npm - @contrast/contrast - Versions diffs - 2.0.2-beta.0 → 2.0.2-beta.1 - Mend

@contrast/contrast 2.0.2-beta.0 → 2.0.2-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/constants/constants.js +1 -1
package/dist/scaAnalysis/repoMode/mavenParser.js +91 -67
package/package.json +2 -1
package/src/constants/constants.js +1 -1
package/src/scaAnalysis/repoMode/mavenParser.js +105 -78

package/dist/constants/constants.js CHANGED Viewed

@@ -12,7 +12,7 @@ const MEDIUM = 'MEDIUM';
 const HIGH = 'HIGH';
 const CRITICAL = 'CRITICAL';
 const APP_NAME = 'contrast';
-const APP_VERSION = '2.0.2-beta.0';
+const APP_VERSION = '2.0.2-beta.1';
 const TIMEOUT = 120000;
 const HIGH_COLOUR = '#ff9900';
 const CRITICAL_COLOUR = '#e35858';

package/dist/scaAnalysis/repoMode/mavenParser.js CHANGED Viewed

@@ -1,94 +1,118 @@
 "use strict";
 const fs = require('fs');
-const xml2js = require('xml2js');
+const { XMLParser } = require('fast-xml-parser');
 const readPomFile = project => {
     const mavenFilePath = project.cwd + '/pom.xml';
     const projectFile = fs.readFileSync(mavenFilePath);
-    let jsonPomFile;
-    xml2js.parseString(projectFile, (err, result) => {
-        if (err) {
-            throw err;
-        }
-        const json = JSON.stringify(result, null);
-        jsonPomFile = JSON.parse(json);
-    });
-    return jsonPomFile;
-};
-const getFromVersionsTag = (dependencyName, versionIdentifier, jsonPomFile) => {
-    let formattedVersion = versionIdentifier.replace(/[{}]/g, '').replace('$', '');
-    if (jsonPomFile.project.properties[0].hasOwnProperty([formattedVersion])) {
-        return jsonPomFile.project.properties[0][formattedVersion][0];
-    }
-    else {
-        return null;
-    }
+    const parser = new XMLParser();
+    return parser.parse(projectFile);
 };
 const parsePomFile = jsonPomFile => {
+    console.log(JSON.stringify(jsonPomFile));
     let dependencyTree = {};
-    let parsedVersion;
-    let dependencies;
-    jsonPomFile.project.hasOwnProperty('dependencies')
-        ? (dependencies = jsonPomFile.project.dependencies[0].dependency)
-        : (dependencies =
-            jsonPomFile.project.dependencyManagement[0].dependencies[0].dependency);
-    for (let x in dependencies) {
-        let dependencyObject = dependencies[x];
-        if (!dependencyObject.hasOwnProperty('version')) {
-            parsedVersion = getVersion(jsonPomFile, dependencyObject);
-        }
-        else {
-            dependencyObject.version[0].includes('${versions.')
-                ? (parsedVersion = getFromVersionsTag(dependencyObject.artifactId[0], dependencyObject.version[0], jsonPomFile))
-                : (parsedVersion = dependencyObject.version[0]);
-        }
-        let depName = dependencyObject.groupId +
-            '/' +
-            dependencyObject.artifactId +
-            '@' +
-            parsedVersion;
-        let parsedDependency = {
-            name: dependencyObject.artifactId[0],
-            group: dependencyObject.groupId[0],
-            version: parsedVersion,
-            directDependency: true,
-            productionDependency: true,
-            dependencies: []
-        };
-        dependencyTree[depName] = parsedDependency;
+    let dependencies = [];
+    let dependencyManagement = [];
+    if (jsonPomFile.project && jsonPomFile.project.dependencies) {
+        dependencies = jsonPomFile.project.dependencies.dependency;
+    }
+    if (jsonPomFile.project && jsonPomFile.project.dependencyManagement) {
+        dependencyManagement =
+            jsonPomFile.project.dependencyManagement.dependencies.dependency;
     }
-    const retrieveParent = getParentDependency(jsonPomFile);
+    const mergedAndFilteredDeps = dependencies.map(obj1 => {
+        const obj2 = dependencyManagement.find(obj2 => obj2.groupId === obj1.groupId && obj2.artifactId === obj1.artifactId);
+        return obj2 ? { ...obj1, ...obj2 } : obj1;
+    });
+    buildDependencies(mergedAndFilteredDeps, dependencyTree, jsonPomFile);
     return {
-        parentPom: retrieveParent,
+        parentPom: getParentDependency(jsonPomFile),
         dependencyTree
     };
 };
 const getParentDependency = jsonPomFile => {
-    let parent = {};
-    jsonPomFile.project.hasOwnProperty('parent')
-        ? (parent = buildParent(jsonPomFile.project.parent))
-        : (parent = undefined);
-    return parent;
+    if (jsonPomFile.project && jsonPomFile.project.parent) {
+        return buildParent(jsonPomFile.project.parent);
+    }
+    else {
+        return undefined;
+    }
 };
 const buildParent = parent => {
     return {
-        group: parent[0].groupId[0],
-        name: parent[0].artifactId[0],
-        version: parent[0].version[0]
+        group: parent.groupId,
+        name: parent.artifactId,
+        version: parent.version
     };
 };
-const getVersion = (pomFile, dependencyWithoutVersion) => {
-    let parentVersion = pomFile.project.parent[0].version[0];
-    let parentGroupName = pomFile.project.parent[0].groupId[0];
-    if (parentGroupName === dependencyWithoutVersion.groupId[0]) {
-        return parentVersion;
+const getVersionFromParent = (parentObj, dependencyWithoutVersion) => {
+    const { groupId, version } = parentObj;
+    if (groupId === dependencyWithoutVersion.groupId) {
+        return version;
     }
     else {
         return null;
     }
 };
+const getVersionFromProperties = (properties, dep) => {
+    if (properties && dep.version.includes('${')) {
+        const currentDepVersionPlaceholder = dep.version
+            .replace('${', '')
+            .replace('}', '');
+        for (const prop in properties) {
+            if (prop === currentDepVersionPlaceholder) {
+                return properties[prop];
+            }
+        }
+    }
+};
+const buildDependencies = (dependencies, dependencyTree, jsonPomFile) => {
+    const parent = getParentDependency(jsonPomFile);
+    for (const dep of dependencies) {
+        const versionAsString = dep.version ? dep.version.toString() : dep.version;
+        if (versionAsString && !versionAsString.includes('${')) {
+            const depName = dep.groupId + '/' + dep.artifactId + '@' + versionAsString;
+            dependencyTree[depName] = buildDep(dep, dep.version);
+        }
+        else if (jsonPomFile.project.properties &&
+            dep.version &&
+            dep.version.includes('${')) {
+            searchAndBuildFromProperties(jsonPomFile, dep, dependencyTree);
+        }
+        else if (!dep.version) {
+            if (parent && parent.version) {
+                const { parent } = jsonPomFile.project;
+                const parsedVersion = getVersionFromParent(parent, dep);
+                const depName = dep.groupId + '/' + dep.artifactId + '@' + parsedVersion;
+                dependencyTree[depName] = buildDep(dep, parsedVersion);
+            }
+        }
+    }
+};
+const searchAndBuildFromProperties = (jsonPomFile, dep, dependencyTree) => {
+    const { properties } = jsonPomFile.project;
+    let versionFromProperties = getVersionFromProperties(properties, dep);
+    if (versionFromProperties) {
+        versionFromProperties = versionFromProperties.toString();
+        const depName = dep.groupId + '/' + dep.artifactId + '@' + versionFromProperties;
+        dependencyTree[depName] = buildDep(dep, versionFromProperties);
+    }
+    else {
+        const depName = dep.groupId + '/' + dep.artifactId + '@' + null;
+        dependencyTree[depName] = buildDep(dep, null);
+    }
+};
+const buildDep = (dep, version) => {
+    return {
+        name: dep.artifactId,
+        group: dep.groupId,
+        version: version,
+        directDependency: true,
+        productionDependency: true,
+        dependencies: []
+    };
+};
 module.exports = {
     readPomFile,
-    getVersion,
-    parsePomFile,
-    getFromVersionsTag
+    getVersionFromParent,
+    parsePomFile
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "2.0.2-beta.0",
+  "version": "2.0.2-beta.1",
   "description": "Contrast Security's command line tool",
   "main": "dist/index.js",
   "bin": {
@@ -61,6 +61,7 @@
     "cross-spawn": "^7.0.3",
     "dotenv": "^16.0.0",
     "fast-glob": "^3.2.11",
+    "fast-xml-parser": "^4.2.2",
     "got": "11.8.6",
     "gradle-to-js": "^2.0.1",
     "hpagent": "^1.2.0",

package/src/constants/constants.js CHANGED Viewed

@@ -14,7 +14,7 @@ const HIGH = 'HIGH'
 const CRITICAL = 'CRITICAL'
 // App
 const APP_NAME = 'contrast'
-const APP_VERSION = '2.0.2-beta.0'
+const APP_VERSION = '2.0.2-beta.1'
 const TIMEOUT = 120000
 const HIGH_COLOUR = '#ff9900'
 const CRITICAL_COLOUR = '#e35858'

package/src/scaAnalysis/repoMode/mavenParser.js CHANGED Viewed

@@ -1,112 +1,139 @@
 const fs = require('fs')
-const xml2js = require('xml2js')
+const { XMLParser } = require('fast-xml-parser')
 const readPomFile = project => {
   const mavenFilePath = project.cwd + '/pom.xml'
   const projectFile = fs.readFileSync(mavenFilePath)
-  let jsonPomFile
-  xml2js.parseString(projectFile, (err, result) => {
-    if (err) {
-      throw err
-    }
-    const json = JSON.stringify(result, null)
-    jsonPomFile = JSON.parse(json)
-  })
-  return jsonPomFile
-}
-const getFromVersionsTag = (dependencyName, versionIdentifier, jsonPomFile) => {
-  // reading:
-  // <!-- DEPENDENCY VERSIONS -->
-  // <versions.animal-sniffer>1.16</versions.animal-sniffer>
-  let formattedVersion = versionIdentifier.replace(/[{}]/g, '').replace('$', '')
-  if (jsonPomFile.project.properties[0].hasOwnProperty([formattedVersion])) {
-    return jsonPomFile.project.properties[0][formattedVersion][0]
-  } else {
-    return null
-  }
+  const parser = new XMLParser()
+  return parser.parse(projectFile)
 }
 const parsePomFile = jsonPomFile => {
+  console.log(JSON.stringify(jsonPomFile))
   let dependencyTree = {}
-  let parsedVersion
-  let dependencies
-  jsonPomFile.project.hasOwnProperty('dependencies')
-    ? (dependencies = jsonPomFile.project.dependencies[0].dependency)
-    : (dependencies =
-        jsonPomFile.project.dependencyManagement[0].dependencies[0].dependency)
-  for (let x in dependencies) {
-    let dependencyObject = dependencies[x]
-    if (!dependencyObject.hasOwnProperty('version')) {
-      parsedVersion = getVersion(jsonPomFile, dependencyObject)
-    } else {
-      dependencyObject.version[0].includes('${versions.')
-        ? (parsedVersion = getFromVersionsTag(
-            dependencyObject.artifactId[0],
-            dependencyObject.version[0],
-            jsonPomFile
-          ))
-        : (parsedVersion = dependencyObject.version[0])
-    }
+  let dependencies = []
+  let dependencyManagement = []
-    let depName =
-      dependencyObject.groupId +
-      '/' +
-      dependencyObject.artifactId +
-      '@' +
-      parsedVersion
-    let parsedDependency = {
-      name: dependencyObject.artifactId[0],
-      group: dependencyObject.groupId[0],
-      version: parsedVersion,
-      directDependency: true,
-      productionDependency: true,
-      dependencies: []
-    }
-    dependencyTree[depName] = parsedDependency
+  if (jsonPomFile.project && jsonPomFile.project.dependencies) {
+    dependencies = jsonPomFile.project.dependencies.dependency
+  }
+  if (jsonPomFile.project && jsonPomFile.project.dependencyManagement) {
+    dependencyManagement =
+      jsonPomFile.project.dependencyManagement.dependencies.dependency
   }
-  const retrieveParent = getParentDependency(jsonPomFile)
+  //merge dependencies with dependencyManagement deps
+  //filter out any that don't appear in both by groupId and artifactId
+  const mergedAndFilteredDeps = dependencies.map(obj1 => {
+    const obj2 = dependencyManagement.find(
+      obj2 =>
+        obj2.groupId === obj1.groupId && obj2.artifactId === obj1.artifactId
+    )
+    return obj2 ? { ...obj1, ...obj2 } : obj1
+  })
+  buildDependencies(mergedAndFilteredDeps, dependencyTree, jsonPomFile)
   return {
-    parentPom: retrieveParent,
+    parentPom: getParentDependency(jsonPomFile),
     dependencyTree
   }
 }
 const getParentDependency = jsonPomFile => {
-  let parent = {}
-  jsonPomFile.project.hasOwnProperty('parent')
-    ? (parent = buildParent(jsonPomFile.project.parent))
-    : (parent = undefined)
-  return parent
+  if (jsonPomFile.project && jsonPomFile.project.parent) {
+    return buildParent(jsonPomFile.project.parent)
+  } else {
+    return undefined
+  }
 }
 const buildParent = parent => {
   return {
-    group: parent[0].groupId[0],
-    name: parent[0].artifactId[0],
-    version: parent[0].version[0]
+    group: parent.groupId,
+    name: parent.artifactId,
+    version: parent.version
   }
 }
-const getVersion = (pomFile, dependencyWithoutVersion) => {
-  let parentVersion = pomFile.project.parent[0].version[0]
-  let parentGroupName = pomFile.project.parent[0].groupId[0]
-  if (parentGroupName === dependencyWithoutVersion.groupId[0]) {
-    return parentVersion
+const getVersionFromParent = (parentObj, dependencyWithoutVersion) => {
+  const { groupId, version } = parentObj
+  if (groupId === dependencyWithoutVersion.groupId) {
+    return version
   } else {
     return null
   }
 }
+const getVersionFromProperties = (properties, dep) => {
+  if (properties && dep.version.includes('${')) {
+    const currentDepVersionPlaceholder = dep.version
+      .replace('${', '')
+      .replace('}', '')
+    for (const prop in properties) {
+      if (prop === currentDepVersionPlaceholder) {
+        return properties[prop]
+      }
+    }
+  }
+}
+const buildDependencies = (dependencies, dependencyTree, jsonPomFile) => {
+  const parent = getParentDependency(jsonPomFile)
+  for (const dep of dependencies) {
+    //sometimes versions are parsed as numbers, convert to string
+    const versionAsString = dep.version ? dep.version.toString() : dep.version
+    if (versionAsString && !versionAsString.includes('${')) {
+      const depName = dep.groupId + '/' + dep.artifactId + '@' + versionAsString
+      dependencyTree[depName] = buildDep(dep, dep.version)
+    } else if (
+      jsonPomFile.project.properties &&
+      dep.version &&
+      dep.version.includes('${')
+    ) {
+      searchAndBuildFromProperties(jsonPomFile, dep, dependencyTree)
+    } else if (!dep.version) {
+      if (parent && parent.version) {
+        //get version where group matches from parent tag
+        const { parent } = jsonPomFile.project
+        const parsedVersion = getVersionFromParent(parent, dep)
+        const depName = dep.groupId + '/' + dep.artifactId + '@' + parsedVersion
+        dependencyTree[depName] = buildDep(dep, parsedVersion)
+      }
+    }
+  }
+}
+const searchAndBuildFromProperties = (jsonPomFile, dep, dependencyTree) => {
+  //get version from properties tag
+  const { properties } = jsonPomFile.project
+  let versionFromProperties = getVersionFromProperties(properties, dep)
+  if (versionFromProperties) {
+    versionFromProperties = versionFromProperties.toString()
+    const depName =
+      dep.groupId + '/' + dep.artifactId + '@' + versionFromProperties
+    dependencyTree[depName] = buildDep(dep, versionFromProperties)
+  } else {
+    const depName = dep.groupId + '/' + dep.artifactId + '@' + null
+    dependencyTree[depName] = buildDep(dep, null)
+  }
+}
+const buildDep = (dep, version) => {
+  return {
+    name: dep.artifactId,
+    group: dep.groupId,
+    version: version,
+    directDependency: true,
+    productionDependency: true,
+    dependencies: []
+  }
+}
 module.exports = {
   readPomFile,
-  getVersion,
-  parsePomFile,
-  getFromVersionsTag
+  getVersionFromParent,
+  parsePomFile
 }