@contrast/contrast 2.0.1 → 2.0.2-beta.0

package/dist/scaAnalysis/common/scaServicesUpload.js

@@ -11,8 +11,10 @@ const scaTreeUpload = async (analysis, config, reportSpinner) => {
     config.language = config.language === 'JAVASCRIPT' ? 'NODE' : config.language;
     const startTime = performance.now();
     const timeout = commonApi.getTimeout(config);
+    const doINeedParent = config.repositoryId && config.language === 'JAVA';
     const requestBody = {
-        dependencyTree: analysis,
+        parentPom: doINeedParent ? analysis.parentPom : null,
+        dependencyTree: doINeedParent ? analysis.dependencyTree : analysis,
         organizationId: config.organizationId,
         language: config.language,
         tool: {

package/dist/scaAnalysis/go/goReadDepFile.js

@@ -5,7 +5,10 @@ const getGoDependencies = config => {
     let cmdStdout;
     let cwd = config.file ? config.file.replace('go.mod', '') : process.cwd();
     try {
-        cmdStdout = child_process.execSync('go mod graph', { cwd });
+        cmdStdout = child_process.execSync('go mod graph', {
+            cwd: cwd,
+            maxBuffer: 50 * 1024 * 1024
+        });
         return cmdStdout.toString();
     }
     catch (err) {
@@ -14,6 +17,7 @@ const getGoDependencies = config => {
                 '\n\n*************** No transitive dependencies ***************\n\nWe are unable to build a dependency tree view from your repository as there were no transitive dependencies found.';
         }
         console.log(i18n.__('goReadProjectFile', cwd, `${err.message ? err.message : ''}`));
+        process.exit(1);
     }
 };
 module.exports = {

package/dist/scaAnalysis/java/analysis.js

@@ -24,7 +24,7 @@ const determineProjectTypeAndCwd = (files, config) => {
 };
 const buildMaven = (config, projectData, timeout) => {
     let command = 'mvn';
-    let args = ['dependency:tree', '-B'];
+    let args = ['dependency:tree', '-B', '-Dscope=runtime'];
     if (config.mavenSettingsPath) {
         args.push('-s');
         args.push(config.mavenSettingsPath);

package/dist/scaAnalysis/java/javaBuildDepsParser.js

@@ -119,7 +119,7 @@ const computeRelationToLastElement = element => {
     }
 };
 const stripElement = element => {
-    return element
+    const initialStrippedElement = element
         .replace(/[|]/g, '')
         .replace('+---', '')
         .replace('\\---', '')
@@ -127,6 +127,16 @@ const stripElement = element => {
         .replace('(c)', '')
         .replace('->', '@')
         .replace('(*)', '');
+    const splitElements = initialStrippedElement.split(':');
+    if (splitElements[2] !== undefined &&
+        splitElements[2] !== null &&
+        splitElements[2].includes('@')) {
+        const splitVersions = splitElements[2].split('@');
+        return initialStrippedElement
+            .replace(':' + splitVersions[0], '')
+            .replace('@', ':');
+    }
+    return initialStrippedElement;
 };
 const checkVersion = element => {
     let version = element.split(':');

package/dist/scaAnalysis/legacy/legacyFlow.js

@@ -18,12 +18,6 @@ const legacyFlow = async (config, messageToSend) => {
     await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner);
     succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'));
     await vulnerabilityReportV2(config, snapshotResponse.id);
-    if (config.save !== undefined) {
-        await auditSave(config);
-    }
-    else {
-        console.log('\nUse contrast audit --save to generate an SBOM');
-    }
     const endTime = performance.now() - startTime;
     const scanDurationMs = endTime - startTime;
     console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`);

package/dist/scaAnalysis/processServicesFlow.js

@@ -1,7 +1,8 @@
 "use strict";
 const projectConfig = require('../commands/github/projectGroup');
+const repoService = require('../commands/github/repoServices');
 const scaServicesUpload = require('../scaAnalysis/common/scaServicesUpload');
-const trackProcess = async (analysis, config, reportSpinner) => {
+const dealWithNoProjectId = async (analysis, config, reportSpinner) => {
     await projectConfig.registerNewProjectGroup(config);
     let projectId = await projectConfig.getProjectIdByOrg(config);
     await projectConfig.registerProjectIdOnCliServices(config, projectId);
@@ -9,31 +10,51 @@ const trackProcess = async (analysis, config, reportSpinner) => {
     return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner);
 };
 const repoProcess = async (analysis, config, reportSpinner) => {
-    let repoInfo = repoService.retrieveRepoId(config);
-    if (repoInfo.repoId === '') {
-        repoInfo = repoService.registerRepo(config);
+    if (config.debug || config.verbose) {
+        console.log('in repository process');
+        console.log('repository id: ', config.repositoryId);
     }
-    await projectConfig.registerProjectIdOnCliServices(config, repoInfo.projectId);
-    return repoInfo;
-};
-const dealWithNoProjectId = async (analysis, config, reportSpinner) => {
-    if (config.track) {
-        return trackProcess(analysis, config, reportSpinner);
+    if (config.repositoryId === '') {
+        console.log('Failed to retrieve Repository Id');
+        process.exit(1);
     }
-    if (!config.track) {
-        return await scaServicesUpload.noProjectUpload(analysis, config, reportSpinner);
+    let repoInfo = await repoService.retrieveProjectInfoViaRepoId(config);
+    repoInfo = repoInfo.find(element => config.fileName === element.path &&
+        config.fileName === element.name &&
+        config.projectGroupId === element.projectGroupId);
+    if (config.projectGroupId &&
+        !repoInfo?.projectId &&
+        (repoInfo === undefined || repoInfo.length === 0)) {
+        console.log('*** has projectGroupId, no projectId and repo has no project found that matches');
+        repoInfo = await projectConfig.registerProjectWithGroupProjectId(config);
+        console.log('new registered group', repoInfo);
+        const language = repoInfo.language === 'JAVASCRIPT' ? 'NODE' : repoInfo.language;
+        await projectConfig.registerProjectIdOnCliServices(config, repoInfo.projectId);
     }
+    config.projectId = repoInfo.projectId;
+    return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner);
 };
-const processUpload = async (analysis, config, reportSpinner) => {
+const trackProcess = async (analysis, config, reportSpinner) => {
     let projectId = await projectConfig.getProjectIdByOrg(config);
     if (projectId === '') {
         return dealWithNoProjectId(analysis, config, reportSpinner);
     }
-    if (projectId) {
-        config.projectId = projectId;
-        return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner);
+    config.projectId = projectId;
+    await projectConfig.registerProjectIdOnCliServices(config, projectId);
+    return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner);
+};
+const processUpload = async (analysis, config, reportSpinner) => {
+    if (config.repositoryId) {
+        return repoProcess(analysis, config, reportSpinner);
+    }
+    if (config.track) {
+        return trackProcess(analysis, config, reportSpinner);
+    }
+    if (!config.track) {
+        return await scaServicesUpload.noProjectUpload(analysis, config, reportSpinner);
     }
 };
 module.exports = {
-    processUpload
+    processUpload,
+    repoProcess
 };

package/dist/scaAnalysis/repoMode/mavenParser.js

@@ -56,7 +56,25 @@ const parsePomFile = jsonPomFile => {
         };
         dependencyTree[depName] = parsedDependency;
     }
-    return dependencyTree;
+    const retrieveParent = getParentDependency(jsonPomFile);
+    return {
+        parentPom: retrieveParent,
+        dependencyTree
+    };
+};
+const getParentDependency = jsonPomFile => {
+    let parent = {};
+    jsonPomFile.project.hasOwnProperty('parent')
+        ? (parent = buildParent(jsonPomFile.project.parent))
+        : (parent = undefined);
+    return parent;
+};
+const buildParent = parent => {
+    return {
+        group: parent[0].groupId[0],
+        name: parent[0].artifactId[0],
+        version: parent[0].version[0]
+    };
 };
 const getVersion = (pomFile, dependencyWithoutVersion) => {
     let parentVersion = pomFile.project.parent[0].version[0];

package/dist/scaAnalysis/scaAnalysis.js

@@ -5,7 +5,6 @@ const autoDetection = require('../scan/autoDetection');
 const rootFile = require('../audit/languageAnalysisEngine/getProjectRootFilenames');
 const path = require('path');
 const i18n = require('i18n');
-const auditSave = require('../audit/save');
 const { auditUsageGuide } = require('../commands/audit/help');
 const repoMode = require('./repoMode');
 const { dotNetAnalysis } = require('./dotnet');
@@ -27,6 +26,7 @@ const processSca = async (config) => {
         console.log(auditUsageGuide);
         process.exit(0);
     }
+    config.repo = config.repositoryId !== undefined;
     const projectStats = await rootFile.getProjectStats(config.file);
     let pathWithFile = projectStats.isFile();
     config.fileName = config.file;
@@ -34,12 +34,14 @@ const processSca = async (config) => {
         ? rootFile.getDirectoryFromPathGiven(config.file).concat('/')
         : config.file;
     filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config.file);
+    filesFound = await autoDetection.detectPackageManager(filesFound);
     autoDetection.dealWithMultiJava(filesFound);
     if (filesFound.length > 1 && pathWithFile) {
         filesFound = filesFound.filter(i => Object.values(i)[0].includes(path.basename(config.fileName)));
     }
     let messageToSend = undefined;
     if (filesFound.length === 1) {
+        config.packageManager = filesFound[0]?.packageManager;
         switch (Object.keys(filesFound[0])[0]) {
             case JAVA:
                 config.language = JAVA;
@@ -99,13 +101,7 @@ const processSca = async (config) => {
             startSpinner(reportSpinner);
             let reportResponse = await processServices.processUpload(messageToSend, config, reportSpinner);
             const reportModelLibraryList = convertGenericToTypedReportModelSca(reportResponse.reportArray);
-            auditReport.processAuditReport(config, reportModelLibraryList);
-            if (config.save !== undefined) {
-                await auditSave.auditSave(config, reportResponse.reportId);
-            }
-            else {
-                console.log('Use contrast audit --save to generate an SBOM');
-            }
+            await auditReport.processAuditReport(config, reportModelLibraryList, reportResponse.reportId);
             succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'));
             const endTime = performance.now() - startTime;
             const scanDurationMs = endTime - startTime;

package/dist/scan/autoDetection.js

@@ -8,11 +8,14 @@ const autoDetectFingerprintInfo = async (filePath, depth, config) => {
     let count = 0;
     complexObj.forEach(i => {
         count++;
-        result.push({
-            filePath: i,
-            id: count.toString(),
-            repositoryId: config.repositoryId
-        });
+        if (!i.includes('package.json')) {
+            result.push({
+                filePath: i,
+                id: count.toString(),
+                repositoryId: config.repositoryId,
+                projectGroupId: config.projectGroupId
+            });
+        }
     });
     return result;
 };
@@ -40,15 +43,19 @@ const detectPackageManager = async (array) => {
         }
         if (i.filePath.includes('Pipfile')) {
             i['language'] = PYTHON;
+            i['packageManager'] = 'PYPI';
         }
         if (i.filePath.includes('csproj')) {
             i['language'] = DOTNET;
+            i['packageManager'] = 'NUGET';
         }
         if (i.filePath.includes('Gemfile')) {
             i['language'] = RUBY;
+            i['packageManager'] = 'RUBYGEMS';
         }
         if (i.filePath.includes('go.mod')) {
             i['language'] = GO;
+            i['packageManager'] = 'PKG';
         }
     });
     return array;

package/dist/scan/fileUtils.js

@@ -16,6 +16,7 @@ const findAllFiles = async (filePath, depth = 2) => {
         '**/build.gradle',
         '**/build.gradle.kts',
         '**/package.json',
+        '**/package-lock.json',
         '**/yarn.lock',
         '**/Pipfile',
         '**/*.csproj',
@@ -41,79 +42,92 @@ const findFilesJava = async (languagesFound, filePath, depth = 1) => {
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ JAVA: result, language: 'JAVA' });
+        let lockFile = result.find(i => i.includes('pom') || i.includes('gradle'));
+        return languagesFound.push({
+            JAVA: result,
+            language: 'JAVA',
+            filePath: lockFile
+        });
     }
     return languagesFound;
 };
-const findFilesJavascript = async (languagesFound, filePath) => {
+const findFilesJavascript = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/package.json', '**/yarn.lock', '**/package-lock.json'], {
         dot: false,
-        deep: 1,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ JAVASCRIPT: result, language: 'JAVASCRIPT' });
+        let lockFile = result.find(i => i.includes('lock'));
+        return languagesFound.push({
+            JAVASCRIPT: result,
+            language: 'JAVASCRIPT',
+            filePath: lockFile
+        });
     }
     return languagesFound;
 };
-const findFilesPython = async (languagesFound, filePath) => {
+const findFilesPython = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/Pipfile.lock', '**/Pipfile'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ PYTHON: result });
+        return languagesFound.push({ PYTHON: result, filePath: 'Pipfile' });
     }
     return languagesFound;
 };
-const findFilesGo = async (languagesFound, filePath) => {
+const findFilesGo = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/go.mod'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ GO: result });
+        return languagesFound.push({ GO: result, filePath: 'go.mod' });
     }
     return languagesFound;
 };
-const findFilesRuby = async (languagesFound, filePath) => {
+const findFilesRuby = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/Gemfile', '**/Gemfile.lock'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ RUBY: result });
+        return languagesFound.push({ RUBY: result, filePath: 'Gemfile' });
     }
     return languagesFound;
 };
-const findFilesPhp = async (languagesFound, filePath) => {
+const findFilesPhp = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/composer.json', '**/composer.lock'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ PHP: result });
+        return languagesFound.push({ PHP: result, filePath: 'composer.lock' });
     }
     return languagesFound;
 };
-const findFilesDotNet = async (languagesFound, filePath) => {
+const findFilesDotNet = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/*.csproj', '**/packages.lock.json'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ DOTNET: result });
+        return languagesFound.push({
+            DOTNET: result,
+            filePath: 'packages.lock.json'
+        });
     }
     return languagesFound;
 };

package/dist/utils/paramsUtil/paramHandler.js

@@ -2,7 +2,7 @@
 const commandlineAuth = require('./commandlineParams');
 const configStoreParams = require('./configStoreParams');
 const envVariableParams = require('./envVariableParams');
-const { validateAuthParams } = require('../validationCheck');
+const { validateAuthParams, validateFingerprintParams } = require('../validationCheck');
 const i18n = require('i18n');
 const getAuth = params => {
     let commandLineAuthParamsAuth = commandlineAuth.getAuth(params);
@@ -22,4 +22,13 @@ const getAuth = params => {
         process.exit(1);
     }
 };
-module.exports = { getAuth };
+const getFingerprint = params => {
+    if (validateFingerprintParams(params)) {
+        return params;
+    }
+    else {
+        console.log('missing fingerprint params please check repository-url and repository-name');
+        process.exit(1);
+    }
+};
+module.exports = { getAuth, getFingerprint };

package/dist/utils/validationCheck.js

@@ -19,8 +19,12 @@ const validateAuthParams = params => {
         params.host &&
         params.authorization);
 };
+const validateFingerprintParams = params => {
+    return !!(params.repositoryUrl && params.repositoryName);
+};
 module.exports = {
     checkConfigHasRequiredValues: checkConfigHasRequiredValues,
     validateAuthParams: validateAuthParams,
-    validateRequiredScanParams: validateRequiredScanParams
+    validateRequiredScanParams: validateRequiredScanParams,
+    validateFingerprintParams: validateFingerprintParams
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "2.0.1",
+  "version": "2.0.2-beta.0",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -61,7 +61,9 @@
     "cross-spawn": "^7.0.3",
     "dotenv": "^16.0.0",
     "fast-glob": "^3.2.11",
+    "got": "11.8.6",
     "gradle-to-js": "^2.0.1",
+    "hpagent": "^1.2.0",
     "i18n": "^0.15.1",
     "js-yaml": "^4.1.0",
     "lodash": "^4.17.21",
@@ -74,7 +76,7 @@
     "string-builder": "^0.1.8",
     "string-multiple-replace": "^1.0.5",
     "tmp": "^0.2.1",
-    "xml2js": "^0.4.23",
+    "xml2js": "^0.5.0",
     "yarn-lockfile": "^1.1.1"
   },
   "devDependencies": {
@@ -93,8 +95,9 @@
     "eslint-plugin-prettier": "^4.2.1",
     "husky": "^3.1.0",
     "jest": "^27.5.1",
-    "jest-junit": "^13.2.0",
+    "jest-junit": "^16.0.0",
     "mocha": "^10.2.0",
+    "nock": "^13.3.0",
     "npm-license-crawler": "^0.2.1",
     "nyc": "^15.1.0",
     "pkg": "^5.6.0",

package/src/audit/report/reportingFeature.ts

@@ -12,6 +12,7 @@ import chalk from 'chalk'
 import * as constants from '../../constants/constants'
 import { SeverityCountModel } from './models/severityCountModel'
 import * as common from '../../common/fail'
+import { auditSave } from '../save'
 
 export function convertKeysToStandardFormat(config: any, guidance: any) {
   let convertedGuidance = guidance
@@ -96,6 +97,12 @@ export async function vulnerabilityReportV2(config: any, reportId: string) {
         : {}
     )
 
+    if (config.save !== undefined) {
+      await auditSave(config)
+    } else {
+      console.log('\nUse contrast audit --save to generate an SBOM')
+    }
+
     if (config.fail) {
       common.processFail(config, output[2])
     }

package/src/cliConstants.js

@@ -412,6 +412,7 @@ const auditOptionDefinitions = [
     name: 'legacy',
     alias: 'l',
     type: Boolean,
+    defaultValue: false,
     description:
       '{bold ' +
       i18n.__('constantsOptional') +
@@ -428,7 +429,12 @@ const auditOptionDefinitions = [
       i18n.__('auditOptionsRepoSummary')
   },
   {
-    name: 'repo-id',
+    name: 'repository-id',
+    type: String,
+    description: ''
+  },
+  {
+    name: 'project-group-id',
     type: String,
     description: ''
   }
@@ -443,7 +449,7 @@ const fingerprintOptionDefinitions = [
       '{bold ' + i18n.__('constantsOptional') + '}: ' + i18n.__('depthOption')
   },
   {
-    name: 'repo-url',
+    name: 'repository-url',
     type: String,
     description: ''
   },
@@ -453,12 +459,7 @@ const fingerprintOptionDefinitions = [
     description: ''
   },
   {
-    name: 'repo-name',
-    type: String,
-    description: ''
-  },
-  {
-    name: 'language',
+    name: 'repository-name',
     type: String,
     description: ''
   }

package/src/commands/audit/processAudit.js

@@ -3,7 +3,6 @@ const { auditUsageGuide } = require('./help')
 const scaController = require('../../scaAnalysis/scaAnalysis')
 const { sendTelemetryConfigAsObject } = require('../../telemetry/telemetry')
 const { postRunMessage } = require('../../common/commonHelp')
-const settingsHelper = require('../../utils/settingsHelper')
 
 const processAudit = async (contrastConf, argvMain) => {
   if (argvMain.indexOf('--help') !== -1) {
@@ -12,7 +11,6 @@ const processAudit = async (contrastConf, argvMain) => {
   }
 
   let config = await auditConfig.getAuditConfig(contrastConf, 'audit', argvMain)
-  config = await settingsHelper.getSettings(config)
 
   await scaController.processSca(config)
   if (!config.fingerprint) {

package/src/commands/github/fingerprintConfig.js

@@ -3,14 +3,14 @@ const constants = require('../../cliConstants')
 const paramHandler = require('../../utils/paramsUtil/paramHandler')
 
 const getFingerprintConfig = async (contrastConf, command, argv) => {
-  const fingerprintParameters = await parsedCLIOptions.getCommandLineArgsCustom(
+  let fingerprintParameters = await parsedCLIOptions.getCommandLineArgsCustom(
     contrastConf,
     command,
     argv,
     constants.commandLineDefinitions.fingerprintOptionDefinitions
   )
   const paramsAuth = paramHandler.getAuth(fingerprintParameters)
-
+  fingerprintParameters = paramHandler.getFingerprint(fingerprintParameters)
   return { ...paramsAuth, ...fingerprintParameters }
 }
 

package/src/commands/github/processFingerprint.js

@@ -1,27 +1,37 @@
 const fingerprintConfig = require('./fingerprintConfig')
 const repoServices = require('./repoServices')
-const settingsHelper = require('../../utils/settingsHelper')
 const autoDetection = require('../../scan/autoDetection')
 const saveResults = require('../../scan/saveResults')
+const projectConfig = require('./projectGroup')
 const processFingerprint = async (contrastConf, argvMain) => {
   let config = await fingerprintConfig.getFingerprintConfig(
     contrastConf,
     'fingerprint',
     argvMain
   )
-  config = await settingsHelper.getSettings(config)
   config.repositoryId = await repoServices.getRepoId(config)
-  let fingerprint = await autoDetection.autoDetectFingerprintInfo(
-    config.file,
-    config.depth,
-    config
-  )
+  if (config.repositoryId !== '') {
+    config.projectGroupId = await projectConfig.getProjectGroupId(config)
+    let fingerprint = await autoDetection.autoDetectFingerprintInfo(
+      config.file,
+      config.depth,
+      config
+    )
+
+    if (fingerprint.length === 0) {
+      console.log('No supported manifests found')
+      process.exit(0)
+    }
 
-  let idArray = fingerprint.map(x => x.id)
-  await saveResults.writeResultsToFile(fingerprint, 'fingerPrintInfo.json')
-  return console.log(idArray)
+    let idArray = fingerprint.map(x => x.id)
+    await saveResults.writeResultsToFile(fingerprint, 'fingerPrintInfo.json')
+    return console.log(idArray)
+  } else {
+    console.log('No repository Id found')
+    process.exit(1)
+  }
 }
 
 module.exports = {
-  processFingerprint
+  processFingerprint: processFingerprint
 }