npm - @contrast/contrast - Versions diffs - 3.2.0 → 3.2.2 - Mend

@contrast/contrast 3.2.0 → 3.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/auth/auth.js +4 -4
package/dist/constants/constants.js +1 -1
package/dist/constants/locales.js +1 -0
package/dist/index.js +1 -7
package/dist/sarif/generateSarif.js +43 -10
package/dist/sarif/help.js +1 -4
package/dist/sarif/sarifHelper.js +16 -0
package/dist/sarif/sarifRequests.js +21 -5
package/dist/utils/paramsUtil/paramHandler.js +15 -0
package/package.json +1 -2
package/dist/sarif/sarifClient.js +0 -33
package/dist/sarif/sarifWriter.js +0 -199

package/dist/auth/auth.js CHANGED Viewed

@@ -2,7 +2,7 @@ import { v4 as uuidv4 } from 'uuid';
 import i18n from 'i18n';
 import { failSpinner, returnOra, startSpinner, succeedSpinner } from '../utils/oraWrapper.js';
 import { en_locales } from '../constants/locales.js';
-import { AUTH_UI_URL, CE_URL, TIMEOUT } from '../constants/constants.js';
+import { AUTH_UI_URL, TIMEOUT } from '../constants/constants.js';
 import { setConfigValues } from '../utils/getConfig.js';
 import commandLineUsage from 'command-line-usage';
 import { commonMessageFormatter } from '../common/errorHandling.js';
@@ -11,12 +11,12 @@ import { commandLineDefinitions } from '../cliConstants.js';
 import { pollForAuth } from './authRequests.js';
 import open from 'open';
 import { logDebug, logInfo } from '../common/logging.js';
+import { checkDeprecatedHost } from '../utils/paramsUtil/paramHandler.js';
 const messages = en_locales();
 export const processAuth = async (argv, config) => {
     const authParams = await getCommandLineArgsCustom(config, 'auth', argv, commandLineDefinitions.authOptionDefinitions);
-    if (authParams.host === CE_URL) {
-        logInfo(i18n.__('codeSecEoL'));
-        process.exit(0);
+    if (authParams.host) {
+        checkDeprecatedHost(authParams);
     }
     if (authParams.help) {
         logInfo(authUsageGuide);

package/dist/constants/constants.js CHANGED Viewed

@@ -17,7 +17,7 @@ export const HIGH = 'HIGH';
 export const CRITICAL = 'CRITICAL';
 // App
 export const APP_NAME = 'contrast';
-const APP_VERSION = '3.2.0';
+const APP_VERSION = '3.2.2';
 export const TIMEOUT = 120000;
 export const CRITICAL_PRIORITY = 1;
 export const HIGH_PRIORITY = 2;

package/dist/constants/locales.js CHANGED Viewed

@@ -249,6 +249,7 @@ export const en_locales = () => {
         auditServicesMessageForTS: 'View your vulnerable library list or full dependency tree in Contrast:',
         auditReportFailureMessage: 'Unable to generate library report',
         auditSCAAnalysisBegins: 'Contrast SCA audit started',
+        sarifAnalysis: 'Sarif analysis started...',
         auditSCAAnalysisComplete: 'Contrast audit complete',
         commonHelpHeader: 'Need More Help? NEW users',
         commonHelpEnterpriseHeader: 'Existing Contrast Licensed user?',

package/dist/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { localConfig } from './utils/getConfig.js';
-import { APP_NAME, CE_URL, getAppVersion } from './constants/constants.js';
+import { APP_NAME, getAppVersion } from './constants/constants.js';
 import commandLineArgs from 'command-line-args';
 import { commandLineDefinitions } from './cliConstants.js';
 import { findLatestCLIVersion, isCorrectNodeVersion } from './common/versionChecker.js';
@@ -17,8 +17,6 @@ import { processAssess } from './assess/index.js';
 import { processSarif } from './sarif/generateSarif.js';
 import { logInfo } from './common/logging.js';
 import { generateYamlConfiguration } from './generateYaml/index.js';
-import i18n from 'i18n';
-import { exit } from 'process';
 const config = localConfig(APP_NAME, getAppVersion());
 const getMainOption = () => {
     const mainOptions = commandLineArgs(commandLineDefinitions.mainDefinition, {
@@ -61,10 +59,6 @@ const start = async () => {
             if (command === 'auth') {
                 return await processAuth(argvMain, config);
             }
-            if (config.get('host') === CE_URL) {
-                logInfo(i18n.__('codeSecEoL'));
-                exit(0);
-            }
             if (command === 'lambda') {
                 return await processLambda(argvMain);
             }

package/dist/sarif/generateSarif.js CHANGED Viewed

@@ -1,8 +1,14 @@
 import { getSarifConfig } from './sarifConfig.js';
-import { writeSarif } from './sarifWriter.js';
-import { logInfo } from '../common/logging.js';
+import { convertSeverityInput, writeSarif } from './sarifHelper.js';
+import { logDebug, logInfo } from '../common/logging.js';
 import { sarifUsageGuide } from './help.js';
-import { sarifVulns } from './sarifClient.js';
+import { createSarifReportId, sarifReport, sarifStatus } from './sarifRequests.js';
+import { got } from 'got';
+import { sleep } from '../utils/requestUtils.js';
+import { handleTimeout } from '../utils/commonApi.js';
+import { performance } from 'perf_hooks';
+import { failSpinner, returnOra, startSpinner, succeedSpinner } from '../utils/oraWrapper.js';
+import i18n from 'i18n';
 // This filename could be set by a customer
 // Defaulted to be ingested in a GH workflow
 const outputFileName = 'contrast.sarif';
@@ -11,15 +17,42 @@ export const processSarif = async (contrastConf, argvMain) => {
         printHelpMessage();
         process.exit(0);
     }
+    const startTime = performance.now();
     let config = await getSarifConfig(contrastConf, 'sarif', argvMain);
-    logInfo('Generating SARIF file');
-    const sarifData = await sarifVulns(config);
-    if (sarifData === '') {
-        logInfo('No SARIF data found');
-        process.exit(0);
+    if (!config.applicationId) {
+        throw new Error(`Unable to generate sarif file without application ID.`);
+    }
+    const reportSpinner = returnOra(i18n.__('sarifAnalysis'));
+    startSpinner(reportSpinner);
+    await generateSarif(config, reportSpinner, startTime);
+};
+export const generateSarif = async (config, reportSpinner, startTime) => {
+    let severities = [];
+    if (config.severity) {
+        severities = convertSeverityInput(config.severity);
+    }
+    const response = await createSarifReportId(config, severities);
+    if (response.body.success === true) {
+        const reportId = response.body.uuid;
+        logDebug(config, `Async sarif endpoint hit successfully - ${response.body.messages}`);
+        let doPoll = true;
+        while (doPoll) {
+            await sleep(5000);
+            const statusRes = await sarifStatus(config, reportId);
+            if (statusRes.body.status === 'ACTIVE') {
+                doPoll = false;
+                let data = await sarifReport(config, reportId);
+                writeSarif(outputFileName, data.body);
+                succeedSpinner(reportSpinner, 'contrast.sarif file generated successfully');
+            }
+            // defaulting timeout to 30 minutes
+            handleTimeout(startTime, 1800, reportSpinner);
+        }
+    }
+    else {
+        logDebug(config, response.body.messages);
+        failSpinner(reportSpinner, 'Unable to generate contrast.sarif');
     }
-    writeSarif(outputFileName, sarifData);
-    logInfo('contrast.sarif file generated successfully');
 };
 const printHelpMessage = () => {
     logInfo(sarifUsageGuide);

package/dist/sarif/help.js CHANGED Viewed

@@ -45,8 +45,5 @@ export const sarifUsageGuide = commandLineUsage([
     {
         header: __('constantsAdvancedOptions'),
         optionList: commandLineDefinitions.sarifAdvancedOptionDefinitionsForHelp
-    },
-    commonHelpLinks()[0],
-    commonHelpLinks()[1],
-    commonHelpLinks()[2]
+    }
 ]);

package/dist/sarif/sarifHelper.js ADDED Viewed

@@ -0,0 +1,16 @@
+import fs from 'fs';
+export const writeSarif = (outputFileName, sarifData) => {
+    if (outputFileName) {
+        fs.writeFileSync(outputFileName, JSON.stringify(sarifData, null, 2), 'utf8');
+    }
+    else {
+        console.log(sarifData);
+    }
+};
+export const SEVERITIES = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'NOTE'];
+export const convertSeverityInput = severity => {
+    const index = SEVERITIES.indexOf(severity.toUpperCase());
+    if (index === -1)
+        return SEVERITIES;
+    return SEVERITIES.slice(0, index + 1);
+};

package/dist/sarif/sarifRequests.js CHANGED Viewed

@@ -1,11 +1,11 @@
 import { buildBaseRequestOptions, ErrorType } from '../common/baseRequest.js';
 import { got } from 'got';
-const getSarifUrl = (config) => {
-    return `${config.host}/Contrast/api/ng/organizations/${config.organizationId}/applications/${config.applicationId}/sarif`;
+export const createSarifReportUrl = (config) => {
+    return `${config.host}/Contrast/api/ng/organizations/${config.organizationId}/applications/${config.applicationId}/sarif/async`;
 };
-export function getSarifVulns(config, severities) {
+export const createSarifReportId = (config, severities) => {
     const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
-    options.url = getSarifUrl(config);
+    options.url = createSarifReportUrl(config);
     options.json = {
         metadataFilters: config.metadata ? config.metadata : [],
         // User can specify minimum severity, if none will include all
@@ -14,4 +14,20 @@ export function getSarifVulns(config, severities) {
         toolTypes: config.toolType ? [config.toolType] : ['SCA', 'ASSESS']
     };
     return got.post(options);
-}
+};
+export const sarifStatusUrl = (config, reportUuid) => {
+    return `${config.host}/Contrast/api/ng/organizations/${config.organizationId}/reports/${reportUuid}/status`;
+};
+export const sarifStatus = (config, reportId) => {
+    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
+    options.url = sarifStatusUrl(config, reportId);
+    return got.get(options);
+};
+export const getSarifDataUrl = (config, reportUuid) => {
+    return `${config.host}/Contrast/api/ng/${config.organizationId}/reports/${reportUuid}/download`;
+};
+export const sarifReport = async (config, reportId) => {
+    const options = buildBaseRequestOptions(config, ErrorType.GENERIC);
+    options.url = getSarifDataUrl(config, reportId);
+    return await got.post(options);
+};

package/dist/utils/paramsUtil/paramHandler.js CHANGED Viewed

@@ -4,17 +4,32 @@ import { configStoreGetAuth } from './configStoreParams.js';
 import i18n from 'i18n';
 import { validateAuthParams, validateFingerprintParams } from '../validationCheck.js';
 import { logInfo } from '../../common/logging.js';
+import { CE_URL } from '../../constants/constants.js';
+import { exit } from 'process';
+/**
+ * Checks if the host is the deprecated CE_URL and exits if it is
+ * @param {Object} authParams - Auth parameters object containing host property
+ */
+export function checkDeprecatedHost(authParams) {
+    if (authParams.host === CE_URL) {
+        logInfo(i18n.__('codeSecEoL'));
+        exit(1);
+    }
+}
 export function getAuth(params) {
     let commandLineAuthParamsAuth = commandGetAuth(params);
     let envVariableParamsAuth = envGetAuth();
     let configStoreParamsAuth = configStoreGetAuth();
     if (validateAuthParams(commandLineAuthParamsAuth)) {
+        checkDeprecatedHost(commandLineAuthParamsAuth);
         return commandLineAuthParamsAuth;
     }
     else if (validateAuthParams(envVariableParamsAuth)) {
+        checkDeprecatedHost(envVariableParamsAuth);
         return envVariableParamsAuth;
     }
     else if (validateAuthParams(configStoreParamsAuth)) {
+        checkDeprecatedHost(configStoreParamsAuth);
         return configStoreParamsAuth;
     }
     else {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/contrast",
-  "version": "3.2.0",
+  "version": "3.2.2",
   "description": "Contrast Security's command line tool",
   "exports": "./dist/index.js",
   "type": "module",
@@ -77,7 +77,6 @@
     "js-yaml": "4.1.0",
     "lodash-es": "4.17.21",
     "log-symbols": "4.1.0",
-    "node-sarif-builder": "^3.1.0",
     "open": "8.4.2",
     "ora": "6.3.1",
     "pkginfo": "0.4.1",

package/dist/sarif/sarifClient.js DELETED Viewed

@@ -1,33 +0,0 @@
-import { getSarifVulns } from './sarifRequests.js';
-export const sarifVulns = async (config) => {
-    let severities = [];
-    if (config.severity) {
-        severities = convertSeverityInput(config.severity);
-    }
-    const response = await getSarifVulns(config, severities);
-    if (response.statusCode === 200) {
-        console.log('Retrieved SARIF data');
-        return JSON.stringify(response.body, null, 2);
-    }
-    else {
-        console.log(`Error retrieving SARIF data`);
-        return '';
-    }
-};
-export function convertSeverityInput(severity) {
-    const severities = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'NOTE'];
-    switch (severity.toUpperCase()) {
-        case 'CRITICAL':
-            return severities.slice(0, 1);
-        case 'HIGH':
-            return severities.slice(0, 2);
-        case 'MEDIUM':
-            return severities.slice(0, 3);
-        case 'LOW':
-            return severities.slice(0, 4);
-        case 'NOTE':
-            return severities;
-        default:
-            return severities;
-    }
-}

package/dist/sarif/sarifWriter.js DELETED Viewed

@@ -1,199 +0,0 @@
-import { SarifBuilder, SarifRunBuilder, SarifResultBuilder, SarifRuleBuilder } from 'node-sarif-builder';
-import fs from 'fs';
-export const mapSeverity = contrastSeverity => {
-    switch (contrastSeverity.toLowerCase()) {
-        case 'critical':
-            return 'error';
-        case 'high':
-            return 'warning';
-        case 'medium':
-            return 'note';
-        case 'low':
-            return 'note';
-        case 'note':
-            return 'note';
-        default:
-            return 'note';
-    }
-};
-export const getFileFromTSDescription = description => {
-    const regex = /\(([^)]+):\d*\)/;
-    const match = regex.exec(description);
-    return match ? match[1] : 'NOT AVAILABLE';
-};
-export const getLineFromTSDescription = description => {
-    const regex = /\(.*:(\d*)\)/;
-    const match = regex.exec(description);
-    return match ? parseInt(match[1]) : 1;
-};
-export const getLogicalLocationFromTSDescription = description => {
-    const regex = /(.*)\([^]+:\d*\)/;
-    const match = regex.exec(description);
-    return match ? match[1] + '()' : 'NOT AVAILABLE';
-};
-export const generateIastSarifRun = traces => {
-    const sarifRunBuilderIast = new SarifRunBuilder().initSimple({
-        toolDriverName: 'contrast-assess',
-        toolDriverVersion: '1.0.0',
-        url: 'https://contrastsecurity.com' // Url of your analyzer tool
-    });
-    if (traces.length === 0) {
-        return sarifRunBuilderIast;
-    }
-    for (const trace of traces) {
-        let extractedString = null;
-        if (trace.trace.sink && trace.trace.sink.label) {
-            extractedString = getFileFromTSDescription(trace.trace.sink.label);
-        }
-        const sarifResultBuilder = new SarifResultBuilder().initSimple({
-            ruleId: trace.trace.rule_title,
-            messageText: trace.trace.title,
-            level: mapSeverity(trace.trace.severity)
-        });
-        const sarifRuleBuilder = new SarifRuleBuilder().initSimple({
-            ruleId: trace.trace.rule_title,
-            shortDescriptionText: trace.trace.title,
-            fullDescriptionText: trace.trace.title
-        });
-        sarifRunBuilderIast.addRule(sarifRuleBuilder);
-        if (extractedString) {
-            sarifResultBuilder.setLocationArtifactUri({ uri: extractedString });
-        }
-        if (trace.trace.request) {
-            sarifResultBuilder.result.webRequest = {
-                target: trace.trace.request.uri,
-                method: trace.trace.request.method,
-                protocol: trace.trace.request.protocol,
-                version: trace.trace.request.version
-            };
-        }
-        sarifResultBuilder.result.provenance = {
-            firstDetectionTimeUtc: new Date(trace.trace.discovered).toISOString(),
-            lastDetectionTimeUtc: new Date(trace.trace.last_time_seen).toISOString()
-        };
-        sarifResultBuilder.result.properties = {
-            vulnerability_id: trace.trace.uuid,
-            contrast_severity: trace.trace.severity,
-            contrast_status: trace.trace.status,
-            contrast_substatus: trace.trace.sub_status
-        };
-        // Add stack trace
-        sarifResultBuilder.result.codeFlows = [
-            {
-                threadFlows: trace.events.map(event => {
-                    return {
-                        locations: [
-                            {
-                                location: {
-                                    physicalLocation: {
-                                        artifactLocation: {
-                                            uri: getFileFromTSDescription(event.stacktraces[0].description)
-                                        },
-                                        region: {
-                                            startLine: getLineFromTSDescription(event.stacktraces[0].description)
-                                        }
-                                    },
-                                    logicalLocations: [
-                                        {
-                                            fullyQualifiedName: getLogicalLocationFromTSDescription(event.stacktraces[0].description)
-                                        }
-                                    ]
-                                },
-                                stack: {
-                                    frames: event.stacktraces
-                                        .filter(stacktrace => getFileFromTSDescription(stacktrace.description) !==
-                                        'NOT AVAILABLE')
-                                        .map(stacktrace => {
-                                        return {
-                                            location: {
-                                                physicalLocation: {
-                                                    artifactLocation: {
-                                                        uri: getFileFromTSDescription(stacktrace.description)
-                                                    },
-                                                    region: {
-                                                        startLine: getLineFromTSDescription(stacktrace.description)
-                                                    }
-                                                },
-                                                logicalLocations: [
-                                                    {
-                                                        fullyQualifiedName: getLogicalLocationFromTSDescription(stacktrace.description)
-                                                    }
-                                                ]
-                                            }
-                                        };
-                                    })
-                                }
-                            }
-                        ]
-                    };
-                }),
-                properties: {
-                    routeSignature: trace.routes[0] ? trace.routes[0].signature : ''
-                }
-            }
-        ];
-        sarifResultBuilder.result.locations = [];
-        sarifResultBuilder.result.locations.push({
-            physicalLocation: {
-                artifactLocation: {
-                    uri: getFileFromTSDescription(trace.trace.sink.label)
-                },
-                region: {
-                    startLine: getLineFromTSDescription(trace.trace.sink.label)
-                }
-            },
-            logicalLocations: [
-                {
-                    fullyQualifiedName: getLogicalLocationFromTSDescription(trace.trace.sink.label)
-                }
-            ]
-        });
-        sarifRunBuilderIast.addResult(sarifResultBuilder);
-    }
-    return sarifRunBuilderIast;
-};
-export const generateScaSarifRun = cveList => {
-    const sarifRunBuilderSca = new SarifRunBuilder().initSimple({
-        toolDriverName: 'contrast-sca',
-        toolDriverVersion: '1.0.0',
-        url: 'https://contrastsecurity.com' // Url of your analyzer tool
-    });
-    if (cveList.length === 0) {
-        return sarifRunBuilderSca;
-    }
-    for (const cve of cveList) {
-        const sarifResultBuilder = new SarifResultBuilder().initSimple({
-            ruleId: cve.name,
-            messageText: cve.description,
-            level: mapSeverity(cve.severityToUse)
-        });
-        sarifResultBuilder.setLocationArtifactUri({ uri: cve.library.file_name });
-        sarifResultBuilder.result.properties = {
-            contrast_severity: cve.severityToUse,
-            library_version: cve.library.version,
-            cvss_score: cve.cvss_3_severity_value,
-            vector: cve.cvss_3_vector
-        };
-        sarifRunBuilderSca.addResult(sarifResultBuilder);
-    }
-    return sarifRunBuilderSca;
-};
-export const writeCombinedSarif = (traces, cveList, outputFileName) => {
-    const sarifBuilder = new SarifBuilder();
-    const sarifRunBuilderIast = generateIastSarifRun(traces);
-    sarifBuilder.addRun(sarifRunBuilderIast);
-    const sarifRunBuilderSca = generateScaSarifRun(cveList);
-    sarifBuilder.addRun(sarifRunBuilderSca);
-    const sarifJsonString = sarifBuilder.buildSarifJsonString({
-        indent: true
-    }); // indent:true if you like
-    writeSarif(outputFileName, sarifJsonString);
-};
-export const writeSarif = (outputFileName, sarifData) => {
-    if (outputFileName) {
-        fs.writeFileSync(outputFileName, sarifData);
-    }
-    else {
-        console.log(sarifData);
-    }
-};