npm - @contrast/contrast - Versions diffs - 2.2.0 → 2.3.1 - Mend

@contrast/contrast 2.2.0 → 2.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/dist/audit/report/models/reportListModel.js +8 -0
package/dist/audit/report/models/reportSeverityModel.js +8 -0
package/dist/cliConstants.js +7 -0
package/dist/constants/constants.js +1 -1
package/dist/constants/locales.js +1 -0
package/dist/sarif/generateSarif.js +8 -9
package/dist/sarif/sarifClient.js +33 -0
package/dist/sarif/sarifRequests.js +17 -0
package/dist/sarif/sarifWriter.js +7 -4
package/dist/scaAnalysis/common/commonReportingFunctionsSca.js +14 -6
package/dist/scaAnalysis/common/utils/reportUtilsSca.js +11 -4
package/dist/scaAnalysis/javascript/analysis.js +9 -2
package/dist/scaAnalysis/javascript/index.js +1 -6
package/dist/scaAnalysis/javascript/v3LockFileParser.js +107 -0
package/dist/scaAnalysis/scaAnalysis.js +1 -0
package/package.json +11 -11
package/dist/sarif/sarifAssessRequests.js +0 -62
package/dist/sarif/sarifIastClient.js +0 -121
package/dist/sarif/sarifSCARequests.js +0 -27
package/dist/sarif/sarifScaClient.js +0 -38

package/dist/audit/report/models/reportListModel.js CHANGED Viewed

@@ -17,4 +17,12 @@ export class ReportCompositeKey {
         this.highestSeverity = highestSeverity;
         this.numberOfSeverities = numberOfSeverities;
     }
+    toString() {
+        return `ReportCompositeKey {
+      libraryName: ${this.libraryName},
+      libraryVersion: ${this.libraryVersion},
+      highestSeverity: ${this.highestSeverity},
+      numberOfSeverities: ${this.numberOfSeverities}
+    }`;
+    }
 }

package/dist/audit/report/models/reportSeverityModel.js CHANGED Viewed

@@ -5,4 +5,12 @@ export class ReportSeverityModel {
         this.colour = colour;
         this.name = name;
     }
+    toString() {
+        return `ReportSeverityModel {
+      severity: ${this.severity},
+      priority: ${this.priority},
+      colour: ${this.colour},
+      name: ${this.name}
+    }`;
+    }
 }

package/dist/cliConstants.js CHANGED Viewed

@@ -376,6 +376,13 @@ const sarifOptionDefinitions = [
             '}: ' +
             i18n.__('constantsSarifSeverity')
     },
+    {
+        name: 'tool-type',
+        description: '{bold ' +
+            i18n.__('constantsOptional') +
+            '}: ' +
+            i18n.__('constantsToolType')
+    },
     {
         name: 'debug',
         alias: 'd',

package/dist/constants/constants.js CHANGED Viewed

@@ -17,7 +17,7 @@ export const HIGH = 'HIGH';
 export const CRITICAL = 'CRITICAL';
 // App
 export const APP_NAME = 'contrast';
-const APP_VERSION = '2.2.0';
+const APP_VERSION = '2.3.1';
 export const TIMEOUT = 120000;
 export const CRITICAL_PRIORITY = 1;
 export const HIGH_PRIORITY = 2;

package/dist/constants/locales.js CHANGED Viewed

@@ -53,6 +53,7 @@ export const en_locales = () => {
         failSeverityOptionErrorMessage: ' FAIL - Results detected vulnerabilities over accepted severity level',
         constantsSeverity: 'Use with "contrast scan --fail --severity high" or "contrast audit --fail --severity high". Set the severity level to detect vulnerabilities or dependencies. Severity levels are critical, high, medium, low or note.',
         constantsSarifSeverity: 'Set the severity level to filter the vulnerabilities included in the SARIF output. Severity levels are critical, high, medium, low or note.',
+        constantsToolType: 'The tools that are included in the generated SARIF file. Valid options are SCA or ASSESS. The default value is both.',
         constantsHeader: `Contrast CLI @ v${getAppVersion()}`,
         configHeader2: 'Config options',
         clearHeader: '-c, --clear',

package/dist/sarif/generateSarif.js CHANGED Viewed

@@ -1,9 +1,8 @@
 import { getSarifConfig } from './sarifConfig.js';
-import { scaCVES } from './sarifScaClient.js';
-import { checkApplicationAccess, iastData } from './sarifIastClient.js';
-import { writeCombinedSarif } from './sarifWriter.js';
+import { writeSarif } from './sarifWriter.js';
 import { logInfo } from '../common/logging.js';
 import { sarifUsageGuide } from './help.js';
+import { sarifVulns } from './sarifClient.js';
 // This filename could be set by a customer
 // Defaulted to be ingested in a GH workflow
 const outputFileName = 'contrast.sarif';
@@ -13,13 +12,13 @@ export const processSarif = async (contrastConf, argvMain) => {
         process.exit(0);
     }
     let config = await getSarifConfig(contrastConf, 'sarif', argvMain);
-    await checkApplicationAccess(config);
     logInfo('Generating SARIF file');
-    const scaVulns = await scaCVES(config);
-    logInfo(`Found ${scaVulns.length} SCA vulnerabilities matching criteria`);
-    const iastVulns = await iastData(config);
-    logInfo(`Found ${iastVulns.length} IAST vulnerabilities matching criteria`);
-    writeCombinedSarif(iastVulns, scaVulns, outputFileName);
+    const sarifData = await sarifVulns(config);
+    if (sarifData === '') {
+        logInfo('No SARIF data found');
+        process.exit(0);
+    }
+    writeSarif(outputFileName, sarifData);
     logInfo('contrast.sarif file generated successfully');
 };
 const printHelpMessage = () => {

package/dist/sarif/sarifClient.js ADDED Viewed

@@ -0,0 +1,33 @@
+import { getSarifVulns } from './sarifRequests.js';
+export const sarifVulns = async (config) => {
+    let severities = [];
+    if (config.severity) {
+        severities = convertSeverityInput(config.severity);
+    }
+    const response = await getSarifVulns(config, severities);
+    if (response.statusCode === 200) {
+        console.log('Retrieved SARIF data');
+        return JSON.stringify(response.body, null, 2);
+    }
+    else {
+        console.log(`Error retrieving SARIF data`);
+        return '';
+    }
+};
+export function convertSeverityInput(severity) {
+    const severities = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'NOTE'];
+    switch (severity.toUpperCase()) {
+        case 'CRITICAL':
+            return severities.slice(0, 1);
+        case 'HIGH':
+            return severities.slice(0, 2);
+        case 'MEDIUM':
+            return severities.slice(0, 3);
+        case 'LOW':
+            return severities.slice(0, 4);
+        case 'NOTE':
+            return severities;
+        default:
+            return severities;
+    }
+}

package/dist/sarif/sarifRequests.js ADDED Viewed

@@ -0,0 +1,17 @@
+import { buildBaseRequestOptions, ErrorType } from '../common/baseRequest.js';
+import { got } from 'got';
+const getSarifUrl = (config) => {
+    return `${config.host}/Contrast/api/ng/organizations/${config.organizationId}/applications/${config.applicationId}/sarif`;
+};
+export function getSarifVulns(config, severities) {
+    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
+    options.url = getSarifUrl(config);
+    options.json = {
+        metadataFilters: config.metadata ? config.metadata : [],
+        // User can specify minimum severity, if none will include all
+        severities: severities,
+        // Allow user to specify toolTypes and default as both
+        toolTypes: config.toolType ? [config.toolType] : ['SCA', 'ASSESS']
+    };
+    return got.post(options);
+}

package/dist/sarif/sarifWriter.js CHANGED Viewed

@@ -178,7 +178,7 @@ export const generateScaSarifRun = cveList => {
     }
     return sarifRunBuilderSca;
 };
-export const writeCombinedSarif = (traces, cveList, output) => {
+export const writeCombinedSarif = (traces, cveList, outputFileName) => {
     const sarifBuilder = new SarifBuilder();
     const sarifRunBuilderIast = generateIastSarifRun(traces);
     sarifBuilder.addRun(sarifRunBuilderIast);
@@ -187,10 +187,13 @@ export const writeCombinedSarif = (traces, cveList, output) => {
     const sarifJsonString = sarifBuilder.buildSarifJsonString({
         indent: true
     }); // indent:true if you like
-    if (output) {
-        fs.writeFileSync(output, sarifJsonString);
+    writeSarif(outputFileName, sarifJsonString);
+};
+export const writeSarif = (outputFileName, sarifData) => {
+    if (outputFileName) {
+        fs.writeFileSync(outputFileName, sarifData);
     }
     else {
-        console.log(sarifJsonString);
+        console.log(sarifData);
     }
 };

package/dist/scaAnalysis/common/commonReportingFunctionsSca.js CHANGED Viewed

@@ -3,12 +3,12 @@ import { countVulnerableLibrariesBySeverity } from '../../audit/report/utils/rep
 import { SeverityCountModel } from '../../audit/report/models/severityCountModel.js';
 import { orderBy } from 'lodash-es';
 import { ReportOutputModel, ReportOutputHeaderModel, ReportOutputBodyModel } from '../../audit/report/models/reportOutputModel.js';
-import { CE_URL, CRITICAL_COLOUR, HIGH_COLOUR, MEDIUM_COLOUR, LOW_COLOUR, NOTE_COLOUR } from '../../constants/constants.js';
+import { CE_URL, CRITICAL_COLOUR, HIGH_COLOUR, MEDIUM_COLOUR, LOW_COLOUR, NOTE_COLOUR, NOTE_PRIORITY } from '../../constants/constants.js';
 import Table from 'cli-table3';
 import { findHighestSeverityCVESca, severityCountAllCVEsSca, findCVESeveritySca, orderByHighestPrioritySca } from './utils/reportUtilsSca.js';
 import chalk from 'chalk';
 import { buildFormattedHeaderNum } from '../../audit/report/commonReportingFunctions.js';
-import { logInfo } from '../../common/logging.js';
+import { logDebug, logInfo } from '../../common/logging.js';
 export const createSummaryMessageTop = (numberOfVulnerableLibraries, numberOfCves) => {
     numberOfVulnerableLibraries === 1
         ? logInfo(`\n\nFound 1 vulnerable library containing ${numberOfCves} CVE`)
@@ -25,11 +25,18 @@ export const printFormattedOutputSca = (config, reportModelList, numberOfVulnera
     const report = new ReportList();
     for (const library of reportModelList) {
         const { artifactName, version, vulnerabilities, remediationAdvice } = library;
-        const newOutputModel = new ReportModelStructure(new ReportCompositeKey(artifactName, version, findHighestSeverityCVESca(vulnerabilities), severityCountAllCVEsSca(vulnerabilities, new SeverityCountModel()).getTotal), vulnerabilities, remediationAdvice);
+        const highestSeverity = findHighestSeverityCVESca(vulnerabilities, config);
+        const severityCount = severityCountAllCVEsSca(vulnerabilities, new SeverityCountModel()).getTotal;
+        if (highestSeverity.priority === undefined) {
+            highestSeverity.priority = NOTE_PRIORITY;
+            logDebug(config, `Unknown severity for vulnerability ${artifactName}`);
+        }
+        const newOutputModel = new ReportModelStructure(new ReportCompositeKey(artifactName, version, highestSeverity, severityCount), vulnerabilities, remediationAdvice);
         report.reportOutputList.push(newOutputModel);
     }
     const outputOrderedByLowestSeverityAndLowestNumOfCvesFirst = orderBy(report.reportOutputList, [
         reportListItem => {
+            logDebug(config, reportListItem.compositeKey);
             return reportListItem.compositeKey.highestSeverity.priority;
         },
         reportListItem => {
@@ -44,7 +51,7 @@ export const printFormattedOutputSca = (config, reportModelList, numberOfVulnera
         const numOfCVEs = reportModel.cveArray.length;
         const table = getReportTable();
         const header = buildHeader(highestSeverity, contrastHeaderNumCounter, libraryName, libraryVersion, numOfCVEs);
-        const body = buildBody(cveArray, remediationAdvice);
+        const body = buildBody(cveArray, remediationAdvice, config);
         const reportOutputModel = new ReportOutputModel(header, body);
         table.push(reportOutputModel.body.issueMessage, reportOutputModel.body.adviceMessage);
         logInfo(`${reportOutputModel.header.vulnMessage} ${reportOutputModel.header.introducesMessage}`);
@@ -98,8 +105,9 @@ export function buildHeader(highestSeverity, contrastHeaderNum, libraryName, ver
     const introducesMessage = `introduces ${numOfCVEs} ${vulnerabilityPluralised}`;
     return new ReportOutputHeaderModel(vulnMessage, introducesMessage);
 }
-export function buildBody(cveArray, advice) {
-    const orderedCvesWithSeverityAssigned = orderByHighestPrioritySca(cveArray.map(cve => findCVESeveritySca(cve)));
+export function buildBody(cveArray, advice, config) {
+    logDebug(config, `buildBody 204: ${JSON.stringify(cveArray)}`);
+    const orderedCvesWithSeverityAssigned = orderByHighestPrioritySca(cveArray.map(cve => findCVESeveritySca(cve, config)));
     const issueMessage = getIssueRow(orderedCvesWithSeverityAssigned);
     const adviceMessage = getAdviceRow(advice);
     return new ReportOutputBodyModel(issueMessage, adviceMessage);

package/dist/scaAnalysis/common/utils/reportUtilsSca.js CHANGED Viewed

@@ -2,16 +2,19 @@ import { orderBy } from 'lodash-es';
 import { CRITICAL_COLOUR, CRITICAL_PRIORITY, HIGH_COLOUR, HIGH_PRIORITY, LOW_COLOUR, LOW_PRIORITY, MEDIUM_COLOUR, MEDIUM_PRIORITY, NOTE_COLOUR, NOTE_PRIORITY } from '../../../constants/constants.js';
 import { ReportSeverityModel } from '../../../audit/report/models/reportSeverityModel.js';
 import { ScaReportModel } from '../models/ScaReportModel.js';
-export function findHighestSeverityCVESca(cveArray) {
-    const mappedToReportSeverityModels = cveArray.map(cve => findCVESeveritySca(cve));
-    //order and get first
+import { logDebug } from '../../../common/logging.js';
+export function findHighestSeverityCVESca(cveArray, config) {
+    logDebug(config, `\n  findHighestSeverityCVESca 25: ${JSON.stringify(cveArray)} \n`);
+    const mappedToReportSeverityModels = cveArray.map(cve => findCVESeveritySca(cve, config));
+    // order and get first
     return orderBy(mappedToReportSeverityModels, cve => cve?.priority)[0];
 }
 export function orderByHighestPrioritySca(reportSeverityModel) {
     return orderBy(reportSeverityModel, ['priority'], ['asc']);
 }
-export function findCVESeveritySca(vulnerabilityModel) {
+export function findCVESeveritySca(vulnerabilityModel, config) {
     const { name } = vulnerabilityModel;
+    logDebug(config, `\n findCVESeveritySca 44: ${JSON.stringify(vulnerabilityModel)} \n`);
     if (vulnerabilityModel.cvss3Severity === 'CRITICAL' ||
         vulnerabilityModel.severity === 'CRITICAL') {
         return new ReportSeverityModel('CRITICAL', CRITICAL_PRIORITY, CRITICAL_COLOUR, name);
@@ -32,6 +35,10 @@ export function findCVESeveritySca(vulnerabilityModel) {
         vulnerabilityModel.severity === 'NOTE') {
         return new ReportSeverityModel('NOTE', NOTE_PRIORITY, NOTE_COLOUR, name);
     }
+    else {
+        logDebug(config, `Unknown severity for vulnerability ${name} with cvss3severity of ${vulnerabilityModel.cvss3Severity} and and cvss severity of: ${vulnerabilityModel.severity}`);
+        return new ReportSeverityModel('NOTE', NOTE_PRIORITY, NOTE_COLOUR, name);
+    }
 }
 export function convertGenericToTypedReportModelSca(reportArray) {
     return reportArray.map((library) => {

package/dist/scaAnalysis/javascript/analysis.js CHANGED Viewed

@@ -3,6 +3,7 @@ import { load } from 'js-yaml';
 import i18n from 'i18n';
 import { formatKey } from '../../audit/nodeAnalysisEngine/parseYarn2LockFileContents.js';
 import yarnpkg from '@yarnpkg/lockfile';
+import { buildDependencyTreeForV3LockFile } from './v3LockFileParser.js';
 export const readFile = async (config, languageFiles, nameOfFile) => {
     const index = languageFiles.findIndex(v => v.includes(nameOfFile));
     if (config.file) {
@@ -31,7 +32,7 @@ export const readYarn = async (config, languageFiles, nameOfFile) => {
         throw new Error(i18n.__('nodeReadYarnLockFileError') + `${err.message}`);
     }
 };
-export const parseNpmLockFile = async (npmLockFile) => {
+export const parseNpmLockFile = async (npmLockFile, lockFileVersion) => {
     try {
         if (!npmLockFile.parsedPackages) {
             npmLockFile.parsedPackages = {};
@@ -42,9 +43,15 @@ export const parseNpmLockFile = async (npmLockFile) => {
                 //e.g: node_modules/@aws-amplify/datastore/node_modules/uuid --> @aws-amplify/datastore/uuid
                 packageKey = packageKey.replace(/(node_modules\/)+/g, '');
             }
+            if (lockFileVersion === 3) {
+                delete packageValue.license;
+            }
             npmLockFile.parsedPackages[packageKey] = packageValue;
         });
-        //remove base project package - unneeded
+        if (lockFileVersion === 3) {
+            buildDependencyTreeForV3LockFile(npmLockFile);
+        }
+        // remove base project package - unneeded
         delete npmLockFile.parsedPackages[''];
         return npmLockFile;
     }

package/dist/scaAnalysis/javascript/index.js CHANGED Viewed

@@ -47,12 +47,7 @@ const parseFiles = async (config, files, js) => {
             logDebug(config, message);
             throw new Error(message);
         }
-        if (currentLockFileVersion === 3 && config.legacy) {
-            const message = `NPM lockfileVersion 3 is not support with --legacy`;
-            logDebug(config, message);
-            throw new Error(message);
-        }
-        js.npmLockFile = await parseNpmLockFile(npmLockFile);
+        js.npmLockFile = await parseNpmLockFile(npmLockFile, currentLockFileVersion);
     }
     if (files.includes('yarn.lock')) {
         js = await parseYarnLockFile(js);

package/dist/scaAnalysis/javascript/v3LockFileParser.js ADDED Viewed

@@ -0,0 +1,107 @@
+export const buildDependencyTreeForV3LockFile = npmLockFile => {
+    let npmLockFileWithDepsObject = createDepTreeObject(npmLockFile);
+    const distinguishedDeps = distinguishParentAndTransitiveDependencies(npmLockFileWithDepsObject.dependencies);
+    assignChildrenToParents(distinguishedDeps.transitive, distinguishedDeps.parents, npmLockFile);
+};
+export const createDepTreeObject = npmLockFile => {
+    const parsedPackages = npmLockFile.parsedPackages;
+    let dependencies = {};
+    for (let dep in parsedPackages) {
+        dependencies[dep] = {
+            version: parsedPackages[dep].version,
+            resolved: parsedPackages[dep].resolved,
+            integrity: parsedPackages[dep].integrity,
+            ...(parsedPackages[dep].peer != null
+                ? { peer: parsedPackages[dep].peer }
+                : {}),
+            ...(parsedPackages[dep].optional != null
+                ? { optional: parsedPackages[dep].optional }
+                : {}),
+            ...(parsedPackages[dep].dev != null
+                ? { dev: parsedPackages[dep].dev }
+                : {}),
+            ...(parsedPackages[dep].dependencies != null
+                ? { requires: parsedPackages[dep].dependencies }
+                : {})
+        };
+        npmLockFile.dependencies = dependencies;
+        delete npmLockFile.dependencies[''];
+    }
+    return npmLockFile;
+};
+export const distinguishParentAndTransitiveDependencies = dependencies => {
+    let listOfParentObjects = {};
+    let listOfChildObjects = {};
+    for (let library in dependencies) {
+        let library_name = filterDependency(library.split('/'));
+        if (library_name.length === 1) {
+            Object.assign(listOfParentObjects, {
+                [library_name]: dependencies[library]
+            });
+        }
+        else {
+            if (library_name.join('/').includes('@') && library_name.length === 2) {
+                Object.assign(listOfParentObjects, {
+                    [library_name.join('/')]: dependencies[library]
+                });
+            }
+            else {
+                Object.assign(listOfChildObjects, {
+                    [library_name.join('/')]: dependencies[library]
+                });
+            }
+        }
+    }
+    return { parents: listOfParentObjects, transitive: listOfChildObjects };
+};
+export const assignChildrenToParents = (transitiveDeps, parentDeps, npmLockFile) => {
+    for (let child in transitiveDeps) {
+        let group = child.split('/');
+        let name = group.pop();
+        if (parentDeps[group.join('/')] === undefined) {
+            let additionalName = group.pop();
+            if (parentDeps[group.join('/')] !== undefined) {
+                let newName = additionalName + '/' + name;
+                addDependencyToNode(parentDeps[group.join('/')], transitiveDeps[child], newName);
+                delete transitiveDeps[child];
+            }
+            else {
+                console.log('WARNING: Unable to find parent dependency for ', child);
+                console.log('Adding as a parent dependency');
+                Object.assign(parentDeps, { [child]: transitiveDeps[child] });
+            }
+        }
+        else {
+            addDependencyToNode(parentDeps[group.join('/')], transitiveDeps[child], name);
+            delete transitiveDeps[child];
+        }
+    }
+    delete npmLockFile.dependencies;
+    npmLockFile.dependencies = parentDeps;
+    return npmLockFile;
+};
+export const filterDependency = inputString => {
+    let foundFirstInstance = false;
+    // Filter the parts to remove any item containing '@' except for the first instance
+    const filteredParts = inputString.filter(part => {
+        if (part.includes('@')) {
+            if (!foundFirstInstance) {
+                foundFirstInstance = true;
+                return true;
+            }
+            return false;
+        }
+        return true;
+    });
+    return filteredParts;
+};
+export function addDependencyToNode(baseObject, newDependency, potentialChildDeps) {
+    // Ensure the dependencies node exists
+    if (!baseObject.dependencies) {
+        baseObject.dependencies = {};
+    }
+    // Add the new dependency
+    Object.assign(baseObject.dependencies, {
+        [potentialChildDeps]: newDependency
+    });
+}

package/dist/scaAnalysis/scaAnalysis.js CHANGED Viewed

@@ -21,6 +21,7 @@ import { auditUsageGuide } from '../audit/help.js';
 import chalk from 'chalk';
 import { logDebug, logInfo } from '../common/logging.js';
 export const processSca = async (config) => {
+    logDebug(config, `audit started at ${new Date().toISOString()}`);
     let filesFound;
     if (config.help) {
         logInfo(auditUsageGuide);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "2.2.0",
+  "version": "2.3.1",
   "description": "Contrast Security's command line tool",
   "exports": "./dist/index.js",
   "type": "module",
@@ -30,15 +30,15 @@
     "build-package": "yarn build && yarn build-binary && yarn package-binary",
     "test": "export VITEST_MAX_THREADS=4 && export VITEST_MIN_THREADS=1 && vitest --dir ./tests/unit-tests/",
     "test-debug": "export VITEST_MAX_THREADS=4 && export VITEST_MIN_THREADS=1 && vitest --dir ./tests/unit-tests/ --inspect-brk",
-    "test-int": "vitest --dir ./tests/integration-tests/ --no-threads",
-    "test-int-scan": "vitest --dir ./tests/integration-tests/scan --no-threads",
-    "test-int-audit": "vitest --dir ./tests/integration-tests/audit --no-threads",
-    "test-int-scan-errors": "vitest ./tests/integration-tests/scan/scanLocalErrors.spec.js --no-threads",
-    "test-int-scan-reports": "vitest ./tests/integration-tests/scan/scanReport.spec.js --no-threads",
-    "test-int-audit-features": "vitest --dir ./tests/integration-tests/audit/auditFeatures/ --no-threads",
-    "test-int-audit-projects": "vitest ./tests/integration-tests/audit/audit-projects.spec.js --no-threads",
-    "test-int-fingerprint": "vitest ./tests/integration-tests/fingerprint/fingerprint.spec.js --no-threads",
-    "test-int-repository": "vitest ./tests/integration-tests/fingerprint/repository.spec.js --no-threads",
+    "test-int": "vitest --dir ./tests/integration-tests/ --pool=forks",
+    "test-int-scan": "vitest --dir ./tests/integration-tests/scan --pool=forks",
+    "test-int-audit": "vitest --dir ./tests/integration-tests/audit --pool=forks",
+    "test-int-scan-errors": "vitest ./tests/integration-tests/scan/scanLocalErrors.spec.js --pool=forks",
+    "test-int-scan-reports": "vitest ./tests/integration-tests/scan/scanReport.spec.js --pool=forks",
+    "test-int-audit-features": "vitest --dir ./tests/integration-tests/audit/auditFeatures/ --pool=forks",
+    "test-int-audit-projects": "vitest ./tests/integration-tests/audit/audit-projects.spec.js --pool=forks",
+    "test-int-fingerprint": "vitest ./tests/integration-tests/fingerprint/fingerprint.spec.js --pool=forks",
+    "test-int-repository": "vitest ./tests/integration-tests/fingerprint/repository.spec.js --pool=forks",
     "format": "prettier --write \"**/*.{ts,tsx,js,json,md,yml}\" .eslintrc.*",
     "check-format": "prettier --check \"**/*.{ts,tsx,js,json,md,yml,mjs,cjs}\" .eslintrc.*",
     "coverage-local": "c8 --reporter=text mocha './tests/unit-tests/**/*.spec.js'",
@@ -47,7 +47,7 @@
     "extract-licenses": "node scripts/extract-licenses",
     "lambda-dev": "npx ts-node src/index.ts lambda",
     "dev": "npx ts-node src/index.ts",
-    "proxy-tests": "vitest ./tests/integration-tests/proxy/proxy-coverage.spec.js --no-threads"
+    "proxy-tests": "vitest ./tests/integration-tests/proxy/proxy-coverage.spec.js --pool=forks"
   },
   "engines": {
     "node": ">=18.16.0"

package/dist/sarif/sarifAssessRequests.js DELETED Viewed

@@ -1,62 +0,0 @@
-import { buildBaseRequestOptions, ErrorType } from '../common/baseRequest.js';
-import { got } from 'got';
-import { logDebug } from '../common/logging.js';
-export function getApplicationAccess(config) {
-    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
-    options.url = getApplicationUrl(config, config.applicationId, config.organizationId);
-    logDebug(config, 'url: ' + options.url);
-    return got.get(options);
-}
-const getApplicationUrl = (config, applicationId, organizationId) => {
-    return `${config.host}/Contrast/api/ng/${organizationId}/applications/${applicationId}?expand=license`;
-};
-const getAssessTraceIdsUrl = (config, offset, resultsLimit) => {
-    return `${config.host}/Contrast/api/ng/${config.organizationId}/orgtraces/filter/?offset=${offset}&limit=${resultsLimit}`;
-};
-export function getAssessTraceIds(config, offset, resultsLimit) {
-    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
-    options.url = getAssessTraceIdsUrl(config, offset, resultsLimit);
-    options.json = {
-        applicationID: config.applicationId,
-        metadataFilters: config.metadata ? config.metadata : [],
-        severities: config.severity ? [config.severity] : []
-    };
-    logDebug(config, 'url: ' + options.url);
-    return got.post(options);
-}
-const getAssessTraceDetailsUrl = (config, traceId) => {
-    return `${config.host}/Contrast/api/ng/${config.organizationId}/traces/${config.applicationId}/filter/${traceId}?expand=events,request,sink,${traceId},skip_links`;
-};
-export function getAssessTraceDetails(config, traceId) {
-    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
-    options.url = getAssessTraceDetailsUrl(config, traceId);
-    logDebug(config, 'url: ' + options.url);
-    return got.get(options);
-}
-const getAssessTraceEventsUrl = (config, traceId, eventId) => {
-    return `${config.host}/Contrast/api/ng/${config.organizationId}/traces/${traceId}/events/${eventId}/details`;
-};
-export function getAssessTraceEvents(config, traceId, eventId) {
-    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
-    options.url = getAssessTraceEventsUrl(config, traceId, eventId);
-    logDebug(config, 'url: ' + options.url);
-    return got.get(options);
-}
-const getAssessTraceRoutesUrl = (config, traceId) => {
-    return `${config.host}/Contrast/api/ng/${config.organizationId}/traces/${config.applicationId}/trace/${traceId}/routes`;
-};
-export function getAssessTraceRoutes(config, traceId) {
-    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
-    options.url = getAssessTraceRoutesUrl(config, traceId);
-    logDebug(config, 'url: ' + options.url);
-    return got.get(options);
-}
-const getAssessAgentSessionFiltersUrl = (config) => {
-    return `${config.host}/Contrast/api/ng/${config.organizationId}/metadata/session/${config.applicationId}/filters`;
-};
-export function getAssessAgentSessionFilters(config) {
-    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
-    options.url = getAssessAgentSessionFiltersUrl(config);
-    logDebug(config, 'url: ' + options.url);
-    return got.get(options);
-}

package/dist/sarif/sarifIastClient.js DELETED Viewed

@@ -1,121 +0,0 @@
-import { getAssessAgentSessionFilters, getAssessTraceDetails, getAssessTraceEvents, getAssessTraceIds, getAssessTraceRoutes, getApplicationAccess } from './sarifAssessRequests.js';
-import { logInfo, logDebug } from '../common/logging.js';
-import { get } from 'http';
-const resultsLimit = 50;
-let offset = 0;
-export const iastData = async (config) => {
-    if (config.metadata) {
-        const filters = await getAgentSessionFilters(config);
-        logInfo(`Found ${filters.length} available filters`);
-        if (filters.length !== 0) {
-            config = convertMetadataInput(config, filters);
-        }
-    }
-    const filteredTraceIds = await getTraceIds(config, offset, resultsLimit);
-    logInfo(`Found ${filteredTraceIds.length} traces`);
-    let completeTraces = [];
-    for (const traceId of filteredTraceIds) {
-        const traceDetails = await getTraceDetails(config, traceId);
-        const traceRoutes = await getTraceRoutes(config, traceId);
-        let eventsWithFrames = [];
-        if (traceDetails.events) {
-            logInfo(`Found ${traceDetails.events.length} events for trace ${traceId} getting further details`);
-            for (const eventSummary of traceDetails.events) {
-                const eventDetails = await getTraceEvents(config, traceId, eventSummary.eventId);
-                eventsWithFrames.push(eventDetails);
-            }
-            // Only push when we have actual events , is this right?
-            completeTraces.push({
-                trace: traceDetails,
-                events: eventsWithFrames,
-                routes: traceRoutes
-            });
-        }
-    }
-    return completeTraces;
-};
-export async function checkApplicationAccess(config) {
-    logInfo('Checking application access');
-    if (config.applicationId === undefined) {
-        logInfo('Application ID not specified - this is required for IAST vulnerability retrieval');
-    }
-    try {
-        const response = getApplicationAccess(config);
-        const json = await response.json();
-        if (json.application.license.level === 'Unlicensed') {
-            logInfo('Application is not licensed for Assess, please contact your administrator to enable Assess for this application.');
-            process.exit(1);
-        }
-    }
-    catch (e) {
-        logInfo('Error accessing application, ensure you have access to application:' +
-            config.applicationId);
-        process.exit(1);
-    }
-}
-export async function getTraceIds(config, offset, resultsLimit) {
-    let hasResults = true;
-    let pivotedData = [];
-    // Will return all traces if no severity is specified
-    while (hasResults) {
-        const response = getAssessTraceIds(config, offset, resultsLimit);
-        const responseBody = await response.json();
-        if (responseBody.traces == null) {
-            logInfo('No libraries found');
-            return pivotedData;
-        }
-        const result = responseBody.traces;
-        const traceIds = result.map(trace => {
-            return trace.uuid;
-        });
-        pivotedData = pivotedData.concat(traceIds);
-        if (result.length < resultsLimit) {
-            hasResults = false;
-        }
-        offset += resultsLimit;
-    }
-    return pivotedData;
-}
-export async function getTraceDetails(config, traceId) {
-    logInfo(`Getting trace details for ${traceId} of application ${config.applicationId}`);
-    const response = getAssessTraceDetails(config, traceId);
-    const responseBody = await response.json();
-    return responseBody.trace;
-}
-export async function getTraceEvents(config, traceId, eventId) {
-    const response = getAssessTraceEvents(config, traceId, eventId);
-    logDebug(`Getting trace events for ${eventId} of trace ${traceId}`);
-    const responseBody = await response.json();
-    return responseBody.event;
-}
-export async function getTraceRoutes(config, traceId) {
-    logInfo(`Getting trace routes for ${traceId} of application ${config.applicationId}`);
-    const response = getAssessTraceRoutes(config, traceId);
-    const responseBody = await response.json();
-    return responseBody.routes;
-}
-export async function getAgentSessionFilters(config) {
-    const response = getAssessAgentSessionFilters(config);
-    const responseBody = await response.json();
-    return responseBody.filters;
-}
-export function convertMetadataInput(config, filterLabels) {
-    // Agent session filters response returns a list of filters each containing an id and label
-    // The user input metadata will contain a label, which must be replaced by the id
-    // to then be used in the traces endpoint
-    let updatedMetadataInput = [];
-    const inputList = config.metadata.split(',');
-    const metadataInput = inputList.map(item => {
-        return { label: item.split('=')[0], values: [item.split('=')[1]] };
-    });
-    metadataInput.forEach(item => {
-        const filterLabel = filterLabels.find(f => f.label.toLowerCase() === item.label.toLowerCase());
-        if (filterLabel) {
-            item.fieldId = filterLabel.id;
-        }
-        const newValue = { fieldID: item.fieldId, values: item.values };
-        updatedMetadataInput.push(newValue);
-    });
-    config.metadata = updatedMetadataInput;
-    return config;
-}

package/dist/sarif/sarifSCARequests.js DELETED Viewed

@@ -1,27 +0,0 @@
-import { buildBaseRequestOptions, ErrorType } from '../common/baseRequest.js';
-import { got } from 'got';
-import { logDebug } from '../common/logging.js';
-const getSCAVulnsUrl = (config, offset, resultsLimit) => {
-    return `${config.host}/Contrast/api/ng/${config.organizationId}/libraries/filter?expand=skip_links,apps,quickFilters,vulns,status,usage_counts&offset=${offset}&limit=${resultsLimit}&sort=score`;
-};
-export function getSCAVulns(config, offset, resultsLimit) {
-    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
-    options.url = getSCAVulnsUrl(config, offset, resultsLimit);
-    options.json = {
-        q: '',
-        quickFilter: 'VULNERABLE',
-        apps: [config.applicationId],
-        servers: [],
-        environments: [],
-        grades: [],
-        languages: [],
-        licenses: [],
-        status: [],
-        severities: config.severity ? [config.severity] : [],
-        tags: [],
-        includeUnused: false,
-        includeUsed: false
-    };
-    logDebug(config, 'url: ' + options.url);
-    return got.post(options);
-}

package/dist/sarif/sarifScaClient.js DELETED Viewed

@@ -1,38 +0,0 @@
-import { logInfo } from '../common/logging.js';
-import { getSCAVulns } from './sarifSCARequests.js';
-const resultsLimit = 50;
-let offset = 0;
-export const scaCVES = async (config) => {
-    let hasResults = true;
-    let pivotedData = [];
-    // Will return all CVEs if no severity is specified
-    while (hasResults) {
-        const response = getSCAVulns(config, offset, resultsLimit);
-        const responseBody = await response.json();
-        if (responseBody.libraries == null) {
-            logInfo('No libraries found');
-            return pivotedData;
-        }
-        // Finds all libraries with a vulnerability of specified severity
-        const result = responseBody.libraries.flatMap(item => {
-            const { vulns } = item;
-            return vulns.flatMap(vuln => {
-                vuln.library = item;
-                return vuln;
-            });
-        });
-        // All vulns associated with the library will be returned,
-        // so we must filter by severity again
-        for (const vuln of result) {
-            if (config.severity == null ||
-                vuln.severityToUse.toLowerCase() === config.severity) {
-                pivotedData.push(vuln);
-            }
-        }
-        if (result.length < resultsLimit) {
-            hasResults = false;
-        }
-        offset += resultsLimit;
-    }
-    return pivotedData;
-};