mobbdev 0.0.143 → 0.0.148

package/dist/index.mjs

@@ -528,16 +528,11 @@ import fetch4 from "node-fetch";
 import open2 from "open";
 import semver from "semver";
 import tmp2 from "tmp";
-import { z as z11 } from "zod";
+import { z as z12 } from "zod";
 
 // src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
 import Debug4 from "debug";
 
-// src/features/analysis/scm/ado.ts
-import querystring from "node:querystring";
-import * as api from "azure-devops-node-api";
-import { z as z2 } from "zod";
-
 // src/features/analysis/scm/types.ts
 var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
   ReferenceType2["BRANCH"] = "BRANCH";
@@ -566,6 +561,35 @@ var ScmType = /* @__PURE__ */ ((ScmType2) => {
   return ScmType2;
 })(ScmType || {});
 
+// src/features/analysis/scm/ado/constants.ts
+var DEFUALT_ADO_ORIGIN = scmCloudUrl.Ado;
+
+// src/features/analysis/scm/ado/utils.ts
+import querystring3 from "node:querystring";
+import * as api from "azure-devops-node-api";
+import { z as z9 } from "zod";
+
+// src/features/analysis/scm/env.ts
+import { z as z2 } from "zod";
+var EnvVariablesZod = z2.object({
+  GITLAB_API_TOKEN: z2.string().optional(),
+  BROKERED_HOSTS: z2.string().toLowerCase().transform(
+    (x) => x.split(",").map((url) => url.trim(), []).filter(Boolean)
+  ).default(""),
+  GITHUB_API_TOKEN: z2.string().optional(),
+  GIT_PROXY_HOST: z2.string().default("http://tinyproxy:8888")
+});
+var { GITLAB_API_TOKEN, BROKERED_HOSTS, GITHUB_API_TOKEN, GIT_PROXY_HOST } = EnvVariablesZod.parse(process.env);
+
+// src/features/analysis/scm/scm.ts
+import { z as z7 } from "zod";
+
+// src/features/analysis/scm/bitbucket/bitbucket.ts
+import querystring from "node:querystring";
+import bitbucketPkg from "bitbucket";
+import * as bitbucketPkgNode from "bitbucket";
+import { z as z3 } from "zod";
+
 // src/features/analysis/scm/urlParser.ts
 function detectAdoUrl(args) {
   const { pathname, hostname, scmType } = args;
@@ -588,19 +612,21 @@ function detectAdoUrl(args) {
     }
   }
   if (hostname === adoHostname || scmType === "Ado" /* Ado */) {
-    if (pathname.length === 3 && pathname[1] === "_git") {
-      return {
-        organization: pathname[0],
-        projectName: pathname[2],
-        repoName: pathname[2]
-      };
-    }
-    if (pathname.length === 4 && pathname[2] === "_git") {
-      return {
-        organization: pathname[0],
-        projectName: pathname[1],
-        repoName: pathname[3]
-      };
+    if (pathname[pathname.length - 2] === "_git") {
+      if (pathname.length === 3) {
+        return {
+          organization: pathname[0],
+          projectName: pathname[2],
+          repoName: pathname[2]
+        };
+      }
+      if (pathname.length > 3) {
+        return {
+          organization: pathname[pathname.length - 4],
+          projectName: pathname[pathname.length - 3],
+          repoName: pathname[pathname.length - 1]
+        };
+      }
     }
   }
   return null;
@@ -710,509 +736,519 @@ var sanityRepoURL = (scmURL) => {
   }
 };
 
-// src/features/analysis/scm/ado.ts
-function removeTrailingSlash(str) {
-  return str.trim().replace(/\/+$/, "");
-}
-async function _getOrgsForOauthToken({ oauthToken }) {
-  const profileZ = z2.object({
-    displayName: z2.string(),
-    publicAlias: z2.string().min(1),
-    emailAddress: z2.string(),
-    coreRevision: z2.number(),
-    timeStamp: z2.string(),
-    id: z2.string(),
-    revision: z2.number()
-  });
-  const accountsZ = z2.object({
-    count: z2.number(),
-    value: z2.array(
-      z2.object({
-        accountId: z2.string(),
-        accountUri: z2.string(),
-        accountName: z2.string()
-      })
-    )
-  });
-  const profileRes = await fetch(
-    "https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=6.0",
-    {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${oauthToken}`
-      }
-    }
-  );
-  const profileJson = await profileRes.json();
-  const profile = profileZ.parse(profileJson);
-  const accountsRes = await fetch(
-    `https://app.vssps.visualstudio.com/_apis/accounts?memberId=${profile.publicAlias}&api-version=6.0`,
-    {
-      method: "GET",
-      headers: {
-        Authorization: `Bearer ${oauthToken}`
-      }
+// src/features/analysis/scm/utils/get_issue_type.ts
+var getIssueType = (issueType) => {
+  switch (issueType) {
+    case "SQL_Injection" /* SqlInjection */:
+      return "SQL Injection";
+    case "CMDi_relative_path_command" /* CmDiRelativePathCommand */:
+      return "Relative Path Command Injection";
+    case "CMDi" /* CmDi */:
+      return "Command Injection";
+    case "XXE" /* Xxe */:
+      return "XXE";
+    case "XSS" /* Xss */:
+      return "XSS";
+    case "PT" /* Pt */:
+      return "Path Traversal";
+    case "ZIP_SLIP" /* ZipSlip */:
+      return "Zip Slip";
+    case "INSECURE_RANDOMNESS" /* InsecureRandomness */:
+      return "Insecure Randomness";
+    case "SSRF" /* Ssrf */:
+      return "Server Side Request Forgery";
+    case "TYPE_CONFUSION" /* TypeConfusion */:
+      return "Type Confusion";
+    case "REGEX_INJECTION" /* RegexInjection */:
+      return "Regular Expression Injection";
+    case "INCOMPLETE_URL_SANITIZATION" /* IncompleteUrlSanitization */:
+      return "Incomplete URL Sanitization";
+    case "LOCALE_DEPENDENT_COMPARISON" /* LocaleDependentComparison */:
+      return "Locale Dependent Comparison";
+    case "LOG_FORGING" /* LogForging */:
+      return "Log Forging";
+    case "MISSING_CHECK_AGAINST_NULL" /* MissingCheckAgainstNull */:
+      return "Missing Check against Null";
+    case "PASSWORD_IN_COMMENT" /* PasswordInComment */:
+      return "Password in Comment";
+    case "OVERLY_BROAD_CATCH" /* OverlyBroadCatch */:
+      return "Poor Error Handling: Overly Broad Catch";
+    case "USE_OF_SYSTEM_OUTPUT_STREAM" /* UseOfSystemOutputStream */:
+      return "Use of System.out/System.err";
+    case "DANGEROUS_FUNCTION_OVERFLOW" /* DangerousFunctionOverflow */:
+      return "Use of dangerous function";
+    case "DOS_STRING_BUILDER" /* DosStringBuilder */:
+      return "Denial of Service: StringBuilder";
+    case "OPEN_REDIRECT" /* OpenRedirect */:
+      return "Open Redirect";
+    case "WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */:
+      return "Weak XML Schema: Unbounded Occurrences";
+    case "SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */:
+      return "System Information Leak";
+    case "SYSTEM_INFORMATION_LEAK_EXTERNAL" /* SystemInformationLeakExternal */:
+      return "External System Information Leak";
+    case "HTTP_RESPONSE_SPLITTING" /* HttpResponseSplitting */:
+      return "HTTP response splitting";
+    case "HTTP_ONLY_COOKIE" /* HttpOnlyCookie */:
+      return "Cookie is not HttpOnly";
+    case "INSECURE_COOKIE" /* InsecureCookie */:
+      return "Insecure Cookie";
+    case "TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */:
+      return "Trust Boundary Violation";
+    case "NULL_DEREFERENCE" /* NullDereference */:
+      return "Null Dereference";
+    case "UNSAFE_DESERIALIZATION" /* UnsafeDeserialization */:
+      return "Unsafe deserialization";
+    case "INSECURE_BINDER_CONFIGURATION" /* InsecureBinderConfiguration */:
+      return "Insecure Binder Configuration";
+    case "UNSAFE_TARGET_BLANK" /* UnsafeTargetBlank */:
+      return "Unsafe use of target blank";
+    case "IFRAME_WITHOUT_SANDBOX" /* IframeWithoutSandbox */:
+      return "Client use of iframe without sandbox";
+    case "JQUERY_DEPRECATED_SYMBOLS" /* JqueryDeprecatedSymbols */:
+      return "jQuery deprecated symbols";
+    case "MISSING_ANTIFORGERY_VALIDATION" /* MissingAntiforgeryValidation */:
+      return "Missing Anti-Forgery Validation";
+    case "GRAPHQL_DEPTH_LIMIT" /* GraphqlDepthLimit */:
+      return "GraphQL Depth Limit";
+    case "UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */:
+      return "Unchecked Loop Condition";
+    case "IMPROPER_RESOURCE_SHUTDOWN_OR_RELEASE" /* ImproperResourceShutdownOrRelease */:
+      return "Improper Resource Shutdown or Release";
+    case "IMPROPER_EXCEPTION_HANDLING" /* ImproperExceptionHandling */:
+      return "Improper Exception Handling";
+    case "DEFAULT_RIGHTS_IN_OBJ_DEFINITION" /* DefaultRightsInObjDefinition */:
+      return "Default Definer Rights in Package or Object Definition";
+    case "HTML_COMMENT_IN_JSP" /* HtmlCommentInJsp */:
+      return "HTML Comment in JSP";
+    case "ERROR_CONDTION_WITHOUT_ACTION" /* ErrorCondtionWithoutAction */:
+      return "Error Condition Without Action";
+    case "DEPRECATED_FUNCTION" /* DeprecatedFunction */:
+      return "Deprecated Function";
+    case "HARDCODED_SECRETS" /* HardcodedSecrets */:
+      return "Hardcoded Secrets";
+    case "PROTOTYPE_POLLUTION" /* PrototypePollution */:
+      return "Prototype Pollution";
+    case "RACE_CONDITION_FORMAT_FLAW" /* RaceConditionFormatFlaw */:
+      return "Race Condition Format Flaw";
+    case "NON_FINAL_PUBLIC_STATIC_FIELD" /* NonFinalPublicStaticField */:
+      return "Non-final Public Static Field";
+    case "MISSING_HSTS_HEADER" /* MissingHstsHeader */:
+      return "Missing HSTS Header";
+    case "DEAD_CODE_UNUSED_FIELD" /* DeadCodeUnusedField */:
+      return "Dead Code: Unused Field";
+    case "HEADER_MANIPULATION" /* HeaderManipulation */:
+      return "Header Manipulation";
+    case "MISSING_EQUALS_OR_HASHCODE" /* MissingEqualsOrHashcode */:
+      return "Missing equals or hashcode method";
+    case "WCF_MISCONFIGURATION_INSUFFICIENT_LOGGING" /* WcfMisconfigurationInsufficientLogging */:
+      return "WCF Misconfiguration: Insufficient Logging";
+    case "WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED" /* WcfMisconfigurationThrottlingNotEnabled */:
+      return "WCF Misconfiguration: Throttling Not Enabled";
+    case "USELESS_REGEXP_CHAR_ESCAPE" /* UselessRegexpCharEscape */:
+      return "Useless regular-expression character escape";
+    case "INCOMPLETE_HOSTNAME_REGEX" /* IncompleteHostnameRegex */:
+      return "Incomplete Hostname Regex";
+    case "OVERLY_LARGE_RANGE" /* OverlyLargeRange */:
+      return "Regex: Overly Large Range";
+    case "INSUFFICIENT_LOGGING" /* InsufficientLogging */:
+      return "Insufficient Logging of Sensitive Operations";
+    case "PRIVACY_VIOLATION" /* PrivacyViolation */:
+      return "Privacy Violation";
+    case "INCOMPLETE_URL_SCHEME_CHECK" /* IncompleteUrlSchemeCheck */:
+      return "Incomplete URL Scheme Check";
+    case "VALUE_NEVER_READ" /* ValueNeverRead */:
+      return "Value Never Read";
+    case "VALUE_SHADOWING" /* ValueShadowing */:
+      return "Value Shadowing";
+    default: {
+      return issueType ? issueType.replaceAll("_", " ") : "Other";
     }
-  );
-  const accountsJson = await accountsRes.json();
-  const accounts = accountsZ.parse(accountsJson);
-  const orgs = accounts.value.map((account) => account.accountName).filter((value, index, array) => array.indexOf(value) === index);
-  return orgs;
-}
-function _getPublicAdoClient({ orgName }) {
-  const orgUrl = `https://dev.azure.com/${orgName}`;
-  const authHandler = api.getPersonalAccessTokenHandler("");
-  authHandler.canHandleAuthentication = () => false;
-  authHandler.prepareRequest = (_options) => {
-    return;
-  };
-  const connection = new api.WebApi(orgUrl, authHandler);
-  return connection;
-}
-function getAdoTokenType(token) {
-  if (token.includes(".")) {
-    return "OAUTH" /* OAUTH */;
   }
-  return "PAT" /* PAT */;
+};
+
+// src/features/analysis/scm/utils/index.ts
+function getFixUrlWithRedirect(params) {
+  const {
+    fixId,
+    projectId,
+    organizationId,
+    analysisId,
+    redirectUrl,
+    appBaseUrl,
+    commentId
+  } = params;
+  const searchParams = new URLSearchParams();
+  searchParams.append("commit_redirect_url", redirectUrl);
+  searchParams.append("comment_id", commentId.toString());
+  return `${getFixUrl({
+    appBaseUrl,
+    fixId,
+    projectId,
+    organizationId,
+    analysisId
+  })}?${searchParams.toString()}`;
 }
-async function getAdoApiClient({
-  accessToken,
-  tokenOrg,
-  orgName
+function getFixUrl({
+  appBaseUrl,
+  fixId,
+  projectId,
+  organizationId,
+  analysisId
 }) {
-  if (!accessToken || tokenOrg && tokenOrg !== orgName) {
-    return _getPublicAdoClient({ orgName });
-  }
-  const orgUrl = `https://dev.azure.com/${orgName}`;
-  if (getAdoTokenType(accessToken) === "OAUTH" /* OAUTH */) {
-    const connection2 = new api.WebApi(orgUrl, api.getBearerHandler(accessToken));
-    return connection2;
-  }
-  const authHandler = api.getPersonalAccessTokenHandler(accessToken);
-  const connection = new api.WebApi(orgUrl, authHandler);
-  return connection;
+  return `${appBaseUrl}/organization/${organizationId}/project/${projectId}/report/${analysisId}/fix/${fixId}`;
 }
-async function adoValidateParams({
-  url,
-  accessToken,
-  tokenOrg
-}) {
-  try {
-    if (!url && accessToken && getAdoTokenType(accessToken) === "OAUTH" /* OAUTH */) {
-      await _getOrgsForOauthToken({ oauthToken: accessToken });
-      return;
-    }
-    let org = tokenOrg;
-    if (url) {
-      const { owner } = parseAdoOwnerAndRepo(url);
-      org = owner;
-    }
-    if (!org) {
-      throw new InvalidRepoUrlError(`invalid ADO ORG ${org}`);
-    }
-    const api2 = await getAdoApiClient({
-      accessToken,
-      tokenOrg,
-      orgName: org
-    });
-    await api2.connect();
-  } catch (e) {
-    const error = e;
-    const code = error.code || error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
-    const description = error.description || `${e}`;
-    if (code === 401 || code === 403 || description.includes("401") || description.includes("403")) {
-      throw new InvalidAccessTokenError(`invalid ADO access token`);
-    }
-    if (code === 404 || description.includes("404") || description.includes("Not Found")) {
-      throw new InvalidRepoUrlError(`invalid ADO repo URL ${url}`);
-    }
-    throw e;
-  }
-}
-async function getAdoIsUserCollaborator({
-  accessToken,
-  tokenOrg,
-  repoUrl
-}) {
-  try {
-    const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-    const api2 = await getAdoApiClient({
-      accessToken,
-      tokenOrg,
-      orgName: owner
-    });
-    const git = await api2.getGitApi();
-    const branches = await git.getBranches(repo, projectName);
-    if (!branches || branches.length === 0) {
-      throw new InvalidRepoUrlError("no branches");
-    }
-    return true;
-  } catch (e) {
-    return false;
-  }
-}
-var adoStatusNumberToEnumMap = {
-  1: "active" /* active */,
-  2: "abandoned" /* abandoned */,
-  3: "completed" /* completed */,
-  4: "all" /* all */
-};
-async function getAdoPullRequestStatus({
-  accessToken,
-  tokenOrg,
-  repoUrl,
-  prNumber
-}) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-  const api2 = await getAdoApiClient({
-    accessToken,
-    tokenOrg,
-    orgName: owner
-  });
-  const git = await api2.getGitApi();
-  const res = await git.getPullRequest(repo, prNumber, projectName);
-  if (!res.status || res.status < 1 || res.status > 3) {
-    throw new Error("bad pr status for ADO");
-  }
-  return adoStatusNumberToEnumMap[res.status];
+function getCommitUrl(params) {
+  const {
+    fixId,
+    projectId,
+    organizationId,
+    analysisId,
+    redirectUrl,
+    appBaseUrl,
+    commentId
+  } = params;
+  const searchParams = new URLSearchParams();
+  searchParams.append("redirect_url", redirectUrl);
+  searchParams.append("comment_id", commentId.toString());
+  return `${getFixUrl({
+    appBaseUrl,
+    fixId,
+    projectId,
+    organizationId,
+    analysisId
+  })}/commit?${searchParams.toString()}`;
 }
-async function getAdoIsRemoteBranch({
-  accessToken,
-  tokenOrg,
-  repoUrl,
-  branch
-}) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-  const api2 = await getAdoApiClient({
-    accessToken,
-    tokenOrg,
-    orgName: owner
-  });
-  const git = await api2.getGitApi();
-  try {
-    const branchStatus = await git.getBranch(repo, branch, projectName);
-    if (!branchStatus || !branchStatus.commit) {
-      throw new InvalidRepoUrlError("no branch status");
-    }
-    return branchStatus.name === branch;
-  } catch (e) {
-    return false;
+var userNamePattern = /^(https?:\/\/)([^@]+@)?([^/]+\/.+)$/;
+var sshPattern = /^git@([\w.-]+):([\w./-]+)$/;
+function normalizeUrl(repoUrl) {
+  let trimmedUrl = repoUrl.trim().replace(/\/+$/, "");
+  if (repoUrl.endsWith(".git")) {
+    trimmedUrl = trimmedUrl.slice(0, -".git".length);
   }
-}
-async function getAdoRepoList({
-  orgName,
-  tokenOrg,
-  accessToken
-}) {
-  let orgs = [];
-  if (getAdoTokenType(accessToken) === "OAUTH" /* OAUTH */) {
-    orgs = await _getOrgsForOauthToken({ oauthToken: accessToken });
+  const usernameMatch = trimmedUrl.match(userNamePattern);
+  if (usernameMatch) {
+    const [_all, protocol, _username, repoPath] = usernameMatch;
+    trimmedUrl = `${protocol}${repoPath}`;
   }
-  if (orgs.length === 0 && !orgName) {
-    throw new Error(`no orgs for ADO`);
-  } else if (orgs.length === 0 && orgName) {
-    orgs = [orgName];
+  const sshMatch = trimmedUrl.match(sshPattern);
+  if (sshMatch) {
+    const [_all, hostname, reporPath] = sshMatch;
+    trimmedUrl = `https://${hostname}/${reporPath}`;
   }
-  const repos = (await Promise.allSettled(
-    orgs.map(async (org) => {
-      const orgApi = await getAdoApiClient({
-        accessToken,
-        tokenOrg,
-        orgName: org
-      });
-      const gitOrg = await orgApi.getGitApi();
-      const orgRepos = await gitOrg.getRepositories();
-      const repoInfoList = (await Promise.allSettled(
-        orgRepos.map(async (repo) => {
-          if (!repo.name || !repo.remoteUrl || !repo.defaultBranch) {
-            throw new InvalidRepoUrlError("bad repo");
-          }
-          const branch = await gitOrg.getBranch(
-            repo.name,
-            repo.defaultBranch.replace(/^refs\/heads\//, ""),
-            repo.project?.name
-          );
-          return {
-            repoName: repo.name,
-            repoUrl: repo.remoteUrl.replace(
-              /^[hH][tT][tT][pP][sS]:\/\/[^/]+@/,
-              "https://"
-            ),
-            repoOwner: org,
-            repoIsPublic: repo.project?.visibility === 2,
-            //2 is public in the ADO API
-            repoLanguages: [],
-            repoUpdatedAt: branch.commit?.committer?.date?.toDateString() || repo.project?.lastUpdateTime?.toDateString() || (/* @__PURE__ */ new Date()).toDateString()
-          };
-        })
-      )).reduce((acc, res) => {
-        if (res.status === "fulfilled") {
-          acc.push(res.value);
-        }
-        return acc;
-      }, []);
-      return repoInfoList;
-    })
-  )).reduce((acc, res) => {
-    if (res.status === "fulfilled") {
-      return acc.concat(res.value);
-    }
-    return acc;
-  }, []);
-  return repos;
+  return trimmedUrl;
 }
-function getAdoPrUrl({
-  url,
-  prNumber
-}) {
-  return `${url}/pullrequest/${prNumber}`;
+var isUrlHasPath = (url) => {
+  return new URL(url).origin !== url;
+};
+function shouldValidateUrl(repoUrl) {
+  return repoUrl && isUrlHasPath(repoUrl);
 }
-function getAdoDownloadUrl({
-  repoUrl,
-  branch
-}) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-  const url = new URL(repoUrl);
-  const origin = url.origin.toLowerCase().endsWith(".visualstudio.com") ? "https://dev.azure.com" : url.origin.toLowerCase();
-  return `${origin}/${owner}/${projectName}/_apis/git/repositories/${repo}/items/items?path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
+
+// src/features/analysis/scm/bitbucket/bitbucket.ts
+var BITBUCKET_HOSTNAME = "bitbucket.org";
+var TokenExpiredErrorZ = z3.object({
+  status: z3.number(),
+  error: z3.object({
+    type: z3.string(),
+    error: z3.object({
+      message: z3.string()
+    })
+  })
+});
+var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
+var BitbucketAuthResultZ = z3.object({
+  access_token: z3.string(),
+  token_type: z3.string(),
+  refresh_token: z3.string()
+});
+var BitbucketParseResultZ = z3.object({
+  organization: z3.string(),
+  repoName: z3.string(),
+  hostname: z3.literal(BITBUCKET_HOSTNAME)
+});
+function parseBitbucketOrganizationAndRepo(bitbucketUrl) {
+  const parsedGitHubUrl = normalizeUrl(bitbucketUrl);
+  const parsingResult = parseScmURL(parsedGitHubUrl, "Bitbucket" /* Bitbucket */);
+  const validatedBitbucketResult = BitbucketParseResultZ.parse(parsingResult);
+  return {
+    workspace: validatedBitbucketResult.organization,
+    repoSlug: validatedBitbucketResult.repoName
+  };
 }
-async function getAdoBranchList({
-  accessToken,
-  tokenOrg,
-  repoUrl
-}) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-  const api2 = await getAdoApiClient({
-    accessToken,
-    tokenOrg,
-    orgName: owner
-  });
-  const git = await api2.getGitApi();
-  try {
-    const res = await git.getBranches(repo, projectName);
-    res.sort((a, b) => {
-      if (!a.commit?.committer?.date || !b.commit?.committer?.date) {
-        return 0;
-      }
-      return b.commit?.committer?.date.getTime() - a.commit?.committer?.date.getTime();
-    });
-    return res.reduce((acc, branch) => {
-      if (!branch.name) {
-        return acc;
+async function getBitbucketToken(params) {
+  const { bitbucketClientId, bitbucketClientSecret, authType } = params;
+  const res = await fetch(BITBUCKET_ACCESS_TOKEN_URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Authorization: "Basic " + btoa(`${bitbucketClientId}:${bitbucketClientSecret}`)
+    },
+    body: querystring.stringify(
+      authType === "refresh_token" ? {
+        grant_type: authType,
+        refresh_token: params.refreshToken
+      } : {
+        grant_type: authType,
+        code: params.code
       }
-      acc.push(branch.name);
-      return acc;
-    }, []);
-  } catch (e) {
-    return [];
-  }
-}
-async function createAdoPullRequest(options) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(options.repoUrl);
-  const api2 = await getAdoApiClient({
-    accessToken: options.accessToken,
-    tokenOrg: options.tokenOrg,
-    orgName: owner
+    )
   });
-  const git = await api2.getGitApi();
-  const res = await git.createPullRequest(
-    {
-      sourceRefName: `refs/heads/${options.sourceBranchName}`,
-      targetRefName: `refs/heads/${options.targetBranchName}`,
-      title: options.title,
-      description: options.body
-    },
-    repo,
-    projectName
-  );
-  return res.pullRequestId;
+  const authResult = await res.json();
+  return BitbucketAuthResultZ.parse(authResult);
 }
-async function getAdoRepoDefaultBranch({
-  repoUrl,
-  tokenOrg,
-  accessToken
-}) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-  const api2 = await getAdoApiClient({
-    accessToken,
-    tokenOrg,
-    orgName: owner
-  });
-  const git = await api2.getGitApi();
-  const getRepositoryRes = await git.getRepository(
-    decodeURI(repo),
-    projectName ? decodeURI(projectName) : void 0
-  );
-  if (!getRepositoryRes?.defaultBranch) {
-    throw new InvalidRepoUrlError("no default branch");
+function getBitbucketIntance(params) {
+  const BitbucketContstructor = bitbucketPkg && "Bitbucket" in bitbucketPkg ? bitbucketPkg.Bitbucket : bitbucketPkgNode.Bitbucket;
+  switch (params.authType) {
+    case "public":
+      return new BitbucketContstructor();
+    case "token":
+      return new BitbucketContstructor({ auth: { token: params.token } });
+    case "basic":
+      return new BitbucketContstructor({
+        auth: {
+          password: params.password,
+          username: params.username
+        }
+      });
   }
-  return getRepositoryRes.defaultBranch.replace("refs/heads/", "");
 }
-async function getAdoReferenceData({
-  ref,
-  repoUrl,
-  accessToken,
-  tokenOrg
-}) {
-  const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
-  const api2 = await getAdoApiClient({
-    accessToken,
-    tokenOrg,
-    orgName: owner
-  });
-  if (!projectName) {
-    throw new InvalidUrlPatternError("no project name");
-  }
-  const git = await api2.getGitApi();
-  const results = await Promise.allSettled([
-    (async () => {
-      const res = await git.getBranch(repo, ref, projectName);
-      if (!res.commit || !res.commit.commitId) {
-        throw new InvalidRepoUrlError("no commit on branch");
-      }
-      return {
-        sha: res.commit.commitId,
-        type: "BRANCH" /* BRANCH */,
-        date: res.commit.committer?.date || /* @__PURE__ */ new Date()
-      };
-    })(),
-    (async () => {
-      const res = await git.getCommits(
-        repo,
-        {
-          fromCommitId: ref,
-          toCommitId: ref,
-          $top: 1
-        },
-        projectName
+function getBitbucketSdk(params) {
+  const bitbucketClient = getBitbucketIntance(params);
+  return {
+    getAuthType() {
+      return params.authType;
+    },
+    async getRepos(params2) {
+      const repoRes = params2?.workspaceSlug ? await getRepositoriesByWorkspace(bitbucketClient, {
+        workspaceSlug: params2.workspaceSlug
+      }) : await getllUsersrepositories(bitbucketClient);
+      return repoRes.map((repo) => ({
+        repoIsPublic: !repo.is_private,
+        repoName: repo.name || "unknown repo name",
+        repoOwner: repo.owner?.username || "unknown owner",
+        // language can be empty string
+        repoLanguages: repo.language ? [repo.language] : [],
+        repoUpdatedAt: repo.updated_on ? repo.updated_on : (/* @__PURE__ */ new Date()).toISOString(),
+        repoUrl: repo.links?.html?.href || ""
+      }));
+    },
+    async getBranchList(params2) {
+      const { workspace, repoSlug } = parseBitbucketOrganizationAndRepo(
+        params2.repoUrl
       );
-      const commit = res[0];
-      if (!commit || !commit.commitId) {
-        throw new Error("no commit");
-      }
-      return {
-        sha: commit.commitId,
-        type: "COMMIT" /* COMMIT */,
-        date: commit.committer?.date || /* @__PURE__ */ new Date()
-      };
-    })(),
-    (async () => {
-      const res = await git.getRefs(repo, projectName, `tags/${ref}`);
-      if (!res[0] || !res[0].objectId) {
-        throw new Error("no tag ref");
+      const res = await bitbucketClient.refs.listBranches({
+        repo_slug: repoSlug,
+        workspace
+      });
+      if (!res.data.values) {
+        return [];
       }
-      let objectId = res[0].objectId;
-      try {
-        const tag = await git.getAnnotatedTag(projectName, repo, objectId);
-        if (tag.taggedObject?.objectId) {
-          objectId = tag.taggedObject.objectId;
+      return res.data.values.filter((branch) => !!branch.name).map((branch) => z3.string().parse(branch.name));
+    },
+    async getIsUserCollaborator(params2) {
+      const { repoUrl } = params2;
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(repoUrl);
+      const fullRepoName = `${workspace}/${repoSlug}`;
+      const res = await bitbucketClient.user.listPermissionsForRepos({
+        q: `repository.full_name~"${fullRepoName}"`
+      });
+      return res.data.values?.some(
+        (res2) => res2.repository?.full_name === fullRepoName
+      ) ?? false;
+    },
+    async createPullRequest(params2) {
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
+        params2.repoUrl
+      );
+      const res = await bitbucketClient.pullrequests.create({
+        repo_slug: repoSlug,
+        workspace,
+        _body: {
+          type: "pullrequest",
+          title: params2.title,
+          summary: {
+            raw: params2.body
+          },
+          source: {
+            branch: {
+              name: params2.sourceBranchName
+            }
+          },
+          destination: {
+            branch: {
+              name: params2.targetBranchName
+            }
+          }
         }
-      } catch (e) {
-      }
-      const commitRes2 = await git.getCommits(
-        repo,
-        {
-          fromCommitId: objectId,
-          toCommitId: objectId,
-          $top: 1
-        },
-        projectName
+      });
+      return res.data;
+    },
+    async getDownloadlink(params2) {
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
+        params2.repoUrl
       );
-      const commit = commitRes2[0];
-      if (!commit) {
-        throw new Error("no commit");
-      }
-      return {
-        sha: objectId,
+      const res = await bitbucketClient.downloads.list({
+        repo_slug: repoSlug,
+        workspace
+      });
+      return res.data;
+    },
+    async getBranch(params2) {
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
+        params2.repoUrl
+      );
+      const res = await bitbucketClient.refs.getBranch({
+        name: params2.branchName,
+        repo_slug: repoSlug,
+        workspace
+      });
+      return res.data;
+    },
+    async getRepo(params2) {
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
+        params2.repoUrl
+      );
+      const res = await bitbucketClient.repositories.get({
+        repo_slug: repoSlug,
+        workspace
+      });
+      return res.data;
+    },
+    async getCommit(params2) {
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
+        params2.repoUrl
+      );
+      const res = await bitbucketClient.commits.get({
+        commit: params2.commitSha,
+        repo_slug: repoSlug,
+        workspace
+      });
+      return res.data;
+    },
+    async getUser() {
+      const res = await bitbucketClient.user.get({});
+      return res.data;
+    },
+    async getReferenceData({
+      ref,
+      url
+    }) {
+      return Promise.allSettled([
+        this.getTagRef({ repoUrl: url, tagName: ref }),
+        this.getBranchRef({ repoUrl: url, branchName: ref }),
+        this.getCommitRef({ repoUrl: url, commitSha: ref })
+      ]).then((promisesResult) => {
+        const [refPromise] = promisesResult.filter(
+          (promise) => promise.status === "fulfilled"
+        );
+        if (!refPromise) {
+          throw new RefNotFoundError(`Invalid reference ${ref} for ${url}`);
+        }
+        return refPromise.value;
+      });
+    },
+    async getTagRef(params2) {
+      const { tagName, repoUrl } = params2;
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(repoUrl);
+      const tagRes = await bitbucketClient.refs.getTag({
+        repo_slug: repoSlug,
+        workspace,
+        name: tagName
+      });
+      return GetRefererenceResultZ.parse({
+        sha: tagRes.data.target?.hash,
         type: "TAG" /* TAG */,
-        date: commit.committer?.date || /* @__PURE__ */ new Date()
-      };
-    })()
-  ]);
-  const [branchRes, commitRes, tagRes] = results;
-  if (tagRes.status === "fulfilled") {
-    return tagRes.value;
-  }
-  if (branchRes.status === "fulfilled") {
-    return branchRes.value;
-  }
-  if (commitRes.status === "fulfilled") {
-    return commitRes.value;
-  }
-  throw new RefNotFoundError(`ref: ${ref} does not exist`);
+        date: new Date(z3.string().parse(tagRes.data.target?.date))
+      });
+    },
+    async getBranchRef(params2) {
+      const getBranchRes = await this.getBranch(params2);
+      return GetRefererenceResultZ.parse({
+        sha: getBranchRes.target?.hash,
+        type: "BRANCH" /* BRANCH */,
+        date: new Date(z3.string().parse(getBranchRes.target?.date))
+      });
+    },
+    async getCommitRef(params2) {
+      const getCommitRes = await this.getCommit(params2);
+      return GetRefererenceResultZ.parse({
+        sha: getCommitRes.hash,
+        type: "COMMIT" /* COMMIT */,
+        date: new Date(z3.string().parse(getCommitRes.date))
+      });
+    },
+    async getDownloadUrl({ url, sha }) {
+      this.getReferenceData({ ref: sha, url });
+      const repoRes = await this.getRepo({ repoUrl: url });
+      const parsedRepoUrl = z3.string().url().parse(repoRes.links?.html?.href);
+      return `${parsedRepoUrl}/get/${sha}.zip`;
+    },
+    async getPullRequest(params2) {
+      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
+        params2.url
+      );
+      const res = await bitbucketClient.pullrequests.get({
+        pull_request_id: params2.prNumber,
+        repo_slug: repoSlug,
+        workspace
+      });
+      return res.data;
+    }
+  };
 }
-function parseAdoOwnerAndRepo(adoUrl) {
-  adoUrl = removeTrailingSlash(adoUrl);
-  const parsingResult = parseScmURL(adoUrl, "Ado" /* Ado */);
-  if (!parsingResult || parsingResult.hostname !== "dev.azure.com" && !parsingResult.hostname.endsWith(".visualstudio.com")) {
-    throw new InvalidUrlPatternError(`invalid ADO repo URL: ${adoUrl}`);
+async function validateBitbucketParams(params) {
+  const { bitbucketClient } = params;
+  const authType = bitbucketClient.getAuthType();
+  try {
+    if (authType !== "public") {
+      await bitbucketClient.getUser();
+    }
+    if (params.url && shouldValidateUrl(params.url)) {
+      await bitbucketClient.getRepo({ repoUrl: params.url });
+    }
+  } catch (e) {
+    const safeParseError = TokenExpiredErrorZ.safeParse(e);
+    if (safeParseError.success) {
+      switch (safeParseError.data.status) {
+        case 401:
+          throw new InvalidAccessTokenError(
+            safeParseError.data.error.error.message
+          );
+        case 404:
+          throw new InvalidRepoUrlError(safeParseError.data.error.error.message);
+      }
+    }
+    throw e;
   }
-  const { organization, repoName, projectName, projectPath, pathElements } = parsingResult;
-  return {
-    owner: decodeURI(organization),
-    repo: decodeURI(repoName),
-    projectName: projectName ? decodeURI(projectName) : void 0,
-    projectPath,
-    pathElements
-  };
 }
-async function getAdoBlameRanges() {
-  return [];
+async function getUsersworkspacesSlugs(bitbucketClient) {
+  const res = await bitbucketClient.workspaces.getWorkspaces({});
+  return res.data.values?.map((v) => z3.string().parse(v.slug));
 }
-var ADO_ACCESS_TOKEN_URL = "https://app.vssps.visualstudio.com/oauth2/token";
-var AdoAuthResultZ = z2.object({
-  access_token: z2.string().min(1),
-  token_type: z2.string().min(1),
-  refresh_token: z2.string().min(1)
-});
-async function getAdoToken({
-  token,
-  adoClientSecret,
-  tokenType,
-  redirectUri
-}) {
-  const res = await fetch(ADO_ACCESS_TOKEN_URL, {
-    method: "POST",
-    headers: {
-      Accept: "application/json",
-      "Content-Type": "application/x-www-form-urlencoded"
-    },
-    body: querystring.stringify({
-      client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-      client_assertion: adoClientSecret,
-      redirect_uri: redirectUri,
-      assertion: token,
-      grant_type: tokenType === "code" /* CODE */ ? "urn:ietf:params:oauth:grant-type:jwt-bearer" : "refresh_token"
-    })
+async function getllUsersrepositories(bitbucketClient) {
+  const userWorspacesSlugs = await getUsersworkspacesSlugs(bitbucketClient);
+  if (!userWorspacesSlugs) {
+    return [];
+  }
+  const allWorkspaceRepos = [];
+  for (const workspaceSlug of userWorspacesSlugs) {
+    const repos = await bitbucketClient.repositories.list({
+      workspace: workspaceSlug
+    });
+    if (!repos.data.values) {
+      continue;
+    }
+    allWorkspaceRepos.push(...repos.data.values);
+  }
+  return allWorkspaceRepos;
+}
+async function getRepositoriesByWorkspace(bitbucketClient, { workspaceSlug }) {
+  const res = await bitbucketClient.repositories.list({
+    workspace: workspaceSlug
   });
-  const authResult = await res.json();
-  return AdoAuthResultZ.parse(authResult);
-}
-var AdoSdk = {
-  getAdoApiClient,
-  adoValidateParams,
-  getAdoIsUserCollaborator,
-  getAdoPullRequestStatus,
-  getAdoIsRemoteBranch,
-  getAdoRepoList,
-  getAdoDownloadUrl,
-  getAdoBranchList,
-  createAdoPullRequest,
-  getAdoRepoDefaultBranch,
-  getAdoReferenceData,
-  parseAdoOwnerAndRepo,
-  getAdoBlameRanges,
-  getAdoToken,
-  getAdoTokenType
-};
-
-// src/features/analysis/scm/bitbucket/bitbucket.ts
-import querystring3 from "node:querystring";
-import * as bitbucketPkg from "bitbucket";
-import { z as z8 } from "zod";
-
-// src/features/analysis/scm/scm.ts
-import { z as z7 } from "zod";
+  return res.data.values ?? [];
+}
 
 // src/features/analysis/scm/github/github.ts
 import { RequestError } from "@octokit/request-error";
@@ -1303,7 +1339,7 @@ function isGithubOnPrem(url) {
 function getFetch(url) {
   if (url && BROKERED_HOSTS.includes(new URL(url).origin)) {
     const dispatcher = new ProxyAgent({
-      uri: process.env["GIT_PROXY_HOST"] || "http://tinyproxy:8888",
+      uri: GIT_PROXY_HOST,
       requestTls: {
         rejectUnauthorized: false
       }
@@ -1727,226 +1763,6 @@ import {
 } from "@gitbeaker/rest";
 import { ProxyAgent as ProxyAgent2 } from "undici";
 
-// src/features/analysis/scm/env.ts
-import { z as z3 } from "zod";
-var EnvVariablesZod = z3.object({
-  GITLAB_API_TOKEN: z3.string().optional(),
-  BROKERED_HOSTS: z3.string().toLowerCase().transform(
-    (x) => x.split(",").map((url) => url.trim(), []).filter(Boolean)
-  ).default(""),
-  GITHUB_API_TOKEN: z3.string().optional()
-});
-var { GITLAB_API_TOKEN, BROKERED_HOSTS, GITHUB_API_TOKEN } = EnvVariablesZod.parse(process.env);
-
-// src/features/analysis/scm/utils/get_issue_type.ts
-var getIssueType = (issueType) => {
-  switch (issueType) {
-    case "SQL_Injection" /* SqlInjection */:
-      return "SQL Injection";
-    case "CMDi_relative_path_command" /* CmDiRelativePathCommand */:
-      return "Relative Path Command Injection";
-    case "CMDi" /* CmDi */:
-      return "Command Injection";
-    case "XXE" /* Xxe */:
-      return "XXE";
-    case "XSS" /* Xss */:
-      return "XSS";
-    case "PT" /* Pt */:
-      return "Path Traversal";
-    case "ZIP_SLIP" /* ZipSlip */:
-      return "Zip Slip";
-    case "INSECURE_RANDOMNESS" /* InsecureRandomness */:
-      return "Insecure Randomness";
-    case "SSRF" /* Ssrf */:
-      return "Server Side Request Forgery";
-    case "TYPE_CONFUSION" /* TypeConfusion */:
-      return "Type Confusion";
-    case "REGEX_INJECTION" /* RegexInjection */:
-      return "Regular Expression Injection";
-    case "INCOMPLETE_URL_SANITIZATION" /* IncompleteUrlSanitization */:
-      return "Incomplete URL Sanitization";
-    case "LOCALE_DEPENDENT_COMPARISON" /* LocaleDependentComparison */:
-      return "Locale Dependent Comparison";
-    case "LOG_FORGING" /* LogForging */:
-      return "Log Forging";
-    case "MISSING_CHECK_AGAINST_NULL" /* MissingCheckAgainstNull */:
-      return "Missing Check against Null";
-    case "PASSWORD_IN_COMMENT" /* PasswordInComment */:
-      return "Password in Comment";
-    case "OVERLY_BROAD_CATCH" /* OverlyBroadCatch */:
-      return "Poor Error Handling: Overly Broad Catch";
-    case "USE_OF_SYSTEM_OUTPUT_STREAM" /* UseOfSystemOutputStream */:
-      return "Use of System.out/System.err";
-    case "DANGEROUS_FUNCTION_OVERFLOW" /* DangerousFunctionOverflow */:
-      return "Use of dangerous function";
-    case "DOS_STRING_BUILDER" /* DosStringBuilder */:
-      return "Denial of Service: StringBuilder";
-    case "OPEN_REDIRECT" /* OpenRedirect */:
-      return "Open Redirect";
-    case "WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */:
-      return "Weak XML Schema: Unbounded Occurrences";
-    case "SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */:
-      return "System Information Leak";
-    case "SYSTEM_INFORMATION_LEAK_EXTERNAL" /* SystemInformationLeakExternal */:
-      return "External System Information Leak";
-    case "HTTP_RESPONSE_SPLITTING" /* HttpResponseSplitting */:
-      return "HTTP response splitting";
-    case "HTTP_ONLY_COOKIE" /* HttpOnlyCookie */:
-      return "Cookie is not HttpOnly";
-    case "INSECURE_COOKIE" /* InsecureCookie */:
-      return "Insecure Cookie";
-    case "TRUST_BOUNDARY_VIOLATION" /* TrustBoundaryViolation */:
-      return "Trust Boundary Violation";
-    case "NULL_DEREFERENCE" /* NullDereference */:
-      return "Null Dereference";
-    case "UNSAFE_DESERIALIZATION" /* UnsafeDeserialization */:
-      return "Unsafe deserialization";
-    case "INSECURE_BINDER_CONFIGURATION" /* InsecureBinderConfiguration */:
-      return "Insecure Binder Configuration";
-    case "UNSAFE_TARGET_BLANK" /* UnsafeTargetBlank */:
-      return "Unsafe use of target blank";
-    case "IFRAME_WITHOUT_SANDBOX" /* IframeWithoutSandbox */:
-      return "Client use of iframe without sandbox";
-    case "JQUERY_DEPRECATED_SYMBOLS" /* JqueryDeprecatedSymbols */:
-      return "jQuery deprecated symbols";
-    case "MISSING_ANTIFORGERY_VALIDATION" /* MissingAntiforgeryValidation */:
-      return "Missing Anti-Forgery Validation";
-    case "GRAPHQL_DEPTH_LIMIT" /* GraphqlDepthLimit */:
-      return "GraphQL Depth Limit";
-    case "UNCHECKED_LOOP_CONDITION" /* UncheckedLoopCondition */:
-      return "Unchecked Loop Condition";
-    case "IMPROPER_RESOURCE_SHUTDOWN_OR_RELEASE" /* ImproperResourceShutdownOrRelease */:
-      return "Improper Resource Shutdown or Release";
-    case "IMPROPER_EXCEPTION_HANDLING" /* ImproperExceptionHandling */:
-      return "Improper Exception Handling";
-    case "DEFAULT_RIGHTS_IN_OBJ_DEFINITION" /* DefaultRightsInObjDefinition */:
-      return "Default Definer Rights in Package or Object Definition";
-    case "HTML_COMMENT_IN_JSP" /* HtmlCommentInJsp */:
-      return "HTML Comment in JSP";
-    case "ERROR_CONDTION_WITHOUT_ACTION" /* ErrorCondtionWithoutAction */:
-      return "Error Condition Without Action";
-    case "DEPRECATED_FUNCTION" /* DeprecatedFunction */:
-      return "Deprecated Function";
-    case "HARDCODED_SECRETS" /* HardcodedSecrets */:
-      return "Hardcoded Secrets";
-    case "PROTOTYPE_POLLUTION" /* PrototypePollution */:
-      return "Prototype Pollution";
-    case "RACE_CONDITION_FORMAT_FLAW" /* RaceConditionFormatFlaw */:
-      return "Race Condition Format Flaw";
-    case "NON_FINAL_PUBLIC_STATIC_FIELD" /* NonFinalPublicStaticField */:
-      return "Non-final Public Static Field";
-    case "MISSING_HSTS_HEADER" /* MissingHstsHeader */:
-      return "Missing HSTS Header";
-    case "DEAD_CODE_UNUSED_FIELD" /* DeadCodeUnusedField */:
-      return "Dead Code: Unused Field";
-    case "HEADER_MANIPULATION" /* HeaderManipulation */:
-      return "Header Manipulation";
-    case "MISSING_EQUALS_OR_HASHCODE" /* MissingEqualsOrHashcode */:
-      return "Missing equals or hashcode method";
-    case "WCF_MISCONFIGURATION_INSUFFICIENT_LOGGING" /* WcfMisconfigurationInsufficientLogging */:
-      return "WCF Misconfiguration: Insufficient Logging";
-    case "WCF_MISCONFIGURATION_THROTTLING_NOT_ENABLED" /* WcfMisconfigurationThrottlingNotEnabled */:
-      return "WCF Misconfiguration: Throttling Not Enabled";
-    case "USELESS_REGEXP_CHAR_ESCAPE" /* UselessRegexpCharEscape */:
-      return "Useless regular-expression character escape";
-    case "INCOMPLETE_HOSTNAME_REGEX" /* IncompleteHostnameRegex */:
-      return "Incomplete Hostname Regex";
-    case "OVERLY_LARGE_RANGE" /* OverlyLargeRange */:
-      return "Regex: Overly Large Range";
-    case "INSUFFICIENT_LOGGING" /* InsufficientLogging */:
-      return "Insufficient Logging of Sensitive Operations";
-    case "PRIVACY_VIOLATION" /* PrivacyViolation */:
-      return "Privacy Violation";
-    case "INCOMPLETE_URL_SCHEME_CHECK" /* IncompleteUrlSchemeCheck */:
-      return "Incomplete URL Scheme Check";
-    case "VALUE_NEVER_READ" /* ValueNeverRead */:
-      return "Value Never Read";
-    case "VALUE_SHADOWING" /* ValueShadowing */:
-      return "Value Shadowing";
-    default: {
-      return issueType ? issueType.replaceAll("_", " ") : "Other";
-    }
-  }
-};
-
-// src/features/analysis/scm/utils/index.ts
-function getFixUrlWithRedirect(params) {
-  const {
-    fixId,
-    projectId,
-    organizationId,
-    analysisId,
-    redirectUrl,
-    appBaseUrl,
-    commentId
-  } = params;
-  const searchParams = new URLSearchParams();
-  searchParams.append("commit_redirect_url", redirectUrl);
-  searchParams.append("comment_id", commentId.toString());
-  return `${getFixUrl({
-    appBaseUrl,
-    fixId,
-    projectId,
-    organizationId,
-    analysisId
-  })}?${searchParams.toString()}`;
-}
-function getFixUrl({
-  appBaseUrl,
-  fixId,
-  projectId,
-  organizationId,
-  analysisId
-}) {
-  return `${appBaseUrl}/organization/${organizationId}/project/${projectId}/report/${analysisId}/fix/${fixId}`;
-}
-function getCommitUrl(params) {
-  const {
-    fixId,
-    projectId,
-    organizationId,
-    analysisId,
-    redirectUrl,
-    appBaseUrl,
-    commentId
-  } = params;
-  const searchParams = new URLSearchParams();
-  searchParams.append("redirect_url", redirectUrl);
-  searchParams.append("comment_id", commentId.toString());
-  return `${getFixUrl({
-    appBaseUrl,
-    fixId,
-    projectId,
-    organizationId,
-    analysisId
-  })}/commit?${searchParams.toString()}`;
-}
-var userNamePattern = /^(https?:\/\/)([^@]+@)?([^/]+\/.+)$/;
-var sshPattern = /^git@([\w.-]+):([\w./-]+)$/;
-function normalizeUrl(repoUrl) {
-  let trimmedUrl = repoUrl.trim().replace(/\/+$/, "");
-  if (repoUrl.endsWith(".git")) {
-    trimmedUrl = trimmedUrl.slice(0, -".git".length);
-  }
-  const usernameMatch = trimmedUrl.match(userNamePattern);
-  if (usernameMatch) {
-    const [_all, protocol, _username, repoPath] = usernameMatch;
-    trimmedUrl = `${protocol}${repoPath}`;
-  }
-  const sshMatch = trimmedUrl.match(sshPattern);
-  if (sshMatch) {
-    const [_all, hostname, reporPath] = sshMatch;
-    trimmedUrl = `https://${hostname}/${reporPath}`;
-  }
-  return trimmedUrl;
-}
-var isUrlHasPath = (url) => {
-  return new URL(url).origin !== url;
-};
-function shouldValidateUrl(repoUrl) {
-  return repoUrl && isUrlHasPath(repoUrl);
-}
-
 // src/features/analysis/scm/gitlab/types.ts
 import { z as z4 } from "zod";
 var GitlabAuthResultZ = z4.object({
@@ -1956,7 +1772,7 @@ var GitlabAuthResultZ = z4.object({
 });
 
 // src/features/analysis/scm/gitlab/gitlab.ts
-function removeTrailingSlash2(str) {
+function removeTrailingSlash(str) {
   return str.trim().replace(/\/+$/, "");
 }
 function getGitBeaker(options) {
@@ -2185,7 +2001,7 @@ async function getGitlabReferenceData({ ref, gitlabUrl }, options) {
   throw new RefNotFoundError(`ref: ${ref} does not exist`);
 }
 function parseGitlabOwnerAndRepo(gitlabUrl) {
-  gitlabUrl = removeTrailingSlash2(gitlabUrl);
+  gitlabUrl = removeTrailingSlash(gitlabUrl);
   const parsingResult = parseScmURL(gitlabUrl, "GitLab" /* GitLab */);
   if (!parsingResult || !parsingResult.repoName) {
     throw new InvalidUrlPatternError(`invalid gitlab repo Url ${gitlabUrl}`);
@@ -2263,7 +2079,8 @@ var BaseSubmitToScmMessageZ = z5.object({
     })
   ),
   commitHash: z5.string(),
-  repoUrl: z5.string()
+  repoUrl: z5.string(),
+  extraHeaders: z5.record(z5.string(), z5.string()).default({})
 });
 var submitToScmMessageType = {
   commitToSameBranch: "commitToSameBranch",
@@ -2532,7 +2349,8 @@ var SCMLib = class {
     }
     const scmLibType = this.getScmLibType();
     if (scmLibType === "ADO" /* ADO */) {
-      return `https://${accessToken}@${trimmedUrl.toLowerCase().replace("https://", "")}`;
+      const { host, protocol, pathname } = new URL(trimmedUrl);
+      return `${protocol}//${accessToken}@${host}${pathname}`;
     }
     if (this instanceof BitbucketSCMLib) {
       const authData = this.getAuthData();
@@ -2580,7 +2398,7 @@ var SCMLib = class {
     }
     return this.url.split("/").at(-1) || "";
   }
-  _validateToken() {
+  _validateAccessToken() {
     if (!this.accessToken) {
       console.error("no access token");
       throw new Error("no access token");
@@ -2626,14 +2444,12 @@ var SCMLib = class {
           scmLibScmTypeToScmType[z7.nativeEnum(ScmLibScmType).parse(scmType)]
         );
       }
+      console.error(`error validating scm: ${scmType} `, e);
     }
     return new StubSCMLib(trimmedUrl, void 0, void 0);
   }
   _validateAccessTokenAndUrl() {
-    if (!this.accessToken) {
-      console.error("no access token");
-      throw new InvalidAccessTokenError("no access token");
-    }
+    this._validateAccessToken();
     this._validateUrl();
   }
   _validateUrl() {
@@ -2643,45 +2459,65 @@ var SCMLib = class {
     }
   }
 };
+async function initAdoSdk(params) {
+  const { url, accessToken, scmOrg } = params;
+  const adoClientParams = await getAdoClientParams({
+    tokenOrg: scmOrg,
+    accessToken,
+    url
+  });
+  return getAdoSdk(adoClientParams);
+}
 var AdoSCMLib = class extends SCMLib {
+  constructor(url, accessToken, scmOrg) {
+    super(url, accessToken, scmOrg);
+    __publicField(this, "_adoSdkPromise");
+    this._adoSdkPromise = initAdoSdk({ accessToken, url, scmOrg });
+  }
+  async getAdoSdk() {
+    if (!this._adoSdkPromise) {
+      console.error("ado sdk was not initialized");
+      throw new InvalidAccessTokenError("ado sdk was not initialized");
+    }
+    return this._adoSdkPromise;
+  }
   async createSubmitRequest(params) {
     this._validateAccessTokenAndUrl();
     const { targetBranchName, sourceBranchName, title, body } = params;
-    return String(
-      await AdoSdk.createAdoPullRequest({
-        title,
-        body,
-        targetBranchName,
-        sourceBranchName,
-        repoUrl: this.url,
-        accessToken: this.accessToken,
-        tokenOrg: this.scmOrg
-      })
-    );
+    const adoSdk = await this.getAdoSdk();
+    const pullRequestId = await adoSdk.createAdoPullRequest({
+      title,
+      body,
+      targetBranchName,
+      sourceBranchName,
+      repoUrl: this.url
+    });
+    return String(pullRequestId);
   }
   async validateParams() {
-    return AdoSdk.adoValidateParams({
+    return adoValidateParams({
       url: this.url,
       accessToken: this.accessToken,
       tokenOrg: this.scmOrg
     });
   }
   async getRepoList(scmOrg) {
-    if (!this.accessToken) {
-      console.error("no access token");
-      throw new Error("no access token");
+    this._validateAccessToken();
+    if (this.url && new URL(this.url).origin !== scmCloudUrl.Ado) {
+      throw new Error(
+        `Oauth token is not supported for ADO on prem - ${origin} `
+      );
     }
-    return AdoSdk.getAdoRepoList({
+    return getAdoRepoList({
       orgName: scmOrg,
-      tokenOrg: this.scmOrg,
-      accessToken: this.accessToken
+      accessToken: this.accessToken,
+      tokenOrg: this.scmOrg
     });
   }
   async getBranchList() {
     this._validateAccessTokenAndUrl();
-    return AdoSdk.getAdoBranchList({
-      accessToken: this.accessToken,
-      tokenOrg: this.scmOrg,
+    const adoSdk = await this.getAdoSdk();
+    return adoSdk.getAdoBranchList({
       repoUrl: this.url
     });
   }
@@ -2690,7 +2526,7 @@ var AdoSCMLib = class extends SCMLib {
   }
   getAuthHeaders() {
     if (this.accessToken) {
-      if (AdoSdk.getAdoTokenType(this.accessToken) === "OAUTH" /* OAUTH */) {
+      if (getAdoTokenInfo(this.accessToken).type === "OAUTH") {
         return {
           authorization: `Bearer ${this.accessToken}`
         };
@@ -2704,29 +2540,26 @@ var AdoSCMLib = class extends SCMLib {
     }
     return {};
   }
-  getDownloadUrl(sha) {
+  async getDownloadUrl(sha) {
     this._validateUrl();
-    return Promise.resolve(
-      AdoSdk.getAdoDownloadUrl({ repoUrl: this.url, branch: sha })
-    );
+    const adoSdk = await this.getAdoSdk();
+    return adoSdk.getAdoDownloadUrl({ repoUrl: this.url, branch: sha });
   }
   async _getUsernameForAuthUrl() {
     throw new Error("_getUsernameForAuthUrl() is not relevant for ADO");
   }
   async getIsRemoteBranch(branch) {
     this._validateAccessTokenAndUrl();
-    return AdoSdk.getAdoIsRemoteBranch({
-      accessToken: this.accessToken,
-      tokenOrg: this.scmOrg,
+    const adoSdk = await this.getAdoSdk();
+    return adoSdk.getAdoIsRemoteBranch({
       repoUrl: this.url,
       branch
     });
   }
   async getUserHasAccessToRepo() {
     this._validateAccessTokenAndUrl();
-    return AdoSdk.getAdoIsUserCollaborator({
-      accessToken: this.accessToken,
-      tokenOrg: this.scmOrg,
+    const adoSdk = await this.getAdoSdk();
+    return adoSdk.getAdoIsUserCollaborator({
       repoUrl: this.url
     });
   }
@@ -2735,46 +2568,48 @@ var AdoSCMLib = class extends SCMLib {
   }
   async getSubmitRequestStatus(scmSubmitRequestId) {
     this._validateAccessTokenAndUrl();
-    const state = await AdoSdk.getAdoPullRequestStatus({
-      accessToken: this.accessToken,
-      tokenOrg: this.scmOrg,
+    const adoSdk = await this.getAdoSdk();
+    const state = await adoSdk.getAdoPullRequestStatus({
       repoUrl: this.url,
       prNumber: Number(scmSubmitRequestId)
     });
     switch (state) {
-      case "completed" /* completed */:
+      case 3 /* Completed */:
         return "merged";
-      case "active" /* active */:
+      case 1 /* Active */:
         return "open";
-      case "abandoned" /* abandoned */:
+      case 2 /* Abandoned */:
         return "closed";
       default:
         throw new Error(`unknown state ${state}`);
     }
   }
   async getRepoBlameRanges(_ref, _path) {
-    return await AdoSdk.getAdoBlameRanges();
+    const adoSdk = await this.getAdoSdk();
+    return await adoSdk.getAdoBlameRanges();
   }
   async getReferenceData(ref) {
     this._validateUrl();
-    return await AdoSdk.getAdoReferenceData({
+    const adoSdk = await this.getAdoSdk();
+    return await adoSdk.getAdoReferenceData({
       ref,
-      repoUrl: this.url,
-      accessToken: this.accessToken,
-      tokenOrg: this.scmOrg
+      repoUrl: this.url
     });
   }
   async getRepoDefaultBranch() {
     this._validateUrl();
-    return await AdoSdk.getAdoRepoDefaultBranch({
-      repoUrl: this.url,
-      tokenOrg: this.scmOrg,
-      accessToken: this.accessToken
+    const adoSdk = await this.getAdoSdk();
+    return await adoSdk.getAdoRepoDefaultBranch({
+      repoUrl: this.url
     });
   }
-  getPrUrl(prNumber) {
-    this._validateAccessTokenAndUrl();
-    return Promise.resolve(getAdoPrUrl({ prNumber, url: this.url }));
+  async getPrUrl(prNumber) {
+    this._validateUrl();
+    const adoSdk = await this.getAdoSdk();
+    return adoSdk.getAdoPrUrl({
+      url: this.url,
+      prNumber
+    });
   }
 };
 var GitlabSCMLib = class extends SCMLib {
@@ -2937,7 +2772,7 @@ var GithubSCMLib = class extends SCMLib {
     return String(pullRequestResult.data.number);
   }
   async forkRepo(repoUrl) {
-    this._validateToken();
+    this._validateAccessToken();
     return this.githubSdk.forkRepo({
       repoUrl
     });
@@ -3017,7 +2852,7 @@ var GithubSCMLib = class extends SCMLib {
     return z7.string().parse(prRes.data);
   }
   async getRepoList(_scmOrg) {
-    this._validateToken();
+    this._validateAccessToken();
     return this.githubSdk.getGithubRepoList();
   }
   async getBranchList() {
@@ -3060,7 +2895,7 @@ var GithubSCMLib = class extends SCMLib {
     });
   }
   async getUsername() {
-    this._validateToken();
+    this._validateAccessToken();
     return this.githubSdk.getGithubUsername();
   }
   async getSubmitRequestStatus(scmSubmitRequestId) {
@@ -3236,7 +3071,7 @@ var BitbucketSCMLib = class extends SCMLib {
     const authType = this.bitbucketSdk.getAuthType();
     switch (authType) {
       case "basic": {
-        this._validateToken();
+        this._validateAccessToken();
         const { username, password } = getUserAndPassword(this.accessToken);
         return { username, password, authType };
       }
@@ -3262,7 +3097,7 @@ var BitbucketSCMLib = class extends SCMLib {
     });
   }
   async getRepoList(scmOrg) {
-    this._validateToken();
+    this._validateAccessToken();
     return this.bitbucketSdk.getRepos({
       workspaceSlug: scmOrg
     });
@@ -3284,7 +3119,7 @@ var BitbucketSCMLib = class extends SCMLib {
       case "token":
         return { authorization: `Bearer ${this.accessToken}` };
       case "basic": {
-        this._validateToken();
+        this._validateAccessToken();
         const { username, password } = getUserAndPassword(this.accessToken);
         return {
           authorization: `Basic ${Buffer.from(
@@ -3323,7 +3158,7 @@ var BitbucketSCMLib = class extends SCMLib {
     return this.bitbucketSdk.getIsUserCollaborator({ repoUrl: this.url });
   }
   async getUsername() {
-    this._validateToken();
+    this._validateAccessToken();
     const res = await this.bitbucketSdk.getUser();
     return z7.string().parse(res.username);
   }
@@ -3375,309 +3210,516 @@ var BitbucketSCMLib = class extends SCMLib {
   }
 };
 
-// src/features/analysis/scm/bitbucket/bitbucket.ts
-var { Bitbucket } = bitbucketPkg;
-var BITBUCKET_HOSTNAME = "bitbucket.org";
-var TokenExpiredErrorZ = z8.object({
-  status: z8.number(),
-  error: z8.object({
-    type: z8.string(),
-    error: z8.object({
-      message: z8.string()
-    })
-  })
+// src/features/analysis/scm/ado/validation.ts
+import { z as z8 } from "zod";
+var ValidPullRequestStatusZ = z8.union([
+  z8.literal(1 /* Active */),
+  z8.literal(2 /* Abandoned */),
+  z8.literal(3 /* Completed */)
+]);
+var AdoAuthResultZ = z8.object({
+  access_token: z8.string().min(1),
+  token_type: z8.string().min(1),
+  refresh_token: z8.string().min(1)
 });
-var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
-var BitbucketAuthResultZ = z8.object({
-  access_token: z8.string(),
-  token_type: z8.string(),
-  refresh_token: z8.string()
+var profileZ = z8.object({
+  displayName: z8.string(),
+  publicAlias: z8.string().min(1),
+  emailAddress: z8.string(),
+  coreRevision: z8.number(),
+  timeStamp: z8.string(),
+  id: z8.string(),
+  revision: z8.number()
 });
-var BitbucketParseResultZ = z8.object({
-  organization: z8.string(),
-  repoName: z8.string(),
-  hostname: z8.literal(BITBUCKET_HOSTNAME)
+var accountsZ = z8.object({
+  count: z8.number(),
+  value: z8.array(
+    z8.object({
+      accountId: z8.string(),
+      accountUri: z8.string(),
+      accountName: z8.string()
+    })
+  )
 });
-function parseBitbucketOrganizationAndRepo(bitbucketUrl) {
-  const parsedGitHubUrl = normalizeUrl(bitbucketUrl);
-  const parsingResult = parseScmURL(parsedGitHubUrl, "Bitbucket" /* Bitbucket */);
-  const validatedBitbucketResult = BitbucketParseResultZ.parse(parsingResult);
-  return {
-    workspace: validatedBitbucketResult.organization,
-    repoSlug: validatedBitbucketResult.repoName
+
+// src/features/analysis/scm/ado/utils.ts
+function _getPublicAdoClient({
+  orgName,
+  origin: origin2
+}) {
+  const orgUrl = `${origin2}/${orgName}`;
+  const authHandler = api.getPersonalAccessTokenHandler("");
+  authHandler.canHandleAuthentication = () => false;
+  authHandler.prepareRequest = (_options) => {
+    return;
   };
+  const connection = new api.WebApi(orgUrl, authHandler);
+  return connection;
 }
-async function getBitbucketToken(params) {
-  const { bitbucketClientId, bitbucketClientSecret, authType } = params;
-  const res = await fetch(BITBUCKET_ACCESS_TOKEN_URL, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      Authorization: "Basic " + btoa(`${bitbucketClientId}:${bitbucketClientSecret}`)
-    },
-    body: querystring3.stringify(
-      authType === "refresh_token" ? {
-        grant_type: authType,
-        refresh_token: params.refreshToken
-      } : {
-        grant_type: authType,
-        code: params.code
-      }
-    )
-  });
-  const authResult = await res.json();
-  return BitbucketAuthResultZ.parse(authResult);
+function removeTrailingSlash2(str) {
+  return str.trim().replace(/\/+$/, "");
 }
-function getBitbucketIntance(params) {
-  switch (params.authType) {
-    case "public":
-      return new Bitbucket();
-    case "token":
-      return new Bitbucket({ auth: { token: params.token } });
-    case "basic":
-      return new Bitbucket({
-        auth: {
-          password: params.password,
-          username: params.username
-        }
-      });
+function parseAdoOwnerAndRepo(adoUrl) {
+  adoUrl = removeTrailingSlash2(adoUrl);
+  const parsingResult = parseScmURL(adoUrl, "Ado" /* Ado */);
+  if (!parsingResult) {
+    throw new InvalidUrlPatternError(`
+      : ${adoUrl}`);
   }
-}
-function getBitbucketSdk(params) {
-  const bitbucketClient = getBitbucketIntance(params);
+  const {
+    organization,
+    repoName,
+    projectName,
+    projectPath,
+    pathElements,
+    hostname,
+    protocol
+  } = parsingResult;
   return {
-    getAuthType() {
-      return params.authType;
-    },
-    async getRepos(params2) {
-      const repoRes = params2?.workspaceSlug ? await getRepositoriesByWorkspace(bitbucketClient, {
-        workspaceSlug: params2.workspaceSlug
-      }) : await getllUsersrepositories(bitbucketClient);
-      return repoRes.map((repo) => ({
-        repoIsPublic: !repo.is_private,
-        repoName: repo.name || "unknown repo name",
-        repoOwner: repo.owner?.username || "unknown owner",
-        // language can be empty string
-        repoLanguages: repo.language ? [repo.language] : [],
-        repoUpdatedAt: repo.updated_on ? repo.updated_on : (/* @__PURE__ */ new Date()).toISOString(),
-        repoUrl: repo.links?.html?.href || ""
-      }));
-    },
-    async getBranchList(params2) {
-      const { workspace, repoSlug } = parseBitbucketOrganizationAndRepo(
-        params2.repoUrl
-      );
-      const res = await bitbucketClient.refs.listBranches({
-        repo_slug: repoSlug,
-        workspace
-      });
-      if (!res.data.values) {
-        return [];
-      }
-      return res.data.values.filter((branch) => !!branch.name).map((branch) => z8.string().parse(branch.name));
-    },
-    async getIsUserCollaborator(params2) {
-      const { repoUrl } = params2;
-      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(repoUrl);
-      const fullRepoName = `${workspace}/${repoSlug}`;
-      const res = await bitbucketClient.user.listPermissionsForRepos({
-        q: `repository.full_name~"${fullRepoName}"`
-      });
-      return res.data.values?.some(
-        (res2) => res2.repository?.full_name === fullRepoName
-      ) ?? false;
-    },
-    async createPullRequest(params2) {
-      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
-        params2.repoUrl
-      );
-      const res = await bitbucketClient.pullrequests.create({
-        repo_slug: repoSlug,
-        workspace,
-        _body: {
-          type: "pullrequest",
-          title: params2.title,
-          summary: {
-            raw: params2.body
-          },
-          source: {
-            branch: {
-              name: params2.sourceBranchName
-            }
-          },
-          destination: {
-            branch: {
-              name: params2.targetBranchName
-            }
-          }
-        }
-      });
-      return res.data;
-    },
-    async getDownloadlink(params2) {
-      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
-        params2.repoUrl
-      );
-      const res = await bitbucketClient.downloads.list({
-        repo_slug: repoSlug,
-        workspace
-      });
-      return res.data;
-    },
-    async getBranch(params2) {
-      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
-        params2.repoUrl
-      );
-      const res = await bitbucketClient.refs.getBranch({
-        name: params2.branchName,
-        repo_slug: repoSlug,
-        workspace
+    owner: decodeURI(organization),
+    repo: decodeURI(repoName),
+    projectName: projectName ? decodeURI(projectName) : void 0,
+    projectPath,
+    pathElements,
+    origin: `${protocol}//${hostname}`
+  };
+}
+async function getAdoConnectData({
+  url,
+  tokenOrg,
+  adoTokenInfo
+}) {
+  if (url && new URL(url).origin !== url) {
+    const { owner, origin: origin2 } = parseAdoOwnerAndRepo(url);
+    return {
+      org: owner,
+      origin: origin2
+    };
+  }
+  if (!tokenOrg) {
+    if (adoTokenInfo.type === "OAUTH" /* OAUTH */) {
+      const [org] = await _getOrgsForOauthToken({
+        oauthToken: adoTokenInfo.accessToken
       });
-      return res.data;
-    },
-    async getRepo(params2) {
-      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
-        params2.repoUrl
+      return {
+        org: z9.string().parse(org),
+        origin: DEFUALT_ADO_ORIGIN
+      };
+    }
+    throw new InvalidRepoUrlError("ADO URL is null");
+  }
+  return {
+    org: tokenOrg,
+    origin: DEFUALT_ADO_ORIGIN
+  };
+}
+async function getAdoApiClient(params) {
+  const { origin: origin2 = DEFUALT_ADO_ORIGIN, orgName } = params;
+  if (params.tokenType === "NONE" /* NONE */ || // move to public client if the token is not associated with the PAT org
+  params.tokenType === "PAT" /* PAT */ && params.patTokenOrg !== orgName) {
+    return _getPublicAdoClient({ orgName, origin: origin2 });
+  }
+  const orgUrl = `${origin2}/${orgName}`;
+  if (params.tokenType === "OAUTH" /* OAUTH */) {
+    if (origin2 !== DEFUALT_ADO_ORIGIN) {
+      throw new Error(
+        `Oauth token is not supported for ADO on prem - ${origin2} `
       );
-      const res = await bitbucketClient.repositories.get({
-        repo_slug: repoSlug,
-        workspace
-      });
-      return res.data;
+    }
+    const connection2 = new api.WebApi(
+      orgUrl,
+      api.getBearerHandler(params.accessToken),
+      {}
+    );
+    return connection2;
+  }
+  const authHandler = api.getPersonalAccessTokenHandler(params.accessToken);
+  const isBroker = BROKERED_HOSTS.includes(new URL(orgUrl).origin);
+  const connection = new api.WebApi(
+    orgUrl,
+    authHandler,
+    isBroker ? {
+      proxy: {
+        proxyUrl: GIT_PROXY_HOST
+      },
+      ignoreSslError: true
+    } : void 0
+  );
+  return connection;
+}
+function getAdoTokenInfo(token) {
+  if (!token) {
+    return { type: "NONE" /* NONE */ };
+  }
+  if (token.includes(".")) {
+    return { type: "OAUTH" /* OAUTH */, accessToken: token };
+  }
+  return { type: "PAT" /* PAT */, accessToken: token };
+}
+async function getAdoClientParams(params) {
+  const { url, accessToken, tokenOrg } = params;
+  const adoTokenInfo = getAdoTokenInfo(accessToken);
+  const { org, origin: origin2 } = await getAdoConnectData({
+    url,
+    tokenOrg,
+    adoTokenInfo
+  });
+  switch (adoTokenInfo.type) {
+    case "NONE" /* NONE */:
+      return {
+        tokenType: "NONE" /* NONE */,
+        origin: origin2,
+        orgName: org.toLowerCase()
+      };
+    case "OAUTH" /* OAUTH */: {
+      return {
+        tokenType: "OAUTH" /* OAUTH */,
+        accessToken: adoTokenInfo.accessToken,
+        origin: origin2,
+        orgName: org.toLowerCase()
+      };
+    }
+    case "PAT" /* PAT */: {
+      return {
+        tokenType: "PAT" /* PAT */,
+        accessToken: adoTokenInfo.accessToken,
+        patTokenOrg: z9.string().parse(tokenOrg).toLowerCase(),
+        origin: origin2,
+        orgName: org.toLowerCase()
+      };
+    }
+  }
+}
+async function adoValidateParams({
+  url,
+  accessToken,
+  tokenOrg
+}) {
+  try {
+    const api2 = await getAdoApiClient(
+      await getAdoClientParams({ url, accessToken, tokenOrg })
+    );
+    await api2.connect();
+  } catch (e) {
+    console.log("adoValidateParams error", e);
+    const error = e;
+    const code = error.code || error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
+    const description = error.description || `${e}`;
+    if (code === 401 || code === 403 || description.includes("401") || description.includes("403")) {
+      throw new InvalidAccessTokenError(`invalid ADO access token`);
+    }
+    if (code === 404 || description.includes("404") || description.includes("Not Found")) {
+      throw new InvalidRepoUrlError(`invalid ADO repo URL ${url}`);
+    }
+    throw e;
+  }
+}
+async function _getOrgsForOauthToken({
+  oauthToken
+}) {
+  const profileRes = await fetch(
+    "https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=6.0",
+    {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${oauthToken}`
+      }
+    }
+  );
+  const profileJson = await profileRes.json();
+  const profile = profileZ.parse(profileJson);
+  const accountsRes = await fetch(
+    `https://app.vssps.visualstudio.com/_apis/accounts?memberId=${profile.publicAlias}&api-version=6.0`,
+    {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${oauthToken}`
+      }
+    }
+  );
+  const accountsJson = await accountsRes.json();
+  const accounts = accountsZ.parse(accountsJson);
+  const orgs = accounts.value.map((account) => account.accountName).filter((value, index, array) => array.indexOf(value) === index);
+  return orgs;
+}
+
+// src/features/analysis/scm/ado/ado.ts
+async function getAdoSdk(params) {
+  const api2 = await getAdoApiClient(params);
+  return {
+    async getAdoIsUserCollaborator({ repoUrl }) {
+      try {
+        const { repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+        const git = await api2.getGitApi();
+        const branches = await git.getBranches(repo, projectName);
+        if (!branches || branches.length === 0) {
+          throw new InvalidRepoUrlError("no branches");
+        }
+        return true;
+      } catch (e) {
+        return false;
+      }
     },
-    async getCommit(params2) {
-      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
-        params2.repoUrl
+    async getAdoPullRequestStatus({
+      repoUrl,
+      prNumber
+    }) {
+      const { repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+      const git = await api2.getGitApi();
+      const res = await git.getPullRequest(repo, prNumber, projectName);
+      const parsedPullRequestStatus = ValidPullRequestStatusZ.safeParse(
+        res.status
       );
-      const res = await bitbucketClient.commits.get({
-        commit: params2.commitSha,
-        repo_slug: repoSlug,
-        workspace
-      });
-      return res.data;
-    },
-    async getUser() {
-      const res = await bitbucketClient.user.get({});
-      return res.data;
+      if (!parsedPullRequestStatus.success) {
+        throw new Error("bad pr status for ADO");
+      }
+      return parsedPullRequestStatus.data;
     },
-    async getReferenceData({
-      ref,
-      url
+    async getAdoIsRemoteBranch({
+      repoUrl,
+      branch
     }) {
-      return Promise.allSettled([
-        this.getTagRef({ repoUrl: url, tagName: ref }),
-        this.getBranchRef({ repoUrl: url, branchName: ref }),
-        this.getCommitRef({ repoUrl: url, commitSha: ref })
-      ]).then((promisesResult) => {
-        const [refPromise] = promisesResult.filter(
-          (promise) => promise.status === "fulfilled"
-        );
-        if (!refPromise) {
-          throw new RefNotFoundError(`Invalid reference ${ref} for ${url}`);
+      const { repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+      const git = await api2.getGitApi();
+      try {
+        const branchStatus = await git.getBranch(repo, branch, projectName);
+        if (!branchStatus || !branchStatus.commit) {
+          throw new InvalidRepoUrlError("no branch status");
         }
-        return refPromise.value;
-      });
+        return branchStatus.name === branch;
+      } catch (e) {
+        return false;
+      }
     },
-    async getTagRef(params2) {
-      const { tagName, repoUrl } = params2;
-      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(repoUrl);
-      const tagRes = await bitbucketClient.refs.getTag({
-        repo_slug: repoSlug,
-        workspace,
-        name: tagName
-      });
-      return GetRefererenceResultZ.parse({
-        sha: tagRes.data.target?.hash,
-        type: "TAG" /* TAG */,
-        date: new Date(z8.string().parse(tagRes.data.target?.date))
-      });
+    async getAdoPrUrl({ url, prNumber }) {
+      const { repo, projectName } = parseAdoOwnerAndRepo(url);
+      const git = await api2.getGitApi();
+      const getRepositoryRes = await git.getRepository(
+        decodeURI(repo),
+        projectName ? decodeURI(projectName) : void 0
+      );
+      return `${getRepositoryRes.webUrl}/pullrequest/${prNumber}`;
     },
-    async getBranchRef(params2) {
-      const getBranchRes = await this.getBranch(params2);
-      return GetRefererenceResultZ.parse({
-        sha: getBranchRes.target?.hash,
-        type: "BRANCH" /* BRANCH */,
-        date: new Date(z8.string().parse(getBranchRes.target?.date))
-      });
+    getAdoDownloadUrl({
+      repoUrl,
+      branch
+    }) {
+      const { owner, repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+      const url = new URL(repoUrl);
+      const origin2 = url.origin.toLowerCase().endsWith(".visualstudio.com") ? DEFUALT_ADO_ORIGIN : url.origin.toLowerCase();
+      return `${origin2}/${owner}/${projectName}/_apis/git/repositories/${repo}/items/items?path=/&versionDescriptor[versionOptions]=0&versionDescriptor[versionType]=commit&versionDescriptor[version]=${branch}&resolveLfs=true&$format=zip&api-version=5.0&download=true`;
     },
-    async getCommitRef(params2) {
-      const getCommitRes = await this.getCommit(params2);
-      return GetRefererenceResultZ.parse({
-        sha: getCommitRes.hash,
-        type: "COMMIT" /* COMMIT */,
-        date: new Date(z8.string().parse(getCommitRes.date))
-      });
+    async getAdoBranchList({ repoUrl }) {
+      const { repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+      const git = await api2.getGitApi();
+      try {
+        const res = await git.getBranches(repo, projectName);
+        res.sort((a, b) => {
+          if (!a.commit?.committer?.date || !b.commit?.committer?.date) {
+            return 0;
+          }
+          return b.commit?.committer?.date.getTime() - a.commit?.committer?.date.getTime();
+        });
+        return res.reduce((acc, branch) => {
+          if (!branch.name) {
+            return acc;
+          }
+          acc.push(branch.name);
+          return acc;
+        }, []);
+      } catch (e) {
+        return [];
+      }
     },
-    async getDownloadUrl({ url, sha }) {
-      this.getReferenceData({ ref: sha, url });
-      const repoRes = await this.getRepo({ repoUrl: url });
-      const parsedRepoUrl = z8.string().url().parse(repoRes.links?.html?.href);
-      return `${parsedRepoUrl}/get/${sha}.zip`;
+    async createAdoPullRequest(options) {
+      const { repoUrl, sourceBranchName, targetBranchName, title, body } = options;
+      const { repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+      const git = await api2.getGitApi();
+      const res = await git.createPullRequest(
+        {
+          sourceRefName: `refs/heads/${sourceBranchName}`,
+          targetRefName: `refs/heads/${targetBranchName}`,
+          title,
+          description: body
+        },
+        repo,
+        projectName
+      );
+      return res.pullRequestId;
     },
-    async getPullRequest(params2) {
-      const { repoSlug, workspace } = parseBitbucketOrganizationAndRepo(
-        params2.url
+    async getAdoRepoDefaultBranch({
+      repoUrl
+    }) {
+      const { repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+      const git = await api2.getGitApi();
+      const getRepositoryRes = await git.getRepository(
+        decodeURI(repo),
+        projectName ? decodeURI(projectName) : void 0
       );
-      const res = await bitbucketClient.pullrequests.get({
-        pull_request_id: params2.prNumber,
-        repo_slug: repoSlug,
-        workspace
-      });
-      return res.data;
-    }
-  };
-}
-async function validateBitbucketParams(params) {
-  const { bitbucketClient } = params;
-  const authType = bitbucketClient.getAuthType();
-  try {
-    if (authType !== "public") {
-      await bitbucketClient.getUser();
-    }
-    if (params.url && shouldValidateUrl(params.url)) {
-      await bitbucketClient.getRepo({ repoUrl: params.url });
-    }
-  } catch (e) {
-    const safeParseError = TokenExpiredErrorZ.safeParse(e);
-    if (safeParseError.success) {
-      switch (safeParseError.data.status) {
-        case 401:
-          throw new InvalidAccessTokenError(
-            safeParseError.data.error.error.message
+      if (!getRepositoryRes?.defaultBranch) {
+        throw new InvalidRepoUrlError("no default branch");
+      }
+      return getRepositoryRes.defaultBranch.replace("refs/heads/", "");
+    },
+    // todo: refactor this function
+    async getAdoReferenceData({
+      ref,
+      repoUrl
+    }) {
+      const { repo, projectName } = parseAdoOwnerAndRepo(repoUrl);
+      if (!projectName) {
+        throw new InvalidUrlPatternError("no project name");
+      }
+      const git = await api2.getGitApi();
+      const results = await Promise.allSettled([
+        (async () => {
+          const res = await git.getBranch(repo, ref, projectName);
+          if (!res.commit || !res.commit.commitId) {
+            throw new InvalidRepoUrlError("no commit on branch");
+          }
+          return {
+            sha: res.commit.commitId,
+            type: "BRANCH" /* BRANCH */,
+            date: res.commit.committer?.date || /* @__PURE__ */ new Date()
+          };
+        })(),
+        (async () => {
+          const res = await git.getCommits(
+            repo,
+            {
+              fromCommitId: ref,
+              toCommitId: ref,
+              $top: 1
+            },
+            projectName
           );
-        case 404:
-          throw new InvalidRepoUrlError(safeParseError.data.error.error.message);
+          const commit = res[0];
+          if (!commit || !commit.commitId) {
+            throw new Error("no commit");
+          }
+          return {
+            sha: commit.commitId,
+            type: "COMMIT" /* COMMIT */,
+            date: commit.committer?.date || /* @__PURE__ */ new Date()
+          };
+        })(),
+        (async () => {
+          const res = await git.getRefs(repo, projectName, `tags/${ref}`);
+          if (!res[0] || !res[0].objectId) {
+            throw new Error("no tag ref");
+          }
+          let objectId = res[0].objectId;
+          try {
+            const tag = await git.getAnnotatedTag(projectName, repo, objectId);
+            if (tag.taggedObject?.objectId) {
+              objectId = tag.taggedObject.objectId;
+            }
+          } catch (e) {
+          }
+          const commitRes2 = await git.getCommits(
+            repo,
+            {
+              fromCommitId: objectId,
+              toCommitId: objectId,
+              $top: 1
+            },
+            projectName
+          );
+          const commit = commitRes2[0];
+          if (!commit) {
+            throw new Error("no commit");
+          }
+          return {
+            sha: objectId,
+            type: "TAG" /* TAG */,
+            date: commit.committer?.date || /* @__PURE__ */ new Date()
+          };
+        })()
+      ]);
+      const [branchRes, commitRes, tagRes] = results;
+      if (tagRes.status === "fulfilled") {
+        return tagRes.value;
+      }
+      if (branchRes.status === "fulfilled") {
+        return branchRes.value;
+      }
+      if (commitRes.status === "fulfilled") {
+        return commitRes.value;
       }
+      throw new RefNotFoundError(`ref: ${ref} does not exist`);
+    },
+    getAdoBlameRanges() {
+      return [];
     }
-    throw e;
-  }
-}
-async function getUsersworkspacesSlugs(bitbucketClient) {
-  const res = await bitbucketClient.workspaces.getWorkspaces({});
-  return res.data.values?.map((v) => z8.string().parse(v.slug));
+  };
 }
-async function getllUsersrepositories(bitbucketClient) {
-  const userWorspacesSlugs = await getUsersworkspacesSlugs(bitbucketClient);
-  if (!userWorspacesSlugs) {
+async function getAdoRepoList({
+  orgName,
+  tokenOrg,
+  accessToken
+}) {
+  let orgs = [];
+  const adoTokenInfo = getAdoTokenInfo(accessToken);
+  if (adoTokenInfo.type === "NONE" /* NONE */) {
     return [];
   }
-  const allWorkspaceRepos = [];
-  for (const workspaceSlug of userWorspacesSlugs) {
-    const repos = await bitbucketClient.repositories.list({
-      workspace: workspaceSlug
-    });
-    if (!repos.data.values) {
-      continue;
-    }
-    allWorkspaceRepos.push(...repos.data.values);
+  if (adoTokenInfo.type === "OAUTH" /* OAUTH */) {
+    orgs = await _getOrgsForOauthToken({ oauthToken: accessToken });
   }
-  return allWorkspaceRepos;
-}
-async function getRepositoriesByWorkspace(bitbucketClient, { workspaceSlug }) {
-  const res = await bitbucketClient.repositories.list({
-    workspace: workspaceSlug
-  });
-  return res.data.values ?? [];
+  if (orgs.length === 0 && !orgName) {
+    throw new Error(`no orgs for ADO`);
+  } else if (orgs.length === 0 && orgName) {
+    orgs = [orgName];
+  }
+  const repos = (await Promise.allSettled(
+    orgs.map(async (org) => {
+      const orgApi = await getAdoApiClient({
+        ...await getAdoClientParams({
+          accessToken,
+          tokenOrg: tokenOrg || org,
+          url: void 0
+        }),
+        orgName: org
+      });
+      const gitOrg = await orgApi.getGitApi();
+      const orgRepos = await gitOrg.getRepositories();
+      const repoInfoList = (await Promise.allSettled(
+        orgRepos.map(async (repo) => {
+          if (!repo.name || !repo.remoteUrl || !repo.defaultBranch) {
+            throw new InvalidRepoUrlError("bad repo");
+          }
+          const branch = await gitOrg.getBranch(
+            repo.name,
+            repo.defaultBranch.replace(/^refs\/heads\//, ""),
+            repo.project?.name
+          );
+          return {
+            repoName: repo.name,
+            repoUrl: repo.remoteUrl.replace(
+              /^[hH][tT][tT][pP][sS]:\/\/[^/]+@/,
+              "https://"
+            ),
+            repoOwner: org,
+            repoIsPublic: repo.project?.visibility === 2 /* Public */,
+            repoLanguages: [],
+            repoUpdatedAt: branch.commit?.committer?.date?.toDateString() || repo.project?.lastUpdateTime?.toDateString() || (/* @__PURE__ */ new Date()).toDateString()
+          };
+        })
+      )).reduce((acc, res) => {
+        if (res.status === "fulfilled") {
+          acc.push(res.value);
+        }
+        return acc;
+      }, []);
+      return repoInfoList;
+    })
+  )).reduce((acc, res) => {
+    if (res.status === "fulfilled") {
+      return acc.concat(res.value);
+    }
+    return acc;
+  }, []);
+  return repos;
 }
 
 // src/features/analysis/scm/constants.ts
@@ -3686,7 +3728,7 @@ var MOBB_ICON_IMG = "https://app.mobb.ai/gh-action/Logo_Rounded_Icon.svg";
 // src/features/analysis/add_fix_comments_for_pr/utils.ts
 import Debug3 from "debug";
 import parseDiff2 from "parse-diff";
-import { z as z9 } from "zod";
+import { z as z10 } from "zod";
 
 // src/features/analysis/utils/by_key.ts
 function keyBy(array, keyBy2) {
@@ -3837,7 +3879,8 @@ async function postFixComment(params) {
     patchAndQuestions: { patch }
   } = fix;
   const commentRes = await scm.postPrComment({
-    body: "empty",
+    body: `# ${MobbIconMarkdown} Your fix is ready!
+Refresh the page in order to see the changes.`,
     pull_number: pullRequest,
     commit_id: commitSha,
     path: path9,
@@ -3917,7 +3960,7 @@ async function getRelevantVulenrabilitiesFromDiff(params) {
     });
     const lineAddedRanges = calculateRanges(fileNumbers);
     const fileFilter = {
-      path: z9.string().parse(file.to),
+      path: z10.string().parse(file.to),
       ranges: lineAddedRanges.map(([startLine, endLine]) => ({
         endLine,
         startLine
@@ -4224,30 +4267,30 @@ function subscribe(query, variables, callback, wsClientOptions) {
 }
 
 // src/features/analysis/graphql/types.ts
-import { z as z10 } from "zod";
-var VulnerabilityReportIssueCodeNodeZ = z10.object({
-  vulnerabilityReportIssueId: z10.string(),
-  path: z10.string(),
-  startLine: z10.number(),
-  vulnerabilityReportIssue: z10.object({
-    fixId: z10.string()
+import { z as z11 } from "zod";
+var VulnerabilityReportIssueCodeNodeZ = z11.object({
+  vulnerabilityReportIssueId: z11.string(),
+  path: z11.string(),
+  startLine: z11.number(),
+  vulnerabilityReportIssue: z11.object({
+    fixId: z11.string()
   })
 });
-var GetVulByNodesMetadataZ = z10.object({
-  vulnerabilityReportIssueCodeNodes: z10.array(VulnerabilityReportIssueCodeNodeZ),
-  nonFixablePrVuls: z10.object({
-    aggregate: z10.object({
-      count: z10.number()
+var GetVulByNodesMetadataZ = z11.object({
+  vulnerabilityReportIssueCodeNodes: z11.array(VulnerabilityReportIssueCodeNodeZ),
+  nonFixablePrVuls: z11.object({
+    aggregate: z11.object({
+      count: z11.number()
     })
   }),
-  fixablePrVuls: z10.object({
-    aggregate: z10.object({
-      count: z10.number()
+  fixablePrVuls: z11.object({
+    aggregate: z11.object({
+      count: z11.number()
     })
   }),
-  totalScanVulnerabilities: z10.object({
-    aggregate: z10.object({
-      count: z10.number()
+  totalScanVulnerabilities: z11.object({
+    aggregate: z11.object({
+      count: z11.number()
     })
   })
 });
@@ -5148,7 +5191,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     spinner: mobbSpinner,
     submitVulnerabilityReportVariables: {
       fixReportId: reportUploadInfo.fixReportId,
-      repoUrl: z11.string().parse(repo),
+      repoUrl: z12.string().parse(repo),
       reference,
       projectId,
       vulnerabilityReportFileName: "report.json",
@@ -5400,9 +5443,9 @@ async function _scan(params, { skipPrompts = false } = {}) {
         }
       });
       if (command === "review") {
-        const params2 = z11.object({
-          repo: z11.string().url(),
-          githubActionToken: z11.string()
+        const params2 = z12.object({
+          repo: z12.string().url(),
+          githubActionToken: z12.string()
         }).parse({ repo, githubActionToken });
         const scm2 = await SCMLib.init({
           url: params2.repo,
@@ -5419,7 +5462,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
               analysisId,
               gqlClient,
               scm: scm2,
-              scanner: z11.nativeEnum(SCANNERS).parse(scanner)
+              scanner: z12.nativeEnum(SCANNERS).parse(scanner)
             });
           },
           callbackStates: ["Finished" /* Finished */]
@@ -5632,7 +5675,7 @@ var scmTokenOption = {
 // src/args/validation.ts
 import chalk6 from "chalk";
 import path8 from "path";
-import { z as z12 } from "zod";
+import { z as z13 } from "zod";
 function throwRepoUrlErrorMessage({
   error,
   repoUrl,
@@ -5649,13 +5692,13 @@ Example:
   )}`;
   throw new CliError(formattedErrorMessage);
 }
-var UrlZ = z12.string({
+var UrlZ = z13.string({
   invalid_type_error: "is not a valid GitHub / GitLab / ADO URL"
 }).refine((data) => !!sanityRepoURL(data), {
   message: "is not a valid GitHub / GitLab / ADO URL"
 });
 function validateOrganizationId(organizationId) {
-  const orgIdValidation = z12.string().uuid().nullish().safeParse(organizationId);
+  const orgIdValidation = z13.string().uuid().nullish().safeParse(organizationId);
   if (!orgIdValidation.success) {
     throw new CliError(`organizationId: ${organizationId} is not a valid UUID`);
   }
@@ -5812,7 +5855,7 @@ async function scanHandler(args) {
 }
 
 // src/args/commands/token.ts
-import { z as z13 } from "zod";
+import { z as z14 } from "zod";
 function addScmTokenBuilder(args) {
   return args.option("scm-type", scmTypeOption).option("url", urlOption).option("token", scmTokenOption).option("organization", scmOrgOption).option("refresh-token", scmRefreshTokenOption).option("api-key", apiKeyOption).example(
     "$0 add-scm-token --scm-type Ado --url https://dev.azure.com/adoorg/test/_git/repo --token abcdef0123456 --organization myOrg",
@@ -5820,7 +5863,7 @@ function addScmTokenBuilder(args) {
   ).help().demandOption(["url", "token"]);
 }
 function validateAddScmTokenOptions(argv) {
-  if (!z13.nativeEnum(ScmType).safeParse(argv.scmType).success) {
+  if (!z14.nativeEnum(ScmType).safeParse(argv.scmType).success) {
     throw new CliError(
       "\nError: --scm-type must reference a valid SCM type (GitHub, GitLab, Ado, Bitbutcket)"
     );