@contrast/contrast 2.0.2-beta.1 → 2.0.2-beta.11

package/src/scaAnalysis/javascript/analysis.js

@@ -1,111 +0,0 @@
-const fs = require('fs')
-const yarnParser = require('@yarnpkg/lockfile')
-const yaml = require('js-yaml')
-const i18n = require('i18n')
-const {
-  formatKey
-} = require('../../audit/nodeAnalysisEngine/parseYarn2LockFileContents')
-
-const readFile = async (config, languageFiles, nameOfFile) => {
-  const index = languageFiles.findIndex(v => v.includes(nameOfFile))
-
-  if (config.file) {
-    return fs.readFileSync(config.file.concat(languageFiles[index]), 'utf8')
-  } else {
-    throw new Error('could not find file')
-  }
-}
-
-const readYarn = async (config, languageFiles, nameOfFile) => {
-  let yarn = {
-    yarnVersion: 1,
-    rawYarnLockFileContents: ''
-  }
-
-  try {
-    let rawYarnLockFileContents = await readFile(
-      config,
-      languageFiles,
-      nameOfFile
-    )
-    yarn.rawYarnLockFileContents = rawYarnLockFileContents
-
-    if (
-      !yarn.rawYarnLockFileContents.includes('lockfile v1') ||
-      yarn.rawYarnLockFileContents.includes('__metadata')
-    ) {
-      yarn.rawYarnLockFileContents = yaml.load(rawYarnLockFileContents)
-      yarn.yarnVersion = 2
-    }
-
-    return yarn
-  } catch (err) {
-    throw new Error(i18n.__('nodeReadYarnLockFileError') + `${err.message}`)
-  }
-}
-
-const parseNpmLockFile = async npmLockFile => {
-  try {
-    if (!npmLockFile.parsedPackages) {
-      npmLockFile.parsedPackages = {}
-    }
-
-    Object.entries(npmLockFile.packages).forEach(
-      ([packageKey, packageValue]) => {
-        if (packageKey.includes('node_modules/')) {
-          //remove object keys node modules prefixing
-          //e.g: node_modules/@aws-amplify/datastore/node_modules/uuid --> @aws-amplify/datastore/uuid
-          packageKey = packageKey.replace(/(node_modules\/)+/g, '')
-        }
-
-        npmLockFile.parsedPackages[packageKey] = packageValue
-      }
-    )
-
-    //remove base project package - unneeded
-    delete npmLockFile.parsedPackages['']
-
-    return npmLockFile
-  } catch (err) {
-    throw new Error(i18n.__('NodeParseNPM') + `${err.message}`)
-  }
-}
-
-const parseYarnLockFile = async js => {
-  try {
-    js.yarn.yarnLockFile = {}
-    if (js.yarn.yarnVersion === 1) {
-      js.yarn.yarnLockFile = yarnParser.parse(js.yarn.rawYarnLockFileContents)
-      delete js.yarn.rawYarnLockFileContents
-      return js
-    } else {
-      js.yarn.yarnLockFile['object'] = js.yarn.rawYarnLockFileContents
-      delete js.yarn.yarnLockFile['object'].__metadata
-      js.yarn.yarnLockFile['type'] = 'success'
-
-      Object.entries(js.yarn.rawYarnLockFileContents).forEach(
-        ([key, value]) => {
-          const rawKeyNames = key.split(',')
-          const keyNames = formatKey(rawKeyNames)
-
-          keyNames.forEach(name => {
-            js.yarn.yarnLockFile.object[name] = value
-          })
-        }
-      )
-      return js
-    }
-  } catch (err) {
-    throw new Error(
-      i18n.__('NodeParseYarn', js.yarn.yarnVersion) + `${err.message}`
-    )
-  }
-}
-
-module.exports = {
-  readYarn,
-  parseYarnLockFile,
-  parseNpmLockFile,
-  readFile,
-  formatKey
-}

package/src/scaAnalysis/javascript/index.js

@@ -1,104 +0,0 @@
-const analysis = require('./analysis')
-const i18n = require('i18n')
-const formatMessage = require('../common/formatMessage')
-const scaServiceParser = require('./scaServiceParser')
-
-const jsAnalysis = async (config, languageFiles) => {
-  checkForCorrectFiles(languageFiles)
-
-  if (!config.file.endsWith('/')) {
-    config.file = config.file.concat('/')
-  }
-  return buildNodeTree(config, languageFiles.JAVASCRIPT)
-}
-const buildNodeTree = async (config, files) => {
-  let analysis = await readFiles(config, files)
-  const rawNode = await parseFiles(config, files, analysis)
-  if (config.legacy === false) {
-    return scaServiceParser.parseJS(rawNode)
-  }
-
-  return formatMessage.createJavaScriptTSMessage(rawNode)
-}
-
-const readFiles = async (config, files) => {
-  let js = {}
-
-  js.packageJSON = JSON.parse(
-    await analysis.readFile(config, files, 'package.json')
-  )
-
-  if (files.includes('package-lock.json')) {
-    js.rawLockFileContents = await analysis.readFile(
-      config,
-      files,
-      'package-lock.json'
-    )
-  }
-  if (files.includes('yarn.lock')) {
-    js.yarn = {}
-    js.yarn = await analysis.readYarn(config, files, 'yarn.lock')
-  }
-
-  return js
-}
-
-const parseFiles = async (config, files, js) => {
-  if (files.includes('package-lock.json')) {
-    const npmLockFile = JSON.parse(js.rawLockFileContents)
-
-    const currentLockFileVersion = npmLockFile.lockfileVersion
-    const generalRebuildMessage =
-      '\nPlease update to Node 16+ & NPM 8+ or 9+ and then rebuild your package files.' +
-      '\nMore info here: https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json'
-
-    if (currentLockFileVersion === 1) {
-      throw new Error(
-        `NPM lockfileVersion 1 is no longer supported. \n ${generalRebuildMessage}`
-      )
-    }
-
-    if (!currentLockFileVersion || !npmLockFile.packages) {
-      throw new Error(
-        `package-lock.json needs to be in the NPM v2 or v3 format. \n ${generalRebuildMessage}`
-      )
-    }
-
-    if (currentLockFileVersion === 3 && config.legacy) {
-      throw new Error(`NPM lockfileVersion 3 is not support with --legacy`)
-    }
-
-    js.npmLockFile = await analysis.parseNpmLockFile(npmLockFile)
-  }
-
-  if (files.includes('yarn.lock')) {
-    js = await analysis.parseYarnLockFile(js)
-  }
-
-  return js
-}
-
-const checkForCorrectFiles = languageFiles => {
-  if (
-    languageFiles.JAVASCRIPT.includes('package-lock.json') &&
-    languageFiles.JAVASCRIPT.includes('yarn.lock')
-  ) {
-    throw new Error(
-      i18n.__('languageAnalysisHasMultipleLockFiles', 'javascript')
-    )
-  }
-
-  if (
-    !languageFiles.JAVASCRIPT.includes('package-lock.json') &&
-    !languageFiles.JAVASCRIPT.includes('yarn.lock')
-  ) {
-    throw new Error(i18n.__('languageAnalysisHasNoLockFile', 'javascript'))
-  }
-
-  if (!languageFiles.JAVASCRIPT.includes('package.json')) {
-    throw new Error(i18n.__('languageAnalysisHasNoPackageJsonFile'))
-  }
-}
-module.exports = {
-  jsAnalysis
-}

package/src/scaAnalysis/javascript/scaServiceParser.js

@@ -1,151 +0,0 @@
-const parseJS = rawNode => {
-  let dependencyTree = {}
-  let combinedPackageJSONDep = {
-    ...rawNode.packageJSON?.dependencies,
-    ...rawNode.packageJSON?.devDependencies
-  }
-  let analyseLock = chooseLockFile(rawNode)
-
-  if (analyseLock.type === 'yarn') {
-    dependencyTree = yarnCreateDepTree(
-      dependencyTree,
-      combinedPackageJSONDep,
-      analyseLock.lockFile,
-      rawNode
-    )
-  }
-
-  if (analyseLock.type === 'npm') {
-    dependencyTree = npmCreateDepTree(
-      dependencyTree,
-      combinedPackageJSONDep,
-      analyseLock.lockFile,
-      rawNode
-    )
-  }
-
-  return dependencyTree
-}
-
-const npmCreateDepTree = (
-  dependencyTree,
-  combinedPackageJSONDep,
-  packageLock,
-  rawNode
-) => {
-  for (const [key, value] of Object.entries(packageLock)) {
-    dependencyTree[key] = {
-      name: key,
-      version: getResolvedVersion(key, packageLock),
-      group: null,
-      productionDependency: checkIfInPackageJSON(
-        rawNode.packageJSON.dependencies,
-        key
-      ),
-      directDependency: checkIfInPackageJSON(combinedPackageJSONDep, key),
-      dependencies: createNPMChildDependencies(packageLock, key)
-    }
-  }
-  return dependencyTree
-}
-
-const yarnCreateDepTree = (
-  dependencyTree,
-  combinedPackageJSONDep,
-  packageLock,
-  rawNode
-) => {
-  for (const [key, value] of Object.entries(packageLock)) {
-    let gav = getNameFromGAV(key)
-    let nag = getDepNameWithoutVersion(key)
-    dependencyTree[key] = {
-      name: gav,
-      version: getResolvedVersion(key, packageLock),
-      group: null,
-      productionDependency: checkIfInPackageJSON(
-        rawNode.packageJSON.dependencies,
-        nag
-      ),
-      directDependency: checkIfInPackageJSON(combinedPackageJSONDep, nag),
-      dependencies: createChildDependencies(packageLock, key)
-    }
-  }
-  return dependencyTree
-}
-
-const chooseLockFile = rawNode => {
-  if (rawNode?.yarn?.yarnLockFile !== undefined) {
-    return { lockFile: rawNode?.yarn?.yarnLockFile?.object, type: 'yarn' }
-  } else if (rawNode.npmLockFile !== undefined) {
-    return { lockFile: rawNode?.npmLockFile?.parsedPackages, type: 'npm' }
-  } else {
-    return undefined
-  }
-}
-
-const createKeyName = (dep, version) => {
-  return dep + '@' + version
-}
-
-const checkIfInPackageJSON = (list, dep) => {
-  return Object.keys(list).includes(dep)
-}
-
-const createChildDependencies = (lockFileDep, currentDep) => {
-  let depArray = []
-  if (lockFileDep[currentDep]?.dependencies) {
-    for (const [key, value] of Object.entries(
-      lockFileDep[currentDep]?.dependencies
-    )) {
-      depArray.push(createKeyName(key, value))
-    }
-  }
-  return depArray
-}
-
-const createNPMChildDependencies = (lockFileDep, currentDep) => {
-  let depArray = []
-  if (lockFileDep[currentDep]?.dependencies) {
-    for (const [key, value] of Object.entries(
-      lockFileDep[currentDep]?.dependencies
-    )) {
-      depArray.push(key)
-    }
-  }
-  return depArray
-}
-
-const getDepNameWithoutVersion = depKey => {
-  let dependency = depKey.split('@')
-  if (dependency.length - 1 > 1) {
-    return '@' + dependency[1]
-  }
-  return dependency[0]
-}
-
-const getNameFromGAV = depKey => {
-  let dependency = depKey.split('/')
-  if (dependency.length == 2) {
-    dependency = getDepNameWithoutVersion(dependency[1])
-    return dependency
-  }
-  if (dependency.length == 1) {
-    dependency = getDepNameWithoutVersion(depKey)
-    return dependency
-  }
-  //what should we do if there's no version? The service will fall over but do we want to throw error for only one wrong version?
-  return depKey
-}
-
-const getResolvedVersion = (depKey, packageLock) => {
-  return packageLock[depKey]?.version
-}
-
-module.exports = {
-  parseJS,
-  checkIfInPackageJSON,
-  getNameFromGAV,
-  getResolvedVersion,
-  chooseLockFile,
-  createNPMChildDependencies
-}

package/src/scaAnalysis/legacy/legacyFlow.js

@@ -1,43 +0,0 @@
-const auditController = require('../../commands/audit/auditController')
-const {
-  returnOra,
-  startSpinner,
-  succeedSpinner
-} = require('../../utils/oraWrapper')
-const i18n = require('i18n')
-const treeUpload = require('../common/treeUpload')
-const {
-  pollForSnapshotCompletion
-} = require('../../audit/languageAnalysisEngine/sendSnapshot')
-const { vulnerabilityReportV2 } = require('../../audit/report/reportingFeature')
-const { auditSave } = require('../../audit/save')
-
-const legacyFlow = async (config, messageToSend) => {
-  const startTime = performance.now()
-  if (!config.applicationId) {
-    config.applicationId = await auditController.dealWithNoAppId(config)
-  }
-
-  console.log('') //empty log for space before spinner
-  //send message to TS
-  const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
-  startSpinner(reportSpinner)
-  const snapshotResponse = await treeUpload.commonSendSnapShot(
-    messageToSend,
-    config
-  )
-
-  // poll for completion
-  await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner)
-  succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
-
-  await vulnerabilityReportV2(config, snapshotResponse.id)
-  const endTime = performance.now() - startTime
-  const scanDurationMs = endTime - startTime
-
-  console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`)
-}
-
-module.exports = {
-  legacyFlow
-}

package/src/scaAnalysis/php/analysis.js

@@ -1,78 +0,0 @@
-const fs = require('fs')
-const i18n = require('i18n')
-const _ = require('lodash')
-
-const readFile = (config, nameOfFile) => {
-  if (config.file) {
-    try {
-      return fs.readFileSync(config.file + '/' + nameOfFile, 'utf8')
-    } catch (error) {
-      console.log('Unable to find file')
-      console.log(error)
-    }
-  }
-}
-
-const parseProjectFiles = php => {
-  try {
-    // composer.json
-    php.composerJSON.dependencies = php.composerJSON.require
-    php.composerJSON.devDependencies = php.composerJSON['require-dev']
-
-    // composer.lock
-    php.lockFile = php.rawLockFileContents
-    let packages = _.keyBy(php.lockFile.packages, 'name')
-    let packagesDev = _.keyBy(php.lockFile['packages-dev'], 'name')
-    php.lockFile.dependencies = _.merge(packages, packagesDev)
-
-    const listOfTopDep = Object.keys(php.lockFile.dependencies)
-
-    Object.entries(php.lockFile.dependencies).forEach(([key, value]) => {
-      if (value.require) {
-        const listOfRequiresDep = Object.keys(value.require)
-        listOfRequiresDep.forEach(dep => {
-          if (!listOfTopDep.includes(dep)) {
-            addChildDepToLockFileAsOwnObj(php, value['require'], dep)
-          }
-        })
-      }
-
-      if (value['require-dev']) {
-        const listOfRequiresDep = Object.keys(value['require-dev'])
-        listOfRequiresDep.forEach(dep => {
-          if (!listOfTopDep.includes(dep)) {
-            addChildDepToLockFileAsOwnObj(php, value['require-dev'], dep)
-          }
-        })
-      }
-    })
-    formatParentDepToLockFile(php)
-    delete php.rawLockFileContents
-    return php
-  } catch (err) {
-    return console.log(i18n.__('phpParseComposerLock', php) + `${err.message}`) // not sure on this
-  }
-}
-
-function addChildDepToLockFileAsOwnObj(php, depObj, key) {
-  php.lockFile.dependencies[key] = { version: depObj[key] }
-}
-
-function formatParentDepToLockFile(php) {
-  for (const [key, value] of Object.entries(php.lockFile.dependencies)) {
-    let requires = {}
-    for (const [childKey, childValue] of Object.entries(value)) {
-      if (childKey === 'require' || childKey === 'require-dev') {
-        requires = _.merge(requires, childValue)
-        php.lockFile.dependencies[key].requires = requires
-        delete php.lockFile.dependencies[key].require
-        delete php.lockFile.dependencies[key]['require-dev']
-      }
-    }
-  }
-}
-
-module.exports = {
-  parseProjectFiles,
-  readFile
-}

package/src/scaAnalysis/php/index.js

@@ -1,28 +0,0 @@
-const { readFile, parseProjectFiles } = require('./analysis')
-const { createPhpTSMessage } = require('../common/formatMessage')
-const { parsePHPLockFileForScaServices } = require('./phpNewServicesMapper')
-
-const phpAnalysis = config => {
-  let analysis = readFiles(config)
-
-  if (config.legacy === false) {
-    return parsePHPLockFileForScaServices(analysis.rawLockFileContents)
-  } else {
-    const phpDep = parseProjectFiles(analysis)
-    return createPhpTSMessage(phpDep)
-  }
-}
-
-const readFiles = config => {
-  let php = {}
-
-  php.composerJSON = JSON.parse(readFile(config, 'composer.json'))
-
-  php.rawLockFileContents = JSON.parse(readFile(config, 'composer.lock'))
-
-  return php
-}
-
-module.exports = {
-  phpAnalysis: phpAnalysis
-}

package/src/scaAnalysis/php/phpNewServicesMapper.js

@@ -1,77 +0,0 @@
-const { keyBy, merge } = require('lodash')
-
-const parsePHPLockFileForScaServices = phpLockFile => {
-  const packages = keyBy(phpLockFile.packages, 'name')
-  const packagesDev = keyBy(phpLockFile['packages-dev'], 'name')
-
-  return merge(buildDepTree(packages, true), buildDepTree(packagesDev, false))
-}
-
-const buildDepTree = (packages, productionDependency) => {
-  //builds deps into flat structure
-  const dependencyTree = {}
-
-  for (const packagesKey in packages) {
-    const currentObj = packages[packagesKey]
-    const { group, name } = findGroupAndName(currentObj.name)
-
-    const key = `${group}/${name}@${currentObj.version}`
-    dependencyTree[key] = {
-      group: group,
-      name: name,
-      version: currentObj.version,
-      directDependency: true,
-      productionDependency: productionDependency,
-      dependencies: []
-    }
-
-    const mergedChildDeps = merge(
-      buildSubDepsIntoFlatStructure(currentObj.require),
-      buildSubDepsIntoFlatStructure(currentObj['require-dev'])
-    )
-
-    for (const childKey in mergedChildDeps) {
-      const { group, name } = findGroupAndName(childKey)
-      const builtKey = `${group}/${name}`
-      dependencyTree[builtKey] = mergedChildDeps[childKey]
-    }
-  }
-  return dependencyTree
-}
-
-// currently sub deps will be built into a flat structure
-// but not ingested via the new services as they do not have concrete versions
-const buildSubDepsIntoFlatStructure = childDeps => {
-  const dependencyTree = {}
-
-  for (const dep in childDeps) {
-    const version = childDeps[dep]
-    const { group, name } = findGroupAndName(dep)
-    const key = `${group}/${name}`
-    dependencyTree[key] = {
-      group: group,
-      name: name,
-      version: version,
-      directDependency: false,
-      productionDependency: false,
-      dependencies: []
-    }
-  }
-  return dependencyTree
-}
-
-const findGroupAndName = groupAndName => {
-  if (groupAndName.includes('/')) {
-    const groupName = groupAndName.split('/')
-    return { group: groupName[0], name: groupName[1] }
-  } else {
-    return { group: groupAndName, name: groupAndName }
-  }
-}
-
-module.exports = {
-  parsePHPLockFileForScaServices,
-  buildDepTree,
-  buildSubDepsIntoFlatStructure,
-  findGroupAndName
-}