@contrast/contrast 2.0.1 → 2.0.2-beta.1

package/dist/scaAnalysis/common/scaServicesUpload.js

@@ -11,8 +11,10 @@ const scaTreeUpload = async (analysis, config, reportSpinner) => {
     config.language = config.language === 'JAVASCRIPT' ? 'NODE' : config.language;
     const startTime = performance.now();
     const timeout = commonApi.getTimeout(config);
+    const doINeedParent = config.repositoryId && config.language === 'JAVA';
     const requestBody = {
-        dependencyTree: analysis,
+        parentPom: doINeedParent ? analysis.parentPom : null,
+        dependencyTree: doINeedParent ? analysis.dependencyTree : analysis,
         organizationId: config.organizationId,
         language: config.language,
         tool: {

package/dist/scaAnalysis/go/goReadDepFile.js

@@ -5,7 +5,10 @@ const getGoDependencies = config => {
     let cmdStdout;
     let cwd = config.file ? config.file.replace('go.mod', '') : process.cwd();
     try {
-        cmdStdout = child_process.execSync('go mod graph', { cwd });
+        cmdStdout = child_process.execSync('go mod graph', {
+            cwd: cwd,
+            maxBuffer: 50 * 1024 * 1024
+        });
         return cmdStdout.toString();
     }
     catch (err) {
@@ -14,6 +17,7 @@ const getGoDependencies = config => {
                 '\n\n*************** No transitive dependencies ***************\n\nWe are unable to build a dependency tree view from your repository as there were no transitive dependencies found.';
         }
         console.log(i18n.__('goReadProjectFile', cwd, `${err.message ? err.message : ''}`));
+        process.exit(1);
     }
 };
 module.exports = {

package/dist/scaAnalysis/java/analysis.js

@@ -24,7 +24,7 @@ const determineProjectTypeAndCwd = (files, config) => {
 };
 const buildMaven = (config, projectData, timeout) => {
     let command = 'mvn';
-    let args = ['dependency:tree', '-B'];
+    let args = ['dependency:tree', '-B', '-Dscope=runtime'];
     if (config.mavenSettingsPath) {
         args.push('-s');
         args.push(config.mavenSettingsPath);

package/dist/scaAnalysis/java/javaBuildDepsParser.js

@@ -119,7 +119,7 @@ const computeRelationToLastElement = element => {
     }
 };
 const stripElement = element => {
-    return element
+    const initialStrippedElement = element
         .replace(/[|]/g, '')
         .replace('+---', '')
         .replace('\\---', '')
@@ -127,6 +127,16 @@ const stripElement = element => {
         .replace('(c)', '')
         .replace('->', '@')
         .replace('(*)', '');
+    const splitElements = initialStrippedElement.split(':');
+    if (splitElements[2] !== undefined &&
+        splitElements[2] !== null &&
+        splitElements[2].includes('@')) {
+        const splitVersions = splitElements[2].split('@');
+        return initialStrippedElement
+            .replace(':' + splitVersions[0], '')
+            .replace('@', ':');
+    }
+    return initialStrippedElement;
 };
 const checkVersion = element => {
     let version = element.split(':');

package/dist/scaAnalysis/legacy/legacyFlow.js

@@ -18,12 +18,6 @@ const legacyFlow = async (config, messageToSend) => {
     await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner);
     succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'));
     await vulnerabilityReportV2(config, snapshotResponse.id);
-    if (config.save !== undefined) {
-        await auditSave(config);
-    }
-    else {
-        console.log('\nUse contrast audit --save to generate an SBOM');
-    }
     const endTime = performance.now() - startTime;
     const scanDurationMs = endTime - startTime;
     console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`);

package/dist/scaAnalysis/processServicesFlow.js

@@ -1,7 +1,8 @@
 "use strict";
 const projectConfig = require('../commands/github/projectGroup');
+const repoService = require('../commands/github/repoServices');
 const scaServicesUpload = require('../scaAnalysis/common/scaServicesUpload');
-const trackProcess = async (analysis, config, reportSpinner) => {
+const dealWithNoProjectId = async (analysis, config, reportSpinner) => {
     await projectConfig.registerNewProjectGroup(config);
     let projectId = await projectConfig.getProjectIdByOrg(config);
     await projectConfig.registerProjectIdOnCliServices(config, projectId);
@@ -9,31 +10,51 @@ const trackProcess = async (analysis, config, reportSpinner) => {
     return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner);
 };
 const repoProcess = async (analysis, config, reportSpinner) => {
-    let repoInfo = repoService.retrieveRepoId(config);
-    if (repoInfo.repoId === '') {
-        repoInfo = repoService.registerRepo(config);
+    if (config.debug || config.verbose) {
+        console.log('in repository process');
+        console.log('repository id: ', config.repositoryId);
     }
-    await projectConfig.registerProjectIdOnCliServices(config, repoInfo.projectId);
-    return repoInfo;
-};
-const dealWithNoProjectId = async (analysis, config, reportSpinner) => {
-    if (config.track) {
-        return trackProcess(analysis, config, reportSpinner);
+    if (config.repositoryId === '') {
+        console.log('Failed to retrieve Repository Id');
+        process.exit(1);
     }
-    if (!config.track) {
-        return await scaServicesUpload.noProjectUpload(analysis, config, reportSpinner);
+    let repoInfo = await repoService.retrieveProjectInfoViaRepoId(config);
+    repoInfo = repoInfo.find(element => config.fileName === element.path &&
+        config.fileName === element.name &&
+        config.projectGroupId === element.projectGroupId);
+    if (config.projectGroupId &&
+        !repoInfo?.projectId &&
+        (repoInfo === undefined || repoInfo.length === 0)) {
+        console.log('*** has projectGroupId, no projectId and repo has no project found that matches');
+        repoInfo = await projectConfig.registerProjectWithGroupProjectId(config);
+        console.log('new registered group', repoInfo);
+        const language = repoInfo.language === 'JAVASCRIPT' ? 'NODE' : repoInfo.language;
+        await projectConfig.registerProjectIdOnCliServices(config, repoInfo.projectId);
     }
+    config.projectId = repoInfo.projectId;
+    return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner);
 };
-const processUpload = async (analysis, config, reportSpinner) => {
+const trackProcess = async (analysis, config, reportSpinner) => {
     let projectId = await projectConfig.getProjectIdByOrg(config);
     if (projectId === '') {
         return dealWithNoProjectId(analysis, config, reportSpinner);
     }
-    if (projectId) {
-        config.projectId = projectId;
-        return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner);
+    config.projectId = projectId;
+    await projectConfig.registerProjectIdOnCliServices(config, projectId);
+    return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner);
+};
+const processUpload = async (analysis, config, reportSpinner) => {
+    if (config.repositoryId) {
+        return repoProcess(analysis, config, reportSpinner);
+    }
+    if (config.track) {
+        return trackProcess(analysis, config, reportSpinner);
+    }
+    if (!config.track) {
+        return await scaServicesUpload.noProjectUpload(analysis, config, reportSpinner);
     }
 };
 module.exports = {
-    processUpload
+    processUpload,
+    repoProcess
 };

package/dist/scaAnalysis/repoMode/mavenParser.js

@@ -1,76 +1,118 @@
 "use strict";
 const fs = require('fs');
-const xml2js = require('xml2js');
+const { XMLParser } = require('fast-xml-parser');
 const readPomFile = project => {
     const mavenFilePath = project.cwd + '/pom.xml';
     const projectFile = fs.readFileSync(mavenFilePath);
-    let jsonPomFile;
-    xml2js.parseString(projectFile, (err, result) => {
-        if (err) {
-            throw err;
-        }
-        const json = JSON.stringify(result, null);
-        jsonPomFile = JSON.parse(json);
+    const parser = new XMLParser();
+    return parser.parse(projectFile);
+};
+const parsePomFile = jsonPomFile => {
+    console.log(JSON.stringify(jsonPomFile));
+    let dependencyTree = {};
+    let dependencies = [];
+    let dependencyManagement = [];
+    if (jsonPomFile.project && jsonPomFile.project.dependencies) {
+        dependencies = jsonPomFile.project.dependencies.dependency;
+    }
+    if (jsonPomFile.project && jsonPomFile.project.dependencyManagement) {
+        dependencyManagement =
+            jsonPomFile.project.dependencyManagement.dependencies.dependency;
+    }
+    const mergedAndFilteredDeps = dependencies.map(obj1 => {
+        const obj2 = dependencyManagement.find(obj2 => obj2.groupId === obj1.groupId && obj2.artifactId === obj1.artifactId);
+        return obj2 ? { ...obj1, ...obj2 } : obj1;
     });
-    return jsonPomFile;
+    buildDependencies(mergedAndFilteredDeps, dependencyTree, jsonPomFile);
+    return {
+        parentPom: getParentDependency(jsonPomFile),
+        dependencyTree
+    };
 };
-const getFromVersionsTag = (dependencyName, versionIdentifier, jsonPomFile) => {
-    let formattedVersion = versionIdentifier.replace(/[{}]/g, '').replace('$', '');
-    if (jsonPomFile.project.properties[0].hasOwnProperty([formattedVersion])) {
-        return jsonPomFile.project.properties[0][formattedVersion][0];
+const getParentDependency = jsonPomFile => {
+    if (jsonPomFile.project && jsonPomFile.project.parent) {
+        return buildParent(jsonPomFile.project.parent);
+    }
+    else {
+        return undefined;
+    }
+};
+const buildParent = parent => {
+    return {
+        group: parent.groupId,
+        name: parent.artifactId,
+        version: parent.version
+    };
+};
+const getVersionFromParent = (parentObj, dependencyWithoutVersion) => {
+    const { groupId, version } = parentObj;
+    if (groupId === dependencyWithoutVersion.groupId) {
+        return version;
     }
     else {
         return null;
     }
 };
-const parsePomFile = jsonPomFile => {
-    let dependencyTree = {};
-    let parsedVersion;
-    let dependencies;
-    jsonPomFile.project.hasOwnProperty('dependencies')
-        ? (dependencies = jsonPomFile.project.dependencies[0].dependency)
-        : (dependencies =
-            jsonPomFile.project.dependencyManagement[0].dependencies[0].dependency);
-    for (let x in dependencies) {
-        let dependencyObject = dependencies[x];
-        if (!dependencyObject.hasOwnProperty('version')) {
-            parsedVersion = getVersion(jsonPomFile, dependencyObject);
+const getVersionFromProperties = (properties, dep) => {
+    if (properties && dep.version.includes('${')) {
+        const currentDepVersionPlaceholder = dep.version
+            .replace('${', '')
+            .replace('}', '');
+        for (const prop in properties) {
+            if (prop === currentDepVersionPlaceholder) {
+                return properties[prop];
+            }
         }
-        else {
-            dependencyObject.version[0].includes('${versions.')
-                ? (parsedVersion = getFromVersionsTag(dependencyObject.artifactId[0], dependencyObject.version[0], jsonPomFile))
-                : (parsedVersion = dependencyObject.version[0]);
+    }
+};
+const buildDependencies = (dependencies, dependencyTree, jsonPomFile) => {
+    const parent = getParentDependency(jsonPomFile);
+    for (const dep of dependencies) {
+        const versionAsString = dep.version ? dep.version.toString() : dep.version;
+        if (versionAsString && !versionAsString.includes('${')) {
+            const depName = dep.groupId + '/' + dep.artifactId + '@' + versionAsString;
+            dependencyTree[depName] = buildDep(dep, dep.version);
+        }
+        else if (jsonPomFile.project.properties &&
+            dep.version &&
+            dep.version.includes('${')) {
+            searchAndBuildFromProperties(jsonPomFile, dep, dependencyTree);
+        }
+        else if (!dep.version) {
+            if (parent && parent.version) {
+                const { parent } = jsonPomFile.project;
+                const parsedVersion = getVersionFromParent(parent, dep);
+                const depName = dep.groupId + '/' + dep.artifactId + '@' + parsedVersion;
+                dependencyTree[depName] = buildDep(dep, parsedVersion);
+            }
         }
-        let depName = dependencyObject.groupId +
-            '/' +
-            dependencyObject.artifactId +
-            '@' +
-            parsedVersion;
-        let parsedDependency = {
-            name: dependencyObject.artifactId[0],
-            group: dependencyObject.groupId[0],
-            version: parsedVersion,
-            directDependency: true,
-            productionDependency: true,
-            dependencies: []
-        };
-        dependencyTree[depName] = parsedDependency;
     }
-    return dependencyTree;
 };
-const getVersion = (pomFile, dependencyWithoutVersion) => {
-    let parentVersion = pomFile.project.parent[0].version[0];
-    let parentGroupName = pomFile.project.parent[0].groupId[0];
-    if (parentGroupName === dependencyWithoutVersion.groupId[0]) {
-        return parentVersion;
+const searchAndBuildFromProperties = (jsonPomFile, dep, dependencyTree) => {
+    const { properties } = jsonPomFile.project;
+    let versionFromProperties = getVersionFromProperties(properties, dep);
+    if (versionFromProperties) {
+        versionFromProperties = versionFromProperties.toString();
+        const depName = dep.groupId + '/' + dep.artifactId + '@' + versionFromProperties;
+        dependencyTree[depName] = buildDep(dep, versionFromProperties);
     }
     else {
-        return null;
+        const depName = dep.groupId + '/' + dep.artifactId + '@' + null;
+        dependencyTree[depName] = buildDep(dep, null);
     }
 };
+const buildDep = (dep, version) => {
+    return {
+        name: dep.artifactId,
+        group: dep.groupId,
+        version: version,
+        directDependency: true,
+        productionDependency: true,
+        dependencies: []
+    };
+};
 module.exports = {
     readPomFile,
-    getVersion,
-    parsePomFile,
-    getFromVersionsTag
+    getVersionFromParent,
+    parsePomFile
 };

package/dist/scaAnalysis/scaAnalysis.js

@@ -5,7 +5,6 @@ const autoDetection = require('../scan/autoDetection');
 const rootFile = require('../audit/languageAnalysisEngine/getProjectRootFilenames');
 const path = require('path');
 const i18n = require('i18n');
-const auditSave = require('../audit/save');
 const { auditUsageGuide } = require('../commands/audit/help');
 const repoMode = require('./repoMode');
 const { dotNetAnalysis } = require('./dotnet');
@@ -27,6 +26,7 @@ const processSca = async (config) => {
         console.log(auditUsageGuide);
         process.exit(0);
     }
+    config.repo = config.repositoryId !== undefined;
     const projectStats = await rootFile.getProjectStats(config.file);
     let pathWithFile = projectStats.isFile();
     config.fileName = config.file;
@@ -34,12 +34,14 @@ const processSca = async (config) => {
         ? rootFile.getDirectoryFromPathGiven(config.file).concat('/')
         : config.file;
     filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config.file);
+    filesFound = await autoDetection.detectPackageManager(filesFound);
     autoDetection.dealWithMultiJava(filesFound);
     if (filesFound.length > 1 && pathWithFile) {
         filesFound = filesFound.filter(i => Object.values(i)[0].includes(path.basename(config.fileName)));
     }
     let messageToSend = undefined;
     if (filesFound.length === 1) {
+        config.packageManager = filesFound[0]?.packageManager;
         switch (Object.keys(filesFound[0])[0]) {
             case JAVA:
                 config.language = JAVA;
@@ -99,13 +101,7 @@ const processSca = async (config) => {
             startSpinner(reportSpinner);
             let reportResponse = await processServices.processUpload(messageToSend, config, reportSpinner);
             const reportModelLibraryList = convertGenericToTypedReportModelSca(reportResponse.reportArray);
-            auditReport.processAuditReport(config, reportModelLibraryList);
-            if (config.save !== undefined) {
-                await auditSave.auditSave(config, reportResponse.reportId);
-            }
-            else {
-                console.log('Use contrast audit --save to generate an SBOM');
-            }
+            await auditReport.processAuditReport(config, reportModelLibraryList, reportResponse.reportId);
             succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'));
             const endTime = performance.now() - startTime;
             const scanDurationMs = endTime - startTime;

package/dist/scan/autoDetection.js

@@ -8,11 +8,14 @@ const autoDetectFingerprintInfo = async (filePath, depth, config) => {
     let count = 0;
     complexObj.forEach(i => {
         count++;
-        result.push({
-            filePath: i,
-            id: count.toString(),
-            repositoryId: config.repositoryId
-        });
+        if (!i.includes('package.json')) {
+            result.push({
+                filePath: i,
+                id: count.toString(),
+                repositoryId: config.repositoryId,
+                projectGroupId: config.projectGroupId
+            });
+        }
     });
     return result;
 };
@@ -40,15 +43,19 @@ const detectPackageManager = async (array) => {
         }
         if (i.filePath.includes('Pipfile')) {
             i['language'] = PYTHON;
+            i['packageManager'] = 'PYPI';
         }
         if (i.filePath.includes('csproj')) {
             i['language'] = DOTNET;
+            i['packageManager'] = 'NUGET';
         }
         if (i.filePath.includes('Gemfile')) {
             i['language'] = RUBY;
+            i['packageManager'] = 'RUBYGEMS';
         }
         if (i.filePath.includes('go.mod')) {
             i['language'] = GO;
+            i['packageManager'] = 'PKG';
         }
     });
     return array;

package/dist/scan/fileUtils.js

@@ -16,6 +16,7 @@ const findAllFiles = async (filePath, depth = 2) => {
         '**/build.gradle',
         '**/build.gradle.kts',
         '**/package.json',
+        '**/package-lock.json',
         '**/yarn.lock',
         '**/Pipfile',
         '**/*.csproj',
@@ -41,79 +42,92 @@ const findFilesJava = async (languagesFound, filePath, depth = 1) => {
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ JAVA: result, language: 'JAVA' });
+        let lockFile = result.find(i => i.includes('pom') || i.includes('gradle'));
+        return languagesFound.push({
+            JAVA: result,
+            language: 'JAVA',
+            filePath: lockFile
+        });
     }
     return languagesFound;
 };
-const findFilesJavascript = async (languagesFound, filePath) => {
+const findFilesJavascript = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/package.json', '**/yarn.lock', '**/package-lock.json'], {
         dot: false,
-        deep: 1,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ JAVASCRIPT: result, language: 'JAVASCRIPT' });
+        let lockFile = result.find(i => i.includes('lock'));
+        return languagesFound.push({
+            JAVASCRIPT: result,
+            language: 'JAVASCRIPT',
+            filePath: lockFile
+        });
     }
     return languagesFound;
 };
-const findFilesPython = async (languagesFound, filePath) => {
+const findFilesPython = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/Pipfile.lock', '**/Pipfile'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ PYTHON: result });
+        return languagesFound.push({ PYTHON: result, filePath: 'Pipfile' });
     }
     return languagesFound;
 };
-const findFilesGo = async (languagesFound, filePath) => {
+const findFilesGo = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/go.mod'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ GO: result });
+        return languagesFound.push({ GO: result, filePath: 'go.mod' });
     }
     return languagesFound;
 };
-const findFilesRuby = async (languagesFound, filePath) => {
+const findFilesRuby = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/Gemfile', '**/Gemfile.lock'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ RUBY: result });
+        return languagesFound.push({ RUBY: result, filePath: 'Gemfile' });
     }
     return languagesFound;
 };
-const findFilesPhp = async (languagesFound, filePath) => {
+const findFilesPhp = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/composer.json', '**/composer.lock'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ PHP: result });
+        return languagesFound.push({ PHP: result, filePath: 'composer.lock' });
     }
     return languagesFound;
 };
-const findFilesDotNet = async (languagesFound, filePath) => {
+const findFilesDotNet = async (languagesFound, filePath, depth = 1) => {
     const result = await fg(['**/*.csproj', '**/packages.lock.json'], {
         dot: false,
-        deep: 3,
+        deep: depth,
         onlyFiles: true,
         cwd: filePath ? filePath : process.cwd()
     });
     if (result.length > 0) {
-        return languagesFound.push({ DOTNET: result });
+        return languagesFound.push({
+            DOTNET: result,
+            filePath: 'packages.lock.json'
+        });
     }
     return languagesFound;
 };

package/dist/utils/paramsUtil/paramHandler.js

@@ -2,7 +2,7 @@
 const commandlineAuth = require('./commandlineParams');
 const configStoreParams = require('./configStoreParams');
 const envVariableParams = require('./envVariableParams');
-const { validateAuthParams } = require('../validationCheck');
+const { validateAuthParams, validateFingerprintParams } = require('../validationCheck');
 const i18n = require('i18n');
 const getAuth = params => {
     let commandLineAuthParamsAuth = commandlineAuth.getAuth(params);
@@ -22,4 +22,13 @@ const getAuth = params => {
         process.exit(1);
     }
 };
-module.exports = { getAuth };
+const getFingerprint = params => {
+    if (validateFingerprintParams(params)) {
+        return params;
+    }
+    else {
+        console.log('missing fingerprint params please check repository-url and repository-name');
+        process.exit(1);
+    }
+};
+module.exports = { getAuth, getFingerprint };

package/dist/utils/validationCheck.js

@@ -19,8 +19,12 @@ const validateAuthParams = params => {
         params.host &&
         params.authorization);
 };
+const validateFingerprintParams = params => {
+    return !!(params.repositoryUrl && params.repositoryName);
+};
 module.exports = {
     checkConfigHasRequiredValues: checkConfigHasRequiredValues,
     validateAuthParams: validateAuthParams,
-    validateRequiredScanParams: validateRequiredScanParams
+    validateRequiredScanParams: validateRequiredScanParams,
+    validateFingerprintParams: validateFingerprintParams
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "2.0.1",
+  "version": "2.0.2-beta.1",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -61,7 +61,10 @@
     "cross-spawn": "^7.0.3",
     "dotenv": "^16.0.0",
     "fast-glob": "^3.2.11",
+    "fast-xml-parser": "^4.2.2",
+    "got": "11.8.6",
     "gradle-to-js": "^2.0.1",
+    "hpagent": "^1.2.0",
     "i18n": "^0.15.1",
     "js-yaml": "^4.1.0",
     "lodash": "^4.17.21",
@@ -74,7 +77,7 @@
     "string-builder": "^0.1.8",
     "string-multiple-replace": "^1.0.5",
     "tmp": "^0.2.1",
-    "xml2js": "^0.4.23",
+    "xml2js": "^0.5.0",
     "yarn-lockfile": "^1.1.1"
   },
   "devDependencies": {
@@ -93,8 +96,9 @@
     "eslint-plugin-prettier": "^4.2.1",
     "husky": "^3.1.0",
     "jest": "^27.5.1",
-    "jest-junit": "^13.2.0",
+    "jest-junit": "^16.0.0",
     "mocha": "^10.2.0",
+    "nock": "^13.3.0",
     "npm-license-crawler": "^0.2.1",
     "nyc": "^15.1.0",
     "pkg": "^5.6.0",

package/src/audit/report/reportingFeature.ts

@@ -12,6 +12,7 @@ import chalk from 'chalk'
 import * as constants from '../../constants/constants'
 import { SeverityCountModel } from './models/severityCountModel'
 import * as common from '../../common/fail'
+import { auditSave } from '../save'
 
 export function convertKeysToStandardFormat(config: any, guidance: any) {
   let convertedGuidance = guidance
@@ -96,6 +97,12 @@ export async function vulnerabilityReportV2(config: any, reportId: string) {
         : {}
     )
 
+    if (config.save !== undefined) {
+      await auditSave(config)
+    } else {
+      console.log('\nUse contrast audit --save to generate an SBOM')
+    }
+
     if (config.fail) {
       common.processFail(config, output[2])
     }