severityCountModel'
+import { ReportModelStructure } from '../models/reportListModel'
 const {
   supportedLanguages: { GO }
 } = languageAnalysisEngine
@@ -67,7 +68,7 @@ export function findCVESeverity(cve: ReportCVEModel) {
   }
 }
-export function convertGenericToTypedLibraries(libraries: any) {
+export function convertGenericToTypedLibraryVulns(libraries: any) {
   return Object.entries(libraries).map(([name, cveArray]) => {
     return new ReportLibraryModel(name, cveArray as ReportCVEModel[])
   })
@@ -122,11 +123,49 @@ export function findNameAndVersion(library: ReportLibraryModel, config: any) {
     return { name, version }
   } else {
-    const splitLibraryName = library.name.split('/')
-    const nameVersion = splitLibraryName[1].split('@')
-    const name = nameVersion[0]
+    //spreads items from split into set so no duplicates appear
+    const uniqueSplitLibraryName = [...new Set(library.name.split('/'))]
+    const nameVersion = uniqueSplitLibraryName[1].split('@')
+    let parentLibrary
+    let name
+    if (
+      uniqueSplitLibraryName[0] !== 'null' &&
+      uniqueSplitLibraryName[0] !== '' &&
+      !uniqueSplitLibraryName[1].includes(uniqueSplitLibraryName[0])
+    ) {
+      //if the parent lib (element 0) is not null, not blank and not already part of the library name
+      //e.g. shared-ini-file-loader-1.0.0-rc.3 is very generic - converts to @aws-sdk/shared-ini-file-loader-1.0.0-rc.3
+      parentLibrary = uniqueSplitLibraryName[0]
+      name = `${parentLibrary}/${nameVersion[0]}`
+    } else {
+      name = nameVersion[0]
+    }
     const version = nameVersion[1]
     return { name, version }
   }
 }
+export function countVulnerableLibrariesBySeverity(
+  reportModelStructure: ReportModelStructure[]
+) {
+  const severityCount = new SeverityCountModel()
+  reportModelStructure.forEach(vuln => {
+    const currentSeverity = vuln.compositeKey.highestSeverity.severity
+    if (currentSeverity === 'CRITICAL') {
+      severityCount.critical += 1
+    } else if (currentSeverity === 'HIGH') {
+      severityCount.high += 1
+    } else if (currentSeverity === 'MEDIUM') {
+      severityCount.medium += 1
+    } else if (currentSeverity === 'LOW') {
+      severityCount.low += 1
+    } else if (currentSeverity === 'NOTE') {
+      severityCount.note += 1
+    }
+  })
+  return severityCount
+}

package/src/audit/languageAnalysisEngine/sendSnapshot.js CHANGED Viewed

@@ -1,5 +1,3 @@
-const { handleResponseErrors } = require('../../common/errorHandling')
-const { APP_VERSION } = require('../../constants/constants')
 const commonApi = require('../../utils/commonApi')
 const _ = require('lodash')
 const oraFunctions = require('../../utils/oraWrapper')
@@ -8,30 +6,6 @@ const oraWrapper = require('../../utils/oraWrapper')
 const requestUtils = require('../../utils/requestUtils')
 const { performance } = require('perf_hooks')
-const newSendSnapShot = async analysis => {
-  const analysisLanguage = analysis.config.language.toLowerCase()
-  const requestBody = {
-    appID: analysis.config.applicationId,
-    cliVersion: APP_VERSION,
-    snapshot: { [analysisLanguage]: analysis[analysisLanguage] }
-  }
-  const client = commonApi.getHttpClient(analysis.config)
-  return client
-    .sendSnapshot(requestBody, analysis.config)
-    .then(res => {
-      if (res.statusCode === 201) {
-        return res.body
-      } else {
-        handleResponseErrors(res, 'snapshot')
-      }
-    })
-    .catch(err => {
-      console.log(err)
-    })
-}
 const pollSnapshotResults = async (config, snapshotId, client) => {
   await requestUtils.sleep(5000)
   return client
@@ -49,9 +23,9 @@ const getTimeout = config => {
     return config.timeout
   } else {
     if (config.verbose) {
-      console.log('Timeout set to 2 minutes')
+      console.log('Timeout set to 5 minutes')
     }
-    return 120
+    return 300
   }
 }
@@ -91,16 +65,16 @@ const pollForSnapshotCompletition = async (
       if (requestUtils.millisToSeconds(endTime) > timeout) {
         oraFunctions.failSpinner(
           reportSpinner,
-          'Contrast audit timed out at the specified ' + timeout + ' seconds.'
+          'Contrast audit timed out at the specified timeout of ' +
+            timeout +
+            ' seconds.'
         )
-        console.log('Please try again, allowing more time.')
-        process.exit(1)
+        throw new Error('You can update the timeout using --timeout')
       }
     }
   }
 }
 module.exports = {
-  newSendSnapShot: newSendSnapShot,
   pollForSnapshotCompletition: pollForSnapshotCompletition
 }

package/src/audit/save.js ADDED Viewed

@@ -0,0 +1,48 @@
+const fs = require('fs')
+const i18n = require('i18n')
+const chalk = require('chalk')
+const save = require('../commands/audit/saveFile')
+const sbom = require('../sbom/generateSbom')
+const {
+  SBOM_CYCLONE_DX_FILE,
+  SBOM_SPDX_FILE
+} = require('../constants/constants')
+async function auditSave(config) {
+  let fileFormat
+  switch (config.save) {
+    case null:
+    case SBOM_CYCLONE_DX_FILE:
+      fileFormat = SBOM_CYCLONE_DX_FILE
+      break
+    case SBOM_SPDX_FILE:
+      fileFormat = SBOM_SPDX_FILE
+      break
+    default:
+      break
+  }
+  if (fileFormat) {
+    save.saveFile(
+      config,
+      fileFormat,
+      await sbom.generateSbom(config, fileFormat)
+    )
+    const filename = `${config.applicationId}-sbom-${fileFormat}.json`
+    if (fs.existsSync(filename)) {
+      console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`)
+    } else {
+      console.log(
+        chalk.yellow.bold(
+          `\n Unable to save ${filename} Software Bill of Materials (SBOM)`
+        )
+      )
+    }
+  } else {
+    console.log(i18n.__('auditBadFiletypeSpecifiedForSave'))
+  }
+}
+module.exports = {
+  auditSave
+}

package/src/commands/audit/auditConfig.ts CHANGED Viewed

@@ -1,15 +1,6 @@
 import paramHandler from '../../utils/paramsUtil/paramHandler'
 import constants from '../../constants'
 import cliOptions from '../../utils/parsedCLIOptions'
-import languageAnalysisEngine from '../../audit/languageAnalysisEngine/constants'
-import {
-  determineProjectLanguage,
-  identifyLanguages
-} from '../../audit/autodetection/autoDetectLanguage'
-const {
-  supportedLanguages: { NODE, JAVASCRIPT }
-} = languageAnalysisEngine
 export const getAuditConfig = (argv: string[]): { [key: string]: string } => {
   const auditParameters = cliOptions.getCommandLineArgsCustom(
@@ -18,22 +9,6 @@ export const getAuditConfig = (argv: string[]): { [key: string]: string } => {
   )
   const paramsAuth = paramHandler.getAuth(auditParameters)
-  if (
-    auditParameters.language === undefined ||
-    auditParameters.language === null
-  ) {
-    try {
-      auditParameters.language = determineProjectLanguage(
-        identifyLanguages(auditParameters)
-      )
-    } catch (err: any) {
-      console.log(err.message)
-      process.exit(1)
-    }
-  } else if (auditParameters.language.toUpperCase() === JAVASCRIPT) {
-    auditParameters.language = NODE.toLowerCase()
-  }
   // @ts-ignore
   return { ...paramsAuth, ...auditParameters }
 }

package/src/commands/audit/auditController.ts CHANGED Viewed

@@ -1,10 +1,6 @@
 import { catalogueApplication } from '../../audit/catalogueApplication/catalogueApplication'
 import commonApi from '../../audit/languageAnalysisEngine/commonApi'
-const identifyLanguageAE = require('./../../audit/languageAnalysisEngine')
-const languageFactory = require('../../audit/languageAnalysisEngine/languageAnalysisFactory')
-const { v4: uuidv4 } = require('uuid')
 export const dealWithNoAppId = async (config: { [x: string]: string }) => {
   let appID: string
   try {
@@ -14,14 +10,15 @@ export const dealWithNoAppId = async (config: { [x: string]: string }) => {
       return await catalogueApplication(config)
     }
     if (!appID && !config.applicationName) {
-      config.applicationName = uuidv4()
-      return await catalogueApplication(config)
+      config.applicationName = getAppName(config.file) as string
+      // @ts-ignore
+      appID = await commonApi.returnAppId(config)
+      if (!appID) {
+        return await catalogueApplication(config)
+      }
     }
-    // @ts-ignore
-  } catch (e) {
-    // @ts-ignore
+  } catch (e: any) {
     if (e.toString().includes('tunneling socket could not be established')) {
-      // @ts-ignore
       console.log(e.message.toString())
       console.log(
         'There seems to be an issue with your proxy, please check and try again'
@@ -32,15 +29,16 @@ export const dealWithNoAppId = async (config: { [x: string]: string }) => {
   return appID
 }
-export const startAudit = async (config: { [key: string]: string }) => {
-  if (!config.applicationId) {
-    // @ts-ignore
-    config.applicationId = await dealWithNoAppId(config)
+export const getAppName = (file: string) => {
+  const last = file.charAt(file.length - 1)
+  if (last !== '/') {
+    return file.split('/').pop()
+  } else {
+    const str = removeLastChar(file)
+    return str.split('/').pop()
   }
-  identifyLanguageAE(
-    config.projectPath,
-    languageFactory,
-    config.applicationId,
-    config
-  )
+}
+const removeLastChar = (str: string) => {
+  return str.substring(0, str.length - 1)
 }

package/src/commands/audit/help.ts CHANGED Viewed

@@ -13,35 +13,41 @@ const auditUsageGuide = commandLineUsage([
       '{bold ' +
         i18n.__('constantsAuditPrerequisitesContentSupportedLanguages') +
         '}',
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentJava') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentMessage'),
-      '',
-      '{italic ' + i18n.__('constantsJavaNote') + '}',
-      '{italic ' + i18n.__('constantsJavaNoteGradle') + '}',
-      '',
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentDotNet') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentDotNetMessage'),
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentLanguageNode') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentLanguageNodeMessage'),
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentLanguageRuby') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentLanguageRubyMessage'),
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentLanguagePython') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentLanguagePythonMessage')
+      i18n.__('constantsAuditPrerequisitesJavaContentMessage'),
+      i18n.__('constantsAuditPrerequisitesContentDotNetMessage'),
+      i18n.__('constantsAuditPrerequisitesContentNodeMessage'),
+      i18n.__('constantsAuditPrerequisitesContentRubyMessage'),
+      i18n.__('constantsAuditPrerequisitesContentPythonMessage'),
+      i18n.__('constantsAuditPrerequisitesContentGoMessage'),
+      i18n.__('constantsAuditPrerequisitesContentPHPMessage')
     ]
   },
   {
     header: i18n.__('constantsAuditOptions'),
-    optionList: constants.commandLineDefinitions.auditOptionDefinitions
+    optionList: constants.commandLineDefinitions.auditOptionDefinitions,
+    hide: [
+      'application-id',
+      'application-name',
+      'organization-id',
+      'api-key',
+      'authorization',
+      'host',
+      'proxy',
+      'help',
+      'ff',
+      'ignore-cert-errors',
+      'verbose',
+      'debug',
+      'experimental',
+      'tags',
+      'sub-project',
+      'code',
+      'maven-settings-path',
+      'language',
+      'experimental',
+      'app-groups',
+      'metadata'
+    ]
   }
 ])

package/src/commands/audit/processAudit.ts CHANGED Viewed

@@ -1,6 +1,6 @@
-import { startAudit } from './auditController'
 import { getAuditConfig } from './auditConfig'
 import { auditUsageGuide } from './help'
+import { processSca } from '../scan/sca/scaAnalysis'
 export type parameterInput = string[]
@@ -10,10 +10,7 @@ export const processAudit = async (argv: parameterInput) => {
     process.exit(0)
   }
   const config = getAuditConfig(argv)
-  // console.log(config)
-  const auditResults = await startAudit(config)
+  await processSca(config)
 }
 const printHelpMessage = () => {

package/src/commands/audit/saveFile.ts CHANGED Viewed

@@ -1,6 +1,10 @@
 import fs from 'fs'
-export default function saveFile(config: any, rawResults: any) {
-  const fileName = `${config.applicationId}-sbom-cyclonedx.json`
+export const saveFile = (config: any, type: string, rawResults: any) => {
+  const fileName = `${config.applicationId}-sbom-${type}.json`
   fs.writeFileSync(fileName, JSON.stringify(rawResults))
 }
+module.exports = {
+  saveFile
+}

package/src/commands/scan/processScan.js CHANGED Viewed

@@ -7,7 +7,6 @@ const { processSca } = require('./sca/scaAnalysis')
 const processScan = async argvMain => {
   let config = scanConfig.getScanConfig(argvMain)
-  // console.log(config)
   //try SCA analysis first
   if (config.experimental) {
     await processSca(config)