@contrast/contrast 2.0.0 → 2.0.2-beta.0

package/dist/common/baseRequest.js

@@ -0,0 +1,74 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildBaseRequestOptions = exports.gotInstance = void 0;
+const hpagent_1 = require("hpagent");
+const fs_1 = __importDefault(require("fs"));
+const got_1 = __importDefault(require("got"));
+function gotInstance(config) {
+    return got_1.default.extend({ retry: { limit: 0 }, ...buildBaseRequestOptions(config) });
+}
+exports.gotInstance = gotInstance;
+function buildBaseRequestOptions(config) {
+    const { apiKey, authorization } = config;
+    const rejectUnauthorized = !config.certSelfSigned;
+    const superApiKey = config.superApiKey;
+    const superAuthToken = config.superAuthorization;
+    const requestOptions = {
+        responseType: 'json',
+        forever: true,
+        uri: config.host,
+        followRedirect: false,
+        headers: {
+            'Content-Type': 'application/json; charset=utf-8',
+            Authorization: authorization,
+            'API-Key': apiKey,
+            SuperAuthorization: superAuthToken,
+            'Super-API-Key': superApiKey,
+            'User-Agent': 'contrast-cli-v2'
+        },
+        agent: getAgent(config)
+    };
+    requestOptions.https = {
+        rejectUnauthorized: rejectUnauthorized
+    };
+    maybeAddCertsToRequest(config, requestOptions.https);
+    return requestOptions;
+}
+exports.buildBaseRequestOptions = buildBaseRequestOptions;
+function getAgent(config) {
+    return config.proxy
+        ? new hpagent_1.HttpsProxyAgent({ proxy: config.proxy })
+        : false;
+}
+function maybeAddCertsToRequest(config, https) {
+    const caCertFilePath = config.cacert;
+    if (caCertFilePath) {
+        try {
+            https.certificateAuthority = fs_1.default.readFileSync(caCertFilePath);
+        }
+        catch (error) {
+            throw new Error(`Unable to read CA from ${caCertFilePath}, msg: ${error.message}`);
+        }
+    }
+    const certPath = config.cert;
+    if (certPath) {
+        try {
+            https.certificate = fs_1.default.readFileSync(certPath);
+        }
+        catch (error) {
+            throw new Error(`Unable to read Certificate PEM file from config option contrast.api.certificate.cert_file='${certPath}', msg: ${error.message}`);
+        }
+    }
+    const keyPath = config.key;
+    if (keyPath) {
+        try {
+            https.key = fs_1.default.readFileSync(keyPath);
+        }
+        catch (error) {
+            throw new Error(`Unable to read Key PEM file from config option contrast.api.certificate.key_file='${keyPath}', msg: ${error.message}`);
+        }
+    }
+}

package/dist/common/errorHandling.js

@@ -37,7 +37,7 @@ const maxAppError = () => {
     process.exit(1);
 };
 const parametersError = () => {
-    generalError(`Values not recognised`, 'Check your command & keys again for hidden characters.\nFor more information use contrast help.');
+    generalError(`Credentials not recognized`, 'Check your command & keys again for hidden characters / verify that the credentials are correct.\nFor more information use contrast help.');
     process.exit(1);
 };
 const invalidHostNameError = () => {

package/dist/constants/constants.js

@@ -12,7 +12,7 @@ const MEDIUM = 'MEDIUM';
 const HIGH = 'HIGH';
 const CRITICAL = 'CRITICAL';
 const APP_NAME = 'contrast';
-const APP_VERSION = '2.0.0';
+const APP_VERSION = '2.0.2-beta.0';
 const TIMEOUT = 120000;
 const HIGH_COLOUR = '#ff9900';
 const CRITICAL_COLOUR = '#e35858';

package/dist/index.js

@@ -17,6 +17,7 @@ const versionChecker_1 = require("./common/versionChecker");
 const errorHandling_1 = require("./common/errorHandling");
 const telemetry_1 = require("./telemetry/telemetry");
 const processLearn_1 = require("./commands/learn/processLearn");
+const processFingerprint_1 = require("./commands/github/processFingerprint");
 const { commandLineDefinitions: { mainUsageGuide, mainDefinition } } = cliConstants_1.default;
 const config = (0, getConfig_1.localConfig)(constants_1.APP_NAME, constants_1.APP_VERSION);
 const getMainOption = () => {
@@ -65,6 +66,9 @@ const start = async () => {
             if (command === 'audit') {
                 return await (0, processAudit_1.processAudit)(config, argvMain);
             }
+            if (command === 'fingerprint') {
+                return await (0, processFingerprint_1.processFingerprint)(config, argvMain);
+            }
             if (command === 'learn') {
                 return (0, processLearn_1.processLearn)();
             }

package/dist/scaAnalysis/common/auditReport.js

@@ -2,11 +2,18 @@
 const { getSeverityCounts, printNoVulnFoundMsg } = require('../../audit/report/commonReportingFunctions');
 const common = require('../../common/fail');
 const { printFormattedOutputSca } = require('./commonReportingFunctionsSca');
-const processAuditReport = (config, reportModelList) => {
+const { auditSave } = require('../../audit/save');
+const processAuditReport = async (config, reportModelList, reportId) => {
     let severityCounts = {};
     if (reportModelList !== undefined) {
         severityCounts = formatScaServicesReport(config, reportModelList);
     }
+    if (config.save !== undefined) {
+        await auditSave(config, reportId);
+    }
+    else {
+        console.log('Use contrast audit --save to generate an SBOM');
+    }
     if (config.fail) {
         common.processFail(config, severityCounts);
     }

package/dist/scaAnalysis/common/scaServicesUpload.js

@@ -11,8 +11,10 @@ const scaTreeUpload = async (analysis, config, reportSpinner) => {
     config.language = config.language === 'JAVASCRIPT' ? 'NODE' : config.language;
     const startTime = performance.now();
     const timeout = commonApi.getTimeout(config);
+    const doINeedParent = config.repositoryId && config.language === 'JAVA';
     const requestBody = {
-        dependencyTree: analysis,
+        parentPom: doINeedParent ? analysis.parentPom : null,
+        dependencyTree: doINeedParent ? analysis.dependencyTree : analysis,
         organizationId: config.organizationId,
         language: config.language,
         tool: {

package/dist/scaAnalysis/go/goReadDepFile.js

@@ -5,7 +5,10 @@ const getGoDependencies = config => {
     let cmdStdout;
     let cwd = config.file ? config.file.replace('go.mod', '') : process.cwd();
     try {
-        cmdStdout = child_process.execSync('go mod graph', { cwd });
+        cmdStdout = child_process.execSync('go mod graph', {
+            cwd: cwd,
+            maxBuffer: 50 * 1024 * 1024
+        });
         return cmdStdout.toString();
     }
     catch (err) {
@@ -14,6 +17,7 @@ const getGoDependencies = config => {
                 '\n\n*************** No transitive dependencies ***************\n\nWe are unable to build a dependency tree view from your repository as there were no transitive dependencies found.';
         }
         console.log(i18n.__('goReadProjectFile', cwd, `${err.message ? err.message : ''}`));
+        process.exit(1);
     }
 };
 module.exports = {

package/dist/scaAnalysis/java/analysis.js

@@ -24,7 +24,7 @@ const determineProjectTypeAndCwd = (files, config) => {
 };
 const buildMaven = (config, projectData, timeout) => {
     let command = 'mvn';
-    let args = ['dependency:tree', '-B'];
+    let args = ['dependency:tree', '-B', '-Dscope=runtime'];
     if (config.mavenSettingsPath) {
         args.push('-s');
         args.push(config.mavenSettingsPath);

package/dist/scaAnalysis/java/javaBuildDepsParser.js

@@ -119,7 +119,7 @@ const computeRelationToLastElement = element => {
     }
 };
 const stripElement = element => {
-    return element
+    const initialStrippedElement = element
         .replace(/[|]/g, '')
         .replace('+---', '')
         .replace('\\---', '')
@@ -127,6 +127,16 @@ const stripElement = element => {
         .replace('(c)', '')
         .replace('->', '@')
         .replace('(*)', '');
+    const splitElements = initialStrippedElement.split(':');
+    if (splitElements[2] !== undefined &&
+        splitElements[2] !== null &&
+        splitElements[2].includes('@')) {
+        const splitVersions = splitElements[2].split('@');
+        return initialStrippedElement
+            .replace(':' + splitVersions[0], '')
+            .replace('@', ':');
+    }
+    return initialStrippedElement;
 };
 const checkVersion = element => {
     let version = element.split(':');

package/dist/scaAnalysis/legacy/legacyFlow.js

@@ -18,12 +18,6 @@ const legacyFlow = async (config, messageToSend) => {
     await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner);
     succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'));
     await vulnerabilityReportV2(config, snapshotResponse.id);
-    if (config.save !== undefined) {
-        await auditSave(config);
-    }
-    else {
-        console.log('\nUse contrast audit --save to generate an SBOM');
-    }
     const endTime = performance.now() - startTime;
     const scanDurationMs = endTime - startTime;
     console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`);

package/dist/scaAnalysis/processServicesFlow.js

@@ -1,21 +1,60 @@
 "use strict";
 const projectConfig = require('../commands/github/projectGroup');
+const repoService = require('../commands/github/repoServices');
 const scaServicesUpload = require('../scaAnalysis/common/scaServicesUpload');
-const processUpload = async (analysis, config, reportSpinner) => {
+const dealWithNoProjectId = async (analysis, config, reportSpinner) => {
+    await projectConfig.registerNewProjectGroup(config);
+    let projectId = await projectConfig.getProjectIdByOrg(config);
+    await projectConfig.registerProjectIdOnCliServices(config, projectId);
+    config.projectId = projectId;
+    return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner);
+};
+const repoProcess = async (analysis, config, reportSpinner) => {
+    if (config.debug || config.verbose) {
+        console.log('in repository process');
+        console.log('repository id: ', config.repositoryId);
+    }
+    if (config.repositoryId === '') {
+        console.log('Failed to retrieve Repository Id');
+        process.exit(1);
+    }
+    let repoInfo = await repoService.retrieveProjectInfoViaRepoId(config);
+    repoInfo = repoInfo.find(element => config.fileName === element.path &&
+        config.fileName === element.name &&
+        config.projectGroupId === element.projectGroupId);
+    if (config.projectGroupId &&
+        !repoInfo?.projectId &&
+        (repoInfo === undefined || repoInfo.length === 0)) {
+        console.log('*** has projectGroupId, no projectId and repo has no project found that matches');
+        repoInfo = await projectConfig.registerProjectWithGroupProjectId(config);
+        console.log('new registered group', repoInfo);
+        const language = repoInfo.language === 'JAVASCRIPT' ? 'NODE' : repoInfo.language;
+        await projectConfig.registerProjectIdOnCliServices(config, repoInfo.projectId);
+    }
+    config.projectId = repoInfo.projectId;
+    return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner);
+};
+const trackProcess = async (analysis, config, reportSpinner) => {
     let projectId = await projectConfig.getProjectIdByOrg(config);
     if (projectId === '') {
-        if (config.track === true) {
-            await projectConfig.registerNewProjectGroup(config);
-            projectId = await projectConfig.getProjectIdByOrg(config);
-        }
-        if (config.track === false || config.track === undefined) {
-            return await scaServicesUpload.noProjectUpload(analysis, config, reportSpinner);
-        }
+        return dealWithNoProjectId(analysis, config, reportSpinner);
     }
-    await projectConfig.registerProjectIdOnCliServices(config, projectId);
     config.projectId = projectId;
+    await projectConfig.registerProjectIdOnCliServices(config, projectId);
     return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner);
 };
+const processUpload = async (analysis, config, reportSpinner) => {
+    if (config.repositoryId) {
+        return repoProcess(analysis, config, reportSpinner);
+    }
+    if (config.track) {
+        return trackProcess(analysis, config, reportSpinner);
+    }
+    if (!config.track) {
+        return await scaServicesUpload.noProjectUpload(analysis, config, reportSpinner);
+    }
+};
 module.exports = {
-    processUpload
+    processUpload,
+    repoProcess
 };

package/dist/scaAnalysis/repoMode/mavenParser.js

@@ -56,7 +56,25 @@ const parsePomFile = jsonPomFile => {
         };
         dependencyTree[depName] = parsedDependency;
     }
-    return dependencyTree;
+    const retrieveParent = getParentDependency(jsonPomFile);
+    return {
+        parentPom: retrieveParent,
+        dependencyTree
+    };
+};
+const getParentDependency = jsonPomFile => {
+    let parent = {};
+    jsonPomFile.project.hasOwnProperty('parent')
+        ? (parent = buildParent(jsonPomFile.project.parent))
+        : (parent = undefined);
+    return parent;
+};
+const buildParent = parent => {
+    return {
+        group: parent[0].groupId[0],
+        name: parent[0].artifactId[0],
+        version: parent[0].version[0]
+    };
 };
 const getVersion = (pomFile, dependencyWithoutVersion) => {
     let parentVersion = pomFile.project.parent[0].version[0];

package/dist/scaAnalysis/scaAnalysis.js

@@ -5,7 +5,6 @@ const autoDetection = require('../scan/autoDetection');
 const rootFile = require('../audit/languageAnalysisEngine/getProjectRootFilenames');
 const path = require('path');
 const i18n = require('i18n');
-const auditSave = require('../audit/save');
 const { auditUsageGuide } = require('../commands/audit/help');
 const repoMode = require('./repoMode');
 const { dotNetAnalysis } = require('./dotnet');
@@ -27,6 +26,7 @@ const processSca = async (config) => {
         console.log(auditUsageGuide);
         process.exit(0);
     }
+    config.repo = config.repositoryId !== undefined;
     const projectStats = await rootFile.getProjectStats(config.file);
     let pathWithFile = projectStats.isFile();
     config.fileName = config.file;
@@ -34,12 +34,14 @@ const processSca = async (config) => {
         ? rootFile.getDirectoryFromPathGiven(config.file).concat('/')
         : config.file;
     filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config.file);
+    filesFound = await autoDetection.detectPackageManager(filesFound);
     autoDetection.dealWithMultiJava(filesFound);
     if (filesFound.length > 1 && pathWithFile) {
         filesFound = filesFound.filter(i => Object.values(i)[0].includes(path.basename(config.fileName)));
     }
     let messageToSend = undefined;
     if (filesFound.length === 1) {
+        config.packageManager = filesFound[0]?.packageManager;
         switch (Object.keys(filesFound[0])[0]) {
             case JAVA:
                 config.language = JAVA;
@@ -99,13 +101,7 @@ const processSca = async (config) => {
             startSpinner(reportSpinner);
             let reportResponse = await processServices.processUpload(messageToSend, config, reportSpinner);
             const reportModelLibraryList = convertGenericToTypedReportModelSca(reportResponse.reportArray);
-            auditReport.processAuditReport(config, reportModelLibraryList);
-            if (config.save !== undefined) {
-                await auditSave.auditSave(config, reportResponse.reportId);
-            }
-            else {
-                console.log('Use contrast audit --save to generate an SBOM');
-            }
+            await auditReport.processAuditReport(config, reportModelLibraryList, reportResponse.reportId);
             succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'));
             const endTime = performance.now() - startTime;
             const scanDurationMs = endTime - startTime;

package/dist/scan/autoDetection.js

@@ -2,13 +2,20 @@
 const i18n = require('i18n');
 const fileFinder = require('./fileUtils');
 const { supportedLanguages: { JAVA, GO, PYTHON, RUBY, JAVASCRIPT, NODE, PHP, DOTNET } } = require('../constants/constants');
-const autoDetectFingerprintInfo = async (filePath, depth) => {
+const autoDetectFingerprintInfo = async (filePath, depth, config) => {
     let complexObj = await fileFinder.findAllFiles(filePath, depth);
     let result = [];
     let count = 0;
     complexObj.forEach(i => {
         count++;
-        result.push({ filePath: i, id: count.toString() });
+        if (!i.includes('package.json')) {
+            result.push({
+                filePath: i,
+                id: count.toString(),
+                repositoryId: config.repositoryId,
+                projectGroupId: config.projectGroupId
+            });
+        }
     });
     return result;
 };
@@ -26,7 +33,7 @@ const detectPackageManager = async (array) => {
             i['language'] = JAVA;
             i['packageManager'] = 'GRADLE';
         }
-        if (i.filePath.includes('package.json')) {
+        if (i.filePath.includes('package-lock.json')) {
             i['language'] = JAVASCRIPT;
             i['packageManager'] = 'NPM';
         }
@@ -36,15 +43,19 @@ const detectPackageManager = async (array) => {
         }
         if (i.filePath.includes('Pipfile')) {
             i['language'] = PYTHON;
+            i['packageManager'] = 'PYPI';
         }
         if (i.filePath.includes('csproj')) {
             i['language'] = DOTNET;
+            i['packageManager'] = 'NUGET';
         }
         if (i.filePath.includes('Gemfile')) {
             i['language'] = RUBY;
+            i['packageManager'] = 'RUBYGEMS';
         }
         if (i.filePath.includes('go.mod')) {
             i['language'] = GO;
+            i['packageManager'] = 'PKG';
         }
     });
     return array;

package/dist/scan/fileUtils.js

@@ -16,6 +16,7 @@ const findAllFiles = async (filePath, depth = 2) => {
         '**/build.gradle',
         '**/build.gradle.kts',
         '**/package.json',
+        '**/package-lock.json',
         '**/yarn.lock',
         '**/Pipfile',
         '**/*.csproj',
@@ -41,79 +42,92 @@ const findFilesJava = async (languagesFound, filePath, depth = 1) => {
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ JAVA: result, language: 'JAVA' });
+        let lockFile = result.find(i => i.includes('pom') || i.includes('gradle'));
+        return languagesFound.push({
+            JAVA: result,
+            language: 'JAVA',
+            filePath: lockFile
+        });
     }
     return languagesFound;
 };
-const findFilesJavascript = async (languagesFound, filePath) => {
+const findFilesJavascript = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/package.json', '**/yarn.lock', '**/package-lock.json'], {
         dot: false,
-        deep: 1,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ JAVASCRIPT: result, language: 'JAVASCRIPT' });
+        let lockFile = result.find(i => i.includes('lock'));
+        return languagesFound.push({
+            JAVASCRIPT: result,
+            language: 'JAVASCRIPT',
+            filePath: lockFile
+        });
     }
     return languagesFound;
 };
-const findFilesPython = async (languagesFound, filePath) => {
+const findFilesPython = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/Pipfile.lock', '**/Pipfile'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ PYTHON: result });
+        return languagesFound.push({ PYTHON: result, filePath: 'Pipfile' });
     }
     return languagesFound;
 };
-const findFilesGo = async (languagesFound, filePath) => {
+const findFilesGo = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/go.mod'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ GO: result });
+        return languagesFound.push({ GO: result, filePath: 'go.mod' });
     }
     return languagesFound;
 };
-const findFilesRuby = async (languagesFound, filePath) => {
+const findFilesRuby = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/Gemfile', '**/Gemfile.lock'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ RUBY: result });
+        return languagesFound.push({ RUBY: result, filePath: 'Gemfile' });
     }
     return languagesFound;
 };
-const findFilesPhp = async (languagesFound, filePath) => {
+const findFilesPhp = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/composer.json', '**/composer.lock'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ PHP: result });
+        return languagesFound.push({ PHP: result, filePath: 'composer.lock' });
     }
     return languagesFound;
 };
-const findFilesDotNet = async (languagesFound, filePath) => {
+const findFilesDotNet = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/*.csproj', '**/packages.lock.json'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ DOTNET: result });
+        return languagesFound.push({
+            DOTNET: result,
+            filePath: 'packages.lock.json'
+        });
     }
     return languagesFound;
 };

package/dist/utils/paramsUtil/paramHandler.js

@@ -2,7 +2,7 @@
 const commandlineAuth = require('./commandlineParams');
 const configStoreParams = require('./configStoreParams');
 const envVariableParams = require('./envVariableParams');
-const { validateAuthParams } = require('../validationCheck');
+const { validateAuthParams, validateFingerprintParams } = require('../validationCheck');
 const i18n = require('i18n');
 const getAuth = params => {
     let commandLineAuthParamsAuth = commandlineAuth.getAuth(params);
@@ -22,4 +22,13 @@ const getAuth = params => {
         process.exit(1);
     }
 };
-module.exports = { getAuth };
+const getFingerprint = params => {
+    if (validateFingerprintParams(params)) {
+        return params;
+    }
+    else {
+        console.log('missing fingerprint params please check repository-url and repository-name');
+        process.exit(1);
+    }
+};
+module.exports = { getAuth, getFingerprint };

package/dist/utils/validationCheck.js

@@ -19,8 +19,12 @@ const validateAuthParams = params => {
         params.host &&
         params.authorization);
 };
+const validateFingerprintParams = params => {
+    return !!(params.repositoryUrl && params.repositoryName);
+};
 module.exports = {
     checkConfigHasRequiredValues: checkConfigHasRequiredValues,
     validateAuthParams: validateAuthParams,
-    validateRequiredScanParams: validateRequiredScanParams
+    validateRequiredScanParams: validateRequiredScanParams,
+    validateFingerprintParams: validateFingerprintParams
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "2.0.0",
+  "version": "2.0.2-beta.0",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -61,7 +61,9 @@
     "cross-spawn": "^7.0.3",
     "dotenv": "^16.0.0",
     "fast-glob": "^3.2.11",
+    "got": "11.8.6",
     "gradle-to-js": "^2.0.1",
+    "hpagent": "^1.2.0",
     "i18n": "^0.15.1",
     "js-yaml": "^4.1.0",
     "lodash": "^4.17.21",
@@ -74,7 +76,7 @@
     "string-builder": "^0.1.8",
     "string-multiple-replace": "^1.0.5",
     "tmp": "^0.2.1",
-    "xml2js": "^0.4.23",
+    "xml2js": "^0.5.0",
     "yarn-lockfile": "^1.1.1"
   },
   "devDependencies": {
@@ -93,8 +95,9 @@
     "eslint-plugin-prettier": "^4.2.1",
     "husky": "^3.1.0",
     "jest": "^27.5.1",
-    "jest-junit": "^13.2.0",
+    "jest-junit": "^16.0.0",
     "mocha": "^10.2.0",
+    "nock": "^13.3.0",
     "npm-license-crawler": "^0.2.1",
     "nyc": "^15.1.0",
     "pkg": "^5.6.0",

package/src/audit/report/reportingFeature.ts

@@ -12,6 +12,7 @@ import chalk from 'chalk'
 import * as constants from '../../constants/constants'
 import { SeverityCountModel } from './models/severityCountModel'
 import * as common from '../../common/fail'
+import { auditSave } from '../save'
 
 export function convertKeysToStandardFormat(config: any, guidance: any) {
   let convertedGuidance = guidance
@@ -96,6 +97,12 @@ export async function vulnerabilityReportV2(config: any, reportId: string) {
         : {}
     )
 
+    if (config.save !== undefined) {
+      await auditSave(config)
+    } else {
+      console.log('\nUse contrast audit --save to generate an SBOM')
+    }
+
     if (config.fail) {
       common.processFail(config, output[2])
     }