@contrast/contrast 2.1.7 → 2.2.0

package/dist/cliConstants.js

@@ -343,6 +343,45 @@ const auditAdvancedOptionDefinitionsForHelp = [
             i18n.__('constantsMavenSettingsPath')
     }
 ];
+const sarifAdvancedOptionDefinitionsForHelp = [
+    ...sharedConnectionOptionDefinitions,
+    ...sharedCertOptionDefinitions
+];
+const sarifOptionDefinitions = [
+    ...sarifAdvancedOptionDefinitionsForHelp,
+    {
+        name: 'help',
+        alias: 'h',
+        type: Boolean
+    },
+    {
+        name: 'application-id',
+        description: '{bold ' +
+            i18n.__('constantsRequired') +
+            '}: ' +
+            i18n.__('constantsApplicationId')
+    },
+    {
+        name: 'metadata',
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}: ' +
+            i18n.__('constantsMetadata')
+    },
+    {
+        name: 'severity',
+        type: severity => parseSeverity(severity),
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}: ' +
+            i18n.__('constantsSarifSeverity')
+    },
+    {
+        name: 'debug',
+        alias: 'd',
+        type: Boolean
+    }
+];
 const auditOptionDefinitions = [
     ...auditAdvancedOptionDefinitionsForHelp,
     {
@@ -509,12 +548,13 @@ const mainUsageGuide = commandLineUsage([
             { name: i18n.__('configName'), summary: i18n.__('helpConfigSummary') },
             { name: i18n.__('versionName'), summary: i18n.__('helpVersionSummary') },
             { name: i18n.__('auditName'), summary: i18n.__('helpAuditSummary') },
+            { name: i18n.__('sarifName'), summary: i18n.__('helpSarifSummary') },
             { name: i18n.__('scanName'), summary: i18n.__('helpScanSummary') },
             { name: i18n.__('assessName'), summary: i18n.__('assessSummary') },
             { name: i18n.__('lambdaName'), summary: i18n.__('helpLambdaSummary') },
             { name: i18n.__('helpName'), summary: i18n.__('helpSummary') },
             { name: i18n.__('learnName'), summary: i18n.__('helpLearnSummary') },
-            // { name: i18n.__('sarifName'), summary: i18n.__('sarifSummary') },
+            { name: i18n.__('sarifName'), summary: i18n.__('sarifSummary') },
             {
                 name: i18n.__('configGenerate'),
                 summary: i18n.__('configGenerateSummary')
@@ -544,6 +584,8 @@ export const commandLineDefinitions = {
     auditOptionDefinitions,
     authOptionDefinitions,
     configOptionDefinitions,
+    sarifOptionDefinitions,
+    sarifAdvancedOptionDefinitionsForHelp,
     scanAdvancedOptionDefinitionsForHelp,
     auditAdvancedOptionDefinitionsForHelp,
     assessOptionDefinitions,

package/dist/constants/constants.js

@@ -17,7 +17,7 @@ export const HIGH = 'HIGH';
 export const CRITICAL = 'CRITICAL';
 // App
 export const APP_NAME = 'contrast';
-const APP_VERSION = '2.1.7';
+const APP_VERSION = '2.2.0';
 export const TIMEOUT = 120000;
 export const CRITICAL_PRIORITY = 1;
 export const HIGH_PRIORITY = 2;

package/dist/constants/locales.js

@@ -52,6 +52,7 @@ export const en_locales = () => {
         failThresholdOptionErrorMessage: 'More than 0 vulnerabilities found',
         failSeverityOptionErrorMessage: ' FAIL - Results detected vulnerabilities over accepted severity level',
         constantsSeverity: 'Use with "contrast scan --fail --severity high" or "contrast audit --fail --severity high". Set the severity level to detect vulnerabilities or dependencies. Severity levels are critical, high, medium, low or note.',
+        constantsSarifSeverity: 'Set the severity level to filter the vulnerabilities included in the SARIF output. Severity levels are critical, high, medium, low or note.',
         constantsHeader: `Contrast CLI @ v${getAppVersion()}`,
         configHeader2: 'Config options',
         clearHeader: '-c, --clear',
@@ -67,6 +68,8 @@ export const en_locales = () => {
         constantsConfigUsageContents: 'view / clear the configuration',
         constantsPrerequisitesContent: 'To scan a Java binary project you will need a .jar, .war or a zip of multiple .jar or .war files for analysis\n' +
             'To scan source code you will need a .zip file containing the code for analysis',
+        constantsSarifPreRequisitesContent: 'To generate a SARIF file you will need the application-id of the application you want to generate the SARIF file for.\n' +
+            'To get the application-id, go to the Contrast UI, select the application you want to generate the SARIF file for, and copy the application-id from the URL.',
         constantsUsage: 'Usage',
         constantsUsageCommandExample: 'contrast [command] [options]',
         constantsUsageCommandInfo: 'The file argument is optional. If no file is given, Contrast will search for a .jar, .war, .exe or .zip file in the working directory.\n',
@@ -90,6 +93,7 @@ export const en_locales = () => {
         scanLabel: "adds a label to the scan - defaults to 'Started by CLI tool at current date'",
         constantsIgnoreDev: 'Excludes developer dependencies from the results. All dependencies are included by default.',
         constantsCommands: 'Commands',
+        constantsSarifOptions: 'SARIF Options',
         constantsScanOptions: 'Scan Options',
         constantsAssessOptions: 'Assess Options',
         generatorConfigOptions: 'Generate Config Options',
@@ -114,6 +118,7 @@ export const en_locales = () => {
         helpScanSummary: 'Searches for a .jar, .war, .js, or .zip file in the working directory, uploads files for analysis, and returns the results. \n[scan --help for options] Java, .NET, .NET Core, JavaScript are supported. ',
         assessSummary: 'Reports vulnerabilities found at run-time on a server or microservice using a Contrast agent. \n [assess --help for options] Java, .NET, Node, Ruby, Python, Go, PHP are supported.',
         helpLambdaSummary: 'Performs a static security scan on an AWS lambda function. [lambda --help for options] AWS Lambda - Java & Python are supported. ',
+        helpSarifSummary: 'Generates a SARIF file (contrast.sarif) for Contrast Assess and Contrast SCA results for the specified application-id.',
         helpVersionSummary: 'Displays version of Contrast CLI',
         helpConfigSummary: 'Displays stored credentials',
         helpSummary: 'Displays usage guide',
@@ -171,6 +176,8 @@ export const en_locales = () => {
         foundDetailedVulnerabilities: chalk.bold('%s') + ' | ' + chalk.bold('%s') + ' | %s | %s | %s ',
         searchingScanFileDirectory: 'Searching for file to scan from %s...',
         searchingAuditFileDirectory: 'Searching for package manager files from %s...',
+        sarifHeader: 'Contrast SARIF CLI',
+        sarifHeaderMessage: "Use 'contrast sarif' to generate a SARIF file for the given application-id.",
         scanHeader: `Contrast Scan CLI`,
         assessHeader: `Contrast Assess CLI`,
         generateConfigHeader: `Contrast Generate Config`,

package/dist/index.js

@@ -78,7 +78,7 @@ const start = async () => {
                 return await processFingerprint(config, argvMain);
             }
             if (command === 'sarif') {
-                return processSarif(config, argvMain);
+                return await processSarif(config, argvMain);
             }
             if (command === 'learn') {
                 return processLearn();

package/dist/sarif/generateSarif.js

@@ -1,17 +1,27 @@
-import { getAuditConfig } from '../audit/auditConfig.js';
+import { getSarifConfig } from './sarifConfig.js';
 import { scaCVES } from './sarifScaClient.js';
-import { iastData } from './sarifIastClient.js';
+import { checkApplicationAccess, iastData } from './sarifIastClient.js';
 import { writeCombinedSarif } from './sarifWriter.js';
+import { logInfo } from '../common/logging.js';
+import { sarifUsageGuide } from './help.js';
 // This filename could be set by a customer
 // Defaulted to be ingested in a GH workflow
-const outputFileName = 'contrast.sarif.json';
+const outputFileName = 'contrast.sarif';
 export const processSarif = async (contrastConf, argvMain) => {
-    console.log('Generating SARIF export');
-    let config = await getAuditConfig(contrastConf, 'audit', argvMain);
+    if (argvMain.indexOf('--help') !== -1 || argvMain.indexOf('help') !== -1) {
+        printHelpMessage();
+        process.exit(0);
+    }
+    let config = await getSarifConfig(contrastConf, 'sarif', argvMain);
+    await checkApplicationAccess(config);
+    logInfo('Generating SARIF file');
     const scaVulns = await scaCVES(config);
-    console.log(`Found ${scaVulns.length} SCA vulnerabilities`);
+    logInfo(`Found ${scaVulns.length} SCA vulnerabilities matching criteria`);
     const iastVulns = await iastData(config);
-    console.log(`Found ${iastVulns.length} IAST vulnerabilities`);
+    logInfo(`Found ${iastVulns.length} IAST vulnerabilities matching criteria`);
     writeCombinedSarif(iastVulns, scaVulns, outputFileName);
-    console.log('SARIF generated');
+    logInfo('contrast.sarif file generated successfully');
+};
+const printHelpMessage = () => {
+    logInfo(sarifUsageGuide);
 };

package/dist/sarif/help.js

@@ -0,0 +1,52 @@
+import commandLineUsage from 'command-line-usage';
+import i18n from 'i18n';
+import { commandLineDefinitions } from '../cliConstants.js';
+import { commonHelpLinks } from '../common/commonHelp.js';
+const { __ } = i18n;
+export const sarifUsageGuide = commandLineUsage([
+    {
+        header: __('constantsHeader')
+    },
+    {
+        header: __('sarifHeader'),
+        content: [__('sarifHeaderMessage')]
+    },
+    {
+        header: __('constantsPrerequisitesHeader'),
+        content: [__('constantsSarifPreRequisitesContent')]
+    },
+    {
+        header: __('constantsSarifOptions'),
+        optionList: commandLineDefinitions.sarifOptionDefinitions,
+        hide: [
+            'organization-id',
+            'api-key',
+            'authorization',
+            'host',
+            'proxy',
+            'cert',
+            'cacert',
+            'key',
+            'help',
+            'ff',
+            'cert-self-signed',
+            'debug',
+            'experimental',
+            'tags',
+            'sub-project',
+            'code',
+            'maven-settings-path',
+            'language',
+            'app-groups',
+            'branch',
+            'repo'
+        ]
+    },
+    {
+        header: __('constantsAdvancedOptions'),
+        optionList: commandLineDefinitions.sarifAdvancedOptionDefinitionsForHelp
+    },
+    commonHelpLinks()[0],
+    commonHelpLinks()[1],
+    commonHelpLinks()[2]
+]);

package/dist/sarif/sarifAssessRequests.js

@@ -1,5 +1,15 @@
 import { buildBaseRequestOptions, ErrorType } from '../common/baseRequest.js';
 import { got } from 'got';
+import { logDebug } from '../common/logging.js';
+export function getApplicationAccess(config) {
+    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
+    options.url = getApplicationUrl(config, config.applicationId, config.organizationId);
+    logDebug(config, 'url: ' + options.url);
+    return got.get(options);
+}
+const getApplicationUrl = (config, applicationId, organizationId) => {
+    return `${config.host}/Contrast/api/ng/${organizationId}/applications/${applicationId}?expand=license`;
+};
 const getAssessTraceIdsUrl = (config, offset, resultsLimit) => {
     return `${config.host}/Contrast/api/ng/${config.organizationId}/orgtraces/filter/?offset=${offset}&limit=${resultsLimit}`;
 };
@@ -8,9 +18,10 @@ export function getAssessTraceIds(config, offset, resultsLimit) {
     options.url = getAssessTraceIdsUrl(config, offset, resultsLimit);
     options.json = {
         applicationID: config.applicationId,
-        // metadataFilters: sessionMetadata,
-        severities: [config.severity]
+        metadataFilters: config.metadata ? config.metadata : [],
+        severities: config.severity ? [config.severity] : []
     };
+    logDebug(config, 'url: ' + options.url);
     return got.post(options);
 }
 const getAssessTraceDetailsUrl = (config, traceId) => {
@@ -19,6 +30,7 @@ const getAssessTraceDetailsUrl = (config, traceId) => {
 export function getAssessTraceDetails(config, traceId) {
     const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
     options.url = getAssessTraceDetailsUrl(config, traceId);
+    logDebug(config, 'url: ' + options.url);
     return got.get(options);
 }
 const getAssessTraceEventsUrl = (config, traceId, eventId) => {
@@ -27,6 +39,7 @@ const getAssessTraceEventsUrl = (config, traceId, eventId) => {
 export function getAssessTraceEvents(config, traceId, eventId) {
     const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
     options.url = getAssessTraceEventsUrl(config, traceId, eventId);
+    logDebug(config, 'url: ' + options.url);
     return got.get(options);
 }
 const getAssessTraceRoutesUrl = (config, traceId) => {
@@ -35,5 +48,15 @@ const getAssessTraceRoutesUrl = (config, traceId) => {
 export function getAssessTraceRoutes(config, traceId) {
     const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
     options.url = getAssessTraceRoutesUrl(config, traceId);
+    logDebug(config, 'url: ' + options.url);
+    return got.get(options);
+}
+const getAssessAgentSessionFiltersUrl = (config) => {
+    return `${config.host}/Contrast/api/ng/${config.organizationId}/metadata/session/${config.applicationId}/filters`;
+};
+export function getAssessAgentSessionFilters(config) {
+    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
+    options.url = getAssessAgentSessionFiltersUrl(config);
+    logDebug(config, 'url: ' + options.url);
     return got.get(options);
 }

package/dist/sarif/sarifConfig.js

@@ -0,0 +1,8 @@
+import { getCommandLineArgsCustom } from '../utils/parsedCLIOptions.js';
+import { commandLineDefinitions } from '../cliConstants.js';
+import { getAuth } from '../utils/paramsUtil/paramHandler.js';
+export const getSarifConfig = async (contrastConf, command, argv) => {
+    const sarifParameters = await getCommandLineArgsCustom(contrastConf, command, argv, commandLineDefinitions.sarifOptionDefinitions);
+    const paramsAuth = getAuth(sarifParameters);
+    return { ...paramsAuth, ...sarifParameters };
+};

package/dist/sarif/sarifIastClient.js

@@ -1,36 +1,67 @@
-import { getAssessTraceDetails, getAssessTraceEvents, getAssessTraceIds, getAssessTraceRoutes } from './sarifAssessRequests.js';
+import { getAssessAgentSessionFilters, getAssessTraceDetails, getAssessTraceEvents, getAssessTraceIds, getAssessTraceRoutes, getApplicationAccess } from './sarifAssessRequests.js';
+import { logInfo, logDebug } from '../common/logging.js';
+import { get } from 'http';
 const resultsLimit = 50;
 let offset = 0;
 export const iastData = async (config) => {
+    if (config.metadata) {
+        const filters = await getAgentSessionFilters(config);
+        logInfo(`Found ${filters.length} available filters`);
+        if (filters.length !== 0) {
+            config = convertMetadataInput(config, filters);
+        }
+    }
     const filteredTraceIds = await getTraceIds(config, offset, resultsLimit);
-    console.log(`Found ${filteredTraceIds.length} traces`);
+    logInfo(`Found ${filteredTraceIds.length} traces`);
     let completeTraces = [];
     for (const traceId of filteredTraceIds) {
         const traceDetails = await getTraceDetails(config, traceId);
         const traceRoutes = await getTraceRoutes(config, traceId);
         let eventsWithFrames = [];
         if (traceDetails.events) {
+            logInfo(`Found ${traceDetails.events.length} events for trace ${traceId} getting further details`);
             for (const eventSummary of traceDetails.events) {
                 const eventDetails = await getTraceEvents(config, traceId, eventSummary.eventId);
                 eventsWithFrames.push(eventDetails);
             }
+            // Only push when we have actual events , is this right?
+            completeTraces.push({
+                trace: traceDetails,
+                events: eventsWithFrames,
+                routes: traceRoutes
+            });
         }
-        completeTraces.push({
-            trace: traceDetails,
-            events: eventsWithFrames,
-            routes: traceRoutes
-        });
     }
     return completeTraces;
 };
+export async function checkApplicationAccess(config) {
+    logInfo('Checking application access');
+    if (config.applicationId === undefined) {
+        logInfo('Application ID not specified - this is required for IAST vulnerability retrieval');
+    }
+    try {
+        const response = getApplicationAccess(config);
+        const json = await response.json();
+        if (json.application.license.level === 'Unlicensed') {
+            logInfo('Application is not licensed for Assess, please contact your administrator to enable Assess for this application.');
+            process.exit(1);
+        }
+    }
+    catch (e) {
+        logInfo('Error accessing application, ensure you have access to application:' +
+            config.applicationId);
+        process.exit(1);
+    }
+}
 export async function getTraceIds(config, offset, resultsLimit) {
     let hasResults = true;
     let pivotedData = [];
+    // Will return all traces if no severity is specified
     while (hasResults) {
         const response = getAssessTraceIds(config, offset, resultsLimit);
         const responseBody = await response.json();
         if (responseBody.traces == null) {
-            console.log('No libraries found');
+            logInfo('No libraries found');
             return pivotedData;
         }
         const result = responseBody.traces;
@@ -46,20 +77,45 @@ export async function getTraceIds(config, offset, resultsLimit) {
     return pivotedData;
 }
 export async function getTraceDetails(config, traceId) {
-    console.log(`Getting trace details for ${traceId} of application ${config.applicationId}`);
+    logInfo(`Getting trace details for ${traceId} of application ${config.applicationId}`);
     const response = getAssessTraceDetails(config, traceId);
     const responseBody = await response.json();
     return responseBody.trace;
 }
 export async function getTraceEvents(config, traceId, eventId) {
     const response = getAssessTraceEvents(config, traceId, eventId);
-    console.log(`Getting trace events for ${eventId} of trace ${traceId}`);
+    logDebug(`Getting trace events for ${eventId} of trace ${traceId}`);
     const responseBody = await response.json();
     return responseBody.event;
 }
 export async function getTraceRoutes(config, traceId) {
-    console.log(`Getting trace route for ${traceId} of application ${config.applicationId}`);
+    logInfo(`Getting trace routes for ${traceId} of application ${config.applicationId}`);
     const response = getAssessTraceRoutes(config, traceId);
     const responseBody = await response.json();
     return responseBody.routes;
 }
+export async function getAgentSessionFilters(config) {
+    const response = getAssessAgentSessionFilters(config);
+    const responseBody = await response.json();
+    return responseBody.filters;
+}
+export function convertMetadataInput(config, filterLabels) {
+    // Agent session filters response returns a list of filters each containing an id and label
+    // The user input metadata will contain a label, which must be replaced by the id
+    // to then be used in the traces endpoint
+    let updatedMetadataInput = [];
+    const inputList = config.metadata.split(',');
+    const metadataInput = inputList.map(item => {
+        return { label: item.split('=')[0], values: [item.split('=')[1]] };
+    });
+    metadataInput.forEach(item => {
+        const filterLabel = filterLabels.find(f => f.label.toLowerCase() === item.label.toLowerCase());
+        if (filterLabel) {
+            item.fieldId = filterLabel.id;
+        }
+        const newValue = { fieldID: item.fieldId, values: item.values };
+        updatedMetadataInput.push(newValue);
+    });
+    config.metadata = updatedMetadataInput;
+    return config;
+}

package/dist/sarif/sarifSCARequests.js

@@ -1,5 +1,6 @@
 import { buildBaseRequestOptions, ErrorType } from '../common/baseRequest.js';
 import { got } from 'got';
+import { logDebug } from '../common/logging.js';
 const getSCAVulnsUrl = (config, offset, resultsLimit) => {
     return `${config.host}/Contrast/api/ng/${config.organizationId}/libraries/filter?expand=skip_links,apps,quickFilters,vulns,status,usage_counts&offset=${offset}&limit=${resultsLimit}&sort=score`;
 };
@@ -16,10 +17,11 @@ export function getSCAVulns(config, offset, resultsLimit) {
         languages: [],
         licenses: [],
         status: [],
-        severities: [config.severity],
+        severities: config.severity ? [config.severity] : [],
         tags: [],
         includeUnused: false,
         includeUsed: false
     };
+    logDebug(config, 'url: ' + options.url);
     return got.post(options);
 }

package/dist/sarif/sarifScaClient.js

@@ -1,14 +1,16 @@
+import { logInfo } from '../common/logging.js';
 import { getSCAVulns } from './sarifSCARequests.js';
 const resultsLimit = 50;
 let offset = 0;
 export const scaCVES = async (config) => {
     let hasResults = true;
     let pivotedData = [];
+    // Will return all CVEs if no severity is specified
     while (hasResults) {
         const response = getSCAVulns(config, offset, resultsLimit);
         const responseBody = await response.json();
         if (responseBody.libraries == null) {
-            console.log('No libraries found');
+            logInfo('No libraries found');
             return pivotedData;
         }
         // Finds all libraries with a vulnerability of specified severity
@@ -22,7 +24,8 @@ export const scaCVES = async (config) => {
         // All vulns associated with the library will be returned,
         // so we must filter by severity again
         for (const vuln of result) {
-            if (vuln.severityToUse.toLowerCase() === config.severity) {
+            if (config.severity == null ||
+                vuln.severityToUse.toLowerCase() === config.severity) {
                 pivotedData.push(vuln);
             }
         }

package/dist/sarif/sarifWriter.js

@@ -1,4 +1,4 @@
-import { SarifBuilder, SarifRunBuilder, SarifResultBuilder } from 'node-sarif-builder';
+import { SarifBuilder, SarifRunBuilder, SarifResultBuilder, SarifRuleBuilder } from 'node-sarif-builder';
 import fs from 'fs';
 export const mapSeverity = contrastSeverity => {
     switch (contrastSeverity.toLowerCase()) {
@@ -24,7 +24,7 @@ export const getFileFromTSDescription = description => {
 export const getLineFromTSDescription = description => {
     const regex = /\(.*:(\d*)\)/;
     const match = regex.exec(description);
-    return match ? parseInt(match[1]) : 0;
+    return match ? parseInt(match[1]) : 1;
 };
 export const getLogicalLocationFromTSDescription = description => {
     const regex = /(.*)\([^]+:\d*\)/;
@@ -42,14 +42,20 @@ export const generateIastSarifRun = traces => {
     }
     for (const trace of traces) {
         let extractedString = null;
-        if (trace.sink && trace.sink.label) {
-            extractedString = getFileFromTSDescription(trace.sink.label);
+        if (trace.trace.sink && trace.trace.sink.label) {
+            extractedString = getFileFromTSDescription(trace.trace.sink.label);
         }
         const sarifResultBuilder = new SarifResultBuilder().initSimple({
             ruleId: trace.trace.rule_title,
             messageText: trace.trace.title,
             level: mapSeverity(trace.trace.severity)
         });
+        const sarifRuleBuilder = new SarifRuleBuilder().initSimple({
+            ruleId: trace.trace.rule_title,
+            shortDescriptionText: trace.trace.title,
+            fullDescriptionText: trace.trace.title
+        });
+        sarifRunBuilderIast.addRule(sarifRuleBuilder);
         if (extractedString) {
             sarifResultBuilder.setLocationArtifactUri({ uri: extractedString });
         }
@@ -78,8 +84,26 @@ export const generateIastSarifRun = traces => {
                     return {
                         locations: [
                             {
+                                location: {
+                                    physicalLocation: {
+                                        artifactLocation: {
+                                            uri: getFileFromTSDescription(event.stacktraces[0].description)
+                                        },
+                                        region: {
+                                            startLine: getLineFromTSDescription(event.stacktraces[0].description)
+                                        }
+                                    },
+                                    logicalLocations: [
+                                        {
+                                            fullyQualifiedName: getLogicalLocationFromTSDescription(event.stacktraces[0].description)
+                                        }
+                                    ]
+                                },
                                 stack: {
-                                    frames: event.stacktraces.map(stacktrace => {
+                                    frames: event.stacktraces
+                                        .filter(stacktrace => getFileFromTSDescription(stacktrace.description) !==
+                                        'NOT AVAILABLE')
+                                        .map(stacktrace => {
                                         return {
                                             location: {
                                                 physicalLocation: {
@@ -108,6 +132,22 @@ export const generateIastSarifRun = traces => {
                 }
             }
         ];
+        sarifResultBuilder.result.locations = [];
+        sarifResultBuilder.result.locations.push({
+            physicalLocation: {
+                artifactLocation: {
+                    uri: getFileFromTSDescription(trace.trace.sink.label)
+                },
+                region: {
+                    startLine: getLineFromTSDescription(trace.trace.sink.label)
+                }
+            },
+            logicalLocations: [
+                {
+                    fullyQualifiedName: getLogicalLocationFromTSDescription(trace.trace.sink.label)
+                }
+            ]
+        });
         sarifRunBuilderIast.addResult(sarifResultBuilder);
     }
     return sarifRunBuilderIast;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "2.1.7",
+  "version": "2.2.0",
   "description": "Contrast Security's command line tool",
   "exports": "./dist/index.js",
   "type": "module",
@@ -116,7 +116,7 @@
     "ts-node": "^10.9.2",
     "typescript": "5.1.6",
     "uuid": "9.0.0",
-    "vitest": "0.33.0"
+    "vitest": "1.4.0"
   },
   "resolutions": {
     "faker": "5.5.3",