@contrast/contrast 1.0.7 → 1.0.8

package/dist/scaAnalysis/python/analysis.js

@@ -1,8 +1,8 @@
 "use strict";
 const multiReplace = require('string-multiple-replace');
 const fs = require('fs');
-const readAndParseProjectFile = projectPath => {
-    const filePath = filePathForWindows(projectPath + '/Pipfile');
+const readAndParseProjectFile = file => {
+    const filePath = filePathForWindows(file + '/Pipfile');
     const pipFile = fs.readFileSync(filePath, 'utf8');
     const matcherObj = { '"': '' };
     const sequencer = ['"'];
@@ -10,18 +10,19 @@ const readAndParseProjectFile = projectPath => {
     const pythonArray = parsedPipfile.split('\n');
     return pythonArray.filter(element => element !== '' && !element.includes('#'));
 };
-const readAndParseLockFile = projectPath => {
-    const filePath = filePathForWindows(projectPath + '/Pipfile.lock');
+const readAndParseLockFile = file => {
+    const filePath = filePathForWindows(file + '/Pipfile.lock');
     const lockFile = fs.readFileSync(filePath, 'utf8');
     let parsedPipLock = JSON.parse(lockFile);
     parsedPipLock['defaults'] = parsedPipLock['default'];
+    delete parsedPipLock['default'];
     return parsedPipLock;
 };
 const getPythonDeps = config => {
     try {
-        const parseProject = readAndParseProjectFile(config.projectPath);
-        const parsePip = readAndParseLockFile(config.projectPath);
-        return { pipfileLock: parseProject, pipfilDependanceies: parsePip };
+        const parseProject = readAndParseProjectFile(config.file);
+        const parsePip = readAndParseLockFile(config.file);
+        return { pipfileLock: parsePip, pipfilDependanceies: parseProject };
     }
     catch (err) {
         console.log(err.message.toString());

package/dist/scaAnalysis/ruby/analysis.js

@@ -1,7 +1,7 @@
 "use strict";
 const fs = require('fs');
-const readAndParseGemfile = projectPath => {
-    const fileName = filePathForWindows(projectPath + '/Gemfile');
+const readAndParseGemfile = file => {
+    const fileName = filePathForWindows(file + '/Gemfile');
     const gemFile = fs.readFileSync(fileName, 'utf8');
     const rubyArray = gemFile.split('\n');
     let filteredRubyDep = rubyArray.filter(element => {
@@ -14,8 +14,8 @@ const readAndParseGemfile = projectPath => {
     }
     return filteredRubyDep;
 };
-const readAndParseGemLockFile = projectPath => {
-    const fileName = filePathForWindows(projectPath + '/Gemfile.lock');
+const readAndParseGemLockFile = file => {
+    const fileName = filePathForWindows(file + '/Gemfile.lock');
     const lockFile = fs.readFileSync(fileName, 'utf8');
     const dependencyRegEx = /^\s*([A-Za-z0-9.!@#$%\-^&*_+]*)\s*(\((.*?)\))/;
     const lines = lockFile.split('\n');
@@ -26,7 +26,7 @@ const readAndParseGemLockFile = projectPath => {
     };
 };
 const nonDependencyKeys = (line, sourceObject) => {
-    const GEMFILE_KEY_VALUE = /^\s*([^:(]*)\s*\s*(.*)/;
+    const GEMFILE_KEY_VALUE = /^\s*([^:(]*)\s*\:*\s*(.*)/;
     let parts = GEMFILE_KEY_VALUE.exec(line);
     let key = parts[1].trim();
     let value = parts[2] || '';
@@ -164,7 +164,7 @@ const getSourceArray = (lines, dependencyRegEx) => {
                 }
                 if ((currentWS === 4 && nexlineWS === 4) ||
                     (currentWS === 6 && nexlineWS === 4) ||
-                    nexlineWS === '') {
+                    nexlineWS == '') {
                     let newObj = {};
                     newObj = JSON.parse(JSON.stringify(sourceObject));
                     sources.push(newObj);
@@ -192,8 +192,8 @@ const buildSourceDependencyWithVersion = (whitespaceRegx, dependencyRegEx, line,
 };
 const getRubyDeps = config => {
     try {
-        const parsedGem = readAndParseGemfile(config.projectPath);
-        const parsedLock = readAndParseGemLockFile(config.projectPath);
+        const parsedGem = readAndParseGemfile(config.file);
+        const parsedLock = readAndParseGemLockFile(config.file);
         return { gemfilesDependanceies: parsedGem, gemfileLock: parsedLock };
     }
     catch (err) {

package/dist/scaAnalysis/ruby/index.js

@@ -1,8 +1,8 @@
 "use strict";
-const { getRubyDeps } = require('./analysis');
+const analysis = require('./analysis');
 const { createRubyTSMessage } = require('../common/formatMessage');
 const rubyAnalysis = (config, languageFiles) => {
-    const rubyDeps = getRubyDeps(config, languageFiles.RUBY);
+    const rubyDeps = analysis.getRubyDeps(config, languageFiles.RUBY);
     return createRubyTSMessage(rubyDeps);
 };
 module.exports = {

package/dist/scan/autoDetection.js

@@ -37,14 +37,14 @@ const autoDetectAuditFilesAndLanguages = async () => {
         return languagesFound;
     }
     else {
-        console.log('found multiple languages, please specify one using --file to run SCA analysis');
+        console.log('found multiple languages, please specify one using --file to run SCA audit');
     }
 };
-const manualDetectAuditFilesAndLanguages = projectPath => {
-    let projectRootFilenames = rootFile.getProjectRootFilenames(projectPath);
+const manualDetectAuditFilesAndLanguages = file => {
+    let projectRootFilenames = rootFile.getProjectRootFilenames(file);
     let identifiedLanguages = languageResolver.deduceLanguageScaAnalysis(projectRootFilenames);
     if (Object.keys(identifiedLanguages).length === 0) {
-        console.log(i18n.__('languageAnalysisNoLanguage', projectPath));
+        console.log(i18n.__('languageAnalysisNoLanguage', file));
         return [];
     }
     return [identifiedLanguages];

package/dist/scan/fileUtils.js

@@ -22,7 +22,7 @@ const findFilesJava = async (languagesFound) => {
     return languagesFound;
 };
 const findFilesJavascript = async (languagesFound) => {
-    const result = await fg(['**/package.json', '**/yarn.lock', '**/package.lock.json'], {
+    const result = await fg(['**/package.json', '**/yarn.lock', '**/package-lock.json'], {
         dot: false,
         deep: 1,
         onlyFiles: true
@@ -92,7 +92,18 @@ const fileExists = path => {
 };
 const fileIsEmpty = path => {
     if (fileExists(path) && checkFilePermissions(path)) {
-        return fs.readFileSync(path).length === 0;
+        try {
+            return fs.readFileSync(path).length === 0;
+        }
+        catch (e) {
+            if (e.message.toString().includes('illegal operation on a directory, read')) {
+                console.log('file provided cannot be a directory');
+            }
+            else {
+                console.log(e.message.toString());
+            }
+            process.exit(0);
+        }
     }
     return false;
 };

package/dist/utils/filterProjectPath.js

@@ -1,5 +1,6 @@
 "use strict";
 const path = require('path');
+const child_process = require('child_process');
 function resolveFilePath(filepath) {
     if (filepath[0] === '~') {
         return path.join(process.env.HOME, filepath.slice(1));
@@ -7,11 +8,15 @@ function resolveFilePath(filepath) {
     return filepath;
 }
 const returnProjectPath = () => {
-    if (process.env.PWD !== (undefined || null || 'undefined')) {
+    if (process.platform == 'win32') {
+        let winPath = child_process.execSync('cd').toString();
+        return winPath.replace(/\//g, '\\').trim();
+    }
+    else if (process.env.PWD !== (undefined || null || 'undefined')) {
         return process.env.PWD;
     }
     else {
-        return process.argv[process.argv.indexOf('--project_path') + 1];
+        return process.argv[process.argv.indexOf('--file') + 1];
     }
 };
 module.exports = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "1.0.7",
+  "version": "1.0.8",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -23,7 +23,8 @@
     "test": "jest --testPathIgnorePatterns=./test-integration/",
     "test-int": "jest ./test-integration/",
     "test-int-scan": "jest ./test-integration/scan",
-    "test-int-audit": "jest ./test-integration/audit",
+    "test-int-audit": "jest ./test-integration/audit/audit.spec.js",
+    "test-int-audit-experimental": "jest ./test-integration/audit/audit-experimental.spec.js",
     "format": "prettier --write \"**/*.{ts,tsx,js,json,md,yml}\" .eslintrc.*",
     "check-format": "prettier --check \"**/*.{ts,tsx,js,json,md,yml}\" .eslintrc.*",
     "coverage-local": "nyc --reporter=text mocha './test/**/*.spec.js'",
@@ -53,7 +54,6 @@
     "fast-glob": "^3.2.11",
     "i18n": "^0.14.2",
     "js-yaml": "^4.1.0",
-    "latest-version": "5.1.0",
     "lodash": "^4.17.21",
     "log-symbols": "^4.1.0",
     "open": "^8.4.0",

package/src/audit/autodetection/autoDetectLanguage.ts

@@ -8,8 +8,8 @@ import {
 import { getProjectRootFilenames } from '../languageAnalysisEngine/getProjectRootFilenames'
 
 export function identifyLanguages(config: any) {
-  const { projectPath } = config
-  const projectRootFilenames = getProjectRootFilenames(projectPath)
+  const { file } = config
+  const projectRootFilenames = getProjectRootFilenames(file)
 
   const identifiedLanguages = projectRootFilenames.reduce(
     (accumulator: any, filename: string) => {
@@ -20,7 +20,7 @@ export function identifyLanguages(config: any) {
   )
 
   if (Object.keys(identifiedLanguages).length === 0) {
-    throw new Error(i18n.__('languageAnalysisNoLanguage', projectPath))
+    throw new Error(i18n.__('languageAnalysisNoLanguage', file))
   }
 
   return reduceIdentifiedLanguages(identifiedLanguages)

package/src/audit/catalogueApplication/catalogueApplication.js

@@ -1,10 +1,5 @@
-const i18n = require('i18n')
 const { getHttpClient, handleResponseErrors } = require('../../utils/commonApi')
 
-const displaySuccessMessage = () => {
-  console.log(i18n.__('catalogueSuccessCommand'))
-}
-
 const catalogueApplication = async config => {
   const client = getHttpClient(config)
   let appId
@@ -14,6 +9,8 @@ const catalogueApplication = async config => {
       if (res.statusCode === 201) {
         //displaySuccessMessage(config, res.body.application.app_id)
         appId = res.body.application.app_id
+      } else if (doesMessagesContainAppId(res)) {
+        appId = tryRetrieveAppIdFromMessages(res.body.messages)
       } else {
         handleResponseErrors(res, 'catalogue')
       }
@@ -24,6 +21,31 @@ const catalogueApplication = async config => {
   return appId
 }
 
+const doesMessagesContainAppId = res => {
+  const regex = /(Application ID =)/
+  if (
+    res.statusCode === 400 &&
+    res.body.messages.filter(message => regex.exec(message))[0]
+  ) {
+    return true
+  }
+
+  return false
+}
+
+const tryRetrieveAppIdFromMessages = messages => {
+  let appId
+  messages.forEach(message => {
+    if (message.includes('Application ID')) {
+      appId = message.split('=')[1].replace(/\s+/g, '')
+    }
+  })
+
+  return appId
+}
+
 module.exports = {
-  catalogueApplication: catalogueApplication
+  catalogueApplication: catalogueApplication,
+  doesMessagesContainAppId,
+  tryRetrieveAppIdFromMessages
 }

package/src/audit/languageAnalysisEngine/getIdentifiedLanguageInfo.js

@@ -5,15 +5,15 @@ const path = require('path')
  * language, project file name and paths
  */
 module.exports = exports = (analysis, next) => {
-  const { projectPath, languageAnalysis } = analysis
+  const { file, languageAnalysis } = analysis
   languageAnalysis.identifiedLanguageInfo = getIdentifiedLanguageInfo(
-    projectPath,
+    file,
     languageAnalysis.identifiedLanguages
   )
   next()
 }
 
-const getIdentifiedLanguageInfo = (projectPath, identifiedLanguages) => {
+const getIdentifiedLanguageInfo = (file, identifiedLanguages) => {
   const [language] = Object.keys(identifiedLanguages)
   const {
     projectFilenames: [projectFilename],
@@ -23,14 +23,14 @@ const getIdentifiedLanguageInfo = (projectPath, identifiedLanguages) => {
   let identifiedLanguageInfo = {
     language,
     projectFilename,
-    projectFilePath: path.join(projectPath, projectFilename)
+    projectFilePath: path.join(file, projectFilename)
   }
 
   if (lockFilename) {
     identifiedLanguageInfo = {
       ...identifiedLanguageInfo,
       lockFilename,
-      lockFilePath: path.join(projectPath, lockFilename)
+      lockFilePath: path.join(file, lockFilename)
     }
   }
 

package/src/audit/languageAnalysisEngine/getProjectRootFilenames.js

@@ -9,21 +9,21 @@ const i18n = require('i18n')
  * Will fail and throw for a manner of reasons when doing file/directory
  * inspection.
  *
- * @param {string} projectPath - The path to a projects root directory or a
+ * @param {string} file - The path to a projects root directory or a
  * specific project file
  *
  * @return {string[]} List of filenames associated with a projects root
  * directory or the name of the specific project file if that was provided to
- * the 'projectPath' parameter
+ * the 'file' parameter
  *
  * @throws {Error} If the project path doesn't exist
  * @throws {Error} If the project path information can't be collected
  * @throws {Error} If a non-file or non-directory inspected
  */
 module.exports = exports = (analysis, next) => {
-  const { projectPath, languageAnalysis } = analysis
+  const { file, languageAnalysis } = analysis
   try {
-    languageAnalysis.projectRootFilenames = getProjectRootFilenames(projectPath)
+    languageAnalysis.projectRootFilenames = getProjectRootFilenames(file)
   } catch (err) {
     next(err)
     return
@@ -31,13 +31,13 @@ module.exports = exports = (analysis, next) => {
   next()
 }
 
-const getProjectRootFilenames = projectPath => {
+const getProjectRootFilenames = file => {
   let projectStats = null
   try {
-    projectStats = fs.statSync(projectPath)
+    projectStats = fs.statSync(file)
   } catch (err) {
     throw new Error(
-      i18n.__('languageAnalysisProjectRootFileNameFailure', projectPath) +
+      i18n.__('languageAnalysisProjectRootFileNameFailure', file) +
         `${err.message}`
     )
   }
@@ -45,10 +45,10 @@ const getProjectRootFilenames = projectPath => {
   // Return the contents of a directory...
   if (projectStats.isDirectory()) {
     try {
-      return fs.readdirSync(projectPath)
+      return fs.readdirSync(file)
     } catch (err) {
       throw new Error(
-        i18n.__('languageAnalysisProjectRootFileNameReadError', projectPath) +
+        i18n.__('languageAnalysisProjectRootFileNameReadError', file) +
           `${err.message}`
       )
     }
@@ -57,14 +57,14 @@ const getProjectRootFilenames = projectPath => {
   // If we are working with a file return it in a list as we do when we work
   // with a directory...
   if (projectStats.isFile()) {
-    return [path.basename(projectPath)]
+    return [path.basename(file)]
   }
 
   // Error out if we are working with something like a socket file or some
   // other craziness...
   throw new Error(
     i18n.__('languageAnalysisProjectRootFileNameMissingError'),
-    projectPath
+    file
   )
 }
 

package/src/audit/languageAnalysisEngine/index.js

@@ -10,10 +10,10 @@ const checkIdentifiedLanguageHasLockFile = require('./checkIdentifiedLanguageHas
 const getIdentifiedLanguageInfo = require('./getIdentifiedLanguageInfo')
 const { libraryAnalysisError } = require('../../common/errorHandling')
 
-module.exports = exports = (projectPath, callback, appId, config) => {
+module.exports = exports = (file, callback, appId, config) => {
   // Create an analysis engine to identify the project language
   const ae = new AnalysisEngine({
-    projectPath,
+    file,
     appId,
     languageAnalysis: { appId: appId },
     config

package/src/audit/languageAnalysisEngine/languageAnalysisFactory.js

@@ -11,17 +11,13 @@ const phpAE = require('../phpAnalysisEngine')
 const goAE = require('../goAnalysisEngine')
 const { vulnerabilityReport } = require('./report/reportingFeature')
 const { newSendSnapShot } = require('../languageAnalysisEngine/sendSnapshot')
-const fs = require('fs')
-const chalk = require('chalk')
-const saveFile = require('../../commands/audit/saveFile').default
-const generateSbom = require('../../sbom/generateSbom').default
 const {
-  failSpinner,
   returnOra,
   startSpinner,
   succeedSpinner
 } = require('../../utils/oraWrapper')
 const { pollForSnapshotCompletition } = require('./sendSnapshot')
+const auditSave = require('../save')
 
 module.exports = exports = (err, analysis) => {
   const { identifiedLanguageInfo } = analysis.languageAnalysis
@@ -57,17 +53,17 @@ module.exports = exports = (err, analysis) => {
     const snapshotResponse = await newSendSnapShot(analysis, catalogueAppId)
 
     //poll for completion
-    const pollResult = await pollForSnapshotCompletition(
+    await pollForSnapshotCompletition(
       analysis.config,
       snapshotResponse.id,
       reportSpinner
     )
-    succeedSpinner(reportSpinner, 'Contrast SCA analysis complete')
+    succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
 
     await vulnerabilityReport(analysis, catalogueAppId, snapshotResponse.id)
 
     //should be moved to processAudit.ts once promises implemented
-    await auditSave(config)
+    await auditSave.auditSave(config)
   }
 
   if (identifiedLanguageInfo.language === DOTNET) {
@@ -98,27 +94,3 @@ module.exports = exports = (err, analysis) => {
     goAE(identifiedLanguageInfo, analysis.config, langCallback)
   }
 }
-
-async function auditSave(config) {
-  //should be moved to processAudit.ts once promises implemented
-  if (config.save) {
-    if (config.save.toLowerCase() === 'sbom') {
-      saveFile(config, await generateSbom(config))
-
-      const filename = `${config.applicationId}-sbom-cyclonedx.json`
-      if (fs.existsSync(filename)) {
-        console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`)
-      } else {
-        console.log(
-          chalk.yellow.bold(
-            `\n Unable to save ${filename} Software Bill of Materials (SBOM)`
-          )
-        )
-      }
-    } else {
-      console.log(i18n.__('auditBadFiletypeSpecifiedForSave'))
-    }
-  } else if (config.save === null) {
-    console.log(i18n.__('auditNoFiletypeSpecifiedForSave'))
-  }
-}

package/src/audit/languageAnalysisEngine/reduceIdentifiedLanguages.js

@@ -46,37 +46,38 @@ const deduceLanguageScaAnalysis = filenames => {
 
     if (isNodeProjectFilename(filename)) {
       deducedLanguages.push(filename)
-      language = NODE
+      language = JAVASCRIPT
     }
-    //
+
     // if (isDotNetProjectFilename(filename)) {
     //   deducedLanguages.push({language: DOTNET, projectFilename: filename})
     // }
-    //
+
     if (isRubyProjectFilename(filename)) {
       deducedLanguages.push(filename)
       language = RUBY
     }
-    //
+
     if (isPythonProjectFilename(filename)) {
       deducedLanguages.push(filename)
       language = PYTHON
     }
-    //
-    // if (isPhpProjectFilename(filename)) {
-    //   deducedLanguages.push({language: PHP, projectFilename: filename})
-    // }
-    //
+
+    if (isPhpProjectFilename(filename)) {
+      deducedLanguages.push({ language: PHP, projectFilename: filename })
+      language = PHP
+    }
+
     // // Check for lock filenames...
     // if (isDotNetLockFilename(filename)) {
     //   deducedLanguages.push({language: DOTNET, lockFilename: filename})
     // }
-    //
+
     if (isNodeLockFilename(filename)) {
       deducedLanguages.push(filename)
-      language = NODE
+      language = JAVASCRIPT
     }
-    //
+
     // if (isRubyLockFilename(filename)) {
     //   deducedLanguages.push({language: RUBY, lockFilename: filename})
     // }
@@ -85,11 +86,11 @@ const deduceLanguageScaAnalysis = filenames => {
     // if (isPipfileLockLockFilename(filename)) {
     //   deducedLanguages.push({language: PYTHON, lockFilename: filename})
     // }
-    //
-    // if (isPhpLockFilename(filename)) {
-    //   deducedLanguages.push({language: PHP, lockFilename: filename})
-    // }
-    //
+
+    if (isPhpLockFilename(filename)) {
+      deducedLanguages.push({ language: PHP, lockFilename: filename })
+    }
+
     // go does not have a lockfile, it should have a go.mod file containing the modules
     if (isGoProjectFilename(filename)) {
       deducedLanguages.push({ language: GO, projectFilename: filename })
@@ -192,7 +193,7 @@ const reduceIdentifiedLanguages = identifiedLanguages =>
  * specifies a specific language
  */
 module.exports = exports = (analysis, next) => {
-  const { projectPath, languageAnalysis, config } = analysis
+  const { file, languageAnalysis, config } = analysis
 
   let identifiedLanguages = languageAnalysis.projectRootFilenames.reduce(
     (accumulator, filename) => {
@@ -203,7 +204,7 @@ module.exports = exports = (analysis, next) => {
   )
 
   if (Object.keys(identifiedLanguages).length === 0) {
-    next(new Error(i18n.__('languageAnalysisNoLanguage', projectPath)))
+    next(new Error(i18n.__('languageAnalysisNoLanguage', file)))
     return
   }