@contrast/contrast 2.0.2-beta.3 → 2.0.2-beta.5

package/src/scaAnalysis/common/models/ScaReportModel.ts

@@ -1,81 +0,0 @@
-export class ScaReportModel {
-  uuid: string
-  groupName: string
-  artifactName: string
-  version: string
-  hash: string
-  fileName: string
-  libraryLanguage: string
-  vulnerable: boolean
-  privateLibrary: boolean
-  severity: string
-  releaseDate: string
-  latestVersionReleaseDate: string
-  latestVersion: string
-  versionsBehind: number
-  vulnerabilities: ScaReportVulnerabilityModel[]
-  remediationAdvice: ScaReportRemediationAdviceModel
-
-  constructor(library: any) {
-    this.uuid = library.uuid
-    this.groupName = library.groupName
-    this.artifactName = library.artifactName
-    this.version = library.version
-    this.hash = library.hash
-    this.fileName = library.fileName
-    this.libraryLanguage = library.libraryLanguage
-    this.vulnerable = library.vulnerable
-    this.privateLibrary = library.privateLibrary
-    this.severity = library.severity
-    this.releaseDate = library.releaseDate
-    this.latestVersionReleaseDate = library.latestVersionReleaseDate
-    this.latestVersion = library.latestVersion
-    this.versionsBehind = library.versionsBehind
-    this.vulnerabilities = library.vulnerabilities
-    this.remediationAdvice = library.remediationAdvice
-  }
-}
-
-export class ScaReportVulnerabilityModel {
-  name: string
-  description: string
-  cvss2Vector: string
-  severityValue: number
-  severity: string
-  cvss3Vector: string
-  cvss3SeverityValue: number
-  cvss3Severity: string
-  hasCvss3: boolean
-
-  constructor(
-    name: string,
-    description: string,
-    cvss2Vector: string,
-    severityValue: number,
-    severity: string,
-    cvss3Vector: string,
-    cvss3SeverityValue: number,
-    cvss3Severity: string,
-    hasCvss3: boolean
-  ) {
-    this.name = name
-    this.description = description
-    this.cvss2Vector = cvss2Vector
-    this.severityValue = severityValue
-    this.severity = severity
-    this.cvss3Vector = cvss3Vector
-    this.cvss3SeverityValue = cvss3SeverityValue
-    this.cvss3Severity = cvss3Severity
-    this.hasCvss3 = hasCvss3
-  }
-}
-
-export class ScaReportRemediationAdviceModel {
-  closestStableVersion: string
-  latestStableVersion: string
-
-  constructor(closestStableVersion: string, latestStableVersion: string) {
-    this.closestStableVersion = closestStableVersion
-    this.latestStableVersion = latestStableVersion
-  }
-}

package/src/scaAnalysis/common/scaParserForGoAndJava.js

@@ -1,41 +0,0 @@
-const parseDependenciesForSCAServices = dependencyTreeObject => {
-  let parsedDependencyTree = {}
-  let subDeps
-
-  for (let tree in dependencyTreeObject) {
-    let unParsedDependencyTree = dependencyTreeObject[tree]
-    for (let dependency in unParsedDependencyTree) {
-      subDeps = parseSubDependencies(unParsedDependencyTree[dependency].edges)
-
-      let parsedDependency = {
-        name: unParsedDependencyTree[dependency].artifactID,
-        group: unParsedDependencyTree[dependency].group,
-        version: unParsedDependencyTree[dependency].version,
-        directDependency: unParsedDependencyTree[dependency].type === 'direct',
-        productionDependency: true,
-        dependencies: subDeps
-      }
-      parsedDependencyTree[dependency] = parsedDependency
-    }
-  }
-  return parsedDependencyTree
-}
-
-const parseSubDependencies = dependencies => {
-  // converting:
-  // dependencies: {
-  //   'gopkg.in/check.v1@v0.0.0-2': 'gopkg.in/check.v1@v0.0.0-2'
-  // }
-  // to:
-  // dependencies: [ 'gopkg.in/check.v1@v0.0.0-2' ]
-  let subDeps = []
-  for (let x in dependencies) {
-    subDeps.push(dependencies[x])
-  }
-  return subDeps
-}
-
-module.exports = {
-  parseDependenciesForSCAServices,
-  parseSubDependencies
-}

package/src/scaAnalysis/common/scaServicesUpload.js

@@ -1,159 +0,0 @@
-const commonApi = require('../../utils/commonApi')
-const { APP_VERSION } = require('../../constants/constants')
-const requestUtils = require('../../utils/requestUtils')
-const { performance } = require('perf_hooks')
-
-const scaTreeUpload = async (analysis, config, reportSpinner) => {
-  if (config.projectId === '') {
-    console.log(
-      'We were unable to create/locate a project for this manifest, please try again or run with --debug for more information'
-    )
-    process.exit(1)
-  }
-
-  config.language = config.language === 'JAVASCRIPT' ? 'NODE' : config.language
-  const startTime = performance.now()
-  const timeout = commonApi.getTimeout(config)
-
-  const doINeedParent = config.repositoryId && config.language === 'JAVA'
-
-  const requestBody = {
-    parentPom: doINeedParent ? analysis.parentPom : null,
-    dependencyTree: doINeedParent ? analysis.dependencyTree : analysis,
-    organizationId: config.organizationId,
-    language: config.language,
-    tool: {
-      name: 'Contrast Codesec',
-      version: APP_VERSION
-    }
-  }
-
-  if (config.debug || config.verbose) {
-    console.log('requestBody', requestBody)
-  }
-
-  if (config.branch) {
-    requestBody.branchName = config.branch
-  }
-
-  const client = commonApi.getHttpClient(config)
-  const reportID = await client
-    .scaServiceIngest(requestBody, config)
-    .then(res => {
-      if (res.statusCode === 201 || res.statusCode === 200) {
-        return res.body.libraryIngestJobId
-      } else {
-        throw new Error(res.statusCode + ` error ingesting dependencies`)
-      }
-    })
-    .catch(err => {
-      throw err
-    })
-  if (config.debug) {
-    console.log(' polling report', reportID)
-  }
-
-  let keepChecking = true
-  let res
-  while (keepChecking) {
-    res = await client.scaServiceReportStatus(config, reportID).then(res => {
-      if (config.debug) {
-        console.log('scaServiceReportStatus', res.statusCode)
-        console.log(res.body)
-      }
-      if (res.body.status === 'COMPLETED') {
-        keepChecking = false
-        return client.scaServiceReport(config, reportID).then(res => {
-          const reportBody = res.body
-          return { reportBody, reportId: reportID }
-        })
-      }
-    })
-
-    if (!keepChecking) {
-      return { reportArray: res.reportBody, reportId: reportID }
-    }
-
-    commonApi.handleTimeout(startTime, timeout, reportSpinner)
-
-    await requestUtils.sleep(5000)
-  }
-
-  return { reportArray: res, reportID }
-}
-
-const noProjectUpload = async (analysis, config, reportSpinner) => {
-  config.language = config.language === 'JAVASCRIPT' ? 'NODE' : config.language
-  const startTime = performance.now()
-  const timeout = commonApi.getTimeout(config)
-  const requestBody = {
-    dependencyTree: analysis,
-    language: config.language,
-    tool: {
-      name: 'Contrast Codesec',
-      version: APP_VERSION
-    }
-  }
-
-  if (config.branch) {
-    requestBody.branchName = config.branch
-  }
-
-  const client = commonApi.getHttpClient(config)
-  const reportID = await client
-    .noProjectIdUpload(requestBody, config)
-    .then(res => {
-      if (res.statusCode === 201 || res.statusCode === 200) {
-        return res.body.libraryIngestJobId
-      } else {
-        throw new Error(
-          res.statusCode + ` error ingesting dependencies with no project id`
-        )
-      }
-    })
-    .catch(err => {
-      throw err
-    })
-
-  if (config.debug) {
-    console.log(' polling report no project', reportID)
-  }
-
-  let keepChecking = true
-  let res
-  while (keepChecking) {
-    res = await client
-      .scaServiceNoProjectIdReportStatus(config, reportID)
-      .then(res => {
-        if (config.debug) {
-          console.log('\nscaServiceReportStatus')
-          console.log(res.statusCode)
-          console.log(res.body)
-        }
-        if (res.body.status === 'COMPLETED') {
-          keepChecking = false
-          return client
-            .scaServiceReportNoProjectId(config, reportID)
-            .then(res => {
-              const reportBody = res.body
-              return { reportBody, reportId: reportID }
-            })
-        }
-      })
-
-    if (!keepChecking) {
-      return { reportArray: res.reportBody, reportId: reportID }
-    }
-
-    commonApi.handleTimeout(startTime, timeout, reportSpinner)
-
-    await requestUtils.sleep(5000)
-  }
-
-  return { reportArray: res, reportID }
-}
-
-module.exports = {
-  scaTreeUpload,
-  noProjectUpload
-}

package/src/scaAnalysis/common/treeUpload.js

@@ -1,51 +0,0 @@
-const commonApi = require('../../utils/commonApi')
-const { APP_VERSION } = require('../../constants/constants')
-
-const commonSendSnapShot = async (analysis, config) => {
-  let requestBody = {}
-  config.legacy === false
-    ? (requestBody = sendToSCAServices(config, analysis))
-    : (requestBody = {
-        appID: config.applicationId,
-        cliVersion: APP_VERSION,
-        snapshot: analysis
-      })
-
-  const client = commonApi.getHttpClient(config)
-  return client
-    .sendSnapshot(requestBody, config)
-    .then(res => {
-      if (res.statusCode === 201) {
-        return res.body
-      } else {
-        if (res.statusCode === 403) {
-          throw new Error(
-            `🛑 Contrast audit failed \nPlease check you have the right permissions and the application ${
-              config.applicationName ? config.applicationName : ''
-            } has not been archived.`.replace(/ +(?= )/g, '')
-          )
-        }
-        throw new Error(res.statusCode + ` error processing dependencies`)
-      }
-    })
-    .catch(err => {
-      throw err
-    })
-}
-
-const sendToSCAServices = (config, analysis) => {
-  return {
-    applicationId: config.applicationId,
-    dependencyTree: analysis,
-    organizationId: config.organizationId,
-    language: config.language,
-    tool: {
-      name: 'Contrast Codesec',
-      version: APP_VERSION
-    }
-  }
-}
-
-module.exports = {
-  commonSendSnapShot
-}

package/src/scaAnalysis/common/utils/reportUtilsSca.ts

@@ -1,123 +0,0 @@
-import { orderBy } from 'lodash'
-import {
-  CRITICAL_COLOUR,
-  CRITICAL_PRIORITY,
-  HIGH_COLOUR,
-  HIGH_PRIORITY,
-  LOW_COLOUR,
-  LOW_PRIORITY,
-  MEDIUM_COLOUR,
-  MEDIUM_PRIORITY,
-  NOTE_COLOUR,
-  NOTE_PRIORITY
-} from '../../../constants/constants'
-import { ReportSeverityModel } from '../../../audit/report/models/reportSeverityModel'
-import { SeverityCountModel } from '../../../audit/report/models/severityCountModel'
-import {
-  ScaReportModel,
-  ScaReportVulnerabilityModel
-} from '../models/ScaReportModel'
-
-export function findHighestSeverityCVESca(
-  cveArray: ScaReportVulnerabilityModel[]
-) {
-  const mappedToReportSeverityModels = cveArray.map(cve =>
-    findCVESeveritySca(cve)
-  )
-
-  //order and get first
-  return orderBy(mappedToReportSeverityModels, cve => cve?.priority)[0]
-}
-
-export function orderByHighestPrioritySca(
-  reportSeverityModel: ReportSeverityModel[]
-) {
-  return orderBy(reportSeverityModel, ['priority'], ['asc'])
-}
-
-export function findCVESeveritySca(
-  vulnerabilityModel: ScaReportVulnerabilityModel
-) {
-  const { name } = vulnerabilityModel
-
-  if (
-    vulnerabilityModel.cvss3Severity === 'CRITICAL' ||
-    vulnerabilityModel.severity === 'CRITICAL'
-  ) {
-    return new ReportSeverityModel(
-      'CRITICAL',
-      CRITICAL_PRIORITY,
-      CRITICAL_COLOUR,
-      name
-    )
-  } else if (
-    vulnerabilityModel.cvss3Severity === 'HIGH' ||
-    vulnerabilityModel.severity === 'HIGH'
-  ) {
-    return new ReportSeverityModel('HIGH', HIGH_PRIORITY, HIGH_COLOUR, name)
-  } else if (
-    vulnerabilityModel.cvss3Severity === 'MEDIUM' ||
-    vulnerabilityModel.severity === 'MEDIUM'
-  ) {
-    return new ReportSeverityModel(
-      'MEDIUM',
-      MEDIUM_PRIORITY,
-      MEDIUM_COLOUR,
-      name
-    )
-  } else if (
-    vulnerabilityModel.cvss3Severity === 'LOW' ||
-    vulnerabilityModel.severity === 'LOW'
-  ) {
-    return new ReportSeverityModel('LOW', LOW_PRIORITY, LOW_COLOUR, name)
-  } else if (
-    vulnerabilityModel.cvss3Severity === 'NOTE' ||
-    vulnerabilityModel.severity === 'NOTE'
-  ) {
-    return new ReportSeverityModel('NOTE', NOTE_PRIORITY, NOTE_COLOUR, name)
-  }
-}
-
-export function convertGenericToTypedReportModelSca(reportArray: any) {
-  return reportArray.map((library: any) => {
-    return new ScaReportModel(library)
-  })
-}
-
-export function severityCountAllLibrariesSca(
-  vulnerableLibraries: ScaReportModel[],
-  severityCount: SeverityCountModel
-) {
-  vulnerableLibraries.forEach(lib =>
-    severityCountAllCVEsSca(lib.vulnerabilities, severityCount)
-  )
-  return severityCount
-}
-
-export function severityCountAllCVEsSca(
-  cveArray: ScaReportVulnerabilityModel[],
-  severityCount: SeverityCountModel
-) {
-  const severityCountInner = severityCount
-  cveArray.forEach(cve => severityCountSingleCVESca(cve, severityCountInner))
-  return severityCountInner
-}
-
-export function severityCountSingleCVESca(
-  cve: ScaReportVulnerabilityModel,
-  severityCount: SeverityCountModel
-) {
-  if (cve.cvss3Severity === 'CRITICAL' || cve.severity === 'CRITICAL') {
-    severityCount.critical += 1
-  } else if (cve.cvss3Severity === 'HIGH' || cve.severity === 'HIGH') {
-    severityCount.high += 1
-  } else if (cve.cvss3Severity === 'MEDIUM' || cve.severity === 'MEDIUM') {
-    severityCount.medium += 1
-  } else if (cve.cvss3Severity === 'LOW' || cve.severity === 'LOW') {
-    severityCount.low += 1
-  } else if (cve.cvss3Severity === 'NOTE' || cve.severity === 'NOTE') {
-    severityCount.note += 1
-  }
-
-  return severityCount
-}

package/src/scaAnalysis/dotnet/analysis.js

@@ -1,72 +0,0 @@
-const fs = require('fs')
-const xml2js = require('xml2js')
-const i18n = require('i18n')
-
-const readAndParseProjectFile = projectFilePath => {
-  const projectFile = fs.readFileSync(projectFilePath)
-
-  return new xml2js.Parser({
-    explicitArray: false,
-    mergeAttrs: true
-  }).parseString(projectFile)
-}
-
-const readAndParseLockFile = lockFilePath => {
-  const lockFile = JSON.parse(fs.readFileSync(lockFilePath).toString())
-
-  let count = 0 // Used to test if some nodes are deleted
-
-  for (const dependenciesNode in lockFile.dependencies) {
-    for (const innerNode in lockFile.dependencies[dependenciesNode]) {
-      const nodeValidation = JSON.stringify(
-        lockFile.dependencies[dependenciesNode][innerNode]
-      )
-      if (nodeValidation.includes('"type":"Project"')) {
-        count += 1
-        delete lockFile.dependencies[dependenciesNode][innerNode]
-        lockFile.additionalInfo = 'dependenciesNote'
-      }
-    }
-  }
-
-  if (count > 0) {
-    const multiLevelProjectWarning = () => {
-      console.log('')
-      console.log(i18n.__('dependenciesNote'))
-    }
-    setTimeout(multiLevelProjectWarning, 7000)
-  }
-
-  return lockFile
-}
-
-const checkForCorrectFiles = languageFiles => {
-  if (!languageFiles.includes('packages.lock.json')) {
-    throw new Error(i18n.__('languageAnalysisHasNoLockFile', '.NET'))
-  }
-
-  if (!languageFiles.some(i => i.includes('.csproj'))) {
-    throw new Error(i18n.__('languageAnalysisProjectFileError', '.NET'))
-  }
-}
-
-const getDotNetDeps = (filePath, languageFiles) => {
-  checkForCorrectFiles(languageFiles)
-  const projectFileName = languageFiles.find(fileName =>
-    fileName.includes('.csproj')
-  )
-  const lockFileName = languageFiles.find(fileName =>
-    fileName.includes('.json')
-  )
-  const projectFile = readAndParseProjectFile(filePath + `/${projectFileName}`)
-  const lockFile = readAndParseLockFile(filePath + `/${lockFileName}`)
-
-  return { projectFile, lockFile }
-}
-
-module.exports = {
-  getDotNetDeps,
-  readAndParseProjectFile,
-  readAndParseLockFile,
-  checkForCorrectFiles
-}

package/src/scaAnalysis/dotnet/index.js

@@ -1,11 +0,0 @@
-const { getDotNetDeps } = require('./analysis')
-const { createDotNetTSMessage } = require('../common/formatMessage')
-
-const dotNetAnalysis = (config, languageFiles) => {
-  const dotNetDeps = getDotNetDeps(config.file, languageFiles.DOTNET)
-  return createDotNetTSMessage(dotNetDeps)
-}
-
-module.exports = {
-  dotNetAnalysis
-}

package/src/scaAnalysis/go/goAnalysis.js

@@ -1,26 +0,0 @@
-const { createGoTSMessage } = require('../common/formatMessage')
-const {
-  parseDependenciesForSCAServices
-} = require('../common/scaParserForGoAndJava')
-const goReadDepFile = require('./goReadDepFile')
-const goParseDeps = require('./goParseDeps')
-
-const goAnalysis = config => {
-  try {
-    const rawGoDependencies = goReadDepFile.getGoDependencies(config)
-    const parsedGoDependencies =
-      goParseDeps.parseGoDependencies(rawGoDependencies)
-
-    if (config.legacy === false) {
-      return parseDependenciesForSCAServices(parsedGoDependencies)
-    } else {
-      return createGoTSMessage(parsedGoDependencies)
-    }
-  } catch (e) {
-    console.log(e.message.toString())
-  }
-}
-
-module.exports = {
-  goAnalysis
-}