@contrast/contrast 1.0.7 → 1.0.10

package/src/index.ts

@@ -1,3 +1,5 @@
+#!/usr/bin/env node
+
 import commandLineArgs from 'command-line-args'
 import { processAudit } from './commands/audit/processAudit'
 import { processAuth } from './commands/auth/auth'
@@ -34,74 +36,84 @@ const getMainOption = () => {
 }
 
 const start = async () => {
-  if (await isCorrectNodeVersion(process.version)) {
-    const { mainOptions, argv: argvMain } = getMainOption()
-    const command =
-      mainOptions.command != undefined ? mainOptions.command.toLowerCase() : ''
-    if (
-      command === 'version' ||
-      argvMain.includes('--v') ||
-      argvMain.includes('--version')
-    ) {
-      console.log(APP_VERSION)
-      await findLatestCLIVersion(config.get('updateMessageHidden') as boolean)
-      return
-    }
+  try {
+    if (await isCorrectNodeVersion(process.version)) {
+      const { mainOptions, argv: argvMain } = getMainOption()
+      const command =
+        mainOptions.command != undefined
+          ? mainOptions.command.toLowerCase()
+          : ''
+      if (
+        command === 'version' ||
+        argvMain.includes('--v') ||
+        argvMain.includes('--version')
+      ) {
+        console.log(APP_VERSION)
+        await findLatestCLIVersion(config)
+        return
+      }
 
-    // @ts-ignore
-    config.set('numOfRuns', config.get('numOfRuns') + 1)
+      // @ts-ignore
+      config.set('numOfRuns', config.get('numOfRuns') + 1)
 
-    // @ts-ignore
-    if (config.get('numOfRuns') >= 5) {
-      await findLatestCLIVersion(config.get('updateMessageHidden') as boolean)
-      config.set('numOfRuns', 0)
-    }
+      // @ts-ignore
+      if (config.get('numOfRuns') >= 1) {
+        await findLatestCLIVersion(config)
+        config.set('numOfRuns', 0)
+      }
 
-    if (command === 'config') {
-      return processConfig(argvMain, config)
-    }
+      if (command === 'config') {
+        return processConfig(argvMain, config)
+      }
 
-    if (command === 'auth') {
-      return await processAuth(argvMain, config)
-    }
+      if (command === 'auth') {
+        return await processAuth(argvMain, config)
+      }
 
-    if (command === 'lambda') {
-      return await processLambda(argvMain)
-    }
+      if (command === 'lambda') {
+        return await processLambda(argvMain)
+      }
 
-    if (command === 'scan') {
-      return await processScan(argvMain)
-    }
+      if (command === 'scan') {
+        return await processScan(argvMain)
+      }
 
-    if (command === 'audit') {
-      return await processAudit(argvMain)
-    }
+      if (command === 'audit') {
+        return await processAudit(argvMain)
+      }
+
+      if (
+        command === 'help' ||
+        argvMain.includes('--help') ||
+        Object.keys(mainOptions).length === 0
+      ) {
+        console.log(mainUsageGuide)
+      } else if (mainOptions._unknown !== undefined) {
+        const foundCommand = findCommandOnError(mainOptions._unknown)
 
-    if (
-      command === 'help' ||
-      argvMain.includes('--help') ||
-      Object.keys(mainOptions).length === 0
-    ) {
-      console.log(mainUsageGuide)
-    } else if (mainOptions._unknown !== undefined) {
-      const foundCommand = findCommandOnError(mainOptions._unknown)
-
-      foundCommand
-        ? console.log(
-            `Unknown Command: Did you mean "${foundCommand}"? \nUse "${foundCommand} --help" for the full list of options`
-          )
-        : console.log(
-            `Unknown Command: ${command} \nUse --help for the full list`
-          )
+        foundCommand
+          ? console.log(
+              `Unknown Command: Did you mean "${foundCommand}"? \nUse "${foundCommand} --help" for the full list of options`
+            )
+          : console.log(
+              `Unknown Command: ${command} \nUse --help for the full list`
+            )
+      } else {
+        console.log(
+          `Unknown Command: ${command} \nUse --help for the full list`
+        )
+      }
+      process.exit(9)
     } else {
-      console.log(`Unknown Command: ${command} \nUse --help for the full list`)
+      console.log(
+        'Contrast supports Node versions >=16.13.2 <17. Please use one of those versions.'
+      )
+      process.exit(9)
     }
-    process.exit(9)
-  } else {
-    console.log(
-      'Contrast supports Node versions >=16.13.2 <17. Please use one of those versions.'
-    )
-    process.exit(9)
+  } catch (err: any) {
+    console.log()
+    console.log(err.message.toString())
+    process.exit(1)
   }
 }
 

package/src/lambda/lambda.ts

@@ -16,6 +16,7 @@ import { sleep } from '../utils/requestUtils'
 import ora from '../utils/oraWrapper'
 import { postAnalytics } from './analytics'
 import { LambdaOptions, AnalyticsOption, StatusType, EventType } from './types'
+import { APP_VERSION } from '../constants/constants'
 
 type ApiParams = {
   organizationId: string
@@ -73,7 +74,8 @@ const processLambda = async (argv: string[]) => {
     const startCommandAnalytics: AnalyticsOption = {
       arguments: lambdaOptions,
       sessionId: commandSessionId,
-      eventType: EventType.START
+      eventType: EventType.START,
+      packageVersion: APP_VERSION
     }
     postAnalytics(startCommandAnalytics).catch((error: Error) => {
       /* ignore */
@@ -99,7 +101,8 @@ const processLambda = async (argv: string[]) => {
     const endCommandAnalytics: AnalyticsOption = {
       sessionId: commandSessionId,
       eventType: EventType.END,
-      status: errorMsg ? StatusType.FAILED : StatusType.SUCCESS
+      status: errorMsg ? StatusType.FAILED : StatusType.SUCCESS,
+      packageVersion: APP_VERSION
     }
     if (errorMsg) {
       endCommandAnalytics.errorMsg = errorMsg

package/src/lambda/types.ts

@@ -28,6 +28,7 @@ type ScanFunctionData = {
 export type AnalyticsOption = {
   sessionId: string
   eventType: EventType
+  packageVersion: string
   arguments?: LambdaOptions
   scanFunctionData?: ScanFunctionData
   status?: StatusType

package/src/sbom/generateSbom.ts

@@ -1,9 +1,9 @@
 import { getHttpClient } from '../utils/commonApi'
 
-export default function generateSbom(config: any) {
+export const generateSbom = (config: any, type: string) => {
   const client = getHttpClient(config)
   return client
-    .getSbom(config)
+    .getSbom(config, type)
     .then((res: { statusCode: number; body: any }) => {
       if (res.statusCode === 200) {
         return res.body

package/src/scaAnalysis/common/formatMessage.js

@@ -6,6 +6,21 @@ const createJavaTSMessage = javaTree => {
   }
 }
 
+const createJavaScriptTSMessage = js => {
+  let message = {
+    node: {
+      packageJSON: js.packageJSON
+    }
+  }
+  if (js.yarn !== undefined) {
+    message.node.yarnLockFile = js.yarn.yarnLockFile
+    message.node.yarnVersion = js.yarn.yarnVersion
+  } else {
+    message.node.npmLockFile = js.npmLockFile
+  }
+  return message
+}
+
 const createGoTSMessage = goTree => {
   return {
     go: {
@@ -16,23 +31,37 @@ const createGoTSMessage = goTree => {
 
 const createRubyTSMessage = rubyTree => {
   return {
-    ruby: {
-      rubyDependencyTrees: rubyTree
-    }
+    ruby: rubyTree
   }
 }
 
 const createPythonTSMessage = pythonTree => {
   return {
-    python: {
-      pythonDependencyTrees: pythonTree
+    python: pythonTree
+  }
+}
+
+const createPhpTSMessage = phpTree => {
+  return {
+    php: {
+      composerJSON: phpTree.composerJSON,
+      lockFile: phpTree.lockFile
     }
   }
 }
 
+const createDotNetTSMessage = dotnetTree => {
+  return {
+    dotnet: dotnetTree
+  }
+}
+
 module.exports = {
+  createJavaScriptTSMessage,
   createJavaTSMessage,
   createGoTSMessage,
+  createPhpTSMessage,
   createRubyTSMessage,
-  createPythonTSMessage
+  createPythonTSMessage,
+  createDotNetTSMessage
 }

package/src/scaAnalysis/common/treeUpload.js

@@ -1,4 +1,4 @@
-const { getHttpClient } = require('../../utils/commonApi')
+const commonApi = require('../../utils/commonApi')
 const { APP_VERSION } = require('../../constants/constants')
 
 const commonSendSnapShot = async (analysis, config) => {
@@ -8,20 +8,18 @@ const commonSendSnapShot = async (analysis, config) => {
     snapshot: analysis
   }
 
-  const client = getHttpClient(config)
+  const client = commonApi.getHttpClient(config)
   return client
     .sendSnapshot(requestBody, config)
     .then(res => {
       if (res.statusCode === 201) {
-        console.log('dependencies processed successfully')
         return res.body
       } else {
-        console.log(res.statusCode)
-        console.log('error processing dependencies')
+        throw new Error(res.statusCode + ` error processing dependencies`)
       }
     })
     .catch(err => {
-      console.log(err)
+      throw err
     })
 }
 

package/src/scaAnalysis/dotnet/analysis.js

@@ -0,0 +1,54 @@
+const fs = require('fs')
+const xml2js = require('xml2js')
+const i18n = require('i18n')
+
+const readAndParseProjectFile = projectFilePath => {
+  const projectFile = fs.readFileSync(projectFilePath)
+
+  return new xml2js.Parser({
+    explicitArray: false,
+    mergeAttrs: true
+  }).parseString(projectFile)
+}
+
+const readAndParseLockFile = lockFilePath => {
+  const lockFile = JSON.parse(fs.readFileSync(lockFilePath).toString())
+
+  let count = 0 // Used to test if some nodes are deleted
+
+  for (const dependenciesNode in lockFile.dependencies) {
+    for (const innerNode in lockFile.dependencies[dependenciesNode]) {
+      const nodeValidation = JSON.stringify(
+        lockFile.dependencies[dependenciesNode][innerNode]
+      )
+      if (nodeValidation.includes('"type":"Project"')) {
+        count += 1
+        delete lockFile.dependencies[dependenciesNode][innerNode]
+        lockFile.additionalInfo = 'dependenciesNote'
+      }
+    }
+  }
+
+  if (count > 0) {
+    const multiLevelProjectWarning = () => {
+      console.log('')
+      console.log(i18n.__('dependenciesNote'))
+    }
+    setTimeout(multiLevelProjectWarning, 7000)
+  }
+
+  return lockFile
+}
+
+const getDotNetDeps = (filePath, languageFiles) => {
+  const projectFile = readAndParseProjectFile(filePath + `/${languageFiles[0]}`)
+  const lockFile = readAndParseLockFile(filePath + `/${languageFiles[1]}`)
+
+  return { projectFile, lockFile }
+}
+
+module.exports = {
+  getDotNetDeps,
+  readAndParseProjectFile,
+  readAndParseLockFile
+}

package/src/scaAnalysis/dotnet/index.js

@@ -0,0 +1,11 @@
+const { getDotNetDeps } = require('./analysis')
+const { createDotNetTSMessage } = require('../common/formatMessage')
+
+const dotNetAnalysis = (config, languageFiles) => {
+  const dotNetDeps = getDotNetDeps(config.file, languageFiles.DOTNET)
+  return createDotNetTSMessage(dotNetDeps)
+}
+
+module.exports = {
+  dotNetAnalysis
+}

package/src/scaAnalysis/go/goReadDepFile.js

@@ -3,9 +3,7 @@ const i18n = require('i18n')
 
 const getGoDependencies = config => {
   let cmdStdout
-  let cwd = config.projectPath
-    ? config.projectPath.replace('go.mod', '')
-    : process.cwd()
+  let cwd = config.file ? config.file.replace('go.mod', '') : process.cwd()
 
   try {
     // A sample of this output can be found

package/src/scaAnalysis/java/analysis.js

@@ -6,7 +6,7 @@ const fs = require('fs')
 const MAVEN = 'maven'
 const GRADLE = 'gradle'
 
-const determineProjectTypeAndCwd = (files, projectPath) => {
+const determineProjectTypeAndCwd = (files, file) => {
   const projectData = {}
 
   if (files[0].includes('pom.xml')) {
@@ -16,9 +16,9 @@ const determineProjectTypeAndCwd = (files, projectPath) => {
   }
 
   //clean up the path to be a folder not a file
-  projectData.cwd = projectPath
-    ? projectPath.replace('pom.xml', '').replace('build.gradle', '')
-    : projectPath
+  projectData.cwd = file
+    ? file.replace('pom.xml', '').replace('build.gradle', '')
+    : file
 
   return projectData
 }
@@ -124,7 +124,7 @@ const getJavaBuildDeps = (config, files) => {
   }
 
   try {
-    const projectData = determineProjectTypeAndCwd(files, config.projectPath)
+    const projectData = determineProjectTypeAndCwd(files, config.file)
     if (projectData.projectType === MAVEN) {
       output.mvnDependancyTreeOutput = buildMaven(config, projectData, timeout)
     } else if (projectData.projectType === GRADLE) {

package/src/scaAnalysis/javascript/analysis.js

@@ -0,0 +1,126 @@
+const fs = require('fs')
+const yarnParser = require('@yarnpkg/lockfile')
+const yaml = require('js-yaml')
+const i18n = require('i18n')
+const {
+  formatKey
+} = require('../../audit/nodeAnalysisEngine/parseYarn2LockFileContents')
+
+const readFile = async (config, languageFiles, nameOfFile) => {
+  const index = languageFiles.findIndex(v => v.includes(nameOfFile))
+
+  if (config.file) {
+    return fs.readFileSync(config.file.concat(languageFiles[index]), 'utf8')
+  } else {
+    throw new Error('could not find file')
+  }
+}
+
+const readYarn = async (config, languageFiles, nameOfFile) => {
+  let yarn = {
+    yarnVersion: 1,
+    rawYarnLockFileContents: ''
+  }
+
+  try {
+    let rawYarnLockFileContents = await readFile(
+      config,
+      languageFiles,
+      nameOfFile
+    )
+    yarn.rawYarnLockFileContents = rawYarnLockFileContents
+
+    if (
+      !yarn.rawYarnLockFileContents.includes('lockfile v1') ||
+      yarn.rawYarnLockFileContents.includes('__metadata')
+    ) {
+      yarn.rawYarnLockFileContents = yaml.load(rawYarnLockFileContents)
+      yarn.yarnVersion = 2
+    }
+
+    return yarn
+  } catch (err) {
+    throw new Error(i18n.__('nodeReadYarnLockFileError') + `${err.message}`)
+  }
+}
+
+const parseNpmLockFile = async js => {
+  try {
+    js.npmLockFile = JSON.parse(js.rawLockFileContents)
+    if (js.npmLockFile && js.npmLockFile.lockfileVersion > 1) {
+      const listOfTopDep = Object.keys(js.npmLockFile.dependencies)
+      Object.entries(js.npmLockFile.dependencies).forEach(([objKey, value]) => {
+        if (value.requires) {
+          const listOfRequiresDep = Object.keys(value.requires)
+          listOfRequiresDep.forEach(dep => {
+            if (!listOfTopDep.includes(dep)) {
+              addDepToLockFile(js, value['requires'], dep)
+            }
+          })
+        }
+
+        if (value.dependencies) {
+          Object.entries(value.dependencies).forEach(
+            ([objChildKey, childValue]) => {
+              if (childValue.requires) {
+                const listOfRequiresDep = Object.keys(childValue.requires)
+                listOfRequiresDep.forEach(dep => {
+                  if (!listOfTopDep.includes(dep)) {
+                    addDepToLockFile(js, childValue['requires'], dep)
+                  }
+                })
+              }
+            }
+          )
+        }
+      })
+      return js.npmLockFile
+    } else {
+      return js.npmLockFile
+    }
+  } catch (err) {
+    throw new Error(i18n.__('NodeParseNPM') + `${err.message}`)
+  }
+}
+
+const addDepToLockFile = (js, depObj, key) => {
+  return (js.npmLockFile.dependencies[key] = { version: depObj[key] })
+}
+const parseYarnLockFile = async js => {
+  try {
+    js.yarn.yarnLockFile = {}
+    if (js.yarn.yarnVersion === 1) {
+      js.yarn.yarnLockFile = yarnParser.parse(js.yarn.rawYarnLockFileContents)
+      delete js.yarn.rawYarnLockFileContents
+      return js
+    } else {
+      js.yarn.yarnLockFile['object'] = js.yarn.rawYarnLockFileContents
+      delete js.yarn.yarnLockFile['object'].__metadata
+      js.yarn.yarnLockFile['type'] = 'success'
+
+      Object.entries(js.yarn.rawYarnLockFileContents).forEach(
+        ([key, value]) => {
+          const rawKeyNames = key.split(',')
+          const keyNames = formatKey(rawKeyNames)
+
+          keyNames.forEach(name => {
+            js.yarn.yarnLockFile.object[name] = value
+          })
+        }
+      )
+      return js
+    }
+  } catch (err) {
+    throw new Error(
+      i18n.__('NodeParseYarn', js.yarn.yarnVersion) + `${err.message}`
+    )
+  }
+}
+
+module.exports = {
+  readYarn,
+  parseYarnLockFile,
+  parseNpmLockFile,
+  readFile,
+  formatKey
+}

package/src/scaAnalysis/javascript/index.js

@@ -0,0 +1,75 @@
+const analysis = require('./analysis')
+const i18n = require('i18n')
+const formatMessage = require('../common/formatMessage')
+
+const jsAnalysis = async (config, languageFiles) => {
+  checkForCorrectFiles(languageFiles)
+
+  if (!config.file.endsWith('/')) {
+    config.file = config.file.concat('/')
+  }
+  return buildNodeTree(config, languageFiles.JAVASCRIPT)
+}
+const buildNodeTree = async (config, files) => {
+  let analysis = await readFiles(config, files)
+  const rawNode = await parseFiles(config, files, analysis)
+  return formatMessage.createJavaScriptTSMessage(rawNode)
+}
+
+const readFiles = async (config, files) => {
+  let js = {}
+
+  js.packageJSON = JSON.parse(
+    await analysis.readFile(config, files, 'package.json')
+  )
+
+  if (files.includes('package-lock.json')) {
+    js.rawLockFileContents = await analysis.readFile(
+      config,
+      files,
+      'package-lock.json'
+    )
+  }
+  if (files.includes('yarn.lock')) {
+    js.yarn = {}
+    js.yarn = await analysis.readYarn(config, files, 'yarn.lock')
+  }
+
+  return js
+}
+
+const parseFiles = async (config, files, js) => {
+  if (files.includes('package-lock.json')) {
+    js.npmLockFile = await analysis.parseNpmLockFile(js)
+  }
+  if (files.includes('yarn.lock')) {
+    js = await analysis.parseYarnLockFile(js)
+  }
+
+  return js
+}
+
+const checkForCorrectFiles = languageFiles => {
+  if (
+    languageFiles.JAVASCRIPT.includes('package-lock.json') &&
+    languageFiles.JAVASCRIPT.includes('yarn.lock')
+  ) {
+    throw new Error(
+      i18n.__('languageAnalysisHasMultipleLockFiles', 'javascript')
+    )
+  }
+
+  if (
+    !languageFiles.JAVASCRIPT.includes('package-lock.json') &&
+    !languageFiles.JAVASCRIPT.includes('yarn.lock')
+  ) {
+    throw new Error(i18n.__('languageAnalysisHasNoLockFile', 'javascript'))
+  }
+
+  if (!languageFiles.JAVASCRIPT.includes('package.json')) {
+    throw new Error(i18n.__('languageAnalysisHasNoPackageJsonFile'))
+  }
+}
+module.exports = {
+  jsAnalysis
+}

package/src/scaAnalysis/php/analysis.js

@@ -0,0 +1,78 @@
+const fs = require('fs')
+const i18n = require('i18n')
+const _ = require('lodash')
+
+const readFile = (config, nameOfFile) => {
+  if (config.file) {
+    try {
+      return fs.readFileSync(config.file + '/' + nameOfFile)
+    } catch (error) {
+      console.log('Unable to find file')
+      console.log(error)
+    }
+  }
+}
+
+const parseProjectFiles = php => {
+  try {
+    // composer.json
+    php.composerJSON.dependencies = php.composerJSON.require
+    php.composerJSON.devDependencies = php.composerJSON['require-dev']
+
+    // composer.lock
+    php.lockFile = php.rawLockFileContents
+    let packages = _.keyBy(php.lockFile.packages, 'name')
+    let packagesDev = _.keyBy(php.lockFile['packages-dev'], 'name')
+    php.lockFile.dependencies = _.merge(packages, packagesDev)
+
+    const listOfTopDep = Object.keys(php.lockFile.dependencies)
+
+    Object.entries(php.lockFile.dependencies).forEach(([key, value]) => {
+      if (value.require) {
+        const listOfRequiresDep = Object.keys(value.require)
+        listOfRequiresDep.forEach(dep => {
+          if (!listOfTopDep.includes(dep)) {
+            addChildDepToLockFileAsOwnObj(php, value['require'], dep)
+          }
+        })
+      }
+
+      if (value['require-dev']) {
+        const listOfRequiresDep = Object.keys(value['require-dev'])
+        listOfRequiresDep.forEach(dep => {
+          if (!listOfTopDep.includes(dep)) {
+            addChildDepToLockFileAsOwnObj(php, value['require-dev'], dep)
+          }
+        })
+      }
+    })
+    formatParentDepToLockFile(php)
+    delete php.rawLockFileContents
+    return php
+  } catch (err) {
+    return console.log(i18n.__('phpParseComposerLock', php) + `${err.message}`) // not sure on this
+  }
+}
+
+function addChildDepToLockFileAsOwnObj(php, depObj, key) {
+  php.lockFile.dependencies[key] = { version: depObj[key] }
+}
+
+function formatParentDepToLockFile(php) {
+  for (const [key, value] of Object.entries(php.lockFile.dependencies)) {
+    let requires = {}
+    for (const [childKey, childValue] of Object.entries(value)) {
+      if (childKey === 'require' || childKey === 'require-dev') {
+        requires = _.merge(requires, childValue)
+        php.lockFile.dependencies[key].requires = requires
+        delete php.lockFile.dependencies[key].require
+        delete php.lockFile.dependencies[key]['require-dev']
+      }
+    }
+  }
+}
+
+module.exports = {
+  parseProjectFiles,
+  readFile
+}