@contrast/contrast 2.1.6 → 2.2.0

package/dist/cliConstants.js

@@ -343,6 +343,45 @@ const auditAdvancedOptionDefinitionsForHelp = [
             i18n.__('constantsMavenSettingsPath')
     }
 ];
+const sarifAdvancedOptionDefinitionsForHelp = [
+    ...sharedConnectionOptionDefinitions,
+    ...sharedCertOptionDefinitions
+];
+const sarifOptionDefinitions = [
+    ...sarifAdvancedOptionDefinitionsForHelp,
+    {
+        name: 'help',
+        alias: 'h',
+        type: Boolean
+    },
+    {
+        name: 'application-id',
+        description: '{bold ' +
+            i18n.__('constantsRequired') +
+            '}: ' +
+            i18n.__('constantsApplicationId')
+    },
+    {
+        name: 'metadata',
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}: ' +
+            i18n.__('constantsMetadata')
+    },
+    {
+        name: 'severity',
+        type: severity => parseSeverity(severity),
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}: ' +
+            i18n.__('constantsSarifSeverity')
+    },
+    {
+        name: 'debug',
+        alias: 'd',
+        type: Boolean
+    }
+];
 const auditOptionDefinitions = [
     ...auditAdvancedOptionDefinitionsForHelp,
     {
@@ -509,11 +548,13 @@ const mainUsageGuide = commandLineUsage([
             { name: i18n.__('configName'), summary: i18n.__('helpConfigSummary') },
             { name: i18n.__('versionName'), summary: i18n.__('helpVersionSummary') },
             { name: i18n.__('auditName'), summary: i18n.__('helpAuditSummary') },
+            { name: i18n.__('sarifName'), summary: i18n.__('helpSarifSummary') },
             { name: i18n.__('scanName'), summary: i18n.__('helpScanSummary') },
             { name: i18n.__('assessName'), summary: i18n.__('assessSummary') },
             { name: i18n.__('lambdaName'), summary: i18n.__('helpLambdaSummary') },
             { name: i18n.__('helpName'), summary: i18n.__('helpSummary') },
             { name: i18n.__('learnName'), summary: i18n.__('helpLearnSummary') },
+            { name: i18n.__('sarifName'), summary: i18n.__('sarifSummary') },
             {
                 name: i18n.__('configGenerate'),
                 summary: i18n.__('configGenerateSummary')
@@ -543,6 +584,8 @@ export const commandLineDefinitions = {
     auditOptionDefinitions,
     authOptionDefinitions,
     configOptionDefinitions,
+    sarifOptionDefinitions,
+    sarifAdvancedOptionDefinitionsForHelp,
     scanAdvancedOptionDefinitionsForHelp,
     auditAdvancedOptionDefinitionsForHelp,
     assessOptionDefinitions,

package/dist/common/baseRequest.js

@@ -108,4 +108,5 @@ export var ErrorType;
     ErrorType["VULNERABILITIES"] = "VULNERABILITIES";
     ErrorType["SCAN"] = "SCAN";
     ErrorType["TELEMETRY"] = "TELEMETRY";
+    ErrorType["SARIF"] = "SARIF";
 })(ErrorType || (ErrorType = {}));

package/dist/constants/constants.js

@@ -17,7 +17,7 @@ export const HIGH = 'HIGH';
 export const CRITICAL = 'CRITICAL';
 // App
 export const APP_NAME = 'contrast';
-const APP_VERSION = '2.1.6';
+const APP_VERSION = '2.2.0';
 export const TIMEOUT = 120000;
 export const CRITICAL_PRIORITY = 1;
 export const HIGH_PRIORITY = 2;

package/dist/constants/locales.js

@@ -52,6 +52,7 @@ export const en_locales = () => {
         failThresholdOptionErrorMessage: 'More than 0 vulnerabilities found',
         failSeverityOptionErrorMessage: ' FAIL - Results detected vulnerabilities over accepted severity level',
         constantsSeverity: 'Use with "contrast scan --fail --severity high" or "contrast audit --fail --severity high". Set the severity level to detect vulnerabilities or dependencies. Severity levels are critical, high, medium, low or note.',
+        constantsSarifSeverity: 'Set the severity level to filter the vulnerabilities included in the SARIF output. Severity levels are critical, high, medium, low or note.',
         constantsHeader: `Contrast CLI @ v${getAppVersion()}`,
         configHeader2: 'Config options',
         clearHeader: '-c, --clear',
@@ -67,6 +68,8 @@ export const en_locales = () => {
         constantsConfigUsageContents: 'view / clear the configuration',
         constantsPrerequisitesContent: 'To scan a Java binary project you will need a .jar, .war or a zip of multiple .jar or .war files for analysis\n' +
             'To scan source code you will need a .zip file containing the code for analysis',
+        constantsSarifPreRequisitesContent: 'To generate a SARIF file you will need the application-id of the application you want to generate the SARIF file for.\n' +
+            'To get the application-id, go to the Contrast UI, select the application you want to generate the SARIF file for, and copy the application-id from the URL.',
         constantsUsage: 'Usage',
         constantsUsageCommandExample: 'contrast [command] [options]',
         constantsUsageCommandInfo: 'The file argument is optional. If no file is given, Contrast will search for a .jar, .war, .exe or .zip file in the working directory.\n',
@@ -90,6 +93,7 @@ export const en_locales = () => {
         scanLabel: "adds a label to the scan - defaults to 'Started by CLI tool at current date'",
         constantsIgnoreDev: 'Excludes developer dependencies from the results. All dependencies are included by default.',
         constantsCommands: 'Commands',
+        constantsSarifOptions: 'SARIF Options',
         constantsScanOptions: 'Scan Options',
         constantsAssessOptions: 'Assess Options',
         generatorConfigOptions: 'Generate Config Options',
@@ -114,6 +118,7 @@ export const en_locales = () => {
         helpScanSummary: 'Searches for a .jar, .war, .js, or .zip file in the working directory, uploads files for analysis, and returns the results. \n[scan --help for options] Java, .NET, .NET Core, JavaScript are supported. ',
         assessSummary: 'Reports vulnerabilities found at run-time on a server or microservice using a Contrast agent. \n [assess --help for options] Java, .NET, Node, Ruby, Python, Go, PHP are supported.',
         helpLambdaSummary: 'Performs a static security scan on an AWS lambda function. [lambda --help for options] AWS Lambda - Java & Python are supported. ',
+        helpSarifSummary: 'Generates a SARIF file (contrast.sarif) for Contrast Assess and Contrast SCA results for the specified application-id.',
         helpVersionSummary: 'Displays version of Contrast CLI',
         helpConfigSummary: 'Displays stored credentials',
         helpSummary: 'Displays usage guide',
@@ -126,6 +131,7 @@ export const en_locales = () => {
         configName: 'config',
         helpName: 'help',
         learnName: 'learn',
+        sarifName: 'sarif',
         configGenerate: 'generate-config',
         helpLearnSummary: 'Launches Contrast’s Secure Code Learning Hub.',
         configGenerateSummary: 'Generates contrast configuration yaml file.',
@@ -170,6 +176,8 @@ export const en_locales = () => {
         foundDetailedVulnerabilities: chalk.bold('%s') + ' | ' + chalk.bold('%s') + ' | %s | %s | %s ',
         searchingScanFileDirectory: 'Searching for file to scan from %s...',
         searchingAuditFileDirectory: 'Searching for package manager files from %s...',
+        sarifHeader: 'Contrast SARIF CLI',
+        sarifHeaderMessage: "Use 'contrast sarif' to generate a SARIF file for the given application-id.",
         scanHeader: `Contrast Scan CLI`,
         assessHeader: `Contrast Assess CLI`,
         generateConfigHeader: `Contrast Generate Config`,

package/dist/index.js

@@ -14,6 +14,7 @@ import { processLearn } from './commands/learn/processLearn.js';
 import { sendTelemetryConfigAsConfObj } from './telemetry/telemetry.js';
 import { findCommandOnError } from './common/errorHandling.js';
 import { processAssess } from './assess/index.js';
+import { processSarif } from './sarif/generateSarif.js';
 import { logInfo } from './common/logging.js';
 import { generateYamlConfiguration } from './generateYaml/index.js';
 const config = localConfig(APP_NAME, getAppVersion());
@@ -70,15 +71,15 @@ const start = async () => {
             if (command === 'assess') {
                 return await processAssess(config, argvMain);
             }
-            if (command === 'assess') {
-                return await processAssess(config, argvMain);
-            }
             if (command === 'generate-config') {
                 return await generateYamlConfiguration(config, argvMain);
             }
             if (command === 'fingerprint') {
                 return await processFingerprint(config, argvMain);
             }
+            if (command === 'sarif') {
+                return await processSarif(config, argvMain);
+            }
             if (command === 'learn') {
                 return processLearn();
             }

package/dist/sarif/generateSarif.js

@@ -0,0 +1,27 @@
+import { getSarifConfig } from './sarifConfig.js';
+import { scaCVES } from './sarifScaClient.js';
+import { checkApplicationAccess, iastData } from './sarifIastClient.js';
+import { writeCombinedSarif } from './sarifWriter.js';
+import { logInfo } from '../common/logging.js';
+import { sarifUsageGuide } from './help.js';
+// This filename could be set by a customer
+// Defaulted to be ingested in a GH workflow
+const outputFileName = 'contrast.sarif';
+export const processSarif = async (contrastConf, argvMain) => {
+    if (argvMain.indexOf('--help') !== -1 || argvMain.indexOf('help') !== -1) {
+        printHelpMessage();
+        process.exit(0);
+    }
+    let config = await getSarifConfig(contrastConf, 'sarif', argvMain);
+    await checkApplicationAccess(config);
+    logInfo('Generating SARIF file');
+    const scaVulns = await scaCVES(config);
+    logInfo(`Found ${scaVulns.length} SCA vulnerabilities matching criteria`);
+    const iastVulns = await iastData(config);
+    logInfo(`Found ${iastVulns.length} IAST vulnerabilities matching criteria`);
+    writeCombinedSarif(iastVulns, scaVulns, outputFileName);
+    logInfo('contrast.sarif file generated successfully');
+};
+const printHelpMessage = () => {
+    logInfo(sarifUsageGuide);
+};

package/dist/sarif/help.js

@@ -0,0 +1,52 @@
+import commandLineUsage from 'command-line-usage';
+import i18n from 'i18n';
+import { commandLineDefinitions } from '../cliConstants.js';
+import { commonHelpLinks } from '../common/commonHelp.js';
+const { __ } = i18n;
+export const sarifUsageGuide = commandLineUsage([
+    {
+        header: __('constantsHeader')
+    },
+    {
+        header: __('sarifHeader'),
+        content: [__('sarifHeaderMessage')]
+    },
+    {
+        header: __('constantsPrerequisitesHeader'),
+        content: [__('constantsSarifPreRequisitesContent')]
+    },
+    {
+        header: __('constantsSarifOptions'),
+        optionList: commandLineDefinitions.sarifOptionDefinitions,
+        hide: [
+            'organization-id',
+            'api-key',
+            'authorization',
+            'host',
+            'proxy',
+            'cert',
+            'cacert',
+            'key',
+            'help',
+            'ff',
+            'cert-self-signed',
+            'debug',
+            'experimental',
+            'tags',
+            'sub-project',
+            'code',
+            'maven-settings-path',
+            'language',
+            'app-groups',
+            'branch',
+            'repo'
+        ]
+    },
+    {
+        header: __('constantsAdvancedOptions'),
+        optionList: commandLineDefinitions.sarifAdvancedOptionDefinitionsForHelp
+    },
+    commonHelpLinks()[0],
+    commonHelpLinks()[1],
+    commonHelpLinks()[2]
+]);

package/dist/sarif/sarifAssessRequests.js

@@ -0,0 +1,62 @@
+import { buildBaseRequestOptions, ErrorType } from '../common/baseRequest.js';
+import { got } from 'got';
+import { logDebug } from '../common/logging.js';
+export function getApplicationAccess(config) {
+    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
+    options.url = getApplicationUrl(config, config.applicationId, config.organizationId);
+    logDebug(config, 'url: ' + options.url);
+    return got.get(options);
+}
+const getApplicationUrl = (config, applicationId, organizationId) => {
+    return `${config.host}/Contrast/api/ng/${organizationId}/applications/${applicationId}?expand=license`;
+};
+const getAssessTraceIdsUrl = (config, offset, resultsLimit) => {
+    return `${config.host}/Contrast/api/ng/${config.organizationId}/orgtraces/filter/?offset=${offset}&limit=${resultsLimit}`;
+};
+export function getAssessTraceIds(config, offset, resultsLimit) {
+    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
+    options.url = getAssessTraceIdsUrl(config, offset, resultsLimit);
+    options.json = {
+        applicationID: config.applicationId,
+        metadataFilters: config.metadata ? config.metadata : [],
+        severities: config.severity ? [config.severity] : []
+    };
+    logDebug(config, 'url: ' + options.url);
+    return got.post(options);
+}
+const getAssessTraceDetailsUrl = (config, traceId) => {
+    return `${config.host}/Contrast/api/ng/${config.organizationId}/traces/${config.applicationId}/filter/${traceId}?expand=events,request,sink,${traceId},skip_links`;
+};
+export function getAssessTraceDetails(config, traceId) {
+    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
+    options.url = getAssessTraceDetailsUrl(config, traceId);
+    logDebug(config, 'url: ' + options.url);
+    return got.get(options);
+}
+const getAssessTraceEventsUrl = (config, traceId, eventId) => {
+    return `${config.host}/Contrast/api/ng/${config.organizationId}/traces/${traceId}/events/${eventId}/details`;
+};
+export function getAssessTraceEvents(config, traceId, eventId) {
+    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
+    options.url = getAssessTraceEventsUrl(config, traceId, eventId);
+    logDebug(config, 'url: ' + options.url);
+    return got.get(options);
+}
+const getAssessTraceRoutesUrl = (config, traceId) => {
+    return `${config.host}/Contrast/api/ng/${config.organizationId}/traces/${config.applicationId}/trace/${traceId}/routes`;
+};
+export function getAssessTraceRoutes(config, traceId) {
+    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
+    options.url = getAssessTraceRoutesUrl(config, traceId);
+    logDebug(config, 'url: ' + options.url);
+    return got.get(options);
+}
+const getAssessAgentSessionFiltersUrl = (config) => {
+    return `${config.host}/Contrast/api/ng/${config.organizationId}/metadata/session/${config.applicationId}/filters`;
+};
+export function getAssessAgentSessionFilters(config) {
+    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
+    options.url = getAssessAgentSessionFiltersUrl(config);
+    logDebug(config, 'url: ' + options.url);
+    return got.get(options);
+}

package/dist/sarif/sarifConfig.js

@@ -0,0 +1,8 @@
+import { getCommandLineArgsCustom } from '../utils/parsedCLIOptions.js';
+import { commandLineDefinitions } from '../cliConstants.js';
+import { getAuth } from '../utils/paramsUtil/paramHandler.js';
+export const getSarifConfig = async (contrastConf, command, argv) => {
+    const sarifParameters = await getCommandLineArgsCustom(contrastConf, command, argv, commandLineDefinitions.sarifOptionDefinitions);
+    const paramsAuth = getAuth(sarifParameters);
+    return { ...paramsAuth, ...sarifParameters };
+};

package/dist/sarif/sarifIastClient.js

@@ -0,0 +1,121 @@
+import { getAssessAgentSessionFilters, getAssessTraceDetails, getAssessTraceEvents, getAssessTraceIds, getAssessTraceRoutes, getApplicationAccess } from './sarifAssessRequests.js';
+import { logInfo, logDebug } from '../common/logging.js';
+import { get } from 'http';
+const resultsLimit = 50;
+let offset = 0;
+export const iastData = async (config) => {
+    if (config.metadata) {
+        const filters = await getAgentSessionFilters(config);
+        logInfo(`Found ${filters.length} available filters`);
+        if (filters.length !== 0) {
+            config = convertMetadataInput(config, filters);
+        }
+    }
+    const filteredTraceIds = await getTraceIds(config, offset, resultsLimit);
+    logInfo(`Found ${filteredTraceIds.length} traces`);
+    let completeTraces = [];
+    for (const traceId of filteredTraceIds) {
+        const traceDetails = await getTraceDetails(config, traceId);
+        const traceRoutes = await getTraceRoutes(config, traceId);
+        let eventsWithFrames = [];
+        if (traceDetails.events) {
+            logInfo(`Found ${traceDetails.events.length} events for trace ${traceId} getting further details`);
+            for (const eventSummary of traceDetails.events) {
+                const eventDetails = await getTraceEvents(config, traceId, eventSummary.eventId);
+                eventsWithFrames.push(eventDetails);
+            }
+            // Only push when we have actual events , is this right?
+            completeTraces.push({
+                trace: traceDetails,
+                events: eventsWithFrames,
+                routes: traceRoutes
+            });
+        }
+    }
+    return completeTraces;
+};
+export async function checkApplicationAccess(config) {
+    logInfo('Checking application access');
+    if (config.applicationId === undefined) {
+        logInfo('Application ID not specified - this is required for IAST vulnerability retrieval');
+    }
+    try {
+        const response = getApplicationAccess(config);
+        const json = await response.json();
+        if (json.application.license.level === 'Unlicensed') {
+            logInfo('Application is not licensed for Assess, please contact your administrator to enable Assess for this application.');
+            process.exit(1);
+        }
+    }
+    catch (e) {
+        logInfo('Error accessing application, ensure you have access to application:' +
+            config.applicationId);
+        process.exit(1);
+    }
+}
+export async function getTraceIds(config, offset, resultsLimit) {
+    let hasResults = true;
+    let pivotedData = [];
+    // Will return all traces if no severity is specified
+    while (hasResults) {
+        const response = getAssessTraceIds(config, offset, resultsLimit);
+        const responseBody = await response.json();
+        if (responseBody.traces == null) {
+            logInfo('No libraries found');
+            return pivotedData;
+        }
+        const result = responseBody.traces;
+        const traceIds = result.map(trace => {
+            return trace.uuid;
+        });
+        pivotedData = pivotedData.concat(traceIds);
+        if (result.length < resultsLimit) {
+            hasResults = false;
+        }
+        offset += resultsLimit;
+    }
+    return pivotedData;
+}
+export async function getTraceDetails(config, traceId) {
+    logInfo(`Getting trace details for ${traceId} of application ${config.applicationId}`);
+    const response = getAssessTraceDetails(config, traceId);
+    const responseBody = await response.json();
+    return responseBody.trace;
+}
+export async function getTraceEvents(config, traceId, eventId) {
+    const response = getAssessTraceEvents(config, traceId, eventId);
+    logDebug(`Getting trace events for ${eventId} of trace ${traceId}`);
+    const responseBody = await response.json();
+    return responseBody.event;
+}
+export async function getTraceRoutes(config, traceId) {
+    logInfo(`Getting trace routes for ${traceId} of application ${config.applicationId}`);
+    const response = getAssessTraceRoutes(config, traceId);
+    const responseBody = await response.json();
+    return responseBody.routes;
+}
+export async function getAgentSessionFilters(config) {
+    const response = getAssessAgentSessionFilters(config);
+    const responseBody = await response.json();
+    return responseBody.filters;
+}
+export function convertMetadataInput(config, filterLabels) {
+    // Agent session filters response returns a list of filters each containing an id and label
+    // The user input metadata will contain a label, which must be replaced by the id
+    // to then be used in the traces endpoint
+    let updatedMetadataInput = [];
+    const inputList = config.metadata.split(',');
+    const metadataInput = inputList.map(item => {
+        return { label: item.split('=')[0], values: [item.split('=')[1]] };
+    });
+    metadataInput.forEach(item => {
+        const filterLabel = filterLabels.find(f => f.label.toLowerCase() === item.label.toLowerCase());
+        if (filterLabel) {
+            item.fieldId = filterLabel.id;
+        }
+        const newValue = { fieldID: item.fieldId, values: item.values };
+        updatedMetadataInput.push(newValue);
+    });
+    config.metadata = updatedMetadataInput;
+    return config;
+}

package/dist/sarif/sarifSCARequests.js

@@ -0,0 +1,27 @@
+import { buildBaseRequestOptions, ErrorType } from '../common/baseRequest.js';
+import { got } from 'got';
+import { logDebug } from '../common/logging.js';
+const getSCAVulnsUrl = (config, offset, resultsLimit) => {
+    return `${config.host}/Contrast/api/ng/${config.organizationId}/libraries/filter?expand=skip_links,apps,quickFilters,vulns,status,usage_counts&offset=${offset}&limit=${resultsLimit}&sort=score`;
+};
+export function getSCAVulns(config, offset, resultsLimit) {
+    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
+    options.url = getSCAVulnsUrl(config, offset, resultsLimit);
+    options.json = {
+        q: '',
+        quickFilter: 'VULNERABLE',
+        apps: [config.applicationId],
+        servers: [],
+        environments: [],
+        grades: [],
+        languages: [],
+        licenses: [],
+        status: [],
+        severities: config.severity ? [config.severity] : [],
+        tags: [],
+        includeUnused: false,
+        includeUsed: false
+    };
+    logDebug(config, 'url: ' + options.url);
+    return got.post(options);
+}

package/dist/sarif/sarifScaClient.js

@@ -0,0 +1,38 @@
+import { logInfo } from '../common/logging.js';
+import { getSCAVulns } from './sarifSCARequests.js';
+const resultsLimit = 50;
+let offset = 0;
+export const scaCVES = async (config) => {
+    let hasResults = true;
+    let pivotedData = [];
+    // Will return all CVEs if no severity is specified
+    while (hasResults) {
+        const response = getSCAVulns(config, offset, resultsLimit);
+        const responseBody = await response.json();
+        if (responseBody.libraries == null) {
+            logInfo('No libraries found');
+            return pivotedData;
+        }
+        // Finds all libraries with a vulnerability of specified severity
+        const result = responseBody.libraries.flatMap(item => {
+            const { vulns } = item;
+            return vulns.flatMap(vuln => {
+                vuln.library = item;
+                return vuln;
+            });
+        });
+        // All vulns associated with the library will be returned,
+        // so we must filter by severity again
+        for (const vuln of result) {
+            if (config.severity == null ||
+                vuln.severityToUse.toLowerCase() === config.severity) {
+                pivotedData.push(vuln);
+            }
+        }
+        if (result.length < resultsLimit) {
+            hasResults = false;
+        }
+        offset += resultsLimit;
+    }
+    return pivotedData;
+};

package/dist/sarif/sarifWriter.js

@@ -0,0 +1,196 @@
+import { SarifBuilder, SarifRunBuilder, SarifResultBuilder, SarifRuleBuilder } from 'node-sarif-builder';
+import fs from 'fs';
+export const mapSeverity = contrastSeverity => {
+    switch (contrastSeverity.toLowerCase()) {
+        case 'critical':
+            return 'error';
+        case 'high':
+            return 'warning';
+        case 'medium':
+            return 'note';
+        case 'low':
+            return 'note';
+        case 'note':
+            return 'note';
+        default:
+            return 'note';
+    }
+};
+export const getFileFromTSDescription = description => {
+    const regex = /\(([^)]+):\d*\)/;
+    const match = regex.exec(description);
+    return match ? match[1] : 'NOT AVAILABLE';
+};
+export const getLineFromTSDescription = description => {
+    const regex = /\(.*:(\d*)\)/;
+    const match = regex.exec(description);
+    return match ? parseInt(match[1]) : 1;
+};
+export const getLogicalLocationFromTSDescription = description => {
+    const regex = /(.*)\([^]+:\d*\)/;
+    const match = regex.exec(description);
+    return match ? match[1] + '()' : 'NOT AVAILABLE';
+};
+export const generateIastSarifRun = traces => {
+    const sarifRunBuilderIast = new SarifRunBuilder().initSimple({
+        toolDriverName: 'contrast-assess',
+        toolDriverVersion: '1.0.0',
+        url: 'https://contrastsecurity.com' // Url of your analyzer tool
+    });
+    if (traces.length === 0) {
+        return sarifRunBuilderIast;
+    }
+    for (const trace of traces) {
+        let extractedString = null;
+        if (trace.trace.sink && trace.trace.sink.label) {
+            extractedString = getFileFromTSDescription(trace.trace.sink.label);
+        }
+        const sarifResultBuilder = new SarifResultBuilder().initSimple({
+            ruleId: trace.trace.rule_title,
+            messageText: trace.trace.title,
+            level: mapSeverity(trace.trace.severity)
+        });
+        const sarifRuleBuilder = new SarifRuleBuilder().initSimple({
+            ruleId: trace.trace.rule_title,
+            shortDescriptionText: trace.trace.title,
+            fullDescriptionText: trace.trace.title
+        });
+        sarifRunBuilderIast.addRule(sarifRuleBuilder);
+        if (extractedString) {
+            sarifResultBuilder.setLocationArtifactUri({ uri: extractedString });
+        }
+        if (trace.trace.request) {
+            sarifResultBuilder.result.webRequest = {
+                target: trace.trace.request.uri,
+                method: trace.trace.request.method,
+                protocol: trace.trace.request.protocol,
+                version: trace.trace.request.version
+            };
+        }
+        sarifResultBuilder.result.provenance = {
+            firstDetectionTimeUtc: new Date(trace.trace.discovered).toISOString(),
+            lastDetectionTimeUtc: new Date(trace.trace.last_time_seen).toISOString()
+        };
+        sarifResultBuilder.result.properties = {
+            vulnerability_id: trace.trace.uuid,
+            contrast_severity: trace.trace.severity,
+            contrast_status: trace.trace.status,
+            contrast_substatus: trace.trace.sub_status
+        };
+        // Add stack trace
+        sarifResultBuilder.result.codeFlows = [
+            {
+                threadFlows: trace.events.map(event => {
+                    return {
+                        locations: [
+                            {
+                                location: {
+                                    physicalLocation: {
+                                        artifactLocation: {
+                                            uri: getFileFromTSDescription(event.stacktraces[0].description)
+                                        },
+                                        region: {
+                                            startLine: getLineFromTSDescription(event.stacktraces[0].description)
+                                        }
+                                    },
+                                    logicalLocations: [
+                                        {
+                                            fullyQualifiedName: getLogicalLocationFromTSDescription(event.stacktraces[0].description)
+                                        }
+                                    ]
+                                },
+                                stack: {
+                                    frames: event.stacktraces
+                                        .filter(stacktrace => getFileFromTSDescription(stacktrace.description) !==
+                                        'NOT AVAILABLE')
+                                        .map(stacktrace => {
+                                        return {
+                                            location: {
+                                                physicalLocation: {
+                                                    artifactLocation: {
+                                                        uri: getFileFromTSDescription(stacktrace.description)
+                                                    },
+                                                    region: {
+                                                        startLine: getLineFromTSDescription(stacktrace.description)
+                                                    }
+                                                },
+                                                logicalLocations: [
+                                                    {
+                                                        fullyQualifiedName: getLogicalLocationFromTSDescription(stacktrace.description)
+                                                    }
+                                                ]
+                                            }
+                                        };
+                                    })
+                                }
+                            }
+                        ]
+                    };
+                }),
+                properties: {
+                    routeSignature: trace.routes[0] ? trace.routes[0].signature : ''
+                }
+            }
+        ];
+        sarifResultBuilder.result.locations = [];
+        sarifResultBuilder.result.locations.push({
+            physicalLocation: {
+                artifactLocation: {
+                    uri: getFileFromTSDescription(trace.trace.sink.label)
+                },
+                region: {
+                    startLine: getLineFromTSDescription(trace.trace.sink.label)
+                }
+            },
+            logicalLocations: [
+                {
+                    fullyQualifiedName: getLogicalLocationFromTSDescription(trace.trace.sink.label)
+                }
+            ]
+        });
+        sarifRunBuilderIast.addResult(sarifResultBuilder);
+    }
+    return sarifRunBuilderIast;
+};
+export const generateScaSarifRun = cveList => {
+    const sarifRunBuilderSca = new SarifRunBuilder().initSimple({
+        toolDriverName: 'contrast-sca',
+        toolDriverVersion: '1.0.0',
+        url: 'https://contrastsecurity.com' // Url of your analyzer tool
+    });
+    if (cveList.length === 0) {
+        return sarifRunBuilderSca;
+    }
+    for (const cve of cveList) {
+        const sarifResultBuilder = new SarifResultBuilder().initSimple({
+            ruleId: cve.name,
+            messageText: cve.description,
+            level: mapSeverity(cve.severityToUse)
+        });
+        sarifResultBuilder.setLocationArtifactUri({ uri: cve.library.file_name });
+        sarifResultBuilder.result.properties = {
+            contrast_severity: cve.severityToUse,
+            library_version: cve.library.version,
+            cvss_score: cve.cvss_3_severity_value,
+            vector: cve.cvss_3_vector
+        };
+        sarifRunBuilderSca.addResult(sarifResultBuilder);
+    }
+    return sarifRunBuilderSca;
+};
+export const writeCombinedSarif = (traces, cveList, output) => {
+    const sarifBuilder = new SarifBuilder();
+    const sarifRunBuilderIast = generateIastSarifRun(traces);
+    sarifBuilder.addRun(sarifRunBuilderIast);
+    const sarifRunBuilderSca = generateScaSarifRun(cveList);
+    sarifBuilder.addRun(sarifRunBuilderSca);
+    const sarifJsonString = sarifBuilder.buildSarifJsonString({
+        indent: true
+    }); // indent:true if you like
+    if (output) {
+        fs.writeFileSync(output, sarifJsonString);
+    }
+    else {
+        console.log(sarifJsonString);
+    }
+};

package/dist/scaAnalysis/common/scaServicesUpload.js

@@ -78,6 +78,15 @@ export const noProjectUpload = async (analysis, config, reportSpinner) => {
             doPoll = false;
             const reportRes = await scaServiceReportNoProject(config, reportID);
             const reportBody = reportRes.body;
+            for (let x in reportBody) {
+                let dateTime = new Date();
+                if (reportBody[x].vulnerabilities.length === 0) {
+                    logDebug(config, `${dateTime.toISOString()} Unable to find vulnerabilities for ${reportBody[x].groupName}:${reportBody[x].artifactName}, ${reportBody[x].version}, ${reportBody[x].hash}.  Environment: ${config.host}, OrgId: ${config.organizationId}, AppId: ${config.applicationId}`);
+                }
+                if (reportBody[x].remediationAdvice === null) {
+                    logDebug(config, `${dateTime.toISOString()} unable to find remediation advice for ${reportBody[x].groupName}:${reportBody[x].artifactName}, ${reportBody[x].version}, ${reportBody[x].hash}. Environment: ${config.host}, OrgId: ${config.organizationId}, AppId: ${config.applicationId}`);
+                }
+            }
             if (config.saveResults !== undefined) {
                 fs.writeFileSync('audit-results.json', JSON.stringify(reportBody));
             }

package/dist/scaAnalysis/java/analysis.js

@@ -7,8 +7,11 @@ import { logDebug } from '../../common/logging.js';
 import { GO, GRADLE, MAVEN, NODE, YARN } from '../../constants/constants.js';
 export const determineProjectTypeAndCwd = (files, packageManager, config) => {
     const projectData = {};
+    //clean up the path to be a folder not a file
+    projectData.cwd = config.file ? replacePathing(config) : config.file;
     if (isMaven(files, packageManager)) {
         projectData.projectType = MAVEN;
+        calculateMavenCommand(projectData);
     }
     else if (isGradle(files, packageManager)) {
         projectData.projectType = GRADLE;
@@ -46,7 +49,7 @@ const replacePathing = config => config.file
     .replace('build.gradle', '')
     .replace('build.gradle.kts', '');
 const buildMaven = (config, projectData, timeout) => {
-    let command = 'mvn';
+    let command = projectData.mvnCommand;
     let args = ['dependency:tree', '-B', '-Dscope=runtime'];
     if (config.mavenSettingsPath) {
         args.push('-s');
@@ -61,6 +64,17 @@ const buildMaven = (config, projectData, timeout) => {
     checkForErrors(cmdDepTree, config);
     return cmdDepTree.stdout.toString();
 };
+export const calculateMavenCommand = projectData => {
+    if (fs.existsSync(projectData.cwd + '/mvnw')) {
+        projectData.mvnCommand = projectData.cwd + '/mvnw';
+        if (process.platform === 'win32') {
+            projectData.mvnCommand += '.cmd';
+        }
+    }
+    else {
+        projectData.mvnCommand = 'mvn';
+    }
+};
 export function checkForErrors(cmdDepTree, config) {
     checkMavenExists(cmdDepTree, config);
     if (cmdDepTree.error || cmdDepTree.status !== 0) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "2.1.6",
+  "version": "2.2.0",
   "description": "Contrast Security's command line tool",
   "exports": "./dist/index.js",
   "type": "module",
@@ -77,14 +77,15 @@
     "js-yaml": "4.1.0",
     "lodash-es": "4.17.21",
     "log-symbols": "4.1.0",
+    "node-sarif-builder": "^3.1.0",
     "open": "8.4.2",
     "ora": "6.3.1",
+    "pkginfo": "0.4.1",
     "semver": "7.5.4",
     "string-builder": "0.1.8",
     "string-multiple-replace": "1.0.5",
     "xml2js": "0.6.1",
-    "yarn-lockfile": "1.1.1",
-    "pkginfo": "0.4.1"
+    "yarn-lockfile": "1.1.1"
   },
   "devDependencies": {
     "@babel/core": "7.21.8",
@@ -115,7 +116,7 @@
     "ts-node": "^10.9.2",
     "typescript": "5.1.6",
     "uuid": "9.0.0",
-    "vitest": "0.33.0"
+    "vitest": "1.4.0"
   },
   "resolutions": {
     "faker": "5.5.3",