@contrast/contrast 2.0.1 → 2.0.2-beta.0

package/src/commands/github/projectGroup.js

@@ -17,25 +17,41 @@ const getProjectIdByOrg = async config => {
 
 const createNewProjectGroupBody = async config => {
   let body = {
-    organizationId: config.organizationId,
-    name: config.name ? config.name : config.file //has to be unique per project
+    organizationId: config.organizationId
   }
   if (config.repo || config?.repositoryId) {
     body.repositoryId = config.repositoryId
     body.type = 'REPOSITORY'
+    body.name = getProjectGroupNameRepo(config)
   } else {
     body.repositoryId = null
     body.type = 'CLI'
+    body.name = getProjectGroupNameCLI(config)
   }
   return body
 }
 
+const getProjectGroupNameRepo = config => {
+  return config.repositoryName
+}
+const getProjectGroupNameCLI = config => {
+  // file here is actually folder name
+  return config.name ? config.name : config.file
+}
+
+const getProjectName = config => {
+  return config.name ? config.name : config.fileName
+}
+
 const registerNewProjectGroup = async config => {
   let body = await createNewProjectGroupBody(config)
 
   const client = await commonApi.getHttpClient(config)
-  body.projects = createProjects([config])
-
+  if (config.repositoryId) {
+    body.projects = []
+  } else {
+    body.projects = createProjectsArray([config])
+  }
   let projectGroupInfo = await client
     .registerProjectGroup(config, body)
     .then(res => {
@@ -53,7 +69,7 @@ const registerNewProjectGroup = async config => {
       }
 
       if (res.statusCode === 409) {
-        return []
+        return ''
       }
     })
     .catch(err => {
@@ -64,30 +80,33 @@ const registerNewProjectGroup = async config => {
   return projectGroupInfo
 }
 
-const createProjects = params => {
+const createProjectsArray = params => {
   let projectsArray = []
   let projects = {}
-
   params.forEach(param => {
-    projects = {
-      path: param.file,
-      name: param.name ? param.name : param.file,
-      source: 'SCA',
-      language: param.language,
-      packageManager: 'MAVEN',
-      target: 'SCA',
-      sourceId: '' // this is appID at the moment and scaID in future
-    }
+    projects = createProject(param)
     projectsArray.push(projects)
   })
 
   return projectsArray
 }
 
+const createProject = param => {
+  return {
+    path: param.fileName,
+    name: param.repo ? param.fileName : getProjectName(param),
+    source: 'SCA',
+    language: param.language,
+    packageManager: param.packageManager,
+    target: 'SCA',
+    sourceId: ''
+  }
+}
+
 const getExistingGroupProjectId = (config, projectGroupsInfoEx) => {
   let existingGroupProjectId = ''
   projectGroupsInfoEx.forEach(i => {
-    if (i.name === config.name) {
+    if (i.repositoryId === config.repositoryId) {
       existingGroupProjectId = i.projectGroupId
     }
   })
@@ -95,21 +114,46 @@ const getExistingGroupProjectId = (config, projectGroupsInfoEx) => {
 }
 
 const getProjectIdFromArray = (config, array) => {
-  let projectId = ''
-  array?.forEach(i => {
-    if (i.name === config.name) {
-      projectId = i.projectId
+  if (array.length === 1) {
+    return array[0].projectId
+  }
+
+  if (config.name) {
+    for (const i of array) {
+      //match on name
+      if (i.name === config.name) return i.projectId
     }
-  })
-  return projectId
+  }
+
+  for (const i of array) {
+    //match on fileName
+    if (i.name === config.fileName) return i.projectId
+  }
+
+  return ''
+}
+
+const addAdditionalData = (body, data) => {
+  body.projectGroupId = data.projectGroupId ? data.projectGroupId : null
+  body.projectGroupName = data.projectGroupName ? data.projectGroupName : null
+  body.projectLanguage = data.projectLanguage ? data.projectLanguage : null
+  body.projectType = data.projectType ? data.projectType : null
 }
 
-const registerProjectIdOnCliServices = async (config, projectId) => {
+const registerProjectIdOnCliServices = async (
+  config,
+  projectId,
+  additionalData = undefined
+) => {
   const client = commonApi.getHttpClient(config)
 
   let cliServicesBody = {
     projectId: projectId,
-    name: config.name
+    name: config.repo ? config.fileName : getProjectName(config)
+  }
+
+  if (additionalData) {
+    addAdditionalData(cliServicesBody, additionalData)
   }
 
   let result = await client
@@ -117,24 +161,48 @@ const registerProjectIdOnCliServices = async (config, projectId) => {
     .then(res => {
       if (config.debug || config.verbose) {
         console.log('\nregistration on cli services')
-        console.log(res.statusCode)
+        console.log('request body', cliServicesBody)
+        console.log('response code', res.statusCode)
       }
       if (res.statusCode === 201 || res.statusCode === 200) {
         return res.body
       } else {
-        return []
+        console.log('Failed to Register On Cli Services')
+        console.log(res.statusCode)
+        process.exit(1)
       }
     })
 
   return result
 }
 
+const registerProjectWithGroupProjectId = async config => {
+  const client = commonApi.getHttpClient(config)
+  config.language = config.language === 'NODE' ? 'JAVASCRIPT' : config.language
+
+  let body = createProject(config)
+  let result = await client.registerProject(config, body).then(res => {
+    if (config.debug || config.verbose) {
+      console.log('\nregister Project With Group ProjectId')
+      console.log(res.statusCode)
+      console.log(res.body)
+    }
+    if (res.statusCode === 201 || res.statusCode === 200) {
+      return res.body
+    } else {
+      return []
+    }
+  })
+
+  return result
+}
+
 const retrieveExistingProjectIdWithProjectGroupId = async (
   config,
   client,
   projectGroupId
 ) => {
-  let groups = await client
+  return await client
     .retrieveExistingProjectIdByProjectGroupId(config, projectGroupId)
     .then(res => {
       if (config.debug || config.verbose) {
@@ -146,11 +214,9 @@ const retrieveExistingProjectIdWithProjectGroupId = async (
       if (res.statusCode === 200) {
         return res.body
       } else {
-        return []
+        return ''
       }
     })
-
-  return getProjectIdFromArray(config, groups)
 }
 
 const retrieveProjectByOrganization = async (config, client) => {
@@ -169,16 +235,41 @@ const retrieveProjectByOrganization = async (config, client) => {
   })
 }
 
-const retrieveExistingProjectGroups = async (config, client) => {
+const retrieveExistingProjectGroups = async config => {
+  const client = commonApi.getHttpClient(config)
   return await client.retrieveExistingProjectGroupsByOrg(config).then(res => {
+    if (config.debug || config.verbose) {
+      console.log('retrieve Existing ProjectGroups By Org')
+      console.log(res.statusCode)
+      console.log(res.body)
+    }
     if (res.statusCode === 201 || res.statusCode === 200) {
-      return res.body
+      let correctGroupID = res?.body?.filter(
+        i => i.repositoryId === config.repositoryId
+      )
+
+      if (correctGroupID.length > 0) {
+        return correctGroupID[0].projectGroupId
+      }
+      return ''
     } else {
-      return []
+      return ''
     }
   })
 }
 
+const getProjectGroupId = async config => {
+  let projectGroupId = ''
+  if (config.projectGroupId === '' || config.projectGroupId === undefined) {
+    projectGroupId = await retrieveExistingProjectGroups(config)
+  }
+
+  if (projectGroupId === '') {
+    projectGroupId = await registerNewProjectGroup(config)
+  }
+  return projectGroupId
+}
+
 const dealWithNoName = async config => {
   try {
     config.name = getAppName(config.file)
@@ -194,5 +285,10 @@ module.exports = {
   registerProjectIdOnCliServices,
   dealWithNoName,
   registerNewProjectGroup,
-  createNewProjectGroupBody
+  createNewProjectGroupBody,
+  registerProjectWithGroupProjectId,
+  getExistingGroupProjectId,
+  getProjectGroupId,
+  retrieveExistingProjectGroups,
+  createProject
 }

package/src/commands/github/repoServices.js

@@ -23,12 +23,16 @@ const retrieveRepoId = async config => {
 
 const registerNewRepo = async config => {
   let body = {
-    externalScmUrl: config.repoUrl ? config.repoUrl : '',
-    externalScmName: config.repoName,
-    externalId: config.externalId ? config.externalId : '',
+    externalScmUrl: config.repositoryUrl,
+    externalScmName: config.repositoryName,
+    externalId: config.externalId,
     primaryLanguage: config.language,
     defaultBranch: 'develop'
   }
+  if (config.debug || config.verbose) {
+    console.log('registerNewRepo')
+    console.log(body)
+  }
 
   const client = await commonApi.getHttpClient(config)
 
@@ -51,10 +55,47 @@ const registerNewRepo = async config => {
       if (res.statusCode === 409) {
         return ''
       }
+      if (res.statusCode === 400) {
+        if (config.debug || config.verbose) {
+          console.log('\nError Registering Repository - Bad request')
+          console.log(res.statusCode)
+          console.log(res.message)
+        }
+        process.exit(1)
+      }
     })
     .catch(err => {
       console.log('\nError Registering Repository')
       console.log(err.statusCode)
+      console.log(err.message)
+      process.exit(1)
+    })
+
+  return result
+}
+
+const retrieveProjectInfoViaRepoId = async config => {
+  const client = await commonApi.getHttpClient(config)
+
+  let result = await client
+    .retrieveProjectByRepoId(config)
+    .then(res => {
+      if (config.debug || config.verbose) {
+        console.log('\nRetrieve Project By RepoId')
+        console.log(res.statusCode)
+        console.log(res.body)
+      }
+      if (res.statusCode === 201 || res.statusCode === 200) {
+        return res?.body
+      }
+
+      if (res.statusCode === 409) {
+        return []
+      }
+    })
+    .catch(err => {
+      console.log('\nError Retrieve Project By RepoId')
+      console.log(err.statusCode)
     })
 
   return result
@@ -76,5 +117,6 @@ const getRepoId = async config => {
 module.exports = {
   retrieveRepoId,
   registerNewRepo,
-  getRepoId
+  getRepoId,
+  retrieveProjectInfoViaRepoId
 }

package/src/common/HTTPClient.js

@@ -225,12 +225,6 @@ HTTPClient.prototype.scaServiceIngest = function scaServiceIngest(
   options.url = url
   options.body = requestBody
 
-  if (config.debug || config.verbose) {
-    console.log('scaServiceIngest')
-    console.log('url', options.url)
-    console.log('body', options.body)
-  }
-
   return requestUtils.sendRequest({ method: 'post', options })
 }
 
@@ -346,6 +340,17 @@ HTTPClient.prototype.registerRepo = function registerRepo(config, requestBody) {
   return requestUtils.sendRequest({ method: 'post', options })
 }
 
+HTTPClient.prototype.retrieveProjectByRepoId = function retrieveProjectByRepoId(
+  config,
+  requestBody
+) {
+  const options = _.cloneDeep(this.requestOptions)
+  let url = createRepoProjectUrl(config)
+  options.url = url
+  options.body = requestBody
+  return requestUtils.sendRequest({ method: 'get', options })
+}
+
 HTTPClient.prototype.registerProjectGroup = function (config, requestBody) {
   const options = _.cloneDeep(this.requestOptions)
   let url = registerProjectGroupUrl(config)
@@ -355,17 +360,18 @@ HTTPClient.prototype.registerProjectGroup = function (config, requestBody) {
   if (config.debug || config.verbose) {
     console.log('registerProjectGroup')
     console.log('url', options.url)
-    console.log('body', options.body)
+    // console.log('body', options.body)
   }
 
   return requestUtils.sendRequest({ method: 'post', options })
 }
 
-HTTPClient.prototype.registerProject = function (config, projectGroupId) {
+HTTPClient.prototype.registerProject = function (config, body) {
   const options = _.cloneDeep(this.requestOptions)
-  let url = registerProjectUrl(config, projectGroupId)
+  let url = registerProjectUrl(config)
   options.url = url
-  return requestUtils.sendRequest({ method: 'get', options })
+  options.body = body
+  return requestUtils.sendRequest({ method: 'post', options })
 }
 HTTPClient.prototype.retrieveSourcesViaRepositoryId = function (
   config,
@@ -405,6 +411,9 @@ HTTPClient.prototype.retrieveProjectByOrganizationId = function registerRepo(
   const options = _.cloneDeep(this.requestOptions)
   let url = retrieveProjectByOrganizationIdUrl(config)
   options.url = url
+  if (config.debug || config.verbose) {
+    console.log(url)
+  }
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
@@ -412,8 +421,15 @@ HTTPClient.prototype.retrieveExistingProjectGroupsByOrg = function registerRepo(
   config
 ) {
   const options = _.cloneDeep(this.requestOptions)
-  let url = retrieveExistingGroupProjectsByOrgUrl(config)
+  let url =
+    retrieveExistingGroupProjectsByOrgUrl(config) +
+    '?name=' +
+    config.repositoryName +
+    '&type=REPOSITORY'
   options.url = url
+  if (config.debug || config.verbose) {
+    console.log(options.url)
+  }
   return requestUtils.sendRequest({ method: 'get', options })
 }
 
@@ -622,7 +638,9 @@ function createScaServiceReportStatusURL(config, reportId) {
 function createScaServiceNoProjectIdURL(config) {
   return `${config.host}/Contrast/api/sca/organizations/${
     config.organizationId
-  }/libraries/ingests/tree${config.repo ? '?incomplete=true' : ''}`
+  }/libraries/ingests/tree${
+    config.repo && config.language === 'JAVA?' ? 'incomplete=true' : ''
+  }`
 }
 
 // function createScaServiceIngestsURL(config) {
@@ -635,7 +653,9 @@ function createScaServiceHealthURL(config) {
 
 function createScaServiceIngestURL(config) {
   let optionalParams = []
-  config.repo ? optionalParams.push('incomplete=true') : null
+  config.repo && config.language === 'JAVA'
+    ? optionalParams.push('incomplete=true')
+    : null
   config.track ? optionalParams.push('persist=true') : null
 
   let params = '?'
@@ -664,8 +684,8 @@ const registerProjectGroupUrl = config => {
   return `${config.host}/api/v4/organizations/${config.organizationId}/project-groups`
 }
 
-const registerProjectUrl = (config, projectGroupId) => {
-  return `${config.host}/api/v4/organizations/${config.organizationId}/project-groups/${projectGroupId}/projects`
+const registerProjectUrl = config => {
+  return `${config.host}/api/v4/organizations/${config.organizationId}/project-groups/${config.projectGroupId}/projects`
 }
 
 const retrieveRegisterOnCliServicesUrl = config => {
@@ -677,16 +697,21 @@ const retrieveSourcesUrl = (config, repositoryId) => {
 }
 
 const retrieveRepoByOrgAndGitURL = config => {
-  return `${config.host}/api/v4/organizations/${config.organizationId}/repositories/external-url?externalRepoUrl=${config.repoUrl}`
+  return `${config.host}/api/v4/organizations/${config.organizationId}/repositories/external-url?externalRepoUrl=${config.repositoryUrl}`
 }
 
 const retrieveProjectByOrganizationIdUrl = config => {
   let baseUrl = `${config.host}/api/v4/organizations/${config.organizationId}/projects`
-  baseUrl = config.name ? baseUrl.concat(`?name=${config.name}`) : baseUrl
+  baseUrl = config.name
+    ? baseUrl.concat(`?name=${config.name}`)
+    : baseUrl.concat(`?name=${config.fileName}`)
   baseUrl = config.language
     ? baseUrl.concat(`&language=${config.language}`)
     : baseUrl
   baseUrl = config.language ? baseUrl.concat(`&source=SCA`) : baseUrl
+  baseUrl = config.repo
+    ? baseUrl.concat(`&type=REPOSITORY`)
+    : baseUrl.concat(`&type=CLI`)
   return baseUrl
 }
 
@@ -705,6 +730,10 @@ function createRepositoryUrl(config) {
   return `${config.host}/api/v4/organizations/${config.organizationId}/repositories`
 }
 
+function createRepoProjectUrl(config) {
+  return `${config.host}/api/v4/organizations/${config.organizationId}/repositories/${config.repositoryId}/projects`
+}
+
 function createLibraryVulnerabilitiesUrl(config) {
   return `${config.host}/Contrast/api/ng/${config.organizationId}/libraries/artifactsByGroupNameVersion`
 }

package/src/common/baseRequest.ts

@@ -0,0 +1,83 @@
+import { HttpsProxyAgent } from 'hpagent'
+import fs from 'fs'
+import got, { Options } from 'got'
+import { Agents, HTTPSOptions } from 'got/dist/source/core'
+
+export function gotInstance(config: any) {
+  return got.extend({ retry: { limit: 0 }, ...buildBaseRequestOptions(config) })
+}
+
+export function buildBaseRequestOptions(config: any) {
+  const { apiKey, authorization } = config
+  const rejectUnauthorized = !config.certSelfSigned
+
+  const superApiKey = config.superApiKey
+  const superAuthToken = config.superAuthorization
+
+  const requestOptions = {
+    responseType: 'json',
+    forever: true,
+    uri: config.host,
+    followRedirect: false,
+    headers: {
+      'Content-Type': 'application/json; charset=utf-8',
+      Authorization: authorization,
+      'API-Key': apiKey,
+      SuperAuthorization: superAuthToken,
+      'Super-API-Key': superApiKey,
+      'User-Agent': 'contrast-cli-v2'
+    },
+    agent: getAgent(config)
+  } as Options
+
+  requestOptions.https = {
+    rejectUnauthorized: rejectUnauthorized
+  }
+
+  maybeAddCertsToRequest(config, requestOptions.https)
+  return requestOptions
+}
+
+function getAgent(config: any) {
+  return config.proxy
+    ? (new HttpsProxyAgent({ proxy: config.proxy }) as Agents)
+    : false
+}
+
+function maybeAddCertsToRequest(config: any, https: HTTPSOptions) {
+  // cacert
+  const caCertFilePath = config.cacert
+  if (caCertFilePath) {
+    try {
+      https.certificateAuthority = fs.readFileSync(caCertFilePath)
+    } catch (error: any) {
+      throw new Error(
+        `Unable to read CA from ${caCertFilePath}, msg: ${error.message}`
+      )
+    }
+  }
+
+  // cert
+  const certPath = config.cert
+  if (certPath) {
+    try {
+      https.certificate = fs.readFileSync(certPath)
+    } catch (error: any) {
+      throw new Error(
+        `Unable to read Certificate PEM file from config option contrast.api.certificate.cert_file='${certPath}', msg: ${error.message}`
+      )
+    }
+  }
+
+  // key
+  const keyPath = config.key
+  if (keyPath) {
+    try {
+      https.key = fs.readFileSync(keyPath)
+    } catch (error: any) {
+      throw new Error(
+        `Unable to read Key PEM file from config option contrast.api.certificate.key_file='${keyPath}', msg: ${error.message}`
+      )
+    }
+  }
+}

package/src/constants/constants.js

@@ -14,7 +14,7 @@ const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
 // App
 const APP_NAME = 'contrast'
-const APP_VERSION = '2.0.1'
+const APP_VERSION = '2.0.2-beta.0'
 const TIMEOUT = 120000
 const HIGH_COLOUR = '#ff9900'
 const CRITICAL_COLOUR = '#e35858'

package/src/scaAnalysis/common/auditReport.js

@@ -4,13 +4,20 @@ const {
 } = require('../../audit/report/commonReportingFunctions')
 const common = require('../../common/fail')
 const { printFormattedOutputSca } = require('./commonReportingFunctionsSca')
+const { auditSave } = require('../../audit/save')
 
-const processAuditReport = (config, reportModelList) => {
+const processAuditReport = async (config, reportModelList, reportId) => {
   let severityCounts = {}
   if (reportModelList !== undefined) {
     severityCounts = formatScaServicesReport(config, reportModelList)
   }
 
+  if (config.save !== undefined) {
+    await auditSave(config, reportId)
+  } else {
+    console.log('Use contrast audit --save to generate an SBOM')
+  }
+
   if (config.fail) {
     common.processFail(config, severityCounts)
   }

package/src/scaAnalysis/common/scaServicesUpload.js

@@ -14,8 +14,12 @@ const scaTreeUpload = async (analysis, config, reportSpinner) => {
   config.language = config.language === 'JAVASCRIPT' ? 'NODE' : config.language
   const startTime = performance.now()
   const timeout = commonApi.getTimeout(config)
+
+  const doINeedParent = config.repositoryId && config.language === 'JAVA'
+
   const requestBody = {
-    dependencyTree: analysis,
+    parentPom: doINeedParent ? analysis.parentPom : null,
+    dependencyTree: doINeedParent ? analysis.dependencyTree : analysis,
     organizationId: config.organizationId,
     language: config.language,
     tool: {

package/src/scaAnalysis/go/goReadDepFile.js

@@ -8,7 +8,10 @@ const getGoDependencies = config => {
   try {
     // A sample of this output can be found
     // in the go test folder data/goModGraphResults.text
-    cmdStdout = child_process.execSync('go mod graph', { cwd })
+    cmdStdout = child_process.execSync('go mod graph', {
+      cwd: cwd,
+      maxBuffer: 50 * 1024 * 1024
+    })
 
     return cmdStdout.toString()
   } catch (err) {
@@ -22,6 +25,7 @@ const getGoDependencies = config => {
     // throw new Error(
     //   i18n.__('goReadProjectFile', cwd, `${err.message ? err.message : ''}`)
     // )
+    process.exit(1)
   }
 }
 

package/src/scaAnalysis/java/analysis.js

@@ -30,7 +30,7 @@ const determineProjectTypeAndCwd = (files, config) => {
 
 const buildMaven = (config, projectData, timeout) => {
   let command = 'mvn'
-  let args = ['dependency:tree', '-B']
+  let args = ['dependency:tree', '-B', '-Dscope=runtime']
   if (config.mavenSettingsPath) {
     args.push('-s')
     args.push(config.mavenSettingsPath)

package/src/scaAnalysis/java/javaBuildDepsParser.js

@@ -140,7 +140,7 @@ const computeRelationToLastElement = element => {
 }
 
 const stripElement = element => {
-  return element
+  const initialStrippedElement = element
     .replace(/[|]/g, '')
     .replace('+---', '')
     .replace('\\---', '')
@@ -148,6 +148,22 @@ const stripElement = element => {
     .replace('(c)', '')
     .replace('->', '@')
     .replace('(*)', '')
+
+  //work out Gradle resolved versioning e.g. org.slf4j:slf4j-api:1.7.25 -> 1.7.22
+  //take 1.7.22
+  const splitElements = initialStrippedElement.split(':')
+  if (
+    splitElements[2] !== undefined &&
+    splitElements[2] !== null &&
+    splitElements[2].includes('@')
+  ) {
+    const splitVersions = splitElements[2].split('@')
+    return initialStrippedElement
+      .replace(':' + splitVersions[0], '')
+      .replace('@', ':')
+  }
+
+  return initialStrippedElement
 }
 
 const checkVersion = element => {