@contrast/contrast 1.0.8 → 1.0.11

package/src/audit/save.js

@@ -3,27 +3,43 @@ const i18n = require('i18n')
 const chalk = require('chalk')
 const save = require('../commands/audit/saveFile')
 const sbom = require('../sbom/generateSbom')
+const {
+  SBOM_CYCLONE_DX_FILE,
+  SBOM_SPDX_FILE
+} = require('../constants/constants')
 
 async function auditSave(config) {
-  if (config.save) {
-    if (config.save.toLowerCase() === 'sbom') {
-      save.saveFile(config, await sbom.generateSbom(config))
+  let fileFormat
+  switch (config.save) {
+    case null:
+    case SBOM_CYCLONE_DX_FILE:
+      fileFormat = SBOM_CYCLONE_DX_FILE
+      break
+    case SBOM_SPDX_FILE:
+      fileFormat = SBOM_SPDX_FILE
+      break
+    default:
+      break
+  }
 
-      const filename = `${config.applicationId}-sbom-cyclonedx.json`
-      if (fs.existsSync(filename)) {
-        console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`)
-      } else {
-        console.log(
-          chalk.yellow.bold(
-            `\n Unable to save ${filename} Software Bill of Materials (SBOM)`
-          )
-        )
-      }
+  if (fileFormat) {
+    save.saveFile(
+      config,
+      fileFormat,
+      await sbom.generateSbom(config, fileFormat)
+    )
+    const filename = `${config.applicationId}-sbom-${fileFormat}.json`
+    if (fs.existsSync(filename)) {
+      console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`)
     } else {
-      console.log(i18n.__('auditBadFiletypeSpecifiedForSave'))
+      console.log(
+        chalk.yellow.bold(
+          `\n Unable to save ${filename} Software Bill of Materials (SBOM)`
+        )
+      )
     }
-  } else if (config.save === null) {
-    console.log(i18n.__('auditNoFiletypeSpecifiedForSave'))
+  } else {
+    console.log(i18n.__('auditBadFiletypeSpecifiedForSave'))
   }
 }
 

package/src/commands/audit/auditConfig.ts

@@ -1,39 +1,21 @@
 import paramHandler from '../../utils/paramsUtil/paramHandler'
 import constants from '../../constants'
-import cliOptions from '../../utils/parsedCLIOptions'
-import languageAnalysisEngine from '../../audit/languageAnalysisEngine/constants'
-import {
-  determineProjectLanguage,
-  identifyLanguages
-} from '../../audit/autodetection/autoDetectLanguage'
+import { getCommandLineArgsCustom } from '../../utils/parsedCLIOptions'
+import { ContrastConf } from '../../utils/getConfig'
 
-const {
-  supportedLanguages: { NODE, JAVASCRIPT }
-} = languageAnalysisEngine
-
-export const getAuditConfig = (argv: string[]): { [key: string]: string } => {
-  const auditParameters = cliOptions.getCommandLineArgsCustom(
+export const getAuditConfig = async (
+  contrastConf: ContrastConf,
+  command: string,
+  argv: string[]
+): Promise<{ [key: string]: string }> => {
+  const auditParameters = await getCommandLineArgsCustom(
+    contrastConf,
+    command,
     argv,
     constants.commandLineDefinitions.auditOptionDefinitions
   )
   const paramsAuth = paramHandler.getAuth(auditParameters)
 
-  if (
-    auditParameters.language === undefined ||
-    auditParameters.language === null
-  ) {
-    try {
-      auditParameters.language = determineProjectLanguage(
-        identifyLanguages(auditParameters)
-      )
-    } catch (err: any) {
-      console.log(err.message)
-      process.exit(1)
-    }
-  } else if (auditParameters.language.toUpperCase() === JAVASCRIPT) {
-    auditParameters.language = NODE.toLowerCase()
-  }
-
   // @ts-ignore
   return { ...paramsAuth, ...auditParameters }
 }

package/src/commands/audit/auditController.ts

@@ -1,9 +1,6 @@
 import { catalogueApplication } from '../../audit/catalogueApplication/catalogueApplication'
 import commonApi from '../../audit/languageAnalysisEngine/commonApi'
 
-const identifyLanguageAE = require('./../../audit/languageAnalysisEngine')
-const languageFactory = require('../../audit/languageAnalysisEngine/languageAnalysisFactory')
-
 export const dealWithNoAppId = async (config: { [x: string]: string }) => {
   let appID: string
   try {
@@ -32,14 +29,6 @@ export const dealWithNoAppId = async (config: { [x: string]: string }) => {
   return appID
 }
 
-export const startAudit = async (config: { [key: string]: string }) => {
-  if (!config.applicationId) {
-    // @ts-ignore
-    config.applicationId = await dealWithNoAppId(config)
-  }
-  identifyLanguageAE(config.file, languageFactory, config.applicationId, config)
-}
-
 export const getAppName = (file: string) => {
   const last = file.charAt(file.length - 1)
   if (last !== '/') {

package/src/commands/audit/help.ts

@@ -13,30 +13,13 @@ const auditUsageGuide = commandLineUsage([
       '{bold ' +
         i18n.__('constantsAuditPrerequisitesContentSupportedLanguages') +
         '}',
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentJava') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentMessage'),
-      '',
-      '{italic ' + i18n.__('constantsJavaNote') + '}',
-      '{italic ' + i18n.__('constantsJavaNoteGradle') + '}',
-      '',
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentDotNet') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentDotNetMessage'),
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentLanguageNode') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentLanguageNodeMessage'),
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentLanguageRuby') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentLanguageRubyMessage'),
-      '{bold ' +
-        i18n.__('constantsAuditPrerequisitesContentLanguagePython') +
-        '}' +
-        i18n.__('constantsAuditPrerequisitesContentLanguagePythonMessage')
+      i18n.__('constantsAuditPrerequisitesJavaContentMessage'),
+      i18n.__('constantsAuditPrerequisitesContentDotNetMessage'),
+      i18n.__('constantsAuditPrerequisitesContentNodeMessage'),
+      i18n.__('constantsAuditPrerequisitesContentRubyMessage'),
+      i18n.__('constantsAuditPrerequisitesContentPythonMessage'),
+      i18n.__('constantsAuditPrerequisitesContentGoMessage'),
+      i18n.__('constantsAuditPrerequisitesContentPHPMessage')
     ]
   },
   {

package/src/commands/audit/processAudit.ts

@@ -1,22 +1,30 @@
-import { startAudit } from './auditController'
 import { getAuditConfig } from './auditConfig'
 import { auditUsageGuide } from './help'
 import { processSca } from '../scan/sca/scaAnalysis'
+import { sendTelemetryConfigAsObject } from '../../telemetry/telemetry'
+import { ContrastConf } from '../../utils/getConfig'
 
 export type parameterInput = string[]
 
-export const processAudit = async (argv: parameterInput) => {
+export const processAudit = async (
+  contrastConf: ContrastConf,
+  argv: parameterInput
+) => {
   if (argv.indexOf('--help') != -1) {
     printHelpMessage()
     process.exit(0)
   }
-  const config = getAuditConfig(argv)
 
-  if (config.experimental) {
-    await processSca(config)
-  } else {
-    await startAudit(config)
-  }
+  const config = await getAuditConfig(contrastConf, 'audit', argv)
+  await processSca(config)
+  await sendTelemetryConfigAsObject(
+    config,
+    'audit',
+    argv,
+    'SUCCESS',
+    // @ts-ignore
+    config.language
+  )
 }
 
 const printHelpMessage = () => {

package/src/commands/audit/saveFile.ts

@@ -1,7 +1,7 @@
 import fs from 'fs'
 
-export const saveFile = (config: any, rawResults: any) => {
-  const fileName = `${config.applicationId}-sbom-cyclonedx.json`
+export const saveFile = (config: any, type: string, rawResults: any) => {
+  const fileName = `${config.applicationId}-sbom-${type}.json`
   fs.writeFileSync(fileName, JSON.stringify(rawResults))
 }
 

package/src/commands/auth/auth.js

@@ -16,7 +16,9 @@ const constants = require('../../constants')
 const commandLineUsage = require('command-line-usage')
 
 const processAuth = async (argv, config) => {
-  let authParams = parsedCLIOptions.getCommandLineArgsCustom(
+  let authParams = await parsedCLIOptions.getCommandLineArgsCustom(
+    config,
+    'auth',
     argv,
     constants.commandLineDefinitions.authOptionDefinitions
   )

package/src/commands/config/config.js

@@ -3,9 +3,11 @@ const constants = require('../../constants')
 const commandLineUsage = require('command-line-usage')
 const i18n = require('i18n')
 
-const processConfig = (argv, config) => {
+const processConfig = async (argv, config) => {
   try {
-    let configParams = parsedCLIOptions.getCommandLineArgsCustom(
+    let configParams = await parsedCLIOptions.getCommandLineArgsCustom(
+      config,
+      'config',
       argv,
       constants.commandLineDefinitions.configOptionDefinitions
     )

package/src/commands/scan/processScan.js

@@ -4,24 +4,37 @@ const { saveScanFile } = require('../../utils/saveFile')
 const { ScanResultsModel } = require('../../scan/models/scanResultsModel')
 const { formatScanOutput } = require('../../scan/formatScanOutput')
 const { processSca } = require('./sca/scaAnalysis')
+const common = require('../../common/fail')
+const { sendTelemetryConfigAsObject } = require('../../telemetry/telemetry')
 
-const processScan = async argvMain => {
-  let config = scanConfig.getScanConfig(argvMain)
-  // console.log(config)
+const processScan = async (contrastConf, argv) => {
+  let config = await scanConfig.getScanConfig(contrastConf, 'scan', argv)
+  let output = undefined
   //try SCA analysis first
   if (config.experimental) {
-    await processSca(config)
+    await processSca(config, argv)
   }
 
   let scanResults = new ScanResultsModel(await startScan(config))
+  await sendTelemetryConfigAsObject(
+    config,
+    'scan',
+    argv,
+    'SUCCESS',
+    scanResults.scanDetail.language
+  )
 
   if (scanResults.scanResultsInstances !== undefined) {
-    formatScanOutput(scanResults)
+    output = formatScanOutput(scanResults)
   }
 
   if (config.save !== undefined) {
     await saveScanFile(config, scanResults)
   }
+
+  if (config.fail) {
+    common.processFail(config, output)
+  }
 }
 
 module.exports = {

package/src/commands/scan/sca/scaAnalysis.js

@@ -1,13 +1,10 @@
 const autoDetection = require('../../../scan/autoDetection')
 const javaAnalysis = require('../../../scaAnalysis/java')
 const treeUpload = require('../../../scaAnalysis/common/treeUpload')
-const {
-  manualDetectAuditFilesAndLanguages
-} = require('../../../scan/autoDetection')
 const auditController = require('../../audit/auditController')
 const {
-  supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP }
-} = require('../../../audit/languageAnalysisEngine/constants')
+  supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET }
+} = require('../../../constants/constants')
 const goAnalysis = require('../../../scaAnalysis/go/goAnalysis')
 const phpAnalysis = require('../../../scaAnalysis/php/index')
 const { rubyAnalysis } = require('../../../scaAnalysis/ruby')
@@ -26,15 +23,33 @@ const {
   vulnerabilityReportV2
 } = require('../../../audit/languageAnalysisEngine/report/reportingFeature')
 const auditSave = require('../../../audit/save')
-
+const { dotNetAnalysis } = require('../../../scaAnalysis/dotnet')
+const { auditUsageGuide } = require('../../audit/help')
+const rootFile = require('../../../audit/languageAnalysisEngine/getProjectRootFilenames')
+const path = require('path')
 const processSca = async config => {
+  const startTime = performance.now()
   let filesFound
-  if (config.file) {
-    config.file = config.file.concat('/')
-    filesFound = await manualDetectAuditFilesAndLanguages(config.file)
-  } else {
-    filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config)
-    config.file = process.cwd().concat('/')
+
+  if (config.help) {
+    console.log(auditUsageGuide)
+    process.exit(0)
+  }
+
+  const projectStats = await rootFile.getProjectStats(config.file)
+  let pathWithFile = projectStats.isFile()
+
+  config.fileName = config.file
+  config.file = pathWithFile
+    ? rootFile.getDirectoryFromPathGiven(config.file).concat('/')
+    : config.file
+
+  filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config.file)
+
+  if (filesFound.length > 1 && pathWithFile) {
+    filesFound = filesFound.filter(i =>
+      Object.values(i)[0].includes(path.basename(config.fileName))
+    )
   }
 
   // files found looks like [ { javascript: [ Array ] } ]
@@ -70,15 +85,21 @@ const processSca = async config => {
         messageToSend = goAnalysis.goAnalysis(config, filesFound[0])
         config.language = GO
         break
+      case DOTNET:
+        messageToSend = dotNetAnalysis(config, filesFound[0])
+        config.language = DOTNET
+        break
       default:
         //something is wrong
-        console.log('language detected not supported')
+        console.log('No supported language detected in project path')
         return
     }
 
     if (!config.applicationId) {
       config.applicationId = await auditController.dealWithNoAppId(config)
     }
+
+    console.log('') //empty log for space before spinner
     //send message to TS
     const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
     startSpinner(reportSpinner)
@@ -93,17 +114,28 @@ const processSca = async config => {
       snapshotResponse.id,
       reportSpinner
     )
-    succeedSpinner(reportSpinner, 'Contrast SCA audit complete')
+    succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
 
     await vulnerabilityReportV2(config, snapshotResponse.id)
+    if (config.save !== undefined) {
+      await auditSave.auditSave(config)
+    }
+    const endTime = performance.now() - startTime
+    const scanDurationMs = endTime - startTime
 
-    await auditSave.auditSave(config)
+    console.log(
+      `----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`
+    )
   } else {
     if (filesFound.length === 0) {
-      console.log('no compatible dependency files detected. Continuing...')
+      console.log(i18n.__('languageAnalysisNoLanguage'))
+      console.log(i18n.__('languageAnalysisNoLanguageHelpLine'))
+      throw new Error()
     } else {
-      console.log(
-        'multiple language files detected, please use --file to specify a directory or the file where dependencies are declared'
+      throw new Error(
+        `multiple language files detected \n` +
+          JSON.stringify(filesFound) +
+          `\nplease use --file to audit one language only. Example: contrast audit --file package-lock.json`
       )
     }
   }

package/src/common/HTTPClient.js

@@ -333,9 +333,9 @@ HTTPClient.prototype.checkLibrary = function checkLibrary(data) {
   return requestUtils.sendRequest({ method: 'post', options })
 }
 
-HTTPClient.prototype.getSbom = function getSbom(config) {
+HTTPClient.prototype.getSbom = function getSbom(config, type) {
   const options = _.cloneDeep(this.requestOptions)
-  options.url = createSbomCycloneDXUrl(config)
+  options.url = createSbomUrl(config, type)
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
@@ -346,6 +346,16 @@ HTTPClient.prototype.getLatestVersion = function getLatestVersion() {
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
+HTTPClient.prototype.postTelemetry = function postTelemetry(
+  config,
+  requestBody
+) {
+  const options = _.cloneDeep(this.requestOptions)
+  options.url = createTelemetryEventUrl(config)
+  options.body = requestBody
+  return requestUtils.sendRequest({ method: 'post', options })
+}
+
 // analytics
 
 HTTPClient.prototype.postAnalyticsFunction = function (config, provider, body) {
@@ -417,13 +427,13 @@ function createLibraryVulnerabilitiesUrl(config) {
   return `${config.host}/Contrast/api/ng/${config.organizationId}/libraries/artifactsByGroupNameVersion`
 }
 
-function createSpecificReportUrl(config, reportId) {
-  return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/reports/${reportId}`
+function createSpecificReportUrl(config, reportId, includeTree = false) {
+  return `${config.host}/Contrast/api/ng/sca/organizations/${config.organizationId}/applications/${config.applicationId}/reports/${reportId}?&includeTree=${includeTree}`
 }
 
-function createSpecificReportWithProdUrl(config, reportId) {
-  return createSpecificReportUrl(config, reportId).concat(
-    `?nodesToInclude=PROD`
+function createSpecificReportWithProdUrl(config, reportId, includeTree) {
+  return createSpecificReportUrl(config, reportId, includeTree).concat(
+    `&nodesToInclude=PROD`
   )
 }
 
@@ -435,8 +445,12 @@ function createDataUrl() {
   return `https://ardy.contrastsecurity.com/production`
 }
 
-function createSbomCycloneDXUrl(config) {
-  return `${config.host}/Contrast/api/ng/${config.organizationId}/applications/${config.applicationId}/libraries/sbom/cyclonedx`
+function createSbomUrl(config, type) {
+  return `${config.host}/Contrast/api/ng/${config.organizationId}/applications/${config.applicationId}/libraries/sbom/${type}`
+}
+
+function createTelemetryEventUrl(config) {
+  return `${config.host}/Contrast/api/sast/organizations/${config.organizationId}/cli`
 }
 
 module.exports = HTTPClient

package/src/common/errorHandling.ts

@@ -39,9 +39,8 @@ const reportFailureError = () => {
 }
 
 const genericError = (missingCliOption: string) => {
-  // prettier-ignore
-  console.log(`*************************** ${i18n.__('yamlMissingParametersHeader')} ***************************\n${missingCliOption}`)
-  console.error(i18n.__('yamlMissingParametersMessage'))
+  console.log(missingCliOption)
+  console.error(i18n.__('genericErrorMessage'))
   process.exit(1)
 }
 

package/src/common/fail.js

@@ -0,0 +1,75 @@
+const i18n = require('i18n')
+
+const processFail = (config, reportResults) => {
+  if (config.severity !== undefined) {
+    if (
+      reportResults[config.severity] !== undefined &&
+      isSeverityViolation(config.severity, reportResults)
+    ) {
+      failPipeline('failSeverityOptionErrorMessage')
+    }
+  }
+
+  if (config.severity === undefined && reportResults.total > 0) {
+    failPipeline('failThresholdOptionErrorMessage')
+  }
+}
+
+const isSeverityViolation = (severity, reportResults) => {
+  let count = 0
+  switch (severity) {
+    case 'critical':
+      count += reportResults.critical
+      break
+    case 'high':
+      count += reportResults.high + reportResults.critical
+      break
+    case 'medium':
+      count += reportResults.medium + reportResults.low + reportResults.critical
+      break
+    case 'low':
+      count +=
+        reportResults.high + reportResults.critical + reportResults.medium
+      break
+    case 'note':
+      if (reportResults.note == reportResults.total) {
+        count = 0
+      } else {
+        count = reportResults.total
+      }
+      break
+    default:
+      count = 0
+  }
+  return count > 0
+}
+
+const failPipeline = (message = '') => {
+  console.log(
+    '\n ******************************** ' +
+      i18n.__('snapshotFailureHeader') +
+      ' *********************************\n' +
+      i18n.__(message)
+  )
+  process.exit(1)
+}
+
+const parseSeverity = severity => {
+  const severities = ['NOTE', 'LOW', 'MEDIUM', 'HIGH', 'CRITICAL']
+  if (severities.includes(severity.toUpperCase())) {
+    return severity.toLowerCase()
+  } else {
+    console.log(
+      severity +
+        ' Not recognised as a severity type please use LOW, MEDIUM, HIGH, CRITICAL, NOTE'
+    )
+    return undefined
+  }
+}
+
+module.exports = {
+  failPipeline,
+  processFail,
+  isSeverityViolation,
+  parseSeverity
+}

package/src/common/versionChecker.ts

@@ -20,7 +20,7 @@ const getLatestVersion = async (config: any) => {
 
 // @ts-ignore
 export async function findLatestCLIVersion(config: ContrastConf) {
-  const messageHidden = config.get('updateMessageHidden') as boolean
+  const messageHidden = config.get('isCI') as boolean
 
   if (!messageHidden) {
     let latestCLIVersion: string = await getLatestVersion(config)

package/src/constants/constants.js

@@ -5,15 +5,16 @@ const JAVA = 'JAVA'
 const RUBY = 'RUBY'
 const PYTHON = 'PYTHON'
 const GO = 'GO'
-// we set the langauge as Node instead of PHP since we're using the Node engine in TS
 const PHP = 'PHP'
 const JAVASCRIPT = 'JAVASCRIPT'
+// Severity
 const LOW = 'LOW'
 const MEDIUM = 'MEDIUM'
 const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
+// App
 const APP_NAME = 'contrast'
-const APP_VERSION = '1.0.8'
+const APP_VERSION = '1.0.11'
 const TIMEOUT = 120000
 const HIGH_COLOUR = '#ff9900'
 const CRITICAL_COLOUR = '#e35858'
@@ -29,10 +30,13 @@ const NOTE_PRIORITY = 5
 const AUTH_UI_URL = 'https://cli-auth.contrastsecurity.com'
 const AUTH_CALLBACK_URL = 'https://cli-auth-api.contrastsecurity.com'
 const SARIF_FILE = 'SARIF'
+const SBOM_CYCLONE_DX_FILE = 'cyclonedx'
+const SBOM_SPDX_FILE = 'spdx'
 const CE_URL = 'https://ce.contrastsecurity.com/'
 
 module.exports = {
   supportedLanguages: { NODE, DOTNET, JAVA, RUBY, PYTHON, GO, PHP, JAVASCRIPT },
+  supportedLanguagesScan: { JAVASCRIPT, DOTNET, JAVA },
   LOW,
   MEDIUM,
   HIGH,
@@ -53,5 +57,7 @@ module.exports = {
   HIGH_PRIORITY,
   MEDIUM_PRIORITY,
   LOW_PRIORITY,
-  NOTE_PRIORITY
+  NOTE_PRIORITY,
+  SBOM_CYCLONE_DX_FILE,
+  SBOM_SPDX_FILE
 }