@contrast/contrast 1.0.8 → 1.0.9

package/src/audit/languageAnalysisEngine/checkIdentifiedLanguageHasProjectFile.js

@@ -1,33 +0,0 @@
-const i18n = require('i18n')
-/**
- * Checks that a single identified language in the list of languages and files
- * that has been reduced has a single project file. This is important in the
- * (uncommon) case that a project has a lock file without a project file.
- */
-module.exports = exports = (analysis, next) => {
-  const { languageAnalysis } = analysis
-  try {
-    checkIdentifiedLanguageHasProjectFile(languageAnalysis.identifiedLanguages)
-  } catch (err) {
-    next(err)
-    return
-  }
-  next()
-}
-
-const checkIdentifiedLanguageHasProjectFile = identifiedLanguages => {
-  // Handle the error case where only a single language has been identified...
-  if (Object.keys(identifiedLanguages).length == 1) {
-    let { projectFilenames } = Object.values(identifiedLanguages)[0]
-
-    // ...but no project files for that language have been found
-    if (projectFilenames.length == 0) {
-      const [language] = Object.keys(identifiedLanguages)
-      throw new Error(i18n.__('languageAnalysisProjectFileError', language))
-    }
-  }
-}
-
-//For testing purposes
-exports.checkIdentifiedLanguageHasProjectFile =
-  checkIdentifiedLanguageHasProjectFile

package/src/audit/languageAnalysisEngine/constants.js

@@ -1,23 +0,0 @@
-// Language identifiers
-const NODE = 'NODE'
-const JAVASCRIPT = 'JAVASCRIPT'
-const DOTNET = 'DOTNET'
-const JAVA = 'JAVA'
-const RUBY = 'RUBY'
-const PYTHON = 'PYTHON'
-const GO = 'GO'
-// we set the langauge as Node instead of PHP since we're using the Node engine in TS
-const PHP = 'PHP'
-
-const LOW = 'LOW'
-const MEDIUM = 'MEDIUM'
-const HIGH = 'HIGH'
-const CRITICAL = 'CRITICAL'
-
-module.exports = {
-  supportedLanguages: { NODE, DOTNET, JAVA, RUBY, PYTHON, GO, PHP, JAVASCRIPT },
-  LOW: LOW,
-  MEDIUM: MEDIUM,
-  HIGH: HIGH,
-  CRITICAL: CRITICAL
-}

package/src/audit/languageAnalysisEngine/getIdentifiedLanguageInfo.js

@@ -1,41 +0,0 @@
-const path = require('path')
-
-/**
- * Assemble analysis results into a common object to provide
- * language, project file name and paths
- */
-module.exports = exports = (analysis, next) => {
-  const { file, languageAnalysis } = analysis
-  languageAnalysis.identifiedLanguageInfo = getIdentifiedLanguageInfo(
-    file,
-    languageAnalysis.identifiedLanguages
-  )
-  next()
-}
-
-const getIdentifiedLanguageInfo = (file, identifiedLanguages) => {
-  const [language] = Object.keys(identifiedLanguages)
-  const {
-    projectFilenames: [projectFilename],
-    lockFilenames: [lockFilename]
-  } = Object.values(identifiedLanguages)[0]
-
-  let identifiedLanguageInfo = {
-    language,
-    projectFilename,
-    projectFilePath: path.join(file, projectFilename)
-  }
-
-  if (lockFilename) {
-    identifiedLanguageInfo = {
-      ...identifiedLanguageInfo,
-      lockFilename,
-      lockFilePath: path.join(file, lockFilename)
-    }
-  }
-
-  return identifiedLanguageInfo
-}
-
-//For testing purposes
-exports.getIdentifiedLanguageInfo = getIdentifiedLanguageInfo

package/src/audit/languageAnalysisEngine/index.js

@@ -1,45 +0,0 @@
-const AnalysisEngine = require('./../AnalysisEngine')
-const i18n = require('i18n')
-
-const getProjectRootFilenames = require('./getProjectRootFilenames')
-const reduceIdentifiedLanguages = require('./reduceIdentifiedLanguages')
-const checkForMultipleIdentifiedLanguages = require('./checkForMultipleIdentifiedLanguages')
-const checkForMultipleIdentifiedProjectFiles = require('./checkForMultipleIdentifiedProjectFiles')
-const checkIdentifiedLanguageHasProjectFile = require('./checkIdentifiedLanguageHasProjectFile')
-const checkIdentifiedLanguageHasLockFile = require('./checkIdentifiedLanguageHasLockFile')
-const getIdentifiedLanguageInfo = require('./getIdentifiedLanguageInfo')
-const { libraryAnalysisError } = require('../../common/errorHandling')
-
-module.exports = exports = (file, callback, appId, config) => {
-  // Create an analysis engine to identify the project language
-  const ae = new AnalysisEngine({
-    file,
-    appId,
-    languageAnalysis: { appId: appId },
-    config
-  })
-
-  ae.use([
-    getProjectRootFilenames,
-    reduceIdentifiedLanguages,
-    checkForMultipleIdentifiedLanguages,
-    checkForMultipleIdentifiedProjectFiles,
-    checkIdentifiedLanguageHasProjectFile,
-    checkIdentifiedLanguageHasLockFile,
-    getIdentifiedLanguageInfo
-  ])
-
-  ae.analyze((err, analysis) => {
-    if (err) {
-      console.log(
-        '*******************' +
-          i18n.__('languageAnalysisFailureMessage') +
-          '****************'
-      )
-      console.error(`${err.message}`)
-      libraryAnalysisError()
-      process.exit(1)
-    }
-    callback(null, analysis)
-  })
-}

package/src/audit/languageAnalysisEngine/languageAnalysisFactory.js

@@ -1,96 +0,0 @@
-const {
-  supportedLanguages: { DOTNET, NODE, JAVA, RUBY, PYTHON, GO, PHP }
-} = require('../languageAnalysisEngine/constants')
-const i18n = require('i18n')
-const dotnetAE = require('../dotnetAnalysisEngine')
-const nodeAE = require('../nodeAnalysisEngine')
-const javaAE = require('../javaAnalysisEngine')
-const rubyAE = require('../rubyAnalysisEngine')
-const pythonAE = require('../pythonAnalysisEngine')
-const phpAE = require('../phpAnalysisEngine')
-const goAE = require('../goAnalysisEngine')
-const { vulnerabilityReport } = require('./report/reportingFeature')
-const { newSendSnapShot } = require('../languageAnalysisEngine/sendSnapshot')
-const {
-  returnOra,
-  startSpinner,
-  succeedSpinner
-} = require('../../utils/oraWrapper')
-const { pollForSnapshotCompletition } = require('./sendSnapshot')
-const auditSave = require('../save')
-
-module.exports = exports = (err, analysis) => {
-  const { identifiedLanguageInfo } = analysis.languageAnalysis
-  const catalogueAppId = analysis.languageAnalysis.appId
-
-  if (err) {
-    console.error(err)
-    return
-  }
-
-  // this callback is the end of the chain
-  const langCallback = async (err, analysis) => {
-    const config = analysis.config
-    if (err) {
-      console.log()
-      console.log(
-        '***********' +
-          i18n.__('languageAnalysisFactoryFailureHeader') +
-          '****************'
-      )
-      console.log(identifiedLanguageInfo.language)
-      console.log()
-      console.error(
-        `${identifiedLanguageInfo.language}` +
-          i18n.__('languageAnalysisFailure') +
-          err
-      )
-      return process.exit(5)
-    }
-
-    const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
-    startSpinner(reportSpinner)
-    const snapshotResponse = await newSendSnapShot(analysis, catalogueAppId)
-
-    //poll for completion
-    await pollForSnapshotCompletition(
-      analysis.config,
-      snapshotResponse.id,
-      reportSpinner
-    )
-    succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
-
-    await vulnerabilityReport(analysis, catalogueAppId, snapshotResponse.id)
-
-    //should be moved to processAudit.ts once promises implemented
-    await auditSave.auditSave(config)
-  }
-
-  if (identifiedLanguageInfo.language === DOTNET) {
-    dotnetAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-
-  if (identifiedLanguageInfo.language === NODE) {
-    nodeAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-
-  if (identifiedLanguageInfo.language === JAVA) {
-    javaAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-
-  if (identifiedLanguageInfo.language === RUBY) {
-    rubyAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-
-  if (identifiedLanguageInfo.language === PYTHON) {
-    pythonAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-
-  if (identifiedLanguageInfo.language === PHP) {
-    phpAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-
-  if (identifiedLanguageInfo.language === GO) {
-    goAE(identifiedLanguageInfo, analysis.config, langCallback)
-  }
-}

package/src/audit/languageAnalysisEngine/reduceIdentifiedLanguages.js

@@ -1,251 +0,0 @@
-const {
-  supportedLanguages: { NODE, DOTNET, JAVA, RUBY, PYTHON, GO, PHP, JAVASCRIPT }
-} = require('./constants')
-const i18n = require('i18n')
-
-const DOT_NET_PROJECT_FILE_REGEX = /.+\.csproj$/
-const DOT_NET_LOCK_FILENAME = 'packages.lock.json'
-
-const isDotNetProjectFilename = filename =>
-  filename.search(DOT_NET_PROJECT_FILE_REGEX) !== -1
-const isDotNetLockFilename = filename => filename === DOT_NET_LOCK_FILENAME
-function isJavaMavenProjectFilename(filename) {
-  return filename === 'pom.xml'
-}
-function isJavaGradleProjectFilename(filename) {
-  return filename === 'build.gradle' || filename === 'build.gradle.kts'
-}
-const isRubyProjectFilename = filename => filename === 'Gemfile'
-const isNodeProjectFilename = filename => filename === 'package.json'
-const isPythonProjectFilename = filename =>
-  filename === 'requirements.txt' || filename === 'Pipfile'
-const isPhpProjectFilename = filename => filename === 'composer.json'
-const isPhpLockFilename = filename => filename === 'composer.lock'
-function isNodeLockFilename(filename) {
-  return filename === 'package-lock.json' || filename === 'yarn.lock'
-}
-const isRubyLockFilename = filename => filename === 'Gemfile.lock'
-const isPipfileLockLockFilename = filename => filename === 'Pipfile.lock'
-const isGoProjectFilename = filename => filename === 'go.mod'
-
-const deduceLanguageScaAnalysis = filenames => {
-  const deducedLanguages = []
-  let language = ''
-
-  filenames.forEach(filename => {
-    // Check for project filenames...
-    if (isJavaMavenProjectFilename(filename)) {
-      deducedLanguages.push(filename)
-      language = JAVA
-    }
-
-    if (isJavaGradleProjectFilename(filename)) {
-      deducedLanguages.push(filename)
-      language = JAVA
-    }
-
-    if (isNodeProjectFilename(filename)) {
-      deducedLanguages.push(filename)
-      language = JAVASCRIPT
-    }
-
-    // if (isDotNetProjectFilename(filename)) {
-    //   deducedLanguages.push({language: DOTNET, projectFilename: filename})
-    // }
-
-    if (isRubyProjectFilename(filename)) {
-      deducedLanguages.push(filename)
-      language = RUBY
-    }
-
-    if (isPythonProjectFilename(filename)) {
-      deducedLanguages.push(filename)
-      language = PYTHON
-    }
-
-    if (isPhpProjectFilename(filename)) {
-      deducedLanguages.push({ language: PHP, projectFilename: filename })
-      language = PHP
-    }
-
-    // // Check for lock filenames...
-    // if (isDotNetLockFilename(filename)) {
-    //   deducedLanguages.push({language: DOTNET, lockFilename: filename})
-    // }
-
-    if (isNodeLockFilename(filename)) {
-      deducedLanguages.push(filename)
-      language = JAVASCRIPT
-    }
-
-    // if (isRubyLockFilename(filename)) {
-    //   deducedLanguages.push({language: RUBY, lockFilename: filename})
-    // }
-    //
-    // // this is pipfileLock rather than python lock as there can be different python locks
-    // if (isPipfileLockLockFilename(filename)) {
-    //   deducedLanguages.push({language: PYTHON, lockFilename: filename})
-    // }
-
-    if (isPhpLockFilename(filename)) {
-      deducedLanguages.push({ language: PHP, lockFilename: filename })
-    }
-
-    // go does not have a lockfile, it should have a go.mod file containing the modules
-    if (isGoProjectFilename(filename)) {
-      deducedLanguages.push({ language: GO, projectFilename: filename })
-      language = GO
-    }
-  })
-  let identifiedLanguages = { [language]: deducedLanguages }
-
-  return identifiedLanguages
-}
-
-const deduceLanguage = filename => {
-  const deducedLanguages = []
-
-  // In theory there shouldn't be multiple languages supported for a single
-  // project filename or lock filename but to protect ourselves and consumers we
-  // will try to detect it
-
-  // Check for project filenames...
-  if (isJavaMavenProjectFilename(filename)) {
-    deducedLanguages.push({ language: JAVA, projectFilename: filename })
-  }
-
-  if (isJavaGradleProjectFilename(filename)) {
-    deducedLanguages.push({ language: JAVA, projectFilename: filename })
-  }
-
-  if (isNodeProjectFilename(filename)) {
-    deducedLanguages.push({ language: NODE, projectFilename: filename })
-  }
-
-  if (isDotNetProjectFilename(filename)) {
-    deducedLanguages.push({ language: DOTNET, projectFilename: filename })
-  }
-
-  if (isRubyProjectFilename(filename)) {
-    deducedLanguages.push({ language: RUBY, projectFilename: filename })
-  }
-
-  if (isPythonProjectFilename(filename)) {
-    deducedLanguages.push({ language: PYTHON, projectFilename: filename })
-  }
-
-  if (isPhpProjectFilename(filename)) {
-    deducedLanguages.push({ language: PHP, projectFilename: filename })
-  }
-
-  // Check for lock filenames...
-  if (isDotNetLockFilename(filename)) {
-    deducedLanguages.push({ language: DOTNET, lockFilename: filename })
-  }
-
-  if (isNodeLockFilename(filename)) {
-    deducedLanguages.push({ language: NODE, lockFilename: filename })
-  }
-
-  if (isRubyLockFilename(filename)) {
-    deducedLanguages.push({ language: RUBY, lockFilename: filename })
-  }
-
-  // this is pipfileLock rather than python lock as there can be different python locks
-  if (isPipfileLockLockFilename(filename)) {
-    deducedLanguages.push({ language: PYTHON, lockFilename: filename })
-  }
-
-  if (isPhpLockFilename(filename)) {
-    deducedLanguages.push({ language: PHP, lockFilename: filename })
-  }
-
-  // go does not have a lockfile, it should have a go.mod file containing the modules
-  if (isGoProjectFilename(filename)) {
-    deducedLanguages.push({ language: GO, projectFilename: filename })
-  }
-
-  return deducedLanguages
-}
-
-const reduceIdentifiedLanguages = identifiedLanguages =>
-  identifiedLanguages.reduce((accumulator, identifiedLanguageInfo) => {
-    const { language, projectFilename, lockFilename } = identifiedLanguageInfo
-
-    // Add an entry to our map for an identified language (and its filename)
-    // if we haven't accumulated it yet. Otherwise simply add the filename to the
-    // existing list.
-    if (!(language in accumulator)) {
-      accumulator[language] = { projectFilenames: [], lockFilenames: [] }
-    }
-
-    if (projectFilename) {
-      accumulator[language].projectFilenames.push(projectFilename)
-    } else {
-      accumulator[language].lockFilenames.push(lockFilename)
-    }
-
-    return accumulator
-  }, {})
-
-/**
- * Look at each filename and using a heuristic see if we can determine that it
- * specifies a specific language
- */
-module.exports = exports = (analysis, next) => {
-  const { file, languageAnalysis, config } = analysis
-
-  let identifiedLanguages = languageAnalysis.projectRootFilenames.reduce(
-    (accumulator, filename) => {
-      const deducedLanguages = deduceLanguage(filename)
-      return [...accumulator, ...deducedLanguages]
-    },
-    []
-  )
-
-  if (Object.keys(identifiedLanguages).length === 0) {
-    next(new Error(i18n.__('languageAnalysisNoLanguage', file)))
-    return
-  }
-
-  let language = config.language
-  if (language === undefined) {
-    languageAnalysis.identifiedLanguages =
-      reduceIdentifiedLanguages(identifiedLanguages)
-  } else {
-    let refinedIdentifiedLanguages = []
-    for (let x in identifiedLanguages) {
-      if (
-        identifiedLanguages[x].language === language.toUpperCase() ||
-        (identifiedLanguages[x].language === NODE &&
-          language.toUpperCase() === JAVASCRIPT)
-      ) {
-        refinedIdentifiedLanguages.push(identifiedLanguages[x])
-      }
-    }
-    //languages found do not meet that supplied by the user
-    if (refinedIdentifiedLanguages.length === 0) {
-      console.log(`Could not detect language as specified: ${config.language}`)
-      process.exit(1)
-    }
-
-    languageAnalysis.identifiedLanguages = reduceIdentifiedLanguages(
-      refinedIdentifiedLanguages
-    )
-  }
-
-  next()
-}
-
-//For testing purposes
-exports.isJavaMavenProjectFilename = isJavaMavenProjectFilename
-exports.isJavaGradleProjectFilename = isJavaGradleProjectFilename
-exports.isNodeProjectFilename = isNodeProjectFilename
-exports.isDotNetProjectFilename = isDotNetProjectFilename
-exports.isDotNetLockFilename = isDotNetLockFilename
-exports.isGoProjectFilename = isGoProjectFilename
-exports.isPhpProjectFilename = isPhpProjectFilename
-exports.isPhpLockFilename = isPhpLockFilename
-exports.deduceLanguage = deduceLanguage
-exports.reduceIdentifiedLanguages = reduceIdentifiedLanguages
-exports.deduceLanguageScaAnalysis = deduceLanguageScaAnalysis

package/src/audit/nodeAnalysisEngine/handleNPMLockFileV2.js

@@ -1,49 +0,0 @@
-const i18n = require('i18n')
-module.exports = exports = (analysis, next) => {
-  const {
-    language: { lockFilePath },
-    node
-  } = analysis
-
-  try {
-    if (node.npmLockFile && node.npmLockFile.lockfileVersion > 1) {
-      const listOfTopDep = Object.keys(node.npmLockFile.dependencies)
-      Object.entries(node.npmLockFile.dependencies).forEach(([key, value]) => {
-        if (value.requires) {
-          const listOfRequiresDep = Object.keys(value.requires)
-          listOfRequiresDep.forEach(dep => {
-            if (!listOfTopDep.includes(dep)) {
-              addDepToLockFile(value['requires'], dep)
-            }
-          })
-        }
-
-        if (value.dependencies) {
-          Object.entries(value.dependencies).forEach(
-            ([childKey, childValue]) => {
-              if (childValue.requires) {
-                const listOfRequiresDep = Object.keys(childValue.requires)
-                listOfRequiresDep.forEach(dep => {
-                  if (!listOfTopDep.includes(dep)) {
-                    addDepToLockFile(childValue['requires'], dep)
-                  }
-                })
-              }
-            }
-          )
-        }
-      })
-    }
-  } catch (err) {
-    next(
-      next(new Error(i18n.__('NodeParseNPM', lockFilePath) + `${err.message}`))
-    )
-    return
-  }
-
-  function addDepToLockFile(depObj, key) {
-    node.npmLockFile.dependencies[key] = { version: depObj[key] }
-  }
-
-  next()
-}

package/src/audit/nodeAnalysisEngine/index.js

@@ -1,35 +0,0 @@
-const AnalysisEngine = require('../AnalysisEngine')
-
-const readProjectFileContents = require('./readProjectFileContents')
-const readNPMLockFileContents = require('./readNPMLockFileContents')
-const parseNPMLockFileContents = require('./parseNPMLockFileContents')
-const readYarnLockFileContents = require('./readYarnLockFileContents')
-const parseYarnLockFileContents = require('./parseYarnLockFileContents')
-const parseYarn2LockFileContents = require('./parseYarn2LockFileContents')
-const handleNPMLockFileV2 = require('./handleNPMLockFileV2')
-const sanitizer = require('./sanitizer')
-const i18n = require('i18n')
-
-module.exports = exports = (language, config, callback) => {
-  const ae = new AnalysisEngine({ language, config, node: {} })
-
-  ae.use([
-    readProjectFileContents,
-    readNPMLockFileContents,
-    parseNPMLockFileContents,
-    readYarnLockFileContents,
-    parseYarnLockFileContents,
-    parseYarn2LockFileContents,
-    handleNPMLockFileV2,
-    sanitizer
-  ])
-
-  ae.analyze((err, analysis) => {
-    if (err) {
-      callback(new Error(i18n.__('NodeAnalysisFailure') + `${err.message}`))
-      return
-    }
-
-    callback(null, analysis)
-  })
-}

package/src/audit/nodeAnalysisEngine/parseNPMLockFileContents.js

@@ -1,20 +0,0 @@
-const i18n = require('i18n')
-module.exports = exports = ({ language: { lockFilePath }, node }, next) => {
-  // If we never read the package-lock file then pass priority
-  if (node.rawLockFileContents === undefined) {
-    next()
-  } else {
-    try {
-      node.npmLockFile = JSON.parse(node.rawLockFileContents)
-    } catch (err) {
-      next(
-        new Error(
-          i18n.__('NodeParseNPM', lockFilePath ? lockFilePath : 'undefined') +
-            `${err.message}`
-        )
-      )
-      return
-    }
-    next()
-  }
-}

package/src/audit/nodeAnalysisEngine/parseYarnLockFileContents.js

@@ -1,26 +0,0 @@
-const yarnParser = require('@yarnpkg/lockfile')
-const i18n = require('i18n')
-
-module.exports = exports = ({ language: { lockFilename }, node }, next) => {
-  // If we never read the lock file then pass priority
-  if (node.rawYarnLockFileContents === undefined || node.yarnVersion === 2) {
-    next()
-  } else {
-    try {
-      node.yarnLockFile = yarnParser.parse(node.rawYarnLockFileContents)
-    } catch (err) {
-      next(
-        new Error(
-          i18n.__(
-            'NodeParseYarn',
-            lockFilename.lockFilePath ? lockFilename.lockFilePath : 'undefined'
-          ) + `${err.message}`
-        )
-      )
-
-      return
-    }
-
-    next()
-  }
-}

package/src/audit/nodeAnalysisEngine/readNPMLockFileContents.js

@@ -1,23 +0,0 @@
-const fs = require('fs')
-const i18n = require('i18n')
-
-module.exports = exports = ({ language: { lockFilePath }, node }, next) => {
-  // check if the lockFilename is populated and if it is check to
-  // see if it has the package-lock if not then go on to next handler
-  if (!lockFilePath || !lockFilePath.includes('package-lock.json')) {
-    next()
-    return
-  }
-
-  try {
-    node.rawLockFileContents = fs.readFileSync(lockFilePath)
-  } catch (err) {
-    next(
-      new Error(i18n.__('NodeReadNpmError', lockFilePath) + `${err.message}`)
-    )
-
-    return
-  }
-
-  next()
-}

package/src/audit/nodeAnalysisEngine/readProjectFileContents.js

@@ -1,27 +0,0 @@
-const fs = require('fs')
-const i18n = require('i18n')
-
-module.exports = exports = (analysis, next) => {
-  const {
-    language: { projectFilePath },
-    node
-  } = analysis
-
-  // Read the NODE project file contents. We are reading into memory presuming
-  // that the contents of the file aren't large which may be bad... Could look
-  // into streaming in the future
-
-  try {
-    // package.json is stored in the projectFilePath other files have the word lock so are stored in lockFilename arr
-    node.packageJSON = JSON.parse(fs.readFileSync(projectFilePath, 'utf8'))
-  } catch (err) {
-    next(
-      new Error(
-        i18n.__('nodeReadProjectFileError', projectFilePath) + `${err.message}`
-      )
-    )
-    return
-  }
-
-  next()
-}