mobbdev 0.0.1

package/.env

@@ -0,0 +1,4 @@
+# production@v3
+WEB_LOGIN_URL="https://app.mobb.dev/cli-login"
+WEB_REPORT_URL="https://app.mobb.dev/report/"
+API_URL="https://api.mobb.dev/v1/graphql"

package/README.md

@@ -0,0 +1,17 @@
+# [mobb.dev](https://www.mobb.dev)
+
+Give your developers time back with fixes you can trust.
+
+Turn mountains of depressing SAST findings into code fixes with Mobb's developer-first automated secure code remediation.
+
+## Disclaimer
+
+This is a demo version only capable of analyzing public GitHub repositories. We wrap Snyk Code CLI to produce SAST vulnerabilities report.
+
+Only Java projects are supported at the moment.
+
+## Usage
+
+```shell
+npx mobb https://github.com/mobb-dev/simple-vulnerable-java-project
+```

package/bin/cli.mjs

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import '../index.mjs';

package/index.mjs

@@ -0,0 +1,17 @@
+import { main } from './src/index.mjs';
+import tmp from 'tmp';
+
+const tmpObj = tmp.dirSync({
+    unsafeCleanup: true,
+});
+
+main(tmpObj.name, process.argv.at(2))
+    .catch((err) => {
+        console.error(
+            'Something went wrong, please try again or contact support if issue persists.'
+        );
+        console.error(err);
+    })
+    .then(() => {
+        tmpObj.removeCallback();
+    });

package/package.json

@@ -0,0 +1,44 @@
+{
+    "name": "mobbdev",
+    "version": "0.0.1",
+    "description": "Automated secure code remediation tool",
+    "main": "index.js",
+    "scripts": {
+        "lint": "prettier --check . && eslint **/*.mjs",
+        "lint:fix": "prettier --write . && eslint --fix **/*.mjs",
+        "test": "DOTENV_ME=${ENV_VAULT_CLI} dotenv-vault pull development .env && TOKEN=$(../../scripts/login_auth0.sh) NODE_OPTIONS=--experimental-vm-modules jest",
+        "prepack": "dotenv-vault pull production .env"
+    },
+    "bin": {
+        "mobb": "bin/cli.mjs"
+    },
+    "author": "",
+    "license": "ISC",
+    "dependencies": {
+        "configstore": "6.0.0",
+        "dotenv": "16.0.3",
+        "extract-zip": "2.0.1",
+        "form-data": "4.0.0",
+        "got": "12.6.0",
+        "open": "8.4.2",
+        "snyk": "1.1118.0",
+        "tmp": "0.2.1",
+        "zod": "3.21.4"
+    },
+    "devDependencies": {
+        "@jest/globals": "29.5.0",
+        "eslint": "8.36.0",
+        "jest": "29.5.0",
+        "prettier": "2.8.4"
+    },
+    "engines": {
+        "node": ">=8.5.0"
+    },
+    "files": [
+        "src",
+        "index.mjs",
+        ".env",
+        "README.md",
+        "package.json"
+    ]
+}

package/src/constants.mjs

@@ -0,0 +1,18 @@
+import * as dotenv from 'dotenv';
+import { z } from 'zod';
+
+dotenv.config();
+
+const envVariablesSchema = z
+    .object({
+        WEB_LOGIN_URL: z.string(),
+        WEB_REPORT_URL: z.string(),
+        API_URL: z.string(),
+    })
+    .required();
+
+const envVariables = envVariablesSchema.parse(process.env);
+
+export const WEB_LOGIN_URL = envVariables.WEB_LOGIN_URL;
+export const WEB_REPORT_URL = envVariables.WEB_REPORT_URL;
+export const API_URL = envVariables.API_URL;

package/src/github.mjs

@@ -0,0 +1,61 @@
+import got from 'got';
+import fs from 'node:fs';
+import { promisify } from 'node:util';
+import stream from 'node:stream';
+import extract from 'extract-zip';
+import path from 'node:path';
+
+const pipeline = promisify(stream.pipeline);
+
+export async function getDefaultBranch(repoUrl) {
+    let slug = repoUrl.replace(/https?:\/\/github\.com\//i, '');
+
+    if (slug.endsWith('/')) {
+        slug = slug.substring(0, slug.length - 1);
+    }
+
+    if (slug.endsWith('.git')) {
+        slug = slug.substring(0, slug.length - '.git'.length);
+    }
+
+    try {
+        const repoInfo = await got(`https://api.github.com/repos/${slug}`, {
+            method: 'GET',
+            headers: {
+                Accept: 'application/vnd.github+json',
+                'X-GitHub-Api-Version': '2022-11-28',
+            },
+        }).json();
+
+        return repoInfo.default_branch;
+    } catch (e) {
+        throw new Error(
+            `Can't get default branch, make sure the repository is public: ${repoUrl}.`
+        );
+    }
+}
+
+export async function downloadRepo(repoUrl, reference, dirname) {
+    const zipFilePath = path.join(dirname, 'repo.zip');
+    const downloadStream = got.stream(`${repoUrl}/zipball/${reference}`);
+    const fileWriterStream = fs.createWriteStream(zipFilePath);
+
+    downloadStream.on('downloadProgress', ({ transferred, percent }) => {
+        if (transferred > 0) {
+            console.log(
+                `Progress: ${transferred} (${Math.round(percent * 100)}%) ...`
+            );
+        }
+    });
+
+    await pipeline(downloadStream, fileWriterStream);
+    await extract(zipFilePath, { dir: dirname });
+
+    const repoRoot = fs
+        .readdirSync(dirname, { withFileTypes: true })
+        .filter((dirent) => dirent.isDirectory())
+        .map((dirent) => dirent.name)
+        .at(0);
+
+    return path.join(dirname, repoRoot);
+}

package/src/gql.mjs

@@ -0,0 +1,122 @@
+import got from 'got';
+import { API_URL } from './constants.mjs';
+
+const ME = `
+query me {
+  me {
+    email
+    projectId
+  }
+}
+`;
+
+const CREATE_COMMUNITY_USER = `
+mutation CreateCommunityUser {
+  createCommunityUser {
+    status
+  }
+}
+`;
+
+const UPLOAD_S3_BUCKET_INFO = `
+mutation uploadS3BucketInfo($fileName: String!) {
+  uploadS3BucketInfo(fileName: $fileName) {
+    status
+    error
+    uploadInfo {
+      url
+      fixReportId
+      uploadFieldsJSON
+      uploadKey
+    }
+  }
+}
+`;
+
+const SUBMIT_VULNERABILITY_REPORT = `
+mutation SubmitVulnerabilityReport($vulnerabilityReportFileName: String!, $fixReportId: String!, $repoUrl: String!, $reference: String!) {
+  submitVulnerabilityReport(
+    fixReportId: $fixReportId
+    repoUrl: $repoUrl
+    reference: $reference
+    vulnerabilityReportFileName: $vulnerabilityReportFileName
+    githubAuthToken: null
+  ) {
+    __typename
+  }
+}
+`;
+
+export class GQLClient {
+    #token;
+
+    constructor(token) {
+        this.#token = token;
+    }
+
+    async #apiCall(query, variables = {}) {
+        const response = await got(API_URL, {
+            method: 'POST',
+            headers: {
+                authorization: `Bearer ${this.#token}`,
+            },
+            body: JSON.stringify({
+                query,
+                variables,
+            }),
+        }).json();
+
+        if (response.errors) {
+            throw new Error(`API error: ${response.errors[0].message}`);
+        }
+
+        if (!response.data) {
+            throw new Error('No data returned for the API query.');
+        }
+
+        return response.data;
+    }
+
+    async verifyToken() {
+        await this.createCommunityUser();
+
+        try {
+            await this.#apiCall(ME);
+        } catch (e) {
+            return false;
+        }
+        return true;
+    }
+
+    async createCommunityUser() {
+        try {
+            await this.#apiCall(CREATE_COMMUNITY_USER);
+        } catch (e) {
+            // Ignore errors
+        }
+    }
+
+    async uploadS3BucketInfo() {
+        const data = await this.#apiCall(UPLOAD_S3_BUCKET_INFO, {
+            fileName: 'report.json',
+        });
+
+        return {
+            fixReportId: data.uploadS3BucketInfo.uploadInfo.fixReportId,
+            uploadKey: data.uploadS3BucketInfo.uploadInfo.uploadKey,
+            url: data.uploadS3BucketInfo.uploadInfo.url,
+            uploadFields: JSON.parse(
+                data.uploadS3BucketInfo.uploadInfo.uploadFieldsJSON
+            ),
+        };
+    }
+
+    async submitVulnerabilityReport(fixReportId, repoUrl, reference) {
+        await this.#apiCall(SUBMIT_VULNERABILITY_REPORT, {
+            fixReportId,
+            repoUrl,
+            reference,
+            vulnerabilityReportFileName: 'report.json',
+        });
+    }
+}

package/src/index.mjs

@@ -0,0 +1,76 @@
+import { fileURLToPath } from 'node:url';
+import fs from 'node:fs';
+import path from 'node:path';
+import open from 'open';
+import Configstore from 'configstore';
+import { GQLClient } from './gql.mjs';
+import { webLogin } from './web-login.mjs';
+import { downloadRepo, getDefaultBranch } from './github.mjs';
+import { getSnykReport } from './snyk.mjs';
+import { uploadFile } from './upload-file.mjs';
+import { WEB_REPORT_URL } from './constants.mjs';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const packageJson = JSON.parse(
+    fs.readFileSync(path.join(__dirname, '../package.json'), 'utf8')
+);
+const config = new Configstore(packageJson.name, { token: '' });
+
+export async function main(dirname, repoUrl) {
+    if (!repoUrl) {
+        console.warn('Mobb CLI usage: npx mobb <public GitHub repository URL>');
+        return;
+    }
+
+    let token = config.get('token');
+    let gqlClient = new GQLClient(token);
+
+    if (!token || !(await gqlClient.verifyToken())) {
+        console.log(
+            'You will be redirected to our login page, once the authorization is complete, return to this prompt.'
+        );
+        token = await webLogin();
+        gqlClient = new GQLClient(token);
+
+        if (!(await gqlClient.verifyToken())) {
+            console.error('Something went wrong, API token is invalid.');
+            return;
+        }
+        config.set('token', token);
+    }
+
+    const reference = await getDefaultBranch(repoUrl);
+    const uploadData = await gqlClient.uploadS3BucketInfo();
+
+    const repositoryRoot = await downloadRepo(repoUrl, reference, dirname);
+    const reportPath = path.join(dirname, 'report.json');
+
+    console.log(
+        'We will run Snyk CLI to scan the repository for vulnerabilities. You may be redirected to the login page in the process.'
+    );
+    await getSnykReport(reportPath, repositoryRoot);
+
+    const report = JSON.parse(fs.readFileSync(reportPath, 'utf8'));
+
+    if ((report.runs?.at(0)?.results?.length ?? 0) === 0) {
+        console.log('Snyk has not found any vulnerabilities — nothing to fix.');
+        return;
+    }
+
+    await uploadFile(
+        reportPath,
+        uploadData.url,
+        uploadData.uploadKey,
+        uploadData.uploadFields
+    );
+    await gqlClient.submitVulnerabilityReport(
+        uploadData.fixReportId,
+        repoUrl,
+        reference
+    );
+
+    console.log(
+        'You will be redirected to our report page, please wait until the analysis is finished and enjoy your fixes.'
+    );
+    await open(`${WEB_REPORT_URL}${uploadData.fixReportId}`);
+}

package/src/snyk.mjs

@@ -0,0 +1,41 @@
+import cp from 'node:child_process';
+import { createRequire } from 'node:module';
+
+const require = createRequire(import.meta.url);
+const SNYK_PATH = require.resolve('snyk/bin/snyk');
+
+async function forkSnyk(args, stdio = 'inherit') {
+    return new Promise((resolve, reject) => {
+        const child = cp.fork(SNYK_PATH, args, {
+            stdio,
+        });
+        let out = '';
+
+        if (stdio === 'pipe') {
+            child.stdout.on('data', (chunk) => {
+                out += chunk;
+            });
+        }
+
+        child.on('exit', () => {
+            resolve(out);
+        });
+
+        child.on('error', reject);
+    });
+}
+
+export async function getSnykReport(reportPath, repoRoot) {
+    const config = await forkSnyk(['config'], 'pipe');
+
+    if (!config.includes('api: ')) {
+        await forkSnyk(['auth']);
+    }
+
+    await forkSnyk([
+        'code',
+        'test',
+        `--sarif-file-output=${reportPath}`,
+        repoRoot,
+    ]);
+}

package/src/upload-file.mjs

@@ -0,0 +1,19 @@
+import FormData from 'form-data';
+import fs from 'node:fs';
+import got from 'got';
+
+export async function uploadFile(reportPath, url, uploadKey, uploadFields) {
+    const form = new FormData();
+
+    for (const key in uploadFields) {
+        form.append(key, uploadFields[key]);
+    }
+
+    form.append('key', uploadKey);
+    form.append('file', fs.createReadStream(reportPath));
+
+    await got(url, {
+        method: 'POST',
+        body: form,
+    });
+}

package/src/web-login.mjs

@@ -0,0 +1,47 @@
+import { setTimeout, clearTimeout } from 'node:timers';
+import http from 'node:http';
+import { WEB_LOGIN_URL } from './constants.mjs';
+import querystring from 'node:querystring';
+import open from 'open';
+
+export async function webLogin() {
+    let responseResolver;
+    let responseRejecter;
+    const responseAwaiter = new Promise((resolve, reject) => {
+        responseResolver = resolve;
+        responseRejecter = reject;
+    });
+    const timerHandler = setTimeout(() => {
+        responseRejecter(new Error('No login happened in one minute.'));
+    }, 60000);
+
+    const server = http.createServer((req, res) => {
+        let body = '';
+
+        req.on('data', (chunk) => {
+            body += chunk;
+        });
+
+        req.on('end', () => {
+            res.writeHead(301, {
+                Location: `${WEB_LOGIN_URL}?done=true`,
+            }).end();
+            responseResolver(querystring.parse(body).token);
+        });
+    });
+
+    const port = await new Promise((resolve) => {
+        server.listen(0, '127.0.0.1', () => {
+            resolve(server.address().port);
+        });
+    });
+
+    await open(`${WEB_LOGIN_URL}?port=${port}`);
+
+    try {
+        return await responseAwaiter;
+    } finally {
+        clearTimeout(timerHandler);
+        server.close();
+    }
+}