npm - @contrast/contrast - Versions diffs - 1.0.8 → 1.0.9 - Mend

@contrast/contrast 1.0.8 → 1.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (173) hide show

package/src/audit/languageAnalysisEngine/report/commonReportingFunctions.ts CHANGED Viewed

@@ -9,11 +9,11 @@ import { orderBy } from 'lodash'
 import chalk from 'chalk'
 import { ReportCVEModel, ReportLibraryModel } from './models/reportLibraryModel'
 import {
+  countVulnerableLibrariesBySeverity,
   findCVESeveritiesAndOrderByHighestPriority,
   findHighestSeverityCVE,
   findNameAndVersion,
-  severityCountAllCVEs,
-  severityCountAllLibraries
+  severityCountAllCVEs
 } from './utils/reportUtils'
 import { SeverityCountModel } from './models/severityCountModel'
 import {
@@ -28,16 +28,16 @@ import {
   MEDIUM_COLOUR,
   NOTE_COLOUR
 } from '../../../constants/constants'
+import Table from 'cli-table3'
-export const createLibraryHeader = (
-  id: string,
+export const createSummaryMessage = (
   numberOfVulnerableLibraries: number,
   numberOfCves: number
 ) => {
   numberOfVulnerableLibraries === 1
-    ? console.log(`Found 1 vulnerable library containing ${numberOfCves} CVEs`)
+    ? console.log(`Found 1 vulnerable library containing ${numberOfCves} CVE`)
     : console.log(
-        `Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVEs `
+        `Found ${numberOfVulnerableLibraries} vulnerable libraries containing ${numberOfCves} CVEs`
       )
 }
@@ -59,21 +59,35 @@ export const getReport = async (config: any, reportId: string) => {
 }
 export const printVulnerabilityResponse = (
-  vulnerabilities: ReportLibraryModel[],
-  config: any
+  config: any,
+  vulnerableLibraries: ReportLibraryModel[],
+  numberOfVulnerableLibraries: number,
+  numberOfCves: number,
+  guidance: any
 ) => {
   let hasSomeVulnerabilitiesReported = false
-  printFormattedOutput(vulnerabilities, config)
-  if (Object.keys(vulnerabilities).length > 0) {
+  printFormattedOutput(
+    config,
+    vulnerableLibraries,
+    numberOfVulnerableLibraries,
+    numberOfCves,
+    guidance
+  )
+  if (Object.keys(vulnerableLibraries).length > 0) {
     hasSomeVulnerabilitiesReported = true
   }
   return hasSomeVulnerabilitiesReported
 }
 export const printFormattedOutput = (
+  config: any,
   libraries: ReportLibraryModel[],
-  config: any
+  numberOfVulnerableLibraries: number,
+  numberOfCves: number,
+  guidance: any
 ) => {
+  createSummaryMessage(numberOfVulnerableLibraries, numberOfCves)
+  console.log()
   const report = new ReportList()
   for (const library of libraries) {
@@ -91,7 +105,6 @@ export const printFormattedOutput = (
       ),
       library.cveArray
     )
     report.reportOutputList.push(newOutputModel)
   }
@@ -105,17 +118,40 @@ export const printFormattedOutput = (
         return reportListItem.compositeKey.numberOfSeverities
       }
     ],
-    ['desc']
+    ['asc', 'desc']
   )
-  let contrastHeaderNumCounter =
-    outputOrderedByLowestSeverityAndLowestNumOfCvesFirst.length + 1
+  let contrastHeaderNumCounter = 0
   for (const reportModel of outputOrderedByLowestSeverityAndLowestNumOfCvesFirst) {
-    contrastHeaderNumCounter--
+    contrastHeaderNumCounter++
     const { libraryName, libraryVersion, highestSeverity } =
       reportModel.compositeKey
     const numOfCVEs = reportModel.cveArray.length
+    const table = new Table({
+      chars: {
+        top: '',
+        'top-mid': '',
+        'top-left': '',
+        'top-right': '',
+        bottom: '',
+        'bottom-mid': '',
+        'bottom-left': '',
+        'bottom-right': '',
+        left: '',
+        'left-mid': '',
+        mid: '',
+        'mid-mid': '',
+        right: '',
+        'right-mid': '',
+        middle: ' '
+      },
+      style: { 'padding-left': 0, 'padding-right': 0 },
+      colAligns: ['right'],
+      wordWrap: true,
+      colWidths: [12, 1, 100]
+    })
     const header = buildHeader(
       highestSeverity,
       contrastHeaderNumCounter,
@@ -124,31 +160,36 @@ export const printFormattedOutput = (
       numOfCVEs
     )
-    const body = buildBody(reportModel.cveArray)
+    const advice = gatherRemediationAdvice(guidance, reportModel)
+    const body = buildBody(reportModel.cveArray, advice)
     const reportOutputModel = new ReportOutputModel(header, body)
+    table.push(
+      reportOutputModel.body.issueMessage,
+      reportOutputModel.body.issueMessageCves,
+      reportOutputModel.body.adviceMessage
+    )
     console.log(
       reportOutputModel.header.vulnMessage,
       reportOutputModel.header.introducesMessage
     )
-    console.log(reportOutputModel.body.issueMessage)
-    console.log(reportOutputModel.body.adviceMessage + '\n')
+    console.log(table.toString() + '\n')
   }
+  createSummaryMessage(numberOfVulnerableLibraries, numberOfCves)
   const {
     criticalMessage,
     highMessage,
     mediumMessage,
     lowMessage,
-    noteMessage,
-    total
-  } = buildFooter(libraries)
-  if (total > 1) {
-    console.log(
-      `${criticalMessage} | ${highMessage} | ${mediumMessage} | ${lowMessage} | ${noteMessage}`
-    )
-  }
+    noteMessage
+  } = buildFooter(outputOrderedByLowestSeverityAndLowestNumOfCvesFirst)
+  console.log(
+    `${criticalMessage} | ${highMessage} | ${mediumMessage} | ${lowMessage} | ${noteMessage}`
+  )
 }
 export function buildHeader(
@@ -168,14 +209,12 @@ export function buildHeader(
       `${formattedHeaderNum} - [${highestSeverity.severity}] ${libraryName}-${version}`
     )
-  const introducesMessage = chalk.bold(
-    `introduces ${numOfCVEs} ${vulnerabilityPluralised}`
-  )
+  const introducesMessage = `introduces ${numOfCVEs} ${vulnerabilityPluralised}`
   return new ReportOutputHeaderModel(vulnMessage, introducesMessage)
 }
-export function buildBody(cveArray: ReportCVEModel[]) {
+export function buildBody(cveArray: ReportCVEModel[], advice: any) {
   const cveMessages: string[] = []
   findCVESeveritiesAndOrderByHighestPriority(cveArray).forEach(
@@ -187,57 +226,57 @@ export function buildBody(cveArray: ReportCVEModel[]) {
         .hex(outputColour)
         .bold(`[${severity.charAt(0).toUpperCase()}]`)
-      const builtMessage = `${severityShorthand} ${cveName}`
+      const builtMessage = severityShorthand + cveName
       cveMessages.push(builtMessage)
     }
   )
   const numAndSeverityType = getNumOfAndSeverityType(cveArray)
-  const issueMessage = ` ${chalk.bold(
-    'Issue'
-  )}  : ${numAndSeverityType} ${cveMessages.join(', ')}.`
+  const issueMessage = [chalk.bold('Issue'), ':', `${numAndSeverityType}`]
+  const issueMessageCves = ['', '', cveMessages.join(', ')]
-  const adviceMessage = ` ${chalk.bold('Advice')} : ${chalk.bold(
-    'Update to latest version'
-  )}.`
+  //todo different advice based on remediationGuidance being available or now
+  // console.log(advice)
-  return new ReportOutputBodyModel(issueMessage, adviceMessage)
+  const displayAdvice = advice?.minimum
+    ? `Update to version ${chalk.bold(advice.minimum)}`
+    : `Update to latest version`
+  const adviceMessage = [chalk.bold('Advice'), ':', displayAdvice]
+  return new ReportOutputBodyModel(
+    issueMessage,
+    issueMessageCves,
+    adviceMessage
+  )
 }
-const buildFooter = (libraries: ReportLibraryModel[]) => {
-  const { critical, high, medium, low, note, getTotal } =
-    severityCountAllLibraries(libraries)
-  const criticalMessage = chalk
-    .hex(CRITICAL_COLOUR)
-    .bold(`${critical} Critical`)
-  const highMessage = chalk.hex(HIGH_COLOUR).bold(`${high} High`)
-  const mediumMessage = chalk.hex(MEDIUM_COLOUR).bold(`${medium} Medium`)
-  const lowMessage = chalk.hex(LOW_COLOUR).bold(`${low} Low`)
-  const noteMessage = chalk.hex(NOTE_COLOUR).bold(`${note} Note`)
+export function gatherRemediationAdvice(guidance: any, reportModel: any) {
+  const guidanceData = {
+    minimum: undefined,
+    maximum: undefined,
+    latest: undefined
+  }
-  return {
-    criticalMessage,
-    highMessage,
-    mediumMessage,
-    lowMessage,
-    noteMessage,
-    total: getTotal
+  const data =
+    guidance[
+      reportModel.compositeKey.libraryName +
+        '@' +
+        reportModel.compositeKey.libraryVersion
+    ]
+  if (data) {
+    guidanceData.minimum = data.minUpgradeVersion
+    guidanceData.maximum = data.maxUpgradeVersion
   }
+  return guidanceData
 }
 export function buildFormattedHeaderNum(contrastHeaderNum: number) {
-  let formattedHeaderNum
-  if (contrastHeaderNum < 10) {
-    formattedHeaderNum = `00${contrastHeaderNum}`
-  } else if (contrastHeaderNum >= 10 && contrastHeaderNum < 100) {
-    formattedHeaderNum = `0${contrastHeaderNum}`
-  } else if (contrastHeaderNum >= 100) {
-    formattedHeaderNum = contrastHeaderNum
-  }
-  return `CONTRAST-${formattedHeaderNum}`
+  return `CONTRAST-${contrastHeaderNum.toString().padStart(3, '0')}`
 }
 export function getNumOfAndSeverityType(cveArray: ReportCVEModel[]) {
@@ -257,3 +296,24 @@ export function getNumOfAndSeverityType(cveArray: ReportCVEModel[]) {
     .replace(/\s+/g, ' ')
     .trim()
 }
+const buildFooter = (reportModelStructure: ReportModelStructure[]) => {
+  const { critical, high, medium, low, note } =
+    countVulnerableLibrariesBySeverity(reportModelStructure)
+  const criticalMessage = chalk
+    .hex(CRITICAL_COLOUR)
+    .bold(`${critical} Critical`)
+  const highMessage = chalk.hex(HIGH_COLOUR).bold(`${high} High`)
+  const mediumMessage = chalk.hex(MEDIUM_COLOUR).bold(`${medium} Medium`)
+  const lowMessage = chalk.hex(LOW_COLOUR).bold(`${low} Low`)
+  const noteMessage = chalk.hex(NOTE_COLOUR).bold(`${note} Note`)
+  return {
+    criticalMessage,
+    highMessage,
+    mediumMessage,
+    lowMessage,
+    noteMessage
+  }
+}

package/src/audit/languageAnalysisEngine/report/models/reportOutputModel.ts CHANGED Viewed

@@ -19,11 +19,17 @@ export class ReportOutputHeaderModel {
 }
 export class ReportOutputBodyModel {
-  issueMessage: string
-  adviceMessage: string
+  issueMessage: string[]
+  issueMessageCves: string[]
+  adviceMessage: string[]
-  constructor(bodyIssueMessage: string, bodyAdviceMessage: string) {
-    this.issueMessage = bodyIssueMessage
-    this.adviceMessage = bodyAdviceMessage
+  constructor(
+    issueMessage: string[],
+    issueMessageCves: string[],
+    adviceMessage: string[]
+  ) {
+    this.issueMessage = issueMessage
+    this.issueMessageCves = issueMessageCves
+    this.adviceMessage = adviceMessage
   }
 }

package/src/audit/languageAnalysisEngine/report/reportingFeature.ts CHANGED Viewed

@@ -1,5 +1,4 @@
 import {
-  createLibraryHeader,
   getReport,
   printVulnerabilityResponse
 } from './commonReportingFunctions'
@@ -9,33 +8,51 @@ import {
 } from './utils/reportUtils'
 import i18n from 'i18n'
 import chalk from 'chalk'
+import * as constants from '../../../constants/constants'
-export async function vulnerabilityReport(
-  analysis: any,
-  applicationId: string,
-  reportId: string
-) {
-  const reportResponse = await getReport(analysis.config, reportId)
+export function convertKeysToStandardFormat(config: any, guidance: any) {
+  let convertedGuidance = guidance
-  if (reportResponse !== undefined) {
-    const id = applicationId
-    formatVulnerabilityOutput(
-      reportResponse.vulnerabilities,
-      id,
-      analysis.config
-    )
+  switch (config.language) {
+    case constants.supportedLanguages.JAVA:
+    case constants.supportedLanguages.GO:
+    case constants.supportedLanguages.PHP:
+      break
+    case constants.supportedLanguages.NODE:
+    case constants.supportedLanguages.DOTNET:
+    case constants.supportedLanguages.PYTHON:
+    case constants.supportedLanguages.RUBY:
+      convertedGuidance = convertJSDotNetPython(guidance)
+      break
   }
+  return convertedGuidance
+}
+export function convertJSDotNetPython(guidance: any) {
+  const returnObject = {}
+  Object.entries(guidance).forEach(([key, value]) => {
+    const splitKey = key.split('/')
+    if (splitKey.length === 2) {
+      // @ts-ignore
+      returnObject[splitKey[1]] = value
+    }
+  })
+  return returnObject
 }
 export function formatVulnerabilityOutput(
   libraryVulnerabilityResponse: any,
   id: string,
-  config: any
+  config: any,
+  remediationGuidance: any
 ) {
   const vulnerableLibraries = convertGenericToTypedLibraryVulns(
     libraryVulnerabilityResponse
   )
+  const guidance = convertKeysToStandardFormat(config, remediationGuidance)
   const numberOfVulnerableLibraries = vulnerableLibraries.length
   if (numberOfVulnerableLibraries === 0) {
@@ -59,11 +76,12 @@ export function formatVulnerabilityOutput(
     let numberOfCves = 0
     vulnerableLibraries.forEach(lib => (numberOfCves += lib.cveArray.length))
-    createLibraryHeader(id, numberOfVulnerableLibraries, numberOfCves)
     const hasSomeVulnerabilitiesReported = printVulnerabilityResponse(
+      config,
       vulnerableLibraries,
-      config
+      numberOfVulnerableLibraries,
+      numberOfCves,
+      guidance
     )
     return [
@@ -75,6 +93,7 @@ export function formatVulnerabilityOutput(
 }
 export async function vulnerabilityReportV2(config: any, reportId: string) {
+  console.log()
   const reportResponse = await getReport(config, reportId)
   if (reportResponse !== undefined) {
@@ -82,7 +101,10 @@ export async function vulnerabilityReportV2(config: any, reportId: string) {
     formatVulnerabilityOutput(
       reportResponse.vulnerabilities,
       config.applicationId,
-      config
+      config,
+      reportResponse.remediationGuidance
+        ? reportResponse.remediationGuidance
+        : {}
     )
   }
 }

package/src/audit/languageAnalysisEngine/report/utils/reportUtils.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import {
   ReportLibraryModel
 } from '../models/reportLibraryModel'
 import { ReportSeverityModel } from '../models/reportSeverityModel'
-import languageAnalysisEngine from '../../../languageAnalysisEngine/constants'
+import languageAnalysisEngine from './../../../../constants/constants'
 import {
   CRITICAL_COLOUR,
   CRITICAL_PRIORITY,
@@ -18,6 +18,7 @@ import {
 } from '../../../../constants/constants'
 import { orderBy } from 'lodash'
 import { SeverityCountModel } from '../models/severityCountModel'
+import { ReportModelStructure } from '../models/reportListModel'
 const {
   supportedLanguages: { GO }
 } = languageAnalysisEngine
@@ -122,11 +123,49 @@ export function findNameAndVersion(library: ReportLibraryModel, config: any) {
     return { name, version }
   } else {
-    const splitLibraryName = library.name.split('/')
-    const nameVersion = splitLibraryName[1].split('@')
-    const name = nameVersion[0]
+    //spreads items from split into set so no duplicates appear
+    const uniqueSplitLibraryName = [...new Set(library.name.split('/'))]
+    const nameVersion = uniqueSplitLibraryName[1].split('@')
+    let parentLibrary
+    let name
+    if (
+      uniqueSplitLibraryName[0] !== 'null' &&
+      uniqueSplitLibraryName[0] !== '' &&
+      !uniqueSplitLibraryName[1].includes(uniqueSplitLibraryName[0])
+    ) {
+      //if the parent lib (element 0) is not null, not blank and not already part of the library name
+      //e.g. shared-ini-file-loader-1.0.0-rc.3 is very generic - converts to @aws-sdk/shared-ini-file-loader-1.0.0-rc.3
+      parentLibrary = uniqueSplitLibraryName[0]
+      name = `${parentLibrary}/${nameVersion[0]}`
+    } else {
+      name = nameVersion[0]
+    }
     const version = nameVersion[1]
     return { name, version }
   }
 }
+export function countVulnerableLibrariesBySeverity(
+  reportModelStructure: ReportModelStructure[]
+) {
+  const severityCount = new SeverityCountModel()
+  reportModelStructure.forEach(vuln => {
+    const currentSeverity = vuln.compositeKey.highestSeverity.severity
+    if (currentSeverity === 'CRITICAL') {
+      severityCount.critical += 1
+    } else if (currentSeverity === 'HIGH') {
+      severityCount.high += 1
+    } else if (currentSeverity === 'MEDIUM') {
+      severityCount.medium += 1
+    } else if (currentSeverity === 'LOW') {
+      severityCount.low += 1
+    } else if (currentSeverity === 'NOTE') {
+      severityCount.note += 1
+    }
+  })
+  return severityCount
+}

package/src/audit/languageAnalysisEngine/sendSnapshot.js CHANGED Viewed

@@ -1,5 +1,3 @@
-const { handleResponseErrors } = require('../../common/errorHandling')
-const { APP_VERSION } = require('../../constants/constants')
 const commonApi = require('../../utils/commonApi')
 const _ = require('lodash')
 const oraFunctions = require('../../utils/oraWrapper')
@@ -8,30 +6,6 @@ const oraWrapper = require('../../utils/oraWrapper')
 const requestUtils = require('../../utils/requestUtils')
 const { performance } = require('perf_hooks')
-const newSendSnapShot = async analysis => {
-  const analysisLanguage = analysis.config.language.toLowerCase()
-  const requestBody = {
-    appID: analysis.config.applicationId,
-    cliVersion: APP_VERSION,
-    snapshot: { [analysisLanguage]: analysis[analysisLanguage] }
-  }
-  const client = commonApi.getHttpClient(analysis.config)
-  return client
-    .sendSnapshot(requestBody, analysis.config)
-    .then(res => {
-      if (res.statusCode === 201) {
-        return res.body
-      } else {
-        handleResponseErrors(res, 'snapshot')
-      }
-    })
-    .catch(err => {
-      console.log(err)
-    })
-}
 const pollSnapshotResults = async (config, snapshotId, client) => {
   await requestUtils.sleep(5000)
   return client
@@ -49,9 +23,9 @@ const getTimeout = config => {
     return config.timeout
   } else {
     if (config.verbose) {
-      console.log('Timeout set to 2 minutes')
+      console.log('Timeout set to 5 minutes')
     }
-    return 120
+    return 300
   }
 }
@@ -91,16 +65,16 @@ const pollForSnapshotCompletition = async (
       if (requestUtils.millisToSeconds(endTime) > timeout) {
         oraFunctions.failSpinner(
           reportSpinner,
-          'Contrast audit timed out at the specified ' + timeout + ' seconds.'
+          'Contrast audit timed out at the specified timeout of ' +
+            timeout +
+            ' seconds.'
         )
-        console.log('Please try again, allowing more time.')
-        process.exit(1)
+        throw new Error('You can update the timeout using --timeout')
       }
     }
   }
 }
 module.exports = {
-  newSendSnapShot: newSendSnapShot,
   pollForSnapshotCompletition: pollForSnapshotCompletition
 }

package/src/audit/save.js CHANGED Viewed

@@ -3,27 +3,43 @@ const i18n = require('i18n')
 const chalk = require('chalk')
 const save = require('../commands/audit/saveFile')
 const sbom = require('../sbom/generateSbom')
+const {
+  SBOM_CYCLONE_DX_FILE,
+  SBOM_SPDX_FILE
+} = require('../constants/constants')
 async function auditSave(config) {
-  if (config.save) {
-    if (config.save.toLowerCase() === 'sbom') {
-      save.saveFile(config, await sbom.generateSbom(config))
+  let fileFormat
+  switch (config.save) {
+    case null:
+    case SBOM_CYCLONE_DX_FILE:
+      fileFormat = SBOM_CYCLONE_DX_FILE
+      break
+    case SBOM_SPDX_FILE:
+      fileFormat = SBOM_SPDX_FILE
+      break
+    default:
+      break
+  }
-      const filename = `${config.applicationId}-sbom-cyclonedx.json`
-      if (fs.existsSync(filename)) {
-        console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`)
-      } else {
-        console.log(
-          chalk.yellow.bold(
-            `\n Unable to save ${filename} Software Bill of Materials (SBOM)`
-          )
-        )
-      }
+  if (fileFormat) {
+    save.saveFile(
+      config,
+      fileFormat,
+      await sbom.generateSbom(config, fileFormat)
+    )
+    const filename = `${config.applicationId}-sbom-${fileFormat}.json`
+    if (fs.existsSync(filename)) {
+      console.log(i18n.__('auditSBOMSaveSuccess') + ` - ${filename}`)
     } else {
-      console.log(i18n.__('auditBadFiletypeSpecifiedForSave'))
+      console.log(
+        chalk.yellow.bold(
+          `\n Unable to save ${filename} Software Bill of Materials (SBOM)`
+        )
+      )
     }
-  } else if (config.save === null) {
-    console.log(i18n.__('auditNoFiletypeSpecifiedForSave'))
+  } else {
+    console.log(i18n.__('auditBadFiletypeSpecifiedForSave'))
   }
 }

package/src/commands/audit/auditConfig.ts CHANGED Viewed

@@ -1,15 +1,6 @@
 import paramHandler from '../../utils/paramsUtil/paramHandler'
 import constants from '../../constants'
 import cliOptions from '../../utils/parsedCLIOptions'
-import languageAnalysisEngine from '../../audit/languageAnalysisEngine/constants'
-import {
-  determineProjectLanguage,
-  identifyLanguages
-} from '../../audit/autodetection/autoDetectLanguage'
-const {
-  supportedLanguages: { NODE, JAVASCRIPT }
-} = languageAnalysisEngine
 export const getAuditConfig = (argv: string[]): { [key: string]: string } => {
   const auditParameters = cliOptions.getCommandLineArgsCustom(
@@ -18,22 +9,6 @@ export const getAuditConfig = (argv: string[]): { [key: string]: string } => {
   )
   const paramsAuth = paramHandler.getAuth(auditParameters)
-  if (
-    auditParameters.language === undefined ||
-    auditParameters.language === null
-  ) {
-    try {
-      auditParameters.language = determineProjectLanguage(
-        identifyLanguages(auditParameters)
-      )
-    } catch (err: any) {
-      console.log(err.message)
-      process.exit(1)
-    }
-  } else if (auditParameters.language.toUpperCase() === JAVASCRIPT) {
-    auditParameters.language = NODE.toLowerCase()
-  }
   // @ts-ignore
   return { ...paramsAuth, ...auditParameters }
 }