@contrast/contrast 2.0.1 → 2.0.2-beta.1

package/src/common/baseRequest.ts

@@ -0,0 +1,83 @@
+import { HttpsProxyAgent } from 'hpagent'
+import fs from 'fs'
+import got, { Options } from 'got'
+import { Agents, HTTPSOptions } from 'got/dist/source/core'
+
+export function gotInstance(config: any) {
+  return got.extend({ retry: { limit: 0 }, ...buildBaseRequestOptions(config) })
+}
+
+export function buildBaseRequestOptions(config: any) {
+  const { apiKey, authorization } = config
+  const rejectUnauthorized = !config.certSelfSigned
+
+  const superApiKey = config.superApiKey
+  const superAuthToken = config.superAuthorization
+
+  const requestOptions = {
+    responseType: 'json',
+    forever: true,
+    uri: config.host,
+    followRedirect: false,
+    headers: {
+      'Content-Type': 'application/json; charset=utf-8',
+      Authorization: authorization,
+      'API-Key': apiKey,
+      SuperAuthorization: superAuthToken,
+      'Super-API-Key': superApiKey,
+      'User-Agent': 'contrast-cli-v2'
+    },
+    agent: getAgent(config)
+  } as Options
+
+  requestOptions.https = {
+    rejectUnauthorized: rejectUnauthorized
+  }
+
+  maybeAddCertsToRequest(config, requestOptions.https)
+  return requestOptions
+}
+
+function getAgent(config: any) {
+  return config.proxy
+    ? (new HttpsProxyAgent({ proxy: config.proxy }) as Agents)
+    : false
+}
+
+function maybeAddCertsToRequest(config: any, https: HTTPSOptions) {
+  // cacert
+  const caCertFilePath = config.cacert
+  if (caCertFilePath) {
+    try {
+      https.certificateAuthority = fs.readFileSync(caCertFilePath)
+    } catch (error: any) {
+      throw new Error(
+        `Unable to read CA from ${caCertFilePath}, msg: ${error.message}`
+      )
+    }
+  }
+
+  // cert
+  const certPath = config.cert
+  if (certPath) {
+    try {
+      https.certificate = fs.readFileSync(certPath)
+    } catch (error: any) {
+      throw new Error(
+        `Unable to read Certificate PEM file from config option contrast.api.certificate.cert_file='${certPath}', msg: ${error.message}`
+      )
+    }
+  }
+
+  // key
+  const keyPath = config.key
+  if (keyPath) {
+    try {
+      https.key = fs.readFileSync(keyPath)
+    } catch (error: any) {
+      throw new Error(
+        `Unable to read Key PEM file from config option contrast.api.certificate.key_file='${keyPath}', msg: ${error.message}`
+      )
+    }
+  }
+}

package/src/constants/constants.js

@@ -14,7 +14,7 @@ const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
 // App
 const APP_NAME = 'contrast'
-const APP_VERSION = '2.0.1'
+const APP_VERSION = '2.0.2-beta.1'
 const TIMEOUT = 120000
 const HIGH_COLOUR = '#ff9900'
 const CRITICAL_COLOUR = '#e35858'

package/src/scaAnalysis/common/auditReport.js

@@ -4,13 +4,20 @@ const {
 } = require('../../audit/report/commonReportingFunctions')
 const common = require('../../common/fail')
 const { printFormattedOutputSca } = require('./commonReportingFunctionsSca')
+const { auditSave } = require('../../audit/save')
 
-const processAuditReport = (config, reportModelList) => {
+const processAuditReport = async (config, reportModelList, reportId) => {
   let severityCounts = {}
   if (reportModelList !== undefined) {
     severityCounts = formatScaServicesReport(config, reportModelList)
   }
 
+  if (config.save !== undefined) {
+    await auditSave(config, reportId)
+  } else {
+    console.log('Use contrast audit --save to generate an SBOM')
+  }
+
   if (config.fail) {
     common.processFail(config, severityCounts)
   }

package/src/scaAnalysis/common/scaServicesUpload.js

@@ -14,8 +14,12 @@ const scaTreeUpload = async (analysis, config, reportSpinner) => {
   config.language = config.language === 'JAVASCRIPT' ? 'NODE' : config.language
   const startTime = performance.now()
   const timeout = commonApi.getTimeout(config)
+
+  const doINeedParent = config.repositoryId && config.language === 'JAVA'
+
   const requestBody = {
-    dependencyTree: analysis,
+    parentPom: doINeedParent ? analysis.parentPom : null,
+    dependencyTree: doINeedParent ? analysis.dependencyTree : analysis,
     organizationId: config.organizationId,
     language: config.language,
     tool: {

package/src/scaAnalysis/go/goReadDepFile.js

@@ -8,7 +8,10 @@ const getGoDependencies = config => {
   try {
     // A sample of this output can be found
     // in the go test folder data/goModGraphResults.text
-    cmdStdout = child_process.execSync('go mod graph', { cwd })
+    cmdStdout = child_process.execSync('go mod graph', {
+      cwd: cwd,
+      maxBuffer: 50 * 1024 * 1024
+    })
 
     return cmdStdout.toString()
   } catch (err) {
@@ -22,6 +25,7 @@ const getGoDependencies = config => {
     // throw new Error(
     //   i18n.__('goReadProjectFile', cwd, `${err.message ? err.message : ''}`)
     // )
+    process.exit(1)
   }
 }
 

package/src/scaAnalysis/java/analysis.js

@@ -30,7 +30,7 @@ const determineProjectTypeAndCwd = (files, config) => {
 
 const buildMaven = (config, projectData, timeout) => {
   let command = 'mvn'
-  let args = ['dependency:tree', '-B']
+  let args = ['dependency:tree', '-B', '-Dscope=runtime']
   if (config.mavenSettingsPath) {
     args.push('-s')
     args.push(config.mavenSettingsPath)

package/src/scaAnalysis/java/javaBuildDepsParser.js

@@ -140,7 +140,7 @@ const computeRelationToLastElement = element => {
 }
 
 const stripElement = element => {
-  return element
+  const initialStrippedElement = element
     .replace(/[|]/g, '')
     .replace('+---', '')
     .replace('\\---', '')
@@ -148,6 +148,22 @@ const stripElement = element => {
     .replace('(c)', '')
     .replace('->', '@')
     .replace('(*)', '')
+
+  //work out Gradle resolved versioning e.g. org.slf4j:slf4j-api:1.7.25 -> 1.7.22
+  //take 1.7.22
+  const splitElements = initialStrippedElement.split(':')
+  if (
+    splitElements[2] !== undefined &&
+    splitElements[2] !== null &&
+    splitElements[2].includes('@')
+  ) {
+    const splitVersions = splitElements[2].split('@')
+    return initialStrippedElement
+      .replace(':' + splitVersions[0], '')
+      .replace('@', ':')
+  }
+
+  return initialStrippedElement
 }
 
 const checkVersion = element => {

package/src/scaAnalysis/legacy/legacyFlow.js

@@ -32,11 +32,6 @@ const legacyFlow = async (config, messageToSend) => {
   succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
 
   await vulnerabilityReportV2(config, snapshotResponse.id)
-  if (config.save !== undefined) {
-    await auditSave(config)
-  } else {
-    console.log('\nUse contrast audit --save to generate an SBOM')
-  }
   const endTime = performance.now() - startTime
   const scanDurationMs = endTime - startTime
 

package/src/scaAnalysis/processServicesFlow.js

@@ -1,7 +1,8 @@
 const projectConfig = require('../commands/github/projectGroup')
+const repoService = require('../commands/github/repoServices')
 const scaServicesUpload = require('../scaAnalysis/common/scaServicesUpload')
 
-const trackProcess = async (analysis, config, reportSpinner) => {
+const dealWithNoProjectId = async (analysis, config, reportSpinner) => {
   await projectConfig.registerNewProjectGroup(config)
   let projectId = await projectConfig.getProjectIdByOrg(config)
   await projectConfig.registerProjectIdOnCliServices(config, projectId)
@@ -10,29 +11,83 @@ const trackProcess = async (analysis, config, reportSpinner) => {
 }
 
 const repoProcess = async (analysis, config, reportSpinner) => {
-  let repoInfo = repoService.retrieveRepoId(config)
-  if (repoInfo.repoId === '') {
-    repoInfo = repoService.registerRepo(config)
+  if (config.debug || config.verbose) {
+    console.log('in repository process')
+    console.log('repository id: ', config.repositoryId)
+  }
+  if (config.repositoryId === '') {
+    console.log('Failed to retrieve Repository Id')
+    process.exit(1)
   }
-  await projectConfig.registerProjectIdOnCliServices(config, repoInfo.projectId)
-  return repoInfo
-}
 
-const dealWithNoProjectId = async (analysis, config, reportSpinner) => {
-  // if (config.repo === '') {
-  //   return repoProcess(analysis, config, reportSpinner)
+  let repoInfo = await repoService.retrieveProjectInfoViaRepoId(config)
+
+  repoInfo = repoInfo.find(
+    element =>
+      config.fileName === element.path &&
+      config.fileName === element.name &&
+      config.projectGroupId === element.projectGroupId
+  )
+
+  // console.log('repoInfo', repoInfo)
+
+  // if(repoInfo !== undefined) {
+  //   console.log('re-register / register first time')
+  //   const language  = repoInfo.language === 'JAVASCRIPT' ? 'NODE' : repoInfo.language
+  //   const additionalData = {
+  //     projectGroupId: repoInfo.projectGroupId,
+  //     projectGroupName: repoInfo.name,
+  //     projectLanguage: language,
+  //     projectType: 'REPOSITORY'
+  //   }
+  //
+  //   // check project exists in sca / register (just in case, it failed in the past)
+  //   await projectConfig.registerProjectIdOnCliServices(
+  //     config,
+  //     repoInfo.projectId,
+  //     additionalData
+  //   )
   // }
-  if (config.track) {
-    return trackProcess(analysis, config, reportSpinner)
-  }
 
-  if (!config.track) {
-    return await scaServicesUpload.noProjectUpload(
-      analysis,
+  if (
+    config.projectGroupId &&
+    !repoInfo?.projectId &&
+    (repoInfo === undefined || repoInfo.length === 0)
+  ) {
+    console.log(
+      '*** has projectGroupId, no projectId and repo has no project found that matches'
+    )
+    repoInfo = await projectConfig.registerProjectWithGroupProjectId(config)
+    console.log('new registered group', repoInfo)
+    const language =
+      repoInfo.language === 'JAVASCRIPT' ? 'NODE' : repoInfo.language
+
+    // const additionalData = {
+    //   projectGroupId: repoInfo.projectGroupId,
+    //   projectGroupName: repoInfo.name,
+    //   projectLanguage: language,
+    //   projectType: 'REPOSITORY'
+    // }
+
+    await projectConfig.registerProjectIdOnCliServices(
       config,
-      reportSpinner
+      repoInfo.projectId
     )
   }
+  config.projectId = repoInfo.projectId
+  return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner)
+}
+
+const trackProcess = async (analysis, config, reportSpinner) => {
+  let projectId = await projectConfig.getProjectIdByOrg(config)
+
+  if (projectId === '') {
+    return dealWithNoProjectId(analysis, config, reportSpinner)
+  }
+  config.projectId = projectId
+  // we can always register just in case but normally we exit when
+  await projectConfig.registerProjectIdOnCliServices(config, projectId)
+  return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner)
 }
 
 const processUpload = async (analysis, config, reportSpinner) => {
@@ -40,15 +95,17 @@ const processUpload = async (analysis, config, reportSpinner) => {
   //  if cli tracked but no projectId -> registerNewProjectGroup THEN scaTreeUpload
   //  if cli not tracked and no projectID -> noProjectUpload
   //  if cli not tracked and projectID -> scaTreeUpload}
-  let projectId = await projectConfig.getProjectIdByOrg(config)
 
-  if (projectId === '') {
-    return dealWithNoProjectId(analysis, config, reportSpinner)
+  if (config.repositoryId) {
+    return repoProcess(analysis, config, reportSpinner)
   }
 
-  if (projectId) {
-    config.projectId = projectId
-    return await scaServicesUpload.scaTreeUpload(
+  if (config.track) {
+    return trackProcess(analysis, config, reportSpinner)
+  }
+
+  if (!config.track) {
+    return await scaServicesUpload.noProjectUpload(
       analysis,
       config,
       reportSpinner
@@ -57,5 +114,6 @@ const processUpload = async (analysis, config, reportSpinner) => {
 }
 
 module.exports = {
-  processUpload
+  processUpload,
+  repoProcess
 }

package/src/scaAnalysis/repoMode/mavenParser.js

@@ -1,89 +1,139 @@
 const fs = require('fs')
-const xml2js = require('xml2js')
+const { XMLParser } = require('fast-xml-parser')
 
 const readPomFile = project => {
   const mavenFilePath = project.cwd + '/pom.xml'
   const projectFile = fs.readFileSync(mavenFilePath)
-  let jsonPomFile
-  xml2js.parseString(projectFile, (err, result) => {
-    if (err) {
-      throw err
-    }
-    const json = JSON.stringify(result, null)
-    jsonPomFile = JSON.parse(json)
+  const parser = new XMLParser()
+  return parser.parse(projectFile)
+}
+
+const parsePomFile = jsonPomFile => {
+  console.log(JSON.stringify(jsonPomFile))
+  let dependencyTree = {}
+  let dependencies = []
+  let dependencyManagement = []
+
+  if (jsonPomFile.project && jsonPomFile.project.dependencies) {
+    dependencies = jsonPomFile.project.dependencies.dependency
+  }
+
+  if (jsonPomFile.project && jsonPomFile.project.dependencyManagement) {
+    dependencyManagement =
+      jsonPomFile.project.dependencyManagement.dependencies.dependency
+  }
+
+  //merge dependencies with dependencyManagement deps
+  //filter out any that don't appear in both by groupId and artifactId
+  const mergedAndFilteredDeps = dependencies.map(obj1 => {
+    const obj2 = dependencyManagement.find(
+      obj2 =>
+        obj2.groupId === obj1.groupId && obj2.artifactId === obj1.artifactId
+    )
+    return obj2 ? { ...obj1, ...obj2 } : obj1
   })
-  return jsonPomFile
+
+  buildDependencies(mergedAndFilteredDeps, dependencyTree, jsonPomFile)
+  return {
+    parentPom: getParentDependency(jsonPomFile),
+    dependencyTree
+  }
+}
+
+const getParentDependency = jsonPomFile => {
+  if (jsonPomFile.project && jsonPomFile.project.parent) {
+    return buildParent(jsonPomFile.project.parent)
+  } else {
+    return undefined
+  }
 }
 
-const getFromVersionsTag = (dependencyName, versionIdentifier, jsonPomFile) => {
-  // reading:
-  // <!-- DEPENDENCY VERSIONS -->
-  // <versions.animal-sniffer>1.16</versions.animal-sniffer>
-  let formattedVersion = versionIdentifier.replace(/[{}]/g, '').replace('$', '')
+const buildParent = parent => {
+  return {
+    group: parent.groupId,
+    name: parent.artifactId,
+    version: parent.version
+  }
+}
 
-  if (jsonPomFile.project.properties[0].hasOwnProperty([formattedVersion])) {
-    return jsonPomFile.project.properties[0][formattedVersion][0]
+const getVersionFromParent = (parentObj, dependencyWithoutVersion) => {
+  const { groupId, version } = parentObj
+  if (groupId === dependencyWithoutVersion.groupId) {
+    return version
   } else {
     return null
   }
 }
 
-const parsePomFile = jsonPomFile => {
-  let dependencyTree = {}
-  let parsedVersion
-  let dependencies
-  jsonPomFile.project.hasOwnProperty('dependencies')
-    ? (dependencies = jsonPomFile.project.dependencies[0].dependency)
-    : (dependencies =
-        jsonPomFile.project.dependencyManagement[0].dependencies[0].dependency)
-
-  for (let x in dependencies) {
-    let dependencyObject = dependencies[x]
-    if (!dependencyObject.hasOwnProperty('version')) {
-      parsedVersion = getVersion(jsonPomFile, dependencyObject)
-    } else {
-      dependencyObject.version[0].includes('${versions.')
-        ? (parsedVersion = getFromVersionsTag(
-            dependencyObject.artifactId[0],
-            dependencyObject.version[0],
-            jsonPomFile
-          ))
-        : (parsedVersion = dependencyObject.version[0])
+const getVersionFromProperties = (properties, dep) => {
+  if (properties && dep.version.includes('${')) {
+    const currentDepVersionPlaceholder = dep.version
+      .replace('${', '')
+      .replace('}', '')
+
+    for (const prop in properties) {
+      if (prop === currentDepVersionPlaceholder) {
+        return properties[prop]
+      }
     }
+  }
+}
 
-    let depName =
-      dependencyObject.groupId +
-      '/' +
-      dependencyObject.artifactId +
-      '@' +
-      parsedVersion
-
-    let parsedDependency = {
-      name: dependencyObject.artifactId[0],
-      group: dependencyObject.groupId[0],
-      version: parsedVersion,
-      directDependency: true,
-      productionDependency: true,
-      dependencies: []
+const buildDependencies = (dependencies, dependencyTree, jsonPomFile) => {
+  const parent = getParentDependency(jsonPomFile)
+  for (const dep of dependencies) {
+    //sometimes versions are parsed as numbers, convert to string
+    const versionAsString = dep.version ? dep.version.toString() : dep.version
+    if (versionAsString && !versionAsString.includes('${')) {
+      const depName = dep.groupId + '/' + dep.artifactId + '@' + versionAsString
+      dependencyTree[depName] = buildDep(dep, dep.version)
+    } else if (
+      jsonPomFile.project.properties &&
+      dep.version &&
+      dep.version.includes('${')
+    ) {
+      searchAndBuildFromProperties(jsonPomFile, dep, dependencyTree)
+    } else if (!dep.version) {
+      if (parent && parent.version) {
+        //get version where group matches from parent tag
+        const { parent } = jsonPomFile.project
+        const parsedVersion = getVersionFromParent(parent, dep)
+        const depName = dep.groupId + '/' + dep.artifactId + '@' + parsedVersion
+        dependencyTree[depName] = buildDep(dep, parsedVersion)
+      }
     }
-    dependencyTree[depName] = parsedDependency
   }
-  return dependencyTree
 }
 
-const getVersion = (pomFile, dependencyWithoutVersion) => {
-  let parentVersion = pomFile.project.parent[0].version[0]
-  let parentGroupName = pomFile.project.parent[0].groupId[0]
-  if (parentGroupName === dependencyWithoutVersion.groupId[0]) {
-    return parentVersion
+const searchAndBuildFromProperties = (jsonPomFile, dep, dependencyTree) => {
+  //get version from properties tag
+  const { properties } = jsonPomFile.project
+  let versionFromProperties = getVersionFromProperties(properties, dep)
+
+  if (versionFromProperties) {
+    versionFromProperties = versionFromProperties.toString()
+    const depName =
+      dep.groupId + '/' + dep.artifactId + '@' + versionFromProperties
+    dependencyTree[depName] = buildDep(dep, versionFromProperties)
   } else {
-    return null
+    const depName = dep.groupId + '/' + dep.artifactId + '@' + null
+    dependencyTree[depName] = buildDep(dep, null)
+  }
+}
+
+const buildDep = (dep, version) => {
+  return {
+    name: dep.artifactId,
+    group: dep.groupId,
+    version: version,
+    directDependency: true,
+    productionDependency: true,
+    dependencies: []
   }
 }
 
 module.exports = {
   readPomFile,
-  getVersion,
-  parsePomFile,
-  getFromVersionsTag
+  getVersionFromParent,
+  parsePomFile
 }

package/src/scaAnalysis/scaAnalysis.js

@@ -10,7 +10,6 @@ const autoDetection = require('../scan/autoDetection')
 const rootFile = require('../audit/languageAnalysisEngine/getProjectRootFilenames')
 const path = require('path')
 const i18n = require('i18n')
-const auditSave = require('../audit/save')
 const { auditUsageGuide } = require('../commands/audit/help')
 const repoMode = require('./repoMode')
 const { dotNetAnalysis } = require('./dotnet')
@@ -37,6 +36,8 @@ const processSca = async config => {
     process.exit(0)
   }
 
+  config.repo = config.repositoryId !== undefined
+
   const projectStats = await rootFile.getProjectStats(config.file)
   let pathWithFile = projectStats.isFile()
 
@@ -46,7 +47,7 @@ const processSca = async config => {
     : config.file
 
   filesFound = await autoDetection.autoDetectAuditFilesAndLanguages(config.file)
-
+  filesFound = await autoDetection.detectPackageManager(filesFound)
   autoDetection.dealWithMultiJava(filesFound)
 
   if (filesFound.length > 1 && pathWithFile) {
@@ -59,6 +60,7 @@ const processSca = async config => {
   //check we have the language and call the right analyser
   let messageToSend = undefined
   if (filesFound.length === 1) {
+    config.packageManager = filesFound[0]?.packageManager
     switch (Object.keys(filesFound[0])[0]) {
       case JAVA:
         config.language = JAVA
@@ -131,12 +133,11 @@ const processSca = async config => {
       const reportModelLibraryList = convertGenericToTypedReportModelSca(
         reportResponse.reportArray
       )
-      auditReport.processAuditReport(config, reportModelLibraryList)
-      if (config.save !== undefined) {
-        await auditSave.auditSave(config, reportResponse.reportId)
-      } else {
-        console.log('Use contrast audit --save to generate an SBOM')
-      }
+      await auditReport.processAuditReport(
+        config,
+        reportModelLibraryList,
+        reportResponse.reportId
+      )
 
       succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
 

package/src/scan/autoDetection.js

@@ -9,11 +9,14 @@ const autoDetectFingerprintInfo = async (filePath, depth, config) => {
   let count = 0
   complexObj.forEach(i => {
     count++
-    result.push({
-      filePath: i,
-      id: count.toString(),
-      repositoryId: config.repositoryId
-    })
+    if (!i.includes('package.json')) {
+      result.push({
+        filePath: i,
+        id: count.toString(),
+        repositoryId: config.repositoryId,
+        projectGroupId: config.projectGroupId
+      })
+    }
   })
 
   return result
@@ -43,15 +46,19 @@ const detectPackageManager = async array => {
     }
     if (i.filePath.includes('Pipfile')) {
       i['language'] = PYTHON
+      i['packageManager'] = 'PYPI'
     }
     if (i.filePath.includes('csproj')) {
       i['language'] = DOTNET
+      i['packageManager'] = 'NUGET'
     }
     if (i.filePath.includes('Gemfile')) {
       i['language'] = RUBY
+      i['packageManager'] = 'RUBYGEMS'
     }
     if (i.filePath.includes('go.mod')) {
       i['language'] = GO
+      i['packageManager'] = 'PKG'
     }
   })
   return array