@contrast/contrast 2.0.2-beta.3 → 2.0.2-beta.4

package/src/scaAnalysis/javascript/scaServiceParser.js

@@ -1,151 +0,0 @@
-const parseJS = rawNode => {
-  let dependencyTree = {}
-  let combinedPackageJSONDep = {
-    ...rawNode.packageJSON?.dependencies,
-    ...rawNode.packageJSON?.devDependencies
-  }
-  let analyseLock = chooseLockFile(rawNode)
-
-  if (analyseLock.type === 'yarn') {
-    dependencyTree = yarnCreateDepTree(
-      dependencyTree,
-      combinedPackageJSONDep,
-      analyseLock.lockFile,
-      rawNode
-    )
-  }
-
-  if (analyseLock.type === 'npm') {
-    dependencyTree = npmCreateDepTree(
-      dependencyTree,
-      combinedPackageJSONDep,
-      analyseLock.lockFile,
-      rawNode
-    )
-  }
-
-  return dependencyTree
-}
-
-const npmCreateDepTree = (
-  dependencyTree,
-  combinedPackageJSONDep,
-  packageLock,
-  rawNode
-) => {
-  for (const [key, value] of Object.entries(packageLock)) {
-    dependencyTree[key] = {
-      name: key,
-      version: getResolvedVersion(key, packageLock),
-      group: null,
-      productionDependency: checkIfInPackageJSON(
-        rawNode.packageJSON.dependencies,
-        key
-      ),
-      directDependency: checkIfInPackageJSON(combinedPackageJSONDep, key),
-      dependencies: createNPMChildDependencies(packageLock, key)
-    }
-  }
-  return dependencyTree
-}
-
-const yarnCreateDepTree = (
-  dependencyTree,
-  combinedPackageJSONDep,
-  packageLock,
-  rawNode
-) => {
-  for (const [key, value] of Object.entries(packageLock)) {
-    let gav = getNameFromGAV(key)
-    let nag = getDepNameWithoutVersion(key)
-    dependencyTree[key] = {
-      name: gav,
-      version: getResolvedVersion(key, packageLock),
-      group: null,
-      productionDependency: checkIfInPackageJSON(
-        rawNode.packageJSON.dependencies,
-        nag
-      ),
-      directDependency: checkIfInPackageJSON(combinedPackageJSONDep, nag),
-      dependencies: createChildDependencies(packageLock, key)
-    }
-  }
-  return dependencyTree
-}
-
-const chooseLockFile = rawNode => {
-  if (rawNode?.yarn?.yarnLockFile !== undefined) {
-    return { lockFile: rawNode?.yarn?.yarnLockFile?.object, type: 'yarn' }
-  } else if (rawNode.npmLockFile !== undefined) {
-    return { lockFile: rawNode?.npmLockFile?.parsedPackages, type: 'npm' }
-  } else {
-    return undefined
-  }
-}
-
-const createKeyName = (dep, version) => {
-  return dep + '@' + version
-}
-
-const checkIfInPackageJSON = (list, dep) => {
-  return Object.keys(list).includes(dep)
-}
-
-const createChildDependencies = (lockFileDep, currentDep) => {
-  let depArray = []
-  if (lockFileDep[currentDep]?.dependencies) {
-    for (const [key, value] of Object.entries(
-      lockFileDep[currentDep]?.dependencies
-    )) {
-      depArray.push(createKeyName(key, value))
-    }
-  }
-  return depArray
-}
-
-const createNPMChildDependencies = (lockFileDep, currentDep) => {
-  let depArray = []
-  if (lockFileDep[currentDep]?.dependencies) {
-    for (const [key, value] of Object.entries(
-      lockFileDep[currentDep]?.dependencies
-    )) {
-      depArray.push(key)
-    }
-  }
-  return depArray
-}
-
-const getDepNameWithoutVersion = depKey => {
-  let dependency = depKey.split('@')
-  if (dependency.length - 1 > 1) {
-    return '@' + dependency[1]
-  }
-  return dependency[0]
-}
-
-const getNameFromGAV = depKey => {
-  let dependency = depKey.split('/')
-  if (dependency.length == 2) {
-    dependency = getDepNameWithoutVersion(dependency[1])
-    return dependency
-  }
-  if (dependency.length == 1) {
-    dependency = getDepNameWithoutVersion(depKey)
-    return dependency
-  }
-  //what should we do if there's no version? The service will fall over but do we want to throw error for only one wrong version?
-  return depKey
-}
-
-const getResolvedVersion = (depKey, packageLock) => {
-  return packageLock[depKey]?.version
-}
-
-module.exports = {
-  parseJS,
-  checkIfInPackageJSON,
-  getNameFromGAV,
-  getResolvedVersion,
-  chooseLockFile,
-  createNPMChildDependencies
-}

package/src/scaAnalysis/legacy/legacyFlow.js

@@ -1,43 +0,0 @@
-const auditController = require('../../commands/audit/auditController')
-const {
-  returnOra,
-  startSpinner,
-  succeedSpinner
-} = require('../../utils/oraWrapper')
-const i18n = require('i18n')
-const treeUpload = require('../common/treeUpload')
-const {
-  pollForSnapshotCompletion
-} = require('../../audit/languageAnalysisEngine/sendSnapshot')
-const { vulnerabilityReportV2 } = require('../../audit/report/reportingFeature')
-const { auditSave } = require('../../audit/save')
-
-const legacyFlow = async (config, messageToSend) => {
-  const startTime = performance.now()
-  if (!config.applicationId) {
-    config.applicationId = await auditController.dealWithNoAppId(config)
-  }
-
-  console.log('') //empty log for space before spinner
-  //send message to TS
-  const reportSpinner = returnOra(i18n.__('auditSCAAnalysisBegins'))
-  startSpinner(reportSpinner)
-  const snapshotResponse = await treeUpload.commonSendSnapShot(
-    messageToSend,
-    config
-  )
-
-  // poll for completion
-  await pollForSnapshotCompletion(config, snapshotResponse.id, reportSpinner)
-  succeedSpinner(reportSpinner, i18n.__('auditSCAAnalysisComplete'))
-
-  await vulnerabilityReportV2(config, snapshotResponse.id)
-  const endTime = performance.now() - startTime
-  const scanDurationMs = endTime - startTime
-
-  console.log(`----- completed in ${(scanDurationMs / 1000).toFixed(2)}s -----`)
-}
-
-module.exports = {
-  legacyFlow
-}

package/src/scaAnalysis/php/analysis.js

@@ -1,78 +0,0 @@
-const fs = require('fs')
-const i18n = require('i18n')
-const _ = require('lodash')
-
-const readFile = (config, nameOfFile) => {
-  if (config.file) {
-    try {
-      return fs.readFileSync(config.file + '/' + nameOfFile, 'utf8')
-    } catch (error) {
-      console.log('Unable to find file')
-      console.log(error)
-    }
-  }
-}
-
-const parseProjectFiles = php => {
-  try {
-    // composer.json
-    php.composerJSON.dependencies = php.composerJSON.require
-    php.composerJSON.devDependencies = php.composerJSON['require-dev']
-
-    // composer.lock
-    php.lockFile = php.rawLockFileContents
-    let packages = _.keyBy(php.lockFile.packages, 'name')
-    let packagesDev = _.keyBy(php.lockFile['packages-dev'], 'name')
-    php.lockFile.dependencies = _.merge(packages, packagesDev)
-
-    const listOfTopDep = Object.keys(php.lockFile.dependencies)
-
-    Object.entries(php.lockFile.dependencies).forEach(([key, value]) => {
-      if (value.require) {
-        const listOfRequiresDep = Object.keys(value.require)
-        listOfRequiresDep.forEach(dep => {
-          if (!listOfTopDep.includes(dep)) {
-            addChildDepToLockFileAsOwnObj(php, value['require'], dep)
-          }
-        })
-      }
-
-      if (value['require-dev']) {
-        const listOfRequiresDep = Object.keys(value['require-dev'])
-        listOfRequiresDep.forEach(dep => {
-          if (!listOfTopDep.includes(dep)) {
-            addChildDepToLockFileAsOwnObj(php, value['require-dev'], dep)
-          }
-        })
-      }
-    })
-    formatParentDepToLockFile(php)
-    delete php.rawLockFileContents
-    return php
-  } catch (err) {
-    return console.log(i18n.__('phpParseComposerLock', php) + `${err.message}`) // not sure on this
-  }
-}
-
-function addChildDepToLockFileAsOwnObj(php, depObj, key) {
-  php.lockFile.dependencies[key] = { version: depObj[key] }
-}
-
-function formatParentDepToLockFile(php) {
-  for (const [key, value] of Object.entries(php.lockFile.dependencies)) {
-    let requires = {}
-    for (const [childKey, childValue] of Object.entries(value)) {
-      if (childKey === 'require' || childKey === 'require-dev') {
-        requires = _.merge(requires, childValue)
-        php.lockFile.dependencies[key].requires = requires
-        delete php.lockFile.dependencies[key].require
-        delete php.lockFile.dependencies[key]['require-dev']
-      }
-    }
-  }
-}
-
-module.exports = {
-  parseProjectFiles,
-  readFile
-}

package/src/scaAnalysis/php/index.js

@@ -1,28 +0,0 @@
-const { readFile, parseProjectFiles } = require('./analysis')
-const { createPhpTSMessage } = require('../common/formatMessage')
-const { parsePHPLockFileForScaServices } = require('./phpNewServicesMapper')
-
-const phpAnalysis = config => {
-  let analysis = readFiles(config)
-
-  if (config.legacy === false) {
-    return parsePHPLockFileForScaServices(analysis.rawLockFileContents)
-  } else {
-    const phpDep = parseProjectFiles(analysis)
-    return createPhpTSMessage(phpDep)
-  }
-}
-
-const readFiles = config => {
-  let php = {}
-
-  php.composerJSON = JSON.parse(readFile(config, 'composer.json'))
-
-  php.rawLockFileContents = JSON.parse(readFile(config, 'composer.lock'))
-
-  return php
-}
-
-module.exports = {
-  phpAnalysis: phpAnalysis
-}

package/src/scaAnalysis/php/phpNewServicesMapper.js

@@ -1,77 +0,0 @@
-const { keyBy, merge } = require('lodash')
-
-const parsePHPLockFileForScaServices = phpLockFile => {
-  const packages = keyBy(phpLockFile.packages, 'name')
-  const packagesDev = keyBy(phpLockFile['packages-dev'], 'name')
-
-  return merge(buildDepTree(packages, true), buildDepTree(packagesDev, false))
-}
-
-const buildDepTree = (packages, productionDependency) => {
-  //builds deps into flat structure
-  const dependencyTree = {}
-
-  for (const packagesKey in packages) {
-    const currentObj = packages[packagesKey]
-    const { group, name } = findGroupAndName(currentObj.name)
-
-    const key = `${group}/${name}@${currentObj.version}`
-    dependencyTree[key] = {
-      group: group,
-      name: name,
-      version: currentObj.version,
-      directDependency: true,
-      productionDependency: productionDependency,
-      dependencies: []
-    }
-
-    const mergedChildDeps = merge(
-      buildSubDepsIntoFlatStructure(currentObj.require),
-      buildSubDepsIntoFlatStructure(currentObj['require-dev'])
-    )
-
-    for (const childKey in mergedChildDeps) {
-      const { group, name } = findGroupAndName(childKey)
-      const builtKey = `${group}/${name}`
-      dependencyTree[builtKey] = mergedChildDeps[childKey]
-    }
-  }
-  return dependencyTree
-}
-
-// currently sub deps will be built into a flat structure
-// but not ingested via the new services as they do not have concrete versions
-const buildSubDepsIntoFlatStructure = childDeps => {
-  const dependencyTree = {}
-
-  for (const dep in childDeps) {
-    const version = childDeps[dep]
-    const { group, name } = findGroupAndName(dep)
-    const key = `${group}/${name}`
-    dependencyTree[key] = {
-      group: group,
-      name: name,
-      version: version,
-      directDependency: false,
-      productionDependency: false,
-      dependencies: []
-    }
-  }
-  return dependencyTree
-}
-
-const findGroupAndName = groupAndName => {
-  if (groupAndName.includes('/')) {
-    const groupName = groupAndName.split('/')
-    return { group: groupName[0], name: groupName[1] }
-  } else {
-    return { group: groupAndName, name: groupAndName }
-  }
-}
-
-module.exports = {
-  parsePHPLockFileForScaServices,
-  buildDepTree,
-  buildSubDepsIntoFlatStructure,
-  findGroupAndName
-}

package/src/scaAnalysis/processServicesFlow.js

@@ -1,126 +0,0 @@
-const projectConfig = require('../commands/github/projectGroup')
-const repoService = require('../commands/github/repoServices')
-const scaServicesUpload = require('../scaAnalysis/common/scaServicesUpload')
-const { shortenFilePath } = require('../scan/fileUtils')
-
-const dealWithNoProjectId = async (analysis, config, reportSpinner) => {
-  await projectConfig.registerNewProjectGroup(config)
-  let projectId = await projectConfig.getProjectIdByOrg(config)
-  await projectConfig.registerProjectIdOnCliServices(config, projectId)
-  config.projectId = projectId
-  return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner)
-}
-
-const repoProcess = async (analysis, config, reportSpinner) => {
-  if (config.debug || config.verbose) {
-    console.log('in repository process')
-    console.log('repository id: ', config.repositoryId)
-  }
-  if (config.repositoryId === '') {
-    console.log('Failed to retrieve Repository Id')
-    process.exit(1)
-  }
-
-  let shortenedProjectName = shortenFilePath(config.fileName)
-
-  let repoInfo = await repoService.retrieveProjectInfoViaRepoId(config)
-
-  repoInfo = repoInfo.find(
-    element =>
-      config.fileName === element.path &&
-      shortenedProjectName === element.name &&
-      config.projectGroupId === element.projectGroupId
-  )
-
-  // console.log('repoInfo', repoInfo)
-
-  // if(repoInfo !== undefined) {
-  //   console.log('re-register / register first time')
-  //   const language  = repoInfo.language === 'JAVASCRIPT' ? 'NODE' : repoInfo.language
-  //   const additionalData = {
-  //     projectGroupId: repoInfo.projectGroupId,
-  //     projectGroupName: repoInfo.name,
-  //     projectLanguage: language,
-  //     projectType: 'REPOSITORY'
-  //   }
-  //
-  //   // check project exists in sca / register (just in case, it failed in the past)
-  //   await projectConfig.registerProjectIdOnCliServices(
-  //     config,
-  //     repoInfo.projectId,
-  //     additionalData
-  //   )
-  // }
-
-  if (
-    config.projectGroupId &&
-    !repoInfo?.projectId &&
-    (repoInfo === undefined || repoInfo.length === 0)
-  ) {
-    console.log(
-      '*** has projectGroupId, no projectId and repo has no project found that matches'
-    )
-    repoInfo = await projectConfig.registerProjectWithGroupProjectId(
-      config,
-      shortenedProjectName
-    )
-    console.log('new registered group', repoInfo)
-    const language =
-      repoInfo.language === 'JAVASCRIPT' ? 'NODE' : repoInfo.language
-
-    // const additionalData = {
-    //   projectGroupId: repoInfo.projectGroupId,
-    //   projectGroupName: repoInfo.name,
-    //   projectLanguage: language,
-    //   projectType: 'REPOSITORY'
-    // }
-
-    await projectConfig.registerProjectIdOnCliServices(
-      config,
-      repoInfo.projectId,
-      shortenedProjectName
-    )
-  }
-  config.projectId = repoInfo.projectId
-  return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner)
-}
-
-const trackProcess = async (analysis, config, reportSpinner) => {
-  let projectId = await projectConfig.getProjectIdByOrg(config)
-
-  if (projectId === '') {
-    return dealWithNoProjectId(analysis, config, reportSpinner)
-  }
-  config.projectId = projectId
-  // we can always register just in case but normally we exit when
-  await projectConfig.registerProjectIdOnCliServices(config, projectId)
-  return await scaServicesUpload.scaTreeUpload(analysis, config, reportSpinner)
-}
-
-const processUpload = async (analysis, config, reportSpinner) => {
-  //  if repo but no repoId -> RegisterRepo -> GroupProjectFlow THEN scaTreeUpload
-  //  if cli tracked but no projectId -> registerNewProjectGroup THEN scaTreeUpload
-  //  if cli not tracked and no projectID -> noProjectUpload
-  //  if cli not tracked and projectID -> scaTreeUpload}
-
-  if (config.repositoryId) {
-    return repoProcess(analysis, config, reportSpinner)
-  }
-
-  if (config.track) {
-    return trackProcess(analysis, config, reportSpinner)
-  }
-
-  if (!config.track) {
-    return await scaServicesUpload.noProjectUpload(
-      analysis,
-      config,
-      reportSpinner
-    )
-  }
-}
-
-module.exports = {
-  processUpload,
-  repoProcess
-}

package/src/scaAnalysis/python/analysis.js

@@ -1,93 +0,0 @@
-const multiReplace = require('string-multiple-replace')
-const fs = require('fs')
-const i18n = require('i18n')
-
-const readAndParseProjectFile = file => {
-  const filePath = filePathForWindows(file + '/Pipfile')
-  const pipFile = fs.readFileSync(filePath, 'utf8')
-
-  const matcherObj = { '"': '' }
-  const sequencer = ['"']
-  const parsedPipfile = multiReplace(pipFile, matcherObj, sequencer)
-
-  const pythonArray = parsedPipfile.split('\n')
-
-  return pythonArray.filter(element => element !== '' && !element.includes('#'))
-}
-
-const readAndParseLockFile = file => {
-  const filePath = filePathForWindows(file + '/Pipfile.lock')
-  const lockFile = fs.readFileSync(filePath, 'utf8')
-  let parsedPipLock = JSON.parse(lockFile)
-  parsedPipLock['defaults'] = parsedPipLock['default']
-  delete parsedPipLock['default']
-  return parsedPipLock
-}
-
-const readLockFile = file => {
-  const filePath = filePathForWindows(file + '/Pipfile.lock')
-  const lockFile = fs.readFileSync(filePath, 'utf8')
-  let parsedPipLock = JSON.parse(lockFile)
-  return parsedPipLock['default']
-}
-
-const scaPythonParser = pythonDependencies => {
-  let pythonParsedDeps = {}
-  for (let key in pythonDependencies) {
-    pythonParsedDeps[key] = {}
-    pythonParsedDeps[key].version = pythonDependencies[key].version.replace(
-      '==',
-      ''
-    )
-    pythonParsedDeps[key].group = null
-    pythonParsedDeps[key].name = key
-    pythonParsedDeps[key].productionDependency = true
-    pythonParsedDeps[key].dependencies = []
-    pythonParsedDeps[key].directDependency = true
-  }
-  return pythonParsedDeps
-}
-
-const checkForCorrectFiles = languageFiles => {
-  if (!languageFiles.includes('Pipfile.lock')) {
-    throw new Error(i18n.__('languageAnalysisHasNoLockFile', 'python'))
-  }
-
-  if (!languageFiles.includes('Pipfile')) {
-    throw new Error(i18n.__('languageAnalysisProjectFileError', 'python'))
-  }
-}
-
-const getPythonDeps = (config, languageFiles) => {
-  try {
-    if (config.legacy === false) {
-      let pythonLockFileContents = readLockFile(config.file)
-      return scaPythonParser(pythonLockFileContents)
-    } else {
-      checkForCorrectFiles(languageFiles)
-      const parseProject = readAndParseProjectFile(config.file)
-      const parsePip = readAndParseLockFile(config.file)
-
-      return { pipfileLock: parsePip, pipfilDependanceies: parseProject }
-    }
-  } catch (err) {
-    console.log(err.message.toString())
-    process.exit(1)
-  }
-}
-
-const filePathForWindows = path => {
-  if (process.platform === 'win32') {
-    path = path.replace(/\//g, '\\')
-  }
-  return path
-}
-
-module.exports = {
-  getPythonDeps,
-  scaPythonParser,
-  readAndParseLockFile,
-  readAndParseProjectFile,
-  checkForCorrectFiles,
-  readLockFile
-}

package/src/scaAnalysis/python/index.js

@@ -1,16 +0,0 @@
-const { createPythonTSMessage } = require('../common/formatMessage')
-const { getPythonDeps, secondaryParser } = require('./analysis')
-
-const pythonAnalysis = (config, languageFiles) => {
-  const pythonDeps = getPythonDeps(config, languageFiles.PYTHON)
-
-  if (config.legacy === false) {
-    return pythonDeps
-  } else {
-    return createPythonTSMessage(pythonDeps)
-  }
-}
-
-module.exports = {
-  pythonAnalysis
-}

package/src/scaAnalysis/repoMode/gradleParser.js

@@ -1,88 +0,0 @@
-const g2js = require('gradle-to-js/lib/parser')
-
-const readBuildGradleFile = async project => {
-  const gradleFilePath = project.cwd + '/build.gradle'
-  return await g2js.parseFile(gradleFilePath)
-}
-
-const filterGav = (groupId, artifactId, version, gradleJson) => {
-  if (groupId === '') {
-    if (artifactId.includes(':')) {
-      groupId = artifactId.split(':')[0].replace("'", '')
-    }
-  }
-
-  if (version === '') {
-    if (artifactId.includes(':')) {
-      artifactId.split(':').length > 2
-        ? (version = artifactId.split(':')[2].replace("'", ''))
-        : (version = null)
-    }
-  }
-
-  if (artifactId.split(':').length > 1) {
-    artifactId = artifactId.split(':')[1].replace("'", '')
-  }
-
-  if (version === null) {
-    version = getVersion(gradleJson, groupId)
-  }
-  return { groupId, artifactId, version }
-}
-
-const parseGradleJson = gradleJson => {
-  let deps = gradleJson.dependencies
-  let dependencyTree = {}
-
-  if (deps === undefined) {
-    console.log('Unable to find any dependencies in your project file.')
-    process.exit(0)
-  }
-
-  for (let a in deps) {
-    let dependencyType = deps[a].type
-
-    if (dependencyType === 'implementation') {
-      let groupId = deps[a].group
-      let artifactId = deps[a].name
-      let version = deps[a].version
-
-      let filteredGav = filterGav(groupId, artifactId, version, gradleJson)
-
-      let depName =
-        filteredGav.groupId +
-        '/' +
-        filteredGav.artifactId +
-        '@' +
-        filteredGav.version
-
-      let parsedDependency = {
-        name: filteredGav.artifactId,
-        group: filteredGav.groupId,
-        version: filteredGav.version,
-        directDependency: true,
-        isProduction: true,
-        dependencies: []
-      }
-      dependencyTree[depName] = parsedDependency
-    }
-  }
-  return dependencyTree
-}
-
-const getVersion = (gradleJson, dependencyWithoutVersion) => {
-  let parentVersion = gradleJson.plugins[0].version
-  let parentGroupName = gradleJson.plugins[0].id
-  if (parentGroupName === dependencyWithoutVersion) {
-    return parentVersion
-  } else {
-    return null
-  }
-}
-
-module.exports = {
-  readBuildGradleFile,
-  parseGradleJson,
-  getVersion,
-  filterGav
-}