@contrast/contrast 2.3.0 → 2.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/audit/report/models/reportListModel.js +8 -0
- package/dist/audit/report/models/reportSeverityModel.js +8 -0
- package/dist/constants/constants.js +1 -1
- package/dist/constants/locales.js +1 -0
- package/dist/scaAnalysis/common/commonReportingFunctionsSca.js +11 -3
- package/dist/scaAnalysis/common/utils/reportUtilsSca.js +2 -0
- package/dist/scaAnalysis/scaAnalysis.js +1 -0
- package/package.json +1 -1
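--- a/package/dist/audit/report/models/reportListModel.js
+++ b/package/dist/audit/report/models/reportListModel.js
@@ -17,4 +17,12 @@ export class ReportCompositeKey {
 this.highestSeverity = highestSeverity;
 this.numberOfSeverities = numberOfSeverities;
 }
+toString() {
+return `ReportCompositeKey {
+libraryName: ${this.libraryName},
+libraryVersion: ${this.libraryVersion},
+highestSeverity: ${this.highestSeverity},
+numberOfSeverities: ${this.numberOfSeverities}
+}`;
+}
 }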
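Review bot: `toString()` interpolates `this.highestSeverity`, which at the construction site in printFormattedOutputSca is the object returned by findHighestSeverityCVESca, so the rendered text is `[object Object]` unless that class defines its own `toString`; the diffstat's +8 in reportSeverityModel.js presumably adds one, but this hunk alone does not show it. The method appears to exist for the new `logDebug(config, reportListItem.compositeKey)` call rather than for user-facing output, which is worth stating so nobody later tightens the format for display; a one-line JSDoc such as `/** Multi-line rendering for debug logging only; highestSeverity is rendered via its own toString. */` would do. The constructor this hunk closes starts outside the hunk.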
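--- a/package/dist/constants/constants.js
+++ b/package/dist/constants/constants.js
@@ -17,7 +17,7 @@ export const HIGH = 'HIGH';
 export const CRITICAL = 'CRITICAL';
 // App
 export const APP_NAME = 'contrast';
-const APP_VERSION = '2.3.
+const APP_VERSION = '2.3.1';
 export const TIMEOUT = 120000;
 export const CRITICAL_PRIORITY = 1;
 export const HIGH_PRIORITY = 2;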
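--- a/package/dist/constants/locales.js
+++ b/package/dist/constants/locales.js
@@ -53,6 +53,7 @@ export const en_locales = () => {
 failSeverityOptionErrorMessage: ' FAIL - Results detected vulnerabilities over accepted severity level',
 constantsSeverity: 'Use with "contrast scan --fail --severity high" or "contrast audit --fail --severity high". Set the severity level to detect vulnerabilities or dependencies. Severity levels are critical, high, medium, low or note.',
 constantsSarifSeverity: 'Set the severity level to filter the vulnerabilities included in the SARIF output. Severity levels are critical, high, medium, low or note.',
+constantsToolType: 'The tools that are included in the generated SARIF file. Valid options are SCA or ASSESS. The default value is both.',
 constantsHeader: `Contrast CLI @ v${getAppVersion()}`,
 configHeader2: 'Config options',
 clearHeader: '-c, --clear',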
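--- a/package/dist/scaAnalysis/common/commonReportingFunctionsSca.js
+++ b/package/dist/scaAnalysis/common/commonReportingFunctionsSca.js
@@ -3,12 +3,12 @@ import { countVulnerableLibrariesBySeverity } from '../../audit/report/utils/rep
 import { SeverityCountModel } from '../../audit/report/models/severityCountModel.js';
 import { orderBy } from 'lodash-es';
 import { ReportOutputModel, ReportOutputHeaderModel, ReportOutputBodyModel } from '../../audit/report/models/reportOutputModel.js';
-import { CE_URL, CRITICAL_COLOUR, HIGH_COLOUR, MEDIUM_COLOUR, LOW_COLOUR, NOTE_COLOUR } from '../../constants/constants.js';
+import { CE_URL, CRITICAL_COLOUR, HIGH_COLOUR, MEDIUM_COLOUR, LOW_COLOUR, NOTE_COLOUR, NOTE_PRIORITY } from '../../constants/constants.js';
 import Table from 'cli-table3';
 import { findHighestSeverityCVESca, severityCountAllCVEsSca, findCVESeveritySca, orderByHighestPrioritySca } from './utils/reportUtilsSca.js';
 import chalk from 'chalk';
 import { buildFormattedHeaderNum } from '../../audit/report/commonReportingFunctions.js';
-import { logInfo } from '../../common/logging.js';
+import { logDebug, logInfo } from '../../common/logging.js';
 export const createSummaryMessageTop = (numberOfVulnerableLibraries, numberOfCves) => {
 numberOfVulnerableLibraries === 1
 ? logInfo(`\n\nFound 1 vulnerable library containing ${numberOfCves} CVE`)
@@ -25,11 +25,18 @@ export const printFormattedOutputSca = (config, reportModelList, numberOfVulnera
 const report = new ReportList();
 for (const library of reportModelList) {
 const { artifactName, version, vulnerabilities, remediationAdvice } = library;
-const
+const highestSeverity = findHighestSeverityCVESca(vulnerabilities, config);
+const severityCount = severityCountAllCVEsSca(vulnerabilities, new SeverityCountModel()).getTotal;
+if (highestSeverity.priority === undefined) {
+highestSeverity.priority = NOTE_PRIORITY;
+logDebug(config, `Unknown severity for vulnerability ${artifactName}`);
+}
+const newOutputModel = new ReportModelStructure(new ReportCompositeKey(artifactName, version, highestSeverity, severityCount), vulnerabilities, remediationAdvice);
 report.reportOutputList.push(newOutputModel);
 }
 const outputOrderedByLowestSeverityAndLowestNumOfCvesFirst = orderBy(report.reportOutputList, [
 reportListItem => {
+logDebug(config, reportListItem.compositeKey);
 return reportListItem.compositeKey.highestSeverity.priority;
 },
 reportListItem => {
@@ -99,6 +106,7 @@ export function buildHeader(highestSeverity, contrastHeaderNum, libraryName, ver
 return new ReportOutputHeaderModel(vulnMessage, introducesMessage);
 }
 export function buildBody(cveArray, advice, config) {
+logDebug(config, `buildBody 204: ${JSON.stringify(cveArray)}`);
 const orderedCvesWithSeverityAssigned = orderByHighestPrioritySca(cveArray.map(cve => findCVESeveritySca(cve, config)));
 const issueMessage = getIssueRow(orderedCvesWithSeverityAssigned);
 const adviceMessage = getAdviceRow(advice);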
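Review bot: The new guard `if (highestSeverity.priority === undefined)` in printFormattedOutputSca dereferences the value returned by findHighestSeverityCVESca, which is `orderBy(...)[0]` and therefore `undefined` whenever `vulnerabilities` is empty, so the check itself throws a TypeError before the NOTE_PRIORITY fallback can apply; if an empty array can reach this loop, the condition needs to be `if (highestSeverity === undefined || highestSeverity.priority === undefined)` with a branch that constructs a fallback model instead of assigning into `undefined`. The accompanying message `Unknown severity for vulnerability ${artifactName}` labels a library name as a vulnerability, which will confuse whoever reads the debug trace. In the buildBody hunk, `JSON.stringify(cveArray)` is evaluated before logDebug is entered, so the full serialization cost is paid on every call whether or not debug output is enabled; the two new logDebug lines in reportUtilsSca.js have the same shape. The `204` token in that message and the `logDebug(config, reportListItem.compositeKey)` call inside the orderBy iteratee, which fires once per list item on every sort, read as leftovers from local debugging and should be removed or reduced to one labelled line per library. printFormattedOutputSca and buildBody both continue outside their hunks.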
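--- a/package/dist/scaAnalysis/common/utils/reportUtilsSca.js
+++ b/package/dist/scaAnalysis/common/utils/reportUtilsSca.js
@@ -4,6 +4,7 @@ import { ReportSeverityModel } from '../../../audit/report/models/reportSeverity
 import { ScaReportModel } from '../models/ScaReportModel.js';
 import { logDebug } from '../../../common/logging.js';
 export function findHighestSeverityCVESca(cveArray, config) {
+logDebug(config, `\n findHighestSeverityCVESca 25: ${JSON.stringify(cveArray)} \n`);
 const mappedToReportSeverityModels = cveArray.map(cve => findCVESeveritySca(cve, config));
 // order and get first
 return orderBy(mappedToReportSeverityModels, cve => cve?.priority)[0];
@@ -13,6 +14,7 @@ export function orderByHighestPrioritySca(reportSeverityModel) {
 }
 export function findCVESeveritySca(vulnerabilityModel, config) {
 const { name } = vulnerabilityModel;
+logDebug(config, `\n findCVESeveritySca 44: ${JSON.stringify(vulnerabilityModel)} \n`);
 if (vulnerabilityModel.cvss3Severity === 'CRITICAL' ||
 vulnerabilityModel.severity === 'CRITICAL') {
 return new ReportSeverityModel('CRITICAL', CRITICAL_PRIORITY, CRITICAL_COLOUR, name);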
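Review bot: The two new logDebug messages carry the bare tokens `25` and `44` (`findHighestSeverityCVESca 25:`, `findCVESeveritySca 44:`), which look like source line numbers copied during local debugging and will go stale on the next edit; the function name alone is a stable enough label. findCVESeveritySca serializes the complete vulnerabilityModel on every call, and it is invoked once per CVE from findHighestSeverityCVESca and again per CVE from buildBody in commonReportingFunctionsSca.js, so at debug level every vulnerability record is dumped at least twice per report on top of the whole-array dump at the top of findHighestSeverityCVESca; logging only the already-destructured `name`, e.g. `logDebug(config, \`findCVESeveritySca: ${name}\`);`, keeps the trace readable. findCVESeveritySca continues outside the hunk.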
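--- a/package/dist/scaAnalysis/scaAnalysis.js
+++ b/package/dist/scaAnalysis/scaAnalysis.js
@@ -21,6 +21,7 @@ import { auditUsageGuide } from '../audit/help.js';
 import chalk from 'chalk';
 import { logDebug, logInfo } from '../common/logging.js';
 export const processSca = async (config) => {
+logDebug(config, `audit started at ${new Date().toISOString()}`);
 let filesFound;
 if (config.help) {
 logInfo(auditUsageGuide);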