@contrast/reporter - npm Package Compare versions

Comparing version 1.21.1 to 1.22.0

lib/reporters/base.d.ts

@@ -1,2 +0,2 @@
-import { AppInfo, Event, Lifecycle, Messages, RequestStore } from '@contrast/common';
+import { AppInfo, Event, Messages, RequestStore } from '@contrast/common';
 import { Config } from '@contrast/config';
@@ -13,5 +13,2 @@ import { Scopes } from '@contrast/scopes';
     readonly messages: Messages;
-    readonly events: {
-        lifecycle: Lifecycle;
-    };
     readonly protect: Protect;
@@ -27,3 +24,3 @@ readonly scopes: Scopes;
     constructor(core: Core, name: string);
-    subscribeWithLock(event: Event, cb: (msg: any) => void, ee?: Lifecycle | Messages): void;
+    subscribeWithLock(event: Event, cb: (msg: any) => void): void;
     abstract install(): Promise<void>;
@@ -30,0 +27,0 @@ abstract handleAssessEvent(msg: RequestStore): void;

lib/reporters/base.js

@@ -28,5 +28,5 @@ "use strict";
     }
-    subscribeWithLock(event, cb, ee) {
+    subscribeWithLock(event, cb) {
         const { instrumentation } = this.scopes;
-        (ee || this.messages).on(event, (msg) => {
+        this.messages.on(event, (msg) => {
             if (!instrumentation.isLocked()) {
@@ -33,0 +33,0 @@ instrumentation.run({ lock: true, name: this.name }, cb, msg);

lib/reporters/contrast-ui/endpoints/traces/index.js

@@ -76,5 +76,2 @@ "use strict";
             const { ruleId, vulnerabilityMetadata } = msg;
-            // NODE-3135
-            if (msg.ruleId === common_1.ResponseScanningRule.X_POWERED_BY_HEADER)
-                return;
             const store = this.getStore(msg);
@@ -101,2 +98,13 @@ if (!store)
         });
+        this.reporter.subscribeWithLock(common_1.Event.ASSESS_CRYPTO_ANALYSIS_FINDING, (msg) => {
+            const { ruleId, finding } = msg;
+            const store = this.getStore(msg);
+            if (!store)
+                return;
+            this.getAccum(store).messages.push({
+                events: [tx.getCryptoEvent(finding)],
+                ruleId,
+                time: Date.now(),
+            });
+        });
         this.reporter.subscribeWithLock(common_1.Event.RESPONSE_FINISH, (store) => {
@@ -112,3 +120,3 @@ const { route } = store;
             this.initiateCompletenessCondition(accum);
-        }, this.core.events.lifecycle);
+        });
         setInterval(() => {
@@ -115,0 +123,0 @@ for (const [store, accum] of this.accumMap.entries()) {

lib/reporters/contrast-ui/endpoints/traces/translations.d.ts

@@ -8,2 +8,3 @@ import { RequestStore } from '@contrast/common';
 export declare function getTraceEvent(event: any): TraceEvent;
+export declare function getCryptoEvent(finding: any): any;
 export declare function topologicalSort(sinkEvent: any): any[];
@@ -10,0 +11,0 @@ export declare function getRoutes(route: any): {

lib/reporters/contrast-ui/endpoints/traces/translations.js

@@ -17,3 +17,3 @@ "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getTraceEvents = exports.getRequest = exports.getRoutes = exports.topologicalSort = exports.getTraceEvent = exports.getEventHash = exports.getSignature = exports.getEventAction = exports.getTaintRanges = void 0;
+exports.getTraceEvents = exports.getRequest = exports.getRoutes = exports.topologicalSort = exports.getCryptoEvent = exports.getTraceEvent = exports.getEventHash = exports.getSignature = exports.getEventAction = exports.getTaintRanges = void 0;
 const crc_32_1 = require("crc-32");
@@ -70,3 +70,3 @@ const common_1 = require("@contrast/common");
         // - signature | normalized-uri | uri
-        hash = (0, crc_32_1.str)(route?.signature || request?.normalizedUrl || request?.uri || '', hash);
+        hash = (0, crc_32_1.str)(route?.signature || request?.standardNormalizedUri || request?.uri || '', hash);
         // - verb
@@ -150,2 +150,36 @@ hash = (0, crc_32_1.str)(route?.method || '', hash);
 exports.getTraceEvent = getTraceEvent;
+function getCryptoEvent(finding) {
+    return {
+        action: 'TRIGGER',
+        args: finding.args.map((arg) => ({
+            tracked: arg.tracked,
+            value: (0, common_1.encodeString)(arg.value),
+        })),
+        fieldName: '',
+        context: finding.context || '',
+        object: {
+            tracked: finding.object.tracked,
+            value: (0, common_1.encodeString)(finding.object.value),
+        },
+        ret: {
+            tracked: finding.result.tracked,
+            value: (0, common_1.encodeString)(finding.result.value),
+        },
+        signature: {
+            returnType: typeof finding.result.value,
+            className: finding.moduleName,
+            methodName: finding.methodName,
+            argTypes: finding.args.map((a) => typeof a.value),
+            constructor: false,
+            voidMethod: false,
+            flags: 0,
+        },
+        source: finding.source,
+        stack: finding.stack,
+        thread: '',
+        time: finding.time,
+        type: 'METHOD',
+    };
+}
+exports.getCryptoEvent = getCryptoEvent;
 function topologicalSort(sinkEvent) {
@@ -197,3 +231,3 @@ const eventSet = new Set();
         uri,
-        normalizedUrl: route && route.url,
+        standardNormalizedUri: route?.normalizedUrl,
         version: httpVersion,
@@ -200,0 +234,0 @@ };

lib/reporters/file.js

@@ -39,2 +39,3 @@ "use strict";
             common_1.Event.ASSESS_SESSION_CONFIGURATION_FINDING,
+            common_1.Event.ASSESS_CRYPTO_ANALYSIS_FINDING,
             common_1.Event.LIBRARY_USAGE,
@@ -41,0 +42,0 @@ common_1.Event.LIBRARY,

lib/reporters/security-logger/index.js

@@ -72,10 +72,12 @@ "use strict";
         this.streams = [];
-        try {
-            fs_1.default.mkdirSync(path_1.default.dirname(this.loggerConfig.path), { recursive: true });
-            fs_1.default.openSync(this.loggerConfig.path, 'a');
-            this.streams.push(new sonic_boom_1.default({ dest: this.loggerConfig.path }));
+        if (this.loggerConfig.path !== '/dev/null') {
+            try {
+                fs_1.default.mkdirSync(path_1.default.dirname(this.loggerConfig.path), { recursive: true });
+                fs_1.default.openSync(this.loggerConfig.path, 'a');
+                this.streams.push(new sonic_boom_1.default({ dest: this.loggerConfig.path }));
+            }
+            catch (err) {
+                core.logger.warn({ err }, 'Unable to write to the configured security logger path.');
+            }
         }
-        catch (err) {
-            core.logger.warn({ err }, 'Unable to write to the configured security logger path.');
-        }
         if (this.loggerConfig.stdout) {
@@ -82,0 +84,0 @@ this.streams.push(new sonic_boom_1.default({ fd: process.stdout.fd }));

package.json

 {
   "name": "@contrast/reporter",
-  "version": "1.21.1",
+  "version": "1.22.0",
   "description": "Subscribes to agent messages and reports them",
@@ -21,4 +21,4 @@ "license": "SEE LICENSE IN LICENSE",
   "dependencies": {
-    "@contrast/common": "1.15.1",
-    "axios": "^0.27.2",
+    "@contrast/common": "1.16.0",
+    "axios": "^1.6.0",
     "crc-32": "^1.2.2",
@@ -25,0 +25,0 @@ "hpagent": "^1.2.0",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

206409

increased by1.37%

Lines of code

2894

increased by1.51%

Dependency changes

• + Added@contrast/common@1.16.0(transitive)

• + Addedaxios@1.7.7(transitive)

• + Addedproxy-from-env@1.1.0(transitive)

• - Removed@contrast/common@1.15.1(transitive)

• - Removedaxios@0.27.2(transitive)

• Updated@contrast/common@1.16.0

• Updatedaxios@^1.6.0