npm - @contrast/contrast - Versions diffs - 1.0.8 → 1.0.11 - Mend

@contrast/contrast 1.0.8 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (217) hide show

package/README.md +2 -2
package/dist/audit/languageAnalysisEngine/getProjectRootFilenames.js +16 -25
package/dist/audit/languageAnalysisEngine/report/commonReportingFunctions.js +103 -57
package/dist/audit/languageAnalysisEngine/report/models/reportGuidanceModel.js +6 -0
package/dist/audit/languageAnalysisEngine/report/models/reportOutputModel.js +3 -3
package/dist/audit/languageAnalysisEngine/report/models/severityCountModel.js +1 -0
package/dist/audit/languageAnalysisEngine/report/reportingFeature.js +68 -17
package/dist/audit/languageAnalysisEngine/report/utils/reportUtils.js +39 -7
package/dist/audit/languageAnalysisEngine/sendSnapshot.js +6 -30
package/dist/audit/save.js +21 -13
package/dist/commands/audit/auditConfig.js +3 -19
package/dist/commands/audit/auditController.js +1 -10
package/dist/commands/audit/help.js +7 -24
package/dist/commands/audit/processAudit.js +5 -9
package/dist/commands/audit/saveFile.js +2 -2
package/dist/commands/auth/auth.js +1 -1
package/dist/commands/config/config.js +2 -2
package/dist/commands/scan/processScan.js +11 -4
package/dist/commands/scan/sca/scaAnalysis.js +37 -13
package/dist/common/HTTPClient.js +17 -8
package/dist/common/errorHandling.js +2 -2
package/dist/common/fail.js +66 -0
package/dist/common/versionChecker.js +1 -1
package/dist/constants/constants.js +7 -2
package/dist/constants/locales.js +40 -38
package/dist/constants.js +62 -12
package/dist/index.js +57 -45
package/dist/lambda/lambda.js +5 -2
package/dist/sbom/generateSbom.js +2 -2
package/dist/scaAnalysis/common/formatMessage.js +7 -1
package/dist/scaAnalysis/common/scaParserForGoAndJava.js +32 -0
package/dist/scaAnalysis/common/treeUpload.js +24 -10
package/dist/scaAnalysis/dotnet/analysis.js +55 -0
package/dist/scaAnalysis/dotnet/index.js +10 -0
package/dist/scaAnalysis/go/goAnalysis.js +8 -2
package/dist/scaAnalysis/java/analysis.js +10 -6
package/dist/scaAnalysis/java/index.js +7 -1
package/dist/scaAnalysis/java/javaBuildDepsParser.js +19 -3
package/dist/scaAnalysis/javascript/analysis.js +4 -7
package/dist/scaAnalysis/javascript/index.js +16 -4
package/dist/scaAnalysis/php/analysis.js +14 -33
package/dist/scaAnalysis/php/index.js +11 -4
package/dist/scaAnalysis/python/analysis.js +43 -5
package/dist/scaAnalysis/python/index.js +7 -2
package/dist/scaAnalysis/ruby/analysis.js +16 -14
package/dist/scan/autoDetection.js +13 -24
package/dist/scan/fileUtils.js +31 -12
package/dist/scan/formatScanOutput.js +9 -8
package/dist/scan/populateProjectIdAndProjectName.js +5 -0
package/dist/scan/scan.js +4 -0
package/dist/scan/scanConfig.js +5 -5
package/dist/scan/scanResults.js +39 -3
package/dist/telemetry/telemetry.js +137 -0
package/dist/utils/commonApi.js +1 -1
package/dist/utils/getConfig.js +3 -8
package/dist/utils/parsedCLIOptions.js +3 -1
package/dist/utils/requestUtils.js +7 -1
package/package.json +2 -3
package/src/audit/languageAnalysisEngine/getProjectRootFilenames.js +21 -57
package/src/audit/languageAnalysisEngine/report/commonReportingFunctions.ts +155 -77
package/src/audit/languageAnalysisEngine/report/models/reportGuidanceModel.ts +5 -0
package/src/audit/languageAnalysisEngine/report/models/reportOutputModel.ts +5 -5
package/src/audit/languageAnalysisEngine/report/models/severityCountModel.ts +2 -0
package/src/audit/languageAnalysisEngine/report/reportingFeature.ts +56 -27
package/src/audit/languageAnalysisEngine/report/utils/reportUtils.ts +45 -6
package/src/audit/languageAnalysisEngine/sendSnapshot.js +6 -32
package/src/audit/save.js +32 -16
package/src/commands/audit/auditConfig.ts +10 -28
package/src/commands/audit/auditController.ts +0 -11
package/src/commands/audit/help.ts +7 -24
package/src/commands/audit/processAudit.ts +16 -8
package/src/commands/audit/saveFile.ts +2 -2
package/src/commands/auth/auth.js +3 -1
package/src/commands/config/config.js +4 -2
package/src/commands/scan/processScan.js +18 -5
package/src/commands/scan/sca/scaAnalysis.js +50 -18
package/src/common/HTTPClient.js +23 -9
package/src/common/errorHandling.ts +2 -3
package/src/common/fail.js +75 -0
package/src/common/versionChecker.ts +1 -1
package/src/constants/constants.js +9 -3
package/src/constants/locales.js +70 -45
package/src/constants.js +67 -13
package/src/index.ts +91 -66
package/src/lambda/lambda.ts +5 -2
package/src/lambda/types.ts +1 -0
package/src/sbom/generateSbom.ts +2 -2
package/src/scaAnalysis/common/formatMessage.js +8 -1
package/src/scaAnalysis/common/scaParserForGoAndJava.js +41 -0
package/src/scaAnalysis/common/treeUpload.js +25 -11
package/src/scaAnalysis/dotnet/analysis.js +72 -0
package/src/scaAnalysis/dotnet/index.js +11 -0
package/src/scaAnalysis/go/goAnalysis.js +9 -2
package/src/scaAnalysis/java/analysis.js +11 -6
package/src/scaAnalysis/java/index.js +9 -1
package/src/scaAnalysis/java/javaBuildDepsParser.js +25 -6
package/src/scaAnalysis/javascript/analysis.js +6 -7
package/src/scaAnalysis/javascript/index.js +25 -6
package/src/scaAnalysis/php/analysis.js +15 -35
package/src/scaAnalysis/php/index.js +15 -4
package/src/scaAnalysis/python/analysis.js +49 -5
package/src/scaAnalysis/python/index.js +7 -2
package/src/scaAnalysis/ruby/analysis.js +18 -15
package/src/scan/autoDetection.js +14 -27
package/src/scan/fileUtils.js +33 -12
package/src/scan/formatScanOutput.ts +10 -8
package/src/scan/populateProjectIdAndProjectName.js +5 -1
package/src/scan/scan.ts +4 -0
package/src/scan/scanConfig.js +7 -7
package/src/scan/scanResults.js +46 -3
package/src/telemetry/telemetry.ts +154 -0
package/src/utils/commonApi.js +1 -1
package/src/utils/getConfig.ts +5 -18
package/src/utils/parsedCLIOptions.js +14 -1
package/src/utils/requestUtils.js +8 -1
package/dist/audit/AnalysisEngine.js +0 -37
package/dist/audit/autodetection/autoDetectLanguage.js +0 -32
package/dist/audit/dotnetAnalysisEngine/index.js +0 -25
package/dist/audit/dotnetAnalysisEngine/parseLockFileContents.js +0 -35
package/dist/audit/dotnetAnalysisEngine/parseProjectFileContents.js +0 -15
package/dist/audit/dotnetAnalysisEngine/readLockFileContents.js +0 -18
package/dist/audit/dotnetAnalysisEngine/readProjectFileContents.js +0 -14
package/dist/audit/dotnetAnalysisEngine/sanitizer.js +0 -9
package/dist/audit/goAnalysisEngine/index.js +0 -17
package/dist/audit/goAnalysisEngine/parseProjectFileContents.js +0 -164
package/dist/audit/goAnalysisEngine/readProjectFileContents.js +0 -21
package/dist/audit/goAnalysisEngine/sanitizer.js +0 -5
package/dist/audit/javaAnalysisEngine/index.js +0 -34
package/dist/audit/javaAnalysisEngine/parseMavenProjectFileContents.js +0 -155
package/dist/audit/javaAnalysisEngine/parseProjectFileContents.js +0 -353
package/dist/audit/javaAnalysisEngine/readProjectFileContents.js +0 -98
package/dist/audit/javaAnalysisEngine/sanitizer.js +0 -5
package/dist/audit/languageAnalysisEngine/checkForMultipleIdentifiedLanguages.js +0 -25
package/dist/audit/languageAnalysisEngine/checkForMultipleIdentifiedProjectFiles.js +0 -25
package/dist/audit/languageAnalysisEngine/checkIdentifiedLanguageHasLockFile.js +0 -35
package/dist/audit/languageAnalysisEngine/checkIdentifiedLanguageHasProjectFile.js +0 -24
package/dist/audit/languageAnalysisEngine/constants.js +0 -20
package/dist/audit/languageAnalysisEngine/getIdentifiedLanguageInfo.js +0 -25
package/dist/audit/languageAnalysisEngine/index.js +0 -39
package/dist/audit/languageAnalysisEngine/languageAnalysisFactory.js +0 -66
package/dist/audit/languageAnalysisEngine/reduceIdentifiedLanguages.js +0 -166
package/dist/audit/nodeAnalysisEngine/handleNPMLockFileV2.js +0 -40
package/dist/audit/nodeAnalysisEngine/index.js +0 -31
package/dist/audit/nodeAnalysisEngine/parseNPMLockFileContents.js +0 -18
package/dist/audit/nodeAnalysisEngine/parseYarnLockFileContents.js +0 -18
package/dist/audit/nodeAnalysisEngine/readNPMLockFileContents.js +0 -17
package/dist/audit/nodeAnalysisEngine/readProjectFileContents.js +0 -14
package/dist/audit/nodeAnalysisEngine/readYarnLockFileContents.js +0 -24
package/dist/audit/nodeAnalysisEngine/sanitizer.js +0 -9
package/dist/audit/phpAnalysisEngine/index.js +0 -23
package/dist/audit/phpAnalysisEngine/parseLockFileContents.js +0 -52
package/dist/audit/phpAnalysisEngine/readLockFileContents.js +0 -13
package/dist/audit/phpAnalysisEngine/readProjectFileContents.js +0 -16
package/dist/audit/phpAnalysisEngine/sanitizer.js +0 -5
package/dist/audit/pythonAnalysisEngine/index.js +0 -25
package/dist/audit/pythonAnalysisEngine/parsePipfileLockContents.js +0 -17
package/dist/audit/pythonAnalysisEngine/parseProjectFileContents.js +0 -21
package/dist/audit/pythonAnalysisEngine/readPipfileLockFileContents.js +0 -13
package/dist/audit/pythonAnalysisEngine/readPythonProjectFileContents.js +0 -14
package/dist/audit/pythonAnalysisEngine/sanitizer.js +0 -7
package/dist/audit/rubyAnalysisEngine/index.js +0 -25
package/dist/audit/rubyAnalysisEngine/parseGemfileLockContents.js +0 -176
package/dist/audit/rubyAnalysisEngine/parsedGemfile.js +0 -22
package/dist/audit/rubyAnalysisEngine/readGemfileContents.js +0 -14
package/dist/audit/rubyAnalysisEngine/readGemfileLockContents.js +0 -14
package/dist/audit/rubyAnalysisEngine/sanitizer.js +0 -6
package/src/audit/AnalysisEngine.js +0 -103
package/src/audit/autodetection/autoDetectLanguage.ts +0 -40
package/src/audit/dotnetAnalysisEngine/index.js +0 -26
package/src/audit/dotnetAnalysisEngine/parseLockFileContents.js +0 -47
package/src/audit/dotnetAnalysisEngine/parseProjectFileContents.js +0 -29
package/src/audit/dotnetAnalysisEngine/readLockFileContents.js +0 -30
package/src/audit/dotnetAnalysisEngine/readProjectFileContents.js +0 -26
package/src/audit/dotnetAnalysisEngine/sanitizer.js +0 -11
package/src/audit/goAnalysisEngine/index.js +0 -18
package/src/audit/goAnalysisEngine/parseProjectFileContents.js +0 -209
package/src/audit/goAnalysisEngine/readProjectFileContents.js +0 -31
package/src/audit/goAnalysisEngine/sanitizer.js +0 -7
package/src/audit/javaAnalysisEngine/index.js +0 -41
package/src/audit/javaAnalysisEngine/parseMavenProjectFileContents.js +0 -225
package/src/audit/javaAnalysisEngine/parseProjectFileContents.js +0 -420
package/src/audit/javaAnalysisEngine/readProjectFileContents.js +0 -141
package/src/audit/javaAnalysisEngine/sanitizer.js +0 -6
package/src/audit/languageAnalysisEngine/checkForMultipleIdentifiedLanguages.js +0 -36
package/src/audit/languageAnalysisEngine/checkForMultipleIdentifiedProjectFiles.js +0 -42
package/src/audit/languageAnalysisEngine/checkIdentifiedLanguageHasLockFile.js +0 -54
package/src/audit/languageAnalysisEngine/checkIdentifiedLanguageHasProjectFile.js +0 -33
package/src/audit/languageAnalysisEngine/constants.js +0 -23
package/src/audit/languageAnalysisEngine/getIdentifiedLanguageInfo.js +0 -41
package/src/audit/languageAnalysisEngine/index.js +0 -45
package/src/audit/languageAnalysisEngine/languageAnalysisFactory.js +0 -96
package/src/audit/languageAnalysisEngine/reduceIdentifiedLanguages.js +0 -251
package/src/audit/nodeAnalysisEngine/handleNPMLockFileV2.js +0 -49
package/src/audit/nodeAnalysisEngine/index.js +0 -35
package/src/audit/nodeAnalysisEngine/parseNPMLockFileContents.js +0 -20
package/src/audit/nodeAnalysisEngine/parseYarnLockFileContents.js +0 -26
package/src/audit/nodeAnalysisEngine/readNPMLockFileContents.js +0 -23
package/src/audit/nodeAnalysisEngine/readProjectFileContents.js +0 -27
package/src/audit/nodeAnalysisEngine/readYarnLockFileContents.js +0 -36
package/src/audit/nodeAnalysisEngine/sanitizer.js +0 -11
package/src/audit/phpAnalysisEngine/index.js +0 -27
package/src/audit/phpAnalysisEngine/parseLockFileContents.js +0 -60
package/src/audit/phpAnalysisEngine/readLockFileContents.js +0 -14
package/src/audit/phpAnalysisEngine/readProjectFileContents.js +0 -25
package/src/audit/phpAnalysisEngine/sanitizer.js +0 -4
package/src/audit/pythonAnalysisEngine/index.js +0 -55
package/src/audit/pythonAnalysisEngine/parsePipfileLockContents.js +0 -23
package/src/audit/pythonAnalysisEngine/parseProjectFileContents.js +0 -33
package/src/audit/pythonAnalysisEngine/readPipfileLockFileContents.js +0 -16
package/src/audit/pythonAnalysisEngine/readPythonProjectFileContents.js +0 -22
package/src/audit/pythonAnalysisEngine/sanitizer.js +0 -9
package/src/audit/rubyAnalysisEngine/index.js +0 -30
package/src/audit/rubyAnalysisEngine/parseGemfileLockContents.js +0 -215
package/src/audit/rubyAnalysisEngine/parsedGemfile.js +0 -39
package/src/audit/rubyAnalysisEngine/readGemfileContents.js +0 -18
package/src/audit/rubyAnalysisEngine/readGemfileLockContents.js +0 -17
package/src/audit/rubyAnalysisEngine/sanitizer.js +0 -8

package/src/constants/locales.js CHANGED Viewed

@@ -20,8 +20,8 @@ const en_locales = () => {
     libraryAnalysisError:
       'Please ensure the language parameter is set in accordance to the language specified on the project path.\nContrast CLI must be run in the same directory as the project manifest file OR the project_path parameter must be used to identify the directory containing the project manifest file.\n\nFor further information please read our usage guide, which can be accessed with the following command:\n\ncontrast-cli --help',
     yamlMissingParametersHeader: 'Missing Parameters',
-    yamlMissingParametersMessage:
-      'The following parameters are required: \n \norganization-id \napi-key \nauthorization \nhost \nlanguage \n \nThey must be specified as a command line argument. \nFor further information please read our usage guide, which can be accessed with the following command:\ncontrast audit --help',
+    genericErrorMessage:
+      'An error has occur please check your command again. For more information use the --help commands.',
     unauthenticatedErrorHeader: '401 error - Unauthenticated',
     unauthenticatedErrorMessage:
       'Please check the following keys are correct:\n--organization-id, --api-key or --authorization',
@@ -53,8 +53,10 @@ const en_locales = () => {
       "Identified project language as '%s' but found multiple project files: %s. Please specify which project file you would like analyzed with the %s CLI option.",
     languageAnalysisHasNoLockFile:
       "Identified project language as '%s' but no project lock file was found.",
+    languageAnalysisHasNoPackageJsonFile:
+      'Identified project language as javascript but no package.json file was found.',
     languageAnalysisHasMultipleLockFiles:
-      "Identified project language as '%s' but multiple project lock files were found: %s \n",
+      "Identified project language as '%s' but multiple project lock files were found.",
     languageAnalysisProjectFileError:
       "Identified project language as '%s' but no project file was found.",
     languageAnalysisProjectRootFileNameReadError:
@@ -64,17 +66,20 @@ const en_locales = () => {
     languageAnalysisProjectRootFileNameFailure:
       'Failed to get information about the file or directory @ %s because: ',
     languageAnalysisFailure: ' analysis failed because: ',
-    languageAnalysisNoLanguage: 'No language detected in project path @ %s',
+    languageAnalysisNoLanguage:
+      'We cannot detect a project, use -f <path> to specify a file or folder to analyze.',
+    languageAnalysisNoLanguageHelpLine: `${chalk.bold(
+      'contrast audit --help'
+    )} for more information.`,
     NodeAnalysisFailure: 'NODE analysis failed because: ',
     phpAnalysisFailure: 'PHP analysis failed because: ',
-    NodeParseNPM:
-      "Failed to parse NODE package-lock.json file @ '%s' because: ",
+    NodeParseNPM: 'Failed to parse NODE package-lock.json file because: ',
     phpParseComposerLock:
       "Failed to parse PHP composer.lock file @ '%s' because: ",
     NodeReadNpmError:
       'Failed to read the package-lock.json file @ "%s" because: ',
     phpReadError: 'Failed to read the composer.lock file @ "%s" because: ',
-    NodeParseYarn: "Failed to parse Node yarn.lock version 1 @ '%s' because: ",
+    NodeParseYarn: 'Failed to parse yarn.lock version %s because: ',
     NodeParseYarn2: "Failed to parse Node yarn.lock version 2 @ '%s' because: ",
     nodeReadProjectFileError:
       'Failed to read the NODE project file @ "%s" because: ',
@@ -116,10 +121,11 @@ const en_locales = () => {
       'The name of the application cataloged by Contrast UI',
     constantsCatalogueApplication:
       'Provide this if you want to catalogue an application',
+    failOptionErrorMessage:
+      ' FAIL - CVEs have been detected that match at least the cve_severity option specified.',
     constantsLanguage:
       'Valid values are JAVA, DOTNET, NODE, PYTHON and RUBY. If there are multiple project configuration files in the project_path, language is also required.  Also, provide this when cataloguing an application',
-    constantsFilePath:
-      'The directory root of a project/application that you would like analyzed. Defaults to current directory.',
+    constantsFilePath: `Specify a directory or the file where dependencies are declared. (By default, CodeSec will search for project files in the current directory.)`,
     constantsSilent: 'Silences JSON output.',
     constantsAppGroups:
       'Assign your application to one or more pre-existing groups when using the catalogue command. Group lists should be comma separated.',
@@ -138,15 +144,22 @@ const en_locales = () => {
     constantsReport: 'Display vulnerability information for this application',
     constantsFail:
       'Set the process to fail if this option is set in combination with --cve_severity.',
-    failOptionErrorMessage:
-      ' FAIL - CVEs have been detected that match at least the cve_severity or cve_threshold option specified.',
+    failThresholdOptionErrorMessage: 'More than 0 vulnerabilities found',
+    failSeverityOptionErrorMessage:
+      ' FAIL - Results detected vulnerabilities over accepted severity level',
     constantsSeverity:
       'Allows the user to report libraries with vulnerabilities above a chosen severity level. For example, cve_severity medium only reports libraries with vulnerabilities at medium or higher severity. Values for level are high, medium or low.',
     constantsCount: 'The number of CVEs that must be exceeded to fail a build',
     constantsHeader: 'CodeSec by Contrast Security',
-    constantsPrerequisitesContentScanLanguages: 'Java & JavaScript supported',
+    configHeader2: 'Config options',
+    clearHeader: '-c, --clear',
+    clearContent: 'Removes stored credentials',
+    constantsPrerequisitesContentScanLanguages:
+      'Java, Javascript and .NET supported',
     constantsContrastContent:
-      "Use the 'contrast' command for fast and accurate security analysis of your applications and APIs (Java, JavaScript and .NET ) as well as serverless functions (AWS lambda, Java and Python).",
+      'Use the ‘contrast’ command for fast and accurate security analysis of your applications, APIs, serverless functions, and libraries.',
+    constantsContrastCategories:
+      '\n Code: Java, .NET, .NET Core, JavaScript\n Serverless: AWS Lambda - Java, Python\n Libraries: Java, .NET, Node, Ruby, Python, Go, PHP\n',
     constantsUsageGuideContentRecommendation:
       'Our recommendation is that this is invoked as part of a CI pipeline so that running the cli is automated as part of your build process.',
     constantsPrerequisitesHeader: 'Pre-requisites',
@@ -249,7 +262,7 @@ const en_locales = () => {
     scanLabel:
       "adds a label to the scan - defaults to 'Started by CLI tool at current date'",
     constantsIgnoreDev:
-      'Excludes developer dependencies from the output. By default all dependencies are included.',
+      'Excludes developer dependencies from the results. All dependencies are included by default.',
     constantsCommands: 'Commands',
     constantsScanOptions: 'Scan Options',
     sbomError: 'All required parameters are not present.',
@@ -277,12 +290,17 @@ const en_locales = () => {
       'We only accept the following file types: \nJava - .jar, .war \nJavaScript - .js or .zip files',
     helpAuthSummary:
       'Authenticate Contrast using your Github or Google account',
-    helpScanSummary: 'Perform static analysis on binaries / code artifacts',
-    helpLambdaSummary: 'Perform scan on AWS Lambda functions',
+    helpAuditSummary:
+      'Searches for a suitable file in the working directory to perform a security audit of dependencies and returns the results. [Contrast audit --help (for options).]',
+    helpScanSummary:
+      'Searches for a .jar, .war, .js, or .zip file in the working directory, uploads files for analysis, and returns the results. [For further help/options, enter scan --help]',
+    helpLambdaSummary:
+      'Performs a static security scan on an AWS lambda function. lambda --help (for options)',
     helpVersionSummary: 'Displays version of Contrast CLI',
     helpConfigSummary: 'Displays stored credentials',
     helpSummary: 'Displays usage guide',
     authName: 'auth',
+    auditName: 'audit',
     scanName: 'scan',
     lambdaName: 'lambda',
     versionName: 'version',
@@ -300,8 +318,7 @@ const en_locales = () => {
     scanOptionsVerboseSummary: ' Returns extended information to the terminal.',
     authSuccessMessage: 'Authentication successful',
     runAuthSuccessMessage:
-      "Now you can use Contrast CLI \nRun 'contrast scan' on your file \n" +
-      "or 'contrast help' to learn more about the capabilities.",
+      "Now you can use CodeSec by Contrast \nRun: \n'contrast scan' on your file \n'contrast audit' on a file or directory,\n'contrast lambda' on an AWS function.\nor 'contrast help' to learn more about the capabilities.",
     authWaitingMessage: 'Waiting for auth...',
     authTimedOutMessage: 'Auth Timed out, try again',
     zipErrorScan:
@@ -329,7 +346,7 @@ const en_locales = () => {
       'Supported runtimes: Java & Python',
     lambdaPrerequisitesContentLambdaDescriptionTitle: 'AWS Requirements\n',
     lambdaPrerequisitesContentLambdaDescription:
-      'Make sure you have the AWS credentials configured on your local environment. \nYou need the following AWS permissions configured on your IAM user:\n   - Lambda: GetFunction, GetLayerVersionֿ\n   - IAM: GetRolePolicy, GetPolicy, GetPolicyVersion, ListRolePolicies, ListAttachedRolePolicies',
+      'Make sure you have the AWS credentials configured on your local environment. \nYou need the following AWS permissions configured on your IAM user:\n   - Lambda: GetFunction, GetLayerVersion, ListFunctions\n   - IAM: GetRolePolicy, GetPolicy, GetPolicyVersion, ListRolePolicies, ListAttachedRolePolicies',
     scanFileNameOption: '-f, --file',
     lambdaFunctionNameOption: '-f, --function-name',
     lambdaListFunctionsOption: '-l, --list-functions',
@@ -364,36 +381,44 @@ const en_locales = () => {
       'An error has occurred when trying to get the Project Id please check your internet connection or provide the Project Id manually',
     internalServerErrorHeader: '500 error - Internal server error',
     resourceLockedErrorHeader: '423 error - Resource is locked',
-    auditHeader: 'Contrast Audit',
-    auditHeaderMessage: `
-    Performs software composition analysis (SCA) on your application/code time to show you the dependencies between open source libraries, including where vulnerabilities were introduced.\n
-    Our recommendation is that this is invoked as part of a CI pipeline so that running the cli is automated as part of your build process.`,
+    auditHeader: 'Contrast audit help',
+    auditHeaderMessage:
+      "Use 'contrast audit' to analyze a project’s dependencies for vulnerabilities.",
     constantsAuditPrerequisitesContentSupportedLanguages:
       'Supported languages and their requirements are:',
-    constantsAuditPrerequisitesContentJava: 'Java: ',
-    constantsAuditPrerequisitesContentMessage: `
-       pom.xml AND Maven build platform, including the dependency plugin.
-       For a Gradle project (v4.8+) use build.gradle. A gradle-wrapper.properties file is also required.
-       Kotlin is also supported requiring a build.gradle.kts file.`,
-    constantsAuditPrerequisitesContentDotNet: '.NET framework and .NET core: ',
+    constantsAuditPrerequisitesJavaContentMessage: `
+    ${chalk.bold('Java:')} pom.xml ${chalk.bold(
+      'and'
+    )} Maven build platform including the dependency plugin.
+    ${chalk.bold('Or')} build.gradle ${chalk.bold(
+      'and'
+    )} gradle dependencies or ./gradlew dependencies must be supported`,
     constantsAuditPrerequisitesContentDotNetMessage: `
-       MSBuild 15.0 or greater and have a packages.lock.json file are supported.\n
-       Note: If the packages.lock.json file is unavailable it can be generated by setting RestorePackagesWithLockFile to true within each *.csproj file and running dotnet build.\n`,
-    constantsAuditPrerequisitesContentLanguageNode: 'Node: ',
-    constantsAuditPrerequisitesContentLanguageRuby: 'Ruby: ',
-    constantsAuditPrerequisitesContentLanguagePython: 'Python: ',
-    constantsAuditPrerequisitesContentLanguageNodeMessage:
-      '*.package.json AND a lock file either *.package-lock.json or *.yarn.lock',
-    constantsAuditPrerequisitesContentLanguageRubyMessage:
-      'gemfile AND gemfile.lock',
-    constantsAuditPrerequisitesContentLanguagePythonMessage:
-      'pipfile AND pipfile.lock',
+    ${chalk.bold(
+      '.NET framework and .NET core:'
+    )} MSBuild 15.0 or greater and a packages.lock.json file.
+    Note: If the packages.lock.json file is unavailable it can be generated by setting RestorePackagesWithLockFile to true within each *.csproj file and running dotnet build.\n`,
+    constantsAuditPrerequisitesContentNodeMessage: `${chalk.bold(
+      'Node:'
+    )} package.json and a lock file (either .package-lock.json or .yarn.lock.)\n`,
+    constantsAuditPrerequisitesContentRubyMessage: `${chalk.bold(
+      'Ruby:'
+    )} gemfile and gemfile.lock\n`,
+    constantsAuditPrerequisitesContentPythonMessage: `${chalk.bold(
+      'Python:'
+    )} pipfile and pipfile.lock\n`,
+    constantsAuditPrerequisitesContentGoMessage: `${chalk.bold(
+      'Go:'
+    )} go.mod\n`,
+    constantsAuditPrerequisitesContentPHPMessage: `${chalk.bold(
+      'PHP:'
+    )} composer.json and composer.lock\n`,
     constantsAuditOptions: 'Audit Options',
-    auditOptionsIgnoreDevDependencies: '-igd, --ignore-dev',
-    auditOptionsIgnoreDevDependenciesDescription: 'ignores DevDependencies',
-    auditOptionsSave: '-s, --save',
     auditOptionsSaveDescription:
-      'saves the output in specified format, options: sbom',
+      'Generate and save an SBOM (Software Bill of Materials)\n',
+    auditOptionsSaveOptionsDescription:
+      'Valid options are: --save spdx and --save cyclonedx (CycloneDX is the default format.)',
+    exceededFreeTier: `It looks like you are really loving CodeSec! \nYou have reached the monthly scan limit on the FREE tier. \nPlease contact sales@contrastsecurity.com to upgrade.`,
     scanNotCompleted:
       'Scan not completed. Check for framework and language support here: %s',
     auditNotCompleted: 'audit not completed.  Please try again',
@@ -415,7 +440,7 @@ const en_locales = () => {
     auditReportSuccessMessage: 'Report successfully retrieved',
     auditReportFailureMessage: 'Unable to generate library report',
     auditSCAAnalysisBegins: 'Contrast SCA audit started',
-    auditSCAAnalysisComplete: 'Contrast SCA audit complete',
+    auditSCAAnalysisComplete: 'Contrast audit complete',
     ...lambda
   }
 }

package/src/constants.js CHANGED Viewed

@@ -1,6 +1,7 @@
 const commandLineUsage = require('command-line-usage')
 const i18n = require('i18n')
 const { en_locales } = require('./constants/locales.js')
+const { parseSeverity } = require('./common/fail')
 i18n.configure({
   staticCatalog: {
@@ -106,6 +107,24 @@ const scanOptionDefinitions = [
       '}: ' +
       i18n.__('constantsProxyServer')
   },
+  {
+    name: 'fail',
+    type: Boolean,
+    description:
+      '{bold ' +
+      i18n.__('constantsOptional') +
+      '}: ' +
+      i18n.__('failOptionErrorMessage')
+  },
+  {
+    name: 'severity',
+    type: severity => parseSeverity(severity),
+    description:
+      '{bold ' +
+      i18n.__('constantsOptional') +
+      '}: ' +
+      i18n.__('constantsSeverity')
+  },
   {
     name: 'ff',
     type: Boolean,
@@ -213,13 +232,31 @@ const auditOptionDefinitions = [
   {
     name: 'file',
     alias: 'f',
-    defaultValue: process.cwd(),
+    defaultValue: process.cwd().concat('/'),
     description:
       '{bold ' +
       i18n.__('constantsOptional') +
       '}: ' +
       i18n.__('constantsFilePath')
   },
+  {
+    name: 'fail',
+    type: Boolean,
+    description:
+      '{bold ' +
+      i18n.__('constantsOptional') +
+      '}: ' +
+      i18n.__('failOptionErrorMessage')
+  },
+  {
+    name: 'severity',
+    type: severity => parseSeverity(severity),
+    description:
+      '{bold ' +
+      i18n.__('constantsOptional') +
+      '}: ' +
+      i18n.__('constantsSeverity')
+  },
   {
     name: 'app-groups',
     description:
@@ -257,6 +294,7 @@ const auditOptionDefinitions = [
   {
     name: 'ignore-dev',
     type: Boolean,
+    alias: 'i',
     description:
       '{bold ' +
       i18n.__('constantsOptional') +
@@ -266,15 +304,6 @@ const auditOptionDefinitions = [
   {
     name: 'maven-settings-path'
   },
-  {
-    name: 'language',
-    alias: 'l',
-    description:
-      '{bold ' +
-      i18n.__('constantsRequiredCatalogue') +
-      '}: ' +
-      i18n.__('constantsLanguage')
-  },
   {
     name: 'organization-id',
     alias: 'o',
@@ -302,7 +331,6 @@ const auditOptionDefinitions = [
   },
   {
     name: 'host',
-    alias: 'h',
     description:
       '{bold ' +
       i18n.__('constantsRequired') +
@@ -333,19 +361,38 @@ const auditOptionDefinitions = [
       '{bold ' +
       i18n.__('constantsOptional') +
       '}: ' +
-      i18n.__('auditOptionsSaveDescription')
+      i18n.__('auditOptionsSaveDescription') +
+      i18n.__('auditOptionsSaveOptionsDescription')
   },
   {
     name: 'experimental',
     alias: 'e',
     type: Boolean
+  },
+  {
+    name: 'timeout',
+    alias: 't',
+    type: Number,
+    description:
+      '{bold ' +
+      i18n.__('constantsOptional') +
+      '}: ' +
+      i18n.__('scanOptionsTimeoutSummary')
+  },
+  {
+    name: 'help',
+    alias: 'h',
+    type: Boolean
   }
 ]
 const mainUsageGuide = commandLineUsage([
   {
     header: i18n.__('constantsHeader'),
-    content: [i18n.__('constantsContrastContent')]
+    content: [
+      i18n.__('constantsContrastContent'),
+      i18n.__('constantsContrastCategories')
+    ]
   },
   {
     header: i18n.__('constantsUsage'),
@@ -357,6 +404,7 @@ const mainUsageGuide = commandLineUsage([
       { name: i18n.__('authName'), summary: i18n.__('helpAuthSummary') },
       { name: i18n.__('scanName'), summary: i18n.__('helpScanSummary') },
       { name: i18n.__('lambdaName'), summary: i18n.__('helpLambdaSummary') },
+      { name: i18n.__('auditName'), summary: i18n.__('helpAuditSummary') },
       { name: i18n.__('versionName'), summary: i18n.__('helpVersionSummary') },
       { name: i18n.__('configName'), summary: i18n.__('helpConfigSummary') },
       { name: i18n.__('helpName'), summary: i18n.__('helpSummary') }
@@ -365,6 +413,12 @@ const mainUsageGuide = commandLineUsage([
   {
     content:
       '{underline https://developer.contrastsecurity.com/} \n For technical support head to {underline https://support.contrastsecurity.com}'
+  },
+  {
+    header: i18n.__('configHeader2'),
+    content: [
+      { name: i18n.__('clearHeader'), summary: i18n.__('clearContent') }
+    ]
   }
 ])

package/src/index.ts CHANGED Viewed

@@ -14,6 +14,7 @@ import {
   isCorrectNodeVersion
 } from './common/versionChecker'
 import { findCommandOnError } from './common/errorHandling'
+import { sendTelemetryConfigAsConfObj } from './telemetry/telemetry'
 const {
   commandLineDefinitions: { mainUsageGuide, mainDefinition }
@@ -36,74 +37,98 @@ const getMainOption = () => {
 }
 const start = async () => {
-  if (await isCorrectNodeVersion(process.version)) {
-    const { mainOptions, argv: argvMain } = getMainOption()
-    const command =
-      mainOptions.command != undefined ? mainOptions.command.toLowerCase() : ''
-    if (
-      command === 'version' ||
-      argvMain.includes('--v') ||
-      argvMain.includes('--version')
-    ) {
-      console.log(APP_VERSION)
-      await findLatestCLIVersion(config)
-      return
-    }
-    // @ts-ignore
-    config.set('numOfRuns', config.get('numOfRuns') + 1)
-    // @ts-ignore
-    if (config.get('numOfRuns') >= 1) {
-      await findLatestCLIVersion(config)
-      config.set('numOfRuns', 0)
-    }
-    if (command === 'config') {
-      return processConfig(argvMain, config)
-    }
-    if (command === 'auth') {
-      return await processAuth(argvMain, config)
-    }
-    if (command === 'lambda') {
-      return await processLambda(argvMain)
-    }
-    if (command === 'scan') {
-      return await processScan(argvMain)
-    }
-    if (command === 'audit') {
-      return await processAudit(argvMain)
-    }
-    if (
-      command === 'help' ||
-      argvMain.includes('--help') ||
-      Object.keys(mainOptions).length === 0
-    ) {
-      console.log(mainUsageGuide)
-    } else if (mainOptions._unknown !== undefined) {
-      const foundCommand = findCommandOnError(mainOptions._unknown)
-      foundCommand
-        ? console.log(
-            `Unknown Command: Did you mean "${foundCommand}"? \nUse "${foundCommand} --help" for the full list of options`
-          )
-        : console.log(
-            `Unknown Command: ${command} \nUse --help for the full list`
-          )
+  try {
+    if (await isCorrectNodeVersion(process.version)) {
+      const { mainOptions, argv: argvMain } = getMainOption()
+      const command =
+        mainOptions.command != undefined
+          ? mainOptions.command.toLowerCase()
+          : ''
+      if (
+        command === 'version' ||
+        argvMain.includes('--v') ||
+        argvMain.includes('--version')
+      ) {
+        console.log(APP_VERSION)
+        await findLatestCLIVersion(config)
+        return
+      }
+      // @ts-ignore
+      config.set('numOfRuns', config.get('numOfRuns') + 1)
+      // @ts-ignore
+      if (config.get('numOfRuns') >= 1) {
+        await findLatestCLIVersion(config)
+        config.set('numOfRuns', 0)
+      }
+      if (command === 'config') {
+        return processConfig(argvMain, config)
+      }
+      if (command === 'auth') {
+        return await processAuth(argvMain, config)
+      }
+      if (command === 'lambda') {
+        return await processLambda(argvMain)
+      }
+      if (command === 'scan') {
+        return await processScan(config, argvMain)
+      }
+      if (command === 'audit') {
+        return await processAudit(config, argvMain)
+      }
+      if (
+        command === 'help' ||
+        argvMain.includes('--help') ||
+        Object.keys(mainOptions).length === 0
+      ) {
+        console.log(mainUsageGuide)
+      } else if (mainOptions._unknown !== undefined) {
+        const foundCommand = findCommandOnError(mainOptions._unknown)
+        foundCommand
+          ? console.log(
+              `Unknown Command: Did you mean "${foundCommand}"? \nUse "${foundCommand} --help" for the full list of options`
+            )
+          : console.log(
+              `Unknown Command: ${command} \nUse --help for the full list`
+            )
+        await sendTelemetryConfigAsConfObj(
+          config,
+          command,
+          argvMain,
+          'FAILURE',
+          'undefined'
+        )
+      } else {
+        console.log(
+          `Unknown Command: ${command} \nUse --help for the full list`
+        )
+        await sendTelemetryConfigAsConfObj(
+          config,
+          command,
+          argvMain,
+          'FAILURE',
+          'undefined'
+        )
+      }
+      process.exit(9)
     } else {
-      console.log(`Unknown Command: ${command} \nUse --help for the full list`)
+      console.log(
+        'Contrast supports Node versions >=16.13.2 <17. Please use one of those versions.'
+      )
+      process.exit(9)
     }
-    process.exit(9)
-  } else {
-    console.log(
-      'Contrast supports Node versions >=16.13.2 <17. Please use one of those versions.'
-    )
-    process.exit(9)
+  } catch (err: any) {
+    console.log()
+    console.log(err.message.toString())
+    process.exit(1)
   }
 }

package/src/lambda/lambda.ts CHANGED Viewed

@@ -16,6 +16,7 @@ import { sleep } from '../utils/requestUtils'
 import ora from '../utils/oraWrapper'
 import { postAnalytics } from './analytics'
 import { LambdaOptions, AnalyticsOption, StatusType, EventType } from './types'
+import { APP_VERSION } from '../constants/constants'
 type ApiParams = {
   organizationId: string
@@ -73,7 +74,8 @@ const processLambda = async (argv: string[]) => {
     const startCommandAnalytics: AnalyticsOption = {
       arguments: lambdaOptions,
       sessionId: commandSessionId,
-      eventType: EventType.START
+      eventType: EventType.START,
+      packageVersion: APP_VERSION
     }
     postAnalytics(startCommandAnalytics).catch((error: Error) => {
       /* ignore */
@@ -99,7 +101,8 @@ const processLambda = async (argv: string[]) => {
     const endCommandAnalytics: AnalyticsOption = {
       sessionId: commandSessionId,
       eventType: EventType.END,
-      status: errorMsg ? StatusType.FAILED : StatusType.SUCCESS
+      status: errorMsg ? StatusType.FAILED : StatusType.SUCCESS,
+      packageVersion: APP_VERSION
     }
     if (errorMsg) {
       endCommandAnalytics.errorMsg = errorMsg

package/src/lambda/types.ts CHANGED Viewed

@@ -28,6 +28,7 @@ type ScanFunctionData = {
 export type AnalyticsOption = {
   sessionId: string
   eventType: EventType
+  packageVersion: string
   arguments?: LambdaOptions
   scanFunctionData?: ScanFunctionData
   status?: StatusType

package/src/sbom/generateSbom.ts CHANGED Viewed

@@ -1,9 +1,9 @@
 import { getHttpClient } from '../utils/commonApi'
-export const generateSbom = (config: any) => {
+export const generateSbom = (config: any, type: string) => {
   const client = getHttpClient(config)
   return client
-    .getSbom(config)
+    .getSbom(config, type)
     .then((res: { statusCode: number; body: any }) => {
       if (res.statusCode === 200) {
         return res.body

package/src/scaAnalysis/common/formatMessage.js CHANGED Viewed

@@ -50,11 +50,18 @@ const createPhpTSMessage = phpTree => {
   }
 }
+const createDotNetTSMessage = dotnetTree => {
+  return {
+    dotnet: dotnetTree
+  }
+}
 module.exports = {
   createJavaScriptTSMessage,
   createJavaTSMessage,
   createGoTSMessage,
   createPhpTSMessage,
   createRubyTSMessage,
-  createPythonTSMessage
+  createPythonTSMessage,
+  createDotNetTSMessage
 }

package/src/scaAnalysis/common/scaParserForGoAndJava.js ADDED Viewed

@@ -0,0 +1,41 @@
+const parseDependenciesForSCAServices = dependencyTreeObject => {
+  let parsedDependencyTree = {}
+  let subDeps
+  for (let tree in dependencyTreeObject) {
+    let unParsedDependencyTree = dependencyTreeObject[tree]
+    for (let dependency in unParsedDependencyTree) {
+      subDeps = parseSubDependencies(unParsedDependencyTree[dependency].edges)
+      let parsedDependency = {
+        name: unParsedDependencyTree[dependency].artifactID,
+        group: unParsedDependencyTree[dependency].group,
+        version: unParsedDependencyTree[dependency].version,
+        directDependency: unParsedDependencyTree[dependency].type === 'direct',
+        isProduction: true,
+        dependencies: subDeps
+      }
+      parsedDependencyTree[dependency] = parsedDependency
+    }
+  }
+  return parsedDependencyTree
+}
+const parseSubDependencies = dependencies => {
+  // converting:
+  // dependencies: {
+  //   'gopkg.in/check.v1@v0.0.0-2': 'gopkg.in/check.v1@v0.0.0-2'
+  // }
+  // to:
+  // dependencies: [ 'gopkg.in/check.v1@v0.0.0-2' ]
+  let subDeps = []
+  for (let x in dependencies) {
+    subDeps.push(dependencies[x])
+  }
+  return subDeps
+}
+module.exports = {
+  parseDependenciesForSCAServices,
+  parseSubDependencies
+}