@contrast/contrast 1.0.8 → 1.0.11

package/src/audit/languageAnalysisEngine/report/commonReportingFunctions.ts

@@ -9,11 +9,11 @@ import { orderBy } from 'lodash'
 import chalk from 'chalk'
 import { ReportCVEModel, ReportLibraryModel } from './models/reportLibraryModel'
 import {
+  countVulnerableLibrariesBySeverity,
   findCVESeveritiesAndOrderByHighestPriority,
   findHighestSeverityCVE,
   findNameAndVersion,
-  severityCountAllCVEs,
-  severityCountAllLibraries
+  severityCountAllCVEs
 } from './utils/reportUtils'
 import { SeverityCountModel } from './models/severityCountModel'
 import {
@@ -28,16 +28,17 @@ import {
   MEDIUM_COLOUR,
   NOTE_COLOUR
 } from '../../../constants/constants'
+import Table from 'cli-table3'
+import { ReportGuidanceModel } from './models/reportGuidanceModel'
 
-export const createLibraryHeader = (
-  id: string,
+export const createSummaryMessage = (
   numberOfVulnerableLibraries: number,
   numberOfCves: number
 ) => {
   numberOfVulnerableLibraries === 1
-    ? console.log(`Found 1 vulnerable library containing ${numberOfCves} CVEs`)
+    ? console.log(`Found 1 vulnerable library containing ${numberOfCves} CVE`)
     : console.log(
-        `Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVEs `
+        `Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVEs`
       )
 }
 
@@ -59,21 +60,35 @@ export const getReport = async (config: any, reportId: string) => {
 }
 
 export const printVulnerabilityResponse = (
-  vulnerabilities: ReportLibraryModel[],
-  config: any
+  config: any,
+  vulnerableLibraries: ReportLibraryModel[],
+  numberOfVulnerableLibraries: number,
+  numberOfCves: number,
+  guidance: any
 ) => {
   let hasSomeVulnerabilitiesReported = false
-  printFormattedOutput(vulnerabilities, config)
-  if (Object.keys(vulnerabilities).length > 0) {
+  printFormattedOutput(
+    config,
+    vulnerableLibraries,
+    numberOfVulnerableLibraries,
+    numberOfCves,
+    guidance
+  )
+  if (Object.keys(vulnerableLibraries).length > 0) {
     hasSomeVulnerabilitiesReported = true
   }
   return hasSomeVulnerabilitiesReported
 }
 
 export const printFormattedOutput = (
+  config: any,
   libraries: ReportLibraryModel[],
-  config: any
+  numberOfVulnerableLibraries: number,
+  numberOfCves: number,
+  guidance: any
 ) => {
+  createSummaryMessage(numberOfVulnerableLibraries, numberOfCves)
+  console.log()
   const report = new ReportList()
 
   for (const library of libraries) {
@@ -91,7 +106,6 @@ export const printFormattedOutput = (
       ),
       library.cveArray
     )
-
     report.reportOutputList.push(newOutputModel)
   }
 
@@ -105,17 +119,40 @@ export const printFormattedOutput = (
         return reportListItem.compositeKey.numberOfSeverities
       }
     ],
-    ['desc']
+    ['asc', 'desc']
   )
 
-  let contrastHeaderNumCounter =
-    outputOrderedByLowestSeverityAndLowestNumOfCvesFirst.length + 1
+  let contrastHeaderNumCounter = 0
   for (const reportModel of outputOrderedByLowestSeverityAndLowestNumOfCvesFirst) {
-    contrastHeaderNumCounter--
+    contrastHeaderNumCounter++
     const { libraryName, libraryVersion, highestSeverity } =
       reportModel.compositeKey
     const numOfCVEs = reportModel.cveArray.length
 
+    const table = new Table({
+      chars: {
+        top: '',
+        'top-mid': '',
+        'top-left': '',
+        'top-right': '',
+        bottom: '',
+        'bottom-mid': '',
+        'bottom-left': '',
+        'bottom-right': '',
+        left: '',
+        'left-mid': '',
+        mid: '',
+        'mid-mid': '',
+        right: '',
+        'right-mid': '',
+        middle: ' '
+      },
+      style: { 'padding-left': 0, 'padding-right': 0 },
+      colAligns: ['right'],
+      wordWrap: true,
+      colWidths: [12, 1, 100]
+    })
+
     const header = buildHeader(
       highestSeverity,
       contrastHeaderNumCounter,
@@ -124,31 +161,39 @@ export const printFormattedOutput = (
       numOfCVEs
     )
 
-    const body = buildBody(reportModel.cveArray)
+    const advice = gatherRemediationAdvice(
+      guidance,
+      libraryName,
+      libraryVersion
+    )
+
+    const body = buildBody(reportModel.cveArray, advice)
 
     const reportOutputModel = new ReportOutputModel(header, body)
+
+    table.push(
+      reportOutputModel.body.issueMessage,
+      reportOutputModel.body.adviceMessage
+    )
+
     console.log(
       reportOutputModel.header.vulnMessage,
       reportOutputModel.header.introducesMessage
     )
-    console.log(reportOutputModel.body.issueMessage)
-    console.log(reportOutputModel.body.adviceMessage + '\n')
+    console.log(table.toString() + '\n')
   }
 
+  createSummaryMessage(numberOfVulnerableLibraries, numberOfCves)
   const {
     criticalMessage,
     highMessage,
     mediumMessage,
     lowMessage,
-    noteMessage,
-    total
-  } = buildFooter(libraries)
-
-  if (total > 1) {
-    console.log(
-      `${criticalMessage} | ${highMessage} | ${mediumMessage} | ${lowMessage} | ${noteMessage}`
-    )
-  }
+    noteMessage
+  } = buildFooter(outputOrderedByLowestSeverityAndLowestNumOfCvesFirst)
+  console.log(
+    `${criticalMessage} | ${highMessage} | ${mediumMessage} | ${lowMessage} | ${noteMessage}`
+  )
 }
 
 export function buildHeader(
@@ -162,20 +207,22 @@ export function buildHeader(
     numOfCVEs > 1 ? 'vulnerabilities' : 'vulnerability'
   const formattedHeaderNum = buildFormattedHeaderNum(contrastHeaderNum)
 
-  const vulnMessage = chalk
-    .hex(highestSeverity.outputColour)
-    .bold(
-      `${formattedHeaderNum} - [${highestSeverity.severity}] ${libraryName}-${version}`
-    )
-
-  const introducesMessage = chalk.bold(
-    `introduces ${numOfCVEs} ${vulnerabilityPluralised}`
+  const headerColour = chalk.hex(highestSeverity.outputColour)
+  const headerNumAndSeverity = headerColour(
+    `${formattedHeaderNum} - [${highestSeverity.severity}]`
   )
+  const libraryNameAndVersion = headerColour.bold(`${libraryName}-${version}`)
+  const vulnMessage = `${headerNumAndSeverity} ${libraryNameAndVersion}`
+
+  const introducesMessage = `introduces ${numOfCVEs} ${vulnerabilityPluralised}`
 
   return new ReportOutputHeaderModel(vulnMessage, introducesMessage)
 }
 
-export function buildBody(cveArray: ReportCVEModel[]) {
+export function buildBody(
+  cveArray: ReportCVEModel[],
+  advice: ReportGuidanceModel
+) {
   const cveMessages: string[] = []
 
   findCVESeveritiesAndOrderByHighestPriority(cveArray).forEach(
@@ -187,57 +234,51 @@ export function buildBody(cveArray: ReportCVEModel[]) {
         .hex(outputColour)
         .bold(`[${severity.charAt(0).toUpperCase()}]`)
 
-      const builtMessage = `${severityShorthand} ${cveName}`
+      const builtMessage = severityShorthand + cveName
       cveMessages.push(builtMessage)
     }
   )
 
   const numAndSeverityType = getNumOfAndSeverityType(cveArray)
 
-  const issueMessage = ` ${chalk.bold(
-    'Issue'
-  )}  : ${numAndSeverityType} ${cveMessages.join(', ')}.`
+  const issueMessage = [
+    chalk.bold('Issue'),
+    ':',
+    `${numAndSeverityType} ${cveMessages.join(', ')}`
+  ]
+
+  //todo different advice based on remediationGuidance being available or now
+  // console.log(advice)
+
+  const minOrMax = advice.maximum ? advice.maximum : advice.minimum
+  const displayAdvice = minOrMax
+    ? `Change to version ${chalk.bold(minOrMax)}`
+    : 'No recommendation is available according to our data. Upgrade to the latest stable is the best advice we can give.'
 
-  const adviceMessage = ` ${chalk.bold('Advice')} : ${chalk.bold(
-    'Update to latest version'
-  )}.`
+  const adviceMessage = [chalk.bold('Advice'), ':', displayAdvice]
 
   return new ReportOutputBodyModel(issueMessage, adviceMessage)
 }
 
-const buildFooter = (libraries: ReportLibraryModel[]) => {
-  const { critical, high, medium, low, note, getTotal } =
-    severityCountAllLibraries(libraries)
-  const criticalMessage = chalk
-    .hex(CRITICAL_COLOUR)
-    .bold(`${critical} Critical`)
-  const highMessage = chalk.hex(HIGH_COLOUR).bold(`${high} High`)
-  const mediumMessage = chalk.hex(MEDIUM_COLOUR).bold(`${medium} Medium`)
-  const lowMessage = chalk.hex(LOW_COLOUR).bold(`${low} Low`)
-  const noteMessage = chalk.hex(NOTE_COLOUR).bold(`${note} Note`)
+export function gatherRemediationAdvice(
+  guidance: any,
+  libraryName: string,
+  libraryVersion: string
+) {
+  const guidanceModel = new ReportGuidanceModel()
 
-  return {
-    criticalMessage,
-    highMessage,
-    mediumMessage,
-    lowMessage,
-    noteMessage,
-    total: getTotal
+  const data = guidance[libraryName + '@' + libraryVersion]
+
+  if (data) {
+    guidanceModel.minimum = data.minUpgradeVersion
+    guidanceModel.maximum = data.maxUpgradeVersion
   }
+
+  return guidanceModel
 }
 
 export function buildFormattedHeaderNum(contrastHeaderNum: number) {
-  let formattedHeaderNum
-
-  if (contrastHeaderNum < 10) {
-    formattedHeaderNum = `00${contrastHeaderNum}`
-  } else if (contrastHeaderNum >= 10 && contrastHeaderNum < 100) {
-    formattedHeaderNum = `0${contrastHeaderNum}`
-  } else if (contrastHeaderNum >= 100) {
-    formattedHeaderNum = contrastHeaderNum
-  }
-
-  return `CONTRAST-${formattedHeaderNum}`
+  return `CONTRAST-${contrastHeaderNum.toString().padStart(3, '0')}`
 }
 
 export function getNumOfAndSeverityType(cveArray: ReportCVEModel[]) {
@@ -246,14 +287,51 @@ export function getNumOfAndSeverityType(cveArray: ReportCVEModel[]) {
     new SeverityCountModel()
   )
 
-  const criticalMessage = critical > 0 ? `${critical} Critical` : ''
-  const highMessage = high > 0 ? `${high} High` : ''
-  const mediumMessage = medium > 0 ? `${medium} Medium` : ''
-  const lowMessage = low > 0 ? `${low} Low` : ''
-  const noteMessage = note > 0 ? `${note} Note` : ''
+  const criticalNumCheck = critical > 0
+
+  const highNumCheck = high > 0
+  const highDivider = highNumCheck ? '|' : ''
+
+  const mediumNumCheck = medium > 0
+  const mediumDivider = mediumNumCheck ? '|' : ''
+
+  const lowNumCheck = low > 0
+  const lowDivider = lowNumCheck ? '|' : ''
+
+  const noteNumCheck = low > 0
+  const noteDivider = noteNumCheck ? '|' : ''
+
+  const criticalMessage = criticalNumCheck
+    ? `${critical} Critical ${highDivider}`
+    : ''
+  const highMessage = highNumCheck ? `${high} High ${mediumDivider}` : ''
+  const mediumMessage = mediumNumCheck ? `${medium} Medium ${lowDivider}` : ''
+  const lowMessage = lowNumCheck ? `${low} Low ${noteDivider}` : ''
+  const noteMessage = noteNumCheck ? `${note} Note` : ''
 
   //removes/trims whitespace to single spaces
   return `${criticalMessage} ${highMessage} ${mediumMessage} ${lowMessage} ${noteMessage}`
     .replace(/\s+/g, ' ')
     .trim()
 }
+
+const buildFooter = (reportModelStructure: ReportModelStructure[]) => {
+  const { critical, high, medium, low, note } =
+    countVulnerableLibrariesBySeverity(reportModelStructure)
+
+  const criticalMessage = chalk
+    .hex(CRITICAL_COLOUR)
+    .bold(`${critical} Critical`)
+  const highMessage = chalk.hex(HIGH_COLOUR).bold(`${high} High`)
+  const mediumMessage = chalk.hex(MEDIUM_COLOUR).bold(`${medium} Medium`)
+  const lowMessage = chalk.hex(LOW_COLOUR).bold(`${low} Low`)
+  const noteMessage = chalk.hex(NOTE_COLOUR).bold(`${note} Note`)
+
+  return {
+    criticalMessage,
+    highMessage,
+    mediumMessage,
+    lowMessage,
+    noteMessage
+  }
+}

package/src/audit/languageAnalysisEngine/report/models/reportGuidanceModel.ts

@@ -0,0 +1,5 @@
+export class ReportGuidanceModel {
+  minimum?: string
+  maximum?: string
+  latest?: string
+}

package/src/audit/languageAnalysisEngine/report/models/reportOutputModel.ts

@@ -19,11 +19,11 @@ export class ReportOutputHeaderModel {
 }
 
 export class ReportOutputBodyModel {
-  issueMessage: string
-  adviceMessage: string
+  issueMessage: string[]
+  adviceMessage: string[]
 
-  constructor(bodyIssueMessage: string, bodyAdviceMessage: string) {
-    this.issueMessage = bodyIssueMessage
-    this.adviceMessage = bodyAdviceMessage
+  constructor(issueMessage: string[], adviceMessage: string[]) {
+    this.issueMessage = issueMessage
+    this.adviceMessage = adviceMessage
   }
 }

package/src/audit/languageAnalysisEngine/report/models/severityCountModel.ts

@@ -4,6 +4,7 @@ export class SeverityCountModel {
   medium!: number
   low!: number
   note!: number
+  total!: number
 
   //needed as default to stop NaN when new object constructed
   constructor() {
@@ -12,6 +13,7 @@ export class SeverityCountModel {
     this.medium = 0
     this.low = 0
     this.note = 0
+    this.total = 0
   }
 
   get getTotal(): number {

package/src/audit/languageAnalysisEngine/report/reportingFeature.ts

@@ -1,5 +1,4 @@
 import {
-  createLibraryHeader,
   getReport,
   printVulnerabilityResponse
 } from './commonReportingFunctions'
@@ -9,33 +8,53 @@ import {
 } from './utils/reportUtils'
 import i18n from 'i18n'
 import chalk from 'chalk'
+import * as constants from '../../../constants/constants'
+import { SeverityCountModel } from './models/severityCountModel'
+import * as common from '../../../common/fail'
 
-export async function vulnerabilityReport(
-  analysis: any,
-  applicationId: string,
-  reportId: string
-) {
-  const reportResponse = await getReport(analysis.config, reportId)
+export function convertKeysToStandardFormat(config: any, guidance: any) {
+  let convertedGuidance = guidance
 
-  if (reportResponse !== undefined) {
-    const id = applicationId
-    formatVulnerabilityOutput(
-      reportResponse.vulnerabilities,
-      id,
-      analysis.config
-    )
+  switch (config.language) {
+    case constants.supportedLanguages.JAVA:
+    case constants.supportedLanguages.GO:
+    case constants.supportedLanguages.PHP:
+      break
+    case constants.supportedLanguages.NODE:
+    case constants.supportedLanguages.DOTNET:
+    case constants.supportedLanguages.PYTHON:
+    case constants.supportedLanguages.RUBY:
+      convertedGuidance = convertJSDotNetPython(guidance)
+      break
   }
+  return convertedGuidance
+}
+
+export function convertJSDotNetPython(guidance: any) {
+  const returnObject = {}
+
+  Object.entries(guidance).forEach(([key, value]) => {
+    const splitKey = key.split('/')
+    if (splitKey.length === 2) {
+      // @ts-ignore
+      returnObject[splitKey[1]] = value
+    }
+  })
+  return returnObject
 }
 
 export function formatVulnerabilityOutput(
   libraryVulnerabilityResponse: any,
   id: string,
-  config: any
+  config: any,
+  remediationGuidance: any
 ) {
   const vulnerableLibraries = convertGenericToTypedLibraryVulns(
     libraryVulnerabilityResponse
   )
 
+  const guidance = convertKeysToStandardFormat(config, remediationGuidance)
+
   const numberOfVulnerableLibraries = vulnerableLibraries.length
 
   if (numberOfVulnerableLibraries === 0) {
@@ -55,34 +74,44 @@ export function formatVulnerabilityOutput(
         String(0)
       )
     )
+    return [false, 0, [new SeverityCountModel()]]
   } else {
     let numberOfCves = 0
     vulnerableLibraries.forEach(lib => (numberOfCves += lib.cveArray.length))
 
-    createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves)
-
     const hasSomeVulnerabilitiesReported = printVulnerabilityResponse(
+      config,
       vulnerableLibraries,
-      config
-    )
-
-    return [
-      hasSomeVulnerabilitiesReported,
+      numberOfVulnerableLibraries,
       numberOfCves,
-      severityCountAllLibraries(vulnerableLibraries)
-    ]
+      guidance
+    )
+    let severityCount = new SeverityCountModel()
+    severityCount = severityCountAllLibraries(
+      vulnerableLibraries,
+      severityCount
+    )
+    severityCount.total = severityCount.getTotal
+    return [hasSomeVulnerabilitiesReported, numberOfCves, severityCount]
   }
 }
 
 export async function vulnerabilityReportV2(config: any, reportId: string) {
+  console.log()
   const reportResponse = await getReport(config, reportId)
 
   if (reportResponse !== undefined) {
-    const name = config.applicationName
-    formatVulnerabilityOutput(
+    let output = formatVulnerabilityOutput(
       reportResponse.vulnerabilities,
       config.applicationId,
-      config
+      config,
+      reportResponse.remediationGuidance
+        ? reportResponse.remediationGuidance
+        : {}
     )
+
+    if (config.fail) {
+      common.processFail(config, output[2])
+    }
   }
 }

package/src/audit/languageAnalysisEngine/report/utils/reportUtils.ts

@@ -3,7 +3,7 @@ import {
   ReportLibraryModel
 } from '../models/reportLibraryModel'
 import { ReportSeverityModel } from '../models/reportSeverityModel'
-import languageAnalysisEngine from '../../../languageAnalysisEngine/constants'
+import languageAnalysisEngine from './../../../../constants/constants'
 import {
   CRITICAL_COLOUR,
   CRITICAL_PRIORITY,
@@ -18,6 +18,7 @@ import {
 } from '../../../../constants/constants'
 import { orderBy } from 'lodash'
 import { SeverityCountModel } from '../models/severityCountModel'
+import { ReportModelStructure } from '../models/reportListModel'
 const {
   supportedLanguages: { GO }
 } = languageAnalysisEngine
@@ -74,9 +75,9 @@ export function convertGenericToTypedLibraryVulns(libraries: any) {
 }
 
 export function severityCountAllLibraries(
-  vulnerableLibraries: ReportLibraryModel[]
+  vulnerableLibraries: ReportLibraryModel[],
+  severityCount: SeverityCountModel
 ) {
-  const severityCount = new SeverityCountModel()
   vulnerableLibraries.forEach(lib =>
     severityCountAllCVEs(lib.cveArray, severityCount)
   )
@@ -122,11 +123,49 @@ export function findNameAndVersion(library: ReportLibraryModel, config: any) {
 
     return { name, version }
   } else {
-    const splitLibraryName = library.name.split('/')
-    const nameVersion = splitLibraryName[1].split('@')
-    const name = nameVersion[0]
+    //spreads items from split into set so no duplicates appear
+    const uniqueSplitLibraryName = [...new Set(library.name.split('/'))]
+    const nameVersion = uniqueSplitLibraryName[1].split('@')
+
+    let parentLibrary
+    let name
+    if (
+      uniqueSplitLibraryName[0] !== 'null' &&
+      uniqueSplitLibraryName[0] !== '' &&
+      !uniqueSplitLibraryName[1].includes(uniqueSplitLibraryName[0])
+    ) {
+      //if the parent lib (element 0) is not null, not blank and not already part of the library name
+      //e.g. shared-ini-file-loader-1.0.0-rc.3 is very generic - converts to @aws-sdk/shared-ini-file-loader-1.0.0-rc.3
+      parentLibrary = uniqueSplitLibraryName[0]
+      name = `${parentLibrary}/${nameVersion[0]}`
+    } else {
+      name = nameVersion[0]
+    }
+
     const version = nameVersion[1]
 
     return { name, version }
   }
 }
+
+export function countVulnerableLibrariesBySeverity(
+  reportModelStructure: ReportModelStructure[]
+) {
+  const severityCount = new SeverityCountModel()
+  reportModelStructure.forEach(vuln => {
+    const currentSeverity = vuln.compositeKey.highestSeverity.severity
+    if (currentSeverity === 'CRITICAL') {
+      severityCount.critical += 1
+    } else if (currentSeverity === 'HIGH') {
+      severityCount.high += 1
+    } else if (currentSeverity === 'MEDIUM') {
+      severityCount.medium += 1
+    } else if (currentSeverity === 'LOW') {
+      severityCount.low += 1
+    } else if (currentSeverity === 'NOTE') {
+      severityCount.note += 1
+    }
+  })
+
+  return severityCount
+}

package/src/audit/languageAnalysisEngine/sendSnapshot.js

@@ -1,5 +1,3 @@
-const { handleResponseErrors } = require('../../common/errorHandling')
-const { APP_VERSION } = require('../../constants/constants')
 const commonApi = require('../../utils/commonApi')
 const _ = require('lodash')
 const oraFunctions = require('../../utils/oraWrapper')
@@ -8,30 +6,6 @@ const oraWrapper = require('../../utils/oraWrapper')
 const requestUtils = require('../../utils/requestUtils')
 const { performance } = require('perf_hooks')
 
-const newSendSnapShot = async analysis => {
-  const analysisLanguage = analysis.config.language.toLowerCase()
-  const requestBody = {
-    appID: analysis.config.applicationId,
-    cliVersion: APP_VERSION,
-    snapshot: { [analysisLanguage]: analysis[analysisLanguage] }
-  }
-
-  const client = commonApi.getHttpClient(analysis.config)
-
-  return client
-    .sendSnapshot(requestBody, analysis.config)
-    .then(res => {
-      if (res.statusCode === 201) {
-        return res.body
-      } else {
-        handleResponseErrors(res, 'snapshot')
-      }
-    })
-    .catch(err => {
-      console.log(err)
-    })
-}
-
 const pollSnapshotResults = async (config, snapshotId, client) => {
   await requestUtils.sleep(5000)
   return client
@@ -49,9 +23,9 @@ const getTimeout = config => {
     return config.timeout
   } else {
     if (config.verbose) {
-      console.log('Timeout set to 2 minutes')
+      console.log('Timeout set to 5 minutes')
     }
-    return 120
+    return 300
   }
 }
 
@@ -91,16 +65,16 @@ const pollForSnapshotCompletition = async (
       if (requestUtils.millisToSeconds(endTime) > timeout) {
         oraFunctions.failSpinner(
           reportSpinner,
-          'Contrast audit timed out at the specified ' + timeout + ' seconds.'
+          'Contrast audit timed out at the specified timeout of ' +
+            timeout +
+            ' seconds.'
         )
-        console.log('Please try again, allowing more time.')
-        process.exit(1)
+        throw new Error('You can update the timeout using --timeout')
       }
     }
   }
 }
 
 module.exports = {
-  newSendSnapShot: newSendSnapShot,
   pollForSnapshotCompletition: pollForSnapshotCompletition
 }