add verbosity option (-v) to show the issues' description, migrate to…

… shortened git.io links

package.json

@@ -41,7 +41,7 @@
     "chalk": "^2.4.1",
     "cheerio": "^1.0.0-rc.2",
     "cli-progress": "^2.0.0",
-    "cli-table2": "^0.2.0",
+    "cli-table3": "^0.5.1",
     "escope": "^3.6.0",
     "eslint": "^6.5.1",
     "esprima": "^4.0.0",

src/finder/checks/AtomicChecks/AffinityHTMLCheck.js

@@ -7,6 +7,7 @@ export default class AffinityHTMLCheck {
     this.id = 'AFFINITY_HTML_CHECK';
     this.description = `Review the use of affinity property`;
     this.type = sourceTypes.HTML;
+    this.shortenedURL = "https://git.io/Jeu1z";
   }
 
   match(cheerioObj, content) {
@@ -18,7 +19,7 @@ export default class AffinityHTMLCheck {
       if (wp) {
         let features = parseWebPreferencesFeaturesString(wp);
         if (features['affinity'] !== undefined)
-          loc.push({ line: content.substr(0, elem.startIndex).split('\n').length, column: 0, id: self.id, description: self.description, severity: severity.MEDIUM, confidence: confidence.TENTATIVE, properties: { "AffinityString": features['affinity']}, manualReview: true });
+          loc.push({ line: content.substr(0, elem.startIndex).split('\n').length, column: 0, id: self.id, description: self.description, shortenedURL: self.shortenedURL, severity: severity.MEDIUM, confidence: confidence.TENTATIVE, properties: { "AffinityString": features['affinity']}, manualReview: true });
       }
 
     });

src/finder/checks/AtomicChecks/AffinityJSCheck.js

@@ -6,6 +6,7 @@ export default class AffinityJSCheck {
     this.id = 'AFFINITY_JS_CHECK';
     this.description = `Review the use of affinity property`;
     this.type = sourceTypes.JAVASCRIPT;
+    this.shortenedURL = "https://git.io/Jeu1z";
   }
 
   match(astNode, astHelper, scope) {
@@ -26,7 +27,7 @@ export default class AffinityJSCheck {
 
       for (const node of found_nodes) {
         if (node.value.value) {
-          location.push({ line: node.value.loc.start.line, column: node.value.loc.start.column, id: this.id, description: this.description, severity: severity.MEDIUM, confidence: confidence.TENTATIVE, properties: { "AffinityString": node.value.value }, manualReview: true });
+          location.push({ line: node.value.loc.start.line, column: node.value.loc.start.column, id: this.id, description: this.description, shortenedURL: this.shortenedURL, severity: severity.MEDIUM, confidence: confidence.TENTATIVE, properties: { "AffinityString": node.value.value }, manualReview: true });
         }
       }
     }

src/finder/checks/AtomicChecks/AllowPopupHTMLCheck.js

@@ -6,6 +6,7 @@ export default class AllowPopupsHTMLCheck {
     this.id = 'ALLOWPOPUPS_HTML_CHECK';
     this.description = `Do not allow popups in webview`;
     this.type = sourceTypes.HTML;
+    this.shortenedURL = "https://git.io/Jeu1V";
   }
 
   match(cheerioObj, content) {
@@ -15,7 +16,7 @@ export default class AllowPopupsHTMLCheck {
     webviews.each(function (i, elem) {
       const allowpopups = cheerioObj(this).attr('allowpopups');
       if (allowpopups !== undefined) {
-        loc.push({ line: content.substr(0, elem.startIndex).split('\n').length, column: 0, id: self.id, description: self.description, severity: severity.LOW, confidence: confidence.CERTAIN, manualReview: false });
+        loc.push({ line: content.substr(0, elem.startIndex).split('\n').length, column: 0, id: self.id, description: self.description, shortenedURL: self.shortenedURL, severity: severity.LOW, confidence: confidence.CERTAIN, manualReview: false });
       }
 
     });

src/finder/checks/AtomicChecks/AuxclickHTMLCheck.js

@@ -6,6 +6,7 @@ export default class AuxclickHTMLCheck {
     this.id = 'AUXCLICK_HTML_CHECK';
     this.description = `Limit navigation flows to untrusted origins. Middle-click may cause Electron to open a link within a new window`;
     this.type = sourceTypes.HTML;
+    this.shortenedURL = "https://git.io/Jeu1P";
   }
 
   match(cheerioObj, content) {
@@ -17,7 +18,7 @@ export default class AuxclickHTMLCheck {
       if(dbf && (dbf === "Auxclick")){
         //Nothing to report
       }else{
-        loc.push({ line: content.substr(0, elem.startIndex).split('\n').length, column: 0, id: self.id, description: self.description, severity: severity.MEDIUM, confidence: confidence.FIRM, manualReview: false });
+        loc.push({ line: content.substr(0, elem.startIndex).split('\n').length, column: 0, id: self.id, description: self.description, shortenedURL: self.shortenedURL, severity: severity.MEDIUM, confidence: confidence.FIRM, manualReview: false });
       }
     });
     return loc;

src/finder/checks/AtomicChecks/AuxclickJSCheck.js

@@ -6,6 +6,7 @@ export default class AuxclickJSCheck {
     this.id = 'AUXCLICK_JS_CHECK';
     this.description = `Limit navigation flows to untrusted origins. Middle-click may cause Electron to open a link within a new window`;
     this.type = sourceTypes.JAVASCRIPT;
+    this.shortenedURL = "https://git.io/Jeu1K";
   }
 
   match(astNode, astHelper, scope) {
@@ -27,12 +28,12 @@ export default class AuxclickJSCheck {
       if (found_nodes.length > 0) {
         for (const node of found_nodes) {
           if (node.value.value.indexOf("Auxclick") == -1) {
-            location.push({ line: node.key.loc.start.line, column: node.key.loc.start.column, id: this.id, description: this.description, severity: severity.MEDIUM, confidence: confidence.FIRM, manualReview: false });
+            location.push({ line: node.key.loc.start.line, column: node.key.loc.start.column, id: this.id, description: this.description, shortenedURL: this.shortenedURL, severity: severity.MEDIUM, confidence: confidence.FIRM, manualReview: false });
           }
         }
       }
       else {
-        location.push({ line: astNode.loc.start.line, column: astNode.loc.start.column, id: this.id, description: this.description, severity: severity.MEDIUM, confidence: confidence.FIRM, manualReview: false });
+        location.push({ line: astNode.loc.start.line, column: astNode.loc.start.column, id: this.id, description: this.description, shortenedURL: this.shortenedURL, severity: severity.MEDIUM, confidence: confidence.FIRM, manualReview: false });
       }
 
     }

src/finder/checks/AtomicChecks/BlinkFeaturesHTMLCheck.js

@@ -6,6 +6,7 @@ export default class BlinkFeaturesHTMLCheck {
     this.id = 'BLINK_FEATURES_HTML_CHECK';
     this.description = `Do not use Chromium's experimental features`;
     this.type = sourceTypes.HTML;
+    this.shortenedURL = "https://git.io/Jeu19";
   }
 
   match(cheerioObj, content) {
@@ -15,15 +16,15 @@ export default class BlinkFeaturesHTMLCheck {
     webviews.each(function (i, elem) {
       let wp = cheerioObj(this).attr('enableblinkfeatures');
       if(wp){
-        loc.push({ line: content.substr(0, elem.startIndex).split('\n').length, column: 0, id: self.id, description: self.description, severity: severity.LOW, confidence: confidence.CERTAIN, manualReview: true });
+        loc.push({ line: content.substr(0, elem.startIndex).split('\n').length, column: 0, id: self.id, description: self.description, shortenedURL: self.shortenedURL, severity: severity.LOW, confidence: confidence.CERTAIN, manualReview: true });
       }
 
       // search for both names for now
       // todo: implement taking electron version into account
       // https://github.com/electron/electron/blob/master/docs/api/breaking-changes.md#browserwindow
       wp = cheerioObj(this).attr('blinkfeatures');
       if(wp){
-        loc.push({ line: content.substr(0, elem.startIndex).split('\n').length, column: 0, id: self.id, description: self.description, severity: severity.LOW, confidence: confidence.CERTAIN, manualReview: true });
+        loc.push({ line: content.substr(0, elem.startIndex).split('\n').length, column: 0, id: self.id, description: self.description, shortenedURL: self.shortenedURL, severity: severity.LOW, confidence: confidence.CERTAIN, manualReview: true });
       }
     });
     return loc;

src/finder/checks/AtomicChecks/BlinkFeaturesJSCheck.js

@@ -6,6 +6,7 @@ export default class BlinkFeaturesJSCheck {
     this.id = 'BLINK_FEATURES_JS_CHECK';
     this.description = `Do not use Chromium’s experimental features`;
     this.type = sourceTypes.JAVASCRIPT;
+    this.shortenedURL = "https://git.io/Jeu1M";
   }
 
   match(astNode, astHelper, scope){
@@ -29,7 +30,7 @@ export default class BlinkFeaturesJSCheck {
                  node.key.value === 'blinkFeatures' || node.key.name === 'blinkFeatures'));
 
       for (const node of found_nodes) {
-        location.push({ line: node.key.loc.start.line, column: node.key.loc.start.column, id: this.id, description: this.description, severity: severity.LOW, confidence: confidence.CERTAIN, manualReview: true });
+        location.push({ line: node.key.loc.start.line, column: node.key.loc.start.column, id: this.id, description: this.description, shortenedURL: this.shortenedURL, severity: severity.LOW, confidence: confidence.CERTAIN, manualReview: true });
       }
     }
 

src/finder/checks/AtomicChecks/CSPHTMLCheck.js

@@ -6,6 +6,7 @@ export default class CSPHTMLCheck {
     this.id = 'CSP_HTML_CHECK';
     this.description = `A CSP is set for this page using a meta tag`;
     this.type = sourceTypes.HTML;
+    this.shortenedURL = "https://git.io/JeuMe";
   }
 
   match(cheerioObj, content) {
@@ -16,7 +17,7 @@ export default class CSPHTMLCheck {
       const httpEquiv = cheerioObj(this).attr('http-equiv');
       const cspContent = cheerioObj(this).attr('content');
       if (httpEquiv && httpEquiv.toLowerCase() === "Content-Security-Policy".toLowerCase()) {
-        loc.push({ line: content.substr(0, elem.startIndex).split('\n').length, column: 0, id: self.id, description: self.description, severity: severity.INFORMATIONAL, confidence: confidence.TENTATIVE, properties: { "CSPstring": cspContent }, manualReview: true });
+        loc.push({ line: content.substr(0, elem.startIndex).split('\n').length, column: 0, id: self.id, description: self.description, shortenedURL: self.shortenedURL, severity: severity.INFORMATIONAL, confidence: confidence.TENTATIVE, properties: { "CSPstring": cspContent }, manualReview: true });
       }
     });
     return loc;

src/finder/checks/AtomicChecks/CSPJSCheck.js

@@ -6,6 +6,7 @@ export default class CSPJSCheck {
     this.id = 'CSP_JS_CHECK';
     this.description = `Check for common responseHeaders CSP assignments`;
     this.type = sourceTypes.JAVASCRIPT;
+    this.shortenedURL = "https://git.io/JeuMe";
   }
 
   match(astNode, astHelper){
@@ -27,15 +28,15 @@ export default class CSPJSCheck {
           if (node.value.properties) {
             for (const property of node.value.properties)
               if (property.key && property.key.value && property.key.value.toLowerCase() === "content-security-policy")
-                location.push({ line: node.key.loc.start.line, column: node.key.loc.start.column, id: this.id, description: this.description,severity: severity.INFORMATIONAL, confidence: confidence.TENTATIVE, properties: { "CSPstring": property.value.elements[0].value }, manualReview: true });
+                location.push({ line: node.key.loc.start.line, column: node.key.loc.start.column, id: this.id, description: this.description, shortenedURL: this.shortenedURL, severity: severity.INFORMATIONAL, confidence: confidence.TENTATIVE, properties: { "CSPstring": property.value.elements[0].value }, manualReview: true });
           } // match callback({ responseHeaders: Object.assign({"Content-Security-Policy": [ "default-src 'self'" ]}, details.responseHeaders)}); as a popular stackoverflow answer suggests https://stackoverflow.com/questions/51969512/define-csp-http-header-in-electron-app
           else if (node.value.type === 'CallExpression') {
             if (node.value.arguments.length > 0) {
               for (const argument of node.value.arguments)
                 if (argument.type === 'ObjectExpression')
                   for (const property of argument.properties)
                     if (property.key && property.key.value === 'Content-Security-Policy')
-                      location.push({ line: node.value.loc.start.line, column: node.value.loc.start.column, id: this.id, description: this.description,severity: severity.INFORMATIONAL, confidence: confidence.TENTATIVE, properties: { "CSPstring": property.value.elements[0].value}, manualReview: true });  
+                      location.push({ line: node.value.loc.start.line, column: node.value.loc.start.column, id: this.id, description: this.description, shortenedURL: this.shortenedURL, severity: severity.INFORMATIONAL, confidence: confidence.TENTATIVE, properties: { "CSPstring": property.value.elements[0].value}, manualReview: true });  
             }
           }
         }

src/finder/checks/AtomicChecks/CertificateErrorEventJSCheck.js

@@ -6,6 +6,7 @@ export default class CertificateErrorEventJSCheck {
     this.id = 'CERTIFICATE_ERROR_EVENT_JS_CHECK';
     this.description = `Do not allow insecure connections, by explicitly opting-out from TLS validation`;
     this.type = sourceTypes.JAVASCRIPT;
+    this.shortenedURL = "https://git.io/Jeu1N";
   }
 
   match(astNode){
@@ -17,6 +18,6 @@ export default class CertificateErrorEventJSCheck {
       return null;
     }
 
-    return [{ line: astNode.loc.start.line, column: astNode.loc.start.column, id: this.id, description: this.description, severity: severity.MEDIUM, confidence: confidence.TENTATIVE, manualReview: true }];
+    return [{ line: astNode.loc.start.line, column: astNode.loc.start.column, id: this.id, description: this.description, shortenedURL: this.shortenedURL, severity: severity.MEDIUM, confidence: confidence.TENTATIVE, manualReview: true }];
   }
 }

src/finder/checks/AtomicChecks/CertificateVerifyProcJSCheck.js

@@ -6,6 +6,7 @@ export default class CertificateVerifyProcJSCheck {
     this.id = 'CERTIFICATE_VERIFY_PROC_JS_CHECK';
     this.description = `Do not allow insecure connections, by explicitly opting-out from TLS validation or importing untrusted certificates`;
     this.type = sourceTypes.JAVASCRIPT;
+    this.shortenedURL = "https://git.io/Jeu1A";
   }
 
   match(astNode){
@@ -14,12 +15,12 @@ export default class CertificateVerifyProcJSCheck {
 
     if (astNode.callee.property && astNode.callee.property.name === "setCertificateVerifyProc") {
       const description = 'Verify that the application does not explicitly opt-out from TLS validation';
-      return [{ line: astNode.loc.start.line, column: astNode.loc.start.column, id: this.id, description: description, severity: severity.MEDIUM, confidence: confidence.TENTATIVE, manualReview: true }];
+      return [{ line: astNode.loc.start.line, column: astNode.loc.start.column, id: this.id, description: this.description, shortenedURL: this.shortenedURL, severity: severity.MEDIUM, confidence: confidence.TENTATIVE, manualReview: true }];
     }
 
     if (astNode.callee.property && astNode.callee.property.name === "importCertificate") {
       const description = 'Verify custom TLS certificates imported into the platform certificate store';
-      return [{ line: astNode.loc.start.line, column: astNode.loc.start.column, id: this.id, description: description, severity: severity.MEDIUM, confidence: confidence.TENTATIVE, manualReview: true }];
+      return [{ line: astNode.loc.start.line, column: astNode.loc.start.column, id: this.id, description: this.description, shortenedURL: this.shortenedURL, severity: severity.MEDIUM, confidence: confidence.TENTATIVE, manualReview: true }];
     }
   }
 }